CDPAS is developed by volunteer cybersecurity assessors, auditors, and GRC practitioners and released at no cost under Creative Commons Attribution 4.0. No license, no fee, no registration.

CDPAS is developed by volunteer cybersecurity assessors, auditors, and GRC practitioners and released at no cost under Creative Commons Attribution 4.0. No license, no fee, no registration.

How CDPAS connects to the other SCF tools and models

Internal Self-Assessment

Conducted by the organization's own team using CDPAS methodology. Produces a baseline maturity score and gap register for internal use — program planning, budget justification, and remediation prioritization. Not suitable for external assurance but establishes the foundation for all other assessment types.

Independent Third-Party Assessment

Conducted by a qualified external assessor using CDPAS methodology. Produces a formal assessment report with findings, recommendations, and CMM scores that can be shared with customers, partners, regulators, and boards as an assurance artifact. Basis for SCF-CAP conformity certification.

Regulatory Examination Support

Structures the organization's evidence package for regulatory examinations and audits — HIPAA audits, NY DFS examinations, FedRAMP assessments, CMMC C3PAO assessments, and others. CDPAS maps the regulator's specific evidence requirements to the SCF ERL so organizations can assemble a complete, well-organized examination package.

Third-Party / Vendor Assessment

Applies CDPAS methodology to assess the cybersecurity posture of vendors, suppliers, and business partners. Produces a comparable, standardized security rating for third parties — enabling apples-to-apples comparison across the vendor portfolio and supporting TPRM program requirements.

Sample CDPAS Finding — IAC-09

Unified Scoping Guide (USG)

Defines what is in scope for the CDPAS assessment — systems, data, locations, and applicable laws. The USG output is the direct input to CDPAS-1 (Scope Definition). Without proper scoping, no assessment is reliable.

Evidence Request List (ERL)

Defines exactly what evidence must be collected for each SCF control. CDPAS uses the ERL in phases 3 and 4 to drive evidence planning and collection — ensuring no required evidence is overlooked and every finding is supported by documented proof.

SCR-CMM Maturity Model

Provides the scoring standard for CDPAS Phase 5 assessments. Every control is scored on the 1–5 CMM scale. CDPAS findings always include a CMM score, making results comparable across organizations and over time.

SCR-RMM Risk Management Model

Provides the risk context for CDPAS findings. CDPAS Phase 6 uses RMM risk scores to prioritize findings by residual risk — ensuring remediation plans address the highest-risk gaps first, not just the most numerous.

SCF Control Catalog

The 1,400+ control catalog is the assessment object — every control is a potential assessment point. CDPAS uses the MCR/DSR classification and proposed risk weighting from the catalog to scope and prioritize assessment activity.

SCF-CAP Conformity Assessment

CDPAS Type 2 (Third-Party Assessment) is the methodology used in the SCF Conformity Assessment Program (SCF-CAP). Organizations pursuing SCF-CAP certification must undergo a CDPAS Type 2 assessment by an accredited SCF assessor.

Unified Scoping Guide (USG)

Defines what is in scope for the CDPAS assessment — systems, data, locations, and applicable laws. The USG output is the direct input to CDPAS-1 (Scope Definition). Without proper scoping, no assessment is reliable.

Evidence Request List (ERL)

Defines exactly what evidence must be collected for each SCF control. CDPAS uses the ERL in phases 3 and 4 to drive evidence planning and collection — ensuring no required evidence is overlooked and every finding is supported by documented proof.

SCR-CMM Maturity Model

Provides the scoring standard for CDPAS Phase 5 assessments. Every control is scored on the 1–5 CMM scale. CDPAS findings always include a CMM score, making results comparable across organizations and over time.

SCR-RMM Risk Management Model

Provides the risk context for CDPAS findings. CDPAS Phase 6 uses RMM risk scores to prioritize findings by residual risk — ensuring remediation plans address the highest-risk gaps first, not just the most numerous.

SCF Control Catalog

The 1,400+ control catalog is the assessment object — every control is a potential assessment point. CDPAS uses the MCR/DSR classification and proposed risk weighting from the catalog to scope and prioritize assessment activity.

SCF-CAP Conformity Assessment

CDPAS Type 2 (Third-Party Assessment) is the methodology used in the SCF Conformity Assessment Program (SCF-CAP). Organizations pursuing SCF-CAP certification must undergo a CDPAS Type 2 assessment by an accredited SCF assessor.

