The SCF Is A Metaframework That Unifies Everything
In simple terms, the SCF is a metaframework (e.g., a “framework of frameworks”) that distills 200+ cybersecurity and data privacy laws, regulations, and frameworks into a single unified control catalog. Instead of maintaining separate control sets for HIPAA, SOC 2, ISO 27001, NIST CSF, and PCI DSS, organizations use a SCF-based Living Control Set (LCS) that satisfies all of them simultaneously, capable of changing and scaling as business processes and requirements evolve.
The Secure Controls Framework® (SCF) eliminates the need for separate compliance programs (e.g., siloed capabilities). Implement one tailored SCF control set that has the ability to simultaneously satisfy multiple laws, regulations and/or frameworks. The SCF is a FREE, comprehensive cybersecurity and data privacy metaframework designed to help organizations build secure, compliant and resilient capabilities. Instead of managing multiple, overlapping laws, regulations and frameworks independently, the SCF normalizes requirements into a Common Controls Framework (CCF) that supports multiple statutory, regulatory and contractual compliance requirements.
If your are unfamiliar with the SCF, please download the START HERE GUIDE to gain a solid understanding of what the SCF is and how to use it. The SCF focuses on internal controls, which are security, compliance and resilience-related policies, standards, procedures, technologies, and processes designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected, and corrected.
Common Controls Framework™ (CCF)
The SCF currently holds the rights to the Common Controls Framework™ trademark. The domains commoncontrolsframework.com and common-controls-framework.com both redirect to the SCF. This distinction is unique among all cybersecurity frameworks and furthers the claim that the it is THE common controls framework.
Building Your Cybersecurity & Data Privacy Program
The SCF can be viewed as a long-term tool. This not only to helps with compliance-related efforts, but to ensure security, compliance and resilience principles are properly designed, implemented, and maintained.
The SCF helps implement a holistic approach to protecting the Confidentiality, Integrity, Availability, and Safety (CIAS) of your data, systems, applications, and processes. The approach looks at the following spheres of influence to identify applicable controls:
- Statutory obligations: laws that apply to your organization
- Regulatory obligations: agency regulations and enforcement frameworks
- Contractual obligations: customer and partner security requirements
- Industry-recognized best practices: voluntary frameworks like CIS, NIST CSF, ISO 27001
It is best to visualize the SCF as a buffet of 1,500+ cybersecurity and privacy controls. Once you know your applicable requirements, you select the controls that are right-sized for your organization. Every organization has unique needs, so the expectation is each organization using the SCF tailors its controls for its specific requirements.

What The SCF Is and What It Is Not
Understanding what the SCF does and does not do is essential to using it effectively. There's no sales pitch. The SCF is free. But it's not a magic bullet either. To help answer this question, we highly encourage everyone to read the SCF Overview and Instructions.
The SCF Is
- A comprehensive catalog of 1,500+ cybersecurity & privacy controls
- A metaframework, the Common Controls Framework™ (CCF)
- A Living Control Set (LCS), designed to easily update as laws and frameworks evolve
- A “Rosetta Stone” for normalizing control language across organizations
- Free to use under Creative Commons licensing, with no cost and no registration required
- Expert-derived content from volunteer cybersecurity and data privacy specialists worldwide
- Importable as .CSV or NIST OSCAL JSON into any GRC platform
- Built with transparent NIST IR 8477 STRM mapping methodology
- Includes built-in risk catalog, threat catalog, and capability maturity criteria
The SCF Is Not
- A substitute for performing compliance due diligence specific to your organization
- A complete documentation solution (policies, standards, and procedures are still required)
- Infallible. Mappings are expert-derived assessments, not legally certified opinions
- A technology solution. It governs requirements, not implementations
- A guaranteed path to certification for any specific standard
- Designed for organizations with only 1–2 simple compliance requirements
- A replacement for qualified security professionals and legal counsel
- A one-size-fits-all template. It requires tailoring to your organizational context
Metaframework
For organizations with 3 or more compliance requirements (e.g., NIST CSF + ISO 27001 + HIPAA + SOC 2 + PCI DSS), the SCF is an extraordinarily efficient solution, where one well-worded control addresses multiple requirements simultaneously, since the same password requirement appears in dozens of laws and frameworks.
Built To Fix A Broken Industry
Cybersecurity is a protracted war on an asymmetric battlefield. As defenders, we have to work together, since we all suffer when massive data breaches occur or when cyber attacks have physical impacts.
The SCF was created to help organizations do better with their cybersecurity practices. Hackers share attack methods freely. Why shouldn't defenders share defense methods? The SCF was built by volunteers who believe that better security practices benefit everyone.
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.
The SCF went live in 2018 and has grown to worldwide adoption where it is used by some of the largest corporations and governments globally. Its volunteers include auditors, engineers, architects, incident responders, consultants, and GRC specialists who donate their expertise because the security community wins when every organization has access to world-class controls guidance.

