{
  "family_code": "GOV",
  "family_name": "Cybersecurity & Data Protection Governance",
  "control_count": 38,
  "controls": [
    {
      "control_id": "GOV-01",
      "title": "Security, Compliance & Resilience Program (SCRP)",
      "family": "GOV",
      "description": "Mechanisms exist to facilitate the implementation of security, compliance and resilience governance controls.",
      "scf_question": "Does the organization facilitate the implementation of security, compliance and resilience governance controls?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-01",
        "E-GOV-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Basic procedures are established for important tasks, but are ad hoc and not formally documented.\n▪ The responsibility for developing and operating cybersecurity and data privacy procedures is left to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.\n▪ Governance documentation is made available to internal personnel (e.g., policies, standards, procedures, etc.).\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel ensure cybersecurity policies and standards are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, NIST 800-171, ISO 27002 or NIST Cybersecurity Framework).\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to implement and manage the organization's internal control system.\n▪ Legal representation is consulted on an as-needed basis.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to facilitate the implementation of security, compliance and resilience governance controls.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ NIST Cybersecurity Framework (CSF) 2.0 (https://www.nist.gov/cyberframework)",
        "small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ NIST Cybersecurity Framework (CSF) 2.0 (https://www.nist.gov/cyberframework)",
        "medium": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ GRC platform (e.g., OneTrust, ServiceNow GRC, LogicGate)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment",
        "large": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment",
        "enterprise": "∙ Steering committee\n∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Enterprise GRC platform (e.g., Cyturus, Archer, MetricStream, ServiceNow IRM)\n∙ Secure Controls Framework (SCF), NIST SP 800-53 Rev 5 and/or ISO 27001:2022 alignment"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF6"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.1-POF1",
          "CC1.2",
          "CC2.3-POF5"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.2",
          "4.1.3",
          "7.1",
          "8.1",
          "8.2",
          "8.3"
        ],
        "general-cobit-2019": [
          "EDM01.02",
          "APO01.09",
          "APO04.01",
          "APO13.01",
          "APO13.03"
        ],
        "general-coso-2013": [
          "2",
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-01",
          "GRC-05"
        ],
        "general-csa-iot-2": [
          "GVN-01",
          "GVN-02"
        ],
        "general-iec-62443-2-1-2024": [
          "ORG 1.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5",
          "3.5.3"
        ],
        "general-iso-27001-2022": [
          "4.4",
          "5.1",
          "5.1(a)",
          "5.1(b)",
          "5.1(c)",
          "5.1(d)",
          "5.1(e)",
          "5.1(f)",
          "5.1(g)",
          "5.1(h)",
          "6.1.1",
          "6.1.1(a)",
          "6.1.1(b)",
          "6.1.1(c)",
          "6.1.1(d)",
          "6.1.1(e)(1)",
          "6.1.1(e)(2)",
          "8.1",
          "10.1"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.4",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "5.1.1",
          "7.2.1",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.4",
          "5.37"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "6.1.3(c)",
          "7.5.1"
        ],
        "general-iso-31000-2018": [
          "5.1",
          "5.3"
        ],
        "general-iso-42001-2023": [
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.A",
          "4.B",
          "4.B(1)",
          "4.B(2)",
          "4.B(3)",
          "4.B(4)",
          "4.D(1)"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GOVERN 1.1",
          "GOVERN 1.2",
          "GV-1.2-002",
          "GV-1.4-001",
          "GV-1.4-002",
          "GOVERN 4.1"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID-P",
          "ID.BE-P",
          "GV-P",
          "GV.PO-P1",
          "GV.PO-P6",
          "CM-P",
          "CM.PO-P",
          "PR-P",
          "PR.PT-P"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "PM-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-01"
        ],
        "general-nist-800-66-r2": [
          "164.316(a)"
        ],
        "general-nist-800-82-r3": [
          "PM-01"
        ],
        "general-nist-800-82-r3-low": [
          "PM-01"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-01"
        ],
        "general-nist-800-82-r3-high": [
          "PM-01"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.RM-01",
          "GV.RM-03",
          "GV.RR-01",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-09",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "general-pci-dss-4-0-1": [
          "12.4",
          "A3.1.2"
        ],
        "general-scf-dpmp-2025": [
          "1.0"
        ],
        "general-sparta": [
          "CM0005"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "general-un-155-2021": [
          "7.2.2.2(a)"
        ],
        "general-un-ece-wp-29-2020": [
          "7.2.2.2(a)"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG1",
          "ADM:GG2.GP1",
          "ADM:GG3",
          "AM:GG1",
          "AM:GG2.GP1",
          "AM:GG3",
          "COMM:GG1",
          "COMM:GG2.GP1",
          "COMM:GG3",
          "COMP:GG2.GP1",
          "COMP:GG3",
          "CTRL:GG1",
          "CTRL:GG1.GP1",
          "CTRL:GG2",
          "CTRL:GG2.GP1",
          "CTRL:GG2.GP2",
          "CTRL:GG3",
          "EC:GG1",
          "EC:GG2.GP1",
          "EC:GG3",
          "EF:GG1",
          "EF:GG2.GP1",
          "EF:GG3",
          "EXD:GG1",
          "EXD:GG2.GP1",
          "EXD:GG3",
          "FRM:GG1",
          "FRM:GG2.GP1",
          "FRM:GG3",
          "HRM:GG1",
          "HRM:GG2.GP1",
          "HRM:GG3",
          "ID:GG1",
          "ID:GG2.GP1",
          "ID:GG3",
          "IMC:GG1",
          "IMC:GG2.GP1",
          "IMC:GG3",
          "KIM:GG1",
          "KIM:GG2.GP1",
          "KIM:GG3",
          "MA:GG1",
          "MA:GG2.GP1",
          "MA:GG3",
          "MON:GG1",
          "MON:GG2.GP1",
          "MON:GG3",
          "OPD:GG1",
          "OPD:GG2.GP1",
          "OPD:GG3",
          "OPF:GG1",
          "OPF:GG2.GP1",
          "OPF:GG3",
          "OTA:GG1",
          "OTA:GG2.GP1",
          "OTA:GG3",
          "PM:GG1",
          "PM:GG2.GP1",
          "PM:GG3",
          "RISK:GG1",
          "RISK:GG2.GP1",
          "RISK:GG3",
          "RRD:GG1",
          "RRD:GG2.GP1",
          "RRD:GG3",
          "RRM:GG1",
          "RRM:GG2.GP1",
          "RRM:GG3",
          "RTSE:GG1",
          "RTSE:GG2.GP1",
          "RTSE:GG3",
          "SC:GG1",
          "SC:GG2.GP1",
          "SC:GG3",
          "TM:GG1",
          "TM:GG2",
          "TM:GG2.GP1",
          "TM:GG3",
          "VAR:GG1",
          "VAR:GG2.GP1",
          "VAR:GG3",
          "GG1",
          "GG1.GP1",
          "GG2",
          "GG2.GP1",
          "GG2.GP2",
          "GG3",
          "GG3.GP1"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.f"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "5.1",
          "5.1.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-1f",
          "PROGRAM-1g",
          "PROGRAM-2b",
          "PROGRAM-2i"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(F)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(d)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(2)(ii)",
          "248.201(e)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.3(a)",
          "314.3(b)(1)",
          "314.3(b)(2)",
          "314.3(b)(3)",
          "314.4(a)",
          "314.4(b)",
          "314.4(c)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(a)(2)",
          "164.306(a)(3)",
          "164.316(a)",
          "164.530(c)(1)",
          "164.530(i)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(a)(2)",
          "164.306(a)(3)",
          "164.316(a)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-1",
          "PM-1.a",
          "PM-1.a.1",
          "PM-1.a.2",
          "PM-1.a.3",
          "PM-1.a.4",
          "PM-1.b",
          "PM-1.c",
          "PM-1.d"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 1.1.4"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)"
        ],
        "usa-federal-law-sox-2002": [
          "404(a)(1)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(1)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(1)",
          "17.03(1)(a)",
          "17.03(1)(b)",
          "17.03(1)(c)",
          "17.03(1)(d)",
          "17.03(2)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(a)",
          "500.2(b)",
          "500.2(b)(1)",
          "500.2(b)(2)",
          "500.2(b)(3)",
          "500.2(b)(4)",
          "500.2(b)(5)",
          "500.2(b)(6)",
          "500.2(d)",
          "500.2(e)",
          "500.3(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)",
          "899-bb.2(c)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-01"
        ],
        "usa-state-tx-sb2610-2025": [
          "542.004(a)(1)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(a)(1)",
          "2447(a)(1)(A)",
          "2447(a)(1)(B)",
          "2447(a)(1)(C)",
          "2447(a)(1)(D)",
          "2447(b)",
          "2447(c)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.2"
        ],
        "emea-eu-dora-2023": [
          "Article 5.1",
          "Article 9.4",
          "Article 16.1(a)",
          "Article 16.1(b)",
          "Article 16.1(c)",
          "Article 16.1(d)",
          "Article 16.1(e)",
          "Article 16.1(f)",
          "Article 16.1(g)",
          "Article 16.1(h)",
          "Article 16.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(a)",
          "1.1.1(b)",
          "6.7.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-fdpa-2017": [
          "Sec 9",
          "Sec 9a",
          "Annex"
        ],
        "emea-deu-bsrit-2017": [
          "4.1"
        ],
        "emea-deu-c5-2020": [
          "OIS-01"
        ],
        "emea-grc-pirppd-1997": [
          "10"
        ],
        "emea-hun-isdfi-2011": [
          "7"
        ],
        "emea-irl-dpa-2003": [
          "2"
        ],
        "emea-isr-cmo-1-0": [
          "3.2",
          "4.25"
        ],
        "emea-isr-ppl-5741-1981": [
          "16",
          "17"
        ],
        "emea-ita-pdpc-2003": [
          "31",
          "33",
          "34",
          "35"
        ],
        "emea-nor-pda-2018": [
          "13",
          "14"
        ],
        "emea-pol-act-29-1997": [
          "1",
          "36"
        ],
        "emea-rus-federal-law-27-2006": [
          "7",
          "19"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-2"
        ],
        "emea-sau-ecc-1-2018": [
          "1-2-1",
          "1-3-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.1"
        ],
        "emea-zaf-popia-2013": [
          "19",
          "21"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 6.1",
          "Article 6.2",
          "Article 13.1",
          "Article 35.1"
        ],
        "emea-esp-decree-311-2022": [
          "13.1",
          "35.1",
          "5",
          "6.1",
          "6.2"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.1 [ORG.1]"
        ],
        "emea-che-fadp-2025": [
          "7"
        ],
        "emea-tur-lppd-2016": [
          "12"
        ],
        "emea-gbr-cap-1850-2020": [
          "A1"
        ],
        "apac-aus-privacy-act-1998": [
          "APP Part 1",
          "APP Part 11"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0888"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "18",
          "19"
        ],
        "apac-chn-csnip-2012": [
          "4"
        ],
        "apac-chn-pipl-2021": [
          "58",
          "58(1)",
          "58(2)",
          "58(3)",
          "58(4)"
        ],
        "apac-hkg-pdo-2022": [
          "Principle 4"
        ],
        "apac-ind-privacy-rules-2011": [
          "8"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.OC.S2",
          "PR.IP.S17"
        ],
        "apac-jpn-ppi-2020": [
          "20"
        ],
        "apac-jpn-ismap": [
          "4.4.1.1",
          "4.4.1.2",
          "4.4.2.1",
          "4.5.4.1",
          "4.5.4.2",
          "4.8.1.1",
          "4.8.2.2",
          "5.1",
          "5.1.1",
          "6.1"
        ],
        "apac-mys-pdpa-2010": [
          "9"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.14.C.01"
        ],
        "apac-phl-dpa-2012": [
          "25",
          "27",
          "28"
        ],
        "apac-sgp-pdpa-2012": [
          "12",
          "24"
        ],
        "apac-kor-pipa-2011": [
          "3",
          "29",
          "30"
        ],
        "apac-twn-pdpa-2025": [
          "27"
        ],
        "americas-bhs-dpa-2003": [
          "6"
        ],
        "americas-bmu-mba-coc-2020": [
          "4",
          "5.4"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.5",
          "6.6",
          "6.7",
          "6.23"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2",
          "1.3.1",
          "2.1.1",
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A"
        ],
        "americas-can-pipeda-2000": [
          "Principle 7"
        ],
        "americas-chl-act-19628-1999": [
          "7"
        ],
        "americas-col-law-1581-2012": [
          "4"
        ],
        "americas-mex-fdpa-2010": [
          "19"
        ]
      }
    },
    {
      "control_id": "GOV-01.1",
      "title": "Steering Committee & Program Oversight",
      "family": "GOV",
      "description": "Mechanisms exist to align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.",
      "scf_question": "Does the organization align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-03",
        "E-PRM-06"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to trends.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to align security, compliance and resilience capabilities with business requirements through a steering committee or advisory board, comprised of key cybersecurity, data protection and business executives, which meets formally and on a regular basis.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (subject matter experts)\n∙ Virtual CISO (vCISO) service\n∙ Fractional security advisor",
        "small": "∙ Third-party advisors (subject matter experts)\n∙ Virtual CISO (vCISO) service\n∙ Informal security advisory committee",
        "medium": "∙ Steering committee / advisory board\n∙ Quarterly security committee meetings with documented minutes\n∙ Cross-functional representation (IT, Legal, HR, Operations)",
        "large": "∙ Formal steering committee / advisory board\n∙ Documented charter with defined roles and meeting cadence\n∙ Board-level cybersecurity reporting",
        "enterprise": "∙ Formal steering committee / advisory board\n∙ Board-level Cybersecurity Committee or subcommittee\n∙ Chief Information Security Officer (CISO) with board-level access\n∙ Independent security advisor / external audit committee"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.2-POF1",
          "CC1.2-POF2",
          "CC1.2-POF3",
          "CC1.2-POF4",
          "CC1.3-POF1",
          "CC1.3-POF3",
          "CC1.5-POF3",
          "CC1.5-POF4",
          "CC1.5-POF5",
          "CC2.2-POF4",
          "CC2.2-POF12",
          "CC2.3-POF3",
          "CC3.1-POF11",
          "CC3.4-POF3",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.1",
          "4.1.2",
          "4.3",
          "4.4",
          "7.4",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "APO14.01",
          "DSS06.01",
          "MEA01.04",
          "MEA03.02",
          "MEA04.03"
        ],
        "general-coso-2013": [
          "1",
          "2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-22301-2019": [
          "5.1",
          "5.1(a)",
          "5.1(b)",
          "5.1(c)",
          "5.1(d)",
          "5.1(e)",
          "5.1(f)",
          "5.1(g)",
          "5.1(h)",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(c)(1)",
          "9.3.2(c)(2)",
          "9.3.2(c)(3)",
          "9.3.2(d)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.2(h)",
          "9.3.2(i)",
          "9.3.2(j)",
          "9.3.2(k)",
          "9.3.3.1",
          "9.3.3.1(a)",
          "9.3.3.1(b)",
          "9.3.3.1(c)",
          "9.3.3.1(d)",
          "9.3.3.2",
          "9.3.3.2(a)",
          "9.3.3.2(b)"
        ],
        "general-iso-27001-2022": [
          "4.4",
          "5.1",
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "9.3.1",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(d)(4)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.3",
          "10.1"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(e)",
          "9.3.3"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "9.2.2(c)",
          "9.3.1",
          "9.3.2",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(e)"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(1)",
          "4.E(2)",
          "4.E(2)(a)",
          "4.E(2)(b)",
          "4.E(3)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.3",
          "MAP 3.5",
          "MAP 5.2"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-004"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-01",
          "GV.RM-03",
          "GV.RR-01",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-02",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-01",
          "GV.SC-03",
          "GV.SC-09",
          "ID",
          "ID.RA",
          "PR",
          "PR.IR"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP10",
          "AM:GG2.GP10",
          "COMM:GG2.GP10",
          "COMP:GG2.GP10",
          "CTRL:GG2.GP10",
          "EC:GG2.GP10",
          "EF:SG3",
          "EF:SG4",
          "EF:SG4.SP1",
          "EF:SG4.SP2",
          "EF:GG1.GP1",
          "EF:GG2",
          "EF:GG2.GP2",
          "EF:GG2.GP10",
          "EXD:GG2.GP10",
          "FRM:GG2.GP10",
          "HRM:GG2.GP10",
          "ID:GG2.GP10",
          "IMC:GG2.GP10",
          "KIM:GG2.GP10",
          "MA:GG2.GP10",
          "MON:GG2.GP10",
          "OPD:GG2.GP10",
          "OPF:GG2.GP10",
          "OTA:GG2.GP10",
          "PM:GG2.GP10",
          "RISK:GG2.GP10",
          "RRD:GG2.GP10",
          "RRM:GG2.GP10",
          "RTSE:GG2.GP10",
          "SC:GG2.GP10",
          "TM:GG2.GP10",
          "VAR:GG2.GP10",
          "GG2.GP10"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.UNI.PEPAR"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1f",
