Purpose-Built Control Sets for Every Organization
The SCF Council created the CORE initiative to address a critical gap. While the SCF catalog provides comprehensive coverage, many organizations, especially small and mid-sized businesses, need a focused, actionable starting point to tailor controls for their specific needs
The CORE initiative defines 7 tailored control sets, each calibrated to specific organization types, sizes, and risk profiles. These are not arbitrary subsets. Each CORE set is derived from the broader Common Controls Framework™ (e.g., SCF control set).
The SCF was notably recognized in Texas Senate Bill 2610, which named the SCF as meeting cybersecurity framework adequacy for purposes of providing legal protection to businesses implementing reasonable cybersecurity practices. This was the first time a state legislature directly referenced the SCF in statute. The SCF developed the CORE Fundamentals control set to meet the needs of TX SB 2610 for smaller organizations.

Volunteer-Driven. Creative Commons Licensed.
All SCF CORE content is developed by volunteer cybersecurity practitioners and released under Creative Commons licensing. There is no cost to access or implement SCF CORE.
Texas SB 2610: Why SCF CORE Fundamentals Matters
Texas Senate Bill 2610 represents a landmark moment for Small and Medium Business (SMB) cybersecurity, since it is focused on businesses with less than 250 employees. The law provides legal protection for Texas businesses that implement and maintain a recognized cybersecurity framework and SCF CORE Fundamentals is specifically designed to meet those requirements.
Under TX SB 2610, businesses that implement reasonable cybersecurity practices gain an affirmative defense against data breach liability claims. The SCF was recognized in the law as a framework meeting adequacy standards.
Legal Protection Through Reasonable Cybersecurity
The law’s affirmative defense applies when organizations can demonstrate implemented, documented cybersecurity controls that are appropriate to their size, complexity, and the sensitivity of data they handle.
SCF CORE Fundamentals Meets Requirements For:
Administrative Safeguards (e.g., Governance, HR, risk management, and compliance controls)
Technical Safeguards (e.g., Identity management, network security, cryptography, endpoint protection controls)
Physical Safeguards (e.g., Physical & environmental security controls)
Data Integrity Protection (e.g., Change management, monitoring, data classification controls)
Unauthorized Access Prevention (e.g., IAM, network segmentation, encryption at rest & in transit controls)
SCF CORE External Service Provider (ESP) Baselines
The SCF is working with the Cyber AB and ESP Collective to standardize reasonble security, compliance and resilience practices for External Service Providers (ESP) that include Manage Service Provider (MSP) and Managed Security Services Provider (MSSP) entities. It is a well-known issue in the IT / cyber industry that ESPs are the "soft underbelly" for organizations, regardless of industry or size and we intend to help the industry by establishing baseline standards that any ESP can adopt to be secure, compliant and resilient.
There are three CORE ESP levels defined for the North America (NA) market:
1. Fundamental;
2. Critical Infrastructure; and
3. Advanced Threats
Note: ESPs with a valid CMMC Level 2 certification can apply applicable controls towards the ESP Level 2 certification.
SCF CORE Roadmap: 7 Tailored Control Sets
Each CORE set targets a distinct organization type, risk profile, or operational context, derived from the full Common Controls Framework™ (CCF) catalog using STRM methodology.
SCF CORE Fundamentals
68 controls across 20 domains for smaller entities. Specifically designed to meet Texas SB 2610 reasonable cybersecurity requirements.
SCF CORE MA&D
Mergers, Acquisitions & Divestitures control set covering cybersecurity requirements specific to M&A transaction environments.
SCF CORE ESP Level 1
Essential Security Practices: Foundational control set for organizations beginning their cybersecurity program journey.
SCF CORE ESP Level 2
Essential Security Practices: Critical Infrastructure control set for organizations operating critical systems and services.
SCF CORE ESP Level 3
Essential Security Practices: Advanced Threats control set for organizations facing sophisticated threat actor activity.
SCF CORE AI-Enabled Operations
AI-specific cybersecurity controls for organizations augmenting AI capabilities into business operations.
SCF CORE AI Model Deployment
AI-specific cybersecurity controls for organizations developing and/or deploying AI/ML capabilities into business operations (e.g., custom chatbot).
68 Controls Across 20 Domains
SCF CORE Fundamentals covers 20 of the 33 SCF domains, focusing on the domains most critical for SMB cybersecurity programs. Each control is drawn from the full CCF™ and calibrated to SMB implementation realities.
When used for TPRM, CORE Fundamentals provides a structured questionnaire framework across all 20 domains, with built-in weighting based on control criticality.
