Secure Controls Framework
↓ Download SCF
Start Here ▼
What Is The SCF?SCRMS – How To Implement The SCFSCF Domains & PrinciplesIncluded Laws, Regulations & Frameworks (LRF)Set Theory Relationship Mapping (STRM)NIST OLIR ParticipationESG Considerations
Free Content ▼
SCF DownloadRisk Management Model (SCR-RMM)Capability Maturity Model (SCR-CMM)Cybersecurity Assessment Standards (CDPAS)Mergers, Acquisitions & Divestitures (MA&D)Data Privacy Management Principles (DPMP)Evidence Request List (ERL)Unified Scoping Guide (USG)
SCF CORE
GRC Fundamentals ▼
Common Cybersecurity Frameworks
NIST CSF 2.0ISO 27001 / ISO 27002NIST SP 800-53PCI DSS
Word Crimes & Emerging Trends
Word CrimesEmerging Trends
US (FED) – CMMCUS (FED) – DFARS 252.204-70XXUS (NY) – NY DFS 23 NYCRR Part 500US (FED) – GLBAUS (FED) – HIPAA / HITECHUS (FED) – SOXUS (TX) – SB 2610EU – DORAEU – NIS2 DirectiveCIS Critical Security Controls (CSC)NIST SP 800-161NIST SP 800-171NIST SP 800-172Trust Services Criteria (SOC 2)Metaframework – HITRUSTMetaframework – Unified Compliance (UC)
Policy vs Standard vs ProcedureRisks vs ThreatsStrategy vs Operations vs TacticsInheritance vs Reciprocity
TPRM & SCRMIntegrityResilienceMSP / MSSP Dumpster Fire
GRC Basics
The Output Of GRC PracticesCybersecurity MaterialityLaws vs Regulations vs Frameworks
Common Cybersecurity Laws
US (FED) - FedRampUS (FED) - GLBAUS (FED) - HIPAA / HITECHUS (FED) - SOXUS (CA) - CCPA / CPRAUS (TX) - SB 2610EU - DORAEU - GDPREU - NIS2 Directive
Common Cybersecurity Regulations
US (FED) - CMMCUS (FED) - DFARS 252.204-70xxUS (NY) - NY DFS 23 NYCRR Part 500
Common Cybersecurity Frameworks
CIS Critical Security Controls (CSC)ISO 27001 / ISO 27002NIST CSF 2.0NIST SP 800-53NIST SP 800-161NIST SP 800-171NIST SP 800-172PCI DSSTrust Services Criteria (SOC 2)Metaframework - HITRUSTMetaframework - Unified Compliance (UC)
Word Crimes
Policy vs Standard vs ProcedureRisks vs ThreatsStrategy vs Operations vs TacticsInheritance vs Reciprocity
Emerging Trends
TPRM & SCRMIntegrityResilienceCybersecurity MaterialityMSP / MSSP Dumpster Fire
SCF Certified ▼
Organization-Level SCF Certifications
SCF Conformity Assessment Program (CAP)SCF Assessment Guides
SCF Training & Individual-Level Certifications
SCF PractitionerSCF ArchitectSCF Assessor
Marketplace ▼
SCF Connect (SSOT)SCF Licensed Content Providers (LCPs)Registered Provider Organizations (RPOs)Authorized Control Integrator (ACI)Authorized Solution Provider (ASP)Third-Party Assessment Organizations (3PAOs)
FAQAboutSwag
The Common Controls Framework™

The Secure Controls Framework (SCF)

The SCF is the Common Controls Framework™ (CCF) — the world’s most comprehensive, free cybersecurity and data privacy metaframework. One unified control catalog. 262+ laws and frameworks mapped. Used globally by organizations of every size.

1,400+
Controls
33
Domains
200+
Laws & Frameworks
FREE
Creative Commons
⬇ Download Free SCFWhat Is The SCF?Explore 33 Domains
The Common Controls Framework™

The SCF is the exclusively trademarked Common Controls Framework™ (CCF). A Living Control Set (LCS) with 33 domains, 1,400+ controls, and mappings to 262+ laws, regulations and frameworks — available in .csv and NIST OSCAL .json formats for direct import into any GRC platform. Free. Always.