          "PROGRAM-2a",
          "PROGRAM-2c",
          "PROGRAM-2d"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(1)",
          "609.930(b)(2)"
        ],
        "usa-federal-sro-finra": [
          "248.201(e)(1)",
          "248.201(e)(2)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)",
          "17 CFR 229.106(c)(2)(i)",
          "17 CFR 229.106(c)(2)(iii)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(1)",
          "500.4(b)(2)",
          "500.4(b)(3)",
          "500.4(b)(4)",
          "500.4(b)(5)",
          "500.4(b)(6)",
          "500.4(d)",
          "500.4(d)(1)",
          "500.4(d)(2)",
          "500.4(d)(3)",
          "500.4(d)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(2)",
          "3.2.1(3)",
          "3.2.1(4)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2",
          "Article 5.2(a)",
          "Article 5.2(b)",
          "Article 5.2(c)",
          "Article 5.2(d)",
          "Article 5.2(e)",
          "Article 5.2(f)",
          "Article 5.2(g)",
          "Article 5.2(h)",
          "Article 5.2(i)(i)",
          "Article 5.2(i)(ii)",
          "Article 5.2(i)(iii)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(k)"
        ],
        "emea-deu-bsrit-2017": [
          "1.1",
          "1.2",
          "1.2(a)",
          "1.2(b)",
          "1.2(c)",
          "1.2(d)",
          "1.2(e)",
          "1.2(f)",
          "2.1",
          "2.2",
          "2.3",
          "2.4",
          "2.5"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.1"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 27"
        ],
        "emea-esp-decree-311-2022": [
          "27",
          "5"
        ],
        "emea-gbr-caf-4-0": [
          "A1.a",
          "A1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1101",
          "1103",
          "1202"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0725"
        ],
        "apac-aus-ps-cps-230-2023": [
          "20",
          "21",
          "22(a)",
          "22(b)",
          "22(c)",
          "23",
          "24",
          "25"
        ],
        "apac-aus-ps-cps-234-2019": [
          "13",
          "19"
        ],
        "apac-ind-dpdpa-2023": [
          "8(6)",
          "18(2)",
          "23(1)",
          "26(a)",
          "26(b)",
          "26(c)",
          "27(1)(a)",
          "27(1)(b)",
          "27(1)(c)",
          "27(1)(d)",
          "27(1)(e)",
          "27(2)",
          "27(3)",
          "28(1)",
          "28(2)",
          "28(3)",
          "28(4)",
          "28(5)",
          "28(6)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S2",
          "GV.RR.S1",
          "GV.RR.S3",
          "GV.RR.S4"
        ],
        "apac-jpn-ismap": [
          "4.4.1.1",
          "4.4.1.3",
          "4.4.5.3",
          "4.5.3.1",
          "4.6.3.1",
          "4.6.3.2",
          "4.6.3.3"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP12",
          "HML12",
          "HML21"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP10",
          "HSUP19"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.9.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.1.1",
          "3.1.2",
          "3.1.3",
          "3.1.4",
          "3.1.5",
          "3.1.6",
          "3.1.7(a)",
          "3.1.7(b)",
          "3.1.7(c)",
          "3.1.7(d)",
          "3.1.7(e)",
          "3.1.7(f)",
          "3.1.7(g)",
          "3.1.8(a)",
          "3.1.8(b)",
          "3.1.8(c)",
          "3.1.8(d)",
          "3.1.8(e)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.1",
          "5.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.5",
          "6.6",
          "6.7",
          "6.21",
          "6.22",
          "6.23",
          "6.24"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2",
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-01.2",
      "title": "Status Reporting To Governing Body",
      "family": "GOV",
      "description": "Mechanisms exist to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-CPL-05",
        "E-CPL-09",
        "E-GOV-03",
        "E-GOV-04",
        "E-GOV-05",
        "E-GOV-06",
        "E-GOV-07",
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to trends.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to provide governance oversight reporting and recommendations to those entrusted to make executive decisions about matters considered material to the organization's Security, Compliance & Resilience Program (SCRP).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Quarterly Business Review (QBR)\n∙ Simple security status dashboard (spreadsheet or slide deck)\n∙ Email status updates to owner/manager",
        "small": "∙ Quarterly Business Review (QBR)\n∙ Structured security metrics report (incidents, patching status, training completion)\n∙ Documented reporting cadence",
        "medium": "∙ Quarterly Business Review (QBR)\n∙ Formal security status reports to leadership\n∙ KPI/KRI dashboard (e.g., Power BI, Tableau, or GRC tool reporting)",
        "large": "∙ Quarterly Business Review (QBR)\n∙ Executive security dashboard with KPIs/KRIs\n∙ Board-level reporting on material risk indicators\n∙ Automated reporting via GRC platform",
        "enterprise": "∙ Quarterly Business Review (QBR)\n∙ Board and audit committee cybersecurity briefings\n∙ Integrated GRC dashboard with real-time metrics\n∙ SEC cybersecurity disclosure-ready reporting processes (if applicable)"
      },
      "risks": [
        "R-AC-1",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF2",
          "CC2.3-POF3",
          "CC2.3-POF5",
          "CC3.1-POF10",
          "CC3.1-POF11",
          "CC4.2",
          "CC4.2-POF1",
          "CC4.2-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.3",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "BAI01.06"
        ],
        "general-coso-2013": [
          "2"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-27001-2022": [
          "7.4",
          "7.4(a)",
          "7.4(b)",
          "7.4(c)",
          "7.4(d)",
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)",
          "9.3.1",
          "9.3.2(a)",
          "9.3.2(b)",
          "9.3.2(c)",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)",
          "9.3.2(d)(4)",
          "9.3.2(e)",
          "9.3.2(f)",
          "9.3.2(g)",
          "9.3.3"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3(b)",
          "9.3.1"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "9.3.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 2.3",
          "MAP 3.5"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P6"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-csf-2-0": [
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID"
        ],
        "general-scf-dpmp-2025": [
          "11.5",
          "11.8"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-2g"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(e)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(i)",
          "314.4(i)(1)",
          "314.4(i)(2)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(iii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)(ii)",
          "17 CFR 229.106(c)(2)(iii)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4(b)",
          "5.260.4(c)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(c)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(13)(e)",
          "3.3.5(24)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2(i)",
          "Article 13.5"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.3",
          "2.1.1",
          "2.2.1",
          "2.2.2",
          "2.3.3",
          "13.2.2(c)"
        ],
        "emea-deu-bsrit-2017": [
          "3.9",
          "3.11",
          "4.10",
          "7.5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0718"
        ],
        "apac-aus-ps-cps-230-2023": [
          "30",
          "58(a)",
          "58(b)",
          "58(c)"
        ],
        "apac-ind-dpdpa-2023": [
          "10(2)(c)(ii)"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S1"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP46",
          "HHSP75",
          "HML12",
          "HML46",
          "HML75"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP10",
          "HSUP38",
          "HSUP65"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-01.3",
      "title": "Commitment To Continual Improvements",
      "family": "GOV",
      "description": "Mechanisms exist to commit appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP), including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies.",
      "scf_question": "Does the organization commit appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP), including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to observed trends.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ Appropriate resources needed for continual improvement of the organization's Security, Compliance & Resilience Program (SCRP), including:\n(1) Staffing;\n(2) Budget;\n(3) Processes; and\n(4) Technologies.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document budget/staffing commitments in a written plan",
        "small": "∙ Annual review of security budget and staffing needs\n∙ Written improvement roadmap",
        "medium": "∙ Formal SCRP improvement plan with defined budget\n∙ Annual steering committee review of progress",
        "large": "∙ Formal Security Program roadmap with dedicated budget\n∙ Quarterly steering committee reviews\n∙ KPIs and metrics tracking",
        "enterprise": "∙ Enterprise security program roadmap\n∙ Board-approved cybersecurity budget\n∙ Dedicated GRC team for continual improvement tracking\n∙ Metrics dashboard for program maturity"
      },
      "risks": [
        "R-AC-1",
        "R-EX-3",
        "R-EX-4",
        "R-GV-1",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.3-POF4"
        ],
        "general-bsi-200-1-1-0": [
          "4.4",
          "7.4",
          "7.5",
          "8.4"
        ],
        "general-cobit-2019": [
          "APO14.01"
        ],
        "general-coso-2013": [
          "2"
        ],
        "general-iso-21434-2021": [
          "RQ-05-08"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "9.3.3",
          "10.1"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-privacy-framework-1-0": [
          "PR.PO-P5"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG3.SP1",
          "EF:SG3.SP3",
          "EF:SG4.SP3"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(d)",
          "1.1.1(e)"
        ],
        "apac-jpn-ismap": [
          "4.6.1.1",
          "4.6.1.2",
          "4.6.3.3"
        ]
      }
    },
    {
      "control_id": "GOV-02",
      "title": "Publishing Security, Compliance & Resilience Documentation",
      "family": "GOV",
      "description": "Mechanisms exist to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
      "scf_question": "Does the organization establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-08",
        "E-GOV-09",
        "E-GOV-11"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Basic procedures are established for important tasks, but are ad hoc and not formally documented.\n▪ No formal cybersecurity and/or data protection principles are identified for the organization.\n▪ Informal recommendations are leveraged to update existing policies and standards.\n▪ The responsibility for developing and operating cybersecurity and data privacy procedures is up to the business process owner(s) to determine, including the definition and enforcement of roles and responsibilities.\n▪ Governance documentation is made available to internal personnel (e.g., policies, standards, procedures, etc.).\n▪ People affected by documentation changes are provided notification of the policy and standard changes.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel ensure cybersecurity policies and standards are aligned with a leading cybersecurity framework (e.g., SCF, NIST 800-53, NIST 800-171, ISO 27002 or NIST Cybersecurity Framework).\n▪ The organization's cybersecurity policies and standards are made available to internal personnel.\n▪ Documented procedures exist for requesting a deviation from approved standards.\n▪ The responsibility for enforcing cybersecurity and data protection control implementation is assigned to business / process owners and asset custodians.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish, maintain and disseminate policies, standards and procedures necessary for secure, compliant and resilient capabilities.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ Shared drive or intranet for policy distribution (e.g., Google Drive, SharePoint Online)",
        "small": "∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ SCFConnect (https://scfconnect.com)\n∙ Document management system (e.g., SharePoint, Confluence, Notion)",
        "medium": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ ComplianceForge - Cybersecurity & Data Protection Program (CDPP) (https://complianceforge.com)\n∙ Document management / intranet portal (e.g., SharePoint, Confluence)\n∙ Policy acknowledgement tracking (e.g., KnowBe4, Absorb LMS)",
        "large": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Policy management platform\n∙ Version-controlled policy repository with access controls\n∙ Automated policy attestation and acknowledgement tracking",
        "enterprise": "∙ ComplianceForge - Security, Compliance & Resilience Program (SCRP) (https://complianceforge.com)\n∙ Enterprise policy management platform\n∙ Integrated GRC policy module with automated review workflows\n∙ Enterprise-wide policy acknowledgement and training integration"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.0",
          "M1.2",
          "M1.2-POF8",
          "D6.1-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.4-POF1",
          "CC2.2-POF1",
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF1",
          "CC7.2-POF1",
          "P1.1-POF5"
        ],
        "general-bsi-200-1-1-0": [
          "7.3"
        ],
        "general-cobit-2019": [
          "APO01.09"
        ],
        "general-coso-2013": [
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-01",
          "AIS-01",
          "BCR-01",
          "CCC-01",
          "CEK-01",
          "DCS-01",
          "DSP-01",
          "GRC-01",
          "IAM-01",
          "IAM-02",
          "IPY-01",
          "I&S-01",
          "LOG-01",
          "SEF-01",
          "SEF-02",
          "STA-01",
          "TVM-01",
          "TVM-02",
          "TVM-04",
          "UEM-01"
        ],
        "general-csa-iot-2": [
          "GVN-01",
          "GVN-02",
          "POL-03"
        ],
        "general-govramp": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low-plus": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5.1",
          "3.5.3.8",
          "3.5.3.9"
        ],
        "general-iso-21434-2021": [
          "RQ-05-01",
          "RQ-05-01(a)",
          "RQ-05-01(b)",
          "RQ-05-02",
          "RQ-05-02(a)",
          "RQ-05-02(b)",
          "RQ-05-03",
          "RQ-05-04",
          "RQ-05-05",
          "RQ-05-05(a)",
          "RQ-05-05(b)"
        ],
        "general-iso-22301-2019": [
          "5.2.1",
          "5.2.1(a)",
          "5.2.1(b)",
          "5.2.1(c)",
          "5.2.1(d)",
          "5.2.2",
          "5.2.2(a)",
          "5.2.2(b)",
          "5.2.2(c)"
        ],
        "general-iso-27001-2022": [
          "5.1(a)",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "5.2(e)",
          "5.2(f)",
          "5.2(g)",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.2(a)",
          "7.5.2(b)",
          "7.5.2(c)",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)",
          "7.5.3(c)",
          "7.5.3(d)",
          "7.5.3(e)",
          "7.5.3(f)"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1.1",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.37"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "6.1.3(c)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3"
        ],
        "general-iso-31000-2018": [
          "5.4.5",
          "6.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "5.2",
          "5.2(a)",
          "5.2(b)",
          "5.2(c)",
          "5.2(d)",
          "7.5.1",
          "7.5.1(a)",
          "7.5.1(b)",
          "7.5.2",
          "7.5.3",
          "7.5.3(a)",
          "7.5.3(b)",
          "A.2",
          "A.2.2",
          "A.2.3"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.0",
          "GOVERN 1.2",
          "GOVERN 1.3",
          "GOVERN 1.4",
          "GOVERN 3.2",
          "GOVERN 4.1",
          "GOVERN 5.1",
          "GOVERN 6.0",
          "GOVERN 6.1",
          "MAP 3.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.5-002"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.DE-P1",
          "GV.PO-P",
          "GV.PO-P1",
          "GV.PO-P6",
          "GV.MT-P",
          "GV.MT-P4",
          "GV.MT-P5",
          "GV.MT-P6",
          "GV.MT-P7",
          "CT.PO-P",
          "CT.PO-P1",
          "CT.PO-P2",
          "CT.PO-P3",
          "CM.PO-P1",
          "PR.PO-P",
          "PR.PO-P4"
        ],
        "general-nist-800-37-r2": [
          "TASK P-5"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)",
          "164.308(a)(3)",
          "164.308(a)(4)",
          "164.308(a)(6)",
          "164.308(a)(7)",
          "164.310(a)",
          "164.310(b)",
          "164.310(d)",
          "164.312(a)",
          "164.312(c)",
          "164.316(a)",
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-161-r1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-1",
          "IR-1",
          "MA-1",
          "PS-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "PE-1",
          "PS-1",
          "RA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a"
        ],
        "general-nist-800-171a": [
          "3.4.9[a]",
          "3.9.2[a]"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.01.a[01]",
          "A.03.15.01.a[02]",
          "A.03.15.01.a[03]",
          "A.03.15.01.a[04]"
        ],
        "general-nist-csf-2-0": [
          "GV.PO",
          "GV.PO-01",
          "GV.SC-01",
          "GV.SC-03",
          "ID.RA"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "8.1.1",
          "8.3.8",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "3.7.1",
          "3.7.2",
          "3.7.3",
          "3.7.5",
          "3.7.6",
          "3.7.7",
          "3.7.8",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "8.3.8",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2",
          "12.1.3"
        ],
        "general-scf-dpmp-2025": [
          "11.2"
        ],
        "general-sparta": [
          "CM0088"
        ],
        "general-tisax-6-0-3": [
          "1.1.1",
          "1.5.1",
          "7.1.1",
          "9.1.1"
        ],
        "usa-federal-dhs-cisa-tic-3-0": [
          "3.PEP.WE.ACONT",
          "3.UNI.IDMRP",
          "3.UNI.PEPAR",
          "3.UNL.GPAUD"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5c",
          "THREAT-3c",
