SCF CAP - Assessment Guides
This page contains published Third-Party Assessment, Attestation & Certification (3PAAC) guides and standards for applicable Laws, Regulations & Frameworks (LRF) that are capable of having an SCF Assessment performed. When a LRF is added, a new 3PAAC guide & standards document will be published that is specific to that LRF:
This NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) assessment guide is designed for organizations that align with the cybersecurity governance framework established by NIST CSF 2.0.
This is ideal for organizations that want to demonstrate conformity with NIST CSF 2.0 through a third-party assessment that results in a certification.
The HIPAA Security Rule (NIST SP 800-66 R1) assessment guide is designed for organizations required to comply with the HIPAA Security Rule (e.g., NIST SP 800-66 R1).
This is ideal for both Covered Entities (CE) and Business Associates (BA) that want to demonstrate conformity with the HIPAA Security Rule through a third-party assessment that results in a certification.
The SCF Cybersecurity Oversight, Resilience and Enablement (CORE) Fundamentals assessment guide is designed for organizations that align with the principles established by the SCF CORE Fundamentals control set.
This is ideal for organizations that want to demonstrate conformity with SCF CORE Fundamentals through a third-party assessment that results in a certification.
This New York Department of Financial Services 23 NYCRR Part 500 assessment guide is designed for organizations that must comply with the NY DFS 23 NYCRR Part 500 regulation.
This is ideal for organizations that want to demonstrate conformity with NY DFS 23 NYCRR Part 500 through a third-party assessment that results in a certification.
This CISA Secure Software Development Attestation Form (SSDAF) assessment guide is designed for organizations that must attest to secure software development practices to the US Government.
This is ideal for organizations that want to demonstrate conformity with Executive Order 14028 through a third-party assessment that results in a certification.
This NIST SP 800-161 R1 Cybersecurity Supply Chain Risk Management (C-SCRM) Baseline assessment guide is designed for organizations that must comply with the NIST SP 800-161 R1 C-SCRM baseline practices.
This is ideal for organizations that want to demonstrate conformity with the C-SCRM baseline of NIST SP 800-161 R1 through a third-party assessment that results in a certification.
This NIST SP 800-171 R3 assessment guide is designed for organizations that must comply with NIST SP 800-171 R3.
This is not a CMMC assessment. This is ideal for organizations that want to demonstrate conformity with NIST SP 800-171 R3 through a third-party assessment that results in a certification.
This NIST SP 800-218 R1 assessment guide is designed for organizations that must demonstrate alignment with the Secure Software Development Framework (SSDF).
This is ideal for organizations that want to demonstrate conformity with NIST SP 800-218 R1 through a third-party assessment that results in a certification.
This New Zealand Health Information Security Framework (HISF) - Guidance for Suppliers assessment guide is designed for organizations that must comply with the NZ HISF for suppliers.
This is ideal for organizations in New Zealand that want to demonstrate conformity with NZ HISF for Suppliers through a third-party assessment that results in a certification.
This assessment guide is for organizations that have a current Cybersecurity Maturity Model Certification (CMMC) Level 2 certification and want to leverage reciprocity towards NIST CSF 2.0 certification.
This assessment guide is for organizations that want to create a bespoke control set for an SCF assessment (e.g., unique control set, multiple laws/regulations/frameworks, etc.).