Secure Controls Framework SCF 2025-2-1

version 2025.2 Secure Controls Framework (SCF) High-Level Domains

Columns: # | SCF Domain (SCF Identifier) | Cybersecurity & Data Privacy by Design (C|P) Principle | Principle Intent

1. Cybersecurity & Data Privacy Governance (GOV)
Principle: Execute a documented, risk-based program that supports business objectives while encompassing appropriate cybersecurity & data protection principles that address applicable statutory, regulatory and contractual obligations.
Intent: Organizations specify the development of an organization's cybersecurity & data protection program, including criteria to measure success, to ensure ongoing leadership engagement and risk management.

2. Artificial and Autonomous Technology (AAT)
Principle: Ensure trustworthy and resilient Artificial Intelligence (AI) and autonomous technologies to achieve a beneficial impact by informing, advising or simplifying tasks, while minimizing emergent properties or unintended consequences.
Intent: Organizations ensure Artificial Intelligence (AI) and autonomous technologies are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced. In addition, AI-related risks are governed according to technology-specific considerations to minimize emergent properties or unintended consequences.

3. Asset Management (AST)
Principle: Manage all technology assets from purchase through disposition, both physical and virtual, to ensure secured use, regardless of the asset's location.
Intent: Organizations ensure technology assets are properly managed throughout the lifecycle of the asset, from procurement through disposal, ensuring only authorized devices are allowed to access the organization's network and to protect the organization's data that is stored, processed or transmitted on its assets.

4. Business Continuity & Disaster Recovery (BCD)
Principle: Maintain a resilient capability to sustain business-critical functions while successfully responding to and recovering from incidents through well-documented and exercised processes.
Intent: Organizations establish processes that will help the organization recover from adverse situations with minimal impact to operations, as well as provide the capability for e-discovery.

5. Capacity & Performance Planning (CAP)
Principle: Govern the current and future capacities and performance of technology assets.
Intent: Organizations prevent avoidable business interruptions caused by capacity and performance limitations by proactively planning for growth and forecasting, as well as requiring both technology and business leadership to maintain situational awareness of current and future performance.

6. Change Management (CHG)
Principle: Manage change in a sustainable and ongoing manner that involves active participation from both technology and business stakeholders to ensure that only authorized changes occur.
Intent: Organizations ensure both technology and business leadership proactively manage change, including the assessment, authorization and monitoring of technical changes across the enterprise so as to not impact production systems uptime and allow easier troubleshooting of issues.

7. Cloud Security (CLD)
Principle: Govern cloud instances as an extension of on-premise technologies with equal or greater security protections than the organization's own internal cybersecurity & data privacy controls.
Intent: Organizations govern the use of private and public cloud environments (e.g., IaaS, PaaS and SaaS) to holistically manage risks associated with third-party involvement and architectural decisions, as well as to ensure the portability of data to change cloud providers, if needed.

8. Compliance (CPL)
Principle: Oversee the execution of cybersecurity & data privacy controls to ensure appropriate evidence required for due care and due diligence exists to meet compliance with applicable statutory, regulatory and contractual obligations.
Intent: Organizations ensure controls are in place to ensure adherence to applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.

9. Configuration Management (CFG)
Principle: Enforce secure configurations according to vendor-recommended and industry-recognized secure practices that enforce the concepts of “least privilege” and “least functionality” for all systems, applications and services.
Intent: Organizations establish and maintain the integrity of systems. Without properly documented and implemented configuration management controls, security features can be inadvertently or deliberately omitted or rendered inoperable, allowing processing irregularities to occur or the execution of malicious code.

10. Continuous Monitoring (MON)
Principle: Maintain situational awareness of security-related events through the centralized collection and analysis of event logs from systems, applications and services.
Intent: Organizations establish and maintain ongoing situational awareness across the enterprise through the centralized collection and review of security-related event logs. Without comprehensive visibility into infrastructure, operating system, database, application and other logs, the organization will have “blind spots” in its situational awareness that could lead to system compromise, data exfiltration, or unavailability of needed computing resources.

11. Cryptographic Protections (CRY)
Principle: Utilize appropriate cryptographic solutions and industry-recognized key management practices to protect the confidentiality and integrity of sensitive/regulated data both at rest and in transit.
Intent: Organizations ensure the confidentiality and integrity of their data through implementing appropriate cryptographic technologies to protect systems, applications, services and data.

Page 1 of 196
Licensed by Creative Commons Attribution-NoDerivatives
12. Data Classification & Handling (DCH)
Principle: Enforce a standardized data classification methodology to objectively determine the sensitivity and criticality of all data and technology assets so that proper handling and disposal requirements can be followed.
Intent: Organizations ensure that technology assets, both electronic and physical, are properly classified and measures implemented to protect the organization's data from unauthorized disclosure or modification, regardless of whether it is being transmitted or stored. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity and availability of data.

13. Embedded Technology (EMB)
Principle: Provide additional scrutiny to reduce the risks associated with embedded technology, based on the potential damages posed from malicious use of the technology.
Intent: Organizations specify the development, proactive management and ongoing review of the security of embedded technologies, including hardening of the “stack” from the hardware, firmware and software to transmission and service protocols used for Internet of Things (IoT) and Operational Technology (OT) devices.

14. Endpoint Security (END)
Principle: Harden endpoint devices to protect against reasonable threats to those devices and the data those devices store, transmit and process.
Intent: Organizations ensure that endpoint devices are appropriately protected from security threats to the device and its data. Applicable statutory, regulatory and contractual compliance requirements dictate the minimum safeguards that must be in place to protect the confidentiality, integrity, availability and safety considerations.

15. Human Resources Security (HRS)
Principle: Execute sound hiring practices and ongoing personnel management to cultivate a cybersecurity & data privacy-minded workforce.
Intent: Organizations create a cybersecurity & data privacy-minded workforce and an environment that is conducive to innovation, considering issues such as culture, reward and collaboration.

16. Identification & Authentication (IAC)
Principle: Enforce the concept of “least privilege” consistently across all systems, applications and services for individual, group and service accounts through a documented and standardized Identity and Access Management (IAM) capability.
Intent: Organizations implement the concept of “least privilege” through limiting access to the organization's systems and data to authorized users only.

17. Incident Response (IRO)
Principle: Maintain a viable incident response capability that trains personnel on how to recognize and report suspicious activities so that trained incident responders can take the appropriate steps to handle incidents, in accordance with a documented Incident Response Plan (IRP).
Intent: Organizations establish and maintain a viable and tested capability to respond to cybersecurity or data privacy-related incidents in a timely manner, where organizational personnel understand how to detect and report potential incidents.

18. Information Assurance (IAO)
Principle: Execute an impartial assessment process to validate the existence and functionality of appropriate cybersecurity & data privacy controls, prior to a system, application or service being used in a production environment.
Intent: Organizations ensure the adequacy of cybersecurity & data privacy controls in development, testing and production environments.

19. Maintenance (MNT)
Principle: Proactively maintain technology assets, according to current vendor recommendations for configurations and updates, including those supported or hosted by third-parties.
Intent: Organizations ensure that technology assets are properly maintained to ensure continued performance and effectiveness. Maintenance processes apply additional scrutiny to the security of end-of-life or unsupported assets.

20. Mobile Device Management (MDM)
Principle: Implement measures to restrict mobile device connectivity with critical infrastructure and sensitive/regulated data that limit the attack surface and potential data exposure from mobile device usage.
Intent: Organizations govern risks associated with mobile devices, regardless of ownership (organization-owned, employee-owned or third-party owned). Wherever possible, technologies are employed to centrally manage mobile device access and data storage practices.

21. Network Security (NET)
Principle: Architect and implement a secure and resilient defense-in-depth methodology that enforces the concept of “least functionality” through restricting network access to systems, applications and services.
Intent: Organizations ensure sufficient cybersecurity & data privacy controls are architected to protect the confidentiality, integrity, availability and safety of the organization's network infrastructure, as well as to provide situational awareness of activity on the organization's networks.

22. Physical & Environmental Security (PES)
Principle: Protect physical environments through layers of physical security and environmental controls that work together to protect both physical and digital assets from theft and damage.
Intent: Organizations minimize physical access to the organization's systems and data by addressing applicable physical security controls and ensuring that appropriate environmental controls are in place and continuously monitored to ensure equipment does not fail due to environmental threats.

23. Data Privacy (PRI)
Principle: Align data privacy practices with industry-recognized data privacy principles to implement appropriate administrative, technical and physical controls to protect regulated personal data throughout the lifecycle of systems, applications and services.
Intent: Organizations align data privacy engineering decisions with the organization's overall data privacy strategy and industry-recognized leading practices to secure Personal Data (PD) that implements the concept of data privacy by design and by default.

24. Project & Resource Management (PRM)
Principle: Operationalize a viable strategy to achieve cybersecurity & data privacy objectives that establishes cybersecurity as a key stakeholder within project management practices to ensure the delivery of resilient and secure solutions.
Intent: Organizations ensure that security-related projects have both resource and project/program management support to ensure successful project execution.

25. Risk Management (RSK)
Principle: Proactively identify, assess, prioritize and remediate risk through alignment with industry-recognized risk management principles to ensure risk decisions adhere to the organization's risk threshold.
Intent: Organizations ensure that the business unit(s) that own the assets and/or processes involved are made aware of and understand all applicable cybersecurity & data privacy-related risks. The cybersecurity & data privacy teams advise and educate on risk management matters, while it is the business units and other key stakeholders that ultimately own the risk.

26. Secure Engineering & Architecture (SEA)
Principle: Utilize industry-recognized secure engineering and architecture principles to deliver secure and resilient systems, applications and services.
Intent: Organizations align cybersecurity engineering and architecture decisions with the organization's overall technology architectural strategy and industry-recognized leading practices to secure networked environments.

27. Security Operations (OPS)
Principle: Execute the delivery of cybersecurity & data privacy operations to provide quality services and secure systems, applications and services that meet the organization's business needs.
Intent: Organizations ensure appropriate resources and a management structure exist to enable the service delivery of cybersecurity, physical security and data privacy operations.

28. Security Awareness & Training (SAT)
Principle: Foster a cybersecurity & data privacy-minded workforce through ongoing user education about evolving threats, compliance obligations and secure workplace practices.
Intent: Organizations develop a cybersecurity & data privacy-minded workforce through continuous education activities and practical exercises.

29. Technology Development & Acquisition (TDA)
Principle: Develop and/or acquire systems, applications and services according to a Secure Software Development Framework (SSDF) to reduce the potential impact of undetected or unaddressed vulnerabilities and design flaws.
Intent: Organizations ensure that cybersecurity & data privacy principles are implemented into any products/solutions, either developed internally or acquired, to make sure that the concepts of “least privilege” and “least functionality” are incorporated.

30. Third-Party Management (TPM)
Principle: Execute Supply Chain Risk Management (SCRM) practices so that only trustworthy third-parties are used for products and/or service delivery.
Intent: Organizations ensure that cybersecurity & data privacy risks associated with third-parties are minimized and enable measures to sustain operations should a third-party become compromised, untrustworthy or defunct.

31. Threat Management (THR)
Principle: Proactively identify and assess technology-related threats, to both assets and business processes, to determine the applicable risk and necessary corrective action.
Intent: Organizations establish a capability to proactively identify and manage technology-related threats to the cybersecurity & data privacy of the organization's systems, data and business processes.

32. Vulnerability & Patch Management (VPM)
Principle: Leverage industry-recognized Attack Surface Management (ASM) practices to strengthen the security and resilience of systems, applications and services against evolving and sophisticated attack vectors.
Intent: Organizations proactively manage the risks associated with technical vulnerability management that includes ensuring good patch and change management practices are utilized.

33. Web Security (WEB)
Principle: Ensure the security and resilience of Internet-facing technologies through secure configuration management practices and monitoring for anomalous activity.
Intent: Organizations address the risks associated with Internet-accessible technologies by hardening devices, monitoring system file integrity, enabling auditing, and monitoring for malicious activities.

version 2025.2 Secure Controls Framework (SCF) Authoritative Sources

Columns: Geography | Mapping Column Header | Source | Authoritative Source - Law, Regulation or Framework (LRF)
Each entry is followed by its URL (Authoritative Source) and, where one is published, the Set Theory Relationship Mapping (STRM) link.

Universal | AICPA TSC 2017 (with 2022 revised POF) | AICPA | AICPA Trust Services Criteria (TSC) with (2022 points of focus)
URL: https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-aicpa-tsc-2017.pdf

Universal | BSI Standard 200-1 | BSI | Standard 200-1
URL: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/BSI-Standards/BSI-Standard-200-1-Managementsysteme-fuer-Informationssicherheit/bsi-standard-200-1-managementsysteme-fuer-informationssicherheit_node.html

Universal | CIS CSC v8.1 | CIS | CIS Critical Security Controls (CSC) version 8.1
URL: https://www.cisecurity.org/controls/v8-1
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-cis-csc-8-1.pdf

Universal | CIS CSC v8.1 IG1 | CIS | CIS Critical Security Controls (CSC) version 8.1 - IG1
URL: https://www.cisecurity.org/controls/v8-1
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-cis-csc-8-1.pdf

Universal | CIS CSC v8.1 IG2 | CIS | CIS Critical Security Controls (CSC) version 8.1 - IG2
URL: https://www.cisecurity.org/controls/v8-1
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-cis-csc-8-1.pdf

Universal | CIS CSC v8.1 IG3 | CIS | CIS Critical Security Controls (CSC) version 8.1 - IG3
URL: https://www.cisecurity.org/controls/v8-1
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-cis-csc-8-1.pdf

Universal | COBIT 2019 | ISACA | Control Objectives for Information and Related Technologies (COBIT) 2019
URL: https://store.isaca.org/s/store#/store/browse/detail/a2S4w000004Ko9ZEAS

Universal | COSO v2017 | COSO | Committee of Sponsoring Organizations (COSO) 2017 Framework
URL: https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf

Universal | CSA CCM v4 | CSA | CSA Cloud Controls Matrix (CCM) v4
URL: https://cloudsecurityalliance.org/group/cloud-controls-matrix/#_overview

Universal | CSA IoT SCF v2 | CSA | CSA IoT Security Controls Framework v2
URL: https://cloudsecurityalliance.org/artifacts/csa-iot-security-controls-framework-v2/

Universal | ENISA v2.0 | EU | European Union Agency for Network and Information Security (ENISA)
URL: https://resilience.enisa.europa.eu/article-13/guideline-for-minimum-security-measures/Article_13a_ENISA_Technical_Guideline_On_Security_Measures_v2_0.pdf

Universal | GAPP | AICPA | Generally Accepted Privacy Principles (GAPP)
URL: https://www.scribd.com/document/92949889/10-229-AICPA-CICA-Privacy-Maturity-Model-Finale-Book

Universal | IEC TR 60601-4-5 v2021 | IEC | IEC TR 60601-4-5:2021 - Medical electrical equipment - Part 4-5: Guidance and interpretation - Safety-related technical security specifications
URL: https://webstore.iec.ch/publication/64703
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-iec-tr-60601-4-5.pdf

Universal | IEC 62443-4-2 | IEC | IEC 62443-4-2:2019 - Security for industrial automation and control systems Part 4-2: Technical security requirements for IACS components
URL: https://webstore.iec.ch/publication/34421

