Secure Controls Framework

Free Cybersecurity & GRC Content

Every resource on this page is 100% free — released under Creative Commons licensing by the volunteer experts of the SCF Council. Download the full Common Controls Framework™ (CCF™), maturity models, risk frameworks, evidence templates, and more. No registration. No paywall. No catch.

8+ Free Resources · 1,400+ Controls · 200+ Frameworks Mapped · $0 Forever
CORE FRAMEWORK

The SCF — Download the Common Controls Framework™

The primary SCF download contains the full 1,400+ control catalog with all 200+ framework mappings, maturity criteria, control weightings, risk catalog, threat catalog, and assessment guidance. Available in multiple formats including Excel, CSV, and NIST OSCAL JSON.

Full Control Catalog — 1,400+ Controls

The SCF control catalog spans all 33 cybersecurity and data privacy domains — from Governance and Asset Management through Cloud Security and Privacy. Each control includes a unique SCF identifier, control objective, capability maturity criteria at each SCR-CMM level (1–5), proposed weighting, and threat/risk catalog crosswalks.

200+ Framework Mappings via STRM

Every SCF control is mapped to all applicable laws, regulations, and frameworks using the NIST IR 8477 Set Theory Relationship Mapping (STRM) methodology. Mappings include NIST SP 800-53, NIST CSF 2.0, ISO 27001/2, CIS Controls v8, HIPAA, PCI DSS v4, SOC 2, CMMC 2.0, GDPR, CCPA/CPRA, DORA, NIS2, FedRAMP, and 185+ more.

NIST OSCAL JSON Export

The SCF’s NIST OSCAL JSON export enables machine-readable exchange of control catalogs and profiles. It supports native import into FedRAMP automation pipelines, automated compliance workflows, interoperability with OSCAL-compatible GRC tools, and machine-readable crosswalk data for automated gap analysis.

No registration required. No email capture. Creative Commons Attribution 4.0 license.

SECURE, COMPLIANT & RESILIENT (SCR)

SCR Models — Free Maturity & Risk Frameworks

The SCR models give the SCF depth beyond basic controls — free maturity models and risk management frameworks that integrate directly with the SCF control catalog.

SCR Capability Maturity Model (SCR-CMM)

The SCR-CMM defines five maturity levels for every SCF control — from "Ad Hoc" (Level 1) through "Optimized" (Level 5). It gives organizations a precise benchmark for where their controls stand and what "right" looks like at each stage of program maturity.

The SCR-CMM is the only free, openly licensed cybersecurity maturity model directly integrated with a 1,400+ control catalog. It enables organizations to produce board-level maturity scorecards without expensive consulting engagements.

Level 1 — Ad Hoc
Level 2 — Basic
Level 3 — Defined
Level 4 — Managed
Level 5 — Optimized

SCR Risk Management Model (SCR-RMM)

The SCR-RMM describes how policies, standards, procedures, metrics, threats, and risks all connect through SCF controls as the central nexus. It is a structured risk management model that integrates directly with the SCF control catalog for risk-informed decision making.

The SCR-RMM enables organizations to move from checkbox compliance to genuine risk management — understanding not just which controls are required, but which threats they address and what residual risk remains when controls are missing or immature.

Risk Catalog · Threat Catalog · Control Weighting

The SCR models are a free differentiator unique to the SCF — no other free metaframework includes integrated capability maturity criteria and a risk management model covering 1,400+ controls.

ASSESSMENT & TEMPLATES

Free Assessment Tools & Templates

Beyond the core control catalog, the SCF Council publishes specialized tools that support every phase of a cybersecurity program — all free under Creative Commons licensing.

Cybersecurity & Data Privacy Assessment Standards (CDPAS)

The CDPAS provides standardized assessment criteria for evaluating cybersecurity and data privacy programs against the SCF control catalog. Used by internal audit teams and third-party assessors to produce consistent, repeatable assessment results.

CDPAS enables organizations to self-assess against the CCF™ using a structured observation-based methodology, producing defensible evidence of control effectiveness for regulators, insurers, and board audiences.

Excel · PDF · Self-Assessment · Third-Party Ready

Evidence Request List (ERL)

The ERL is a pre-built, comprehensive list of audit evidence items mapped to every SCF control. It tells auditors, assessors, and compliance teams exactly what documentation, configurations, and artifacts are needed to demonstrate control effectiveness.

The ERL eliminates the "what do you want to see?" ambiguity in audits. Both the assessed organization and the assessor start from the same, standardized evidence baseline — dramatically reducing audit preparation time and rework.