          "RISK-5c",
          "ACCESS-4c",
          "SITUATION-4c",
          "RESPONSE-5c",
          "THIRD-PARTIES-3c",
          "WORKFORCE-5c",
          "ARCHITECTURE-6c",
          "PROGRAM-3c"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "6.1.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(c)(5)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.10"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-sro-finra": [
          "248.30(a)(1)",
          "248.30(a)(2)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(c)",
          "314.4(c)(8)",
          "314.4(e)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(d)",
          "155.260(d)(1)",
          "155.260(d)(2)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(A)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)",
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)",
          "164.310(b)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)",
          "164.312(a)(1)",
          "164.312(c)(1)",
          "164.316(a)",
          "164.316(b)(1)(i)",
          "164.530(j)(1)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(1)(i)",
          "164.308(a)(3)(i)",
          "164.308(a)(4)(i)",
          "164.308(a)(4)(ii)(A)",
          "164.308(a)(6)(i)",
          "164.308(a)(7)(i)",
          "164.310(a)(1)",
          "164.310(a)(2)(ii)",
          "164.310(a)(2)(iv)",
          "164.310(b)",
          "164.310(d)(1)",
          "164.310(d)(2)(i)",
          "164.312(a)(1)",
          "164.312(c)(1)",
          "164.316(a)",
          "164.316(b)(1)(i)"
        ],
        "usa-federal-irs-1075-2021": [
          "2.C.2",
          "2.C.2-1",
          "2.C.2-2",
          "2.C.2-3",
          "2.C.2-4",
          "2.C.2-5",
          "2.C.2-6",
          "2.C.2-7",
          "2.C.2-8",
          "2.C.2-9",
          "2.C.2-10",
          "2.C.2-11",
          "2.C.2-12",
          "2.C.2-13",
          "2.C.2-14",
          "2.C.2-15",
          "2.C.2-16",
          "2.C.2-17",
          "2.C.2-18",
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1",
          "AC-1.a",
          "AT-1",
          "AT-1.a",
          "AT-1.c",
          "AT-1.d",
          "AU-1",
          "AU-1.a",
          "CA-1",
          "CA-1.a",
          "CA-1.c",
          "CM-1",
          "CM-1.a",
          "CP-1",
          "CP-1.a",
          "IA-1",
          "IA-1.a",
          "IR-1",
          "IR-1.a",
          "MA-1",
          "MA-1.a",
          "MP-1",
          "MP-1.a",
          "MP-1-IS.1",
          "PE-1",
          "PE-1.a",
          "PL-1",
          "PL-1.a",
          "PS-1",
          "PS-1.a",
          "RA-1",
          "SA-1",
          "SA-1.a",
          "SC-1",
          "SC-1.a",
          "SI-1",
          "SI-1.a",
          "PM-1"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(b)(1)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "13-2.b(2)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.B.1.d",
          "III.C.1",
          "III.C.1.a",
          "III.C.1.b",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(1)"
        ],
        "usa-state-il-ipa-2009": [
          "35(a)",
          "37(a)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(1)",
          "17.03(2)(c)",
          "17.04"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.6"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.2(b)(2)",
          "500.3",
          "500.3(a)",
          "500.3(b)",
          "500.3(c)",
          "500.3(d)",
          "500.3(e)",
          "500.3(f)",
          "500.3(g)",
          "500.3(h)",
          "500.3(i)",
          "500.3(j)",
          "500.3(k)",
          "500.3(l)",
          "500.3(m)",
          "500.3(n)",
          "500.3(o)",
          "500.5",
          "500.7(b)",
          "500.8(a)",
          "500.11(a)",
          "500.13(a)",
          "500.14(a)(1)",
          "500.15(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-01",
          "AC-18-SID",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(b)",
          "11.175(b)(1)",
          "11.175(b)(2)"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.1(28)",
          "3.4.1(29)",
          "3.4.5(38)"
        ],
        "emea-eu-dora-2023": [
          "Article 6.2",
          "Article 9.4(a)",
          "Article 9.4(d)",
          "Article 9.4(e)",
          "Article 9.4(f)"
        ],
        "emea-eu-gdpr-2016": [
          "Article 24.2"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(f)",
          "1.1.1(i)",
          "1.1.1(k)",
          "5.1.6",
          "7.1",
          "9.1",
          "11.1.1"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.2",
          "4.3",
          "4.8"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "OIS-02",
          "SP-01"
        ],
        "emea-isr-cmo-1-0": [
          "1.1",
          "4.1",
          "4.25",
          "5.2",
          "5.3",
          "9.1",
          "10.1",
          "11.2",
          "12.1",
          "13.1",
          "14.1",
          "15.1",
          "17.1",
          "18.1",
          "20.1",
          "21.1",
          "22.1",
          "24.1",
          "25.1"
        ],
        "emea-nga-dpr-2019": [
          "4.1(1)"
        ],
        "emea-qat-pdppl-2020": [
          "8.4"
        ],
        "emea-sau-cgiot-2024": [
          "1-2-1"
        ],
        "emea-sau-ecc-1-2018": [
          "1-3-1",
          "1-3-3"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1",
          "1-1-1"
        ],
        "emea-sau-sacs-002-2022": [
          "TPC-25"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 12.1",
          "Article 12.1(a)",
          "Article 12.1(b)",
          "Article 12.1(c)",
          "Article 12.1(d)",
          "Article 12.1(e)",
          "Article 12.1(f)",
          "Article 12.2",
          "Article 12.6",
          "Article 12.6(a)",
          "Article 12.6(b)",
          "Article 12.6(c)",
          "Article 12.6(d)",
          "Article 12.6(e)",
          "Article 12.6(f)",
          "Article 12.6(g)",
          "Article 12.6(h)",
          "Article 12.6(i)",
          "Article 12.6(j)",
          "Article 12.6(k)",
          "Article 12.6(l)",
          "Article 12.6(m)",
          "Article 12.6(n)",
          "Article 12.6(ñ)",
          "Article 12.7"
        ],
        "emea-esp-decree-311-2022": [
          "12.1",
          "12.1(a)",
          "12.1(b)",
          "12.1(c)",
          "12.1(d)",
          "12.1(e)",
          "12.1(f)",
          "12.2",
          "12.6",
          "12.6(a)",
          "12.6(b)",
          "12.6(c)",
          "12.6(d)",
          "12.6(e)",
          "12.6(f)",
          "12.6(g)",
          "12.6(h)",
          "12.6(i)",
          "12.6(j)",
          "12.6(k)",
          "12.6(l)",
          "12.6(m)",
          "12.6(n)",
          "12.6(ñ)",
          "12.7"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "6.1 [ORG.1]",
          "6.2 [ORG.2]"
        ],
        "emea-gbr-caf-4-0": [
          "A1",
          "B1",
          "B1.b"
        ],
        "emea-gbr-cap-1850-2020": [
          "A1",
          "A5"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1100",
          "2100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1100",
          "1101",
          "2100",
          "2101"
        ],
        "apac-aus-privacy-principles-2026": [
          "APP 1"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0047",
          "ISM-0888",
          "ISM-1478",
          "ISM-1551",
          "ISM-1602",
          "ISM-1784",
          "ISM-1785"
        ],
        "apac-aus-ps-cps-234-2019": [
          "18",
          "19"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S1"
        ],
        "apac-jpn-ismap": [
          "4.4.5.1",
          "4.4.5.3",
          "4.5.2.1",
          "4.8.2.1",
          "5",
          "5.1.1",
          "5.1.1.1",
          "5.1.1.8",
          "5.1.1.21",
          "6",
          "6.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HML01",
          "HHSP01"
        ],
        "apac-nzl-hisf-microsmall-2023": [
          "HMS02"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP01"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.7.C.01",
          "5.1.14.C.01",
          "5.1.16.C.01",
          "5.1.16.C.02",
          "5.1.17.C.01",
          "5.1.18.C.01",
          "5.1.19.C.01",
          "5.1.20.C.01",
          "5.1.20.C.02",
          "5.2.3.C.01",
          "5.2.3.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.1"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.1",
          "6.3"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "3"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-02.1",
      "title": "Exception Management",
      "family": "GOV",
      "description": "Mechanisms exist to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.",
      "scf_question": "Does the organization prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-18"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to prohibit exceptions to standards, except when the exception has been formally assessed for risk impact, approved and recorded.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manual exception management process\n∙ Documented exception request form (Word/PDF template)\n∙ SCFConnect (https://scfconnect.com)",
        "small": "∙ Manual exception management process\n∙ Formalized exception request and approval workflow\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "medium": "∙ Documented exception management process with approval authority matrix\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Risk acceptance tracking with time-bound exceptions",
        "large": "∙ Formal exception management program with defined risk acceptance criteria\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Time-limited exceptions with mandatory compensating controls\n∙ Periodic exception review and recertification process",
        "enterprise": "∙ Enterprise exception management program integrated with GRC platform\n∙ Automated exception workflows with defined approval chains\n∙ Exception-to-risk register linkage with ongoing monitoring\n∙ Audit-ready exception documentation and closure tracking"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-cobit-2019": [
          "DSS06.04"
        ],
        "general-csa-cmm-4-1-0": [
          "CCC-08",
          "GRC-04"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-07"
        ],
        "general-tisax-6-0-3": [
          "1.5.1"
        ],
        "usa-federal-dow-zt-roadmap-1-1": [
          "2.3.7",
          "2.7.3"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(d)(3)(ii)(B)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(d)(3)(ii)(B)(1)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.C.1",
          "III.C.1.b",
          "III.C.3"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.9(b)(3)",
          "500.12(b)",
          "500.15(b)"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S3"
        ],
        "apac-jpn-ismap": [
          "5.1.1.7"
        ]
      }
    },
    {
      "control_id": "GOV-03",
      "title": "Periodic Review & Update of Security, Compliance & Resilience Program",
      "family": "GOV",
      "description": "Mechanisms exist to review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.",
      "scf_question": "Does the organization review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-12"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ IT and/or cybersecurity personnel perform an annual documentation review process that includes the scope of applicable statutory, regulatory and/or contractual obligations.\n▪ Recommendations for documentation edits are submitted for review and are handled in accordance with documentation change control processes.\n▪ Updated documentation versions are published, based on no less than an annual review cycle.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to review the Security, Compliance & Resilience Program (SCRP), including policies, standards and procedures, at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy and effectiveness.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD); in addition, efforts are metrics-driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but is continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual human reviews of policies and procedures\n∙ Documentation change control (version history in document)\n∙ Calendar reminders for review cycles",
        "small": "∙ Annual human reviews with documented review log\n∙ Documentation change control with version history\n∙ Defined policy review and approval process",
        "medium": "∙ Documented review cycle (minimum annual) with ownership assignment\n∙ Change control process with approval workflows\n∙ Document management system with review reminders (e.g., SharePoint, PolicyTech)",
        "large": "∙ Formalized policy lifecycle management (create, review, retire)\n∙ Automated review reminders via policy management platform\n∙ GRC-integrated documentation change control\n∙ Triggered reviews for significant regulatory or organizational changes",
        "enterprise": "∙ Enterprise policy lifecycle management integrated with GRC platform\n∙ Automated review workflows with escalation paths\n∙ Regulatory change monitoring integrated with policy review triggers\n∙ Audit-ready documentation of all policy changes and approvals"
      },
      "risks": [
        "R-AC-1",
        "R-BC-4",
        "R-BC-5",
        "R-EX-2",
        "R-EX-5",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-3",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF5",
          "M1.3-POF4"
        ],
        "general-aicpa-tsc-2017": [
          "CC2.2-POF7",
          "CC5.3",
          "CC5.3-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "7.3"
        ],
        "general-cobit-2019": [
          "EDM01.01",
          "EDM01.03",
          "EDM05.01",
          "APO02.02",
          "APO14.01",
          "MEA03.02"
        ],
        "general-coso-2013": [
          "12"
        ],
        "general-csa-cmm-4-1-0": [
          "A&A-01",
          "AIS-01",
          "BCR-01",
          "CCC-01",
          "CEK-01",
          "DCS-01",
          "GRC-03",
          "IAM-01",
          "IAM-02",
          "IPY-01",
          "I&S-01",
          "LOG-01",
          "SEF-01",
          "SEF-02",
          "STA-01",
          "TVM-01",
          "TVM-02",
          "TVM-04",
          "UEM-01"
        ],
        "general-govramp": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-low-plus": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-govramp-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "general-iso-27001-2022": [
          "7.5.2",
          "7.5.2(a)",
          "7.5.2(b)",
          "7.5.2(c)"
        ],
        "general-iso-27002-2022": [
          "5.1",
          "5.37"
        ],
        "general-iso-27017-2015": [
          "5.1.1",
          "5.1.2",
          "12.1.1"
        ],
        "general-iso-27018-2025": [
          "5.1",
          "5.37"
        ],
        "general-iso-42001-2023": [
          "7.5.2",
          "A.2.4"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P2"
        ],
        "general-nist-800-53-r4": [
          "PM-1"
        ],
        "general-nist-800-53-r5-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-53-r5-2-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-66-r2": [
          "164.316(b)"
        ],
        "general-nist-800-82-r3": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-low": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-mod": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-82-r3-high": [
          "AC-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "general-nist-800-161-r1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-cscrm": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-flowdown": [
          "AC-1",
          "IR-1",
          "MA-1",
          "PS-1",
          "PT-1"
        ],
        "general-nist-800-161-r1-level-1": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-2": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-161-r1-level-3": [
          "AC-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "PE-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.b",
          "03.15.03.d"
        ],
        "general-nist-800-171a-r3": [
          "A.03.15.01.ODP[01]",
          "A.03.15.01.b[01]",
          "A.03.15.01.b[02]"
        ],
        "general-nist-csf-2-0": [
          "GV.PO-02",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "3.1.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "8.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "3.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "2.1.1",
          "3.1.1",
          "5.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "2.1.1",
          "3.1.1",
          "8.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.1",
          "2.1.1",
          "3.1.1",
          "4.1.1",
          "5.1.1",
          "6.1.1",
          "7.1.1",
          "8.1.1",
          "9.1.1",
          "10.1.1",
          "11.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "3.1.1",
          "9.1.1",
          "12.1.1",
          "12.1.2"
        ],
        "general-scf-dpmp-2025": [
          "11.3"
        ],
        "general-tisax-6-0-3": [
          "1.5.1"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-1h"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "PT-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(b)",
          "314.4(g)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(5)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.316(b)(1)(ii)",
          "164.316(b)(2)(iii)",
          "164.530(i)(2)(i)",
          "164.530(i)(2)(ii)",
          "164.530(i)(2)(iii)",
          "164.530(i)(3)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.316(b)(1)(ii)",
          "164.316(b)(2)(iii)"
        ],
        "usa-federal-irs-1075-2021": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PM-1",
          "PS-1",
          "PT-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "SR-1"
        ],
        "usa-federal-cms-marse-2-0": [
          "AC-1",
          "AT-1",
          "AU-1",
          "CA-1",
          "CM-1",
          "CP-1",
          "IA-1",
          "IR-1",
          "MA-1",
          "MP-1",
          "PE-1",
          "PL-1",
          "PS-1",
          "RA-1",
          "SA-1",
          "SC-1",
          "SI-1",
          "PM-1"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-002-5.1a 2.1",
          "CIP-002-5.1a 2.2",
          "CIP-003-8 R1"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.8(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(6)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PM-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01",
          "SR-01"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "AC-01",
          "AT-01",
          "AU-01",
          "CA-01",
          "CM-01",
          "CP-01",
          "IA-01",
          "IR-01",
          "MA-01",
          "MP-01",
          "PE-01",
          "PL-01",
          "PS-01",
