
Set Theory Relationship Mapping (STRM)

Starting with release 2024.1, the SCF leverages NIST IR 8477 Set Theory Relationship Mapping for crosswalk mapping — the US Government's gold standard for evaluating cybersecurity and data privacy laws, regulations and frameworks.

At a glance: 5 relationship types · 262+ LRF mapped · NIST IR 8477 (the gold standard) · EDC (Expert-Derived Content)
NIST IR 8477

The Gold Standard for Crosswalk Mapping

NIST IR 8477 provides the definitive practice for crosswalk mapping with no technology needed — it can be performed with a pencil and piece of paper.

Children learn the process of diagramming sentences in grade school (e.g., the Reed–Kellogg model) with pencil and paper. This same process of graphically identifying the relationships between elements forms the basis of STRM. What NIST IR 8477 does is formalize this with Set Theory mathematics to produce rigorous, defensible, and IP-protected crosswalk mappings.

STRM is part of NIST’s broader NIST OLIR Program — an effort to facilitate Subject Matter Experts in defining standardized Online Informative References between elements of their creation and NIST publications.

[Diagram: per NIST IR 8477, an SCF Control and an LRF Requirement joined by a STRM Relationship (Set Theory Relationship Mapping)]
STRM Methodology

The 5 STRM Relationship Types

Every crosswalk mapping in the SCF uses exactly one of these five mathematically-defined relationship types, ensuring precision and consistency across all 262+ mapped LRF.

Subset Of

The LRF requirement is fully contained within the SCF control. The SCF control is broader in scope and coverage.

Intersects With

The LRF requirement and SCF control share partial overlap. Neither is fully contained within the other.

Equal To

The LRF requirement and SCF control are semantically equivalent — they address the same concept at the same scope.

Superset Of

The SCF control is contained within the LRF requirement. The LRF requirement is broader in scope and coverage.

No Relationship

The LRF requirement and SCF control have no meaningful semantic overlap. No mapping is established.

Relationship Strength (1–10): Each mapping also receives a numeric strength rating. A rating of 1 indicates a nominal relationship, 5 indicates moderately strong, and 10 indicates the strongest relationship — typically reserved for “Equal To” or where the LRF requirement is a “Subset Of” the SCF control.
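The five types above are the possible set relations between what an LRF requirement covers and what an SCF control covers. The following Python is an added illustration, not code from the SCF or from NIST IR 8477: it models each text as a set of concept tags that an SME has assigned (a modelling assumption of this example; the tag names are constructed), reads the relationship type off the set comparison in the direction the page defines, and checks a strength rating against the rules stated above. Turning "typically reserved for Equal To or Subset Of" into a hard check on a rating of 10 is this example's own choice.

```python
from __future__ import annotations

from enum import Enum


class Relationship(Enum):
    """The five STRM relationship types, named as on the page."""
    SUBSET_OF = "Subset Of"
    INTERSECTS_WITH = "Intersects With"
    EQUAL_TO = "Equal To"
    SUPERSET_OF = "Superset Of"
    NO_RELATIONSHIP = "No Relationship"


def classify(lrf_requirement: set[str], scf_control: set[str]) -> Relationship:
    """Derive the relationship type from two sets of concept tags.

    Assumption of this example: an SME has reduced each text to the set of
    concepts it covers, so the relationship is read directly off Python's set
    comparisons. Direction follows the page: "Subset Of" means the LRF
    requirement is contained within the SCF control, "Superset Of" the reverse.
    """
    if not lrf_requirement or not scf_control:
        # An empty tag set covers nothing, so there is nothing to relate.
        return Relationship.NO_RELATIONSHIP
    if lrf_requirement == scf_control:
        return Relationship.EQUAL_TO
    if lrf_requirement < scf_control:        # proper subset: control is broader
        return Relationship.SUBSET_OF
    if lrf_requirement > scf_control:        # proper superset: requirement is broader
        return Relationship.SUPERSET_OF
    if lrf_requirement & scf_control:        # overlap, but neither contains the other
        return Relationship.INTERSECTS_WITH
    return Relationship.NO_RELATIONSHIP


def strength_issues(relationship: Relationship, strength: int | None) -> list[str]:
    """Check a strength rating against the page's rules; empty list means acceptable.

    "No Relationship" establishes no mapping, so it carries no strength; otherwise the
    rating is an integer 1-10, and (this example's hard rule) 10 is only accepted for
    Equal To or Subset Of.
    """
    issues: list[str] = []
    if relationship is Relationship.NO_RELATIONSHIP:
        if strength is not None:
            issues.append("No Relationship establishes no mapping, so it carries no strength")
        return issues
    if isinstance(strength, bool) or not isinstance(strength, int) or not 1 <= strength <= 10:
        issues.append(f"strength must be an integer from 1 to 10, got {strength!r}")
        return issues
    if strength == 10 and relationship not in (Relationship.EQUAL_TO, Relationship.SUBSET_OF):
        issues.append(f"strength 10 is reserved for Equal To or Subset Of, not {relationship.value}")
    return issues


# Constructed sample tag sets (illustrative only, not SCF or LRF content).
LRF_MFA_REMOTE = {"mfa", "remote-access"}
SCF_MFA_BROAD = {"mfa", "remote-access", "privileged-access"}
LRF_LOGGING = {"audit-logging", "log-retention"}
SCF_LOG_REVIEW = {"audit-logging", "log-review"}
SCF_ENCRYPTION = {"encryption-at-rest"}

if __name__ == "__main__":
    pairs = [(LRF_MFA_REMOTE, SCF_MFA_BROAD), (LRF_LOGGING, SCF_LOG_REVIEW),
             (LRF_LOGGING, SCF_ENCRYPTION), (SCF_MFA_BROAD, LRF_MFA_REMOTE)]
    for lrf, scf in pairs:
        print(sorted(lrf), "vs", sorted(scf), "->", classify(lrf, scf).value)
    print(strength_issues(Relationship.INTERSECTS_WITH, 10))
```

Running the script prints Subset Of, Intersects With, No Relationship and Superset Of for the four constructed pairs, and flags the rating of 10 on an "Intersects With" mapping. The point of the ordering in `classify` is that equality must be tested before the strict subset and superset tests, since Python's `<` and `>` on sets are proper-inclusion tests and would otherwise miss the "Equal To" case.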

Methodology Advantage

Expert-Derived Content (EDC) vs. NLP

The SCF exclusively uses human subject-matter experts to perform STRM crosswalk mapping — a deliberate choice with significant IP, legal and quality implications.

SCF: Expert-Derived Content (EDC)

The SCF leverages human SMEs to perform STRM mapping. This produces content that is:

  • Copyright-protected as original work by human creators
  • Patent-eligible under the “mental steps” doctrine
  • Defensible through documented expert judgment
  • Consistent with NIST IR 8477 gold standard practices

Other Vendors: Natural Language Processing (NLP)

AI/NLP-based crosswalk solutions face significant IP limitations:

  • AI-generated content is not copyright-protectable (no human creator)
  • Potentially free to copy under current US copyright rulings
  • Patent claims may be invalid under the 2014 Supreme Court “mental steps” doctrine
  • Quality depends on training data rather than professional expertise

Why it matters: The SCF’s EDC approach means its crosswalk mappings are both higher-quality and legally protected intellectual property — the same way that NIST IR 8477 itself was designed to work.

SCF Implementation

How the SCF Utilizes STRM

The SCF applies STRM to every one of its 262+ mapped laws, regulations and frameworks. Each mapping documents the precise set-theoretic relationship between every LRF requirement and the corresponding SCF control.

Focal Document Element (FDE)

Each LRF requirement is defined as a Focal Document Element with a unique identifier. Without a unique FDE value, no granular mapping is possible — there is nothing to map to.

SCF Control Mapping

Each FDE is mapped to the most appropriate SCF control with a documented relationship type (Subset Of, Intersects With, Equal To, Superset Of, or No Relationship) and a strength score of 1–10.

Multi-Framework Compliance

Because all LRF are mapped to common SCF controls using STRM, a single SCF control can simultaneously satisfy requirements across dozens of laws, regulations and frameworks — enabling true multi-framework compliance efficiency.

Community Involvement

How To Submit a Community STRM Mapping

The SCF welcomes community involvement. The SCF Council provides a downloadable Community STRM Template that practitioners can use to perform their own crosswalk mapping and submit for possible inclusion in a future SCF release.

01

Define the Focal Document

Open the STRM template’s “STRM Overview” tab and complete the two highlighted cells identifying:

  • The Focal Document (FD) — the law, regulation or framework you are mapping
  • The Reference Document (RD) — the SCF (the document being mapped to)

Prerequisites: familiarity with NIST IR 8477 and professional competence to conduct crosswalk mapping.

02

Perform the STRM Mapping

Complete the “Community STRM submission” tab using these columns:

  • Column A – FDE number (mandatory unique identifier)
  • Column B – FDE name (if available)
  • Column C – FDE description (exact text of the requirement)
  • Column D – Proposed SCF control name
  • Column E – SCF control number
  • Column F – SCF control description
  • Column G – STRM relationship type (1 of 5 options)
  • Column H – Relationship strength (1–10 rating)
  • Column I – Optional notes / justification

03

Submit to the SCF Council

Once your STRM exercise is complete, email the completed Excel spreadsheet to the SCF Council for review:

support@securecontrolsframework.com

Submissions are evaluated by the SCF Council and may be included in a future SCF release. The SCF Council will contact you if there are questions about your submission.
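As an added example, not the SCF Council's own tooling, the following Python validates rows shaped like the submission tab's columns A through I and then builds the inverse index behind the multi-framework compliance point in the SCF Implementation section: which SCF controls satisfy requirements from more than one focal document. The dictionary key names, and the extra `focal_document` key copied from the STRM Overview tab, are this example's assumptions; the sample rows use placeholder identifiers, not real SCF control numbers or LRF requirements.

```python
from __future__ import annotations

from collections import defaultdict

# Columns of the "Community STRM submission" tab, as on the page; key names are this example's.
COLUMNS = {
    "A": "fde_number", "B": "fde_name", "C": "fde_description",
    "D": "scf_control_name", "E": "scf_control", "F": "scf_control_description",
    "G": "relationship", "H": "strength", "I": "notes",
}
RELATIONSHIP_TYPES = {"Subset Of", "Intersects With", "Equal To", "Superset Of", "No Relationship"}


def validate_row(row: dict) -> list[str]:
    """Return the problems with one submission row (empty list when it is acceptable).

    Rules from the page: the FDE number is mandatory, the relationship is one of five
    types, strength is a 1-10 rating, and "No Relationship" establishes no mapping.
    """
    problems: list[str] = []
    if not row.get("fde_number"):
        problems.append("column A (FDE number) is mandatory")
    rel = row.get("relationship")
    if rel not in RELATIONSHIP_TYPES:
        problems.append(f"column G must be one of the five STRM types, got {rel!r}")
        return problems
    strength = row.get("strength")
    if rel == "No Relationship":
        if row.get("scf_control") or strength is not None:
            problems.append("No Relationship establishes no mapping: leave columns E and H empty")
    else:
        if not row.get("scf_control"):
            problems.append("column E (SCF control number) is required when a relationship exists")
        if isinstance(strength, bool) or not isinstance(strength, int) or not 1 <= strength <= 10:
            problems.append(f"column H (strength) must be an integer 1-10, got {strength!r}")
    return problems


def validate_submission(rows: list[dict]) -> dict[str, list[str]]:
    """Validate every row and flag duplicate FDE numbers, which defeat granular mapping."""
    report: dict[str, list[str]] = {}
    seen: dict[str, int] = defaultdict(int)
    for i, row in enumerate(rows):
        key = row.get("fde_number") or f"<row {i + 1}>"
        seen[key] += 1
        problems = validate_row(row)
        if problems:
            report.setdefault(key, []).extend(problems)
    for key, count in seen.items():
        if count > 1 and not key.startswith("<row"):
            report.setdefault(key, []).append(f"FDE number used {count} times; it must be unique")
    return report


def coverage_index(rows: list[dict]) -> dict[str, dict[str, list[str]]]:
    """SCF control number -> {focal document -> [FDE numbers it satisfies]}.

    "No Relationship" rows contribute nothing, since no mapping is established.
    """
    index: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for row in rows:
        if row.get("relationship") == "No Relationship" or not row.get("scf_control"):
            continue
        index[row["scf_control"]][row["focal_document"]].append(row["fde_number"])
    return {ctrl: dict(fds) for ctrl, fds in index.items()}


def multi_framework_controls(rows: list[dict], minimum: int = 2) -> list[str]:
    """Controls that satisfy requirements from at least `minimum` focal documents."""
    return sorted(ctrl for ctrl, fds in coverage_index(rows).items() if len(fds) >= minimum)


# Constructed submission rows with placeholder identifiers (not real SCF or LRF content).
SAMPLE_ROWS = [
    {"focal_document": "Framework-A", "fde_number": "A-1.1", "scf_control": "SCF-X1",
     "relationship": "Subset Of", "strength": 10},
    {"focal_document": "Framework-A", "fde_number": "A-1.2", "scf_control": "SCF-X2",
     "relationship": "Intersects With", "strength": 5},
    {"focal_document": "Framework-B", "fde_number": "B-4", "scf_control": "SCF-X1",
     "relationship": "Equal To", "strength": 10},
    {"focal_document": "Framework-B", "fde_number": "B-5", "scf_control": "",
     "relationship": "No Relationship", "strength": None},
    # Two defects on purpose: a duplicate FDE number and an out-of-range strength.
    {"focal_document": "Framework-B", "fde_number": "B-4", "scf_control": "SCF-X3",
     "relationship": "Superset Of", "strength": 11},
]

if __name__ == "__main__":
    for fde, problems in validate_submission(SAMPLE_ROWS).items():
        print(fde, "->", "; ".join(problems))
    print("controls spanning 2+ focal documents:", multi_framework_controls(SAMPLE_ROWS))
```

On the sample rows the report names only `B-4`, once for the strength of 11 and once for being used twice, and `SCF-X1` is the one control that satisfies a requirement in both constructed focal documents. Rows for a real submission would be read from the spreadsheet's columns into the same dictionary shape before being passed to `validate_submission`.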

Available STRMs

Published STRM Mappings

Excel versions of the STRM mappings are available for purchase at the SCF Store. The following STRM mappings are currently published:

General
  • CIS Critical Security Controls (CSC) v8.1
  • GovRAMP
  • IEC TR 60601-4-5:2021 – Medical Electrical Equipment
  • IMO Guidelines on Maritime Cyber Risk Management
  • ISO/IEC 27001:2022 – ISMS Requirements
  • ISO/IEC 27002:2022 – Information Security Controls
  • NIST CSF v2.0
  • NIST SP 800-53 R5
  • NIST SP 800-171 R2
  • NIST SP 800-171 R3
  • NIST SP 800-172
  • PCI DSS v4.0
  • SWIFT Customer Security Controls Framework
  • UL 2900-2-1 – Software Cybersecurity for Healthcare

US
  • CMMC v2.0 Level 1
  • CMMC v2.0 Level 2
  • CMMC v2.0 Level 3
  • CJIS Security Policy
  • CISA CPG Cross-Sector Performance Goals
  • DHS/CISA TIC 3.0 Security Capabilities Catalog
  • Executive Order 14028 (EO 14028)
  • Farm Credit Administration (FCA) Cyber Risk Management
  • Fair Information Practice Principles (FIPPs)
  • GLBA CFR 314 (Dec 2023)
  • HHS § 155.260 – Privacy and Security of PII
  • HIPAA Administrative Simplification (2013)
  • HIPAA Security Rule
  • IRS Publication 1075
  • NERC CIP 2024
  • NIST SP 800-66 R2 – Implementing HIPAA Security
  • NISPOM
  • NNPI – Naval Nuclear Propulsion Information
  • NY DFS 23 NYCRR 500
  • FedRAMP R4 / R5
  • SEC Cybersecurity Rule (17 CFR)
  • TX-RAMP Level 1 & Level 2
  • TX SB 2610

EMEA
  • EU AI Act (2024/1689)
  • EU DORA (2023)
  • EU GDPR
  • ENISA NIS2
  • Germany BSI C5:2020
  • Germany BAIT
  • Saudi Arabia ECC–1:2018
  • Saudi Arabia SAMA CSF
  • South Africa POPIA
  • UK Cyber Assessment Framework (CAF) v4.0
  • UK Cyber Essentials
  • UAE NIAF

APAC
  • Australia Essential Eight
  • Australian Government ISM (June 2024)
  • Australia CPS 234 Information Security
  • China Cybersecurity Law (2017)
  • China PIPL
  • India DPDP Act 2023
  • New Zealand NZISM v3.6
  • Singapore MAS TRM Guidelines (2021)

Americas
  • Brazil LGPD
  • Canada OSFI B-13
  • Canada ITSP.10.171
  • Canada PIPEDA

Purchase STRM Excel Bundles

Excel versions of all STRM mappings are available in the SCF Store. STRM downloads are available for 30 days from date of purchase.

Visit SCF Store — $20

Additional SCF Content

Explore Further

Included LRF

Browse all 262+ laws, regulations and frameworks mapped in the SCF across 5 global regions.

NIST OLIR Participation

The SCF is a recognized NIST OLIR Program participant with accepted OLIRs for NIST CSF v1.1 and SP 800-171 R2.

SCF Domains

Explore the 33 control domains that form the Common Controls Framework at the heart of the SCF.

Download the SCF

Get the free SCF spreadsheet with all controls, all LRF mappings, and all STRM relationships included.

Ready to Leverage STRM in Your GRC Program?

Download the free SCF and get immediate access to all 262+ STRM-powered crosswalk mappings — no licensing fees, no vendor lock-in.