Secure Controls Framework

SCR-RMM — Risk Management Model

The SCR Risk Management Model (SCR-RMM) provides a structured, scalable approach to cybersecurity and privacy risk management — built directly on the Common Controls Framework™ and aligned to leading risk standards including NIST RMF, ISO 31000, and FAIR.

3 Risk Tiers · 5 Risk Functions · 33 Domains Covered · Free (Creative Commons)
Common Controls Framework™

The SCF is the exclusive, trademarked Common Controls Framework™ (CCF™) — a Living Control Set with 33 domains, 1,400+ controls, and mappings to 200+ laws, regulations & frameworks. SCR-RMM is the risk management model built on the CCF™ foundation. Free. Always.

SCR stands for Secure, Compliant & Resilient — the three outcomes the SCF program is designed to produce. The SCR-RMM structures risk management to achieve all three. Available in .CSV and NIST OSCAL JSON.

About SCR-RMM

Risk Management That Produces Secure, Compliant & Resilient Organizations

Most organizations treat cybersecurity risk management as a compliance exercise — checking boxes to satisfy an auditor. The SCR-RMM is designed around a different premise: risk management should produce organizations that are genuinely Secure, Compliant, and Resilient.

The SCR-RMM provides a tiered, structured approach that scales from the smallest SMB to the largest enterprise. It integrates directly with the SCF control catalog — every risk identified in the RMM maps to SCF controls that mitigate it, and every SCF control includes proposed risk weighting that informs RMM scoring.

Rather than treating risk as an abstract metric, the SCR-RMM is built on the SCF’s MCR/DSR classification system — distinguishing between externally mandated compliance requirements and risk-based, discretionary controls so organizations understand not just their risk score, but the nature of each gap.

Included in the SCF Download — No Separate Download Required

The SCR-RMM is fully integrated into the SCF spreadsheet download. Risk tiers, risk functions, control weightings, and MCR/DSR classifications are all built into the SCF Excel/CSV/OSCAL files.

[Chart: SCR-RMM Risk Distribution by Domain, showing relative risk weighting concentration across the 33 SCF domains. Legend: 3 Risk Tiers · 5 Core Risk Functions · MCR (Compliance Risk) · DSR (Discretionary Risk)]
SCR Framework

What Does SCR Mean?

SCR stands for Secure, Compliant & Resilient — the three interconnected outcomes every cybersecurity and risk management program should produce. The SCR-RMM is designed around achieving all three simultaneously.


Secure

Controls are implemented and operating effectively. Technical and administrative safeguards are in place, documented, and tested. The organization has reduced its attack surface and can defend against the threats most relevant to its risk profile.

In the SCR-RMM, Secure is measured by the proportion of SCF controls implemented at or above the required SCR-CMM maturity level for the organization’s risk tier.


Compliant

All applicable Minimum Compliance Requirements (MCRs) — laws, regulations, and contractual obligations — are satisfied. The organization can demonstrate compliance to regulators, auditors, customers, and business partners.

In the SCR-RMM, Compliant is measured by the completion rate of SCF controls classified as MCRs across all applicable regulatory frameworks in the organization’s LRF scope.


Resilient

The organization can withstand, respond to, and recover from cybersecurity incidents without catastrophic disruption. Business continuity plans are current, incident response capabilities are tested, and backup/recovery controls are verified.

In the SCR-RMM, Resilient is measured by the maturity of controls in the BCD, IRO, and related domains relative to the organization’s recovery time and point objectives.

SCR-RMM Risk Tiers

Three Risk Tiers — Scalable To Any Organization

The SCR-RMM is structured around three risk tiers — allowing organizations of any size and sector to apply a calibrated level of rigor proportional to their actual risk profile, regulatory obligations, and organizational capacity.

Tier 1

Foundational Risk Management

For small organizations, SMBs, and entities with limited IT resources and low regulatory complexity. Focus is on achieving the MCR baseline — satisfying all mandated compliance requirements — and implementing high-priority DSR controls to address the most common threat scenarios.

SCF CORE Fundamentals · MCR Baseline · CMM Level 2 Target

Tier 2

Intermediate Risk Management

For mid-market organizations with moderate regulatory complexity, third-party risk exposure, and a defined security team. Extends beyond the MCR baseline to address key DSRs across all 33 domains — implementing formal risk management processes, third-party risk management, and continuous monitoring.

Full SCF Catalog · MCR + Priority DSRs · CMM Level 3 Target

Tier 3

Advanced Risk Management

For large enterprises, regulated entities, government contractors, and organizations with high-risk profiles or complex regulatory obligations. Full implementation of the SCF catalog with continuous monitoring, formal risk treatment plans, threat intelligence integration, and board-level risk reporting.

Full SCF Catalog · All MCRs + All DSRs · CMM Level 4–5 Target

Risk Management Functions

Five Core Risk Management Functions

The SCR-RMM organizes risk management activity into five functions — aligned to NIST CSF and NIST RMF but expressed through the SCF CCF™ control lens for direct actionability.

Function 1

Identify

Establish organizational understanding of the cybersecurity and privacy risk environment — asset inventory, data classification, regulatory obligations mapping, threat identification, and business impact analysis. Maps to SCF GOV, AST, RSK, and CPL domains.

Function 2

Protect

Implement safeguards to limit or contain the impact of a cybersecurity event — access controls, data protection, endpoint security, network security, cryptography, and security awareness training. Maps to SCF IAC, DCH, NET, CRY, END, and SAT domains.

Function 3

Detect

Develop and implement activities to identify the occurrence of a cybersecurity event — continuous monitoring, anomaly detection, log management, and vulnerability scanning. Maps to SCF MON, VPM, and TVM domains.

Function 4

Respond

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident — incident response planning, communications, analysis, mitigation, and improvements. Maps to SCF IRO domain.

Function 5

Recover

Develop and implement activities to maintain plans for resilience and restore impaired capabilities — business continuity, disaster recovery, backup and restore, and post-incident restoration planning. Maps to SCF BCD domain.

Risk Classification

MCR vs DSR — Two Types of Risk

At the core of the SCR-RMM is the distinction between compliance risk and security risk — captured through the SCF’s Minimum Compliance Requirement (MCR) and Discretionary Security Requirement (DSR) classification system.

This distinction matters because compliance risk and security risk require different treatment strategies, different stakeholders, and different measurement approaches. An organization that is fully compliant but not secure has a different risk profile — and requires a different response — than an organization that is secure but non-compliant.


MCR — Minimum Compliance Requirement: Controls mandated by an applicable law, regulation, or contractual obligation. Non-compliance creates legal liability. MCRs are non-discretionary — the organization must implement them regardless of cost-benefit analysis.


DSR — Discretionary Security Requirement: Controls that reduce security risk but are not externally mandated. DSRs are implemented based on the organization’s risk appetite, resource availability, and threat exposure. Prioritized by the proposed control weighting in the SCF spreadsheet.

[Chart: MCR vs DSR Distribution in the SCF, showing the proportion of SCF controls classified as mandatory vs discretionary]

Why This Matters for Risk Treatment

MCR gaps require remediation regardless of cost. DSR gaps require risk-based prioritization. The SCR-RMM guides organizations through both treatment paths — with different escalation paths, timelines, and documentation requirements for each classification.

Risk Assessment Approach

SCR-RMM Risk Assessment Process

The SCR-RMM provides a structured, repeatable process for assessing cybersecurity and privacy risk — from initial scoping through risk treatment and monitoring.

Step | Activity | SCF Integration | Output
RMM-1 | Scope Definition — Define organizational boundaries, applicable laws/regulations, and system scope using the Unified Scoping Guide (USG) | USG Scoping Template, LRF Registry | Defined scope, applicable MCR list
RMM-2 | Asset Inventory — Identify and classify all in-scope information assets, systems, and data using the SCF AST domain controls | SCF AST Domain Controls | Asset register with data classification
RMM-3 | Threat Identification — Map applicable threats to in-scope assets using the SCF Threat Catalog crosswalk | SCF Threat Catalog, VPM Domain | Threat register with likelihood ratings
RMM-4 | Control Gap Analysis — Assess current control implementation status against the SCF catalog; score using SCR-CMM maturity levels | SCF Control Catalog, SCR-CMM | Gap register with MCR/DSR flags
RMM-5 | Risk Scoring — Calculate residual risk using SCF proposed control weightings, threat likelihood, and current CMM scores | SCF Control Weighting, Risk Catalog | Risk register with residual risk scores
RMM-6 | Risk Treatment — Define treatment plans: remediate MCR gaps, prioritize DSR gaps by risk score, accept residual risk with documented rationale | ERL Evidence Requirements, CAP | Risk treatment plan with owners and timelines
RMM-7 | Monitor & Review — Continuously monitor control effectiveness, track remediation progress, and reassess risk on a defined schedule using SCF MON domain controls | SCF MON Domain, PDCA Cycle | Updated risk register, executive risk reports
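The following is an added worked example, not SCF code, of how steps RMM-4 through RMM-6 and the Secure/Compliant measures defined earlier on this page fit together over a gap register. The control IDs, weights, likelihoods and CMM values are constructed sample data; the residual-risk formula (weight × likelihood × normalised maturity gap) is an assumption for illustration, since the page names the inputs but not the arithmetic. What it does reproduce from the page is the treatment rule: MCR gaps are remediated regardless of score, while DSR gaps are ranked by residual risk and those below the organization's risk appetite are accepted with a documented rationale.

```python
"""Worked example of SCR-RMM steps RMM-4 (gap register) -> RMM-5 (risk scoring) -> RMM-6 (treatment).

Added illustration, not SCF code. Control IDs, weights, likelihoods, CMM values and the
residual-risk formula are constructed assumptions; the SCF spreadsheet carries its own
proposed weightings and this page does not state a scoring formula.
"""
from dataclasses import dataclass

# CMM level targets per risk tier, as stated on the page (Tier 3 uses the lower bound of 4-5)
TIER_TARGET_CMM = {1: 2, 2: 3, 3: 4}


@dataclass
class Control:
    control_id: str      # hypothetical ID, not a real SCF control identifier
    domain: str
    classification: str  # "MCR" or "DSR"
    weight: int          # proposed control weighting, assumed 1..10 scale
    likelihood: float    # threat likelihood from the threat register, assumed 0..1
    cmm: int             # current SCR-CMM maturity level, 0..5


# Constructed gap register (RMM-4 output)
REGISTER = [
    Control("GOV-01", "GOV", "MCR", 8, 0.5, 3),
    Control("IAC-05", "IAC", "MCR", 9, 0.8, 1),
    Control("CRY-03", "CRY", "MCR", 7, 0.6, 2),
    Control("MON-02", "MON", "DSR", 6, 0.7, 1),
    Control("BCD-04", "BCD", "DSR", 8, 0.4, 2),
    Control("SAT-01", "SAT", "DSR", 3, 0.3, 1),
    Control("END-06", "END", "DSR", 5, 0.2, 3),
]


def maturity_gap(control, target):
    """Normalised shortfall against the tier target: 0 when met, 1 when nothing is in place."""
    return max(target - control.cmm, 0) / target


def residual_risk(control, target):
    """Assumed RMM-5 scoring: weight x likelihood x maturity gap.
    A control at or above target scores 0 regardless of its weight."""
    return round(control.weight * control.likelihood * maturity_gap(control, target), 2)


def secure_score(register, target):
    """'Secure' as the page defines it: share of controls at or above the tier's target CMM."""
    met = sum(1 for c in register if c.cmm >= target)
    return round(met / len(register), 2)


def compliant_score(register, target):
    """'Compliant' as the page defines it: completion rate of MCR-classified controls only."""
    mcrs = [c for c in register if c.classification == "MCR"]
    met = sum(1 for c in mcrs if c.cmm >= target)
    return round(met / len(mcrs), 2)


def treatment_plan(register, tier, risk_appetite):
    """RMM-6: every MCR gap is remediated regardless of score; DSR gaps are ranked by
    residual risk, and those below the risk appetite are accepted with documented rationale."""
    target = TIER_TARGET_CMM[tier]
    remediate, accept = [], []
    gaps = [c for c in register if c.cmm < target]
    for c in sorted(gaps, key=lambda c: residual_risk(c, target), reverse=True):
        score = residual_risk(c, target)
        if c.classification == "MCR" or score >= risk_appetite:
            remediate.append((c.control_id, c.classification, score))
        else:
            accept.append((c.control_id, c.classification, score))
    return {"target_cmm": target, "remediate": remediate, "accept": accept}


if __name__ == "__main__":
    tier = 2
    target = TIER_TARGET_CMM[tier]
    print("Secure   :", secure_score(REGISTER, target))
    print("Compliant:", compliant_score(REGISTER, target))
    plan = treatment_plan(REGISTER, tier, risk_appetite=2.0)
    for row in plan["remediate"]:
        print("remediate", row)
    for row in plan["accept"]:
        print("accept   ", row)
```

Run as-is for a Tier 2 organization: CRY-03 has a lower residual score than the accepted BCD-04 gap would warrant on score alone, yet it still lands in the remediate list because it is an MCR, which is exactly the "regardless of cost" behaviour the MCR/DSR section describes. Swapping in the real SCF proposed weightings and the organization's own threat register is the only change needed to move from constructed data to a live risk register.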
Continuous Improvement

Plan-Do-Check-Act (PDCA)

The SCR-RMM is designed to operate within a continuous PDCA improvement cycle — treating risk management as an ongoing organizational capability, not a one-time compliance exercise.

Phase 1

PLAN

Define scope, identify applicable laws and obligations, conduct asset inventory, identify threats, and perform initial control gap analysis against the SCF catalog. Establish risk appetite and treatment thresholds.

Phase 2

DO

Implement risk treatment plans. Deploy controls, document policies and procedures, train personnel, and engage third-party assessors if pursuing SCF-CAP. Prioritize MCR gaps over DSR gaps in resource allocation.

Phase 3

CHECK

Evaluate control effectiveness through internal assessments, evidence review using the ERL, and SCR-CMM maturity scoring. Compare residual risk scores against the defined risk appetite and treatment thresholds.

Phase 4

ACT

Update risk treatment plans based on assessment results. Escalate unresolved MCR gaps. Accept residual DSR risk with documented rationale. Advance maturity level targets for the next PDCA cycle.

Related SCR Models

SCR-RMM Works With SCR-CMM

The SCR-RMM and SCR-CMM are designed as companion models — risk management and maturity measurement work together within the same SCF-based framework.


SCR-RMM — Risk Management Model

Defines the risk management process — how to identify, assess, score, treat, and monitor cybersecurity and privacy risk using the SCF control catalog as the treatment vehicle.

Three scalable risk tiers (Foundational, Intermediate, Advanced)
Five risk functions (Identify, Protect, Detect, Respond, Recover)
MCR/DSR classification for compliance vs security risk
Seven-step risk assessment process
Companion Model

SCR-CMM — Capability Maturity Model

Defines how to measure and score control implementation maturity — providing the measurement system that informs SCR-RMM risk scores. The CMM is how the RMM knows how well each control is working.

Five maturity levels (Ad Hoc → Optimized)
CMM criteria for every SCF control in the spreadsheet
Domain-level and program-level maturity scoring
Direct integration with RMM risk scoring
Creative Commons — No Cost — No Registration Required

Download the SCR-RMM — Free

The SCR-RMM is fully integrated into the SCF download — including risk tiers, MCR/DSR classifications, control weightings, and the risk and threat catalogs. No separate download required.


Licensed under Creative Commons Attribution 4.0. Volunteer-driven by the SCF Council. No registration required.