          "RA-01",
          "SA-01",
          "SC-01",
          "SI-01"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(8)(B)",
          "2447(b)(9)",
          "2447(b)(9)(A)",
          "2447(b)(9)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(14)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.2",
          "2.3.1",
          "5.1.6",
          "6.7.3"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.2",
          "4.8"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "SP-02"
        ],
        "emea-isr-cmo-1-0": [
          "1.1",
          "5.2",
          "9.1",
          "10.1",
          "11.2",
          "13.1",
          "14.1",
          "15.1",
          "17.1",
          "18.1",
          "21.1",
          "22.1",
          "24.1",
          "25.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4",
          "1-2-3",
          "1-4-6",
          "1-8-3"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-3",
          "1-3-4",
          "1-6-4",
          "1-9-6",
          "1-10-5",
          "2-2-4",
          "2-3-4",
          "2-4-4",
          "2-5-4",
          "2-6-4",
          "2-7-4",
          "2-8-4",
          "2-9-4",
          "2-10-4",
          "2-11-4",
          "2-12-4",
          "2-13-4",
          "2-14-4",
          "2-15-4",
          "3-1-4",
          "4-1-4",
          "4-2-4",
          "5-1-4"
        ],
        "emea-sau-otcc-1-2022": [
          "1-1-3"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 27"
        ],
        "emea-esp-decree-311-2022": [
          "27"
        ],
        "emea-gbr-caf-4-0": [
          "B1.a"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "2100"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "2100",
          "2101"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "2100",
          "2101"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1617"
        ],
        "apac-aus-ps-cps-234-2019": [
          "19"
        ],
        "apac-ind-sebi-2024": [
          "GV.PO.S2",
          "GV.PO.S3",
          "GV.PO.S4"
        ],
        "apac-jpn-ismap": [
          "4.5.3.1",
          "4.7.1.5",
          "4.8.2.1",
          "5.1.1",
          "5.1.2",
          "5.1.2.2",
          "5.1.2.3",
          "5.1.2.4"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP67",
          "HML66"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP58"
        ],
        "apac-nzl-ism-3-9": [
          "5.1.14.C.01",
          "5.1.21.C.01",
          "5.1.21.C.02"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.2.2"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.3.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.B",
          "03.15.03.D"
        ]
      }
    },
    {
      "control_id": "GOV-04",
      "title": "Assigned Security, Compliance & Resilience Responsibilities",
      "family": "GOV",
      "description": "Mechanisms exist to assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization assign one or more qualified individuals with the mission and resources to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-01",
        "E-HRS-05",
        "E-HRS-06",
        "E-HRS-07",
        "E-HRS-08",
        "E-HRS-09",
        "E-HRS-10",
        "E-HRS-13",
        "E-HRS-15"
      ],
      "pptdf": "People",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ A qualified individual is assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program (e.g., cybersecurity director or Chief Information Security Officer (CISO)).\n▪ The individual assigned the role and responsibilities to centrally manage, coordinate, develop, implement and maintain a cybersecurity and data protection program develops plans to implement the organization's security, compliance and resiliency-related objectives.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ A qualified individual is assigned the role and responsibilities to centrally-manage, coordinate, develop, implement and maintain an enterprise-wide Security, Compliance & Resilience Program (SCRP) (e.g., cybersecurity director or Chief Information Security Officer (CISO)).",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Third-party advisors (e.g., virtual CISO (vCISO), Managed Security Services Provider (MSSP))\n∙ Designated internal security point of contact\n∙ vCISO services (e.g., Truvantis, private vCISO firms)",
        "small": "∙ Third-party advisors (e.g., virtual CISO (vCISO), Managed Security Services Provider (MSSP))\n∙ Part-time or shared security manager\n∙ vCISO services with defined scope and deliverables",
        "medium": "∙ Dedicated Information Security Manager (ISM) or fractional CISO\n∙ Chief Information Security Officer (CISO) or equivalent role\n∙ Defined Information Security Management System (ISMS) ownership",
        "large": "∙ Chief Information Security Officer (CISO) with defined authority and budget\n∙ Security leadership team (CISO, DPO, IAM lead, etc.)\n∙ Security organizational structure with clear reporting lines",
        "enterprise": "∙ Chief Information Security Officer (CISO) with C-suite authority and board access\n∙ Security leadership organization (CISO, Deputy CISO, DPO, domain leads)\n∙ Security Center of Excellence (CoE)\n∙ Defined succession planning for key security roles"
      },
      "risks": [
        "R-AC-1",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.1",
          "CC1.3",
          "CC5.3-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.1",
          "4.1.6",
          "7.2"
        ],
        "general-cobit-2019": [
          "APO01.05"
        ],
        "general-coso-2013": [
          "1",
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-csa-iot-2": [
          "GVN-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.1",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3"
        ],
        "general-iso-27001-2022": [
          "5.1(f)",
          "5.1(h)",
          "5.3",
          "5.3(a)",
          "5.3(b)"
        ],
        "general-iso-27002-2022": [
          "5.2"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "6.1",
          "6.1.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.2",
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3",
          "5.3(a)"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "A.3.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.C(1)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.1",
          "GOVERN 2.3",
          "GOVERN 5.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P3",
          "CM.PO-P2"
        ],
        "general-nist-800-37-r2": [
          "TASK P-1"
        ],
        "general-nist-800-53-r4": [
          "PL-9",
          "PM-2",
          "PM-6"
        ],
        "general-nist-800-53-r5-2": [
          "PL-09",
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(2)"
        ],
        "general-nist-800-82-r3": [
          "PL-09",
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-low": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-82-r3-high": [
          "PM-02",
          "PM-06",
          "PM-29"
        ],
        "general-nist-800-161-r1": [
          "PL-9",
          "PM-2",
          "PM-6",
          "PM-29"
        ],
        "general-nist-800-161-r1-level-1": [
          "PL-9",
          "PM-2",
          "PM-6",
          "PM-29"
        ],
        "general-nist-800-161-r1-level-2": [
          "PL-9",
          "PM-2",
          "PM-6"
        ],
        "general-nist-800-218": [
          "PO.2.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM",
          "GV.RM-05",
          "GV.RR-01",
          "GV.RR-02"
        ],
        "general-pci-dss-4-0-1": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4",
          "12.4",
          "A3.1.1",
          "A3.1.3"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-b": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "12.1.3"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "4.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "1.1.2",
          "2.1.2",
          "3.1.2",
          "5.1.2",
          "6.1.2",
          "7.1.2",
          "8.1.2",
          "9.1.2",
          "10.1.2",
          "11.1.2",
          "12.1.3",
          "12.1.4"
        ],
        "general-pci-dss-4-0-1-saq-p2pe": [
          "12.1.3"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "PL-9"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5d",
          "THREAT-3d",
          "RISK-5d",
          "ACCESS-4d",
          "SITUATION-4d",
          "RESPONSE-5d",
          "THIRD-PARTIES-3d",
          "WORKFORCE-5d",
          "ARCHITECTURE-6d",
          "PROGRAM-2e",
          "PROGRAM-3d"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(b)(3)"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PL-09",
          "PM-06",
          "PM-29"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.4(a)",
          "314.4(a)(1)",
          "314.4(a)(2)",
          "314.4(a)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.308(a)(2)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.308(a)(2)"
        ],
        "usa-federal-irs-1075-2021": [
          "PM-2",
          "PM-29"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-2",
          "PM-6"
        ],
        "usa-federal-nerc-cip-2024": [
          "CIP-003-8 R4"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(ii)",
          "17 CFR 229.106(c)(1)",
          "17 CFR 229.106(c)(2)(i)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(3)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.5(a)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(a)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(A)(1)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-02",
          "PM-02-SID",
          "PM-06"
        ],
        "usa-state-tx-sb820-2019": [
          "11.175(d)"
        ],
        "usa-state-vt-act-171-2018": [
          "2447(b)(1)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(m)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(11)",
          "3.3.1(12)",
          "3.7.5(91)"
        ],
        "emea-eu-dora-2023": [
          "Article 5.2",
          "Article 5.2(a)",
          "Article 5.2(b)",
          "Article 5.2(c)",
          "Article 5.2(d)",
          "Article 5.2(e)",
          "Article 5.2(f)",
          "Article 5.2(g)",
          "Article 5.2(h)",
          "Article 5.2(i)(i)",
          "Article 5.2(i)(ii)",
          "Article 5.2(i)(iii)",
          "Article 5.3"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(g)",
          "1.2.1",
          "1.2.4"
        ],
        "emea-aut-fappd-2000": [
          "Sec 14",
          "Sec 15"
        ],
        "emea-bel-act-8-1992": [
          "16"
        ],
        "emea-deu-bsrit-2017": [
          "4.4",
          "4.5",
          "4.6"
        ],
        "emea-deu-c5-2020": [
          "OIS-03"
        ],
        "emea-sau-ecc-1-2018": [
          "1-2-2",
          "1-4-1",
          "1-4-2",
          "1-5-2"
        ],
        "emea-sau-otcc-1-2022": [
          "1-2",
          "1-2-1-2"
        ],
        "emea-sau-sama-csf-1-2017": [
          "3.1.4"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b",
          "A1.c"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1102",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l1-2024": [
          "1102"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1102",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1102",
          "1103"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0714",
          "ISM-0717",
          "ISM-0720",
          "ISM-0724",
          "ISM-0725",
          "ISM-0726",
          "ISM-0731",
          "ISM-0732",
          "ISM-0733",
          "ISM-0734",
          "ISM-0735"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21",
          "24"
        ],
        "apac-aus-ps-cps-234-2019": [
          "14",
          "19"
        ],
        "apac-chn-data-security-law-2021": [
          "45",
          "46"
        ],
        "apac-chn-pipl-2021": [
          "52"
        ],
        "apac-ind-dpdpa-2023": [
          "19(3)"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1",
          "GV.RR.S2",
          "GV.RR.S3"
        ],
        "apac-jpn-ismap": [
          "4.4.1.2",
          "5.1.1.6",
          "5.1.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21",
          "HHSP27",
          "HML21",
          "HML27"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP19",
          "HSUP23"
        ],
        "apac-nzl-ism-3-9": [
          "3.1.8.C.01",
          "3.1.8.C.02",
          "3.1.8.C.03",
          "3.1.9.C.01",
          "3.2.8.C.01",
          "3.2.8.C.02",
          "3.2.8.C.03",
          "3.2.8.C.04",
          "3.2.8.C.05",
          "3.2.9.C.01",
          "3.2.10.C.01",
          "3.2.10.C.02",
          "3.2.10.C.03",
          "3.2.10.C.04",
          "3.2.11.C.01",
          "3.2.11.C.02",
          "3.2.11.C.03",
          "3.2.12.C.01",
          "3.2.12.C.02",
          "3.2.12.C.03",
          "3.2.13.C.01",
          "3.2.13.C.02",
          "3.2.14.C.01",
          "3.2.15.C.01",
          "3.2.16.C.01",
          "3.2.17.C.01",
          "3.2.18.C.01",
          "3.2.19.C.01"
        ],
        "apac-sgp-mas-trm-2021": [
          "3.1.7(a)",
          "3.1.7(b)",
          "3.1.7(c)",
          "3.1.7(d)",
          "3.1.7(e)",
          "3.1.7(f)",
          "3.1.7(g)",
          "3.1.8(a)",
          "3.1.8(b)",
          "3.1.8(c)",
          "3.1.8(d)",
          "3.1.8(e)"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.2"
        ],
        "amaericas-can-osfi-self-assessment": [
          "1.1",
          "1.2",
          "6.2"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1",
          "1.1.1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-04.1",
      "title": "Stakeholder Accountability Structure",
      "family": "GOV",
      "description": "Mechanisms exist to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
      "scf_question": "Does the organization enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to enforce an accountability structure so that appropriate teams and individuals are empowered, responsible and trained for mapping, measuring and managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented roles and responsibilities (RACI matrix or equivalent)\n∙ Job descriptions with security duties clearly defined",
        "small": "∙ Documented RACI matrix for cybersecurity responsibilities\n∙ Formal security role assignments in job descriptions\n∙ Access control aligned to defined roles",
        "medium": "∙ Documented RACI matrix for cybersecurity responsibilities\n∙ Role-based accountability framework\n∙ Performance metrics tied to security responsibilities",
        "large": "∙ Formal accountability framework (RACI/RASCI) maintained in GRC platform\n∙ Security role definitions with measurable performance criteria\n∙ Control ownership assigned and tracked in GRC platform",
        "enterprise": "∙ Enterprise accountability framework integrated with GRC and HR systems\n∙ Control ownership model with documented accountability for each control domain\n∙ Security KPIs tied to role-based performance management\n∙ Third-party accountability structures for key vendors"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-6",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1",
          "M1.2-POF2"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.3",
          "CC1.3-POF1",
          "CC1.3-POF2",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC1.3-POF6",
          "CC1.5-POF1",
          "CC5.3-POF2"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.6",
          "7.2"
        ],
        "general-cobit-2019": [
          "BAI01.03"
        ],
        "general-coso-2013": [
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-csa-iot-2": [
          "GVN-01"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3",
          "5.3(a)",
          "5.3(b)",
          "8.4.2.1"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1",
          "5.3(a)"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "A.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.0",
          "GOVERN 2.1",
          "GOVERN 5.0",
          "MANAGE 2.4"
        ],
        "general-nist-800-37-r2": [
          "TASK P-9"
        ],
        "general-nist-800-218": [
          "PO.2.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-05",
          "GV.RR-01"
        ],
        "general-shared-assessments-sig-2025": [
          "R.6"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2",
          "1.2.4"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:SG1.SP3"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1e",
          "PROGRAM-2f"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(c)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(6)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(m)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.1(11)",
          "3.7.5(91)"
        ],
        "emea-deu-bsrit-2017": [
          "4.5",
          "4.6",
          "4.10"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1101",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1101",
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1101",
          "1103"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1",
          "GV.RR.S2"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21",
          "HHSP27",
          "HML21",
          "HML27"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP19",
          "HSUP23"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1",
          "1.1.1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-04.2",
      "title": "Authoritative Chain of Command",
      "family": "GOV",
      "description": "Mechanisms exist to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
      "scf_question": "Does the organization establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-HRS-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish an authoritative chain of command with clear lines of communication to remove ambiguity from individuals and teams related to managing Technology Assets, Applications, Services and/or Data (TAASD)-related risks.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Organization chart with security escalation paths\n∙ Documented incident escalation contact list",
        "small": "∙ Organization chart with defined security escalation paths\n∙ Documented escalation procedures for security decisions\n∙ Clear IT/security reporting relationships",
        "medium": "∙ Organization chart with cybersecurity reporting lines\n∙ Formal escalation matrix for security decisions and incidents\n∙ Defined authority levels for security-related approvals",
        "large": "∙ Formal organizational structure with clear cybersecurity authority chain\n∙ Documented delegation of authority for security decisions\n∙ Defined escalation procedures published in the SCRP",
