Secure Controls Framework

SCF Certification Assessment Guides

SCF Assessment Guides provide the detailed assessment criteria, control scoping, and assessment objectives for each SCF CAP certification. Each guide defines what a 3PAO assessor will evaluate, how controls are scored, and the evidence requirements for a successful conformity assessment.

Assessment Criteria & Control Scoping

What Are SCF Assessment Guides?

SCF Assessment Guides are the authoritative reference documents that define the assessment criteria for each available SCF CAP certification. They serve three primary audiences: Organizations Seeking Assessment (OSAs), Registered Provider Organizations (RPOs), and Third-Party Assessment Organizations (3PAOs).

Each Assessment Guide provides a comprehensive mapping of the certification-specific requirements to the corresponding SCF controls, including the specific Assessment Objectives (AOs) that a 3PAO assessor will evaluate. The guides define the Minimum Security Requirements (MSR) control set for each certification, the tailored subset of SCF controls that must be implemented and assessed.

Assessment Guides also specify the evidence types expected for each control (examine, interview, and test artifacts), the scoring methodology used to determine conformity, and the thresholds required for successful certification.

What Each Assessment Guide Contains

Control Mapping: Complete mapping of certification requirements to SCF controls and Assessment Objectives.

MSR Control Set: The specific Minimum Security Requirements controls applicable to the certification.

Evidence Requirements: Detailed specifications for examine, interview, and test evidence artifacts.

Scoring Methodology: How controls are evaluated and scored.

Certification Thresholds: Pass/fail criteria and conformity designation requirements.

Available Assessment Guides

SCF CAP Certification Assessment Guides

The following Assessment Guides are available for download. Each guide corresponds to an available SCF CAP certification and provides the complete assessment criteria for that specific conformity designation.

CMMC Level 1

This CMMC Level 1 assessment guide is designed for organizations that want independent validation of Cybersecurity Maturity Model Certification (CMMC) Level 1 requirements.
This is ideal for organizations that want independent validation of CMMC Level 1 requirements (at the assessment objective level) through a third-party assessment that results in a certification.

NIST Cybersecurity Framework 2.0

This NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) assessment guide is designed for organizations that align with the cybersecurity governance framework established by NIST CSF 2.0.
This is ideal for organizations that want to demonstrate conformity with NIST CSF 2.0 through a third-party assessment that results in a certification.

HIPAA Security Rule

The HIPAA Security Rule (NIST SP 800-66 R2) assessment guide is designed for organizations required to comply with the HIPAA Security Rule (e.g., NIST SP 800-66 R2).
This is ideal for both Covered Entities (CE) and Business Associates (BA) that want to demonstrate conformity with the HIPAA Security Rule through a third-party assessment that results in a certification.

SCF CORE Fundamentals

The SCF Cybersecurity Oversight, Resilience and Enablement (CORE) Fundamentals assessment guide is designed for organizations that align with the principles established by the SCF CORE Fundamentals control set.
This is ideal for organizations that want to demonstrate conformity with SCF CORE Fundamentals through a third-party assessment that results in a certification.

NY DFS 23 NYCRR Part 500

This New York Department of Financial Services 23 NYCRR Part 500 assessment guide is designed for organizations that must comply with the NY DFS 23 NYCRR Part 500 regulation.
This is ideal for organizations that want to demonstrate conformity with NY DFS 23 NYCRR Part 500 through a third-party assessment that results in a certification.

CISA SSDAF

This CISA Secure Software Development Attestation Form (SSDAF) assessment guide is designed for organizations that must attest to secure software development practices to the US Government.
This is ideal for organizations that want to demonstrate conformity with Executive Order 14028 through a third-party assessment that results in a certification.

NIST SP 800-161 R1 C-SCRM

This NIST SP 800-161 R1 Cybersecurity Supply Chain Risk Management (C-SCRM) Baseline assessment guide is designed for organizations that must comply with the NIST SP 800-161 R1 C-SCRM baseline practices.
This is ideal for organizations that want to demonstrate conformity with the C-SCRM baseline of NIST SP 800-161 R1 through a third-party assessment that results in a certification.

NIST SP 800-171 R3

This NIST SP 800-171 R3 assessment guide is designed for organizations that must comply with NIST SP 800-171 R3.
This is not a CMMC assessment. This is ideal for organizations that want to demonstrate conformity with NIST SP 800-171 R3 through a third-party assessment that results in a certification.

NIST SP 800-218 R1

This NIST SP 800-218 R1 assessment guide is designed for organizations that must demonstrate alignment with the Secure Software Development Framework (SSDF).
This is ideal for organizations that want to demonstrate conformity with NIST SP 800-218 R1 through a third-party assessment that results in a certification.

New Zealand HISF

This New Zealand Health Information Security Framework (HISF) - Guidance for Suppliers assessment guide is designed for organizations that must comply with the NZ HISF for suppliers.
This is ideal for organizations in New Zealand that want to demonstrate conformity with NZ HISF for Suppliers through a third-party assessment that results in a certification.

CMMC Level 2 to NIST CSF 2.0

This CMMC Level 2 to NIST CSF 2.0 assessment guide is designed for organizations that must comply with CMMC and want to achieve reciprocity with NIST CSF 2.0.
This is ideal for organizations that have a current Cybersecurity Maturity Model Certification (CMMC) Level 2 certification and want to leverage reciprocity towards NIST CSF 2.0 certification.

SCF Tailored

This SCF Tailored assessment guide is designed for organizations that want to create a tailored control set to achieve compliance with multiple laws, regulations and frameworks.
This is ideal for organizations that want to create a bespoke control set for an SCF assessment (e.g., unique control set, multiple laws/regulations/frameworks, etc.).

Using Assessment Guides

How to Use the SCF Assessment Guides

Assessment Guides serve different purposes depending on your role in the SCF CAP ecosystem. Here is how each audience should use them to prepare for or conduct a successful conformity assessment.

For Organizations Seeking Assessment (OSAs)

Use the Assessment Guide for your target certification to understand exactly which SCF controls are in scope, what evidence you need to prepare, and how your controls will be scored. The MSR control set defined in the guide becomes your implementation checklist. Start with the guide before engaging an RPO or 3PAO.

For Registered Provider Organizations (RPOs)

RPOs use Assessment Guides to structure their advisory and preparation services. The control mappings and evidence requirements define the scope of work for client engagements. RPOs should ensure their clients’ implementations address every Assessment Objective before recommending readiness for a 3PAO assessment.

For Third-Party Assessment Organizations (3PAOs)

3PAOs use Assessment Guides as the authoritative reference during conformity assessments. The guides define the examine, interview, and test procedures, the scoring methodology, and the certification thresholds. All assessment findings must be documented against the specific Assessment Objectives.

Assessment Guide Updates

SCF Assessment Guides are updated in alignment with changes to the underlying laws, regulations, and frameworks they cover. When a new version of a mapped authority is released, the corresponding Assessment Guide is updated to reflect revised control mappings and assessment criteria. Always verify you are using the current version before beginning an assessment.