Secure Controls Framework
Download The SCF
Start Here
Free Content
GRC Fundamentals
SCF Certified
Marketplace
Free Content

SCR-RMM: Risk Management Model

The Secure, Compliant & Resilient Risk Management Model (SCR-RMM) is a free, structured methodology to identify, assess, report and mitigate risk. Jointly developed by ComplianceForge and the SCF Council, the SCR-RMM breaks risk management down into seventeen (17) distinctive steps, from establishing risk management principles through implementing and documenting risk treatment.

17
Risk Steps
27
Threats Cataloged
4
Risk Determinations
FREE
Creative Commons
Download the SCR-RMM
Browse Free Content
About SCR-RMM

An Efficient Methodology to Identify, Assess, Report & Mitigate Risk

The concept of creating the SCR-RMM was to establish an efficient methodology to identify, assess, report and mitigate risk across the entire organization. The project was a collaboration between ComplianceForge and the SCF, approached from the perspective of asking: "How should I manage risk?"

The SCR-RMM is designed to be an integral tool of an organization's ability to demonstrate evidence of due diligence and due care. This not only benefits your organization by having solid risk management practices, but it can also serve as a way to reduce risk for those who have to initiate the hard discussions on risk management topics.

The most important concept to understand is that cybersecurity and IT departments generally do not "own" technology-related risks. That "risk ownership" primarily resides with Line of Business (LOB) management. The SCR-RMM exists to help cybersecurity and data privacy functions create a repeatable methodology that guides the decision to a risk treatment option: reduce, avoid, transfer, or accept.

"Don't Shoot The Messenger" Protections

Quality risk management documentation can prove that reasonable steps were taken to identify, assess, report and mitigate risk. This provides evidence of due diligence and due care that firmly puts responsibility back on the management that "owns" the risk.

Risk Management Hierarchy

Strategic, Operational & Tactical Risk Considerations

The SCR-RMM integrates risk management with business planning at three levels: strategic, operational, and tactical. Each level has distinct risk management considerations and decision-making authority. If you worry about having to preface risk management discussions with, “Please don't shoot the messenger!” then the SCR-RMM can be an additional layer of protection for your professional reputation. Where the SCR-RMM benefits security, technology and privacy personnel is the potential “get out of jail” documentation that quality risk assessments and risk management practices can provide. Just like with compliance documentation, if risk management discussions are not documented then risk management practices do not exist.

Instead of executive leadership hanging blame on the CIO or CISO, quality risk management documentation can prove that reasonable steps were taken to identify, assess, report and mitigate risk. This type of documentation can provide evidence of due diligence and due care on the part of the CIO/CISO/CRO, which firmly puts the responsibility back on the management of the team/department/line of business that “owns” the risk.

Based on the applicable statutory, regulatory and contractual obligations that impact the scope of a risk assessment, an organization is expected to have an applicable set of cybersecurity and data privacy controls to cover those needs.

SCR Risk Management Model (SCR-RMM) product card showing ComplianceForge and SCF logos with Security Compliant Resilient branding and link to view example PDF

Strategic (Risk Appetite)

Risk appetite is defined at the corporate level. It affects strategic actions and decisions that define the types and amount of risk an organization is willing to accept. Strategic risk management considers organizational objectives, mergers & acquisitions, competitive advantage, and the overall cybersecurity program.

  • Mission & Vision
  • Strategy
  • Compliance Obligations
  • Risk Appetite

Operational (Risk Tolerance)

Risk tolerance is put into practice at the Line of Business (LOB) level. It affects operational actions, decisions and resource allocation. Operational risk management considers LOB objectives, capability maturity targets, resource prioritization, and the level of risk the entity is willing to assume.

  • LOB Objectives
  • Capability Maturity Targets
  • Resource Prioritization
  • Risk Tolerance

Tactical (Risk Thresholds)

Risk thresholds affect actions and decisions at the department and team levels. They influence processes, technologies, staffing levels, and the supply chain. Defined risk thresholds provide concrete criteria to assess operational risks that exist in the course of conducting business.

  • Processes & Technologies
  • Staffing & Supply Chain
  • Compliance Obligations
  • Risk Appetite
SCR-RMM Process

Seventeen Steps, Start to Finish

The SCR-RMM breaks risk management down into 17 distinctive steps, providing coverage from start to finish. This spans from establishing risk management principles through implementing and documenting risk treatment.