Why Choose the SCF?

One Framework to Address Every Compliance Obligation

The SCF eliminates the need for separate compliance programs. Implement one tailored SCF control set — it simultaneously satisfies HIPAA, ISO 27001, NIST CSF, SOC 2, PCI DSS, GDPR, and every other applicable framework.

262+ Laws & Frameworks Mapped

The SCF maps to 262+ unique laws, regulations, and frameworks across General, US, EMEA, APAC, and Americas jurisdictions. HIPAA, GDPR, NIST CSF 2.0, ISO 27001, CMMC, PCI DSS, SOC 2 — and hundreds more — all mapped through rigorous STRM methodology.

Native GRC Platform Integration

The SCF is importable into any GRC platform in two formats: standard .CSV for universal compatibility, and NIST OSCAL JSON for machine-readable, standards-based integration. No proprietary lock-in. No licensing fees for the core framework.

Transparent STRM Mapping

Starting with SCF 2024.1, all crosswalk mappings use NIST IR 8477 Set Theory Relationship Mapping (STRM) — the US Government’s gold standard. Every mapping documents a precise mathematical relationship type and strength score, making coverage defensible and auditable.

The Common Controls Framework™

The SCF is the exclusively trademarked Common Controls Framework™ (CCF). No other framework holds this designation. The domains commoncontrolsframework.com and common-controls-framework.com both redirect to the SCF, reflecting its singular status as the definitive CCF.

Learn More →

A Living Control Set (LCS)

The SCF is never static. As laws change, new frameworks emerge, and threat landscapes evolve, the SCF is continuously updated by its expert volunteer community. Your compliance program stays current without heroic manual effort or expensive vendor updates.

Volunteer-Driven by Industry Experts

The SCF is built and maintained entirely by volunteer cybersecurity and GRC professionals — CISOs, architects, engineers, auditors, privacy experts, and consultants — who donate their expertise because stronger security practices benefit everyone. No vendor bias. No sales agenda.

By The Numbers

The Most Comprehensive Cybersecurity Metaframework Available

1,400+
Controls across 33 domains
262+
Laws, regulations & frameworks mapped
5
Geographic regions covered
2025.4
Current SCF version
NIST IR 8477 · STRM

Transparency You Can Trust and Verify

The SCF is the only major metaframework that uses NIST IR 8477 Set Theory Relationship Mapping (STRM) — a mathematically rigorous, transparent methodology for every crosswalk mapping.

Every mapping between an SCF control and an LRF requirement documents a precise relationship type and a numeric strength score. Auditors, assessors, and regulators can verify exactly how and why an SCF control satisfies a given requirement.

The SCF's participation in the NIST OLIR Program — with accepted OLIRs for NIST CSF v1.1 and SP 800-171 R2 — provides independent government-recognized validation of the SCF's mapping quality.

STRM MethodologyNIST OLIR Participation
The 5 STRM Relationship Types
Subset Of
SCF control is broader in scope than the requirement
Intersects
Partial semantic overlap between the two elements
=
Equal To
Semantically equivalent — complete coverage
Superset Of
LRF requirement is broader than the SCF control
No Relation
No meaningful semantic overlap exists
GRC Platform Integration

Drop Into Any GRC Platform Instantly

The SCF is designed for real-world implementation — not just documentation. Import the complete control catalog directly into the GRC tools your organization already uses.

Available as a standard .CSV for universal compatibility, or as NIST OSCAL JSON for standards-based, machine-readable integration. The SCF’s stable control ID taxonomy (e.g., GOV-03, IAC-06) means version management across GRC systems is predictable and reliable.

Stable control IDs across all SCF versions
NIST OSCAL JSON for DevSecOps and API-driven workflows
No vendor lock-in — open and freely licensed
Natively supported by leading enterprise GRC platforms
Download Now — Free
Import Formats
.csv
Comma-Separated Values

Universal compatibility. Import directly into any GRC platform, spreadsheet tool, or custom database. No special tooling required.