Universal | ISO/SAE 21434 v2021 | IEC | ISO/SAE 21434:2021 - Road vehicles — Cybersecurity engineering
URL: https://www.iso.org/standard/70918.html

Universal | ISO 22301 v2019 | ISO | ISO/IEC 22301:2019 - Security and resilience — Business continuity management systems — Requirements
URL: https://www.iso.org/standard/75106.html

Universal | ISO 27001 v2013 | ISO | ISO/IEC 27001:2013 - Information Security Management Systems (ISMS) - Requirements
URL: https://www.iso.org/standard/54534.html

Universal | ISO 27001 v2022 | ISO | ISO/IEC 27001:2022 - Information Security Management Systems (ISMS) - Requirements
URL: https://www.iso.org/standard/27001
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-iso-27001-2022.pdf

Universal | ISO 27002 v2013 | ISO | ISO/IEC 27002:2013 - Code of Practice for Information Security Controls
URL: https://www.iso.org/standard/54533.html

Universal | ISO 27002 v2022 | ISO | ISO/IEC 27002:2022 - Information security, cybersecurity and privacy protection - Information security controls
URL: https://www.iso.org/standard/75652.html
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-iso-27002-2022.pdf

Universal | ISO 27017 v2015 | ISO | ISO/IEC 27017:2015 - Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services
URL: https://www.iso.org/standard/43757.html

Universal | ISO 27018 v2014 | ISO | ISO/IEC 27018:2014 - Code of Practice for PI in Public Clouds Acting as PI Processors
URL: https://www.iso.org/standard/61498.html

Universal | ISO 27701 v2019 | ISO | ISO/IEC 27701:2019 - Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines
URL: https://www.iso.org/standard/71670.html

Universal | ISO 29100 v2011 | ISO | ISO/IEC 29100:2011 - Privacy Framework
URL: https://www.iso.org/standard/45123.html

Universal | ISO 31000 v2009 | ISO | ISO/IEC 31000:2009 - Risk Management
URL: https://www.iso.org/iso-31000-risk-management.html

Universal | ISO 31010 v2009 | ISO | ISO/IEC 31010:2009 - Risk Assessment Techniques
URL: https://www.iso.org/standard/51073.html

Universal | ISO 42001 v2023 | ISO | ISO/IEC 42001:2023 - Information technology - Artificial intelligence - Management system
URL: https://www.iso.org/standard/81230.html
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-iso-42001-2023.pdf

Universal | MITRE ATT&CK 10 | MITRE | MITRE ATT&CK - NIST 800-53 mappings
URL: https://mitre-engenuity.org/blog/2022/01/13/nist-800-53-control-mappings/

Universal | MPA Content Security Program v5.1 | MPA | MPA Content Security Best Practices Common Guidelines v5.1
URL: https://www.motionpictures.org/what-we-do/safeguarding-creativity/additional-resources/#content-protection-best-practices

Universal | NAIC Insurance Data Security Model Law (MDL-668) | NAIC | Insurance Data Security Model Law (MDL-668)
URL: https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-naic-insurance-data-security-model-law-668.pdf

Universal | NIST AI RMF AI 100-1 v1.0 | NIST | NIST AI 100-1 (Artificial Intelligence Risk Management Framework 1.0)
URL: https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-ai-100-1-rmf.pdf

Universal | NIST AI 600-1 | NIST | NIST AI 600-1 (AI RMF Generative Artificial Intelligence Profile)
URL: https://doi.org/10.6028/NIST.AI.600-1
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-ai-600-1.pdf

Universal | NIST Privacy Framework v1.0 | NIST | NIST Privacy Framework v1.0
URL: https://www.nist.gov/privacy-framework

Universal | NIST 800-37 rev 2 | NIST | NIST SP 800-37 - Guide for Applying the RMF to Federal Information Systems rev2
URL: https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final

Universal | NIST 800-39 | NIST | NIST SP 800-39 - Managing Information Security Risk
URL: https://csrc.nist.gov/publications/detail/sp/800-39/final

Universal | NIST 800-53 rev4 | NIST | NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Universal | NIST 800-53 rev4 (low) | NIST | NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (low baseline)
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Universal | NIST 800-53 rev4 (moderate) | NIST | NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (moderate baseline)
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Universal | NIST 800-53 rev4 (high) | NIST | NIST SP 800-53 R4 - Security and Privacy Controls for Information Systems and Organizations (high baseline)
URL: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

Universal | NIST 800-53 rev5 | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-53-r5-1-1.pdf

Universal | NIST 800-53B rev5 (privacy) | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations, Privacy Baseline
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-53-r5-1-1.pdf

Universal | NIST 800-53B rev5 (low) | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations, Low Baseline
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-53-r5-1-1.pdf

Universal | NIST 800-53B rev5 (moderate) | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations, Moderate Baseline
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-53-r5-1-1.pdf

Universal | NIST 800-53B rev5 (high) | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations, High Baseline
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-53-r5-1-1.pdf

Universal | NIST 800-53 rev5 (NOC) | NIST | NIST SP 800-53 R5 - Security and Privacy Controls for Information Systems and Organizations, Select Not Otherwise Categorized (NOC) controls
URL: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final


Universal | NIST 800-63B (partial mapping) | NIST | NIST SP 800-63B - Digital Identity Guidelines (partial mapping)
URL: https://pages.nist.gov/800-63-3/sp800-63b.html

Universal | NIST 800-82 rev3 LOW OT Overlay | NIST | NIST SP 800-82 R3 - Guide to Industrial Control Systems (ICS) Security
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

Universal | NIST 800-82 rev3 MODERATE OT Overlay | NIST | NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

Universal | NIST 800-82 rev3 HIGH OT Overlay | NIST | NIST SP 800-82 - Guide to Industrial Control Systems (ICS) Security
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf

Universal | NIST 800-160 | NIST | NIST SP 800-160 - Systems Security Engineering
URL: https://csrc.nist.gov/publications/detail/sp/800-160/final

Universal | NIST 800-161 rev 1 | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-161 rev 1 C-SCRM Baseline | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (C-SCRM Baseline)
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-161 rev 1 Flow Down | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Flow Down)
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-161 rev 1 Level 1 | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 1)
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-161 rev 1 Level 2 | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 2)
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-161 rev 1 Level 3 | NIST | NIST SP 800-161 R1 - Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (Level 3)
URL: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-161-r1.pdf

Universal | NIST 800-171 rev 2 | NIST | NIST SP 800-171 R2 - Protecting CUI in Nonfederal Systems and Organizations
URL: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-171-r2.pdf

Universal | NIST 800-171 rev 3 | NIST | NIST SP 800-171 R3 - Protecting CUI in Nonfederal Systems and Organizations
URL: https://csrc.nist.gov/pubs/sp/800/171/r3/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-171-r3.pdf

Universal | NIST 800-171A | NIST | NIST SP 800-171A - Assessing Security Requirements for Controlled Unclassified Information
URL: https://csrc.nist.gov/publications/detail/sp/800-171a/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-171a.pdf

Universal | NIST 800-171A rev 3 | NIST | NIST 800-171A R3
URL: https://csrc.nist.gov/pubs/sp/800/171/a/r3/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-171a-r3.pdf

Universal | NIST 800-172 | NIST | NIST SP 800-172 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf

Universal | NIST 800-207 | NIST | NIST SP 800-207 - Zero Trust Architecture
URL: https://csrc.nist.gov/pubs/sp/800/207/final
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-207.pdf

Universal | NIST 800-218 v1.1 SSDF | NIST | NIST SP 800-218 - Secure Software Development Framework (SSDF) Version 1.1
URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-218.pdf
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-800-218.pdf

Universal | NIST CSF v1.1 | NIST | NIST Cybersecurity Framework (CSF) v1.1
URL: https://www.nist.gov/cyberframework

Universal | NIST CSF v2.0 | NIST | NIST Cybersecurity Framework (CSF) v2.0
URL: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-nist-csf-2-0.pdf

Universal | OWASP Top 10 v2021 | OWASP | OWASP Top 10 Most Critical Web Application Security Risks
URL: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Universal | PCIDSS v3.2 | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS)
URL: https://www.pcisecuritystandards.org/document_library

Universal | PCIDSS v4.0.1 | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf

Universal | PCIDSS v4.0 SAQ A | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf

Universal | PCIDSS v4.0.1 SAQ A-EP | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ A-EP
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf

Universal | PCIDSS v4.0.1 SAQ B | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf

Universal | PCIDSS v4.0.1 SAQ B-IP | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ B-IP
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf

Universal | PCIDSS v4.0.1 | PCI SSC | Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C
URL: https://www.pcisecuritystandards.org/document_library
STRM: https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf
SAQ C

PCIDSS
Universal v4.0.1 PCI SSC Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ C-VT https://www.pcisecuritystandards.org/document_library https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf
SAQ C-VT

PCIDSS
Universal v4.0.1 PCI SSC Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Merchant https://www.pcisecuritystandards.org/document_library https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf
SAQ D Merchant
PCIDSS
v4.0.1 Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ D Service
Universal PCI SSC https://www.pcisecuritystandards.org/document_library https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf
SAQ D Service Provider
Provider
PCIDSS
Universal v4.0.1 PCI SSC Payment Card Industry Data Security Standard (PCI DSS) v4.0.1 - SAQ P2PE https://www.pcisecuritystandards.org/document_library https://securecontrolsframework.com/content/strm/scf-strm-general-pci-dss-4-0-1.pdf
SAQ P2PE

Shared Assessments
Universal Shared Assessments Shared Assessments Standard Information Gathering Questionnaire (SIG) 2024 https://sharedassessments.org/sig/
SIG 2024

Universal SPARTA SPARTA Space Attack Research & Tactic Analysis (SPARTA) Countermeasures https://sparta.aerospace.org/countermeasures/SPARTA https://securecontrolsframework.com/content/strm/scf-strm-general-sparta.pdf

SWIFT
https://www.swift.com/myswift/customer-security-programme-csp/security-
Universal CSF SWIFT SWIFT Customer Security Controls Framework 2021
controls
v2023

TISAX
Universal TISAX Trusted Information Security Assessment Exchange (TISAX) ISA 6.0.3 https://portal.enx.com/en-us/TISAX/downloads/ https://securecontrolsframework.com/content/strm/scf-strm-general-tisax-6-0-3.pdf
ISA v6

UL https://webstore.ansi.org/standards/ul/ansiul29002023?
Universal UL UL 2900-1 - Software Cybersecurity for Network-Connectable Products
2900-1 srsltid=AfmBOooyD9mE75SD8skM6pRIbgMY0izMHm8IonblOI5P_onzRRA6h7OT

UN https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-
Universal United Nations UN Regulation No. 155 - Cyber security and cyber security management system
R155 cyber-security-and-cyber-security

UN https://unece.org/fileadmin/DAM/trans/doc/2020/wp29/ECE-TRANS-WP29-2020-
Universal United Nations UNECE WP.29
ECE WP.29 079e.pdf

US
US C2M2 Federal Cybersecurity Capability Maturity Model (C2M2) v2.1 https://c2m2.doe.gov/
v2.1

US CERT
US RMM Federal CERT Resilience Management Model v1.2 https://resources.sei.cmu.edu/library/asset-view.cfm?assetid=508084
v1.2
US
CISA
US Federal CISA Cross-Sector Cybersecurity Performance Goals (CPG) https://www.cisa.gov/cpg https://securecontrolsframework.com/content/strm/scf-strm-us-fed-dhs-cisa-cpg.pdf
CPG
v2022
US
US DHS CISA Federal CISA Secure Software Development Attestation Form (SSDAF) https://www.cisa.gov/secure-software-attestation-form https://securecontrolsframework.com/content/strm/scf-strm-us-fed-dhs-cisa-ssdaf.pdf
SSDAF

US
US CJIS Security Policy Federal Criminal Justice Information Services (CJIS) Security Policy v5.9.3 https://le.fbi.gov/cjis-division/cjis-security-policy-resource-center https://securecontrolsframework.com/content/strm/scf-strm-us-fed-cjis-5-9-3.pdf
5.9.3

US
US CMMC 2.0 Federal Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 1 https://www.acq.osd.mil/asda/dpc/cp/cyber/cmmc.html https://securecontrolsframework.com/content/strm/scf-strm-us-fed-dod-cmmc-2-level-1.pdf
Level 1

Page 5 of 196
Licensed by Creative Commons Attribution-NoDerivatives
version 2025.2 Secure Controls Framework (SCF) Authoritative Sources

