Starting with release 2024.1, the SCF leverages NIST IR 8477 Set Theory Relationship Mapping for crosswalk mapping. This is the US Government's gold standard for evaluating cybersecurity and data privacy laws, regulations and frameworks.
NIST IR 8477 provides the definitive practice for crosswalk mapping with no technology needed. It can be performed with a pencil and piece of paper.
Children learn the process of diagramming sentences in grade school (e.g., the Reed–Kellogg model) with pencil and paper. This same process of graphically identifying the relationships between elements forms the basis of STRM. What NIST IR 8477 does is formalize this with Set Theory mathematics to produce rigorous, defensible, and IP-protected crosswalk mappings.
STRM is part of NIST’s broader NIST OLIR Program, an effort to facilitate Subject Matter Experts in defining standardized Online Informative References between elements of their creation and NIST publications.
You can click on the image to the side to see a PDF version of how the SCF is utilizing STRM, as well as an example for what that looks like with a few NIST CSF 2.0 controls:
The SCF offers editable Excel versions of all STRM mappings. The bundle of Excel versions is $25 (access to redownload is availabe for 30 days from date of purchase).
Every crosswalk mapping in the SCF uses exactly one of these five mathematically-defined relationship types, ensuring precision and consistency across all 200+ mapped LRF.
The LRF requirement is fully contained within the SCF control. The SCF control is broader in scope and coverage.
The LRF requirement and SCF control share partial overlap. Neither is fully contained within the other.
The LRF requirement and SCF control are semantically equivalent. They address the same concept at the same scope.
The SCF control is contained within the LRF requirement. The LRF requirement is broader in scope and coverage.
The LRF requirement and SCF control have no meaningful semantic overlap. No mapping is established.
Relationship Strength (1–10)
Relationship Strength (1–10): Each mapping also receives a numeric strength rating. A rating of 1 indicates a nominal relationship, 5 indicates moderately strong, and 10 indicates the strongest relationship, typically reserved for "Equal To" or where the LRF requirement is a "Subset Of" the SCF control.
The SCF exclusively uses human subject-matter experts to perform STRM crosswalk mapping. This is a deliberate choice with significant IP, legal and quality implications.
The SCF leverages human SMEs to perform STRM mapping. This produces content that is:
AI/NLP-based crosswalk solutions face significant IP limitations:
Why it matters
The SCF's EDC approach means its crosswalk mappings are both higher-quality and legally protected intellectual property, which is exactly how NIST IR 8477 itself was designed to work.
The SCF applies STRM to every one of its 200+ mapped laws, regulations and frameworks. Each mapping documents the precise set-theoretic relationship between every LRF requirement and the corresponding SCF control.
Each LRF requirement is defined as a Focal Document Element with a unique identifier. Without a unique FDE value, no granular mapping is possible because there is nothing to map to.
Each FDE is mapped to the most appropriate SCF control with a documented relationship type (Subset Of, Intersects With, Equal To, Superset Of, or No Relationship) and a strength score of 1–10.
Because all LRF are mapped to common SCF controls using STRM, a single SCF control can simultaneously satisfy requirements across dozens of laws, regulations and frameworks. This enables true multi-framework compliance efficiency.
Excel versions of the STRM mappings are available for purchase at the SCF Store. The following STRM mappings are currently published:
The SCF welcomes community involvement. The SCF Council provides a downloadable Community STRM Template that practitioners can use to perform their own crosswalk mapping and submit for possible inclusion in a future SCF release.
Open the STRM template’s “STRM Overview” tab and complete the two highlighted cells identifying:
Prerequisites: familiarity with NIST IR 8477 and professional competence to conduct crosswalk mapping.
Complete the “Community STRM submission” tab using these columns:
Once your STRM exercise is complete, email the completed Excel spreadsheet to the SCF Council for review:
support@securecontrolsframework.com
Submissions are evaluated by the SCF Council and may be included in a future SCF release. The SCF Council will contact you if there are questions about your submission.
Browse all 200+ laws, regulations and frameworks mapped in the SCF across 5 global regions.
The SCF is a recognized NIST OLIR Program participant with accepted OLIRs for NIST CSF v1.1 and SP 800-171 R2.
Explore the 33 control domains that form the Common Controls Framework at the heart of the SCF.
Get the free SCF spreadsheet with all controls, all LRF mappings, and all STRM relationships included.
%20(white).png)
.png)