Secure Controls Framework
Free Forever · No Registration · Creative Commons Licensed

SCF Download — The Common Controls Framework™ Free For Everyone

Download the most comprehensive free cybersecurity and data privacy metaframework available. A Living Control Set (LCS) continuously updated by volunteer experts — available in Excel, CSV, and NIST OSCAL JSON.

33 Domains · 1,400+ Controls · 200+ Frameworks Mapped · FREE (Creative Commons)
ABOUT THE SCF DOWNLOAD

One Download. Every Framework. No Cost.

The SCF download is not just a controls list — it is a complete GRC toolkit built by volunteer cybersecurity and data privacy experts and released free under Creative Commons.

A single download gives you the full 1,400+ control catalog, all 200+ framework mapping tabs, SCR-CMM maturity criteria for every control, proposed risk weightings, MCR/DSR classification, risk and threat catalog crosswalks, and assessment observation (AO) guidance — everything needed to build and assess a cybersecurity program from any starting point.

Because the SCF is a Living Control Set (LCS), the download is continuously updated whenever a new law is enacted, a framework releases a new version, or an emerging threat demands new controls. Organizations using the SCF never need to maintain separate crosswalk spreadsheets or manually track regulatory changes.

Volunteer-Driven. Creative Commons Licensed. All SCF content is developed by volunteer cybersecurity practitioners — CISOs, auditors, GRC specialists, privacy experts, and engineers — and released at no cost under Creative Commons Attribution 4.0.

GET THE SCF

Download the SCF

Fill out the short form to access the full SCF download. No account required — just basic contact info so we can keep you informed about new releases.

All formats are also available directly on GitHub with no form required — no account, no login, no paywall. The form simply helps the SCF Council understand who is using the framework worldwide.

Prefer to skip the form? The full SCF is always available on GitHub — no registration or login required. The form is optional but helps us understand adoption and improve the framework.

Access the Full SCF Download

We use this information to understand how the SCF is used worldwide and to notify you when new versions are released.

No spam. No paywall. We may send you release notifications.

AVAILABLE FORMATS

Choose Your Format — All Free

Every format contains the same complete SCF control catalog. Choose based on how you plan to use the data.

SCF Spreadsheet (Excel / XLSX, Recommended)

The primary SCF download — the full control catalog with all framework mapping tabs, maturity criteria, risk catalog, and threat catalog in a single multi-tab workbook.

Flat-File CSV (GRC Import)

Universal flat-file format for importing the SCF into GRC platforms, databases, and custom tooling. Compatible with every major compliance and risk management tool.

NIST OSCAL JSON (NIST Standard)

Machine-readable Open Security Controls Assessment Language — the NIST standard for structured control data, enabling automated compliance workflows and OSCAL-native tool integration.

COMPLETE CONTENTS

What's Included in the SCF Download

The SCF download is a complete GRC toolkit — far more than a control catalog. Here is everything inside every download.

Control Catalog — 1,400+ Controls

The core of the SCF — controls organized across 33 domains. Every control includes a unique identifier, objective statement, plain-language description, and purpose statement aligned to the domain principle.

Framework Mappings — 200+ Laws & Frameworks

Every SCF control is mapped to all applicable laws, regulations, and industry frameworks using the transparent NIST IR 8477 STRM methodology. Directional mappings show whether SCF covers, partially covers, or exceeds each external requirement.

SCR-CMM Maturity Criteria

Five-level maturity criteria (Ad Hoc through Optimized) for every SCF control — built directly into the spreadsheet so organizations can immediately score their current control maturity.

Proposed Control Weighting

Risk-based weighting for every control — essential for prioritizing remediation, allocating resources, and producing defensible risk scores for board-level reporting.

MCR / DSR Classification

Every control is classified as a Minimum Compliance Requirement (MCR) — externally mandated — or a Discretionary Security Requirement (DSR) — risk-based and internally driven.

Risk Catalog Crosswalk

Risks are mapped to the SCF controls that mitigate them — enabling risk-informed control selection and residual risk analysis when controls are partially implemented.

Threat Catalog Crosswalk

Threats are mapped to the SCF controls that address them — enabling threat-informed defense and right-sizing security investment based on the actual threat landscape.

Assessment Observations (AOs)

Examiner guidance per control — the criteria used to evaluate whether a control is effectively implemented. Removes ambiguity from both self-assessments and third-party audits.

GRC PLATFORM INTEGRATION

Import Into Any GRC Platform

The SCF is utilized by many leading GRC platforms worldwide. Import the full 1,400+ control catalog — with all mappings — via .CSV or NIST OSCAL JSON in minutes, not months.

Unlike proprietary frameworks that lock you into a single vendor ecosystem, the SCF uses open, standardized formats. Your control data is yours — portable, exportable, and not dependent on any single tool vendor.

The SCF CSV and OSCAL JSON are supported by GRC tools across every market segment: SCF Connect, ServiceNow GRC, OneTrust, Archer, LogicGate, Hyperproof, Drata, Vanta, MetricStream, ISMS.online, Sprinto, Eramba, SimpleRisk, Anecdotes, and many more.

JOIN THE COMMUNITY

Get Connected & Stay Involved

The SCF is more than a download — it’s a living community of cybersecurity and GRC practitioners. Get the latest version on GitHub, ask questions in Discord, or support the mission with a donation.

Download on GitHub

The SCF is hosted on GitHub — the canonical source for all downloads. No account required. Watch the repository to be automatically notified when a new version of the Living Control Set is published.

Join the Discord

Connect with thousands of cybersecurity and GRC practitioners in the SCF community Discord. Ask questions, share your experience, discuss emerging regulations, and stay up to date on releases.

Support the SCF

The SCF is built and maintained entirely by volunteers and funded through donations. If the SCF has saved your organization time, money, or compliance headaches, please consider donating.

Download The Full SCF — Free

1,400+ controls, 33 domains, 200+ framework mappings, maturity criteria, control weightings, risk catalog, threat catalog, and NIST OSCAL JSON — all in one download.

Licensed under Creative Commons Attribution 4.0. Volunteer-driven by the SCF Council. No registration required.