        "enterprise": "∙ Enterprise organizational structure with defined CISO authority and reporting chain\n∙ Board-level visibility into security command structure\n∙ Integrated HR/org management system reflecting security authority\n∙ Formalized delegation of authority matrix for security decisions"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-6",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-pmf-2020": [
          "M1.2-POF1"
        ],
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC1.3",
          "CC1.3-POF1",
          "CC1.3-POF2",
          "CC1.3-POF3",
          "CC1.3-POF4",
          "CC1.3-POF5",
          "CC1.3-POF6",
          "CC1.5-POF1"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.6",
          "7.2"
        ],
        "general-coso-2013": [
          "3",
          "5"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-06"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3",
          "3.5.1.2"
        ],
        "general-iso-22301-2019": [
          "5.3"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "5.4.3"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "A.3"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.3",
          "GOVERN 2.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.2"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "1.B",
          "1.C"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "RISK-1e",
          "PROGRAM-2f"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(c)(1)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-deu-bsrit-2017": [
          "4.5",
          "4.6",
          "4.10"
        ],
        "emea-gbr-caf-4-0": [
          "A1.b"
        ],
        "emea-gbr-def-stan-05-138-2024": [
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l2-2024": [
          "1103"
        ],
        "emea-gbr-def-stan-05-138-l3-2024": [
          "1103"
        ],
        "apac-aus-ps-cps-230-2023": [
          "21"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.PO.S5"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP21"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.1.2"
        ]
      }
    },
    {
      "control_id": "GOV-05",
      "title": "Measures of Performance",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
      "scf_question": "Does the organization develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Basic metrics are developed to provide operational oversight of a limited scope of cybersecurity and data protection controls.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Security, Compliance & Resilience Program (SCRP) measures of performance.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet-based dashboard)\n∙ Basic security scorecard (patch %, training completion %, incident count)",
        "small": "∙ Manually-generated metrics with structured reporting template\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Simple security dashboard (e.g., Power BI free tier, Google Looker Studio)",
        "medium": "∙ Automated metrics via GRC or security tool integrations\n∙ Security dashboard with defined KPIs/KRIs (e.g., Power BI, GRC platform reporting)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ GRC platform with integrated metrics and dashboards\n∙ Automated data collection from security tools (SIEM, vulnerability scanner, etc.)\n∙ Defined measurement cadence aligned with board reporting schedule",
        "enterprise": "∙ Enterprise GRC platform with automated metrics collection and reporting\n∙ Security metrics integrated with business intelligence platform (e.g., Tableau, Power BI)\n∙ Automated benchmarking against industry standards (e.g., CIS Benchmarks, CISA metrics)\n∙ Real-time security posture dashboards for executive and board reporting"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF3",
          "CC1.2",
          "CC1.5",
          "CC1.5-POF2",
          "CC1.5-POF5",
          "CC2.1-POF4",
          "CC2.2",
          "CC4.1",
          "CC4.1-POF2",
          "CC4.2-POF1",
          "CC5.3-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "4.3"
        ],
        "general-cobit-2019": [
          "EDM01.03",
          "EDM05.01",
          "EDM05.03",
          "APO02.02",
          "DSS06.01",
          "MEA01.02",
          "MEA01.03"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-csa-cmm-4-1-0": [
          "AIS-03",
          "DCS-17",
          "SEF-05",
          "TVM-12"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.3"
        ],
        "general-iso-22301-2019": [
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)"
        ],
        "general-iso-27001-2022": [
          "9.1",
          "9.1(a)",
          "9.1(b)",
          "9.1(c)",
          "9.1(d)",
          "9.1(e)",
          "9.1(f)"
        ],
        "general-iso-27701-2025": [
          "9.1"
        ],
        "general-iso-31000-2018": [
          "5.2",
          "5.4.2",
          "6.6"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "9.3.2(d)",
          "9.3.2(d)(1)",
          "9.3.2(d)(2)",
          "9.3.2(d)(3)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 1.5",
          "MAP 5.2",
          "MEASURE 1.0",
          "MEASURE 1.1",
          "MEASURE 1.2",
          "MEASURE 4.0",
          "MEASURE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-002",
          "MS-2.7-004"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.MT-P4",
          "PR.PO-P5",
          "PR.PO-P6"
        ],
        "general-nist-800-53-r4": [
          "PM-6"
        ],
        "general-nist-800-53-r5-2": [
          "PM-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-06"
        ],
        "general-nist-800-82-r3": [
          "PM-06"
        ],
        "general-nist-800-82-r3-low": [
          "PM-06"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-06"
        ],
        "general-nist-800-82-r3-high": [
          "PM-06"
        ],
        "general-nist-800-161-r1": [
          "PM-6"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-6"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-6"
        ],
        "general-nist-800-171-r3": [
          "03.12.03"
        ],
        "general-nist-800-207": [
          "NIST Tenet 7"
        ],
        "general-nist-csf-2-0": [
          "GV",
          "GV.OV",
          "GV.OV-01",
          "GV.OV-03",
          "GV.SC",
          "GV.SC-09",
          "ID.IM-03"
        ],
        "general-scf-dpmp-2025": [
          "11.5"
        ],
        "general-tisax-6-0-3": [
          "1.2.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "MA:SG1",
          "MA:SG1.SP1",
          "MA:SG1.SP2",
          "MA:SG1.SP3",
          "MA:SG1.SP4",
          "MA:SG2",
          "MA:SG2.SP1",
          "MA:SG2.SP2",
          "MA:SG2.SP3",
          "MA:SG2.SP4",
          "MA:GG1.GP1",
          "MA:GG2",
          "MA:GG2.GP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ASSET-5f",
          "THREAT-3f",
          "RISK-5f",
          "ACCESS-4f",
          "SITUATION-3d",
          "SITUATION-4f",
          "RESPONSE-5f",
          "THIRD-PARTIES-3f",
          "WORKFORCE-5f",
          "ARCHITECTURE-6f",
          "PROGRAM-2g",
          "PROGRAM-3f"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-06"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-6"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-06"
        ],
        "emea-eu-dora-2023": [
          "Article 13.4"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.2(f)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(j)"
        ],
        "emea-us-psd2-2015": [
          "3"
        ],
        "emea-deu-c5-2020": [
          "COM-04"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-4"
        ],
        "emea-esp-ccn-stic-825-2023": [
          "7.6.2 [OP.MON.2]"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0724"
        ],
        "apac-ind-sebi-2024": [
          "GV.OV.S3",
          "GV.OV.S4",
          "PR.IP.S10"
        ],
        "apac-jpn-ismap": [
          "4.6.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP46",
          "HML46"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP38"
        ],
        "apac-sgp-mas-trm-2021": [
          "4.5.3",
          "7.8.3"
        ],
        "americas-bmu-mba-coc-2020": [
          "5.7"
        ],
        "amaericas-can-osfi-self-assessment": [
          "6.9"
        ],
        "americas-can-osfi-b13-2022": [
          "1",
          "1.2",
          "2.8.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.12.03"
        ]
      }
    },
    {
      "control_id": "GOV-05.1",
      "title": "Key Performance Indicators (KPIs)",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet)\n∙ Key security KPIs: patch compliance %, training completion %, incident count, open vulnerability age",
        "small": "∙ Manually-generated metrics with defined KPI thresholds\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Monthly/quarterly KPI reporting to leadership",
        "medium": "∙ Defined security KPI library (CIS, CISA, or custom)\n∙ Automated KPI collection via GRC or SIEM integration\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ Formal KPI program with defined targets, thresholds, and owners\n∙ GRC platform with automated KPI dashboards (e.g., SCFConnect, Cyturus, etc.)\n∙ Board-level security KPI reporting cadence",
        "enterprise": "∙ Enterprise KPI program aligned to NIST, CIS, or custom security frameworks\n∙ Automated KPI collection and reporting via GRC/SIEM integration\n∙ Board and audit committee KPI reporting with trend analysis\n∙ KPIs mapped to business risk appetite and strategic objectives"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.5",
          "CC2.2",
          "CC4.1"
        ],
        "general-cobit-2019": [
          "APO02.02"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.1",
          "MEASURE 4.3"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-1.3-002"
        ],
        "emea-sau-cgiot-2024": [
          "1-1-3"
        ],
        "americas-can-osfi-b13-2022": [
          "2.8.1"
        ]
      }
    },
    {
      "control_id": "GOV-05.2",
      "title": "Key Risk Indicators (KRIs)",
      "family": "GOV",
      "description": "Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
      "scf_question": "Does the organization develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP)?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-13"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Organizational leadership maintains an informal process to review and respond to observed trends.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the Security, Compliance & Resilience Program (SCRP).",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Manually-generated metrics (spreadsheet)\n∙ Basic risk indicators: critical unpatched vulnerabilities, failed logins, open security incidents",
        "small": "∙ Manually-generated KRI tracking with alert thresholds\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)\n∙ Documented risk tolerance thresholds",
        "medium": "∙ Defined KRI library tied to organizational risk register\n∙ Automated KRI monitoring via GRC platform or SIEM (e.g., Splunk, Microsoft Sentinel)\n∙ GRC solution (e.g., SCFConnect, Cyturus, SureCloud, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)",
        "large": "∙ Formal KRI program with defined risk appetite thresholds\n∙ Automated KRI monitoring with escalation triggers\n∙ GRC platform with KRI dashboards linked to risk register\n∙ Regular KRI reporting to risk committee",
        "enterprise": "∙ Enterprise KRI program integrated with risk management framework\n∙ Automated real-time KRI monitoring with AI-assisted anomaly detection\n∙ Board-level risk indicator reporting with trend analysis\n∙ KRIs linked to enterprise risk appetite and materiality thresholds"
      },
      "risks": [
        "R-AC-1",
        "R-GV-1",
        "R-GV-2",
        "R-GV-6",
        "R-GV-7",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2",
          "CC1.5",
          "CC2.2",
          "CC4.1"
        ],
        "general-cobit-2019": [
          "APO02.02"
        ],
        "general-coso-2013": [
          "2",
          "5",
          "14",
          "16"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MEASURE 4.1",
          "MEASURE 4.3"
        ],
        "general-nist-csf-2-0": [
          "GV.RM-01"
        ]
      }
    },
    {
      "control_id": "GOV-06",
      "title": "Contacts With Authorities",
      "family": "GOV",
      "description": "Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
      "scf_question": "Does the organization identify and document appropriate contacts with relevant law enforcement and regulatory bodies?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity personnel identify and maintain contact information for local and national law enforcement (e.g., FBI field office) in case of cybersecurity incidents that require law enforcement involvement.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.\n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Documented list of law enforcement and regulatory contacts (FBI, CISA, state AG)\n∙ MS-ISAC free membership (https://www.cisecurity.org/ms-isac)",
        "small": "∙ Documented contacts with FBI Cyber Division, CISA, and relevant regulators\n∙ MS-ISAC or sector-specific ISAC membership\n∙ Pre-established law enforcement liaisons for incident response",
        "medium": "∙ Integrated Security Incident Response Team (ISIRT) with defined authority contacts\n∙ CISA Cyber Liaison and FBI Cyber Division contacts\n∙ Sector ISAC membership (e.g., FS-ISAC, H-ISAC, E-ISAC)\n∙ Regulatory notification contact list (e.g., FTC, OCR, state regulators)",
        "large": "∙ Integrated Security Incident Response Team (ISIRT) with pre-established authority relationships\n∙ Formal engagement with law enforcement (FBI, USSS, CISA)\n∙ Sector ISAC active membership with information sharing participation\n∙ Regulatory breach notification contacts and documented procedures",
        "enterprise": "∙ Dedicated government liaison program (FBI, CISA, NSA, sector regulators)\n∙ Active ISAC membership with classified threat briefing access (where applicable)\n∙ Pre-established breach notification workflows for all applicable regulators\n∙ Integrated Security Incident Response Team (ISIRT) with 24/7 law enforcement contact protocols"
      },
      "risks": [
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF4",
          "CC2.3",
          "CC3.1-POF10"
        ],
        "general-coso-2013": [
          "15"
        ],
        "general-govramp": [
          "IR-06"
        ],
        "general-govramp-core": [
          "IR-06"
        ],
        "general-govramp-low": [
          "IR-06"
        ],
        "general-govramp-low-plus": [
          "IR-06"
        ],
        "general-govramp-mod": [
          "IR-06"
        ],
        "general-govramp-high": [
          "IR-06"
        ],
        "general-iso-27002-2022": [
          "5.5"
        ],
        "general-iso-27017-2015": [
          "6.1.3"
        ],
        "general-iso-27018-2025": [
          "5.5"
        ],
        "general-nist-600-1-gen-ai-profile": [
          "GV-2.1-004"
        ],
        "general-nist-800-53-r4": [
          "IR-6"
        ],
        "general-nist-800-53-r5-2": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "IR-06"
        ],
        "general-nist-800-53-r5-2-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3": [
          "IR-06"
        ],
        "general-nist-800-82-r3-low": [
          "IR-06"
        ],
        "general-nist-800-82-r3-mod": [
          "IR-06"
        ],
        "general-nist-800-82-r3-high": [
          "IR-06"
        ],
        "general-nist-800-161-r1": [
          "IR-6"
        ],
        "usa-federal-dhs-cisa-cpg-2-0": [
          "4.A"
        ],
        "usa-federal-fbi-cjis-6-0": [
          "IR-6"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "IR-06"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "IR-06"
        ],
        "usa-federal-irs-1075-2021": [
          "IR-6"
        ],
        "usa-federal-cms-marse-2-0": [
          "IR-6"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-1": [
          "IR-06"
        ],
        "usa-state-tx-txramp-2-0-level-2": [
          "IR-06"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.7.5(91)"
        ],
        "emea-eu-dora-2023": [
          "Article 31.4"
        ],
        "emea-deu-c5-2020": [
          "OIS-05"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 32.1",
          "Article 32.2",
          "Article 32.3"
        ],
        "emea-esp-decree-311-2022": [
          "32.1",
          "32.2",
          "32.3"
        ],
        "apac-aus-ps-cps-230-2023": [
          "33",
          "42",
          "51",
          "59(a)",
          "59(b)"
        ],
        "apac-aus-ps-cps-234-2019": [
          "35",
          "35(a)",
          "35(b)",
          "36"
        ],
        "apac-jpn-ismap": [
          "6.1.3",
          "6.1.3.1",
          "6.1.3.3.PB"
        ]
      }
    },
    {
      "control_id": "GOV-07",
      "title": "Contacts With Groups & Associations",
      "family": "GOV",
      "description": "Mechanisms exist to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
      "scf_question": "Does the organization establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-THR-02"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.\n▪ Cybersecurity and data privacy personnel identify and maintain contact information for local, regional and national cybersecurity / data privacy groups and associations.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish contact with selected groups and associations within the security, compliance and resilience communities to: \n(1) Facilitate ongoing cybersecurity and data protection education and training for organizational personnel;\n(2) Maintain currency with recommended cybersecurity and data protection practices, techniques and technologies; and\n(3) Share current cybersecurity and/or data protection-related information including threats, vulnerabilities and incidents.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes. \n▪ Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA free resources and advisories (https://www.cisa.gov)\n∙ SANS reading room, vendor security blogs",
        "small": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA free resources and advisories (https://www.cisa.gov)\n∙ MS-ISAC free membership (https://www.cisecurity.org/ms-isac)",
        "medium": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ CISA advisories and threat alerts (https://www.cisa.gov)\n∙ Sector-specific ISAC membership",
        "large": "∙ ISACA chapters (https://www.isaca.org)\n∙ ISC2 chapters (https://www.isc2.org)\n∙ IAPP chapters (https://iapp.org)\n∙ Sector ISAC active membership (e.g., FS-ISAC, H-ISAC)\n∙ CISA Cyber Information Sharing program\n∙ InfraGard membership (https://www.infragard.org)",
        "enterprise": "∙ ISACA enterprise membership (https://www.isaca.org)\n∙ ISC2 enterprise programs (https://www.isc2.org)\n∙ IAPP enterprise membership (https://iapp.org)\n∙ Sector ISAC leadership participation\n∙ InfraGard and CISA partnership programs\n∙ Sector-specific policy engagement (FS-ISAC, NTIA, etc.)"
