SCF Errata

This page will be periodically updated with errata (e.g., edits or changes) to the Secure Controls Framework (SCF) that reflect both minor and major revisions to the SCF. This page lists the current version of errata that is pertinent to the latest version of the SCF. For historical errata, that can be obtained from the SCF GitHub repository - https://github.com/securecontrolsframework/securecontrolsframework

Current Release Errata

Version 2023.1 represents a major update, due to the inclusion of a new domain, as well as some other new content and minor refinements to improve readability. This version also includes a new Assessment Objectives (AOs) list that is intended to be used to help assess against controls to come to an objective determination if the intent of the control is or is not met.

Added Mapping:

NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0)
Australia ISM December 2022
CISA Cross-Sector Cybersecurity Performance Goals (CPG)
EU Digital Operational Resilience Act (DORA)
MPA Content Security Best Practices v5.1
SpainICT Security Guide CCN-STIC 825
Saudi ArabiaOperational Technology Cybersecurity Controls (OTCC -1: 2022)
TSA / DHS Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing)

Updated Mapping:

SCF-I (Cyber Insurance) baseline
NIST SP 800-171A (Assessment Objectives)
Virginia CDPA 2023 (numbering)

Threat Catalog:

MT-12: Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data
MT-13: Artificial Intelligence & Autonomous Technologies (AAT)

Risk Catalog:

R-AM-3: Emergent property and/or unintended consequences

Removed Mapping:

MPA Content Security Best Practices v4.1

Added Controls:

GOV-04.1
GOV-04.2
AAT-01
AAT-01.1
AAT-01.2
AAT-01.3
AAT-02
AAT-02.1
AAT-02.2
AAT-03
AAT-03.1
AAT-04
AAT-04.1
AAT-04.2
AAT-04.3
AAT-04.4
AAT-05
AAT-06
AAT-07
AAT-07.1
AAT-07.2
AAT-07.3
AAT-08
AAT-09
AAT-10
AAT-10.1
AAT-10.2
AAT-10.3
AAT-10.4
AAT-10.5
AAT-10.6
AAT-10.7
AAT-10.8
AAT-10.9
AAT-10.10
AAT-10.11
AAT-10.12
AAT-10.13
AAT-10.14
AAT-11
AAT-11.1
AAT-11.2
AAT-11.3
AAT-11.4
AAT-12
AAT-13
AAT-13.1
AAT-14
AAT-14.1
AAT-14.2
AAT-15
AAT-15.1
AAT-15.2
AAT-16
AAT-16.1
AAT-16.2
AAT-16.3
AAT-16.4
AAT-16.5
AAT-16.6
AAT-16.7
AAT-17
AAT-17.1
AAT-17.2
AAT-17.3
AAT-18
AAT-18.1
AST-31
AST-31.1
BCD-11.9
BCD-11.10
BCD-16
RSK-01.2
RSK-01.3
RSK-01.4
RSK-09.2
RSK-12
TPM-05.7

Renamed:

GOV-01
GOV-01.1
GOV-02
GOV-03
GOV-04
DCH-18.1
DCH-18.2
MON-03

Updated Mapping:

NIST SP 800-53 R5

TPM-05

NIST SP 800-171A

GOV-02
BCD-11.4
CPL-02
CFG-01
CFG-03
CFG-03.1
CFG-05
MON-01
MON-01.3
MON-01.8
MON-02
MON-02.1
MON-03
MON-03.2
MON-03.7
MON-07
MON-07.1
MON-10
CRY-01
CRY-01.1
CRY-04
CRY-05
DCH-01
DCH-03
DCH-09
DCH-10
DCH-10.2
END-01
END-03.2
END-04
END-04.1
END-04.7
HRS-01
HRS-05.1
HRS-07
HRS-08
HRS-09
IAC-02
IAC-03
IAC-05
IAC-06.1
IAC-06.2
IAC-06.3
IAC-10
IAC-10.1
IAC-15
IAC-15.3
IAC-20
IAC-21.4
IAC-21.5
IRO-01
IRO-10
IAO-02
IAO-03
IAO-05
MNT-02
MNT-04
MNT-04.2
MNT-05
MNT-06
MDM-03
NET-06
NET-13
PES-01
PES-03
PES-03.3
PES-05.2
PES-06
SEA-01
SAT-02
SAT-03
TDA-06
THR-03
VPM-01
VPM-02
VPM-05
VPM-06

Control Wordsmithing:

GOV-01.1
BCD-11.1
CLD-04
CFG-02
CRY-01.1
DCH-04.1
DCH-23.9
IAC-09.2
IAC-20.2
IRO-02.6
NET-02
NET-10.1
NET-15.1
PES-06.3
PES-18
PRI-07
PRI-07.1
PRM-02
RSK-02
SEA-08.1
VPM-06.7