SCF Release 2026.1

The Secure Controls Framework Council is pleased to announce the release of the 2026.1 version of the Secure Controls Framework (SCF). 

Version 2026.1 represents a moderate update, based on the following changes:

• New and updated Set Theory Relationship Mapping (STRM) for multiple laws, regulations and frameworks. 
• Updated maturity model criteria; 
• Updated “possible solutions & considerations” criteria; and 
• Proposed compensating controls (see the “SCF Overview & Practitioner Guidebook” for guidance on compensating controls).

Added / Updated Set Theory Relationship Mappings (STRM) for:

• Cyber Resilience Capability Maturity Model (CR-CMM) (2026)
• Government Risk and Authorization Management Program (GovRAMP)
• IEC 62443-2-1 (2024)
• IEC 62443-3-3 (2013)
• IEC 62443-4-1 (2018)
• ISO 27018 (2025)
• ISO 31000 (2018)
• OWASP Top 10 (2025)
• SWIFT Customer Security Controls Framework (2025)
• TISAX ISA (6.0.3)
• Shared Assessments Standard Information Gathering (SIG) Questionnaire 2025
• Criminal Justice Information Services (CJIS) Security Policy (v6.0)
• Texas DIR Security Control Standards Catalog (v2.2)
• And more!

By the end of 2026 Q2, the plan is for all laws, regulations and frameworks to have published STRM. You can download current STRM in PDF format at: https://securecontrolsframework.com/start-here/set-theory-relationship-mapping-strm/ 

• GERNERAL: complete with the exception of NIST 800-53 R4 (deprecated) and SIG (OEM provided mapping)
• USA: complete
• EMEA: will be complete in 2026 Q2
• APAC: will be complete in 2026 Q2
• AMERICAS: will be complete in 2026 Q2

You can download the new version of the SCF from:

• SCF Download Page - https://securecontrolsframework.com/scf-download/
• GitHub - https://github.com/securecontrolsframework/securecontrolsframework

You can read more on the errata for this version on GitHub:

https://github.com/securecontrolsframework/securecontrolsframework/releases/tag/2025.4