Controls are your cybersecurity & data privacy program ---- A control is the power to influence or direct behaviors and the course of events.

SCF Cybersecurity Oversight, Resilience and Enablement (CORE)

The Secure Controls Framework Council (SCF Council) created the Cybersecurity Oversight, Resilience and Enablement (CORE) initiative as a means to help an organization tailor cybersecurity and data protection controls for its specific needs. The SCF Council has the following SCF CORE control sets on the roadmap for 2025:

  • SCF CORE Fundamentals (designed for smaller entities and Texas SB2610 compliance).
  • SCF CORE MA&D (designed for Mergers, Acquisitions & Divestitures (MA&D) activities).
  • SCF CORE AI-Enabled Operations (designed for entities that use AI in business operations).
  • SCF CORE AI Implementation (designed for entities that implement or customize an AI model for specific business purposes)
  • SCF CORE AI Developer (designed for entities that are solely engaged in algorithm design, training data labeling, feature extraction, model training and optimization, testing deployment, and related AI research and development)
  • SCF CORE External Service Provider (ESP) Level 1 – Foundational (industry agnostic, reasonable baseline for Managed Service Providers (MSP) and Managed Security Services Providers (MSSP)).
  • SCF CORE ESP Level 2 – Critical Infrastructure (builds on ESP Level 1 by addressing the protection of critical infrastructure assets, including Controlled Unclassified Information (CUI)).
  • SCF CORE ESP Level 3 – Advanced Threats (builds on ESP Level 2 by addressing Zero Trust (ZT) and Advanced Persistent Threats (APTs)).

As part of this initiative, we are pleased to announce the release of the SCF CORE Fundamentals, a tailored set of sixty-eight (68) controls that are specifically designed for smaller organizations to protect People, Processes, Technologies, Data and Facilities (PPTDF) against common threats. The SCF CORE Fundamentals is the first release in several planned control sets with the purpose of helping companies with cybersecurity governance. The SCF CORE Fundamentals controls are built into the SCF (column JV in the SCF 2025.2.2 release).

SCF CORE Fundamentals

SCF CORE Fundamentals Origin

The concept for SCF CORE Fundamentals came from Texas SB 2610 that named the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage. The law is the newest in a line of US State-level “cybersecurity safe harbor” laws that provide legal protection for businesses if at the time of the incident the business can prove it implemented reasonable cybersecurity practices. This type of legislation is meant to encourage Small and Medium Businesses (SMBs) to invest in cybersecurity to reduce legal exposure. This incentivization can enhance business resilience and that benefits the everyone involved.

The controls in the SCF CORE Fundamentals are scoped for SMBs and are designed to meet the requirements in Texas SB 2610:

  • Contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Section 542.004(1));
  • Protect the security of personal identifying information and sensitive personal information (Section 542.004(3)(a));
  • Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information(Section 542.003(4)(b)); and
  • Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Section 542.004(3)(c)).

Not only is Texas SB2610 a safe harbor to protect businesses from lawsuits, it creates a hard set of requirements that will determine the threshold for negligence. This is a “double edged sword” from the perspective that it protects businesses doing the right thing, but can also be used to easily demonstrate negligence if a business fails to implement reasonable practices.

Leveraging the Creative Commons licensing model, there is no cost for organizations to use SCF content. This further removes barriers to entry for businesses to improve their cybersecurity capabilities.

Adequate and Reasonable Cybersecurity Controls That Are Tailored For SMBs

Implementing cybersecurity has to be attainable for SMBs and the SCF CORE Fundamentals control set is designed to enable smaller organizations to successfully implement and maintain fundamental cybersecurity practices. This control set includes many of the requirements found in the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), so the SCF CORE Fundamentals can be an excellent starting point towards a path of maturity towards NIST CSF 2.0 alignment. SMBs have to start somewhere and the SCF CORE Fundamentals makes for an achievable objective in cybersecurity.