Step
Name
Activity
1
Identify Risk Management Principles
Establish the foundational risk management principles that will govern the organization's approach.
2
Identify, Implement & Document Critical Dependencies
Identify risk management dependencies (2A), technology dependencies (2B), and business dependencies (2C).
3
Formalize Risk Management Practices
Establish formal, documented risk management practices integrated into business-as-usual activities.
4
Establish a Risk Catalog
Define the applicable risks based on control deficiencies, organized by grouping (Access Control, Asset Management, Business Continuity, Exposure, Governance, Incident Response, Situational Awareness, Supply Chain).
5
Establish a Threat Catalog
Identify natural threats (5A) and man-made threats (5B) that affect the ability of controls to exist or operate properly.
6
Establish a Controls Catalog
Define the applicable set of cybersecurity and data privacy controls based on statutory, regulatory, and contractual obligations.
7
Define CMM Targets
Set Capability Maturity Model targets for the organization's controls using the SCR-CMM.
8
Define Assessment Rigor
Select the appropriate rigor level: Standard (8A), Enhanced (8B), or Comprehensive (8C).
9
Establish Context for Assessing Risks
Establish the organizational and environmental context for the risk assessment.
10
Conformity Assessment (Controls Gap Assessment)
Conduct the gap assessment against the controls catalog to identify deficiencies.
11
Control Assessment Methods & Findings
Apply assessment methods (11A), methodologies (11B), and document assessment findings (11C).
12
Determine Risk Exposure
Calculate Impact Effect (12A), Occurrence Likelihood (12B), Inherent Risk (12C), and Residual Risk (12D).
13
Prioritize & Document Identified Deficiencies
Prioritize findings based on risk exposure and document all identified deficiencies.
14
Risk Determination: Report on Conformity (ROC)
Categorize results as: Strictly Conforms (14A), Conforms (14B), Significant Deficiency (14C), or Material Weakness (14D).
15
Identify the Appropriate Management Audience
Determine which level of management has legitimate authority for risk decisions.
16
Management Determines Risk Treatment
LOB management decides: reduce, avoid, transfer, or accept the risk.
17
Implement & Document Risk Treatment
Cybersecurity and data protection practitioners implement and document the selected treatment.
SCR-RMM example PDF preview showing the cyber risk management workflow with risk assessment matrices, threat mapping diagrams, control selection flowcharts, and risk scoring tables used in the Secure Controls Framework
SCF Threat Catalog

Natural & Man-Made Threats

The SCF Threat Catalog answers the question: "What natural and man-made threats affect control execution?" If the threat materializes, will the control function as expected? A threat is a person or thing likely to cause damage or danger. A risk exists due to the absence of or a deficiency with a control. The SCR-RMM catalogs both to provide complete risk coverage.