Oscal .json
NIST OSCAL JSON Format

Machine-readable format adhering to the NIST Open Security Controls Assessment Language (OSCAL) standard — ideal for automated GRC pipelines and DevSecOps integration.

The SCF is natively supported by dozens of enterprise GRC platforms. No proprietary lock-in. No licensing fees for the core framework.

33 Domains

Complete Coverage Across Every Dimension of Cybersecurity

Every control in the SCF is organized into one of 33 logically structured domains — providing a universal taxonomy that means the same thing to every organization using the SCF, worldwide.

GOV — Governance
AST — Asset Management
IAC — Identity & Access Control
NET — Network Security
CRY — Cryptography
DCH — Data Classification & Handling
PRI — Privacy
RSK — Risk Management
CPL — Compliance
IRO — Incident Response
BCD — Business Continuity & DR
VPM — Vulnerability & Patch Management
MON — Continuous Monitoring
END — Endpoint Security
CLD — Cloud Security
TPM — Third-Party Management
PES — Physical & Environmental Security
SAT — Security Awareness & Training
HRS — Human Resources Security
SEA — Secure Engineering & Architecture
CHG — Change Management
CFG — Configuration Management
THR — Threat Management
TDA — Technology Development & Acquisition
WEB — Web Security
EMB — Embedded Technology
MDM — Mobile Device Management
OPS — Security Operations
IAO — Infrastructure & Operations
MNT — Maintenance
PRM — Project & Resource Management
CAP — Cybersecurity Assessment
AAT — Awareness & Training
Explore All 33 Domains →
Volunteer-Driven

Built by the Community, for the Community

The SCF is developed and maintained by volunteer cybersecurity and GRC professionals from around the world — with no financial incentive to push a particular agenda.

The security community wins when every organization has access to world-class controls guidance. Attackers share methods freely. Defenders should too. That conviction is the foundation of the SCF.

The SCF Council's volunteer contributors include CISOs, security architects, engineers, auditors, GRC specialists, privacy experts, and compliance consultants who donate their expertise because improving security practices everywhere benefits society as a whole.

About the SCF CouncilGet Involved

CISOs & Security Leaders

Senior practitioners defining enterprise security strategy and governance structures.

GRC Specialists

Governance, risk, and compliance professionals with deep regulatory expertise.

Security Architects

Technical architects who translate governance requirements into implementable designs.

Privacy & Legal Experts

Data privacy attorneys and privacy engineers contributing to PRI domain controls.

Security Engineers

Operational security professionals ensuring controls reflect real-world implementation realities.

Independent Auditors

Third-party assessors ensuring controls are audit-ready and defensible under scrutiny.

Get Started

Three Ways to Start Using the SCF Today

01

Download the SCF

Get the full SCF spreadsheet in .CSV or NIST OSCAL JSON format. No registration. No cost. No strings attached.

Free Download →
02

Understand the Framework

Work through the “Start Here” section to understand what the SCF is, how the SCRMS works, and how STRM mapping proves compliance coverage.

Start Here →
03

Implement with SCRMS

Use the Security, Compliance and Resilience Management System (SCRMS) as your operational guide for building a mature, auditable cybersecurity program.

View SCRMS →

The Most Comprehensive Free Cybersecurity Framework. Period.

Download the SCF — 1,400+ controls, 33 domains, 262+ laws and frameworks mapped — and start building your unified cybersecurity program today.

⬇ Download Free SCFWhat Is The SCF?

No registration. No cost. Licensed under Creative Commons. Volunteer-maintained by the SCF Council.

Secure Controls Framework

FREE cybersecurity metaframework. Creative Commons licensed. Volunteer-driven. Used worldwide.

Terms and Conditions
Download the SCF
Join the SCF Discord
Blog
Sponsors
Donate to the SCF
Privacy Notice
Cookie Notice

Start Here

Free Content

Resources

© 2026 Secure Controls Framework Council. Common Controls Framework™ is a registered trademark.

Sitemap