Secure Controls Framework
Download The SCF
Start Here
Free Content
GRC Fundamentals
SCF Certified
Marketplace
The Common Controls Framework™

SCF Commercial License Overview

The non-commercial, Commercial License of the Secure Controls Framework (SCF) uses the Creative Commons Attribution-NoDerivatives 4.0 International Commercial License (CC BY-ND 4.0). The CC BY-ND 4.0 prohibits individuals and/or organizations from distributing derivative content based on the SCF. This prohibition on creating derivative works includes utilizing Artificial Intelligence (AI) (or similar technologies) to leverage SCF content to generate policies, standards, procedures, metrics, risks, threats or other derivative content. An organization needs to be a Licensed Content Provider (LCP) to offer derivative SCF content, which involves paying for a commercial license.

Download the SCFStart Here
Overview
SCF Licenses Overview
In order to generate derivative content based on the SCF, an organization needs to purchase a Commercial SCF License to share and/or sell that derivative SCF content.
Standard SCF License
The Standard SCF License utilizes the Creative Commons Attribution-NoDerivatives 4.0 International Public License to help maintain the integrity of the SCF. Under that standard license, two fundamental requirements are (1) attribution and (2) no derivatives:
  • Attribution requires anyone using the SCF to give appropriate credit, provide a link to the license and indicate if changes were made. Providing attribution is as simple as stating SCF controls are used in the solution, such as a GRC platform that includes SCF content is required to provide attribution that SCF controls are used; and
  • No Derivatives prohibits the distribution of modified SCF content. This prohibition on creating derivative works includes utilizing Artificial Intelligence (AI) (or similar technologies) to leverage SCF content to generate policies, standards, procedures, metrics, risks, threats or other derivative content.
Note
Graphically arranging existing SCF content for readability is not considered creating a derivative work. Many GRC platforms leverage the SCF and have flexibility into how SCF content is arranged as part of the user experience to support work flows.
Commercial SCF License
The SCF currently offers two (2) versions of commercial licensing:
  • Tier 1 SCF Commercial License; and
  • Tier 2 SCF Commercial License.
Commercial license restrictions by business type:
  • Tier 1 and Tier 2 SCF Commercial Licenses are restricted to Governance, Risk & Compliance (GRC), or similar technology, platforms.
  • Tier 2 SCF Commercial Licenses are prohibited from selling SCF-based content (e.g., policies, standards, procedures, metrics, etc.) in any form of online storefront or marketplace, where the SCF-based content is restricted for sale within the GRC, or similar technology, platform.
Tier 1 SCF Commercial License
Graphically arranging existing SCF content for readability is not considered creating a derivative work. Many GRC platforms leverage the SCF and have flexibility into how SCF content is arranged as part of the user experience to support work flows.
  • Reproduce and Share the Licensed Material, in whole or in part; and
  • Produce, reproduce and share Adapted Material that is restricted to the following:
  • Custom-developed guidance on how to implement SCF controls (e.g., static answers, chatbot interaction, etc.) that includes:
  • Reformatting SCF controls or control questions into a questionnaire format for readability purposes (e.g., Third-Party Risk Management (TPRM) survey);
  • People, Processes, Technologies, Data & Facilities (PPTDF) applicability;
  • Risk calculators; and/or
  • Control deficiency guidance (e.g., possible compensating controls); and
  • Modify the following, existing SCF content:
  • Maturity-level criteria;
  • Possible solutions and considerations to implement SCF controls;
  • Risk and/or threat catalogs tied to SCF controls; and/or
  • Conformity Validation Criteria (CVC).
Tier 2 SCF Commercial License
The Tier 2 SCF Commercial License enables an organization (e.g., GRC platform) to leverage the SCF to:
  • Reproduce and Share the Licensed Material, in whole or in part; and
  • Produce, reproduce and share Adapted Material that is restricted to the following:
  • Custom-developed guidance on how to implement SCF controls (e.g., static answers, chatbot interaction, etc.) that includes:
  • Reformatting SCF controls or control questions into a questionnaire format for readability purposes (e.g., Third-Party Risk Management (TPRM) survey);
  • People, Processes, Technologies, Data & Facilities (PPTDF) applicability;
  • Risk calculators; and/or
  • Control deficiency guidance (e.g., possible compensating controls); and
  • Modify the following, existing SCF content:
  • Maturity-level criteria;
  • Possible solutions and considerations to implement SCF controls;
  • Risk and/or threat catalogs tied to SCF controls; and/or
  • Conformity Validation Criteria (CVC).
  • SCF-based:
  • Policies;
  • Control objectives;
  • Standards;
  • Guidelines;
  • Procedures; and/or
  • Metrics / analytics.
Prohibitions
SCF Licensing Prohibitions Overview
Prohibitions for Standard and Commercial Licenses
While an end user of the SCF is permitted modify content for their own internal use, the following prohibitions apply to both standard or commercial SCF licensees:
  • Creating and/or changing core SCF content, including
  • SCF Domain Name;
  • SCF Domain Acronym;
  • SCF Control Number;
  • SCF Control Name;
  • SCF Control Description;
  • SCF Assessment Objectives (AOs);
  • SCF Control Weighting values;
  • Evidence Request List (ERL) items; and
  • Mappings to Laws, Regulations and Frameworks (LRF).
  • New controls cannot be added to the SCF without the express, written authorization by the SCF Council:
  • New controls can be suggested for addition to the SCF control catalog.
  • The SCF releases quarterly updates and it welcomes customer feedback for updates / modifications to mappings.

Join 25,000+ GRC Professionals

Get the latest SCF updates, cybersecurity insights, and community news delivered to your inbox. You know you want to do it!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Controls are your security, compliance & resilience program - A control is the power to influence or direct behaviors and the course of events.

DOWNLOAD THE SCF

Start Here

What Is The SCF?How To Implement (SCRMS)Domains & PrinciplesLaws & Frameworks (LRF)Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations

Free Content

SCF DownloadRisk Management (SCR-RMM)Maturity Model (SCR-CMM)Assessment Standards (CDPAS)Mergers & Acquisitions (MA&D)Privacy Principles (DPMP)Evidence Request List (ERL)Scoping Guide (USG)

Resources

GRC FundamentalsSCF CertifiedMarketplaceFAQAboutBlog

Support

DonateVolunteer

© 2026 Secure Controls Framework Council, LLC. All rights reserved.

Terms & ConditionsPrivacyCookiesSitemap