Natural Threats
Man-Made Threats
Threat
#
Threat Name
Threat Description
NT-1
Drought & Water Shortage
Regardless of geographic location, periods of reduced rainfall are expected. For non-agricultural industries, drought may not be impactful to operations until it reaches the extent of water rationing.
NT-2
Earthquakes
Earthquakes are sudden rolling or shaking events caused by movement under the earth’s surface. Although earthquakes usually last less than one minute, the scope of devastation can be widespread and have long-lasting impact.
NT-3
Fire & Wildfires
Regardless of geographic location or even building material, fire is a concern for every business. When thinking of a fire in a building, envision a total loss to all technology hardware, including backup tapes, and all paper files being consumed in the fire.
NT-4
Floods
Flooding is the most common of natural hazards and requires an understanding of the local environment, including floodplains and the frequency of flooding events. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
NT-5
Hurricanes & Tropical Storms
Hurricanes and tropical storms are among the most powerful natural disasters because of their size and destructive potential. In addition to high winds, regional flooding and infrastructure damage should be considered when assessing hurricanes and tropical storms.
NT-6
Landslides & Debris Flow
Landslides occur throughout the world and can be caused by a variety of factors including earthquakes, storms, volcanic eruptions, fire, and by human modification of land. Landslides can occur quickly, often with little notice. Location of critical technologies should be considered (e.g., server room is in the basement or first floor of the facility).
NT-7
Pandemic (Disease) Outbreaks
Due to the wide variety of possible scenarios, consideration should be given both to the magnitude of what can reasonably happen during a pandemic outbreak (e.g., COVID-19, Influenza, SARS, Ebola, etc.) and what actions the business can be taken to help lessen the impact of a pandemic on operations.
NT-8
Severe Weather
Severe weather is a broad category of meteorological events that include events that range from damaging winds to hail.
NT-9
Space Weather
Space weather includes natural events in space that can affect the near-earth environment and satellites. Most commonly, this is associated with solar flares from the Sun, so an understanding of how solar flares may impact the business is of critical importance in assessing this threat.
NT-10
Thunderstorms & Lightning
Thunderstorms are most prevalent in the spring and summer months and generally occur during the afternoon and evening hours, but they can occur year-round and at all hours. Many hazardous weather events are associated with thunderstorms. Under the right conditions, rainfall from thunderstorms causes flash flooding and lightning is responsible for equipment damage, fires and fatalities.
NT-11
Tornadoes
Tornadoes occur in many parts of the world, including the US, Australia, Europe, Africa, Asia, and South America. Tornadoes can happen at any time of year and occur at any time of day or night, but most tornadoes occur between 4–9 p.m. Tornadoes (with winds up to about 300 mph) can destroy all but the best-built man-made structures.
NT-12
Tsunamis
All tsunamis are potentially dangerous, even though they may not damage every coastline they strike. A tsunami can strike anywhere along most of the US coastline. The most destructive tsunamis have occurred along the coasts of California, Oregon, Washington, Alaska and Hawaii.
NT-13
Volcanoes
While volcanoes are geographically fixed objects, volcanic fallout can have significant downwind impacts for thousands of miles. Far outside of the blast zone, volcanoes can significantly damage or degrade transportation systems and also cause electrical grids to fail.
NT-14
Winter Storms & Extreme Cold
Winter storms is a broad category of meteorological events that include events that range from ice storms, to heavy snowfall, to unseasonably (e.g., record breaking) cold temperatures. Winter storms can significantly impact business operations and transportation systems over a wide geographic region.
Threat
#
Threat Name
Threat Description
MT-1
Civil or Political Unrest
Civil or political unrest can be singular or wide-spread events that can be unexpected and unpredictable. These events can occur anywhere, at any time.
MT-2
Hacking & Other Cybersecurity Crimes
Unlike physical threats that prompt immediate action (e.g., "stop, drop, and roll" in the event of a fire), cyber incidents are often difficult to identify as the incident is occurring. Detection generally occurs after the incident has occurred, with the exception of "denial of service" attacks. The spectrum of cybersecurity risks is limitless and threats can have wide-ranging effects on the individual, organizational, geographic, and national levels.
MT-3
Hazardous Materials Emergencies
Hazardous materials emergencies are focused on accidental disasters that occur in industrialized nations. These incidents can range from industrial chemical spills to groundwater contamination.
MT-4
Nuclear, Biological and Chemical (NBC) Weapons
The use of NBC weapons are in the possible arsenals of international terrorists and it must be a consideration. Terrorist use of a "dirty bomb" is considered far more likely than use of a traditional nuclear explosive device. This may be a combination a conventional explosive device with radioactive / chemical / biological material and be designed to scatter lethal and sub-lethal amounts of material over a wide area.
MT-5
Physical Crime
Physical crime includes "traditional" crimes of opportunity. These incidents can range from theft, to vandalism, riots, looting, arson and other forms of criminal activities.
MT-6
Terrorism & Armed Attacks