Geography | Source | Mapping Column Header | Authoritative Source - Law, Regulation or Framework (LRF) | URL - Authoritative Source | Set Theory Relationship Mapping (STRM)
US | Federal | US CMMC 2.0 Level 2 | Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 2 | https://www.acq.osd.mil/asda/dpc/cp/cyber/cmmc.html |
US | Federal | US CMMC 2.0 Level 3 | Cybersecurity Maturity Model Certification (CMMC) v2.0 Level 3 | https://www.acq.osd.mil/asda/dpc/cp/cyber/cmmc.html |
US | Federal | US CMS MARS-E v2.0 | US Centers for Medicare & Medicaid Services MARS-E Document Suite, Version 2.0 | https://www.cms.gov/CCIIO/Resources/Regulations-and-Guidance/Downloads/3-MARS-E-v2-0-Catalog-of-Security-and-Privacy-Controls-11102015.pdf |
US | Federal | US COPPA | Children's Online Privacy Protection Act (COPPA) | http://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-section6501&edition=prelim |
US | Federal | US Data Privacy Framework (DPF) | Data Privacy Framework (DPF) | https://www.dataprivacyframework.gov/Program-Overview | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-data-privacy-framework.pdf
US | Federal | US DoD Zero Trust Reference Architecture v2.0 | DoD Zero Trust Reference Architecture v2.0 | https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-dod-zta-reference-architecture-2-0.pdf
US | Federal | US DFARS Cybersecurity 252.204-70xx | Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008 - 7012 | https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm |
US | Federal | US DHS CISA TIC 3.0 | Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections 3.0 Security Capabilities Catalog | https://www.cisa.gov/sites/default/files/2023-12/CISA%20TIC%203.0%20Security%20Capabilities%20Catalog_508c.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-dhs-cis-tic-3-0.pdf
US | Federal | US DHS ZTCF | Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF) | Draft release - not yet publicly available | Draft release - not yet publicly available
US | Federal | US FACTA | Fair & Accurate Credit Transactions Act (FACTA) / Fair Credit Reporting Act (FCRA) | http://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0111-fair-credit-reporting-act.pdf |
US | Federal | US FAR 52.204-21 | Federal Acquisition Regulation (FAR) 52.204-21 | https://www.acquisition.gov/far/52.204-21 |
US | Federal | US FAR 52.204-27 | Federal Acquisition Regulation (FAR) 52.204-27 Prohibition on a ByteDance Covered Application | https://www.acquisition.gov/far/52.204-27 |
US | Federal | US FAR Section 889 | Federal Acquisition Regulation (FAR) Section 889 | https://www.federalregister.gov/documents/2020/07/14/2020-15293/federal-acquisition-regulation-prohibition-on-contracting-with-entities-using-certain |
US | Federal | US FCA CRM | Farm Credit Administration (FCA) Cyber Risk Management | https://www.federalregister.gov/documents/2023/12/11/2023-27102/cyber-risk-management#sectno-citation-609.905 | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-fca-crm.pdf
US | Federal | US FDA 21 CFR Part 11 | Food & Drug Administration (FDA) 21 CFR Part 11 | https://www.gpo.gov/fdsys/pkg/CFR-2012-title21-vol1/pdf/CFR-2012-title21-vol1-part11.pdf |
US | Federal | US FedRAMP R4 | Federal Risk and Authorization Management Program R4 (FedRAMP R4) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R4 (low) | Federal Risk and Authorization Management Program R4 (FedRAMP R4) (low baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R4 (moderate) | Federal Risk and Authorization Management Program R4 (FedRAMP R4) (moderate baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R4 (high) | Federal Risk and Authorization Management Program R4 (FedRAMP R4) (high baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R4 (LI-SaaS) | Federal Risk and Authorization Management Program R4 (FedRAMP R4) (LI-SaaS baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R5 | Federal Risk and Authorization Management Program R5 (FedRAMP R5) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R5 (low) | Federal Risk and Authorization Management Program R5 (FedRAMP R5) (low baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R5 (moderate) | Federal Risk and Authorization Management Program R5 (FedRAMP R5) (moderate baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R5 (high) | Federal Risk and Authorization Management Program R5 (FedRAMP R5) (high baseline) | https://www.fedramp.gov/ |
US | Federal | US FedRAMP R5 (LI-SaaS) | Federal Risk and Authorization Management Program R5 (FedRAMP R5) (LI-SaaS baseline) | https://www.fedramp.gov/ |
US | Federal | US FERPA | Family Educational Rights and Privacy Act (FERPA) | https://www.gpo.gov/fdsys/pkg/USCODE-2010-title20/pdf/USCODE-2010-title20-chap31-subchapIII-part4-sec1232g.pdf |
US | Federal | US FFIEC | Federal Financial Institutions Examination Council (FFIEC) | https://www.ffiec.gov/pdf/cybersecurity/FFIEC_CAT_App_B_Map_to_NIST_CSF_June_2015_PDF4.pdf |
US | Federal | US FINRA | Financial Industry Regulatory Authority (FINRA) | http://www.finra.org/industry/cybersecurity |
US | Federal | US FTC Act | Federal Trade Commission (FTC) Act | https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act |
US | Federal | US GLBA CFR 314 (Dec 2023) | Gramm-Leach-Bliley Act (GLBA) - 16 CFR Part 314 (Dec 2023) | https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-314 | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-glba-cfr-314.pdf
US | Federal | US HIPAA Administrative Simplification (2013) | HIPAA Administrative Simplification (2013) | https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-hipaa-hitech.pdf
US | Federal | US HIPAA Security Rule / NIST SP 800-66 R2 | HIPAA Security Rule (includes mapping to NIST SP 800-66 R2) | https://www.hhs.gov/hipaa/for-professionals/security/index.html | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-hipaa-hitech.pdf
US | Federal | HIPAA - HICP Small Practice | Health Industry Cybersecurity Practices (HICP) - Small Practice | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx |
US | Federal | HIPAA - HICP Medium Practice | Health Industry Cybersecurity Practices (HICP) - Medium Practice | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx |
US | Federal | HIPAA - HICP Large Practice | Health Industry Cybersecurity Practices (HICP) - Large Practice | https://www.phe.gov/Preparedness/planning/405d/Pages/hic-practices.aspx |
US | Federal | US IRS 1075 | Internal Revenue Service (IRS) Publication 1075 | https://www.irs.gov/pub/irs-utl/p1075.pdf |
US | Federal | ITAR Part 120 [limited] | International Traffic in Arms Regulations (ITAR) [limited to Part 120] | https://www.ecfr.gov/cgi-bin/text-idx?SID=70e390c181ea17f847fa696c47e3140a&mc=true&node=pt22.1.120&rgn=div |
US | Federal | US NERC CIP 2024 | North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) 2024 | https://www.nerc.com/pa/Stand/Reliability%20Standards%20Complete%20Set/RSCompleteSet.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-nerc-cip-2024.pdf
US | Federal | US NISPOM | National Industrial Security Program Operating Manual (NISPOM) | https://www.federalregister.gov/documents/2020/12/21/2020-27698/national-industrial-security-program-operating-manual-nispom |
US | Federal | US NNPI (unclass) | Naval Nuclear Propulsion Information (NNPI) | https://www.secnav.navy.mil/doni/Directives/09000%20General%20Ship%20Design%20and%20Support/09-200%20Propulsion%20Plants%20Support/N9210.3%20(Unclas%20Portion).pdf |
US | Federal | US NSTC NSPM-33 | National Science & Technology Council (NSTC) NSPM-33 | https://bidenwhitehouse.archives.gov/wp-content/uploads/2022/01/010422-NSPM-33-Implementation-Guidance.pdf |
US | Federal | US SEC Cybersecurity Rule | SEC Cybersecurity Final Rule (Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure) - 17 CFR Parts 229, 232, 239, 240, and 249 | https://www.sec.gov/files/rules/final/2023/33-11216.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-fed-sec-cybersecurity-rule.pdf
US | Federal | US SOX | Sarbanes-Oxley Act (SOX) | http://www.sec.gov/about/laws/soa2002.pdf |
US | Federal | US SSA EIESR v8.0 | Social Security Administration (SSA) Electronic Information Exchange Security Requirements v8.0 | https://www.ssa.gov/dataexchange/security.html |
US | State | StateRAMP Low Category 1 | StateRAMP Low (Category 1) | https://stateramp.org/documents/ |
US | State | StateRAMP Low+ Category 2 | StateRAMP Low+ (Category 2) | https://stateramp.org/documents/ |
US | State | StateRAMP Moderate Category 3 | StateRAMP Moderate (Category 3) | https://stateramp.org/documents/ |
US | Federal | US TSA / DHS 1580/82-2022-01 | Security Directive 1580/82-2022-01 (Rail Cybersecurity Mitigation Actions and Testing) | https://www.tsa.gov/sites/default/files/sd-1580-82-2022-01.pdf |
US | State | US - AK PIPA | AK - Alaska Personal Information Protection Act (PIPA) | https://www.akleg.gov/basis/get_documents.asp?session=29&docid=65934 |
US | State | US - CA SB327 | CA - SB327 | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327 |
US | State | US-CA CCPA / CPRA (Nov 2022) | California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) - November 2022 version | https://cppa.ca.gov/regulations/pdf/20221102_mod_text.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-state-ca-ccpa-cpra.pdf
US | State | US - CA SB1386 | CA - SB1386 | https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=200120020SB1386 |
US | State | US - CO Colorado Privacy Act | CO - Colorado Privacy Act | https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf |
US | State | US - IL BIPA | IL - Illinois Biometric Information Privacy Act (BIPA) | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57 |
US | State | US - IL IPA | IL - Illinois Identity Protection Act (IPA) | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3174&ChapterID=2 |
US | State | US - IL PIPA | IL - Illinois Personal Information Protection Act (PIPA) | https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapterID=67 |
US | State | US - MA 201 CMR 17.00 | MA - 201 CMR 17.00 | http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf |
US | State | US - NV SB220 | NV - SB220 | https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Tex |
US | State | US - NY DFS 23 NYCRR500 2023 Amd 2 | NY - Cybersecurity Requirements for Financial Services Companies (DFS 23 NYCRR 500) - 2023 Amendment 2 | https://www.dfs.ny.gov/system/files/documents/2023/12/rf23_nycrr_part_500_amend02_20231101.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-state-ny-dfs-23-nycrr500-amd2.pdf
US | State | US - NY SHIELD Act S5575B | NY - SHIELD Act (SB S5575B) | https://legislation.nysenate.gov/pdf/bills/2019/s5575b |
US | State | US - OR 646A | OR - ORS 646A | https://www.oregonlegislature.gov/bills_laws/ors/ors646a.html |
US | State | US - OR CPA | OR - Consumer Privacy Act (SB 619) | https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled | https://securecontrolsframework.com/content/strm/scf-strm-us-state-or-cpa.pdf
US | State | US - TN Tennessee Information Protection Act | TN - Tennessee Information Protection Act | https://www.capitol.tn.gov/Bills/113/Amend/HA0348.pdf | https://securecontrolsframework.com/content/strm/scf-strm-us-state-tn-information-protection-act.pdf
US | State | US - TX BC521 | TX - BC521 | http://www.statutes.legis.state.tx.us/Docs/BC/htm/BC.521.htm |
US | State | US-TX Cybersecurity Act | TX - Cybersecurity Act | http://www.legis.state.tx.us/tlodocs/85R/billtext/pdf/HB00008F.pdf#navpanes=0 |
US | State | US-TX CDPA | TX - Consumer Data Protection Act (CDPA) | https://capitol.texas.gov/tlodocs/88R/billtext/html/HB00004F.htm | https://securecontrolsframework.com/content/strm/scf-strm-us-state-tx-cdpa.pdf
US | State | US-TX DIR Control Standards 2.0 | TX - DIR Security Control Standards Catalog v2.0 | https://dir.texas.gov/resource-library-item/security-controls-standards-catalog |
US | State | US-TX TX-RAMP Level 1 | TX - Texas Risk & Authorization Management Program (TX-RAMP) Level 1 | http://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp |
US | State | US-TX TX-RAMP Level 2 | TX - Texas Risk & Authorization Management Program (TX-RAMP) Level 2 | http://dir.texas.gov/texas-risk-and-authorization-management-program-tx-ramp |
US | State | US-TX SB820 | TX - 2019 - SB820 | https://www.legiscan.com/TX/text/SB820/id/2027614/Texas-2019-SB820-Enrolled.html |
US | State | US-VA CDPA 2023 | Virginia Consumer Data Protection Act (2023) | https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+CHAP0035+pdf |
US | State | US-VT Act 171 of 2018 | VT - Act 171 of 2018 (Data Broker Registration Act) | https://legislature.vermont.gov/Documents/2018/Docs/ACTS/ACT171/ACT171%20As%20Enacted.pdf |
EMEA | EU | EMEA EU AI Act | EU Artificial Intelligence (AI) Act (Regulation (EU) 2024/1689) | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-ai-act.pdf
EMEA | EU | EMEA EU Cyber Resiliency Act | EU Cyber Resilience Act | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:52022PC0454 | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-cyber-resilience-act.pdf
EMEA | EU | EMEA EU Cyber Resiliency Act Annexes | EU Cyber Resilience Act - Annexes | https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_2&format=PDF | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-cyber-resilience-act-annexes.pdf
EMEA | EU | EMEA EU EBA GL/2019/04 | European Banking Authority (EBA) Guidelines on ICT and security risk management | https://www.eba.europa.eu/regulation-and-policy/internal-governance/guidelines-on-ict-and-security-risk-management |
EMEA | EU | EMEA EU DORA | EU Digital Operational Resilience Act (DORA) (2023) | https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554&from=EN | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-dora.pdf
EMEA | EU | EMEA EU GDPR | EU General Data Protection Regulation (GDPR) | https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-gdpr.pdf
EMEA | EU | EMEA EU NIS2 | EU ENISA NIS2 (Directive (EU) 2022/2555) | https://www.enisa.europa.eu/topics/awareness-and-cyber-hygiene/network-and-information-systems-directive-2-nis2 | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-nis2.pdf
EMEA | EU | EMEA EU NIS2 Annex | EU ENISA NIS2 Annex | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=intcom:C%282024%297151 | https://securecontrolsframework.com/content/strm/scf-strm-emea-eu-nis2-annex.pdf
EMEA | EU | EMEA EU PSD2 | EU Second Payment Services Directive (PSD2) | https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32015L2366 |
EMEA | EU | EMEA EU EU-US Data Privacy Framework | EU-US Data Privacy Framework | https://www.dataprivacyframework.gov/s/ |
EMEA | Austria | EMEA Austria | Federal Act concerning the Protection of Personal Data (DSG 2000) | https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.pdf |
EMEA | Belgium | EMEA Belgium | Act of 8 December 1992 | http://www.privacycommission.be/sites/privacycommission/files/documents/Privacy_Act_1992.pdf |
EMEA | Germany | EMEA Germany | Federal Data Protection Act | https://www.gesetze-im-internet.de/englisch_bdsg/englisch_bdsg.pdf |
EMEA | Germany | EMEA Germany Banking Supervisory Requirements for IT (BAIT) | Banking Supervisory Requirements for IT (BAIT) | https://www.bafin.de/SharedDocs/Downloads/EN/Rundschreiben/dl_rs_1710_ba_BAIT_en.html;jsessionid=CDFE3798FF983139B1E73C57CD17B025.1_cid389?nn=9866146 |