CISOs & Security Teams

Use CDPAS Type 1 (self-assessment) to establish baseline maturity, identify gaps, prioritize remediation, and prepare for external audits. CDPAS provides the structured methodology that turns the SCF spreadsheet into a formal internal assessment.

GRC Practitioners

Use CDPAS to structure compliance assessments across multiple regulatory frameworks simultaneously. Map regulator requirements to SCF controls once, collect evidence once, satisfy multiple auditors — eliminating redundant evidence collection across overlapping frameworks.

External Auditors & Assessors

Use CDPAS as the standard methodology for third-party cybersecurity and privacy assessments. Delivers consistent, comparable results across clients. Accredited SCF assessors use CDPAS for SCF-CAP conformity assessments.

Procurement & Vendor Risk Teams

Use CDPAS Type 4 (vendor assessment) to standardize third-party risk evaluation. Replace ad-hoc vendor questionnaires with a structured, CMM-scored methodology that produces comparable ratings across the entire vendor portfolio.

Regulators & Examiners

CDPAS provides a recognized, publicly available assessment methodology that regulated entities can use to self-assess and prepare for regulatory examinations. Regulators benefit from examined organizations having a common, structured evidence package format.

Privacy Officers

CDPAS covers both cybersecurity and data protection — applying the same evidence-based assessment methodology to privacy controls (SCF PRI domain) that is applied to all other security domains, unifying the cyber/privacy assessment under one methodology.

CISOs & Security Teams

Use CDPAS Type 1 (self-assessment) to establish baseline maturity, identify gaps, prioritize remediation, and prepare for external audits. CDPAS provides the structured methodology that turns the SCF spreadsheet into a formal internal assessment.

GRC Practitioners

Use CDPAS to structure compliance assessments across multiple regulatory frameworks simultaneously. Map regulator requirements to SCF controls once, collect evidence once, satisfy multiple auditors — eliminating redundant evidence collection across overlapping frameworks.

External Auditors & Assessors

Use CDPAS as the standard methodology for third-party cybersecurity and privacy assessments. Delivers consistent, comparable results across clients. Accredited SCF assessors use CDPAS for SCF-CAP conformity assessments.

Procurement & Vendor Risk Teams

Use CDPAS Type 4 (vendor assessment) to standardize third-party risk evaluation. Replace ad-hoc vendor questionnaires with a structured, CMM-scored methodology that produces comparable ratings across the entire vendor portfolio.

Regulators & Examiners

CDPAS provides a recognized, publicly available assessment methodology that regulated entities can use to self-assess and prepare for regulatory examinations. Regulators benefit from examined organizations having a common, structured evidence package format.

Privacy Officers

CDPAS covers both cybersecurity and data protection — applying the same evidence-based assessment methodology to privacy controls (SCF PRI domain) that is applied to all other security domains, unifying the cyber/privacy assessment under one methodology.

PLAN

Define assessment scope using USG. Select assessment type (self, third-party, regulatory, vendor). Identify in-scope SCF controls. Build the evidence request package using the ERL. Schedule assessment activities and notify stakeholders.

DO

Collect and validate evidence against the ERL. Conduct control assessments using CDPAS Phase 5 methodology. Score each control using SCR-CMM criteria. Document all findings in the structured CDPAS finding format.

CHECK

Aggregate control scores to domain and program level. Review findings for accuracy and completeness. Validate scores against evidence. Produce the assessment report. Compare results to prior assessment cycles to measure improvement.

ACT

Develop remediation plans prioritized by MCR/DSR classification and risk weighting. Assign owners and timelines. Track remediation progress. Schedule the next CDPAS assessment cycle to validate that gaps have been closed.

PLAN

Define assessment scope using USG. Select assessment type (self, third-party, regulatory, vendor). Identify in-scope SCF controls. Build the evidence request package using the ERL. Schedule assessment activities and notify stakeholders.

DO

Collect and validate evidence against the ERL. Conduct control assessments using CDPAS Phase 5 methodology. Score each control using SCR-CMM criteria. Document all findings in the structured CDPAS finding format.

CHECK

Aggregate control scores to domain and program level. Review findings for accuracy and completeness. Validate scores against evidence. Produce the assessment report. Compare results to prior assessment cycles to measure improvement.

ACT

Develop remediation plans prioritized by MCR/DSR classification and risk weighting. Assign owners and timelines. Track remediation progress. Schedule the next CDPAS assessment cycle to validate that gaps have been closed.