      },
      "risks": [
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.2-POF4",
          "CC2.3"
        ],
        "general-csa-cmm-4-1-0": [
          "GRC-08"
        ],
        "general-iec-62443-2-1-2024": [
          "EVENT 1.3"
        ],
        "general-iso-27002-2022": [
          "5.6"
        ],
        "general-iso-27017-2015": [
          "6.1.4"
        ],
        "general-iso-27018-2025": [
          "5.6"
        ],
        "general-nist-800-53-r4": [
          "PM-15"
        ],
        "general-nist-800-53-r5-2": [
          "PM-15"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-15"
        ],
        "general-nist-800-82-r3": [
          "PM-15"
        ],
        "general-nist-800-82-r3-low": [
          "PM-15"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-15"
        ],
        "general-nist-800-82-r3-high": [
          "PM-15"
        ],
        "general-nist-800-161-r1": [
          "PM-15"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-15"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-15"
        ],
        "general-nist-csf-2-0": [
          "ID.RA-02"
        ],
        "general-pci-dss-4-0-1": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-a-ep": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-b-ip": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-c-vt": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-merchant": [
          "6.3.1"
        ],
        "general-pci-dss-4-0-1-saq-d-service-provider": [
          "6.3.1"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "PROGRAM-2j"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-15"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-15"
        ],
        "usa-federal-cms-marse-2-0": [
          "PM-15",
          "PM-15.a",
          "PM-15.b",
          "PM-15.c"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PM-15"
        ],
        "emea-eu-dora-2023": [
          "Article 45.1",
          "Article 45.1(a)",
          "Article 45.1(b)",
          "Article 45.1(c)",
          "Article 45.2"
        ],
        "apac-jpn-ismap": [
          "6.1.4",
          "6.1.4.1",
          "6.1.4.2",
          "6.1.4.3",
          "6.1.4.4",
          "6.1.4.5",
          "6.1.4.6"
        ],
        "amaericas-can-osfi-self-assessment": [
          "3.7"
        ]
      }
    },
    {
      "control_id": "GOV-08",
      "title": "Defining Business Context & Mission",
      "family": "GOV",
      "description": "Mechanisms exist to define the context of its business model and document the organization's mission.",
      "scf_question": "Does the organization define the context of its business model and document the mission of the organization?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-PRM-01"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ The context of the entity's business model and its mission are documented.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document mission statement and business context in writing",
        "small": "∙ Written mission statement and business context document\n∙ Annual review",
        "medium": "∙ Formal business context document\n∙ Integrated into risk management process",
        "large": "∙ Formal business context and mission documentation\n∙ Linked to enterprise risk management (ERM)\n∙ Stakeholder review process",
        "enterprise": "∙ Enterprise business context framework\n∙ Integrated ERM platform\n∙ Formal mission alignment review process\n∙ Strategic planning documentation"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1",
          "CC2.2-POF10",
          "CC3.1-POF1",
          "CC3.1-POF3",
          "CC3.1-POF15",
          "CC5.1-POF2"
        ],
        "general-cobit-2019": [
          "EDM05.01",
          "EDM05.02",
          "EDM05.03",
          "APO01.01",
          "APO01.02",
          "APO01.03",
          "APO01.04",
          "APO01.06",
          "APO02.01",
          "APO02.05",
          "APO08.01",
          "APO08.02",
          "APO08.03",
          "APO08.04"
        ],
        "general-coso-2013": [
          "6",
          "10"
        ],
        "general-iso-22301-2019": [
          "4.1",
          "4.2.1",
          "4.2.1(a)",
          "4.2.1(b)"
        ],
        "general-iso-27001-2022": [
          "4.1",
          "4.2(a)",
          "4.3",
          "5.1"
        ],
        "general-iso-27701-2025": [
          "4.1",
          "6.1.1"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-42001-2023": [
          "6.2"
        ],
        "general-nist-100-1-ai-rmf": [
          "MAP 1.3"
        ],
        "general-nist-privacy-framework-1-0": [
          "ID.IM-P5",
          "ID.BE-P1",
          "ID.BE-P2",
          "GV.RM-P3"
        ],
        "general-nist-csf-2-0": [
          "GV.OC",
          "GV.OC-01",
          "GV.OC-04",
          "GV.OV-01",
          "GV.SC-03"
        ],
        "general-scf-dpmp-2025": [
          "11.1"
        ],
        "general-shared-assessments-sig-2025": [
          "B.1"
        ],
        "general-tisax-6-0-3": [
          "1.1.1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(2)(i)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(2)(i)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(4)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(b)"
        ],
        "emea-sau-ecc-1-2018": [
          "1-1-1"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2",
          "2.1.1"
        ]
      }
    },
    {
      "control_id": "GOV-09",
      "title": "Define Control Objectives",
      "family": "GOV",
      "description": "Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system.",
      "scf_question": "Does the organization establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-10"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to establish control objectives as the basis for the selection, implementation and management of the organization's internal security, compliance and resilience control system.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document basic security control objectives in a policy",
        "small": "∙ Written control objectives tied to applicable requirements",
        "medium": "∙ Formal control objectives framework\n∙ Mapped to applicable laws and regulations",
        "large": "∙ Enterprise control objectives library\n∙ Mapped to regulatory requirements\n∙ GRC platform for control tracking",
        "enterprise": "∙ Enterprise GRC platform (e.g., ServiceNow GRC, RSA Archer)\n∙ Control objectives library\n∙ Automated compliance mapping\n∙ Continuous control monitoring"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF1",
          "CC2.2",
          "CC2.2-POF1",
          "CC2.2-POF7",
          "CC3.1",
          "CC3.1-POF1",
          "CC3.1-POF8",
          "CC3.1-POF9",
          "CC3.1-POF15"
        ],
        "general-cobit-2019": [
          "APO01.04"
        ],
        "general-coso-2013": [
          "6",
          "10"
        ],
        "general-iso-27001-2022": [
          "4.1",
          "4.2",
          "4.2(b)",
          "4.2(c)",
          "5.2(b)",
          "6.2",
          "6.2(a)",
          "6.2(b)",
          "6.2(c)",
          "6.2(d)",
          "6.2(e)",
          "6.2(f)",
          "6.2(g)",
          "6.2(h)",
          "6.2(i)",
          "6.2(j)",
          "6.2(k)",
          "6.2(l)"
        ],
        "general-iso-27701-2025": [
          "6.1.3(d)"
        ],
        "general-iso-31000-2018": [
          "5.4.1"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "6.2",
          "8.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-csf-2-0": [
          "GV.SC-03"
        ],
        "general-tisax-6-0-3": [
          "1.1.1",
          "7.1.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG1",
          "CTRL:SG1.SP1"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)",
          "609.930(c)(6)"
        ],
        "usa-federal-law-glba-cfr-314-2023": [
          "314.3(b)(1)",
          "314.3(b)(2)",
          "314.3(b)(3)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(b)(1)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(b)(1)",
          "164.308(a)(1)(ii)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.2.1(5)(c)"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.1.1(c)"
        ],
        "emea-deu-c5-2020": [
          "OIS-01",
          "OIS-02"
        ],
        "emea-sau-cscc-1-2019": [
          "1-1"
        ],
        "apac-ind-sebi-2024": [
          "GV.OC.S1",
          "GV.RM.S1"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1",
          "5.1.1.5"
        ],
        "americas-can-osfi-b13-2022": [
          "1.2",
          "2.1.1"
        ]
      }
    },
    {
      "control_id": "GOV-10",
      "title": "Data Governance",
      "family": "GOV",
      "description": "Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
      "scf_question": "Does the organization facilitate data governance to oversee its policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Administrative processes require all employees and contractors to apply cybersecurity and data protection principles in their daily work (e.g., policies & standards).\n▪ Cybersecurity and data privacy governance practices are informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Basic data inventory (spreadsheet)\n∙ Designated data owner / data custodian role\n∙ Informal data classification policy",
        "small": "∙ Data governance policy and data classification standard\n∙ Designated data owner(s) by data type\n∙ Basic data inventory with sensitivity classification",
        "medium": "∙ Formal data governance program with data classification scheme\n∙ Data steward and data owner roles defined\n∙ Data catalog tool (e.g., Microsoft Purview free tier, OpenMetadata)",
        "large": "∙ Chief Data Officer (CDO) or equivalent role\n∙ Formal data governance committee\n∙ Enterprise data catalog and classification tool (e.g., Microsoft Purview, Collibra)\n∙ Data quality and lineage management program",
        "enterprise": "∙ Chief Data Officer (CDO) with executive authority\n∙ Enterprise Data Governance Council\n∙ Enterprise data catalog, classification, and lineage platform (e.g., Collibra, Alation, Informatica)\n∙ Data governance integrated with privacy, compliance, and risk programs"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.2-POF1"
        ],
        "general-iso-27002-2022": [
          "5.12"
        ],
        "general-iso-27017-2015": [
          "8.2.1"
        ],
        "general-iso-27018-2025": [
          "5.12"
        ],
        "general-nist-800-53-r5-2": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-53-r5-2-privacy": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-low": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-82-r3-high": [
          "PM-23",
          "PM-24"
        ],
        "general-nist-800-161-r1": [
          "PM-23"
        ],
        "general-nist-800-161-r1-level-1": [
          "PM-23"
        ],
        "general-pci-dss-4-0-1": [
          "A3.2.5"
        ],
        "general-scf-dpmp-2025": [
          "5.9"
        ],
        "general-shared-assessments-sig-2025": [
          "P.8"
        ],
        "usa-federal-dow-zta-reference-architecture-2-0": [
          "8.5"
        ],
        "usa-federal-gsa-fedramp-5-low": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-mod": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-high": [
          "PM-23",
          "PM-24"
        ],
        "usa-federal-gsa-fedramp-5-li-saas": [
          "PM-23",
          "PM-24"
        ],
        "apac-chn-pipl-2021": [
          "58",
          "58(1)",
          "58(2)",
          "58(3)",
          "58(4)"
        ]
      }
    },
    {
      "control_id": "GOV-11",
      "title": "Purpose Validation",
      "family": "GOV",
      "description": "Mechanisms exist to monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose.",
      "scf_question": "Does the organization monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose?",
      "relative_weight": 5,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to monitor mission/business-critical Technology Assets, Applications and/or Services (TAAS) to ensure those resources are being used consistent with their intended purpose.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Document intended use for critical systems",
        "small": "∙ Documented intended use policy for critical systems\n∙ Periodic review",
        "medium": "∙ Asset purpose documentation\n∙ Log review for anomalous use patterns",
        "large": "∙ SIEM for usage monitoring\n∙ Asset management system with intended-use tagging\n∙ Periodic usage audits",
        "enterprise": "∙ SIEM platform (e.g., Splunk, IBM QRadar)\n∙ UEBA for anomaly detection\n∙ Asset inventory with purpose classification\n∙ Automated alerting for out-of-purpose usage"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-7",
        "MT-1",
        "MT-2",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-42001-2023": [
          "6.2"
        ],
        "general-nist-800-53-r5-2": [
          "PM-32"
        ],
        "general-nist-800-82-r3": [
          "PM-32"
        ],
        "general-nist-800-82-r3-low": [
          "PM-32"
        ],
        "general-nist-800-82-r3-mod": [
          "PM-32"
        ],
        "general-nist-800-82-r3-high": [
          "PM-32"
        ],
        "general-nist-800-160-vol-2-r1": [
          "PM-32"
        ],
        "general-nist-800-161-r1": [
          "PM-32"
        ],
        "general-nist-800-161-r1-level-2": [
          "PM-32"
        ],
        "general-nist-800-161-r1-level-3": [
          "PM-32"
        ]
      }
    },
    {
      "control_id": "GOV-12",
      "title": "Forced Technology Transfer (FTT)",
      "family": "GOV",
      "description": "Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
      "scf_question": "Does the organization avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to avoid and/or constrain the forced exfiltration of sensitive/regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review",
        "small": "∙ Legal review",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "apac-chn-cybersecurity-law-2017": [
          "Article 28"
        ],
        "apac-chn-data-security-law-2021": [
          "7",
          "8",
          "9",
          "11",
          "14",
          "15",
          "16",
          "18",
          "19",
          "20",
          "28",
          "31",
          "32",
          "33",
          "36",
          "37",
          "38",
          "48",
          "53"
        ],
        "apac-chn-pipl-2021": [
          "38",
          "38(4)",
          "40"
        ]
      }
    },
    {
      "control_id": "GOV-13",
      "title": "State-Sponsored Espionage",
      "family": "GOV",
      "description": "Mechanisms exist to constrain the host government's ability to leverage the organization's Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.",
      "scf_question": "Does the organization constrain the host government's ability to leverage its Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities?",
      "relative_weight": 10,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to constrain the host government's ability to leverage the organization's Technology Assets, Applications and/or Services (TAAS) for economic or political espionage and/or cyberwarfare activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ Legal review",
        "small": "∙ Legal review",
        "medium": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "large": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)",
        "enterprise": "∙ Legal review\n∙ Steering committee\n∙ Board of Directors (BoD)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "apac-chn-cybersecurity-law-2017": [
          "Article 28"
        ],
        "apac-chn-data-security-law-2021": [
          "7",
          "8",
          "9",
          "11",
          "14",
          "15",
          "16",
          "18",
          "19",
          "20",
          "28",
          "31",
          "32",
          "33",
          "36",
          "37",
          "38",
          "48",
          "53"
        ],
        "apac-chn-pipl-2021": [
          "11",
          "12",
          "38(4)",
          "40",
          "47(5)",
          "60",
          "63(3)",
          "63(4)",
          "64"
        ]
      }
    },
    {
      "control_id": "GOV-14",
      "title": "Business As Usual (BAU) Security, Compliance & Resilience Practices",
      "family": "GOV",
      "description": "Mechanisms exist to incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement.",
      "scf_question": "Does the organization  incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to incorporate security, compliance and resilience principles into Business As Usual (BAU) practices through executive leadership involvement.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "medium": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "large": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "enterprise": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)"
      },
      "risks": [
        "R-AC-1",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-8",
        "MT-9",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC1.1-POF1",
          "CC5.3-POF1"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.7"
        ],
        "general-iso-21434-2021": [
          "RQ-05-06"
        ],
        "general-iso-27701-2025": [
          "5.1"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(g)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-pci-dss-4-0-1": [
          "A3.3",
          "A3.3.3"
        ],
        "general-shared-assessments-sig-2025": [
          "K.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "EF:SG3.SP2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "apac-aus-ps-cps-230-2023": [
          "24"
        ],
        "apac-ind-sebi-2024": [
          "GV.RR.S1"
        ],
        "apac-jpn-ismap": [
          "4.5.2.1",
          "7.2.1.8"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "3.2.1"
        ]
      }
    },
    {
      "control_id": "GOV-15",
      "title": "Operationalizing Security, Compliance & Resilience Capabilities",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-19"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to operationalize security, compliance and resilience practices for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Fundamentals",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "small": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "medium": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "large": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)",
        "enterprise": "∙ ComplianceForge - Cybersecurity Standardized Operating Procedures (CSOP) (https://complianceforge.com)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC2.1-POF1",
          "CC2.1-POF2",
          "CC2.1-POF3",
          "CC2.1-POF4",
          "CC3.1-POF5",
          "CC5.1",
          "CC5.1-POF1",
          "CC5.1-POF2",
          "CC5.1-POF3",
          "CC5.1-POF4",
          "CC5.1-POF5",
          "CC5.1-POF6"
        ],
        "general-bsi-200-1-1-0": [
          "4.1.3"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1",
          "5.1"
        ],
        "general-imo-maritime-cyber-risk-management-2025": [
          "3.5"
        ],
        "general-iso-22301-2019": [
          "8.1",
          "8.1(a)",
          "8.1(b)",
          "8.1(c)"
        ],
        "general-iso-27017-2015": [
          "5.1",
          "7.2.1"
        ],
        "general-iso-27018-2025": [
          "5.4"
        ],
        "general-iso-27701-2025": [
          "5.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-31010-2009": [
          "4.3.2"
        ],
        "general-iso-42001-2023": [
          "5.1",
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.D(2)(g)"
        ],
        "general-nist-100-1-ai-rmf": [
          "GOVERN 4.0"
        ],
        "general-nist-privacy-framework-1-0": [
          "GV.PO-P2"
        ],
        "general-nist-800-37-r2": [