EMEA | Germany | EMEA Germany C5:2020 | Cloud Computing Compliance Controls Catalogue (C5) 2020 | https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/CloudComputing/ComplianceControlsCatalogue-Cloud_Computing-C5.pdf?__blob=publicationFile&v=3 |
EMEA | Greece | EMEA Greece | Protection of Individuals with Regard to the Processing of Personal Data (2472/1997) | https://www.dpa.gr/sites/default/files/2019-10/law_2472-97-nov2013-en.pdf |
EMEA | Hungary | EMEA Hungary | Informational Self-Determination and Freedom of Information (Act CXII of 2011) | http://www.naih.hu/files/Privacy_Act-CXII-of-2011_EN_201310.pdf |
EMEA | Ireland | EMEA Ireland | Data Protection Act (2003) | http://www.irishstatutebook.ie/2003/en/act/pub/0006/print.html |
EMEA | Israel | EMEA Israel CDMO v1.0 | Cybersecurity Methodology for an Organization v1.0 | https://www.gov.il/BlobFolder/policy/cyber_security_methodology_for_organizations/en/Cyber%20Defense%20Methodology%20for%20an%20Oragnization.pdf |
EMEA | Israel | EMEA Israel | Protection of Privacy Law, 5741 – 1981 | https://www.gov.il/BlobFolder/legalinfo/legislation/en/ProtectionofPrivacyLaw57411981unofficialtranslatio.pdf |
EMEA | Italy | EMEA Italy | Personal Data Protection Code | http://www.privacy.it/privacycode-en.html |
EMEA | Kenya | EMEA Kenya DPA 2019 | Kenya Data Protection Act (2019) | http://kenyalaw.org/kl/fileadmin/pdfdownloads/Acts/2019/TheDataProtectionAct__No24of2019.pdf |
EMEA | Netherlands | EMEA Netherlands | Personal Data Protection Act | https://www.autoriteitpersoonsgegevens.nl/en/themes/basic-gdpr |
EMEA | Nigeria | EMEA Nigeria DPR 2019 | Nigeria Data Protection Regulation (2019) | https://nitda.gov.ng/wp-content/uploads/2020/11/NigeriaDataProtectionRegulation11.pdf |
EMEA | Norway | EMEA Norway | Personal Data Act | https://lovdata.no/dokument/NLE/lov/2018-06-15-38 |
EMEA | Poland | EMEA Poland | Act of 29 August 1997 on the Protection of Personal Data | http://www.giodo.gov.pl/144/id_art/171/j/en/ |
EMEA | Qatar | EMEA Qatar PDPPL | Qatar Personal Data Privacy Protection Law (PDPPL) | https://compliance.qcert.org/sites/default/files/library/2020-11/Law%20No.%20%2813%29%20of%202016%20%20on%20Protecting%20Personal%20Data%20Privacy%20-%20English.pdf |
EMEA | Russia | EMEA Russia | Federal Law of 27 July 2006 N 152-FZ | http://www.rg.ru/2006/07/29/personaljnye-dannye-dok.html |
EMEA | Saudi Arabia | EMEA Saudi Arabia CSCC – 1: 2019 | Saudi Arabia Critical Systems Cybersecurity Controls (CSCC – 1: 2019) | https://www.nca.gov.sa/en/legislation?item=194&slug=controls-list |
EMEA | Saudi Arabia | EMEA Saudi Arabia IoT CGIoT-1:2024 | Saudi Arabia IoT Cybersecurity Guidelines (CGIoT-1:2024) | https://cdn.nca.gov.sa/api/files/public/upload/207a41a9-febf-45ea-9517-5519e863028a_CGIoT-.pdf | https://securecontrolsframework.com/content/strm/scf-strm-emea-sa-cybersecurity-guidelines-iot.pdf
EMEA | Saudi Arabia | EMEA Saudi Arabia ECC-1 2018 | Saudi Arabia Essential Cybersecurity Controls (ECC – 1 : 2018) | https://nca.gov.sa/ar/ecc-en.pdf |
EMEA | Saudi Arabia | EMEA Saudi Arabia OTCC-1 2022 | Saudi Arabia Operational Technology Cybersecurity Controls (OTCC – 1: 2022) | https://nca.gov.sa/otcc_en.pdf |
EMEA | Saudi Arabia | EMEA Saudi Arabia Personal Data Protection Law | Saudi Arabia Personal Data Protection Law (PDPL) | https://sdaia.gov.sa/en/SDAIA/about/Documents/Personal%20Data%20English%20V2-23April2023-%20Reviewed-.pdf | https://securecontrolsframework.com/content/strm/scf-strm-emea-sa-pdpl.pdf
EMEA | Saudi Arabia | EMEA Saudi Arabia SACS-002 | SACS-002 - Third Party Cybersecurity Standard | https://www.aramco.com/-/media/downloads/working-with-us/ccc/sacs-002-third-party-cybersecurity-standard.pdf |
EMEA | Saudi Arabia | EMEA Saudi Arabia SAMA CSFv1.0 | Saudi Arabian Monetary Authority (SAMA) Cyber Security Framework (CSF) Version 1.0 (May 2017) | https://www.sama.gov.sa/en-US/Laws/FinanceRules/SAMA%20Cyber%20Security%20Framework%20v1.0%20final_updated.pdf |
EMEA | Serbia | EMEA Serbia 87/2018 | Act of 9 November 2018 on Personal Data Protection (Official Gazette No. 87/18) | https://www.refworld.org/legal/legislation/natlegbod/2018/en/123513 |
EMEA | South Africa | EMEA South Africa | Protection of Personal Information Act (POPIA) | http://www.justice.gov.za/legislation/acts/2013-004.pdf |
EMEA | Spain | EMEA Spain BOE-A-2022-7191 | Spain BOE-A-2022-7191 | https://www.boe.es/diario_boe/txt.php?id=BOE-A-2022-7191 | https://securecontrolsframework.com/content/strm/scf-strm-emea-spain-boe-a-2022-7191.pdf
EMEA | Spain | EMEA Spain 1720/2007 | Spain Royal Decree 1720/2007 (protection of personal data) | https://www.mjusticia.gob.es/es/AreaTematica/DocumentacionPublicaciones/Documents/Royal_Decree_approving_the_regulations_relating_to_Constitucional_Act_on_Personal_Data_Protection_%28.PDF |
EMEA | Spain | EMEA Spain 311/2022 | Spain Royal Decree 311/2022 | https://www.boe.es/diario_boe/txt.php?id=BOE-A-2022-7191 |
EMEA | Spain | EMEA Spain CCN-STIC 825 | Spain ICT Security Guide CCN-STIC 825 | https://www.ccn-cert.cni.es/es/800-guia-esquema-nacional-de-seguridad/7122-ccn-stic-825-national-security-framework-27001-certifications/file.html |
EMEA | Sweden | EMEA Sweden | Personal Data Act | http://www.datainspektionen.se/in-english/legislation/the-personal-data-act/ |
EMEA | Switzerland | EMEA Switzerland | Federal Act on Data Protection (FADP) | https://www.admin.ch/opc/en/classified-compilation/19920153/index.html |
EMEA | Turkey | EMEA Turkey | Regulation on Protection of Personal Data in Electronic Communications Sector | https://global.tbmm.gov.tr/docs/constitution_en.pdf |
EMEA | UAE | EMEA UAE NIAF | UAE National Information Assurance Framework (NIAF) | https://u.ae/-/media/Documents-2023/National-Information-Assurance-Framework-NIAF.pdf | https://securecontrolsframework.com/content/strm/scf-strm-emea-uae-niaf.pdf
EMEA | United Kingdom | EMEA UK CAF v3.1 | Cyber Assessment Framework (CAF) v3.1 | https://www.ncsc.gov.uk/files/Cyber-Assessment-Framework-v3-1.pdf |
EMEA | United Kingdom | EMEA UK CAP 1850 | Cyber Assessment Framework (CAF) for Aviation Guidance (CAP 1850) | https://publicapps.caa.co.uk/modalapplication.aspx?appid=11&mode=detail&id=9295 |
EMEA | United Kingdom | EMEA UK Cyber Essentials | Cyber Essentials | https://www.cyberessentials.ncsc.gov.uk |
EMEA | United Kingdom | EMEA UK DPA | Data Protection Act | http://www.legislation.gov.uk/ukpga/1998/29/contents |
EMEA | United Kingdom | EMEA UK DEFSTAN 05-138 | Ministry of Defence Standard 05-138 (14 May 2024) | https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138-issue-4 | https://securecontrolsframework.com/content/strm/scf-strm-emea-uk-def-stan-05-138.pdf
EMEA | United Kingdom | EMEA UK GDPR | UK General Data Protection Regulation | https://www.legislation.gov.uk/eur/2016/679/data.pdf |
APAC | Australia | APAC Australia Essential 8 | Australia Essential Eight | https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight | https://securecontrolsframework.com/content/strm/scf-strm-apac-australia-essential-8.pdf
APAC | Australia | APAC Australia Privacy Act | Australia Privacy Act 1988 | https://www.comlaw.gov.au/Details/C2015C00089 |
APAC | Australia | APAC Australian Privacy Principles | Australian Privacy Principles | https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-quick-reference/ |
APAC | Australia | APAC Australia ISM June 2024 | Australian Government Information Security Manual (ISM) (June 2024) | https://www.cyber.gov.au/acsc/view-all-content/ism | https://securecontrolsframework.com/content/strm/scf-strm-apac-australia-ism-june-2024.pdf
APAC | Australia | APAC Australia IoT Code of Practice | Australia - Code of Practice - Securing the Internet of Things for Consumers | https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf |
APAC | Australia | APAC Australia Prudential Standard CPS230 | Prudential Standard CPS 230 - Operational Risk Management | https://www.apra.gov.au/sites/default/files/2023-07/Prudential%20Standard%20CPS%20230%20Operational%20Risk%20Management%20-%20clean.pdf |
APAC | Australia | APAC Australia Prudential Standard CPS234 | Prudential Standard CPS 234 - Information Security | https://www.apra.gov.au/sites/default/files/cps_234_july_2019_for_public_release.pdf |
APAC | China | APAC China Cybersecurity Law | Cybersecurity Law of the People's Republic of China (China Cybersecurity Law) 2017 | https://digichina.stanford.edu/work/translation-cybersecurity-law-of-the-peoples-republic-of-china-effective-june-1-2017/ | https://securecontrolsframework.com/content/strm/scf-strm-apac-china-cybersecurity-law-2017.pdf
APAC | China | APAC China Data Security Law (DSL) | Data Security Law of the People's Republic of China | https://digichina.stanford.edu/news/translation-data-security-law-peoples-republic-china |
APAC | China | APAC China DNSIP | Decision on Strengthening Network Information Protection | http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://www.gov.cn/jrzg/2012-12/28/content_2301231.htm&prev=search |
APAC | China | APAC China Privacy Law | Personal Information Protection Law of the People's Republic of China | http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml |
APAC | Hong Kong | APAC Hong Kong | Personal Data (Privacy) Ordinance | https://www.elegislation.gov.hk/hk/cap486!en-zh-Hant-HK.pdf?FROMCAPINDEX=Y |
APAC | India | India DPDPA 2023 | India Digital Personal Data Protection Act 2023 | https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf | https://securecontrolsframework.com/content/strm/scf-strm-apac-india-dpdpa-2023.pdf
APAC | India | India ITR | India Information Technology Rules (Privacy Rules) | http://www.wipo.int/edocs/lexdocs/laws/en/in/in098en.pdf |
APAC | Japan | Japan APPI | Act on the Protection of Personal Information (June 2020) | https://www.ppc.go.jp/files/pdf/APPI_english.pdf |
APAC | Japan | Japan ISMAP | Japan Information System Security Management and Assessment Program (ISMAP) | https://www.ismap.go.jp/csm/en?id=kb_article_view&sysparm_article=KB0010301&sys_kb_id=4d06b8701b4f011013a78665cc4bcbd2&spa=1 |
APAC | Malaysia | Malaysia | Personal Data Protection Act of 2010 | https://www.malaysia.gov.my/portal/content/654 |
APAC | New Zealand | New Zealand HISF 2022 | NZ Health Information Security Framework (2022) | https://www.tewhatuora.govt.nz/publications/health-information-security-framework | https://securecontrolsframework.com/content/strm/scf-strm-apac-nz-hisf-2025.pdf
APAC | New Zealand | New Zealand HISF Suppliers 2023 | HISO 10029:2024 NZ Health Information Security Framework Guidance for Suppliers | https://www.tewhatuora.govt.nz/assets/Publications/HISO-Standards/HISO-10029-4-2023-Health-Information-Security-Framework-Guidance-for-Suppliers.pdf | https://securecontrolsframework.com/content/strm/scf-strm-apac-nz-hisf-suppliers-2025.pdf
APAC | New Zealand | New Zealand NZISM 3.6 | New Zealand Information Security Manual (NZISM) v3.6 | https://www.nzism.gcsb.govt.nz/ism-document/ |
APAC | New Zealand | New Zealand Privacy Act of 2020 | New Zealand Privacy Act of 2020 | https://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html |
APAC | Philippines | Philippines | Data Privacy Act of 2012 | https://privacy.gov.ph/implementing-rules-and-regulations-of-republic-act-no-10173-known-as-the-data-privacy-act-of-2012/ |
APAC | Singapore | Singapore | Personal Data Protection Act of 2012 | https://sso.agc.gov.sg/Act/PDPA2012 |
APAC | Singapore | Singapore Cyber Hygiene Practice | Cyber Hygiene Practice | https://www.mas.gov.sg/-/media/MAS/Notices/PDF/MAS-Notice-132.pdf |
APAC | Singapore | Singapore MAS TRM 2021 | Monetary Authority of Singapore (MAS) Technology Risk Management (TRM) Guidelines (2021) | https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf |
APAC | South Korea | South Korea | Personal Information Protection Act | http://koreanlii.or.kr/w/images/0/0e/KoreanDPAct2011.pdf |
APAC | Taiwan | Taiwan | Personal Data Protection Act | http://law.moj.gov.tw/Eng/LawClass/LawAll.aspx?PCode=I0050021 |
Americas | Argentina | Argentina | Protection of Personal Data Law No. 25,326 | http://www.infoleg.gov.ar/infolegInternet/anexos/60000-64999/64790/norma.htm |
Americas | Argentina | Argentina Reg 132/2018 | Protection of Personal Data - MEN-2018-147-APN-PTE | https://www.argentina.gob.ar/sites/default/files/mensaje_ndeg_147-2018_datos_personales.pdf |
Americas | Bahamas | Bahamas | Data Protection Act | https://www.lexbahamas.com/Data%20Protection%202003.pdf |
Americas | Bermuda | Bermuda BMA CCC | Bermuda Monetary Authority Cyber Code of Conduct | https://www.bma.bm/viewPDF/documents/2020-10-06-09-27-29-Insurance-Sector-Cyber-Risk-Management-Code-of-Conduct.pdf |
Americas | Brazil | Brazil LGPD | General Data Protection Law (LGPD) | https://www.pnm.adv.br/wp-content/uploads/2018/08/Brazilian-General-Data-Protection-Law.pdf |
Americas | Canada | Canada CSAG | Office of the Superintendent of Financial Institutions Canada (OSFI) - Cyber Security Self-Assessment Guidance | https://www.osfi-bsif.gc.ca/en/risks/technology-cyber-risk-management/cyber-security-self-assessment |
Americas | Canada | Canada ITSP-10-171 | Protecting controlled information in non-Government of Canada systems and organizations (ITSP.10.171) | https://www.cyber.gc.ca/en/guidance/protecting-controlled-information-non-government-canada-systems-and-organizations-itsp10171 | https://securecontrolsframework.com/content/strm/scf-strm-americas-canada-itsp-10-171.pdf
Americas | Canada | Canada OSFI B-13 | B-13 | https://www.osfi-bsif.gc.ca/Eng/fi-if/rg-ro/gdn-ort/gl-ld/Pages/b13-jul-let.aspx | https://securecontrolsframework.com/content/strm/scf-strm-americas-canada-osfi-b13.pdf
Americas | Canada | Canada PIPEDA | Personal Information Protection and Electronic Documents Act (PIPEDA) | http://laws-lois.justice.gc.ca/eng/acts/p-8.6/FullText.html |
Americas | Chile | Chile | Act 19628 - Protection of Personal Data | http://www.leychile.cl/Navegar?idNorma=141599 |
Americas | Colombia | Colombia | Law 1581 of 2012 | https://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=49981 |
Americas | Costa Rica | Costa Rica | Protection of the Person in the Processing of His Personal Data | Link is deprecated - no longer works. |
Americas | Mexico | Mexico | Federal Law on Protection of Personal Data held by Private Parties | https://privacyassociation.org/media/pdf/knowledge_center/Mexico_Federal_Data_Protection_Act_July2010.pdf |
Americas | Peru | Peru | Personal Data Protection Law | Link is deprecated - no longer works. |
Americas | Uruguay | Uruguay | Law No. 18,331 - Protection of Personal Data and Action "Habeas Data" | Link is deprecated - no longer works. |
version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Columns (one control per record below): SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Evidence Request List (ERL) # | Possible Solutions & Considerations for Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8) and Enterprise (> 1,000 staff; BLS Firm Size Class 9) | SCF Control Question | Relative Control Weighting | NIST CSF Function Grouping | PPTDF Applicability (PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY) | SCRM Focus (TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL) | C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

