The SCF maps to 261+ unique laws, regulations, and frameworks across five geographic categories — General, US, EMEA, APAC, and Americas. When you implement SCF controls, you satisfy requirements across all mapped LRF simultaneously through Set Theory Relationship Mapping (STRM).
The SCF Authoritative Sources tab in the downloadable spreadsheet contains every mapped LRF. Each SCF control includes columns showing which specific LRF requirements that control satisfies.
This cross-mapping is powered by Set Theory Relationship Mapping (STRM) per NIST IR 8477 — a mathematically rigorous methodology for demonstrating how a control parent (SCF control) satisfies child requirements across multiple frameworks.
The practical result: if your organization needs to comply with GDPR, HIPAA, and NIST CSF 2.0 simultaneously, you implement a single tailored set of SCF controls rather than three separate compliance programs. Each control tells you exactly which requirements from each framework it addresses.
LRF categories in the SCF Authoritative Sources tab:
General: Universal, not country/geo-specific — ISO, NIST, PCI DSS, CIS, OWASP, CSA, COBIT, and others.
US: Federal laws, NIST special publications, DoD regulations, state laws, and sector-specific requirements.
EMEA: GDPR, NIS2, DORA, national data protection laws across EU member states, Middle East, and Africa.
APAC: Data protection and cybersecurity regulations across Australia, Japan, India, Singapore, and broader APAC region.
Americas: Canadian, Brazilian, and other North/Central/South American privacy and cybersecurity regulations.
Search and filter all 220+ included laws, regulations, and frameworks by geographic region. These are listed on the Authoritative Sources tab of the downloadable SCF spreadsheet.
Practical Application
Understanding which LRF are mapped to the SCF allows you to use the framework as a single source of truth for your compliance program. Here’s how practitioners apply LRF coverage in real-world programs.
01. Identify Your MCR — Determine which laws, regulations and frameworks apply to your organization. Each applicable LRF represents a Minimum Compliance Requirement (MCR) that must be satisfied.
02. Filter Controls by LRF — Use the SCF spreadsheet to filter controls by your applicable LRF. Every control mapped to that framework represents a requirement you need to address in your program.
03. Satisfy Multiple LRF Simultaneously — Because multiple LRF map to the same SCF controls, implementing a single control can satisfy requirements across several frameworks at once, dramatically reducing compliance effort.
The SCF is a volunteer-maintained, open-source project. If a framework you need isn’t currently mapped, you can contribute to the project or contact the SCF team to request coverage. New LRF mappings are added with each quarterly release.
What To Explore Next
The LRF coverage is just one part of what makes the SCF the most comprehensive free cybersecurity metaframework. Explore these related areas to get the full picture.
Set Theory Relationship Mapping (STRM) — Understand how the SCF uses NIST IR 8477 to create authoritative, mathematically sound crosswalk mappings between frameworks.
SCF Domains & Principles — Explore the 33 control domains that organize the 1,400+ SCF controls and see how they align with the frameworks you care about.
SCRMS Implementation — Learn how to implement a Security, Compliance & Resilience Management System using the SCF as your foundational control framework.
Download the SCF — Get the complete SCF spreadsheet with all 1,400+ controls and every LRF mapping. Free. No registration required.
Download the SCF and use the Authoritative Sources tab to filter controls by any of the 261+ mapped LRF. One download. Every framework. No cost.