Free? Yes! The resources in this section are 100% free to use. It is all released under Creative Commons licensing by the SCF Council. Download the full Common Controls Framework™ (CCF), maturity models, risk frameworks, evidence templates, and more. No registration. No paywall. No catch.
The primary SCF download contains the full 1,400+ control catalog with all 200+ framework mappings, maturity criteria, control weightings, risk catalog, threat catalog, and assessment guidance. Available in multiple formats including Excel (CSV) and NIST OSCAL JSON.
The SCF control catalog spans all 33 cybersecurity and data privacy domains, from Governance and Asset Management through Cloud Security and Privacy. Each control includes a unique SCF identifier, control objective, capability maturity criteria at each SCR-CMM level (1–5), proposed weighting, and threat/risk catalog crosswalks.
Every SCF control is mapped to all applicable laws, regulations, and frameworks using the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology. Mappings include NIST SP 800-53, NIST CSF 2.0, ISO 27001/2, CIS Controls v8, HIPAA, PCI DSS v4, SOC 2, CMMC 2.0, GDPR, CCPA/CPRA, DORA, NIS2, FedRAMP, and 185+ more.
The SCF’s NIST OSCAL JSON export enables machine-readable exchange of control catalogs and profiles. It supports native import into FedRAMP automation pipelines, automated compliance workflows, interoperability with OSCAL-compatible GRC tools, and machine-readable crosswalk data for automated gap analysis.
We do ask for your name and email, mainly so that we can alert you to changes that are pertinent to you as an SCF user. We release quarterly updates and send out a newsletter to announce those releases.
The Secure, Compliant & Resilient (SCR) resources give the SCF depth beyond basic controls. The maturity models and risk management frameworks integrate directly with the SCF control catalog.
The SCR-CMM defines six (6) maturity levels for every SCF control, from "Ad Hoc" (Level 1) through "Optimized" (Level 5). It gives organizations a precise benchmark for where their controls stand and what "right" looks like at each stage of program maturity.
The SCR-CMM is the only free, openly-licensed cybersecurity maturity model directly integrated with a 1,400+ control catalog. It enables organizations to produce board-level maturity scorecards without expensive consulting engagements.
The SCR-RMM describes how policies, standards, procedures, metrics, threats, and risks all connect through SCF controls as the central nexus. It is a structured risk management model that integrates directly with the SCF control catalog for risk-informed decision making.
The SCR-RMM enables organizations to move from checkbox compliance to genuine risk management. It helps you understand not just which controls are required, but which threats they address and what residual risk remains when controls are missing or immature.
The SCR models are a free differentiator unique to the SCF. No other free metaframework includes integrated capability maturity criteria and a risk management model covering 1,400+ controls.
Beyond the core control catalog, the SCF Council publishes specialized tools that support every phase of a cybersecurity program. All are free under Creative Commons licensing.
The CDPAS provides standardized assessment criteria for evaluating cybersecurity and data privacy programs against the SCF control catalog. Used by internal audit teams and third-party assessors to produce consistent, repeatable assessment results.
The CDPAS enables organizations to self-assess against the SCF using a structured observation-based methodology, producing defensible evidence of control effectiveness for regulators, insurers, and board audiences.
The ERL is a pre-built, comprehensive list of audit evidence items mapped to every SCF control. It tells auditors, assessors, and compliance teams exactly what documentation, configurations, and artifacts are needed to demonstrate control effectiveness.
The ERL eliminates the "what do you want to see?" ambiguity in audits. Both the assessed organization and the assessor start from the same, standardized evidence baseline, dramatically reducing audit preparation time and rework.
The USG provides structured guidance for defining assessment scope, which is the critical first step in any audit or compliance assessment. Proper scoping determines which systems, data flows, and processes are in-scope for each applicable law or framework.
The USG prevents both over-scoping (wasting resources assessing out-of-scope systems) and under-scoping (missing critical systems and creating audit exposure). It is essential for FedRAMP, PCI DSS, HIPAA, and SOC 2 engagements.
Domain-specific tools for organizations with unique compliance challenges, including M&A transactions, data privacy programs, and more.
The SCF MA&D toolkit provides specialized cybersecurity due diligence guidance for M&A transactions. It identifies the cybersecurity controls, data privacy obligations, and inherited risks that must be evaluated during any acquisition, merger, or divestiture process.
M&A transactions routinely expose acquiring organizations to inherited cybersecurity liabilities such as undisclosed breaches, non-compliant data practices, and technical debt. The SCF MA&D framework provides a structured methodology for evaluating and managing these risks before closing.
The DPMP provides structured guidance for building and operating a data privacy management program aligned with the SCF’s Privacy (PRI) domain. It covers GDPR, CCPA/CPRA, PIPEDA, and global privacy regulations through the lens of SCF controls.
The DPMP implements Privacy by Design (PbD) principles, helping organizations embed privacy requirements into systems, processes, and products from inception rather than retrofitting compliance after the fact. It covers DSARs, consent management, PIAs, DPIAs, and data retention.
We are committed to keeping the SCF a free resource for organizations to use. Therefore, we are using the Creative Commons Attribution-NoDerivatives 4.0 International Public License to help maintain the integrity of the SCF.
Attribution — You must give appropriate credit, provide a link to the license and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. Providing attribution is as simple as stating that SCF controls are used in the solution; for example, a GRC platform that includes SCF content is required to state that SCF controls are used.
NoDerivatives — If you remix, transform, or build upon the material, you may not distribute the modified material. For example, you are prohibited from leveraging SCF material to create a derivative solution (e.g., SCF 2.0). This prohibition on creating derivative works includes utilizing Artificial Intelligence (AI) (or similar technologies) to leverage SCF content to generate policies, standards, procedures, metrics, risks, threats or other derivative content. An organization needs to purchase a commercial license to offer derivative SCF content.
Unlike static frameworks that fall behind as laws change, the SCF is continuously updated. It is a true Living Control Set that evolves with the regulatory landscape.
When a new law is enacted, such as DORA, NIS2, state privacy laws, or sector-specific rules, the SCF is updated to map the new requirements to existing controls. Your organization's compliance coverage updates without rework.
When NIST releases CSF 2.0, ISO updates 27001, or CIS publishes new Controls, the SCF mappings are updated to reflect the new version. Never maintain separate crosswalk spreadsheets again.
New attack techniques, vulnerabilities, and threat patterns drive new control requirements. The SCF LCS incorporates these changes as expert volunteers identify gaps, ensuring controls stay relevant against real-world threats.
Downloaded the SCF? Here's what to do next, from implementation guidance to certification pathways.