The maturity-level cells in this export are cut off at the cell boundary; each C|P-CMM entry below ends where the exported text ends. The export also does not preserve which of the PPTDF and SCRM columns carry an "x" mark, so only the marks themselves are listed.

Mechanisms exist to facilitate the implementation of cybersecurity & data ∙ ComplianceForge - ∙ ComplianceForge - ∙ Steering committee ∙ Steering committee ∙ Steering committee Does the organization facilitate the implementation There is no evidence of a capability to Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) See C|P-CMM4. There are no defined C|P-
protection governance controls. Cybersecurity & Data Protection Cybersecurity & Data Protection ∙ ComplianceForge - Digital ∙ ComplianceForge - Digital ∙ ComplianceForge - Digital of cybersecurity & data protection governance facilitate the implementation of cybersecurity efforts are ad hoc and inconsistent. CMM Level efforts are requirements-driven and governed efforts are standardized across the efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Cybersecurity & Cybersecurity & Data Program (CDPP) Program (CDPP) Security Program (DSP) Security Program (DSP) Security Program (DSP) controls? & data privacy governance controls. 1 control maturity would reasonably expect at a local/regional level, but are not consistent organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
E-GOV-01
Data Protection Protection Governance GOV-01 (https://complianceforge.com) (https://complianceforge.com) (https://complianceforge.com) (https://complianceforge.com) (https://complianceforge.com) 10 x Govern x x x all, or at least most, the following criteria to across the organization. CMM Level 2 control technically feasible, to ensure consistency. quantitative understanding of process not necessary to facilitate the implementation
E-GOV-02
Governance Program ∙ ComplianceForge - ∙ ComplianceForge - exist: maturity would reasonably expect all, or at CMM Level 3 control maturity would capabilities) to predict optimal performance, of cybersecurity & data privacy governance
Cybersecurity & Data Protection Cybersecurity & Data Protection • No formal cybersecurity and/ or data least most, the following criteria to exist: reasonably expect all, or at least most, the ensure continued operations and identify controls.
Program (CDPP) Program (CDPP) privacy principles are identified for the • Cybersecurity and data privacy following criteria to exist: areas for improvement. In addition to CMM
Mechanisms exist to coordinate cybersecurity, data protection and business ∙ Third-party advisors (subject ∙ Third-party advisors (subject ∙ Steering committee / advisory
(https://complianceforge.com) ∙ Steering committee / advisory
(https://complianceforge.com) ∙ Steering committee / advisory Does the organization coordinate cybersecurity, There is no evidence of a capability to Cybersecurity
organization. & Privacy Governance (GOV) Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) See C|P-CMM4. There are no defined C|P-
alignment through a steering committee or advisory board, comprised of matter experts) matter experts) board board board data protection and business alignment through a coordinate cybersecurity, data privacy and efforts are ad hoc and inconsistent. CMM Level efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Cybersecurity & key cybersecurity, data privacy and business executives, which meets steering committee or advisory board, comprised of business alignment through a steering 1 control maturity would reasonably expect at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
Steering Committee &
Data Protection GOV-01.1 formally and on a regular basis. E-GOV-03 key cybersecurity, data privacy and business 7 x Govern x x committee or advisory board, comprised of all, or at least most, the following criteria to across the organization. CMM Level 2 control technically feasible, to ensure consistency. quantitative understanding of process not necessary to coordinate cybersecurity,
Program Oversight
Governance executives, which meets formally and on a regular key cybersecurity, data privacy and business exist: maturity would reasonably expect all, or at CMM Level 3 control maturity would capabilities) to predict optimal performance, data privacy and business alignment through
basis? executives, which meets formally and on a • No formal cybersecurity and/ or data least most, the following criteria to exist: reasonably expect all, or at least most, the ensure continued operations and identify a steering committee or advisory board,
E-CPL-05 regular basis. privacy principles are identified for the • Cybersecurity and data privacy following criteria to exist: areas for improvement. In addition to CMM comprised of key cybersecurity, data privacy
Mechanisms exist to provide governance oversight reporting and E-CPL-09 ∙ Quarterly Business Review ∙ Quarterly Business Review ∙ Quarterly Business Review ∙ Quarterly Business Review ∙ Quarterly Business Review Does the organization provide governance There is no evidence of a capability to provide C|P-CMM1
organization.is N/A, since a structured process is Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
recommendations to those entrusted to make executive decisions about E-GOV-03 (QBR) (QBR) (QBR) (QBR) (QBR) oversight reporting and recommendations to those governance oversight reporting and required to provide governance oversight efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & matters considered material to the organization's cybersecurity & data entrusted to make executive decisions about recommendations to those entrusted to make reporting and recommendations to those at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Status Reporting To E-GOV-04
Data Protection GOV-01.2 protection program. matters considered material to its cybersecurity & 5 x Govern x x executive decisions about matters considered entrusted to make executive decisions about across the organization. CMM Level 2 control technically feasible, to ensure consistency. not necessary to provide governance not necessary to provide governance
Governing Body E-GOV-05
Governance data protection program? material to its cybersecurity & data protection matters considered material to its maturity would reasonably expect all, or at CMM Level 3 control maturity would oversight reporting and recommendations to oversight reporting and recommendations to
E-GOV-06
E-GOV-07 program. cybersecurity & data protection program. least most, the following criteria to exist: reasonably expect all, or at least most, the those entrusted to make executive decisions those entrusted to make executive decisions
E-GOV-13 • Cybersecurity and data privacy following criteria to exist: about matters considered material to its about matters considered material to its
Mechanisms exist to commit appropriate resources needed for continual Does the organization commit appropriate There is no evidence of a capability to commit C|P-CMM1 is N/A, since a structured process is Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
improvement of the organization's cybersecurity & data privacy program, resources needed for continual improvement of the appropriate resources needed for continual required to commit appropriate resources efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & including: organization's cybersecurity & data privacy improvement of the organization's needed for continual improvement of the at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Commitment To
Data Protection GOV-01.3 (1) Staffing; program, including: 7 x Govern x x cybersecurity & data privacy program, organization's cybersecurity & data privacy across the organization. CMM Level 2 control technically feasible, to ensure consistency. not necessary to commit appropriate not necessary to commit appropriate
Continual Improvements
Governance (2) Budget; (1) Staffing; including: program, including: maturity would reasonably expect all, or at CMM Level 3 control maturity would resources needed for continual improvement resources needed for continual improvement
(3) Processes; and (2) Budget; (1) Staffing; (1) Staffing; least most, the following criteria to exist: reasonably expect all, or at least most, the of the organization's cybersecurity & data of the organization's cybersecurity & data
(4) Technologies. (3) Processes; and (2) Budget; (2) Budget; • Cybersecurity and data privacy following criteria to exist: privacy program, including: privacy program, including:
Mechanisms exist to establish, maintain and disseminate cybersecurity & ∙ ComplianceForge - ∙ ComplianceForge - ∙ ComplianceForge - Digital ∙ ComplianceForge - Digital ∙ ComplianceForge - Digital Does the organization establish, maintain and There is no evidence of a capability to Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) See C|P-CMM4. There are no defined C|P-
data protection policies, standards and procedures. Cybersecurity & Data Protection Cybersecurity & Data Protection
Security Program (DSP) Security Program (DSP) Security Program (DSP) disseminate cybersecurity & data protection establish, maintain and disseminate efforts are ad hoc and inconsistent. CMM Level efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Cybersecurity & Publishing Cybersecurity E-GOV-08 Program (CDPP) Program (CDPP) (https://complianceforge.com) (https://complianceforge.com) (https://complianceforge.com) policies, standards and procedures? cybersecurity & data privacy policies, 1 control maturity would reasonably expect at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
Data Protection & Data Protection GOV-02 E-GOV-09 (https://complianceforge.com) (https://complianceforge.com)
∙ ComplianceForge - ∙ ComplianceForge - 10 x Govern x x x standards and procedures. all, or at least most, the following criteria to across the organization. CMM Level 2 control technically feasible, to ensure consistency. quantitative understanding of process not necessary to establish, maintain and
Governance Documentation E-GOV-11 ∙ SCFConnect ∙ SCFConnect Cybersecurity & Data Protection Cybersecurity & Data Protection exist: maturity would reasonably expect all, or at CMM Level 3 control maturity would capabilities) to predict optimal performance, disseminate cybersecurity & data privacy
(https://scfconnect.com) (https://scfconnect.com) Program (CDPP) Program (CDPP) • No formal cybersecurity and/ or data least most, the following criteria to exist: reasonably expect all, or at least most, the ensure continued operations and identify policies, standards and procedures.
(https://complianceforge.com) (https://complianceforge.com) privacy principles are identified for the • Cybersecurity and data privacy following criteria to exist: areas for improvement. In addition to CMM
Mechanisms exist to prohibit exceptions to standards, except when the ∙ Manual exception management ∙ Manual exception management ∙ Manual exception management ∙ Governance, Risk & Compliance ∙ Governance, Risk & Compliance Does the organization prohibit exceptions to There is no evidence of a capability to prohibit Cybersecurity
organization. & Privacy Governance (GOV) Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
exception has been formally assessed for risk impact, approved and process process process (GRC) solution (GRC) solution standards, except when the exception has been exceptions to standards, except when the efforts are ad hoc and inconsistent. CMM Level efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & recorded. ∙ SCFConnect ∙ Governance, Risk & Compliance ∙ Governance, Risk & Compliance ∙ SCFConnect ∙ SCFConnect formally assessed for risk impact, approved and exception has been formally assessed for risk 1 control maturity would reasonably expect at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Data Protection Exception Management GOV-02.1 E-GOV-18 (https://scfconnect.com) (GRC) solution (GRC) solution (https://scfconnect.com) (https://scfconnect.com) recorded? 8 x Govern x x x impact, approved and recorded. all, or at least most, the following criteria to across the organization. CMM Level 2 control technically feasible, to ensure consistency. not necessary to prohibit exceptions to not necessary to prohibit exceptions to
Governance ∙ SCFConnect ∙ SCFConnect exist: maturity would reasonably expect all, or at CMM Level 3 control maturity would standards, except when the exception has standards, except when the exception has
(https://scfconnect.com) (https://scfconnect.com) • No formal cybersecurity and/ or data least most, the following criteria to exist: reasonably expect all, or at least most, the been formally assessed for risk impact, been formally assessed for risk impact,
privacy principles are identified for the • Cybersecurity and data privacy following criteria to exist: approved and recorded. approved and recorded.
Mechanisms exist to review the cybersecurity & data protection program, ∙ Human reviews ∙ Human reviews ∙ Human reviews ∙ Human reviews ∙ Human reviews Does the organization review the cybersecurity & Mechanisms exist to review the cybersecurity Cybersecurity
organization. & Privacy Governance (GOV) Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Periodic Review & including policies, standards and procedures, at planned intervals or if ∙ Documentation change control ∙ Documentation change control ∙ Documentation change control ∙ Documentation change control ∙ Documentation change control data protection program, including policies, & data protection program, including policies, efforts are ad hoc and inconsistent. CMM Level efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & significant changes occur to ensure their continuing suitability, adequacy standards and procedures, at planned intervals or if standards and procedures, at planned 1 control maturity would reasonably expect at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Update of Cybersecurity
Data Protection GOV-03 and effectiveness. E-GOV-12 significant changes occur to ensure their continuing 7 x Govern x x x intervals or if significant changes occur to all, or at least most, the following criteria to across the organization. CMM Level 2 control technically feasible, to ensure consistency. not necessary to review the cybersecurity & not necessary to review the cybersecurity &
& Data Protection
Governance suitability, adequacy and effectiveness? ensure their continuing suitability, adequacy exist: maturity would reasonably expect all, or at CMM Level 3 control maturity would data protection program, including policies, data protection program, including policies,
Program
and effectiveness. • No formal cybersecurity and/ or data least most, the following criteria to exist: reasonably expect all, or at least most, the standards and procedures, at planned standards and procedures, at planned
E-HRS-01 privacy principles are identified for the • Cybersecurity and data privacy following criteria to exist: intervals or if significant changes occur to intervals or if significant changes occur to
Mechanisms exist to assign one or more qualified individuals with the E-HRS-05 ∙ Third-party advisors (e.g., ∙ Third-party advisors (e.g., ∙ Chief Information Security ∙ Chief Information Security ∙ Chief Information Security Does the organization assign one or more qualified There is no evidence of a capability to assign a C|P-CMM1
organization.is N/A, since a structured process is Cybersecurity & Privacy
governance activities areGovernance (GOV)
decentralized (e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
mission and resources to centrally-manage, coordinate, develop, implement E-HRS-06 virtual CISO, Managed Security virtual CISO, Managed Security Officer (CISO) Officer (CISO) Officer (CISO) individuals with the mission and resources to qualified individual with the mission and required to assign a qualified individual with efforts are requirements-driven
a localized/regionalized function)and
andgoverned
uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & Assigned Cybersecurity and maintain an enterprise-wide cybersecurity & data protection program. E-HRS-07 Services Provider (MSSP), etc.) Services Provider (MSSP), etc.) centrally-manage, coordinate, develop, implement resources to centrally-manage, coordinate, the mission and resources to centrally- at a local/regional methods
non-standardized level, butto
are not consistent
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Data Protection & Data Protection GOV-04 E-HRS-08 and maintain an enterprise-wide cybersecurity & 10 x Govern x x x develop, implement and maintain an manage, coordinate, develop, implement and across the organization. CMM Level 2 control technically feasible, to ensure consistency. not necessary to assign a qualified individual not necessary to assign a qualified individual
Governance Responsibilities E-HRS-09 data protection program? enterprise-wide cybersecurity & data privacy maintain an enterprise-wide cybersecurity & maturity would reasonably expect all, or at CMM Level 3 control maturity would with the mission and resources to centrally- with the mission and resources to centrally-
E-HRS-10 program. data privacy program. least most, the following criteria to exist: reasonably expect all, or at least most, the manage, coordinate, develop, implement and manage, coordinate, develop, implement and
E-HRS-13 • Cybersecurity and data privacy following criteria to exist: maintain an enterprise-wide cybersecurity & maintain an enterprise-wide cybersecurity &
Mechanisms exist to enforce an accountability structure so that appropriate E-HRS-15 ∙ Documented roles and ∙ Documented roles and ∙ Documented roles and ∙ Documented roles and ∙ Documented roles and Does the organization enforce an accountability There is no evidence of a capability to enforce C|P-CMM1 is N/A, since a structured process is C|P-CMM2
governance is activities
N/A, sinceare
a well-defined
decentralizedprocess
(e.g., Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
teams and individuals are empowered, responsible and trained for responsibilities responsibilities responsibilities responsibilities responsibilities structure so that appropriate teams and individuals an accountability structure so that appropriate required to enforce an accountability structure is required to enforce anfunction)
a localized/regionalized accountability
and uses efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & mapping, measuring and managing data and technology-related risks. are empowered, responsible and trained for teams and individuals are empowered, so that appropriate teams and individuals are structure so that appropriate
non-standardized methods to teams and
implement organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Stakeholder
Data Protection GOV-04.1 E-HRS-15 mapping, measuring and managing data and 8 x Govern x x x responsible and trained for mapping, empowered, responsible and trained for individuals are empowered, responsible and technically feasible, to ensure consistency. not necessary to enforce an accountability not necessary to enforce an accountability
Accountability Structure
Governance technology-related risks? measuring and managing data and mapping, measuring and managing data and trained for mapping, measuring and managing CMM Level 3 control maturity would structure so that appropriate teams and structure so that appropriate teams and
technology-related risks. technology-related risks. data and technology-related risks. reasonably expect all, or at least most, the individuals are empowered, responsible and individuals are empowered, responsible and
following criteria to exist: trained for mapping, measuring and managing trained for mapping, measuring and managing
Mechanisms exist to establish an authoritative chain of command with clear ∙ Organization chart ∙ Organization chart ∙ Organization chart ∙ Organization chart ∙ Organization chart Does the organization establish an authoritative There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
lines of communication to remove ambiguity from individuals and teams chain of command with clear lines of establish an authoritative chain of command required to establish an authoritative chain of is required to establish an authoritative chain efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & related to managing data and technology-related risks. communication to remove ambiguity from with clear lines of communication to remove command with clear lines of communication to of command with clear lines of communication organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Authoritative Chain of
Data Protection GOV-04.2 E-HRS-15 individuals and teams related to managing data and 7 x Govern x x x ambiguity from individuals and teams related remove ambiguity from individuals and teams to remove ambiguity from individuals and technically feasible, to ensure consistency. not necessary to establish an authoritative not necessary to establish an authoritative
Command
Governance technology-related risks? to managing data and technology-related related to managing data and technology- teams related to managing data and CMM Level 3 control maturity would chain of command with clear lines of chain of command with clear lines of
risks. related risks. technology-related risks. reasonably expect all, or at least most, the communication to remove ambiguity from communication to remove ambiguity from
following criteria to exist: individuals and teams related to managing individuals and teams related to managing
SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Measures of Performance
SCF #: GOV-05
SCF Control Description: Mechanisms exist to develop, report and monitor cybersecurity & data privacy program measures of performance.
Evidence Request List (ERL) #: E-GOV-13
Possible Solutions & Considerations: ∙ Manually-generated metrics (all five business-size columns); ∙ Governance, Risk & Compliance (GRC) solution (four of the five business-size columns)
SCF Control Question: Does the organization develop, report and monitor cybersecurity & data privacy program measures of performance?
Relative Control Weighting: 6
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to develop, report and monitor cybersecurity & data privacy program measures of performance.
C|P-CMM 1 (Performed Informally): Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/or data privacy principles are identified for the organization. …
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Key Performance Indicators (KPIs)
SCF #: GOV-05.1
SCF Control Description: Mechanisms exist to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
Possible Solutions & Considerations: ∙ Manually-generated metrics (all five business-size columns); ∙ Governance, Risk & Compliance (GRC) solution (four of the five business-size columns)
SCF Control Question: Does the organization develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program?
Relative Control Weighting: 6
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to develop, report and monitor Key Performance Indicators (KPIs) to assist organizational management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Key Risk Indicators (KRIs)
SCF #: GOV-05.2
SCF Control Description: Mechanisms exist to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
Evidence Request List (ERL) #: E-GOV-13
Possible Solutions & Considerations: ∙ Manually-generated metrics (all five business-size columns); ∙ Governance, Risk & Compliance (GRC) solution (four of the five business-size columns)
SCF Control Question: Does the organization develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program?
Relative Control Weighting: 6
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to develop, report and monitor Key Risk Indicators (KRIs) to assist senior management in performance monitoring and trend analysis of the cybersecurity & data privacy program.
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Contacts With Authorities
SCF #: GOV-06
SCF Control Description: Mechanisms exist to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.
Possible Solutions & Considerations: ∙ Integrated Security Incident Response Team (ISIRT) (three of the five business-size columns)
SCF Control Question: Does the organization identify and document appropriate contacts with relevant law enforcement and regulatory bodies?
Relative Control Weighting: 5
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to identify and document appropriate contacts with relevant law enforcement and regulatory bodies.
C|P-CMM 1 (Performed Informally): Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/or data privacy principles are identified for the organization. …
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Contacts With Groups & Associations
SCF #: GOV-07
SCF Control Description: Mechanisms exist to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: (1) Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; (2) Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and (3) Share current cybersecurity and/or data privacy-related information including threats, vulnerabilities and incidents.
Evidence Request List (ERL) #: E-THR-02
Possible Solutions & Considerations (all five business-size columns): ∙ ISACA chapters; ∙ ISAA chapters; ∙ IAPP chapters; ∙ Cooey Center of Excellence (Discord)
SCF Control Question: Does the organization establish contact with selected groups and associations within the cybersecurity & data privacy communities to: (1) Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; (2) Maintain currency with recommended cybersecurity & data privacy practices, techniques and technologies; and …
Relative Control Weighting: 7
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to establish contact with selected groups and associations within the cybersecurity & data privacy communities to: (1) Facilitate ongoing cybersecurity & data privacy education and training for organizational personnel; …
C|P-CMM 1 (Performed Informally): Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/or data privacy principles are identified for the organization. …
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): Cybersecurity & Privacy Governance (GOV) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Defining Business Context & Mission
SCF #: GOV-08
SCF Control Description: Mechanisms exist to define the context of its business model and document the organization's mission.
Evidence Request List (ERL) #: E-PRM-01
SCF Control Question: Does the organization define the context of its business model and document the mission of the organization?
Relative Control Weighting: 5
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to define the context of its business model and document the mission of the organization.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to define the context of its business model and document the mission of the organization.
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define the context of its business model and document the mission of the organization.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define the context of its business model and document the mission of the organization.