Armed attacks, regardless of the motivation of the attacker, can impact a businesses. Scenarios can range from single actors (e.g., "disgruntled" employee) all the way to a coordinated terrorist attack by multiple assailants. These incidents can range from the use of blade weapons (e.g., knives), blunt objects (e.g., clubs), to firearms and explosives.
MT-7
Utility Service Disruption
Utility service disruptions are focused on the sustained loss of electricity, Internet, natural gas, water, and/or sanitation services. These incidents can have a variety of causes but directly impact the fulfillment of utility services that your business needs to operate.
MT-8
Dysfunctional Management Practices
Dysfunctional management practices are a manmade threat that expose an organization to significant risk. The threat stems from the inability of weak, ineffective and/or incompetent management to (1) make a risk-based decision and (2) support that decision. The resulting risk manifests due (1) an absence of a required control or (2) a control deficiency.
MT-9
Human Error
Human error is a broad category that includes non-malicious actions that are unexpected and unpredictable by humans. These incidents can range from misconfigurations, to misunderstandings or other unintentional accidents.
MT-10
Technical / Mechanical Failure
Technical /mechanical failure is a broad category that includes non-malicious failure due to a defect in the technology, materials or workmanship. Technical / mechanical failures are unexpected and unpredictable, even when routine and preventative maintenance is performed. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life).
MT-11
Statutory / Regulatory / Contractual Obligation
Laws, regulations and/or contractual obligations that directly or indirectly weaken an organization's security & privacy controls. This includes hostile nation states that leverage statutory and/or regulatory means for economic or political espionage and/or cyberwarfare activities.
MT-12
Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) Data
Redundant, Obsolete/Outdated, Toxic or Trivial (ROT) data is information an organization utilizes for business processes even though the data is untrustworthy, due to the data's currency, accuracy, integrity and/or applicability.
MT-13
Artificial Intelligence & Autonomous Technologies (AAT)
Artificial Intelligence & Autonomous Technologies (AAT) is a broad category that range from non-malicious failure due to a defect in the algorithm to emergent properties or unintended consequences. AAT failures can be due to hardware failures, inherent biases or other flaws in the underlying algorithm. These incidents can range from malfunctions, to reliability concerns to catastrophic damage (including loss of life).
MT-14
Fraud, Corruption and/or Willful Criminal Conduct
Willful criminal conduct is a broad category that includes consciously-committed criminal acts performed by individuals (e.g., mens rea). These incidents can include a wide-range of activities that includes fraud, corruption, theft and illegal content. Criminal conduct generally involves one of the following kinds of mens rea: (1) intent, (2) knowledge, (3) recklessness and/or (4) negligence.
MT-15
Conflict of Interest (COI)
Conflict of Interest (COI) is a broad category but pertains to an ethical incompatibility. COI exist when (1) the concerns or goals of different parties are incompatible or (2) a person in a decision-making position is able to derive personal benefit from actions taken or decisions made in their official capacity.
MT-16
Macroeconomics
Macroeconomic factors that can negatively affect the global supply chain. Macroeconomic factors directly impact unemployment rates, interest rates, exchange rates and commodity prices. Due to how fiscal and monetary policies can negatively affect the global supply chain, this can disrupt or degrade an organization's business operations.
MT-17
Foreign Ownership, Control, or Influence (FOCI)
Foreign Ownership, Control, or Influence (FOCI) is a Supply Chain Risk Management (SCRM) threat category that pertains to the ownership of, control of, or influence over an organization. Primarily, the concern is if a foreign interest (e.g., foreign government or parties owned or controlled by a foreign government) has the direct or indirect ability to influence decisions that affect the management or operations of the organization.
MT-18
Geopolitical
Geopolitical is a Supply Chain Risk Management (SCRM) threat category that pertains to a specific geographic location, or region of relevance, that affects the supply chain. Primarily, the concern is if a foreign state can affect the supply chain through political intervention within the host nation.
MT-19
Sanctions
Sanctions is a Supply Chain Risk Management (SCRM) threat category that pertains to past or present fraudulent activity or corruption. Primarily, the concern is if the third-party is subject to suspension, exclusion or other sanctions that can affect the supply chain.
MT-20
Counterfeit / Non-Conforming Products
Counterfeit / Non-Conforming Products is a Supply Chain Risk Management (SCRM) threat category that pertains to the integrity of components within the supply chain. Counterfeits are products introduced to the supply chain that falsely claim to be produced by the legitimate Original Equipment Manufacturer (OEM), whereas non-conforming are OEM products / materials that fail to meet the customer specifications. Both can have a detrimental effect on the supply chain.
MT-21
Operational Environment
Operational Environment is a Supply Chain Risk Management (SCRM) threat category that pertains to the user environment (e.g., place of performance). Primarily, the concern is if the operational environment is hazardous that could expose the organization operationally or financially.
MT-22
Manufacturing & Supply
Manufacturing & Supply is a Supply Chain Risk Management (SCRM) threat category pertaining to interdependencies related to data, systems and mission functions. Concerns include the availability of supply, capacity to surge, sole-source and concentration within or over-reliance on a single source.

