
SCF Errata

This page will be periodically updated with errata (e.g., edits or changes) to the Secure Controls Framework (SCF) that reflect both minor and major revisions to the SCF. This page lists the current errata pertinent to the latest version of the SCF. Historical errata can be obtained from the SCF GitHub repository: https://github.com/securecontrolsframework/securecontrolsframework

Current Release Errata (2023-09-19)

Version 2023.3 represents a minor update. 

Added Mapping:

  • Australia Essential Eight
  • Canada OSFI B-13
  • Cybersecurity Maturity Model Certification (CMMC) 2.1 (draft release)
  • EU-US Data Privacy Framework
  • European Banking Authority (EBA) Guidelines on ICT and security risk management
  • FedRAMP R5
  • Kenya DPA 2019
  • MITRE ATT&CK
  • Nigeria DPR 2019
  • NIS2
  • NIST CSF v2.0 Initial Public Draft (IPD)
  • NSTC NSPM-33
  • PCI DSS Self-Assessment Questionnaires (SAQs)
  • Qatar PDPPL
  • Saudi Arabia SACS-002
  • SEC Cybersecurity Rule
  • Serbia 87/2018
  • SWIFT CSF 2023
  • UN R155
  • UK CAP 1850

Updated Mapping:

  • NIST SP 800-53 R5
    • GOV-02
    • GOV-03
    • BCD-11.4
    • CRY-01
    • CRY-05
    • CRY-05.2
    • NET-02.3
    • TDA-06.1
  • FAR 52.204-21
    • PES-04
    • PES-12
    • PES-12.1
    • PES-12.2
    • TPM-05.2
    • VPM-01
  • PCI DSS 4.0
    • VPM-01.1
    • VPM-02
    • VPM-06

Wordsmithing controls:

  • BCD-10.3 - Provider Contingency Plan
  • CHG-06 - Cybersecurity Functionality Verification
  • PRI-15 - Register As A Data Controller and/or Data Processor
  • RSK-01.3 - Risk Tolerance
  • RSK-01.4 - Risk Threshold
  • SEA-07.1 - Technology Lifecycle Management
  • SAT-03 - Role-Based Cybersecurity & Data Privacy Training
  • TDA-02.4 - Pre-Established Secure Configurations
  • TDA-12 - Customized Development of Critical Components
  • TDA-17 - Unsupported Systems
  • TPM-04.3 - Conflict of Interests

Renamed controls:

  • GOV-01 - Cybersecurity & Data Protection Governance Program
  • GOV-03 - Periodic Review & Update of Cybersecurity & Data Protection Program
  • CHG-02.3 - Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes
  • CPL-02 - Cybersecurity & Data Privacy Controls Oversight
  • CPL-03 - Cybersecurity & Data Privacy Assessments
  • CPL-03.2 - Functional Review Of Cybersecurity & Data Privacy Controls
  • CRY-10 - Transmission of Cybersecurity & Data Privacy Attributes
  • DCH-05 - Cybersecurity & Data Privacy Attributes
  • DCH-23.6 - Differential Data Privacy
  • HRS-13.2 - Identify Vital Cybersecurity & Data Privacy Staff
  • HRS-13.3 - Establish Redundancy for Vital Cybersecurity & Data Privacy Staff
  • IRO-02.4 - Incident Classification & Prioritization
  • PRI-01.3 - Dissemination of Data Privacy Program Information
  • PRI-07.1 - Data Privacy Requirements for Contractors & Service Providers
  • PRI-14 - Data Privacy Records & Reporting
  • PRI-15 - Register As A Data Controller and/or Data Processor
  • PRI-17.1 - Conspicuous Link To Data Privacy Notice
  • PRM-01 - Cybersecurity & Data Privacy Portfolio Management
  • PRM-02 - Cybersecurity & Data Privacy Resource Management
  • PRM-04 - Cybersecurity & Data Privacy In Project Management
  • PRM-05 - Cybersecurity & Data Privacy Requirements Definition
  • SAT-01 - Cybersecurity & Data Privacy-Minded Workforce
  • SAT-02 - Cybersecurity & Data Privacy Awareness Training
  • SAT-03 - Role-Based Cybersecurity & Data Privacy Training
  • SAT-03.4 - Vendor Cybersecurity & Data Privacy Training
  • SAT-03.7 - Continuing Professional Education (CPE) - Cybersecurity & Data Privacy Personnel
  • SAT-04 - Cybersecurity & Data Privacy Training Records
  • TDA-02.4 - Pre-Established Secure Configurations
  • TDA-02.7 - Cybersecurity & Data Privacy Representatives For Product Changes
  • TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development