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Define Control Objectives
SCF #: GOV-09
SCF Control Description: Mechanisms exist to establish control objectives as the basis for the selection, implementation and management of the organization's internal control system.
Evidence Request List (ERL) #: E-GOV-10
SCF Control Question: Does the organization establish control objectives as the basis for the selection, implementation and management of its internal control system?
Relative Control Weighting: 5
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to establish control objectives as the basis for the selection, implementation and management of its internal control system.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to establish control objectives as the basis for the selection, implementation and management of its internal control system.
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish control objectives as the basis for the selection, implementation and management of its internal control system.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish control objectives as the basis for the selection, implementation and management of its internal control system.

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Data Governance
SCF #: GOV-10
SCF Control Description: Mechanisms exist to facilitate data governance to oversee the organization's policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.
Possible Solutions & Considerations: ∙ Chief Data Officer (CDO) (two of the five business-size columns)
SCF Control Question: Does the organization facilitate data governance to oversee its policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations?
Relative Control Weighting: 9
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to facilitate data governance to oversee its policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with applicable statutory, regulatory and contractual obligations.
C|P-CMM 1 (Performed Informally): Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/or data privacy principles are identified for the organization. …
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate data governance to oversee its policies, standards and procedures so that sensitive/regulated data is effectively managed and maintained in accordance with …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Purpose Validation
SCF #: GOV-11
SCF Control Description: Mechanisms exist to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.
SCF Control Question: Does the organization monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose?
Relative Control Weighting: 5
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.
C|P-CMM 1 (Performed Informally): Cybersecurity & Privacy Governance (GOV) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • No formal cybersecurity and/or data privacy principles are identified for the organization. …
C|P-CMM 2 (Planned & Tracked): Cybersecurity & Privacy Governance (GOV) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cybersecurity and data privacy governance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement …
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): Cybersecurity & Privacy Governance (GOV) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to monitor mission/business-critical services or functions to ensure those resources are being used consistent with their intended purpose.

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: Forced Technology Transfer (FTT)
SCF #: GOV-12
SCF Control Description: Mechanisms exist to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
Possible Solutions & Considerations: ∙ Legal review (all five business-size columns); ∙ Steering committee (three of the five business-size columns); ∙ Board of Directors (BoD) (three of the five business-size columns)
SCF Control Question: Does the organization avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices?
Relative Control Weighting: 10
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market access or market management practices.
C|P-CMM 3 (Well Defined): Cybersecurity & Privacy Governance (GOV) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to avoid and/or constrain the forced exfiltration of sensitive / regulated information (e.g., Intellectual Property (IP)) to the host government for purposes of market …

SCF Domain: Cybersecurity & Data Protection Governance
SCF Control: State-Sponsored Espionage
SCF #: GOV-13
SCF Control Description: Mechanisms exist to constrain the host government's ability to leverage the organization's technology assets for economic or political espionage and/or cyberwarfare activities.
Possible Solutions & Considerations: ∙ Legal review (all five business-size columns); ∙ Steering committee (three of the five business-size columns); ∙ Board of Directors (BoD) (three of the five business-size columns)
SCF Control Question: Does the organization constrain the host government's ability to leverage its technology assets for economic or political espionage and/or cyberwarfare activities?
Relative Control Weighting: 10
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to constrain the host gov…

SCF #: GOV-14
Relative Control Weighting: 6
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF #: GOV-15
Relative Control Weighting: 9
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF Control: Select Controls
SCF #: GOV-15.1
Relative Control Weighting: 8
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF Control: Implement Controls
SCF #: GOV-15.2
Relative Control Weighting: 9
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF Control: Assess Controls
SCF #: GOV-15.3
Relative Control Weighting: 8
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF #: GOV-15.4
Relative Control Weighting: 8
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF Control: Monitor Controls
SCF #: GOV-15.5
Relative Control Weighting: 8
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x

SCF #: GOV-16
Evidence Request List (ERL) #: E-GOV-14
Relative Control Weighting: 7
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x

SCF Control: Material Risks
SCF #: GOV-16.1
Evidence Request List (ERL) #: E-GOV-15
Relative Control Weighting: 7
NIST CSF Function Grouping: Govern
PPTDF / SCRM applicability marks (as extracted): x x x
Mechanisms exist to define criteria necessary to designate a threat as a ∙ SCF Cybersecurity & Data ∙ SCF Cybersecurity & Data ∙ SCF Cybersecurity & Data ∙ SCF Cybersecurity & Data ∙ SCF Cybersecurity & Data Does the organization define criteria necessary to There is no evidence of a capability to define C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
material threat. Privacy Risk Management Model Privacy Risk Management Model Privacy Risk Management Model Privacy Risk Management Model Privacy Risk Management Model designate a threat as a material threat? criteria necessary to designate a threat as a required to designate a threat as a material is required to designate a threat as a material efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & (C|P-RMM) (C|P-RMM) (C|P-RMM) (C|P-RMM) (C|P-RMM) material threat. threat. threat. organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Data Protection Material Threats GOV-16.2 E-GOV-16 (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. 7 x Govern x x technically feasible, to ensure consistency. not necessary to designate a threat as a not necessary to designate a threat as a
Governance com/risk-management-model) com/risk-management-model) com/risk-management-model) com/risk-management-model) com/risk-management-model) CMM Level 3 control maturity would material threat. material threat.
reasonably expect all, or at least most, the
following criteria to exist:
Mechanisms exist to submit status reporting of the organization's Does the organization submit status reporting of its There is no evidence of a capability to submit C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Cybersecurity & Privacy Governance (GOV) See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
cybersecurity and/or data privacy program to applicable statutory and/or cybersecurity and/or data privacy program to status reporting of its cybersecurity and/or required to submit status reporting of its is required to submit status reporting of its efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cybersecurity & regulatory authorities, as required. applicable statutory and/or regulatory authorities, data privacy program to applicable statutory cybersecurity and/or data privacy program to cybersecurity and/or data privacy program to organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Cybersecurity & Data
Data Protection GOV-17 E-GOV-17 as required? 8 x Govern x x and/or regulatory authorities, as required. applicable statutory and/or regulatory applicable statutory and/or regulatory technically feasible, to ensure consistency. not necessary to submit status reporting of its not necessary to submit status reporting of its
Privacy Status Reporting
Governance authorities, as required. authorities, as required. CMM Level 3 control maturity would cybersecurity and/or data privacy program to cybersecurity and/or data privacy program to
reasonably expect all, or at least most, the applicable statutory and/or regulatory applicable statutory and/or regulatory
following criteria to exist: authorities, as required. authorities, as required.
Mechanisms exist to govern a Quality Management System (QMS) to ensure Does the organization govern a Quality Mechanisms exist to govern a Quality C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Cybersecurity & Privacy Governance (GOV) Cybersecurity & Privacy Governance (GOV) See C|P-CMM4. There are no defined C|P-
cybersecurity and data protection processes conform with applicable Management System (QMS) to ensure cybersecurity Management System (QMS) to ensure required to govern a Quality Management is required to govern a Quality Management efforts are standardized across the efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Cybersecurity & statutory, regulatory and/or contractual obligations. and data protection processes conform with cybersecurity and data protection processes System (QMS) to ensure cybersecurity and System (QMS) to ensure cybersecurity and organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
Quality Management
Data Protection GOV-18 applicable statutory, regulatory and/or contractual 4 x Govern x conform with applicable statutory, regulatory data protection processes conform with data protection processes conform with technically feasible, to ensure consistency. quantitative understanding of process not necessary to govern a Quality
System (QMS)
Governance obligations? and/or contractual obligations. applicable statutory, regulatory and/or applicable statutory, regulatory and/or CMM Level 3 control maturity would capabilities) to predict optimal performance, Management System (QMS) to ensure
contractual obligations. contractual obligations. reasonably expect all, or at least most, the ensure continued operations and identify cybersecurity and data protection processes
following criteria to exist: areas for improvement. In addition to CMM conform with applicable statutory, regulatory
AAT-01: Artificial Intelligence (AI) & Autonomous Technologies Governance
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Evidence Request List (ERL) ID: E-AAT-01
Control question: Does the organization ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively?
Weighting and function grouping (raw columns): 10 x Govern x x
C|P-CMM 0: There is no evidence of a capability to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks are in place, transparent and implemented effectively.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure policies, processes, procedures and practices related to the mapping, measuring and managing of Artificial Intelligence (AI) and Autonomous

AAT-01.1: AI & Autonomous Technologies-Related Legal Requirements Definition
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Evidence Request List (ERL) ID: E-AAT-02
Control question: Does the organization identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 8 x Govern x x
C|P-CMM 0: There is no evidence of a capability to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify, understand, document and manage applicable statutory and regulatory requirements for Artificial Intelligence (AI) and Autonomous

AAT-01.2: Trustworthy AI & Autonomous Technologies
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Evidence Request List (ERL) ID: E-AAT-03
Control question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences?
Weighting and function grouping (raw columns): 10 x Protect x x
C|P-CMM 0: There is no evidence of a capability to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or unintended consequences.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data privacy-enhanced to minimize emergent properties or
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed to be reliable, safe, fair, secure, resilient, transparent, explainable and data

AAT-01.3: AI & Autonomous Technologies Value Sustainment
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 1 x Identify x x
C|P-CMM 0: There is no evidence of a capability to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to sustain the value of deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-02: Situational Awareness of AI & Autonomous Technologies
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party)?
Weighting and function grouping (raw columns): 9 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop and maintain an inventory of Artificial Intelligence (AI) and Autonomous Technologies (AAT) (internal and third-party).