Free To Use
There is no financial incentive to push the SCF on anyone, since it is completely free. The SCF Council exists purely because improving the security posture of organizations everywhere benefits society as a whole.
More Than Just A Control Set
Where the SCF sets itself apart from every other metaframework is the depth of supporting content included, all for free.
Capability Maturity Criteria
Each control includes maturity criteria via the SCR-CMM, defining what “right” looks like at each maturity level. This spans from basic documentation through optimized, automated controls.
Proposed Control Weighting
Not all controls carry equal risk weight. The SCF includes proposed control weightings to help prioritize remediation and resource allocation, which are critical in risk management decisions.
Built-In Risk Catalog
Risks are mapped directly to SCF controls. The SCR-RMM describes how policies, standards, procedures, metrics, threats, and risks all connect through controls as the central nexus.
Built-In Threat Catalog
Threats are mapped to controls for threat-informed defense. Understanding which threats each control addresses helps right-size security investment based on your actual threat landscape.
Living Control Set (LCS)
The SCF is updated on a quarterly cadence (4x per year) as laws change, frameworks publish new versions, and emerging threats demand new controls. It evolves so your program stays current without heroic effort.
GRC Platform Integration
Import the entire SCF into your GRC platform via .CSV or NIST OSCAL JSON. Natively supported by dozens of enterprise GRC tools globally. No proprietary lock-in.
SCRMS: Controls at the Center of Everything
We want companies to be secure, compliant and resilient! Those are not just words, since we put a significant amount of time and energy into developing the Security, Compliance & Resilience Management System (SCRMS) that is a must-read for any CISO or GRC Director. The SCF can serve as a foundational component for your company to build secure, compliant and resilient capabilities that are able to withstand external scrutiny (e.g., regulators, class action lawsuits, insurers, etc.).
The SCF developed the SCRMS, which is a comprehensive implementation system that treats controls as the central nexus of cybersecurity and data privacy operations. Unlike traditional GRC which is often process-centric, the SCRMS is controls-centric. In the SCRMS, controls are viewed as the nexus , or central pivoting point, for an organization’s cybersecurity program. Not just policies and standards map to controls, but procedures, metrics, threats, and risks as well. This ties everything together into a cohesive, operationalizable framework that any CISO or GRC Director can implement.
The SCF focuses on internal controls. These are the cybersecurity and privacy-related policies, standards, procedures, technologies and associated processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

MCR vs DSR: Compliant vs. Secure
Understanding the difference between Minimum Compliance Requirements and Discretionary Security Requirements is critical to building a mature GRC program. Compliant ≠ Secure.
MCR: Minimum Compliance Requirements
Controls that represent the minimum bar required by external obligations, including laws, regulations, and contracts. These are non-negotiable; not implementing them creates legal or contractual exposure.
- Externally influenced (laws, regs, contracts)
- "Must have" requirements (e.g., non-discretionary)
- Fact-finding, not risk assessment
- Forms compliance baseline
DSR: Discretionary Security Requirements
Controls selected based on the organization's own risk appetite and judgment. These go beyond the minimum and represent best-practice enhancements driven by internal risk management.
- Internally influenced (risk-based decisions)
- "Nice to have" (e.g., risk-informed choices, discretionary)
- Based on threat landscape and asset sensitivity
- Elevates posture beyond compliance floor

