Secure Controls Framework

SCF Free Content

Unified Scoping Guide

A free, data-centric resource for defining the scope of sensitive data environments — helping organizations identify where sensitive data is stored, transmitted, and processed.

9 Scoping Zones

10 Data Types Covered

⬇ Download the USG · Explore Additional SCF Content

Overview

What Is the USG?

The Unified Scoping Guide (USG) is a free resource intended to help organizations define the scope of sensitive data wherever it is stored, transmitted, and/or processed. To simplify the concept, the guide refers to both sensitive and regulated data collectively as “sensitive data.”

This scoping guide categorizes system components according to several factors:

Whether sensitive data is being stored, processed, or transmitted

The functionality that the system component provides (e.g., access control, logging, antimalware, etc.)

The connectivity between the system and the sensitive data environment
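As an added illustration that is not part of the SCF or USG material, the following Python snippet applies those three factors to a constructed asset inventory and returns a scoping report. The category labels, the `SECURITY_FUNCTIONS` set, the `REVIEW` bucket for assets whose connectivity was never documented, and the sample assets are all assumptions made for this example; they are not the USG's nine zones, which are defined in the guide itself.

```python
"""Hypothetical asset-scoping helper (example code, not the USG's model).

Applies the three USG categorisation factors in priority order:
  1. does the component store, process or transmit sensitive data?
  2. does it provide a function (access control, logging, antimalware, ...)
     that affects the security of the sensitive data environment (SDE)?
  3. does it have connectivity to the SDE?
Category names are placeholders chosen for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Functions whose presence keeps a component in scope even when it never
# touches sensitive data itself (set assumed for this example).
SECURITY_FUNCTIONS = {"access_control", "logging", "antimalware", "patching"}
HANDLING_KINDS = {"stores", "processes", "transmits"}


@dataclass(frozen=True)
class Asset:
    name: str
    handles: frozenset = frozenset()     # subset of HANDLING_KINDS
    functions: frozenset = frozenset()   # services the component provides
    connected: Optional[bool] = None     # network path to the SDE; None = undocumented


def categorize(asset: Asset) -> str:
    """Return a placeholder category for one asset, applying the factors in order."""
    unknown = asset.handles - HANDLING_KINDS
    if unknown:
        raise ValueError(f"{asset.name}: unknown handling values {sorted(unknown)}")
    if asset.handles:
        return "SENSITIVE_DATA"        # factor 1: part of the SDE itself
    if asset.functions & SECURITY_FUNCTIONS:
        return "SECURITY_IMPACTING"    # factor 2: provides a security function to the SDE
    if asset.connected is None:
        return "REVIEW"                # connectivity undocumented: cannot be scoped out yet
    if asset.connected:
        return "CONNECTED"             # factor 3: has a network path into the SDE
    return "OUT_OF_SCOPE"              # no data, no security function, no connectivity


def build_scope(inventory: List[Asset]) -> Dict[str, List[str]]:
    """Group asset names by category, sorted for stable reporting."""
    report: Dict[str, List[str]] = {}
    for asset in inventory:
        report.setdefault(categorize(asset), []).append(asset.name)
    return {cat: sorted(names) for cat, names in report.items()}


def in_scope(report: Dict[str, List[str]]) -> List[str]:
    """Everything not explicitly out of scope is treated as in scope until proven otherwise."""
    return sorted(n for cat, names in report.items() if cat != "OUT_OF_SCOPE" for n in names)


# Constructed sample inventory for demonstration only.
INVENTORY = [
    Asset("db-01", handles=frozenset({"stores"}), connected=True),
    Asset("api-01", handles=frozenset({"processes", "transmits"}), connected=True),
    Asset("siem-01", functions=frozenset({"logging"}), connected=True),
    Asset("idp-01", functions=frozenset({"access_control"}), connected=False),
    Asset("jump-01", connected=True),
    Asset("wiki-01", functions=frozenset({"docs"}), connected=False),
    Asset("printer-07"),  # nobody recorded its connectivity: lands in REVIEW
]

if __name__ == "__main__":
    scope = build_scope(INVENTORY)
    for category, names in scope.items():
        print(f"{category:18s} {', '.join(names)}")
    print("in scope:", ", ".join(in_scope(scope)))
```

The ordering matters: a component that handles sensitive data is in scope regardless of what else is true of it, and a security-function provider (here `idp-01`) stays in scope even with no direct connectivity, because it influences the security of the environment. Treating undocumented connectivity as a review item rather than as out of scope is the conservative default an assessor will expect.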

9 Zones for Sensitive Data Compliance

Data-Centric Security

Applicable Sensitive Data Types

The USG’s data-centric security approach applies to the following sensitive data types, that is, any data that requires protection due to regulatory, contractual, or organizational requirements:

CUI: Controlled Unclassified Information

PII: Personally Identifiable Information

CHD: Cardholder Data

ACPI: Attorney-Client Privilege Information

ITAR: Export-Controlled Data (ITAR / EAR)

FCI: Federal Contract Information

PHI: Protected Health Information

IP: Intellectual Property

FERPA: Student Educational Records

CII: Critical Infrastructure Information

Scope & Limitations

What the Guide Covers

What the USG Does Address

✓ Assists in determining which system components fall in and out of scope

✓ Facilitates constructive communication between your organization and an assessor/regulator by providing a reasonable methodology to describe your technology infrastructure

✓ Provides a means to categorize different types of assets, each with a different risk profile

✓ Provides a starting point to potentially reduce the scope of sensitive data by re-architecting technologies to isolate and control access

What the USG Does Not Address

✕ Does not define which statutory, regulatory, and/or contractual controls are required for each category

✕ Since every organization is different, it is up to each organization and its assessor to determine the nature, extent, and effectiveness of each control

✕ For defining control applicability, see the Integrated Controls Management (ICM) model

Key Capabilities

How the USG Helps Your Organization

Determine In-Scope vs Out-of-Scope Components

The USG provides clear criteria for identifying which system components are within the boundary of your sensitive data environment and which fall outside of it.

Facilitate Communication with Assessors

Provides a common, reasonable methodology for describing your technology infrastructure and sensitive data environment to assessors and regulators.

Categorize Assets by Risk Profile

Offers a structured approach to categorize different types of assets, where each type has a different risk profile associated with it.

Reduce Scope Through Re-Architecture

Provides a starting point for potentially reducing your sensitive data scope by re-architecting technologies to isolate and control access to the sensitive data environment.

Zone-Based Compliance Model

Uses a nine-zone model for sensitive data compliance purposes, helping organizations visualize and manage the boundaries and connections within their data environment.

Get Started

Download the USG Today

The USG is a free resource available as part of the SCF download. No registration required.

Licensed under Creative Commons. Volunteer-driven by the SCF Council. No registration required.