AAT-02.1: AI & Autonomous Technologies Risk Mapping
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements?
Weighting and function grouping (raw columns): 9 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory compliance requirements.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify Artificial Intelligence (AI) and Autonomous Technologies (AAT) in use and map those components to potential legal risks, including statutory and regulatory

AAT-02.2: AI & Autonomous Technologies Internal Controls
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 9 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to identify and document internal cybersecurity & data privacy controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to identify and document internal cybersecurity & data protection controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify and document internal cybersecurity & data protection controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify and document internal cybersecurity & data protection controls for Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-02.3: Adequate Protections For AI & Autonomous Technologies
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with assessed risks and threats.
Control question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with assessed risks and threats?
Weighting and function grouping (raw columns): 10 x Govern x x
C|P-CMM 0: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with assessed risks and threats.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with assessed risks and threats.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include reasonable cybersecurity and data protections that are commensurate with

AAT-03: AI & Autonomous Technologies Context Definition
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
(1) Intended purposes;
(2) Potentially beneficial uses;
(3) Context-specific laws and regulations;
(4) Norms and expectations; and
(5) Prospective settings in which the system(s) will be deployed.
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
(1) Intended purposes;
(2) Potentially beneficial uses;
(3) Context-specific laws and regulations;
(4) Norms and expectations; and
Weighting and function grouping (raw columns): 8 x Identify x x
C|P-CMM 0: There is no evidence of a capability to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: (1) Intended purposes; (2) Potentially beneficial uses;
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including: (1) Intended purposes; (2) Potentially beneficial uses;
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish and document the context surrounding Artificial Intelligence (AI) and Autonomous Technologies (AAT), including:

AAT-03.1: AI & Autonomous Technologies Mission and Goals Definition
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to define and document the organization's mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 8 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define and document its mission and defined goals for Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-04: AI & Autonomous Technologies Business Case
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Evidence Request List (ERL) ID: E-AAT-04
Control question: Does the organization benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 8 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to benchmark capabilities, targeted usage, goals and expected benefits and costs of Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-04.1: AI & Autonomous Technologies Potential Benefits Analysis
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 2 x Identify x x
C|P-CMM 0: There is no evidence of a capability to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assess the potential benefits of proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-04.2: AI & Autonomous Technologies Potential Costs Analysis
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness?
Weighting and function grouping (raw columns): 2 x Identify x x
C|P-CMM 0: There is no evidence of a capability to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related errors or system functionality and trustworthiness.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assess potential costs, including non-monetary costs, resulting from expected or realized Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related

AAT-04.3: AI & Autonomous Technologies Targeted Application Scope
SCF Domain: Artificial & Autonomous Technologies
Control description: Mechanisms exist to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
∙ Artificial Intelligence (AI) / autonomous technologies governance program
Control question: Does the organization specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting and function grouping (raw columns): 8 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to specify and document the targeted application scope of the proposed use and operation of Artificial Intelligence (AI) and Autonomous Technologies (AAT).


SCF #: AAT-04.4
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Cost / Benefit Mapping
SCF Control Description: Mechanisms exist to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 2 x Identify x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to map risks and benefits for all components of Artificial Intelligence (AI) and Autonomous Technologies (AAT), including third-party software and data.

SCF #: AAT-05
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Training
SCF Control Description: Mechanisms exist to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 5 x Identify x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure personnel and external stakeholders are provided with position-specific risk management training for Artificial Intelligence (AI) and Autonomous

SCF #: AAT-06
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Fairness & Bias
SCF Control Description: Mechanisms exist to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier.
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-charged identifier?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 9 x Identify x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin, religion, disability or any other politically-
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented population defined by race, religion, gender identity, national origin,
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prevent Artificial Intelligence (AI) and Autonomous Technologies (AAT) from unfairly identifying, profiling and/or statistically singling out a segmented

SCF #: AAT-07
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Risk Management Decisions
SCF Control Description: Mechanisms exist to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
Evidence Request List (ERL) #: E-AAT-05
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 10 x Identify x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to leverage decision makers from a diversity of demographics, disciplines, experience, expertise and backgrounds for mapping, measuring and managing Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level

The following controls appear on this page with only their identifiers and scoring fields (Weighting / PPTDF / NIST CSF Function / SCRM Focus):

SCF #: AAT-07.1; ERL #: E-AAT-06; 8 x Identify x x
SCF #: AAT-07.2; ERL #: E-AAT-06; 10 x Identify x x x
SCF #: AAT-07.3; 8 x Identify x x x
SCF #: AAT-08; 9 x Identify x x x
SCF #: AAT-09; 9 x Identify x
SCF #: AAT-09.1; 7 x Identify x x
SCF #: AAT-10; 10 x Detect x x x
SCF #: AAT-10.1; 10 x Detect x
SCF #: AAT-10.2; SCF Control: AI TEVV Tools; 7 x Detect x x



version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Columns of the SCF control catalogue:
SCF Domain
SCF Control
SCF #
Secure Controls Framework (SCF) Control Description
Evidence Request List (ERL) #
Possible Solutions & Considerations: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8), Enterprise (> 1,000 staff; BLS Firm Size Class 9)
SCF Control Question
Relative Control Weighting
PPTDF Applicability: PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY
NIST CSF Function Grouping
SCRM Focus: TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL
C|P-CMM 0 Not Performed; C|P-CMM 1 Performed Informally; C|P-CMM 2 Planned & Tracked; C|P-CMM 3 Well Defined; C|P-CMM 4 Quantitatively Controlled; C|P-CMM 5 Continuously Improving

SCF #: AAT-10.3
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Trustworthiness Demonstration
SCF Control Description: Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid; (2) Reliable; and (3) Operate as intended, based on approved designs.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid; (2) Reliable; and (3) Operate as intended, based on approved designs?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 9 x Detect x x
C|P-CMM 0 (Not Performed): Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid; (2) Reliable; and (3) Operate as intended, based on approved designs.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid; (2) Reliable; and (3) Operate as intended, based on approved designs.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid;
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are: (1) Valid;

SCF #: AAT-10.4
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Safety Demonstration
SCF Control Description: Mechanisms exist to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed the organization's risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 10 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance and can fail safely, particularly if made to operate beyond its knowledge limits.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to demonstrate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed are safe, residual risk does not exceed its risk tolerance

SCF #: AAT-10.5
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Security & Resiliency Assessment
SCF Control Description: Mechanisms exist to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 6 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to evaluate the security and resilience of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.

SCF #: AAT-10.6
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Transparency & Accountability Assessment
SCF Control Description: Mechanisms exist to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 7 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to examine risks associated with transparency and accountability of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.

SCF #: AAT-10.7
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Privacy Assessment
SCF Control Description: Mechanisms exist to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 9 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to examine the data privacy risk of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.

SCF #: AAT-10.8
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Fairness & Bias Assessment
SCF Control Description: Mechanisms exist to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 9 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to examine fairness and bias of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to be deployed.

SCF #: AAT-10.9
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Model Validation
SCF Control Description: Mechanisms exist to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 5 x Detect x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to validate the Artificial Intelligence (AI) and Autonomous Technologies (AAT) model.

SCF #: AAT-10.10
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Results Evaluation
SCF Control Description: Mechanisms exist to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 10 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to evaluate the results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to determine the viability of the proposed

SCF #: AAT-10.11
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI TEVV Effectiveness
SCF Control Description: Mechanisms exist to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV)?
Weighting / PPTDF / NIST CSF Function / SCRM Focus: 5 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to evaluate the effectiveness of the processes utilized to perform Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV).
SCF #: AAT-10.12 | SCF Control: AI TEVV Comparable Deployment Settings | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings?
Weighting / Function / PPTDF-SCRM marks (as extracted): 5 x Identify x x
C|P-CMM 0: There is no evidence of a capability to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to evaluate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related performance or the assurance criteria demonstrated for conditions similar to deployment settings.
SCF #: AAT-10.13 | SCF Control: AI TEVV Post-Deployment Monitoring | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations (all business sizes): ∙ Manually-generated metrics ∙ Quarterly Business Review (QBR) ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Detect x x x
C|P-CMM 0: There is no evidence of a capability to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to proactively and continuously monitor deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
SCF #: AAT-10.14 | SCF Control: Updating AI & Autonomous Technologies | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations (all business sizes): ∙ Change management program ∙ System Development Lifecycle (SDLC) governance / oversight ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Identify x x
C|P-CMM 0: There is no evidence of a capability to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to integrate continual improvements for deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).

SCF #: AAT-10.15 | SCF Control: AI TEVV Reporting | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
SCF Control Question: Does the organization report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required?
Weighting / Function / PPTDF-SCRM marks (as extracted): 5 x Protect
C|P-CMM 0: Mechanisms exist to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to report the status and results of Artificial Intelligence Test, Evaluation, Validation & Verification (AI TEVV) to relevant stakeholders, including governing bodies, as required.
SCF #: AAT-10.16 | SCF Control: AI TEVV Empirically Validated Methods | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
SCF Control Question: Does the organization evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods?
Weighting / Function / PPTDF-SCRM marks (as extracted): 1 x Protect
C|P-CMM 0: Mechanisms exist to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to evaluate claims of Artificial Intelligence (AI) and Autonomous Technologies (AAT) model capabilities using empirically validated methods.
SCF #: AAT-10.17 | SCF Control: AI TEVV Benchmarking Content Provenance | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
SCF Control Question: Does the organization benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards?
Weighting / Function / PPTDF-SCRM marks (as extracted): 7 x Protect
C|P-CMM 0: Mechanisms exist to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to benchmark the verifiable lineage and origin of content used by Artificial Intelligence (AI) and Autonomous Technologies (AAT) according to industry-recognized standards.
SCF #: AAT-10.18 | SCF Control: AI TEVV Model Collapse Mitigations | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.
SCF Control Question: Does the organization mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced?
Weighting / Function / PPTDF-SCRM marks (as extracted): 8 x Protect
C|P-CMM 0: Mechanisms exist to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to mitigate concerns of model collapse by: (1) Assessing the proportion of synthetic to non-synthetic training data; and (2) Verifying training data is not overly homogenous or Artificial Intelligence (AI) and Autonomous Technologies (AAT) system-produced.

SCF #: AAT-11 | ERL #: E-AAT-08 | SCF Control: Robust Stakeholder Engagement for AI & Autonomous Technologies | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
Possible Solutions & Considerations: Micro-Small and Small Business: ∙ Artificial Intelligence (AI) / autonomous technologies governance program. Medium Business, Large Business and Enterprise: ∙ AI Steering committee / advisory board ∙ Artificial Intelligence (AI) / autonomous technologies governance program.
SCF Control Question: Does the organization compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts?
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Protect x x x
C|P-CMM 0: There is no evidence of a capability to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to compel ongoing engagement with relevant Artificial Intelligence (AI) and Autonomous Technologies (AAT) stakeholders to encourage feedback about positive, negative and unanticipated impacts.
SCF #: AAT-11.1 | SCF Control: AI & Autonomous Technologies Stakeholder Feedback Integration | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Protect x x
C|P-CMM 0: There is no evidence of a capability to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to regularly collect, consider, prioritize and integrate risk-related feedback from those external to the team that developed or deployed Artificial Intelligence (AI) and Autonomous Technologies (AAT).
SCF #: AAT-11.2 | SCF Control: AI & Autonomous Technologies Ongoing Assessments | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
Possible Solutions & Considerations (all business sizes): ∙ Information Assurance (IA) Program ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT?
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Protect x
C|P-CMM 0: There is no evidence of a capability to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct regular assessments of Artificial Intelligence (AI) and Autonomous Technologies (AAT) with independent assessors and stakeholders not involved in the development of the AAT.
SCF #: AAT-11.3 | SCF Control: AI & Autonomous Technologies End User Feedback | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
Possible Solutions & Considerations (all business sizes): ∙ Formal product management practices ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics?
Weighting / Function / PPTDF-SCRM marks (as extracted): 7 x Protect x x
C|P-CMM 0: There is no evidence of a capability to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to collect and integrate feedback from end users and impacted communities into Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related system evaluation metrics.
SCF #: AAT-11.4 | SCF Control: AI & Autonomous Technologies Incident & Error Reporting | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to communicate Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related incidents and/or errors to relevant stakeholders, including affected communities.
Possible Solutions & Considerations (Micro-Small and Small Business; remaining size columns cut off): ∙ Incident Response Plan (IRP) ∙ Artificial Intelligence (AI) / autonomous technologies governance program
Weighting / Function / PPTDF-SCRM marks (as extracted): 9 x Protect x x

The following rows of this page carry only their identifiers, weighting, function and applicability marks; their remaining columns were not extracted:
AAT-12 | ERL #: E-AAT-09 | 10 x Protect x
AAT-12.1 | ERL #: E-AAT-10 | 10 x Govern x x x
AAT-12.2 | SCF Control: Data Source Integrity | 10 x Protect x x x
AAT-12.3 | 9 x Protect
AAT-12.4 | 9 x Protect
AAT-13 | 8 x Identify x
AAT-13.1 | 9 x Govern x x
AAT-14 | 8 x Govern x x x
AAT-14.1 | 8 x Govern x x

Licensed by Creative Commons Attribution-NoDerivatives 12 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column legend (page header): SCF Domain; SCF Control; SCF #; Secure Controls Framework (SCF) Control Description; Evidence Request List (ERL) #; Possible Solutions & Considerations for Micro-Small Business (<10 staff, BLS Firm Size Classes 1-2), Small Business (10-49 staff, BLS Firm Size Classes 3-4), Medium Business (50-249 staff, BLS Firm Size Classes 5-6), Large Business (250-999 staff, BLS Firm Size Classes 7-8) and Enterprise (> 1,000 staff, BLS Firm Size Class 9); SCF Control Question; Relative Control Weighting; PPTDF Applicability (PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY); NIST CSF Function Grouping; SCRM Focus (TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL); C|P-CMM 0 Not Performed; C|P-CMM 1 Performed Informally; C|P-CMM 2 Planned & Tracked; C|P-CMM 3 Well Defined; C|P-CMM 4 Quantitatively Controlled; C|P-CMM 5 Continuously Improving.

