
SCRMS: Security, Compliance & Resilience Management System

Compliance tells you what you must do. SCRMS tells you what you should do. The Security, Compliance & Resilience Management System bridges the gap between passing an audit and building a security program that actually protects your organization.

Compliance Alone Is Not Enough

Organizations scope compliance frameworks, implement the required controls, and pass their audits. Then they get breached — not because the frameworks were wrong, but because compliance was treated as the ceiling rather than the floor.

Frameworks are written broadly. They cannot account for every organization's unique threat landscape, technology stack, or risk tolerance. The result is coverage gaps: entire domains of risk that no scoped framework happens to address.

SCRMS exists to identify and close those gaps systematically.

[Diagram: Compliance → The Gap → Security]

Minimum Compliance Requirements (MCRs)

The controls your scoped frameworks mandate — the compliance floor.

When you select compliance frameworks for your organization, the Secure Controls Framework (SCF) maps those frameworks to its control catalog. The resulting set of controls is your MCRs — everything you must implement to satisfy your regulatory, contractual, and industry obligations.

MCR sources include:

  • Federal and state regulations (HIPAA, FERPA, GLBA)
  • Industry standards (PCI DSS, NERC CIP)
  • Contractual obligations (NIST SP 800-171 for CMMC, StateRAMP)
  • Voluntary frameworks (NIST CSF 2.0, ISO 27001)

MCRs are non-negotiable. But they only cover what frameworks require — and frameworks cannot anticipate every risk your organization faces.

Discretionary Security Requirements (DSRs)

Risk-driven controls that fill the gaps MCRs leave behind.

DSRs are controls that no scoped framework mandates but that your organization's risk profile indicates you should implement. SCRMS uses an algorithmic scoring model to evaluate every unscoped SCF control against five factors:

Domain Coverage

Identifies SCF domains where MCRs provide little or no coverage, highlighting blind spots in your program.

Industry Relevance

Flags controls commonly critical for your sector, even if not mandated by a selected framework.

Risk Tolerance

Adjusts recommendations based on your organization's appetite for residual risk.

Control Weight

Leverages the SCF's built-in 1–10 importance rating reflecting how fundamental each control is.

Maturity Alignment

Recommends controls appropriate for your current and target maturity level.

The result is a prioritized list of recommended DSRs. You review each recommendation and accept or reject it — the methodology informs the decision, but your organization owns it.

Minimum Security Requirements (MSR)

MCR + DSR = your complete security program.

MCR (Compliance Requirements) + DSR (Risk-Driven Controls) = MSR (Complete Program)

When MCRs and accepted DSRs combine, the result is your organization's Minimum Security Requirements — the full control set that addresses both compliance obligations and risk-driven security needs.

Once the MSR is established, the PPTDF applicability model — People, Processes, Technologies, Data & Facilities — determines how each control applies across organizational elements. This ensures controls are scoped to where they are relevant, preventing unnecessary overhead.

How It Works in SCF Connect

Four steps from framework selection to a complete, defensible security program.

1. Program Selection

Select the compliance frameworks applicable to your organization. The platform calculates your MCRs automatically by mapping selected frameworks to SCF controls.

2. Control Refining

Review your MCR control set and adjust for organizational specifics, locking in your compliance baseline.

3. DSR Scoping

The platform analyzes your MCR coverage, identifies domain gaps, and scores unscoped controls against the DSR factors. You receive a prioritized list of recommended discretionary controls.

4. Review & Lock

Accept or reject each DSR recommendation, finalizing your MSR. The complete control set — MCRs plus accepted DSRs — becomes your security program baseline.
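The four steps above and the five-factor DSR scoring model, as an added worked example that is not the SCF Council's or SCF Connect's code: the control catalog, the framework-to-control crosswalk, the industry tags, the maturity levels and the factor weights are all constructed for illustration, because the page does not publish the actual scoring formula.

```python
# Illustrative SCRMS-style flow: MCR from framework mappings -> domain coverage
# gaps -> DSR scoring of unscoped controls -> MSR = MCR + accepted DSRs.
# All data and weights below are constructed; they are not the SCF's real values.
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    cid: str
    domain: str
    weight: int             # SCF-style 1-10 importance rating (constructed)
    industries: frozenset   # sectors where the control is commonly critical
    maturity: int           # lowest target maturity level at which it fits

CATALOG = [
    Control("GOV-01", "Governance", 9, frozenset({"healthcare", "finance"}), 1),
    Control("IAC-01", "Identity & Access", 10, frozenset({"healthcare", "finance", "energy"}), 1),
    Control("IAC-10", "Identity & Access", 7, frozenset({"finance"}), 2),
    Control("BCD-01", "Business Continuity", 8, frozenset({"healthcare", "energy"}), 2),
    Control("TPM-01", "Third-Party Mgmt", 9, frozenset({"healthcare", "finance"}), 2),
    Control("CRY-03", "Cryptography", 6, frozenset({"finance"}), 3),
    Control("AST-02", "Asset Management", 5, frozenset({"energy"}), 3),
]
# Constructed crosswalk from scoped frameworks to catalog controls (hypothetical).
FRAMEWORK_MAP = {
    "HIPAA": {"GOV-01", "IAC-01"},
    "PCI DSS": {"IAC-01", "IAC-10", "CRY-03"},
}

def minimum_compliance_requirements(frameworks):
    """Step 1: MCR is the union of controls mapped from every scoped framework."""
    return set().union(*(FRAMEWORK_MAP[f] for f in frameworks))

def domain_coverage(mcr):
    """Fraction of each domain's catalog controls already covered by the MCR."""
    by_domain = {}
    for c in CATALOG:
        total, covered = by_domain.get(c.domain, (0, 0))
        by_domain[c.domain] = (total + 1, covered + (c.cid in mcr))
    return {d: covered / total for d, (total, covered) in by_domain.items()}

def score_dsr_candidates(mcr, industry, risk_tolerance, target_maturity):
    """Step 3: score every unscoped control on the five factors (weights assumed)."""
    coverage = domain_coverage(mcr)
    scored = []
    for c in CATALOG:
        if c.cid in mcr or c.maturity > target_maturity:   # maturity alignment
            continue
        gap = 1.0 - coverage[c.domain]                       # domain coverage gap
        relevance = 1.0 if industry in c.industries else 0.3  # industry relevance
        # control weight scaled to 0-1; higher risk tolerance lowers every score
        score = (gap * 4 + relevance * 3 + c.weight / 10 * 3) * (1.0 - risk_tolerance)
        scored.append((round(score, 2), c.cid))
    return sorted(scored, reverse=True)      # prioritized DSR recommendations

def minimum_security_requirements(mcr, accepted_dsrs):
    """Step 4: MSR = MCR plus the DSRs the organization chose to accept."""
    return mcr | set(accepted_dsrs)
```

Rejected candidates simply stay out of the MSR, which is the residual risk the FAQ describes.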

Frequently Asked Questions

What does SCRMS stand for?

SCRMS stands for Security, Compliance & Resilience Management System. It is a methodology developed by the Secure Controls Framework Council for determining the complete set of controls an organization needs to be both compliant and secure.

What is the difference between MCRs and DSRs?

Minimum Compliance Requirements (MCRs) are the controls mandated by your scoped compliance frameworks — they represent the compliance floor. Discretionary Security Requirements (DSRs) are additional controls recommended based on your organization's risk profile to fill coverage gaps that MCRs leave behind.

Are DSRs optional?

DSRs are recommendations, not mandates. The SCRMS methodology scores and prioritizes them based on domain gaps, industry relevance, risk tolerance, control weight, and maturity alignment. Your organization reviews each recommendation and decides whether to accept or reject it. However, rejecting high-priority DSRs means accepting the associated residual risk.

How does the DSR scoring model work?

The scoring model evaluates every unscoped SCF control against five factors: domain coverage gaps (blind spots in your current program), industry relevance (sector-specific importance), risk tolerance (your appetite for residual risk), control weight (SCF's 1–10 importance rating), and maturity alignment (appropriateness for your current and target maturity level). Controls are then prioritized into a recommended list.

What is PPTDF?

PPTDF stands for People, Processes, Technologies, Data & Facilities. It is an applicability model used within SCRMS to determine which organizational elements each control applies to, ensuring controls are scoped to where they are relevant rather than applied uniformly across the entire organization.

Build Your Complete Security Program

Stop treating compliance as the ceiling. Use SCRMS in SCF Connect to build a security program that reflects your actual risk profile.