Excel · .CSV · Audit-Ready · TPRM

Unified Scoping Guide (USG)

The USG provides structured guidance for defining assessment scope — the critical first step in any audit or compliance assessment. Proper scoping determines which systems, data flows, and processes are in-scope for each applicable law or framework.

The USG prevents both over-scoping (wasting resources assessing out-of-scope systems) and under-scoping (missing critical systems and creating audit exposure). It is essential for FedRAMP, PCI DSS, HIPAA, and SOC 2 engagements.

PDF · Excel · Scoping · Risk-Based

SPECIALIZED CONTENT

Specialized GRC Tools & Guidance

Domain-specific tools for organizations with unique compliance challenges — M&A transactions, data privacy programs, and more.

Mergers, Acquisitions & Divestitures (MA&D)

The SCF MA&D toolkit provides specialized cybersecurity due diligence guidance for M&A transactions. It identifies the cybersecurity controls, data privacy obligations, and inherited risks that must be evaluated during any acquisition, merger, or divestiture process.

M&A transactions routinely expose acquiring organizations to inherited cybersecurity liabilities — undisclosed breaches, non-compliant data practices, and technical debt. The SCF MA&D framework provides a structured methodology for evaluating and managing these risks before closing.

Excel · Due Diligence · Deal Risk

Data Privacy Management Principles (DPMP)

The DPMP provides structured guidance for building and operating a data privacy management program aligned with the SCF’s Privacy (PRI) domain. It covers GDPR, CCPA/CPRA, PIPEDA, and global privacy regulations through the lens of SCF controls.

The DPMP implements Privacy by Design (PbD) principles — helping organizations embed privacy requirements into systems, processes, and products from inception rather than retrofitting compliance after the fact. It covers DSARs, consent management, PIAs, DPIAs, and data retention.

PDF · GDPR · CCPA · Privacy by Design

LICENSING & RIGHTS

Creative Commons Licensed. Free. Always.

Every piece of free content on this page — and the entire SCF framework itself — is released under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. This means you are free to download, share, distribute, adapt, and use the SCF for any purpose — commercial or non-commercial.

You can import the SCF into commercial GRC platforms and tools, build internal programs based on SCF controls, and reference SCF controls in contracts, assessments, and audit reports. The only requirement is attribution to the SCF Council.

Common Controls Framework™ Trademark Notice: While the SCF content is Creative Commons licensed, the Common Controls Framework™ designation is exclusively trademarked by the SCF Council. No other framework may use this designation.

Download and use the SCF for any purpose — commercial or non-commercial

Share, distribute, and adapt the framework within your organization

Import the SCF into commercial GRC platforms and tools

Build internal programs, policies, and standards based on SCF controls

Reference SCF controls in contracts, assessments, and audit reports

ALWAYS CURRENT

The SCF Is A Living Control Set (LCS)

Unlike static frameworks that fall behind as laws change, the SCF is continuously updated — a true Living Control Set that evolves with the regulatory landscape.

Updated with Every New Law & Regulation

When a new law is enacted — DORA, NIS2, state privacy laws, sector-specific rules — the SCF is updated to map the new requirements to existing controls. Your organization’s compliance coverage updates without rework.

Proactive · Law-Aware

Updated with Framework Revisions

When NIST releases CSF 2.0, ISO updates 27001, or CIS publishes new Controls — the SCF mappings are updated to reflect the new version. Never maintain separate crosswalk spreadsheets again.

NIST CSF 2.0 · ISO 27001:2022

Updated with Emerging Threats

New attack techniques, vulnerabilities, and threat patterns drive new control requirements. The SCF LCS incorporates these changes as expert volunteers identify gaps — ensuring controls stay relevant against real-world threats.

Threat-Informed · Always Relevant

Subscribe to SCF update notifications to be alerted when the LCS is updated with new mappings or controls.

EXPLORE FURTHER

Put The SCF To Work

Downloaded the SCF? Here’s what to do next — from implementation guidance to certification pathways.

Start Here — What Is The SCF?

New to the SCF? Start with the overview — understand what the Common Controls Framework™ is, why it exists, and how to use it effectively.

SCRMS Implementation Guide

The SCRMS is the step-by-step guide for implementing the SCF in your organization using the Plan-Do-Check-Act (PDCA) management cycle.

SCF Certification Programs

Get your organization or team certified against the SCF through the Conformity Assessment Program (CAP) or individual certification paths.

Everything You Need to Build a World-Class GRC Program

1,400+ controls. 200+ framework mappings. Maturity models. Risk frameworks. Evidence templates. All free. Forever.

No registration. No cost. Licensed under Creative Commons Attribution 4.0.