At issue is a single supplier or sector/market that is incapable of meeting market demand. This can be due to reduced throughput or production delays caused by capacity constraints, obsolescence, industrial limitations, market conditions, disrupted material delivery and other conditions.
MT-23
Product Quality & Design
Product Quality & Design s a Supply Chain Risk Management (SCRM) threat category that pertains to inherent design and quality problems (e.g., raw materials, ingredients, production, logistics, packaging) that result in the product and/or service failing to meet performance specifications and quality standards. This includes an understanding of the quality assurance practices associated with preventing mistakes or defects in manufactured/ developed products and avoiding problems when delivering solutions or services to customers.
MT-24
Financial
Financial is a Supply Chain Risk Management (SCRM) threat category that pertains to financial distress that can lead to the inability to meet contractual obligations, hostile takeovers, or bankruptcy. This involves situations where a supplier cannot generate revenue or income resulting in the inability to meet financial obligations.
MT-25
Human Capital
Human Capital is a threat category that pertains to human skills, knowledge and actions that may impact a market's ability to produce goods and/or services to meet demand. This includes industrial disputes, labor availability and unrest, attrition of required skills and consumer behavior that disrupts a given market or industry.
MT-26
Transportation & Distribution
Transportation & Distribution is a threat category that pertains to dynamic disruptions within the transportation and logistics of moving a product from one point to another. The transportation industry is among the most risk-prone of all industries due to accidents, losses of cargo, driver shortages and deteriorating infrastructure. These risks can cause shipment delays, supply chain disruptions, increased costs and damaged reputations. In addition, the inability to predict and plan for disruptions in the logistics plan presents risk in meeting delivery requirements and maintaining operations.
MT-27
Infrastructure
Infrastructure is a threat category that pertains to the availability and functioning of fundamental facilities and systems necessary to support an industry and its supply chains within a country. This includes buildings, transportation networks, utilities and equipment. Additionally, this includes how well those facilities and systems are protected from both natural and man-made threats.SCF Risk Catalog
SCF Risk Catalog