SCF CORE Fundamentals Roadmap

While the control catalog of the SCF contains 1,342 unique controls, the 68 controls of the SCF CORE Fundamentals represents a mere 5% of the SCF and that is by design. Ever since the SCF was first released in 2018, there has never been an expectation for any organization, regardless of its size or industry, to implement every SCF control. The reason is simple - the SCF was designed to be tailored to an organization’s specific needs, based on “must have” versus “nice to have” requirements:

  • Minimum Compliance Requirements (MCR) are the absolute minimum requirements that must be addressed to comply with applicable laws, regulations and contracts.
  • Discretionary Security Requirements (DSR) are tied to the organization’s risk appetite since DSR are “above and beyond” MCR, where the organization self-identifies additional cybersecurity and data protection controls to address voluntary industry practices or internal requirements, such as findings from internal audits or risk assessments.

Plan, Do, Check & Act (PDCA) Approach To Cybersecurity

This concept of scoping the SCF is described in the SCF’s Integrated Controls Management (ICM) model. The ICM utilizes a Plan, Do, Check & Act (PDCA) approach that is a logical way to design a cybersecurity governance structure:

  • Plan. The overall cybersecurity governance process beings with planning. This planning will define the policies, standards and controls for the organization. It will also directly influence the tools and services that an organization purchases, since technology purchases should address needs that are defined by policies and standards.
  • Do. Arguably, this is the most important section for cybersecurity practitioners. Controls are the “security glue” that make processes, applications, systems and services secure. Procedures (also referred to as control activities) are the processes in which the controls are actually implemented and performed.
  • Check. In simple terms, this is situational awareness. Situational awareness is only achieved through reporting through metrics and reviewing the results of audits/assessments.
  • Act. This is essentially risk management, which is an encompassing area that deals with addressing two main concepts (1) real deficiencies that currently exist and (2) possible threats to the organization.

SCF CORE Fundamentals Coverage

The SCF CORE Fundamentals covers twenty (20) domains and contains sixty-eight (68) controls:

  • Cybersecurity & Data Protection Governance Domain (GOV)
    • GOV-02. Publishing Cybersecurity & Data Protection Documentation
    • GOV-04. Assigned Cybersecurity & Data Protection Responsibilities
    • GOV-15. Operationalizing Cybersecurity & Data Protection Practices
  • Asset Management Domain (AST)
    • AST-02. Asset Inventories
    • AST-02.8. Data Action Mapping
    • AST-04. Network Diagrams & Data Flow Diagrams (DFDs)
    • AST-09. Secure Disposal, Destruction or Re-Use of Equipment
    • AST-16. Bring Your Own Device (BYOD) Usage
  • Business Continuity & Disaster Recovery Domain (BCD)
    • BCD-04. Contingency Plan Testing & Exercises
    • BCD-11. Data Backups
  • Change Management Domain (CHG)
    • CHG-02. Configuration Change Control
    • CHG-03. Security Impact Analysis for Changes
  • Cloud Security Domain (CLD)
    • CLD-01. Cloud Services
    • CLD-10. Sensitive Data In Public Cloud Providers
  • Compliance Domain (CPL)
    • CPL-01. Statutory, Regulatory & Contractual Compliance
  • Configuration Management Domain (CPL)
    • CFG-02. System Hardening Through Baseline Configurations
    • CFG-03. Least Functionality
  • Continuous Monitoring Domain (MON)
    • MON-01.8. Security Event Monitoring
    • MON-03. Content of Event Logs
    • MON-16. Anomalous Behavior
  • Cryptographic Protections Domain (CRY)
    • CRY-03. Transmission Confidentiality
    • CRY-05. Encrypting Data At Rest
    • CRY-09. Cryptographic Key Management
  • Data Classification & Handling Domain (DCH)
    • DCH-01.2. Sensitive / Regulated Data Protection
    • DCH-01.4. Defining Access Authorizations for Sensitive/Regulated Data
    • DCH-02. Data & Asset Classification
    • DCH-13. Use of External Information Systems
    • DCH-17. Ad-Hoc Transfers
  • Endpoint Security Domain (END)
    • END-04. Malicious Code Protection (Anti-Malware)
    • END-08. Phishing & Spam Protection
  • Human Resources Security Domain (HRS)
    • HRS-04. Personnel Screening
    • HRS-05. Terms of Employment
  • Identification & Authentication Domain (IAC)
    • IAC-01.3. User & Service Account Inventories
    • IAC-06. Multi-Factor Authentication (MFA)
    • IAC-07. User Provisioning & De-Provisioning
    • IAC-08. Role-Based Access Control (RBAC)
    • IAC-10. Authenticator Management
    • IAC-10.8. Default Authenticators
    • IAC-15. Account Management
    • IAC-16. Privileged Account Management (PAM)
    • IAC-17. Periodic Review of Account Privileges
    • IAC-21. Least Privilege
  • Incident Response Domain (IRO)
    • IRO-02. Incident Handling
    • IRO-04. Incident Response Plan (IRP)
  • Network Security Domain (NET)
    • NET-02. Layered Network Defenses
    • NET-02.2. Guest Networks
    • NET-03. Boundary Protection
    • NET-04. Data Flow Enforcement – Access Control Lists (ACLs)
    • NET-14. Remote Access
    • NET-14.5. Work From Anywhere (WFA) - Telecommuting Security
    • NET-15. Wireless Networking
    • NET-18. DNS & Content Filtering
  • Physical & Environmental Security Domain (PES)
    • PES-02. Physical Access Authorizations
    • PES-03. Physical Access Control
    • PES-06. Visitor Control
  • Risk Management Domain (RSK)
    • RSK-03. Risk Identification
    • RSK-04. Risk Assessment
    • RSK-04.1. Risk Register
    • RSK-06. Risk Remediation
  • Security Awareness & Training Domain (SAT)
    • SAT-02. Cybersecurity & Data Privacy Awareness Training
  • Third-Party Management Domain (TPM)
    • TPM-01.1. Third-Party Inventories
    • TPM-03. Supply Chain Risk Management (SCRM)
    • TPM-05. Third-Party Contract Requirements
    • TPM-05.4. Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix
    • TPM-08. Review of Third-Party Services
  • Vulnerability & Patch Management Domain (VPM)
    • VPM-02. Vulnerability Remediation Process
    • VPM-05. Software & Firmware Patching
    • VPM-06. Vulnerability Scanning

Clear Use Case For Third-Party Risk Management (TPRM)

The SCF CORE Fundamentals can serve as a baseline for Third-Party Risk Management (TPRM) to evaluate an organization’s supply chain. Businesses struggle with trying to find the right questions to leverage for risk analysis purposes. The SCF has control questions written for all of its controls, so the SCF CORE Fundamentals is already available in question format. There are also:

  • Control weighting to determine how important each control is;
  • An Evidence Request List (ERL) that identifies reasonable evidence to ask for to evaluate a control;
  • Assessment Objectives (AOs) that can be used to objectively evaluate each control; and
  • A risk and threat catalog to understand the risks and threats associated with each control.

Third-Party Assessable

The SCF Conformity Assessment Program (SCF CAP) published an assessment guide for the SCF CORE Fundamentals, so a business can obtain a third-party certification to demonstrate conformity with those controls. This is a great feature for businesses that want assurance that the controls are implemented and operating as expected, so a SCF Certified – CORE Fundamentals certification carries far more validity than a self-assessment. For laws such as the Texas SB 2610, having third-party validated conformity can be valuable in case there is an incident and it is necessary for the business to prove it was compliant with expected security practices at the time of the incident.

© 2025 Secure Controls Framework All rights reserved. | Sitemap