Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

Secure Controls Framework (SCF) Newsletter 2023 Q1

Secure Controls Framework (SCF) Newsletter 2023 Q1

Posted by SCF Council on Mar 1st 2023

SCF version 2023.1 has new content, as well as some exciting capabilities enhancements:

  • New domain for Artificial Intelligence & Autonomous Technologies (AAT)
  • Assessment Objectives (AOs)
  • Conformity Assessment Program (CAP)
  • SCFConnect
  • SCF Marketplace
  • Evidence Request List (ERL)
  • Updated Risk & Threat Catalogs
  • New Mappings

Artificial Intelligence & Autonomous Technologies (AAT)

SCF version 2023.1 includes a new domain, Artificial Intelligence & Autonomous Technologies (AAT) that is mapped to the recent release of NIST's AI 100-1 v1.0, the AI Risk Management Framework. The intent of the SCF's AAT domain and controls is to help organizations ensure Artificial Intelligence (AI) and autonomous technologies are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and privacy-enhanced. In addition, AI-related risks are governed according to technology-specific considerations to minimize emergent properties or unintended consequences.

No alt text provided for this image

Assessment Objectives (AOs)

SCF version 2023.1 includes Assessment Objectives (AOs). Per NIST's Glossary, an AO is "a set of determination statements that expresses the desired outcome for the assessment of a security control, privacy control, or control enhancement."

AOs are used objectively determine if the intent of a control is satisfied. This is important for the SCF's Conformity Assessment Program (CAP), since assessments will assess against AOs.

SCF Conformity Assessment Program (CAP)

The SCF CAP is an organization-level conformity assessment. The SCF CAP is designed to utilize tailored cybersecurity and privacy controls that specifically address the applicable statutory, regulatory and contractual obligations an Organization Seeking Certification (OSC) is required to comply with. By using the metaframework nature of the SCF, an OSC is able to perform conformity assessments that span multiple cybersecurity and privacy-specific laws, regulations and frameworks. We welcome you to read the SCF CAP Body of Knowledge (BoK).

No alt text provided for this image


SCFConnect is a cost-effective technology platform (e.g., GRC tool) that is specifically designed to efficiently manage an organization’s SCF-based cybersecurity and privacy program. SCFConnect is currently being beta tested and will be commercially available soon, but you can sign up to test it out in beta. Highlights include:

  • Incredibly cost-effective (e.g., $200/month for a SCF-based GRC)
  • Easily tailor SCF controls in a SaaS solution
  • Supply chain visibility across your suppliers, vendors, etc. (e.g., see how your supply chain stacks up against your specific SCF controls)
  • Single Source of Truth (SSOT) for conducting SCF CAP assessments
No alt text provided for this image

SCF Marketplace

SCF Marketplace just went live as a virtual marketplace for the SCF ecosystem. This free resource will continue to add stakeholders and grow to be a useful resource for finding specialists/tools that can help with your unique needs. You can find:

  • SCF-knowledgeable practitioners
  • Premium content (e.g., SCF-based policies, standards, procedures, etc.)
  • SCF-friendly GRC platforms & automation tools
  • Training resources
  • SCF CAP 3PAOs and Assessors

Evidence Request List (ERL)

The SCF's Evidence Request List (ERL) is designed to standardize and streamline the evidence request process for a SCF-based assessment. However, the ERL can be used as a guidebook for "reasonable" artifacts to demonstrate evidence of due diligence and due care for other cybersecurity and/or privacy audits or assessments. The ERL will be utilized as part of the SCF CAP to identify reasonably-expected artifacts/evidence to meet applicable SCF controls, since the identified evidence artifacts are mapped to SCF controls. The benefits are:

  • It levels the playing field by establishing evidence expectations upfront so there are no surprises; and
  • It prevents an assessor from literally making up documentation requirements on the fly. Since "time is money" when it comes to an audit/assessment, the ERL is specifically designed to make assessments more efficient, therefore less expensive. The ERL is one of the tabs that is included as part of the SCF.

Updated Risk & Threat Catalogs

New Risk

  • R-AM-3: Emergent properties and/or unintended consequences

New Threats

  • MT-12: Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data
  • MT-13: Artificial Intelligence & Autonomous Technologies (AAT)

Updated Control Mappings

  • NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)
  • Australia ISM December 2022
  • CISA Cross-Sector Cybersecurity Performance Goals (CPG)
  • EU Digital Operational Resilience Act (DORA)
  • MPA Content Security Best Practices v5.1
  • Saudi Arabia - Operational Technology Cybersecurity Controls (OTCC -1: 2022)
  • TSA / DHS Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)