Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

SCF Commercial License Overview

BACKGROUND: The standard, non-commercial license of the Secure Controls Framework (SCF) uses the Creative Commons Attribution-NoDerivatives 4.0 International Public License (CC BY-ND 4.0). The CC BY-ND 4.0 prohibits individuals and/or organizations from distributing derivative content based on the SCF. This prohibition on creating derivative works includes utilizing Artificial Intelligence (AI) (or similar technologies) to leverage SCF content to generate policies, standards, procedures, metrics, risks, threats or other derivative content. An organization needs to be a Licensed Content Provider (LCP) to offer derivative SCF content, which involves paying for a commercial license.

An organization that wants to share and/or sell derivative content based on the SCF needs to purchase a Commercial SCF License.

Standard SCF License

The Standard SCF License utilizes the Creative Commons Attribution-NoDerivatives 4.0 International Public License to help maintain the integrity of the SCF. Under that standard license, two fundamental requirements are (1) attribution and (2) no derivatives:

  • Attribution requires anyone using the SCF to give appropriate credit, provide a link to the license and indicate if changes were made. Providing attribution is as simple as stating that SCF controls are used in the solution; for example, a GRC platform that includes SCF content is required to state that SCF controls are used; and
  • No Derivatives prohibits the distribution of modified SCF content. This prohibition on creating derivative works includes utilizing Artificial Intelligence (AI) (or similar technologies) to leverage SCF content to generate policies, standards, procedures, metrics, risks, threats or other derivative content.

Note - graphically arranging existing SCF content for readability is not considered creating a derivative work. Many GRC platforms leverage the SCF and have flexibility in how SCF content is arranged as part of the user experience to support workflows.

Commercial SCF License

The SCF currently offers two (2) versions of commercial licensing:

  • Tier 1 SCF Commercial License; and
  • Tier 2 SCF Commercial License.

Commercial license restrictions by business type:

  • Tier 1 and Tier 2 SCF Commercial Licenses are restricted to Governance, Risk & Compliance (GRC) platforms or similar technology platforms.
  • Tier 2 SCF Commercial Licensees are prohibited from selling SCF-based content (e.g., policies, standards, procedures, metrics, etc.) in any form of online storefront or marketplace; SCF-based content may only be sold within the GRC (or similar technology) platform.

Tier 1 SCF Commercial License

The Tier 1 SCF Commercial License enables an organization (e.g., GRC platform) to leverage the SCF to:

  1. Reproduce and Share the Licensed Material, in whole or in part; and
  2. Produce, reproduce and share Adapted Material that is restricted to the following:
    1. Custom-developed guidance on how to implement SCF controls (e.g., static answers, chatbot interaction, etc.) that includes:
      1. Reformatting SCF controls or control questions into a questionnaire format for readability purposes (e.g., Third-Party Risk Management (TPRM) survey);
      2. People, Processes, Technologies, Data & Facilities (PPTDF) applicability; 
      3. Risk calculators; and/or
      4. Control deficiency guidance (e.g., possible compensating controls); and
    2. Modify the following, existing SCF content:
      1. Maturity-level criteria;
      2. Possible solutions and considerations to implement SCF controls;
      3. Risk and/or threat catalogs tied to SCF controls; and/or
      4. Conformity Validation Criteria (CVC).

Tier 2 SCF Commercial License

The Tier 2 SCF Commercial License enables an organization (e.g., GRC platform) to leverage the SCF to:

  1. Reproduce and Share the Licensed Material, in whole or in part; and
  2. Produce, reproduce and share Adapted Material that is restricted to the following:
    1. Custom-developed guidance on how to implement SCF controls (e.g., static answers, chatbot interaction, etc.) that includes:
      1. Reformatting SCF controls or control questions into a questionnaire format for readability purposes (e.g., Third-Party Risk Management (TPRM) survey);
      2. People, Processes, Technologies, Data & Facilities (PPTDF) applicability; 
      3. Risk calculators; and/or
      4. Control deficiency guidance (e.g., possible compensating controls);
    2. Modify the following, existing SCF content:
      1. Maturity-level criteria;
      2. Possible solutions and considerations to implement SCF controls;
      3. Risk and/or threat catalogs tied to SCF controls; and/or
      4. Conformity Validation Criteria (CVC); and
    3. SCF-based:
      1. Policies;
      2. Control objectives;
      3. Standards;
      4. Guidelines;
      5. Procedures; and/or
      6. Metrics / analytics.

Prohibitions for Standard and Commercial Licenses

While an end user of the SCF is permitted to modify content for their own internal use, the following prohibitions apply to both standard and commercial SCF licensees:

  1. Creating and/or changing core SCF content, including:
    1. SCF Domain Name;
    2. SCF Domain Acronym;
    3. SCF Control Number;
    4. SCF Control Name;
    5. SCF Control Description;
    6. SCF Assessment Objectives (AOs); 
    7. SCF Control Weighting values;
    8. Evidence Request List (ERL) items; and
    9. Mappings to Laws, Regulations and Frameworks (LRF).
  2. New controls cannot be added to the SCF without the express, written authorization of the SCF Council:
    1. New controls can be suggested for addition to the SCF control catalog.
    2. The SCF releases quarterly updates and welcomes customer feedback for updates / modifications to mappings.