Why This Distinction Matters for Risk Management
Without clearly defining MCR and DSR thresholds, an organization’s cybersecurity program lacks anchoring to clear requirements. Clarifying the difference between “compliant” (MCR) and “secure” (MCR + DSR) is what elevates risk management discussions from checkbox compliance to genuine risk reduction. The SCF maps every MCR and DSR to specific controls across all 34 domains.
PDCA Approach to Cybersecurity & Data Protection
The SCF implements the PDCA (Plan-Do-Check-Act) cycle as the foundational approach to building and operating a cybersecurity program. Each phase maps directly to the SCRMS and the SCF control structure.
Plan
Define scope, applicable laws/regs/frameworks, and risk appetite. Identify MCR and DSR. Select applicable SCF controls. Build your Minimum Security Requirements (MSR) blueprint.
Do
Implement selected controls. Publish policies, standards, and procedures. Assign stakeholder accountability. Leverage the SCRMS as a “paint by numbers” implementation guide.
Check
Assess control effectiveness via the SCF Conformity Assessment Program (SCF-CAP). Measure maturity using the SCR-CMM. Monitor using built-in risk and threat catalogs.
Act
Remediate gaps from the Check phase. Update controls as laws change via the Living Control Set. Continuously improve. Prove compliance to regulators, auditors, insurers, and customers.
Cybersecurity & Privacy By Design
The SCF is built on the principle that security and privacy must be “baked in” and not bolted on. Two complementary design philosophies underpin the entire framework.
Security by Design (SbD)
Security by Design means security is addressed at the strategic, operational, and tactical levels that are built into the design of systems, processes, and products from the start rather than applied as an afterthought. The SCF’s 34-domain structure enforces SbD by providing controls at every layer of the organization that range from governance (GOV) through technical controls (NET, IAC, CRY) and operations (IRO, MON, VPM). Requirements originate from statutory law, regulatory agencies, contractual obligations, and industry best practices. The SCF distills all of these into a single, consistent security design language.
Privacy by Design (PbD)
Privacy by Design is the principle that privacy must be proactively embedded into the design of IT systems, business practices, and physical infrastructure that are not added on, but built as a default. The SCF’s Privacy (PRI) domain contains 40+ controls aligned to GDPR, CCPA/CPRA, PIPEDA, and global privacy regulations, covering DSARs, PIAs, DPIAs, consent management, and more. The SCF treats cybersecurity and privacy as inseparable where both are necessary conditions of a mature, defensible program that can withstand external scrutiny. The SCF distills all of these into a single, consistent privacy design language.
How The SCF Is Mapped
The SCF uses the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology, which is a transparent, rigorous approach to crosswalking disparate laws, regulations and frameworks.
Unlike frameworks that use subjective “close enough” mapping, the STRM methodology applies set theory concepts (e.g., subset, superset, intersection and equal) to define the precise relationship between any two controls in different frameworks.
- Mappings are transparent and reproducible, not black-box guesswork
- Relationships are directional, showing whether SCF fully satisfies a requirement or only partially
- Gaps are clearly identified with no hidden coverage holes
- Mappings can be validated, challenged, and updated by the community
NIST OLIR
The SCF participates in the NIST OLIR program to provide machine-readable, NIST-registered crosswalks that are publicly available and independently verifiable.
Explore The SCF Step by Step
Now that you understand what the SCF is, dive deeper into each component of the framework.
SCRMS Implementation
Learn how to implement the SCF using the Security, Compliance & Resilience Management System, the "how to use the SCF" guide for CISOs and GRC directors.
Domains & Principles
Explore all 34 SCF domains interactively. Search, filter by category, and understand the principles governing each area of cybersecurity and data privacy.
STRM Methodology
Understand NIST IR 8477 Set Theory Relationship Mapping, the transparent methodology behind the SCF's crosswalking of 200+ frameworks.
Download the SCF
Download the SCF now as an Excel spreadsheet, CSV, or via GitHub. No cost, no friction, no registration required. Start building today.
.png)

%20(white).png)