
SCF 2022.3

@securecontrolsframework securecontrolsframework released this 13 Dec 23:02

Version 2022.3 is a minor update: it adds some new content and makes minor refinements to the risk catalog to standardize wording and improve readability. This version also introduces an Evidence Request List (ERL) to help standardize the naming of evidence artifacts.

Terminology Wordsmithing:
- security and privacy controls > cybersecurity and privacy controls
- security program > cybersecurity program
- sensitive data > sensitive/regulated data

Added Mapping:
- Australian Government Information Security Manual (ISM) September 2022
- BSI Standard 200-1
- California Privacy Rights Act (CPRA) - November 2022 version
- Cybersecurity Capability Maturity Model (C2M2) v2.1
- Illinois Biometric Information Privacy Act (PIPA)
- Illinois Identity Protection Act (IPA)
- ISO 27017:2015
- ISO 27001:2022
- Japan Information System Security Management and Assessment Program (ISMAP)
- New Zealand NZISM 3.6
- Shared Assessments SIG 2023
- US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0

Updated Mapping:
- IRS Publication 1075

Removed Mapping:
- Australian Government Information Security Manual (ISM) November 2020
- California Consumer Privacy Act (CCPA)
- APAC - New Zealand NZISM 3.4

Added Controls:
- GOV-15 - Operationalizing Cybersecurity & Privacy Practices
- GOV-15.1 - Select Controls
- GOV-15.2 - Implement Controls
- GOV-15.3 - Assess Controls
- GOV-15.4 - Authorize Systems, Applications & Services
- GOV-15.5 - Monitor Controls
- BCD-15 - Reserve Hardware
- CLD-01.1 - Cloud Infrastructure Onboarding
- CLD-01.2 - Cloud Infrastructure Offboarding
- CFG-08 - Sensitive / Regulated Data Access Enforcement
- CFG-08.1 - Sensitive / Regulated Data Actions
- MON-16.4 - Account Creation and Modification Logging
- CRY-09.7 - External System Cryptographic Key Control
- CRY-11 - Certificate Authorities
- DCH-01.3 - Sensitive / Regulated Media Records
- IAC-10.12 - Biometric Authentication
- IAC-16.2 - Privileged Account Separation
- IRO-04.3 - Continuous Incident Response Improvements
- IAO-05.1 - Plan of Action & Milestones (POA&M) Automation
- MNT-05.7 - Separation of Maintenance Sessions
- NET-09.2 - Unique System-Generated Session Identifiers
- NET-18.3 - Route Privileged Network Access
- PRI-02.7 - Real-Time or Layered Notice
- PRI-03.7 - Active Participation By Data Subjects
- PRI-03.8 - Global Privacy Control (GPC)
- PRI-04.5 - Validate Collected Personal Data
- PRI-04.6 - Re-Validate Collected Personal Data
- PRI-17 - Data Subject Communications
- PRI-17.1 - Conspicuous Link To Privacy Notice
- PRI-17.2 - Notice of Financial Incentive
- TDA-02.7 - Security & Privacy Representatives For Product Changes
- TDA-09.7 - Manual Code Review
- TDA-14.2 - Hardware Integrity Verification

Renamed:
- BCD-09.3 - Alternate Site Priority of Service
- BCD-10.1 - Telecommunications Priority of Service Provisions
- CHG-02.3 - Security & Privacy Representative for Asset Lifecycle Changes
- CLD-03 - Cloud Infrastructure Security Subnet
- IAO-03.2 - Adequate Security for Sensitive / Regulated Data In Support of Contracts
- NET-03.1 - Limit Network Connections
- PRI-03.3 - Prohibition Of Selling or Sharing Personal Data (PD)
- PRI-03.6 - Authorized Agent
- VPM-01.1 - Attack Surface Scope

Wordsmithed Controls:
- CHG-02.3
- CLD-12
- NET-03.1
- PRI-01.5
- PRI-03.3
- RSK-08
- RSK-10
- VPM-01.1

Updated Existing Mappings:

- CIS v8
  - IRO-02
  - IRO-04
  - IRO-07
  - IRO-09
  - IRO-10

- FTC Act Part 314
  - GOV-01

- ISO 27002:2013
  - GOV-01
  - GOV-01.1
  - GOV-02
  - GOV-09
  - DCH-01
  - HRS-03
  - HRS-04
  - HRS-05
  - HRS-05.1
  - HRS-05.4
  - HRS-07
  - IAC-01
  - MDM-01
  - RSK-01

- NIST SP 800-53 R4
  - MON-03
  - MON-14
  - DCH-13.2
  - DCH-23
  - IAC-06.4
  - NET-17
  - PRI-02.3
  - PRI-02.4
  - PRI-03.1
  - PRI-06.4
  - OPS-03

- NIST SP 800-53 R5
  - MON-14
  - DCH-13.2
  - IAC-06.4
  - NET-17