MCR: Minimum Compliance Requirements
Controls that represent the minimum bar required by external obligations such as laws, regulations, and contracts. These are non-negotiable. Not implementing them creates legal or contractual exposure.
- Externally influenced (laws, regs, contracts)
- "Must have" requirements (e.g., non-discretionary)
- Fact-finding, not risk assessment
- Forms compliance baseline
DSR: Discretionary Security Requirements
Controls selected based on the organization's own risk appetite and judgment. These go beyond the minimum and represent best-practice enhancements driven by internal risk management.
- Internally influenced (risk-based decisions)
- "Nice to have" (e.g., risk-informed choices, discretionary)
- Based on threat landscape and asset sensitivity
- Elevates posture beyond compliance floor
All 68 SCF CORE Fundamentals Controls
Organized by domain. Each control is drawn from the full CCF™ and calibrated to SMB implementation realities. Below are the SCF CORE Fundamentals controls, updated as of the 2026.1 version of the SCF.
(1) Accurately reflects the current TAASD in use;
(2) Identifies authorized software products, including business justification details;
(3) Is at the level of granularity deemed necessary for tracking and reporting;
(4) Includes organization-defined information deemed necessary to achieve effective property accountability; and
(5) Is available for review and audit by designated organizational personnel.
(1) Contain sufficient detail to assess the security of the network's architecture;
(2) Reflect the current architecture of the network environment; and
(3) Document all sensitive/regulated data flows.
(1) Establish what type of event occurred;
(2) When (date and time) the event occurred;
(3) Where the event occurred;
(4) The source of the event;
(5) The outcome (success or failure) of the event; and
(6) The identity of any user/subject associated with the event.
(1) Remote network access;
(2) Third-party Technology Assets, Applications and/or Services (TAAS); and/ or
(3) Non-console access to critical TAAS that store, transmit and/or process sensitive/regulated data.
(1) Preparation;
(2) Automated event detection or manual incident report intake;
(3) Analysis;
(4) Containment;
(5) Eradication; and
(6) Recovery.
(1) Evaluate security risks and threats associated with Technology Assets, Applications and/or Services (TAAS) supply chains; and
(2) Take appropriate remediation actions to minimize the organization's exposure to those risks and threats, as necessary.hanisms exist to remediate risks to an acceptable level.
Third-Party Risk Management (TPRM)
SCF CORE Fundamentals serves as an effective TPRM baseline. Organizations can use it to assess vendors, suppliers, and service providers against a standardized control set calibrated to SMB realities.
When used for TPRM, CORE Fundamentals provides a structured questionnaire framework across all 20 domains, with built-in weighting based on control criticality. The SCF’s External Reference Library (ERL) links each control to authoritative sources for evidence verification.
TPRM Assessment Components in SCF CORE
- Control questionnaire: 68 questions mapped to control objectives.
- Control weighting: based on MCR vs DSR classification.
- External Reference Library (ERL): evidence source links.
- Assessment Observations (AOs): examiner guidance.
- Risk and threat catalog crosswalk.
- Scoring methodology for aggregate risk rating.
TPRM Control Areas
CORE Fundamentals maps directly to common vendor risk questionnaire formats, enabling side-by-side comparison of vendor posture against the SCF baseline.
Third-Party Assessable
SCF CORE Fundamentals is designed to be independently assessed through the SCF Conformity Assessment Program (SCF-CAP). Organizations seeking documented, third-party validated conformity, including for Texas SB 2610 purposes, can engage an SCF-authorized assessor.
SCF-CAP Assessment Guide Covers:
- Scoping and boundary definition
- Control-level assessment criteria
- Evidence collection requirements (ERL-aligned)
- Assessment Observation (AO) templates
- Scoring and rating methodology
- Non-conformance and remediation tracking
- Conformity statement and report generation
Plan-Do-Check-Act (PDCA)
SCF CORE Fundamentals is designed to operate within a continuous PDCA improvement cycle, not as a one-time compliance exercise.
PLAN
Identify applicable controls. Assess current state vs CORE Fundamentals baseline. Define remediation priorities and resource requirements. Establish risk appetite and MCR obligations.
DO
Implement controls across all 20 domains. Document policies, standards, and procedures. Deploy technical controls. Train personnel. Engage third-party assessor if pursuing SCF-CAP.
CHECK
Monitor control effectiveness. Conduct internal assessments against CORE Fundamentals criteria. Review Evidence Request List (ERL) satisfaction. Validate against MCR obligations.
ACT
Remediate gaps identified in the Check phase. Update policies and standards. Elevate from CORE Fundamentals toward higher-maturity control sets (ESP Level 1, 2, 3) as organizational capacity grows.
.png)


%20(white).png)