Organized by domain. Each control is drawn from the full CCF™ and calibrated to SMB implementation realities. Below are the SCF CORE Fundamentals controls, updated as of the 2026.1 version of the SCF.
GOV: Governance (3 Controls)
GOV-02
Publishing Security, Compliance & Resilience Documentation
Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.
GOV-04
Assigned Security, Compliance & Resilience Responsibilities
Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).
GOV-15
Operationalizing Security, Compliance & Resilience Capabilities
Mechanisms exist to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.
AST: Asset Management (5 Controls)
AST-02
Asset Inventories
Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that:
(1) Accurately reflects the current TAASD in use;
(2) Identifies authorized software products, including business justification details;
(3) Is at the level of granularity deemed necessary for tracking and reporting;
(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and
(5) Is available for review and audit by designated organizational personnel.
AST-02.8
Data Action Mapping
Mechanisms exist to create and maintain a map of Technology Assets, Applications and/or Services (TAAS) where sensitive/regulated data is stored, transmitted or processed.
AST-04
Network Diagrams & Data Flow Diagrams (DFDs)
Mechanisms exist to maintain network architecture diagrams that:
(1) Contain sufficient detail to assess the security of the network's architecture;
(2) Reflect the current architecture of the network environment; and
(3) Document all sensitive/regulated data flows.
AST-09
Secure Disposal, Destruction or Re-Use of Equipment
Mechanisms exist to securely dispose of, destroy or repurpose system components using organization-defined techniques and methods to prevent information being recovered from these components.
AST-16
Bring Your Own Device (BYOD) Usage
Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
BCD: Business Continuity & Disaster Recovery (2 Controls)
BCD-04
Contingency Plan Testing & Exercises
Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.
BCD-11
Data Backups
Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
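BCD-11 asks for two things an SMB can actually measure: that each backup set still matches what was written, and that the newest set is recent enough to meet the RPO. The following is an added example, not SCF text or SCF tooling. It records a SHA-256 manifest beside a backup set, re-verifies every file against it, reports files that vanished or appeared, and compares the backup's age with the RPO. The directory layout, the manifest filename `MANIFEST.sha256.json` and the sample files are constructed for the demonstration.

```python
"""Backup integrity and RPO check (added example; the layout and manifest name are assumptions)."""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"  # assumed manifest filename


def sha256_file(path: Path) -> str:
    """Stream the file in 1 MiB chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, taken_at: datetime) -> Path:
    """Hash every file in the backup set and record (in UTC) when the backup was taken."""
    files = sorted(p for p in backup_dir.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)
    manifest = {
        "taken_at": taken_at.astimezone(timezone.utc).isoformat(),
        "files": {str(p.relative_to(backup_dir)): sha256_file(p) for p in files},
    }
    out = backup_dir / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_backup(backup_dir: Path, rpo: timedelta, now: datetime) -> list[str]:
    """Return findings: corrupted, missing or unexpected files, plus any RPO breach."""
    findings = []
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = backup_dir / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            findings.append(f"integrity failure: {rel}")
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*")
               if p.is_file() and p.name != MANIFEST_NAME}
    for rel in sorted(present - set(expected)):
        findings.append(f"unexpected file not in manifest: {rel}")
    taken_at = datetime.fromisoformat(manifest["taken_at"])
    if now - taken_at > rpo:
        findings.append(f"RPO breach: newest backup is {now - taken_at} old, RPO is {rpo}")
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed backup set, verify it, then corrupt one byte and age it past the RPO."""
    with tempfile.TemporaryDirectory() as d:
        backup = Path(d) / "backup-2025-03-01"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"-- constructed sample dump\nINSERT ...;\n")
        (backup / "config.tar").write_bytes(b"constructed archive bytes")
        taken = datetime(2025, 3, 1, 2, 0, tzinfo=timezone.utc)
        write_manifest(backup, taken)

        rpo = timedelta(hours=24)
        clean = verify_backup(backup, rpo, now=taken + timedelta(hours=6))

        # Silent corruption: one byte changed, same size. Then check 30 h later.
        (backup / "config.tar").write_bytes(b"constructed archive byteX")
        tampered = verify_backup(backup, rpo, now=taken + timedelta(hours=30))
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean or "OK")
    print("tampered run:", tampered)
```

The manifest should live somewhere the backup job cannot overwrite (a separate, write-once location), otherwise an attacker who can alter the backup can rewrite the manifest to match; the check above only proves the set is unchanged relative to the manifest. Hash verification also says nothing about restorability, so it complements, rather than replaces, a periodic restore test.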
CHG: Change Management (2 Controls)
CHG-02
Configuration Change Control
Mechanisms exist to govern the technical configuration change control processes.
CHG-03
Security Impact Analysis for Changes
Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
CLD: Cloud Security (2 Controls)
CLD-01
Cloud Services
Mechanisms exist to facilitate the implementation of cloud management controls to ensure cloud instances are secure and in-line with industry practices.
CLD-10
Sensitive Data In Public Cloud Providers
Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.
CPL: Compliance (1 Control)
CPL-01
Statutory, Regulatory & Contractual Compliance
Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
CFG: Configuration Management (2 Controls)
CFG-02
Secure Baseline Configurations
Mechanisms exist to develop, document and maintain secure baseline configurations for Technology Assets, Applications and/or Services (TAAS) that are consistent with industry-accepted system hardening standards.
CFG-03
Least Functionality
Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
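A practical way to evidence CFG-03 is to compare what a host actually listens on with the ports and bind scopes approved for its role. The following is an added example, not SCF text: it parses the text output format of `ss -tlnp` (the Linux listening-sockets listing) and flags any listener that is not on the approved list, or that should be loopback-only but is bound to all interfaces. The sample output, the "web server" role and its allowlist are constructed for the demonstration.

```python
"""Least-functionality port audit over `ss -tlnp` output (added example; sample data constructed)."""
import re
from dataclasses import dataclass

# Constructed `ss -tlnp` output for an assumed web-server role; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096         0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443        0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      4096       127.0.0.1:6379       0.0.0.0:*     users:(("redis-server",pid=990,fd=7))
LISTEN 0      128          0.0.0.0:21         0.0.0.0:*     users:(("vsftpd",pid=1333,fd=3))
LISTEN 0      4096            [::]:22            [::]:*     users:(("sshd",pid=812,fd=4))
"""

# Approved listeners for the role: port -> bind scope. "public" may bind to any
# address; "local" must be loopback-only. Any other listener is a finding.
ALLOWED = {
    22: "public",
    443: "public",
    6379: "local",
}

LOOPBACK = {"127.0.0.1", "[::1]"}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


# LISTEN <recv-q> <send-q> <local addr>:<port> <peer> <process info>
_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(.*)$")
_PROC = re.compile(r'\("([^"]+)"')  # first process name inside users:(("name",pid=...))


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records; non-LISTEN lines (e.g. the header) are skipped."""
    listeners = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        addr, port, rest = m.groups()
        pm = _PROC.search(rest)
        listeners.append(Listener(addr, int(port), pm.group(1) if pm else "?"))
    return listeners


def audit(listeners: list[Listener], allowed: dict[int, str]) -> list[str]:
    """Report listeners that are not approved, or approved only for loopback but exposed."""
    findings = []
    for l in listeners:
        scope = allowed.get(l.port)
        if scope is None:
            findings.append(f"unapproved service: {l.process} on {l.addr}:{l.port}")
        elif scope == "local" and l.addr not in LOOPBACK:
            findings.append(f"{l.process} on port {l.port} must be loopback-only, bound to {l.addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT), ALLOWED):
        print(finding)
```

Run on a live host, the input would come from `ss -tlnp` (and `ss -ulnp` for UDP); the allowlist belongs in the same place as the secure baseline from CFG-02, so that a new listener is a deviation from the baseline rather than a judgment call at audit time.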
MON: Continuous Monitoring (3 Controls)
MON-01.8
Security Event Monitoring
Mechanisms exist to review event logs on an ongoing basis and escalate incidents in accordance with established timelines and procedures.
MON-03
Content of Event Logs
Mechanisms exist to configure Technology Assets, Applications and/or Services (TAAS) to produce event logs that contain sufficient information to, at a minimum:
(1) Establish what type of event occurred;
(2) When (date and time) the event occurred;
(3) Where the event occurred;
(4) The source of the event;
(5) The outcome (success or failure) of the event; and
(6) The identity of any user/subject associated with the event.
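The six MON-03 elements are easy to list and easy to lose in practice: a log source that omits the outcome, or stamps local time without an offset, produces events that cannot be correlated during an incident. The following is an added example, not SCF text, that runs the six-element check over structured (JSON-lines) events. The field names `event_type`, `timestamp`, `host`, `source`, `outcome` and `subject` are an assumed schema to be mapped onto whatever the logging pipeline actually emits; the three sample events are constructed.

```python
"""MON-03 minimum log content check over JSON-lines events (added example; schema and samples assumed)."""
import json
from datetime import datetime

# MON-03 element -> field name in the (assumed) event schema
REQUIRED_FIELDS = {
    "type": "event_type",      # (1) what type of event occurred
    "when": "timestamp",       # (2) when the event occurred
    "where": "host",           # (3) where the event occurred
    "source": "source",        # (4) the source of the event (address, process)
    "outcome": "outcome",      # (5) success or failure
    "identity": "subject",     # (6) user/subject associated with the event
}
ALLOWED_OUTCOMES = {"success", "failure"}


def check_event(event: dict) -> list[str]:
    """Return findings for one event; an empty list means the event carries all six elements."""
    findings = []
    for element, field in REQUIRED_FIELDS.items():
        if event.get(field) in (None, ""):
            findings.append(f"missing {element} ({field!r})")
    # A timestamp without a UTC offset cannot be correlated across systems in
    # different time zones, so treat it as insufficient even though it is present.
    ts = event.get("timestamp")
    if isinstance(ts, str):
        try:
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                findings.append("timestamp has no timezone offset")
        except ValueError:
            findings.append("timestamp is not ISO-8601")
    outcome = event.get("outcome")
    if outcome is not None and str(outcome).lower() not in ALLOWED_OUTCOMES:
        findings.append(f"outcome {outcome!r} is not success/failure")
    return findings


def check_log(lines: list[str]) -> dict[int, list[str]]:
    """Check each JSON line; return {line_number: findings} for deficient events only."""
    report = {}
    for n, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["line is not valid JSON"]
            continue
        findings = check_event(event)
        if findings:
            report[n] = findings
    return report


# Constructed sample events (not real logs). Line 1 is complete; line 2 omits the
# outcome and the subject; line 3 has a local-time timestamp and a free-text outcome.
SAMPLE_LOG = [
    '{"event_type": "auth.login", "timestamp": "2025-03-01T09:15:02Z", "host": "app-01", '
    '"source": "198.51.100.7", "outcome": "success", "subject": "jdoe"}',
    '{"event_type": "file.read", "timestamp": "2025-03-01T09:15:05Z", "host": "app-01", '
    '"source": "pid 4242"}',
    '{"event_type": "auth.login", "timestamp": "2025-03-01 09:15:09", "host": "app-02", '
    '"source": "198.51.100.9", "outcome": "denied", "subject": "svc-backup"}',
]

if __name__ == "__main__":
    for n, findings in check_log(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
```

Used as a gate when onboarding a new log source, a check like this turns the MON-03 list into a pass/fail result per source rather than a paragraph in an assessment report.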
MON-16
Anomalous Behavior
Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
CRY: Cryptographic Protections (3 Controls)
CRY-03
Transmission Confidentiality
Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
CRY-05
Encrypting Data At Rest
Cryptographic mechanisms exist to prevent unauthorized disclosure of data at rest.
CRY-09
Cryptographic Key Management
Mechanisms exist to facilitate cryptographic key management controls to protect the confidentiality, integrity and availability of keys.
DCH: Data Classification & Handling (5 Controls)
DCH-01.2
Sensitive / Regulated Data Protection
Mechanisms exist to protect sensitive/regulated data wherever it is processed and/or stored.
DCH-01.4
Defining Access Authorizations for Sensitive / Regulated Data
Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
DCH-02
Data & Asset Classification
Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
DCH-13
Use of External Technology Assets, Applications and/or Services (TAAS)
Mechanisms exist to govern how external parties, including Technology Assets, Applications and/or Services (TAAS), are used to securely store, process and transmit data.
DCH-17
Ad-Hoc Transfers
Mechanisms exist to secure ad-hoc exchanges of large digital files with internal or external parties.
END: Endpoint Security (2 Controls)
END-04
Malicious Code Protection (Anti-Malware)
Mechanisms exist to utilize antimalware technologies to detect and eradicate malicious code.
END-08
Phishing & Spam Protection
Mechanisms exist to utilize anti-phishing and spam protection technologies to detect and take action on unsolicited messages transported by electronic mail.
HRS: Human Resources Security (2 Controls)
HRS-04
Personnel Screening
Mechanisms exist to manage personnel security risk by screening individuals prior to authorizing access.
HRS-05
Terms of Employment
Mechanisms exist to require all employees and contractors to apply cybersecurity and data protection principles in their daily work to enable secure, compliant and resilient capabilities.
IAC: Identification & Authentication (10 Controls)
IAC-01.3
User & Service Account Inventories
Mechanisms exist to maintain a current list of authorized users and service accounts.
IAC-06
Multi-Factor Authentication (MFA)
Automated mechanisms exist to enforce Multi-Factor Authentication (MFA) for:
(1) Remote network access;
(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/or
(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.
IAC-07
User Provisioning & De-Provisioning
Mechanisms exist to utilize a formal user registration and de-registration process that governs the assignment of access rights.
IAC-08
Role-Based Access Control (RBAC)
Mechanisms exist to enforce Role-Based Access Control (RBAC) for Technology Assets, Applications, Services and/or Data (TAASD) to restrict access to individuals assigned specific roles with legitimate business needs.
IAC-10
Authenticator Management
Mechanisms exist to:
(1) Securely manage authenticators for users and devices; and
(2) Ensure the strength of authentication is appropriate to the classification of the data being accessed.
IAC-10.8
Default Authenticators
Mechanisms exist to ensure default authenticators are changed as part of account creation or system installation.
IAC-15
Account Management
Mechanisms exist to proactively govern account management of individual, group, system, service, application, guest and temporary accounts.
IAC-16
Privileged Account Management (PAM)
Mechanisms exist to restrict and control privileged access rights for users and Technology Assets, Applications and/or Services (TAAS).
IAC-17
Periodic Review of Account Privileges
Mechanisms exist to periodically review the privileges assigned to individuals and service accounts to validate the need for such privileges and reassign or remove unnecessary privileges, as necessary.
IAC-21
Least Privilege
Mechanisms exist to utilize the concept of least privilege, allowing only authorized access to processes necessary to accomplish assigned tasks in accordance with organizational business functions.
IRO: Incident Response (2 Controls)
IRO-02
Incident Handling
Mechanisms exist to cover:
(1) Preparation;
(2) Automated event detection or manual incident report intake;
(3) Analysis;
(4) Containment;
(5) Eradication; and
(6) Recovery.
IRO-04
Incident Response Plan (IRP)
Mechanisms exist to maintain and make available a current and viable Incident Response Plan (IRP) to all stakeholders.
NET: Network Security (8 Controls)
NET-02
Layered Network Defenses
Mechanisms exist to implement security functions as a layered structure that minimizes interactions between layers of the design and avoids any dependence by lower layers on the functionality or correctness of higher layers.
NET-02.2
Guest Networks
Mechanisms exist to implement and manage a secure guest network.
NET-03
Boundary Protection
Mechanisms exist to monitor and control communications at the external network boundary and at key internal boundaries within the network.
NET-04
Data Flow Enforcement – Access Control Lists (ACLs)
Mechanisms exist to implement and govern Access Control Lists (ACLs) to provide data flow enforcement that explicitly restrict network traffic to only what is authorized.
NET-14
Remote Access
Mechanisms exist to define, control and review organization-approved, secure remote access methods.
NET-14.5
Work From Anywhere (WFA) - Telecommuting Security
Mechanisms exist to define secure telecommuting practices and govern remote access to Technology Assets, Applications, Services and/or Data (TAASD) for remote workers.
NET-15
Wireless Networking
Mechanisms exist to control authorized wireless usage and monitor for unauthorized wireless access.
NET-18
DNS & Content Filtering
Mechanisms exist to force Internet-bound network traffic through a proxy device (e.g., Policy Enforcement Point (PEP)) for URL content filtering and DNS filtering to limit a user's ability to connect to dangerous or prohibited Internet sites.
PES: Physical & Environmental Security (3 Controls)
PES-02
Physical Access Authorizations
Physical access control mechanisms exist to maintain a current list of personnel with authorized access to organizational facilities (except for those areas within the facility officially designated as publicly accessible).
PES-03
Physical Access Control
Physical access control mechanisms exist to enforce physical access authorizations for all physical access points (including designated entry/exit points) to facilities (excluding those areas within the facility officially designated as publicly accessible).
PES-06
Visitor Control
Physical access control mechanisms exist to identify, authorize and monitor visitors before allowing access to the facility (other than areas designated as publicly accessible).
RSK: Risk Management (4 Controls)
RSK-03
Risk Identification
Mechanisms exist to identify and document risks, both internal and external.
RSK-04
Risk Assessment
Mechanisms exist to conduct recurring assessments of risk that include the likelihood and magnitude of harm, from unauthorized access, use, disclosure, disruption, modification or destruction of the organization's Technology Assets, Applications, Services and/or Data (TAASD).
RSK-04.1
Risk Register
Mechanisms exist to maintain a risk register that facilitates monitoring and reporting of risks.
RSK-06
Risk Remediation
Mechanisms exist to remediate risks to an acceptable level.
SAT: Security Awareness & Training (1 Control)
SAT-02
Security, Compliance & Resilience Awareness Training
Mechanisms exist to provide all employees and contractors appropriate security, compliance and resilience awareness education and training that is relevant for their job function.
TPM: Third-Party Management (5 Controls)
TPM-01.1
Third-Party Inventories
Mechanisms exist to maintain a current, accurate and complete list of External Service Providers (ESPs) that can potentially impact the Confidentiality, Integrity, Availability and/or Safety (CIAS) of the organization's Technology Assets, Applications, Services and/or Data (TAASD).
TPM-03
Supply Chain Risk Management (SCRM)
Mechanisms exist to:
(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and
(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.
TPM-05
Third-Party Contract Requirements
Mechanisms exist to require contractual requirements for applicable security, compliance and resilience requirements with third-parties, reflecting the organization's needs to protect its Technology Assets, Applications, Services and/or Data (TAASD).
TPM-05.4
Responsible, Accountable, Supportive, Consulted & Informed (RASCI) Matrix
Mechanisms exist to document and maintain a Responsible, Accountable, Supportive, Consulted & Informed (RASCI) matrix, or similar documentation, to delineate assignment for security, compliance and resilience controls between internal stakeholders and External Service Providers (ESPs).
TPM-08
Review of Third-Party Services
Mechanisms exist to monitor, regularly review and assess External Service Providers (ESPs) for compliance with established contractual requirements for security, compliance and resilience controls.
VPM: Vulnerability & Patch Management (3 Controls)
VPM-02
Vulnerability Remediation Process
Mechanisms exist to ensure that vulnerabilities are properly identified, tracked and remediated.
VPM-05
Software & Firmware Patching
Mechanisms exist to conduct software patching for all deployed Technology Assets, Applications and/or Services (TAAS), including firmware.
VPM-06
Vulnerability Scanning
Mechanisms exist to detect vulnerabilities and configuration errors by routine vulnerability scanning of systems and applications.