Risk Categories: What Happens When Controls Fail

The SCF Risk Catalog answers: "What are the risks associated with a control deficiency?" If the control fails, what risk(s) is the organization exposed to? Risks are organized into eight groupings.

Access Control
Asset Management
Business Continuity
Exposure
Governance
Incident Response
Situational Awareness
Supply Chain
Risk #
Risk Name
Risk Description
R-AC-1
Inability to maintain individual accountability
The inability to maintain accountability (e.g., asset ownership, non-repudiation of actions or inactions, etc.).
R-AC-2
Improper assignment of privileged functions
The inability to implement least privileges (e.g., Role-Based Access Control (RBAC), Privileged Account Management (PAM), etc.).
R-AC-3
Privilege escalation
The inability to restrict access to privileged functions.
R-AC-4
Unauthorized access
The inability to restrict access to only authorized individuals, groups or services.
Risk #
Risk Name
Risk Description
R-AM-1
Lost, damaged or stolen asset(s)
Lost, damaged or stolen assets.
R-AM-2
Loss of integrity through unauthorized changes
Unauthorized changes that corrupt the integrity of the system / application / service.
R-AM-3
Emergent properties and/or unintended consequences
Emergent properties and/or unintended consequences from Artificial Intelligence & Autonomous Technologies (AAT).
Risk #
Risk Name
Risk Description
R-BC-1
Business interruption
Increased latency, or a service outage, that negatively impact business operations.
R-BC-2
Data loss / corruption
The inability to maintain the confidentiality of the data (compromise) or prevent data corruption (loss).
R-BC-3
Reduction in productivity
Diminished user productivity.
R-BC-4
Information loss / corruption or system compromise due to technical attack
A technical attack that compromises data, systems, applications or services (e.g., malware, phishing, hacking, etc.).
R-BC-5
Information loss / corruption or system compromise due to non-technical attack
A non-technical attack that compromises data, systems, applications or services (e.g., social engineering, sabotage, etc.).
Risk #
Risk Name
Risk Description
R-EX-1
Loss of revenue
A negatively impact on the ability to generate revenue (e.g., a loss of clients or an inability to generate future revenue).
R-EX-2
Cancelled contract
A cancelled contract with a client or other entity for cause (e.g., failure to fulfill obligations for secure practices).
R-EX-3
Diminished competitive advantage
Diminished competitive advantage (e.g., lose market share, internal dysfunction, etc.).
R-EX-4
Diminished reputation
Diminished brand value (e.g., tarnished reputation).
R-EX-5
Fines and judgements
Financial damages due to fines and/or judgements from statutory / regulatory / contractual non-compliance.
R-EX-6
Unmitigated vulnerabilities
Unmitigated technical vulnerabilities that lack compensating controls or other mitigation actions.
R-EX-7
System compromise
A compromise of a system, application or service that affects confidentiality, integrity, availability and/or safety.
Risk #
Risk Name
Risk Description
R-GV-1
Inability to support business processes
Insufficient cybersecurity and/or privacy practices that cannot securely support the organization's technologies & processes.
R-GV-2
Incorrect controls scoping
Missing or incorrect cybersecurity and/or privacy controls due to incorrect or inadequate control scoping practices.
R-GV-3
Lack of roles & responsibilities
Insufficient cybersecurity and/or privacy roles & responsibilities that cannot securely support the organization's technologies & processes.
R-GV-4
Inadequate internal practices
Insufficient cybersecurity and/or privacy practices that can securely support the organization's technologies & processes.
R-GV-5
Inadequate third-party practices
Insufficient Cybersecurity Supply Chain Risk Management (C-SCRM) practices that cannot securely support the organization's technologies & processes.
R-GV-6
Lack of oversight of internal controls
The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls.
R-GV-7
Lack of oversight of third-party controls
The inability to demonstrate appropriate evidence of due diligence and due care in overseeing the organization's internal cybersecurity and/or privacy controls.
R-GV-8
Illegal content or abusive action
Disruptive content or actions that negatively affect business operations (e.g., abusive content, harmful speech, threats of violence, illegal content, etc.).
Risk #
Risk Name
Risk Description
R-IR-1
Inability to investigate / prosecute incidents
Insufficient incident response practices that prevent the organization from investigating and/or prosecuting incidents (e.g., chain of custody corruption, available sources of evidence, etc.).
R-IR-2
Improper response to incidents
The inability to appropriately respond to incidents in a timely manner.
R-IR-3
Ineffective remediation actions
The inability to ensure incident response actions were correct and/or effective.
R-IR-4
Expense associated with managing a loss event
Financial repercussions from responding to an incident or loss.
Risk #
Risk Name
Risk Description
R-SA-1
Inability to maintain situational awareness
The inability to detect cybersecurity and/or privacy incidents (e.g., a lack of situational awareness).
R-SA-2
Lack of a security-minded workforce
The inability to appropriately educate and train personnel to foster a security-minded workforce.
Risk #
Risk Name
Risk Description
R-SC-1
Third-party cybersecurity exposure
Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from third-party cybersecurity practices, vulnerabilities and/or incidents that affects the supply chain through impacted products and/or services.
R-SC-2
Third-party physical security exposure
Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from physical security exposure of third-party structures, facilities and/or other physical assets that affects the supply chain through impacted products and/or services.
R-SC-3
Third-party supply chain relationships, visibility and controls
Loss of Confidentiality, Integrity, Availability and/or Safety (CIAS) from "downstream" third-party relationships, visibility and controls that affect the supply chain through impacted products and/or services.
R-SC-4
Third-party compliance / legal exposure
The inability to maintain compliance due to third-party non-compliance, criminal acts, or other relevant legal action(s).
R-SC-5
Use of product / service
The misuse of the product / service in a manner that it was not designed or how it was approved for use.
R-SC-6
Reliance on the third-party
The inability to continue business operations, due to the reliance on the third-party product and/or service.
Risk Determinations

Four Risk Conformity Designations

The goal of the SCR-RMM is to categorize risk assessment results according to one of four risk determinations, normalizing the terminology associated with the level of conformity an organization achieves to its applicable cybersecurity and data protection controls.

