SCF Control Reference
Version 2025.4: 1,451 controls across 33 domains, mapped to nearly 200 frameworks
Cybersecurity & Data Protection Governance (38 controls)
Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity & data protection principles that address applicable statutory, regulatory and contractual obligations.

AAT: Artificial Intelligence & Autonomous Technologies (156 controls)
Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.

AST: Asset Management (62 controls)
Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset’s location.

BCD: Business Continuity & Disaster Recovery (58 controls)
Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.

CAP: Capacity & Performance Planning (6 controls)
Govern the current and future capacities and performance of technology assets.

CHG: Change Management (19 controls)
Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.

CLD: Cloud Security (24 controls)
Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization's own internal cybersecurity & data privacy controls.

CPL: Compliance (35 controls)
Oversee the execution of cybersecurity & data privacy controls to ensure that appropriate evidence of due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.

CFG: Configuration Management (28 controls)
Enforce secure configurations according to vendor-recommended and industry-recognized secure practices that enforce the concepts of “least privilege” and “least functionality” for all systems, applications and services.

MON: Continuous Monitoring (70 controls)
Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.

CRY: Cryptographic Protections (29 controls)
Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive/regulated data both at rest and in transit.

DCH: Data Classification & Handling (85 controls)
Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.

EMB: Embedded Technology (19 controls)
Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.

END: Endpoint Security (47 controls)
Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process.

HRS: Human Resources Security (46 controls)
Execute sound hiring practices and ongoing personnel management to cultivate a cybersecurity & data privacy-minded workforce.

IAC: Identification & Authentication (112 controls)
Enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.

IRO: Incident Response (41 controls)
Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).

IAO: Information Assurance (15 controls)
Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity & data privacy controls, prior to a system, application or service being used in a production environment.

MNT: Maintenance (28 controls)
Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third parties.

MDM: Mobile Device Management (11 controls)
Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive/regulated data that limit the attack surface and potential data exposure from mobile device usage.

NET: Network Security (98 controls)
Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.

PES: Physical & Environmental Security (51 controls)
Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.

PRI: Data Privacy (102 controls)
Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.

PRM: Project & Resource Management (11 controls)
Operationalize a viable strategy to achieve cybersecurity & data privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.

RSK: Risk Management (32 controls)
Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.

SEA: Secure Engineering & Architecture (44 controls)
Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.

OPS: Security Operations (8 controls)
Execute the delivery of cybersecurity & data privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.

SAT: Security Awareness & Training (17 controls)
Foster a cybersecurity & data privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.

TDA: Technology Development & Acquisition (70 controls)
Develop and/or acquire systems, applications and services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design flaws.

TPM: Third-Party Management (28 controls)
Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third parties are used for products and/or service delivery.

THR: Threat Management (13 controls)
Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.

VPM: Vulnerability & Patch Management (33 controls)
Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience of systems, applications and services against evolving and sophisticated attack vectors.

WEB: Web Security (15 controls)
Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.
The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.