          "TASK P-17"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-nist-800-171a-r3": [
          "A.03.16.01"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-swift-cscf-2025": [
          "2.4"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dhs-cisa-ssdaf-2024": [
          "1.f"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1f"
        ],
        "usa-federal-doc-data-privacy-framework-2023": [
          "II.4.a"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-eo-14028": [
          "4e(i)(F)"
        ],
        "usa-federal-far-52-204-21": [
          "52.204-21(b)(1)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-fda-21-cfr-part-11-2025": [
          "11.30"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(3)(viii)",
          "155.260(a)(4)",
          "155.260(a)(4)(i)",
          "155.260(a)(4)(iii)",
          "155.260(c)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(b)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.l"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.106(b)(1)(i)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D",
          "III.D.1"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7123(b)(3)"
        ],
        "usa-state-il-ipa-2009": [
          "35(c)",
          "37(c)"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.2"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.4(22)",
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7",
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)",
          "Article 9.3"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-eu-nis2-annex-2024": [
          "6.2.1",
          "6.7.1"
        ],
        "emea-deu-bsrit-2017": [
          "5.1"
        ],
        "emea-qat-pdppl-2020": [
          "8.3"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 5",
          "Article 5(a)",
          "Article 5(b)",
          "Article 5(c)",
          "Article 5(d)",
          "Article 5(e)",
          "Article 5(f)",
          "Article 5(g)",
          "Article 8.1",
          "Article 8.2",
          "Article 8.3",
          "Article 8.4",
          "Article 8.5",
          "Article 28.1",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "28.1",
          "37",
          "5",
          "5(a)",
          "5(b)",
          "5(c)",
          "5(d)",
          "5(e)",
          "5(f)",
          "5(g)",
          "8.1",
          "8.2",
          "8.3",
          "8.4",
          "8.5"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1633",
          "ISM-1634",
          "ISM-1635",
          "ISM-1636"
        ],
        "apac-aus-ps-cps-230-2023": [
          "29"
        ],
        "apac-ind-sebi-2024": [
          "GV.RM.S2"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1",
          "4.5.2.1"
        ],
        "apac-nzl-hisf-mlhsp-2023": [
          "HHSP11",
          "HHSP16",
          "HHSP28",
          "HML11",
          "HML16",
          "HML28"
        ],
        "apac-nzl-hisf-suppliers-2023": [
          "HSUP14",
          "HSUP24"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.10.C.04",
          "3.4.11.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1",
          "3.2.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.1",
      "title": "Select Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to select required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control.\n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control.\n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-mpa-csbp-5-3-1": [
          "OR-1.0"
        ],
        "general-nist-800-37-r2": [
          "TASK P-5",
          "TASK S-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "1.2.1",
          "1.2.4",
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG2.SP1",
          "EC:SG2",
          "EC:SG2.SP2",
          "KIM:SG2",
          "KIM:SG2.SP2",
          "TM:SG2",
          "TM:SG2.SP2"
        ],
        "usa-federal-doe-c2m2-2-1": [
          "ARCHITECTURE-1f",
          "ARCHITECTURE-1g"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)",
          "252.204-7012(b)(2)(i)",
          "252.204-7012(b)(2)(ii)(A)",
          "252.204-7012(b)(3)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-irs-1075-2021": [
          "3.3.1.l"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(a)(2)",
          "§117.18(e)(1)",
          "§117.18(e)(2)",
          "§117.18(e)(3)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.3.4(22)",
          "3.3.4(23)",
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-deu-bsrit-2017": [
          "5.1"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.3",
          "Article 28.1(a)",
          "Article 28.1(b)",
          "Article 28.1(c)",
          "Article 28.2",
          "Article 28.3",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "28.1(a)",
          "28.1(b)",
          "28.1(c)",
          "28.2",
          "28.3",
          "3.3",
          "37"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1634"
        ],
        "apac-aus-ps-cps-230-2023": [
          "29"
        ],
        "apac-jpn-ismap": [
          "4.4.4.1"
        ],
        "apac-nzl-ism-3-9": [
          "3.2.10.C.04"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.2",
      "title": "Implement Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 9,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to implement required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC5.1"
        ],
        "general-iec-tr-60601-4-5-2021": [
          "4.1",
          "4.6.1",
          "5.1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK P-17",
          "TASK S-3",
          "TASK I-1"
        ],
        "general-nist-800-66-r2": [
          "164.308(a)(1)"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1",
          "5.3.2"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG2"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)",
          "164.306(d)(3)(ii)(A)",
          "164.308(a)(1)(ii)(B)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(4)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "III.B",
          "III.C.1",
          "III.C.3",
          "III.D"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 17.1(e)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.1(30)(a)",
          "3.4.1(30)(b)",
          "3.4.1(30)(c)",
          "3.4.1(30)(d)",
          "3.4.1(30)(e)",
          "3.4.1(30)(f)",
          "3.4.1(30)(g)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-eu-nis2-2022": [
          "Article 21.1",
          "Article 21.2(a)",
          "Article 21.2(b)",
          "Article 21.2(c)",
          "Article 21.2(d)",
          "Article 21.2(e)",
          "Article 21.2(f)",
          "Article 21.2(g)",
          "Article 21.2(h)",
          "Article 21.2(i)",
          "Article 21.2(j)"
        ],
        "emea-deu-bsrit-2017": [
          "5.2"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.3",
          "11.5",
          "11.6"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-esp-boe-a-2022-7191": [
          "Article 3.3",
          "Article 37"
        ],
        "emea-esp-decree-311-2022": [
          "3.3",
          "37"
        ],
        "emea-gbr-caf-4-0": [
          "B4.a"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6",
          "B4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1635"
        ],
        "apac-nzl-ism-3-9": [
          "3.4.11.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.3",
      "title": "Assess Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and \n(2) Operating as intended.",
      "scf_question": "Does the organization compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and \n(2) Operating as intended?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to assess if required security, compliance and resilience controls for each Technology Asset, Application and/or Service (TAAS) under their control are:\n(1) Implemented correctly; and\n(2) Operating as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC4.2-POF1"
        ],
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK A-3",
          "TASK M-2"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dow-cert-rmm-1-2": [
          "CTRL:SG3",
          "CTRL:SG3.SP1",
          "CTRL:SG4",
          "CTRL:SG4.SP1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(5)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)",
          "899-bb.2(b)(ii)(B)(4)"
        ],
        "emea-eu-eba-ict-srm-2025": [
          "3.4.6(41)",
          "3.4.6(42)",
          "3.4.6(43)",
          "3.4.6(43)(a)",
          "3.4.6(43)(b)",
          "3.4.6(44)",
          "3.4.6(45)",
          "3.4.6(46)",
          "3.4.6(47)",
          "3.4.6(48)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1",
          "11.2"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5",
          "A6",
          "B4"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1636"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.4",
      "title": "Authorize Technology Assets, Applications and/or Services (TAAS)",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control.",
      "scf_question": "Does the organization compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to obtain authorization for the production use of each Technology Asset, Application and/or Service (TAAS) under their control.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-22301-2019": [
          "8.1"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-nist-800-37-r2": [
          "TASK R-4"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "general-tisax-6-0-3": [
          "5.3.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-hhs-45-cfr-155-260-2016": [
          "155.260(a)(4)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(6)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b",
          "9-3.a",
          "9-3.b",
          "9-3.d"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.1"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-0027"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.16.C.03",
          "23.2.16.C.04"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-15.5",
      "title": "Monitor Controls",
      "family": "GOV",
      "description": "Mechanisms exist to compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended.",
      "scf_question": "Does the organization compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended?",
      "relative_weight": 8,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": true
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to compel data and/or process owners to monitor Technology Assets, Applications, Services and/or Data (TAASD) under their control on an ongoing basis for applicable threats and risks, as well as to ensure security, compliance and resilience controls are operating as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "small": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "medium": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "large": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)",
        "enterprise": "∙ SCF Security, Compliance & Resilience Management System (SCRMS)"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-1",
        "R-EX-2",
        "R-EX-3",
        "R-EX-4",
        "R-EX-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-IR-1",
        "R-IR-2",
        "R-IR-3",
        "R-IR-4",
        "R-SA-1",
        "R-SA-2",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-1",
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-11",
        "MT-12",
        "MT-13",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-iso-27001-2022": [
          "9.2.2"
        ],
        "general-iso-29100-2024": [
          "6.12"
        ],
        "general-iso-31000-2018": [
          "5.2"
        ],
        "general-iso-42001-2023": [
          "8.1"
        ],
        "general-nist-800-37-r2": [
          "TASK M-1"
        ],
        "general-nist-800-171-r3": [
          "03.15.01.a",
          "03.17.01.a"
        ],
        "general-scf-dpmp-2025": [
          "7.0",
          "7.1"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)"
        ],
        "usa-federal-sro-fca-crm-2023": [
          "609.930(a)"
        ],
        "usa-federal-omb-fipps-1973": [
          "2"
        ],
        "usa-federal-law-ftc-act": [
          "45(a)(1)"
        ],
        "usa-federal-law-hipaa-simplification-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-law-hipaa-security-rule-2013": [
          "164.306(a)(1)"
        ],
        "usa-federal-nispom-2020": [
          "§117.18(a)(1)",
          "§117.18(e)(7)",
          "§117.18(e)(7)(i)",
          "§117.18(e)(7)(ii)",
          "§117.18(e)(7)(iii)",
          "§117.18(e)(7)(iv)"
        ],
        "usa-federal-dow-safeguarding-nnpi-2010": [
          "9-2.b"
        ],
        "usa-state-ma-201-cmr-17-2008": [
          "17.03(2)(b)"
        ],
        "usa-state-ny-shield-act-2019": [
          "899-bb.2(b)(ii)(B)"
        ],
        "emea-eu-dora-2023": [
          "Article 7(a)",
          "Article 7(b)",
          "Article 7(c)",
          "Article 7(d)"
        ],
        "emea-qat-pdppl-2020": [
          "8.3",
          "11.7",
          "11.8"
        ],
        "emea-sau-cgiot-2024": [
          "1-6-1"
        ],
        "emea-sau-otcc-1-2022": [
          "2-3",
          "2-3-2"
        ],
        "emea-srb-act-9-2018": [
          "50",
          "51"
        ],
        "emea-gbr-cap-1850-2020": [
          "A5"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1526"
        ],
        "apac-aus-ps-cps-230-2023": [
          "30"
        ],
        "apac-nzl-ism-3-9": [
          "23.2.18.C.01"
        ],
        "americas-can-osfi-b13-2022": [
          "1.1.1",
          "2.1.1"
        ],
        "americas-can-itsp-10-171-2025": [
          "03.15.01.A",
          "03.17.01.A"
        ]
      }
    },
    {
      "control_id": "GOV-16",
      "title": "Materiality Determination",
      "family": "GOV",
      "description": "Mechanisms exist to define materiality threshold criteria capable of designating an incident as material.",
      "scf_question": "Does the organization define materiality threshold criteria capable of designating an incident as material?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-14"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": false,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define materiality threshold criteria capable of designating an incident as material.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE ESP Level 1 Foundational",
        "CORE ESP Level 2 Critical Infrastructure",
        "CORE ESP Level 3 Advanced Threats",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Simple materiality threshold definition (document what constitutes a material incident)",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented materiality criteria aligned to business impact and applicable regulations",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented materiality thresholds (financial, reputational, operational, regulatory)\n∙ SEC cybersecurity disclosure rules considered (if applicable)",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal materiality determination process aligned to SEC cybersecurity disclosure rules (if public)\n∙ Cross-functional materiality review team (Legal, Finance, CISO, Operations)",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise materiality determination framework (SEC Item 1.05, PCAOB, SOX alignment)\n∙ Board-approved materiality thresholds with regular review cycle\n∙ Automated materiality scoring integrated with incident response workflows"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF6"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "general-nist-csf-2-0": [
          "DE.AE-04"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(a)",
          "17 CFR 229.106(b)(2)",
          "17 CFR 229.106(c)(2)",
          "Form 8-K Item 1.05(a)"
        ],
        "usa-state-nv-regulation-5-2024": [
          "5.260.4"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-16.1",
      "title": "Material Risks",
      "family": "GOV",
      "description": "Mechanisms exist to define criteria necessary to designate a risk as a material risk.",
      "scf_question": "Does the organization define criteria necessary to designate a risk as a material risk?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-15"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define criteria necessary to designate a risk as a material risk.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Basic risk register with materiality threshold criteria",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Risk register with documented materiality criteria\n∙ Defined risk scoring methodology",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal risk register with quantitative/qualitative materiality thresholds\n∙ GRC platform risk management module",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal materiality criteria for risks aligned to risk appetite\n∙ Board-approved material risk thresholds\n∙ GRC platform with automated risk scoring and materiality flagging",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise material risk framework aligned to SEC, SOX, and applicable regulators\n∙ Quantitative risk analysis (e.g., FAIR methodology)\n∙ Automated material risk identification and escalation"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-iso-42001-2023": [
          "6.1.2(c)",
          "6.1.2(d)",
          "6.1.2(d)(1)",
          "6.1.2(d)(2)",
          "6.1.2(d)(3)",
          "6.1.2(e)",
          "6.1.2(e)(1)",
          "6.1.2(e)(2)"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(b)(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-16.2",
      "title": "Material Threats",
      "family": "GOV",
      "description": "Mechanisms exist to define criteria necessary to designate a threat as a material threat.",
      "scf_question": "Does the organization define criteria necessary to designate a threat as a material threat?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [
        "E-GOV-16"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define criteria necessary to designate a threat as a material threat.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE Mergers, Acquisitions & Divestitures (MA&D)"
      ],
      "possible_solutions": {
        "micro_small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Basic threat assessment against organizational context",
        "small": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Documented threat assessment with materiality criteria\n∙ CISA Known Exploited Vulnerabilities (KEV) catalog reference",
        "medium": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal threat assessment with materiality thresholds\n∙ MITRE ATT&CK framework threat modeling\n∙ Threat intelligence integration (e.g., CISA advisories, sector ISAC feeds)",
        "large": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Formal material threat designation process with executive review\n∙ Threat intelligence platform (e.g., Recorded Future, Anomali, MISP)\n∙ MITRE ATT&CK-based threat modeling",
        "enterprise": "∙ SCF Secure, Compliant & Resilient (SCR) Risk Management Model (SCR-RMM) (https://securecontrolsframework.com/risk-management-model)\n∙ Enterprise material threat framework integrated with SEC disclosure process\n∙ Dedicated threat intelligence platform (e.g., Recorded Future, Mandiant Threat Intelligence)\n∙ Board-level material threat reporting cadence"
      },
      "risks": [
        "R-EX-5",
        "R-GV-6",
        "R-GV-7",
        "R-IR-4",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "MT-8",
        "MT-9",
        "MT-14",
        "MT-15",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-csa-iot-2": [
          "RSM-01"
        ],
        "general-iso-31000-2018": [
          "5.4.2"
        ],
        "general-naic-insurance-data-security-model-law-668-2017": [
          "4.E(2)(b)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(a)",
          "17 CFR 229.105(b)",
          "17 CFR 229.106(a)",