1

Strictly Conforms

The organization demonstrates full conformity to all applicable controls with no identified deficiencies.

2

Conforms

The organization demonstrates conformity with minor deficiencies that do not materially impact the overall risk posture.

3

Significant Deficiency

One or more identified control deficiencies that, individually or in combination, are less severe than a material weakness but significant enough to warrant attention.

4

Material Weakness

A deficiency, or combination of deficiencies, where reasonable threats will not be prevented or detected in a timely manner, directly affecting assurance that the organization can adhere to its stated risk tolerance.

SCF Tool Integration

SCR-RMM Works With the SCF Ecosystem

The SCR-RMM integrates with the full SCF assessment ecosystem. Each SCF tool plays a specific role in the risk management process.

SCR-CMM Maturity Model

Step 7 of the SCR-RMM uses the SCR-CMM to define capability maturity targets. CMM scores directly inform risk exposure calculations in Step 12. The maturity level determines how effectively controls mitigate identified risks.

Learn About SCR-CMM →

SCF Control Catalog

Step 6 establishes the controls catalog from the SCF's 1,400+ controls. Every risk in the Risk Catalog and every threat in the Threat Catalog maps directly to SCF controls, providing complete linkage from risk to treatment.

Download the SCF

CDPAS Assessment Standards

The CDPAS provides the standards for third-party assessments that feed into the SCR-RMM conformity assessment (Step 10). CDPAS-governed assessments produce the findings that the RMM uses for risk determination.

Learn About CDPAS →

Evidence Request List (ERL)

The ERL defines what evidence must be collected during the conformity assessment (Step 10) and control assessment (Step 11). Standardized evidence expectations enable consistent risk determination.

Learn About ERL →

Unified Scoping Guide (USG)

The USG helps establish the organizational and environmental context for assessing risks (Step 9) by defining the People, Processes, Technologies, Data, and Facilities (PPTDF) that comprise the assessment boundary.

Learn About USG →

SCF-CAP Conformity Assessment

The Report on Conformity (ROC) produced in Step 14 of the SCR-RMM directly supports the SCF Conformity Assessment Program. Organizations pursuing SCF-CAP certification use the RMM risk determinations as part of their conformity evidence.

Learn About SCF-CAP →
Continuous Improvement

Plan-Do-Check-Act (PDCA)

The SCR-RMM is designed to operate within a continuous PDCA improvement cycle, treating risk management as an ongoing organizational capability integrated into business-as-usual activities.

P

PLAN

Identify risk management principles (Step 1). Document critical dependencies (Step 2). Formalize risk management practices (Step 3). Establish risk, threat, and controls catalogs (Steps 4–6). Define CMM targets and assessment rigor (Steps 7–8).

D

DO

Establish context (Step 9). Conduct conformity assessment (Step 10). Apply assessment methods and document findings (Step 11). Determine risk exposure by calculating inherent and residual risk (Step 12).

C

CHECK

Prioritize and document deficiencies (Step 13). Produce the Report on Conformity categorizing results as Strictly Conforms, Conforms, Significant Deficiency, or Material Weakness (Step 14).

A

ACT

Identify the appropriate management audience (Step 15). Management determines risk treatment: reduce, avoid, transfer, or accept (Step 16). Implement and document risk treatment (Step 17).

Join 25,000+ GRC Professionals

Get the latest SCF updates, cybersecurity insights, and community news delivered to your inbox. You know you want to do it!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Controls are your security, compliance & resilience program - A control is the power to influence or direct behaviors and the course of events.

DOWNLOAD THE SCF

Start Here

What Is The SCF?How To Implement (SCRMS)Domains & PrinciplesLaws & Frameworks (LRF)Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations

Free Content

SCF DownloadRisk Management (SCR-RMM)Maturity Model (SCR-CMM)Assessment Standards (CDPAS)Mergers & Acquisitions (MA&D)Privacy Principles (DPMP)Evidence Request List (ERL)Scoping Guide (USG)

Resources

GRC FundamentalsSCF CertifiedMarketplaceFAQAboutBlog

Support

DonateVolunteer

© 2026 Secure Controls Framework Council, LLC. All rights reserved.

Terms & ConditionsPrivacyCookiesSitemap