          "17 CFR 229.106(b)(2)"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.4(b)",
          "500.4(b)(3)",
          "500.4(b)(5)",
          "500.9(b)(1)",
          "500.9(b)(2)"
        ]
      }
    },
    {
      "control_id": "GOV-17",
      "title": "Security, Compliance & Resilience Status Reporting",
      "family": "GOV",
      "description": "Mechanisms exist to submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required.",
      "scf_question": "Does the organization submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required?",
      "relative_weight": 8,
      "conformity_cadence": "Semi-Annual",
      "evidence_requests": [
        "E-GOV-17"
      ],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "SCR-CMM Level 1 criteria definitions are not available for this control:\n▪ A reasonable person would conclude this control requires a structured process.\n▪ At this level of maturity, the \"ad hoc\" nature of performing a capability informally would indicate the intent of the control is not met due to a lack of consistency and formality.",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to submit status reporting of the organization's security, compliance and/or resilience program to applicable statutory and/or regulatory authorities, as required.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [],
      "possible_solutions": {
        "micro_small": "∙ Maintain records for any required compliance filings",
        "small": "∙ Designate a compliance contact for required reporting\n∙ Track reporting deadlines",
        "medium": "∙ Compliance calendar for required submissions\n∙ Documented reporting procedures",
        "large": "∙ Compliance tracking platform\n∙ Dedicated compliance officer\n∙ Standardized reporting templates",
        "enterprise": "∙ Enterprise GRC platform for compliance reporting\n∙ Dedicated compliance team\n∙ Automated regulatory submission tracking\n∙ Legal and compliance integration"
      },
      "risks": [
        "R-EX-5"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- renamed\n- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-aicpa-tsc-2017": [
          "CC3.1-POF10",
          "CC3.2-POF3"
        ],
        "usa-federal-dow-dfars-252-204-7012": [
          "252.204-7012(b)(2)(ii)(B)"
        ],
        "usa-federal-far-52-204-25": [
          "52.204-25(d)(2)(i)",
          "52.204-25(d)(2)(ii)",
          "52.204-25(d)"
        ],
        "usa-federal-sec-cybersecurity-rule-2023": [
          "17 CFR 229.105(b)",
          "17 CFR 229.106(d)"
        ],
        "usa-federal-tsa-security-directive-1580-82-2022-01": [
          "II.B.1",
          "III.F.3",
          "V.A.1",
          "VI.A",
          "VI.B",
          "VI.B.1",
          "VI.B.2",
          "VI.C",
          "VI.D"
        ],
        "usa-state-ca-ccpa-cpra-2026": [
          "7124(a)",
          "7124(b)",
          "7124(c)",
          "7124(c)(1)",
          "7124(c)(2)",
          "7124(c)(3)",
          "7124(d)",
          "7124(d)(1)",
          "7124(d)(2)",
          "7124(d)(3)",
          "7124(d)(4)",
          "7124(d)(5)",
          "7157(a)",
          "7157(a)(1)",
          "7157(a)(2)",
          "7157(b)",
          "7157(b)(1)",
          "7157(b)(2)",
          "7157(b)(3)",
          "7157(b)(4)",
          "7157(b)(5)",
          "7157(b)(6)",
          "7157(c)",
          "7157(c)(1)",
          "7157(c)(2)",
          "7157(c)(3)",
          "7157(d)",
          "7157(e)"
        ],
        "usa-state-il-ipa-2009": [
          "35(b)",
          "37(b)"
        ],
        "usa-state-il-pipa-2006": [
          "12(f)",
          "25"
        ],
        "usa-state-ny-dfs-23-nycrr500-2023-amd2": [
          "500.17(a)(1)",
          "500.17(a)(2)"
        ],
        "usa-state-tx-dir-security-control-standards-catalog-2-2": [
          "PL-01-SID"
        ],
        "usa-state-va-cdpa-2023": [
          "59.1-580.C"
        ],
        "emea-eu-nis2-annex-2024": [
          "1.2.3"
        ],
        "apac-aus-ism-2024-june": [
          "ISM-1587"
        ],
        "apac-chn-cybersecurity-law-2017": [
          "Article 38",
          "Article 54(1)"
        ],
        "apac-jpn-ismap": [
          "4.5.3.1"
        ]
      }
    },
    {
      "control_id": "GOV-18",
      "title": "Quality Management System (QMS)",
      "family": "GOV",
      "description": "Mechanisms exist to govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations.",
      "scf_question": "Does the organization govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations?",
      "relative_weight": 4,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ Unstructured review of the cybersecurity and/or data privacy program is performed on an annual basis.\n▪ Administrative processes require all employees and contractors to apply cybersecurity and data protection principles in their daily work (e.g., policies & standards).",
        "2": "SCR-CMM Level 2 criteria definitions are not available for this control:\n▪ A reasonable person would conclude a well-defined and standardized process is required.\n▪ At this level of maturity, the “requirements-driven” nature of performing the control is focused on a localized and/or regionalized implementation, not uniform and consistent across the organization.\n▪ Requirements are narrowly scoped for applicability and are primarily derived from compliance obligations (e.g., laws, regulations and contracts).",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to  govern a Quality Management System (QMS) to ensure security, compliance and resilience processes conform with applicable statutory, regulatory and/or contractual obligations.",
        "4": "Cybersecurity & Data Protection Governance (GOV) capabilities, in addition to being standardized across the entity and centrally managed to ensure consistency across Technology Assets, Applications, Services and/or Data (TAASD), efforts are metrics driven to provide sufficient insight for decision makers to predict optimal performance, ensure continued operations and/or identify areas for improvement. Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Applicable SCR-CMM Level 3 (Well Defined) capabilities are implemented and operational.\n▪ Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).\n▪ Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).\n▪ Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.\n▪ Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).\n▪ Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.\n▪ Business and technical stakeholders are involved in reviewing and approving proposed changes to evolve capabilities.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "SCRMS",
        "CORE AI Model Deployment"
      ],
      "possible_solutions": {
        "micro_small": "∙ Document basic quality checkpoints for security processes",
        "small": "∙ Written quality standards for key security processes",
        "medium": "∙ Formal QMS procedures for security processes\n∙ Internal quality reviews",
        "large": "∙ ISO 9001-aligned QMS for security operations\n∙ Formal QA function\n∙ Periodic internal audits",
        "enterprise": "∙ ISO 9001 certified QMS\n∙ Dedicated quality assurance team\n∙ Continuous process improvement program\n∙ Integrated QMS platform"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-3",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-AM-3",
        "R-BC-1",
        "R-BC-2",
        "R-BC-3",
        "R-BC-4",
        "R-BC-5",
        "R-EX-6",
        "R-EX-7",
        "R-GV-1",
        "R-GV-2",
        "R-GV-3",
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-GV-8",
        "R-SA-1",
        "R-SA-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "general-cobit-2019": [
          "APO11.01",
          "APO14.04",
          "BAI01.07"
        ],
        "general-iso-21434-2021": [
          "RQ-05-11",
          "RQ-05-11(a)",
          "RQ-05-11(b)",
          "RQ-05-11(c)",
          "RQ-05-11(d)"
        ],
        "emea-eu-ai-act-2024": [
          "Article 16(c)",
          "Article 17.1"
        ]
      }
    },
    {
      "control_id": "GOV-19",
      "title": "Assurance",
      "family": "GOV",
      "description": "Mechanisms exist to define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended.",
      "scf_question": "Does the organization define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to  define the basis for confidence that implemented practices conform to applicable security, compliance and resilience controls, where the control implementation performs as intended.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived",
        "SCRMS"
      ],
      "possible_solutions": {
        "micro_small": "∙ Annual self-assessment against documented controls",
        "small": "∙ Annual internal assessment against documented controls\n∙ Track findings and remediation",
        "medium": "∙ Formal internal assessment program\n∙ Track assurance evidence\n∙ Third-party assessments as needed",
        "large": "∙ Formal assurance program\n∙ Third-party assessments\n∙ Internal audit function\n∙ Control testing schedule",
        "enterprise": "∙ Enterprise assurance program\n∙ Dedicated internal audit team\n∙ Third-party assessments (SOC 2, ISO 27001)\n∙ Continuous control monitoring platform"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "errata": "- wordsmithed",
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "emea-gbr-caf-4-0": [
          "A2.c"
        ]
      }
    },
    {
      "control_id": "GOV-19.1",
      "title": "Assurance Levels (AL)",
      "family": "GOV",
      "description": "Mechanisms exist to utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment.",
      "scf_question": "Does the organization utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to utilize defined Assurance Levels (AL) for assessment activities to standardize the following assurance attributes:\n(1) Depth that addresses the rigor and level of detail of the assessment; and\n(2) Coverage that addresses the scope and breadth of the assessment.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Define basic assessment depth (documentation review vs. testing)",
        "small": "∙ Define assessment depth and coverage criteria in policy",
        "medium": "∙ Assurance level definitions in assessment procedures\n∙ Apply appropriate AL per control criticality",
        "large": "∙ Formal assurance level framework\n∙ Tiered assessment approach by risk level",
        "enterprise": "∙ Enterprise assurance level framework\n∙ Automated control testing for lower-risk controls\n∙ In-depth testing for critical systems\n∙ Risk-based assessment scheduling"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    },
    {
      "control_id": "GOV-19.2",
      "title": "Assessment Objectives (AO)",
      "family": "GOV",
      "description": "Mechanisms exist to utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available.",
      "scf_question": "Does the organization utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available?",
      "relative_weight": 7,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT /cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV  domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to utilize defined Assessment Objectives (AO) to assess the implementation of requirements, when available.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "micro_small": "∙ Use control descriptions as the basis for assessment questions",
        "small": "∙ Define assessment objectives for key controls",
        "medium": "∙ Formal assessment objectives derived from control statements\n∙ Map AOs to test procedures",
        "large": "∙ Assessment objectives library\n∙ Linked to control framework and test procedures",
        "enterprise": "∙ Enterprise assessment objectives repository\n∙ GRC platform with automated assessment workflows\n∙ Linkage to risk register and control library"
      },
      "risks": [
        "R-GV-4",
        "R-GV-5",
        "R-GV-6",
        "R-GV-7",
        "R-SC-1",
        "R-SC-2",
        "R-SC-3",
        "R-SC-4",
        "R-SC-5",
        "R-SC-6"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {
        "usa-federal-dow-cert-rmm-1-2": [
          "ADM:GG2.GP9",
          "AM:GG2.GP9",
          "COMM:GG2.GP9",
          "COMP:GG2.GP9",
          "CTRL:GG2.GP9",
          "EC:GG2.GP9",
          "EF:GG2.GP9",
          "EXD:GG2.GP9",
          "FRM:GG2.GP9",
          "HRM:GG2.GP9",
          "ID:GG2.GP9",
          "IMC:GG2.GP9",
          "KIM:GG2.GP9",
          "MA:GG2.GP9",
          "MON:GG2.GP9",
          "OPD:GG2.GP9",
          "OPF:GG2.GP9",
          "OTA:GG2.GP9",
          "PM:GG2.GP9",
          "RISK:GG2.GP9",
          "RRD:GG2.GP9",
          "RRM:GG2.GP9",
          "RTSE:GG2.GP9",
          "SC:GG2.GP9",
          "TM:GG2.GP9",
          "VAR:GG2.GP9",
          "GG2.GP9"
        ]
      }
    },
    {
      "control_id": "GOV-20",
      "title": "Mergers, Acquisitions & Divestitures (MA&D)",
      "family": "GOV",
      "description": "Mechanisms exist to define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
      "scf_question": "Does the organization define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": true,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.\n▪ IT/cyber engineering governance is decentralized, with the responsibility for implementing and testing cybersecurity and data protection controls being assigned to the business process owner(s), including the definition and enforcement of roles and responsibilities.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to define standardized practices to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "medium": "∙ Documented M&A/divestiture security procedures",
        "large": "∙ Formal M&A security due diligence checklist\n∙ Documented integration/separation procedures",
        "enterprise": "∙ Enterprise M&A security playbook\n∙ Dedicated M&A security team\n∙ Legal and compliance integration\n∙ Technical due diligence framework"
      },
      "risks": [
        "R-AC-4",
        "R-EX-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-26",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    },
    {
      "control_id": "GOV-20.1",
      "title": "Virtual Data Room (VDR)",
      "family": "GOV",
      "description": "Mechanisms exist to provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
      "scf_question": "Does the organization provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities?",
      "relative_weight": 6,
      "conformity_cadence": "Annual",
      "evidence_requests": [],
      "pptdf": "Process",
      "nist_csf_function": "Govern",
      "scrm_focus": {
        "strategic": false,
        "operational": true,
        "tactical": false
      },
      "maturity": {
        "0": "Practices are non-existent, based on the inability to demonstrate an implemented and operational capability. A reasonable person would conclude the control is not being performed.",
        "1": "Cybersecurity & Data Protection Governance (GOV) domain capabilities are ad hoc and inconsistent. Capability criteria associated with this control may include:\n▪ Policies, standards & procedures associated with GOV domain capabilities provide limited coverage due to the depth and breadth of the existing documentation.\n▪ Governance-related activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT/cybersecurity personnel.\n▪ Cybersecurity and data protection governance is informally assigned as an additional duty to existing IT/cybersecurity personnel.",
        "2": "Cybersecurity & Data Protection Governance (GOV) capabilities are requirements-driven, but are not standardized across the entity (e.g., local/regional level consistency). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are documented and maintained by process owners.\n▪ IT and/or cybersecurity personnel work with business stakeholders and process owners to appropriately scope and reasonably implement cybersecurity and data protection controls associated with GOV domain capabilities to address applicable statutory, regulatory and/or contractual requirements for Technology Assets, Applications, Services and/or Data (TAASD).\n▪ Governance-related controls are primarily administrative and preventative in nature (e.g., policies, standards, procedures & guidelines).\n▪ No formal Governance, Risk & Compliance (GRC) team exists. GRC roles are assigned to existing IT and/or cybersecurity personnel.",
        "3": "Cybersecurity & Data Protection Governance (GOV) capabilities are standardized across the entity for applicability to People, Processes, Technologies, Data and/or Facilities (PPTDF) to ensure consistency for Technology Assets, Applications, Services and/or Data (TAASD). Capability criteria associated with this control reasonably expect the following criteria to exist:\n▪ Policies and standards associated with GOV domain capabilities are formally documented and centrally-managed by the entity's Governance, Risk & Compliance (GRC) team, or similar function.\n▪ Standardized Operating Procedures (SOP) associated with GOV domain capabilities are well-documented and kept current by process owners.\n▪ The entity's GRC team, or similar function, is appropriately staffed and supported to implement and maintain GOV domain capabilities to address Minimum Compliance Requirements (MCR) (e.g., applicable statutory, regulatory and/or contractual requirements) and Discretionary Security Requirements (DSR) (e.g., entity-required controls).\n▪ Technology is leveraged to enhance the efficiency and accuracy of governance, risk management and compliance operations (e.g., GRC platform).\n▪ An implemented and operational capability exists to provision a Virtual Data Room (VDR), or similar technology, to securely share documentation among stakeholders to conduct Mergers, Acquisitions and Divestiture (MA&D) activities.",
        "4": "Utilize SCR-CMM Level 3 criteria definitions:\n▪ There are no defined Level 4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to operationalize this control. \n▪ While it may be possible to develop “metrics-driven” capabilities for this control, the criteria would be organization-specific to define.",
        "5": "Utilize SCR-CMM Level 3 or Level 4 (if available) criteria definitions:\n▪ There are no defined Level 5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to operationalize this control. \n▪ Level 5 capabilities should be considered “world-class” where the control builds on Level 4 capabilities, but are continuously improving through Artificial Intelligence (AI) and/or Machine Learning (ML) technologies.\n▪ While it may be possible to develop responsive capabilities for this control through the use of AI and/or ML technologies, the criteria would be organization-specific to define."
      },
      "profiles": [
        "Community Derived"
      ],
      "possible_solutions": {
        "medium": "∙ Secure file-sharing platform (e.g., SharePoint, Box) for M&A documentation",
        "large": "∙ Dedicated VDR solution (e.g., Intralinks, Merrill DatasiteOne)\n∙ Access controls and audit logs",
        "enterprise": "∙ Enterprise VDR solution (e.g., Intralinks, Datasite, Ansarada)\n∙ Formal access management\n∙ Audit logging\n∙ NDA and legal controls"
      },
      "risks": [
        "R-AC-1",
        "R-AC-2",
        "R-AC-4",
        "R-AM-1",
        "R-AM-2",
        "R-EX-1"
      ],
      "threats": [
        "NT-2",
        "NT-3",
        "NT-4",
        "NT-5",
        "NT-6",
        "NT-7",
        "NT-8",
        "NT-9",
        "NT-10",
        "NT-11",
        "NT-12",
        "NT-13",
        "NT-14",
        "MT-1",
        "MT-2",
        "MT-3",
        "MT-4",
        "MT-5",
        "MT-6",
        "MT-7",
        "MT-8",
        "MT-9",
        "MT-10",
        "MT-12",
        "MT-14",
        "MT-15",
        "MT-16",
        "MT-17",
        "MT-18",
        "MT-19",
        "MT-20",
        "MT-21",
        "MT-22",
        "MT-23",
        "MT-24",
        "MT-25",
        "MT-27"
      ],
      "family_name": "Cybersecurity & Data Protection Governance",
      "crosswalks": {}
    }
  ]
}