SCF #: AAT-14.2 | SCF Control: AI & Autonomous Technologies Knowledge Limits | SCF Domain: Artificial & Autonomous Technologies
Control Description: Mechanisms exist to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
Possible Solutions & Considerations (all business sizes): ∙ Artificial Intelligence (AI) / autonomous technologies governance program
SCF Control Question: Does the organization identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making?
Weighting / Function / PPTDF-SCRM marks (as extracted): 10 x Identify x x x
C|P-CMM 0: There is no evidence of a capability to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
C|P-CMM 1: Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required in this domain to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
C|P-CMM 3: Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify and document knowledge limits of Artificial Intelligence (AI) and Autonomous Technologies (AAT) to provide sufficient information to assist relevant stakeholder decision making.
Mechanisms exist to define the criteria as to whether Artificial Intelligence ∙ Project team review ∙ Project team review ∙ Project team review ∙ Legal review ∙ Legal review Does the organization define the criteria as to There is no evidence of a capability to define Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
(AI) and Autonomous Technologies (AAT) achieved intended purposes and ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Legal review ∙ Steering committee ∙ Steering committee whether Artificial Intelligence (AI) and Autonomous the criteria as to whether Artificial Intelligence Technology (AAT) efforts are requirements- is required in this domain to define the criteria Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous stated objectives to determine whether its development or deployment autonomous technologies autonomous technologies ∙ Steering committee ∙ Board of Directors (BoD) ∙ Board of Directors (BoD) Technologies (AAT) achieved intended purposes (AI) and Autonomous Technologies (AAT) driven and governed at a local/regional level, as to whether Artificial Intelligence (AI) and across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Viability AAT-15 should proceed. governance program governance program ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / and stated objectives to determine whether its 10 x Protect x x x achieved intended purposes and stated but are not consistent across the organization. Autonomous Technologies (AAT) achieved managed, where technically feasible, to not necessary to define the criteria as to not necessary to define the criteria as to
Technologies Decisions autonomous technologies autonomous technologies autonomous technologies development or deployment should proceed? objectives to determine whether its CMM Level 2 control maturity would intended purposes and stated objectives to ensure consistency. CMM Level 3 control whether Artificial Intelligence (AI) and whether Artificial Intelligence (AI) and
governance program governance program governance program development or deployment should proceed. reasonably expect all, or at least most, the determine whether its development or maturity would reasonably expect all, or at Autonomous Technologies (AAT) achieved Autonomous Technologies (AAT) achieved
following criteria to exist: deployment should proceed. least most, the following criteria to exist: intended purposes and stated objectives to intended purposes and stated objectives to
Mechanisms exist to identify and document negative, residual risks (defined ∙ Project team review ∙ Project team review ∙ Project team review ∙ Legal review ∙ Legal review Does the organization identify and document There is no evidence of a capability to identify Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
as the sum of all unmitigated risks) to both downstream acquirers and end ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Legal review ∙ Steering committee ∙ Steering committee negative, residual risks (defined as the sum of all and document negative, residual risks Technology (AAT) efforts are requirements- is required in this domain to identify and Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous users of Artificial Intelligence (AI) and Autonomous Technologies (AAT). autonomous technologies autonomous technologies ∙ Steering committee ∙ Board of Directors (BoD) ∙ Board of Directors (BoD) unmitigated risks) to both downstream acquirers (defined as the sum of all unmitigated risks) to driven and governed at a local/regional level, document negative, residual risks (defined as across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Negative AAT-15.1 governance program governance program ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / and end users of Artificial Intelligence (AI) and 9 x Protect x x both downstream acquirers and end users of but are not consistent across the organization. the sum of all unmitigated risks) to both managed, where technically feasible, to not necessary to identify and document not necessary to identify and document
Technologies Residual Risks autonomous technologies autonomous technologies autonomous technologies Autonomous Technologies (AAT)? Artificial Intelligence (AI) and Autonomous CMM Level 2 control maturity would downstream acquirers and end users of ensure consistency. CMM Level 3 control negative, residual risks (defined as the sum of negative, residual risks (defined as the sum of
governance program governance program governance program Technologies (AAT). reasonably expect all, or at least most, the Artificial Intelligence (AI) and Autonomous maturity would reasonably expect all, or at all unmitigated risks) to both downstream all unmitigated risks) to both downstream
following criteria to exist: Technologies (AAT). least most, the following criteria to exist: acquirers and end users of Artificial acquirers and end users of Artificial
Mechanisms exist to define the criteria and responsible party(ies) for ∙ Project team review ∙ Project team review ∙ Project team review ∙ Legal review ∙ Legal review Does the organization define the criteria and There is no evidence of a capability to define Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Responsibility To superseding, disengaging or deactivating Artificial Intelligence (AI) and ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Legal review ∙ Steering committee ∙ Steering committee responsible party(ies) for superseding, disengaging the criteria and responsible party(ies) for Technology (AAT) efforts are requirements- is required in this domain to define the criteria Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & Supersede, Deactivate Autonomous Technologies (AAT) that demonstrate performance or autonomous technologies autonomous technologies ∙ Steering committee ∙ Board of Directors (BoD) ∙ Board of Directors (BoD) or deactivating Artificial Intelligence (AI) and superseding, disengaging or deactivating driven and governed at a local/regional level, and responsible party(ies) for superseding, across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous and/or Disengage AI & AAT-15.2 outcomes inconsistent with intended use. governance program governance program ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Autonomous Technologies (AAT) that demonstrate 10 x Protect x x x Artificial Intelligence (AI) and Autonomous but are not consistent across the organization. disengaging or deactivating Artificial managed, where technically feasible, to not necessary to define the criteria and not necessary to define the criteria and
Technologies Autonomous autonomous technologies autonomous technologies autonomous technologies performance or outcomes inconsistent with Technologies (AAT) that demonstrate CMM Level 2 control maturity would Intelligence (AI) and Autonomous ensure consistency. CMM Level 3 control responsible party(ies) for superseding, responsible party(ies) for superseding,
Technologies governance program governance program governance program intended use? performance or outcomes inconsistent with reasonably expect all, or at least most, the Technologies (AAT) that demonstrate maturity would reasonably expect all, or at disengaging or deactivating Artificial disengaging or deactivating Artificial
intended use. following criteria to exist: performance or outcomes inconsistent with least most, the following criteria to exist: Intelligence (AI) and Autonomous Intelligence (AI) and Autonomous
Mechanisms exist to monitor the functionality and behavior of the deployed ∙ Formal product management ∙ Formal product management ∙ Formal product management ∙ Formal product management ∙ Formal product management Does the organization monitor the functionality and There is no evidence of a capability to monitor Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Artificial Intelligence (AI) and Autonomous Technologies (AAT). practices practices practices practices practices behavior of the deployed Artificial Intelligence (AI) the functionality and behavior of the deployed Technology (AAT) efforts are requirements- is required in this domain to monitor the Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / and Autonomous Technologies (AAT)? Artificial Intelligence (AI) and Autonomous driven and governed at a local/regional level, functionality and behavior of the deployed across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Production AAT-16 autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies 9 x Detect x x Technologies (AAT). but are not consistent across the organization. Artificial Intelligence (AI) and Autonomous managed, where technically feasible, to not necessary to monitor the functionality and not necessary to monitor the functionality and
Technologies Monitoring governance program governance program governance program governance program governance program CMM Level 2 control maturity would Technologies (AAT). ensure consistency. CMM Level 3 control behavior of the deployed Artificial Intelligence behavior of the deployed Artificial Intelligence
reasonably expect all, or at least most, the maturity would reasonably expect all, or at (AI) and Autonomous Technologies (AAT). (AI) and Autonomous Technologies (AAT).
following criteria to exist: least most, the following criteria to exist:
Mechanisms exist to measure Artificial Intelligence (AI) and Autonomous ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization measure Artificial Intelligence There is no evidence of a capability to Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
AI & Autonomous Technologies (AAT)-related risks to deployment context(s) through review autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies (AI) and Autonomous Technologies (AAT)-related measure Artificial Intelligence (AI) and Technology (AAT) efforts are requirements- is required in this domain to measure Artificial Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & and consultation with industry experts, domain specialists and end users. governance program governance program governance program governance program governance program risks to deployment context(s) through review and Autonomous Technologies (AAT)-related risks driven and governed at a local/regional level, Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Technologies
Autonomous AAT-16.1 consultation with industry experts, domain 8 x Detect x to deployment context(s) through review and but are not consistent across the organization. Technologies (AAT)-related risks to managed, where technically feasible, to not necessary to measure Artificial not necessary to measure Artificial
Measurement
Technologies specialists and end users? consultation with industry experts, domain CMM Level 2 control maturity would deployment context(s) through review and ensure consistency. CMM Level 3 control Intelligence (AI) and Autonomous Intelligence (AI) and Autonomous
Approaches
specialists and end users. reasonably expect all, or at least most, the consultation with industry experts, domain maturity would reasonably expect all, or at Technologies (AAT)-related risks to Technologies (AAT)-related risks to
following criteria to exist: specialists and end users. least most, the following criteria to exist: deployment context(s) through review and deployment context(s) through review and
Mechanisms exist to regularly assess the effectiveness of existing controls, ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization regularly assess the There is no evidence of a capability to Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Measuring AI & including reports of errors and potential impacts on affected communities. autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies effectiveness of existing controls, including reports regularly assess the effectiveness of existing Technology (AAT) efforts are requirements- is required in this domain to regularly assess Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & governance program governance program governance program governance program governance program of errors and potential impacts on affected controls, including reports of errors and driven and governed at a local/regional level, the effectiveness of existing controls, across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous
Autonomous AAT-16.2 communities? 5 x Detect x potential impacts on affected communities. but are not consistent across the organization. including reports of errors and potential managed, where technically feasible, to not necessary to regularly assess the not necessary to regularly assess the
Technologies
Technologies CMM Level 2 control maturity would impacts on affected communities. ensure consistency. CMM Level 3 control effectiveness of existing controls, including effectiveness of existing controls, including
Effectiveness
reasonably expect all, or at least most, the maturity would reasonably expect all, or at reports of errors and potential impacts on reports of errors and potential impacts on
following criteria to exist: least most, the following criteria to exist: affected communities. affected communities.
Mechanisms exist to identify and document unmeasurable risks or ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization identify and document There is no evidence of a capability to identify Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
trustworthiness characteristics. autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies unmeasurable risks or trustworthiness and document unmeasurable risks or Technology (AAT) efforts are requirements- is required in this domain to identify and Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & Unmeasurable AI & governance program governance program governance program governance program governance program characteristics? trustworthiness characteristics. driven and governed at a local/regional level, document unmeasurable risks or across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Autonomous AAT-16.3 7 x Detect x x but are not consistent across the organization. trustworthiness characteristics. managed, where technically feasible, to not necessary to identify and document not necessary to identify and document
Technologies Technologies Risks CMM Level 2 control maturity would ensure consistency. CMM Level 3 control unmeasurable risks or trustworthiness unmeasurable risks or trustworthiness
reasonably expect all, or at least most, the maturity would reasonably expect all, or at characteristics. characteristics.
following criteria to exist: least most, the following criteria to exist:
Mechanisms exist to gather and assess feedback about the efficacy of ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization gather and assess feedback There is no evidence of a capability to gather Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Efficacy of AI & Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies about the efficacy of Artificial Intelligence (AI) and and assess feedback about the efficacy of Technology (AAT) efforts are requirements- is required in this domain to gather and Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & measurements. governance program governance program governance program governance program governance program Autonomous Technologies (AAT)-related Artificial Intelligence (AI) and Autonomous driven and governed at a local/regional level, assess feedback about the efficacy of Artificial across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous
Autonomous AAT-16.4 measurements? 5 x Govern x x Technologies (AAT)-related measurements. but are not consistent across the organization. Intelligence (AI) and Autonomous managed, where technically feasible, to not necessary to gather and assess feedback not necessary to gather and assess feedback
Technologies
Technologies CMM Level 2 control maturity would Technologies (AAT)-related measurements. ensure consistency. CMM Level 3 control about the efficacy of Artificial Intelligence (AI) about the efficacy of Artificial Intelligence (AI)
Measurement
reasonably expect all, or at least most, the maturity would reasonably expect all, or at and Autonomous Technologies (AAT)-related and Autonomous Technologies (AAT)-related
following criteria to exist: least most, the following criteria to exist: measurements. measurements.
Mechanisms exist to utilize input from domain experts and relevant ∙ Third-party advisors (subject ∙ Third-party advisors (subject ∙ Third-party advisors (subject ∙ Third-party advisors (subject ∙ Third-party advisors (subject Does the organization utilize input from domain There is no evidence of a capability to utilize Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
stakeholders to validate whether the Artificial Intelligence (AI) and matter experts) matter experts) matter experts) matter experts) matter experts) experts and relevant stakeholders to validate input from domain experts and relevant Technology (AAT) efforts are requirements- is required in this domain to utilize input from Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous Autonomous Technologies (AAT) perform consistently, as intended. ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / whether the Artificial Intelligence (AI) and stakeholders to validate whether the Artificial driven and governed at a local/regional level, domain experts and relevant stakeholders to across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Domain AAT-16.5 autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies Autonomous Technologies (AAT) perform 8 x Govern x Intelligence (AI) and Autonomous but are not consistent across the organization. validate whether the Artificial Intelligence (AI) managed, where technically feasible, to not necessary to utilize input from domain not necessary to utilize input from domain
Technologies Expert Reviews governance program governance program governance program governance program governance program consistently, as intended? Technologies (AAT) perform consistently, as CMM Level 2 control maturity would and Autonomous Technologies (AAT) perform ensure consistency. CMM Level 3 control experts and relevant stakeholders to validate experts and relevant stakeholders to validate
intended. reasonably expect all, or at least most, the consistently, as intended. maturity would reasonably expect all, or at whether the Artificial Intelligence (AI) and whether the Artificial Intelligence (AI) and
following criteria to exist: least most, the following criteria to exist: Autonomous Technologies (AAT) perform Autonomous Technologies (AAT) perform
Mechanisms exist to evaluate performance improvements or declines with ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization evaluate performance There is no evidence of a capability to Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
domain experts and relevant stakeholders to define context-relevant risks autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies improvements or declines with domain experts and evaluate performance improvements or Technology (AAT) efforts are requirements- is required in this domain to evaluate Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous and trustworthiness issues. governance program governance program governance program governance program governance program relevant stakeholders to define context-relevant declines with domain experts and relevant driven and governed at a local/regional level, performance improvements or declines with across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies AAT-16.6 risks and trustworthiness issues? 10 x Govern x x x stakeholders to define context-relevant risks but are not consistent across the organization. domain experts and relevant stakeholders to managed, where technically feasible, to not necessary to evaluate performance not necessary to evaluate performance
Technologies Performance Changes and trustworthiness issues. CMM Level 2 control maturity would define context-relevant risks and ensure consistency. CMM Level 3 control improvements or declines with domain improvements or declines with domain
reasonably expect all, or at least most, the trustworthiness issues. maturity would reasonably expect all, or at experts and relevant stakeholders to define experts and relevant stakeholders to define
following criteria to exist: least most, the following criteria to exist: context-relevant risks and trustworthiness context-relevant risks and trustworthiness
Mechanisms exist to validate the information source(s) and quality of pre- ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / ∙ Artificial Intelligence (AI) / Does the organization validate the information Mechanisms exist to validate the information Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
trained models used in Artificial Intelligence (AI) and Autonomous autonomous technologies autonomous technologies autonomous technologies autonomous technologies autonomous technologies source(s) and quality of pre-trained models used in source(s) and quality of pre-trained models Technology (AAT) efforts are requirements- is required in this domain to validate the Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & Pre-Trained AI & Technologies (AAT) training, maintenance and improvement-related governance program governance program governance program governance program governance program Artificial Intelligence (AI) and Autonomous used in Artificial Intelligence (AI) and driven and governed at a local/regional level, information source(s) and quality of pre- across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Autonomous AAT-16.7 activities. Technologies (AAT) training, maintenance and 8 x Protect x Autonomous Technologies (AAT) training, but are not consistent across the organization. trained models used in Artificial Intelligence managed, where technically feasible, to not necessary to validate the information not necessary to validate the information
Technologies Technologies Models improvement-related activities? maintenance and improvement-related CMM Level 2 control maturity would (AI) and Autonomous Technologies (AAT) ensure consistency. CMM Level 3 control source(s) and quality of pre-trained models source(s) and quality of pre-trained models
activities. reasonably expect all, or at least most, the training, maintenance and improvement- maturity would reasonably expect all, or at used in Artificial Intelligence (AI) and used in Artificial Intelligence (AI) and
following criteria to exist: related activities. least most, the following criteria to exist: Autonomous Technologies (AAT) training, Autonomous Technologies (AAT) training,
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Does the organization ensure Artificial Intelligence Mechanisms exist to ensure Artificial Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Technologies (AAT) system event logging capabilities at a minimum (AI) and Autonomous Technologies (AAT) system Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure Artificial Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous provide: event logging capabilities at a minimum provide: Technologies (AAT) system event logging driven and governed at a local/regional level, Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Event AAT-16.8 (1) Start date, start time, end date and end time for each use; (1) Start date, start time, end date and end time for 7 x Protect x capabilities at a minimum provide: but are not consistent across the organization. Technologies (AAT) system event logging managed, where technically feasible, to not necessary to ensure Artificial Intelligence not necessary to ensure Artificial Intelligence
(Tail of the preceding control row; its domain, control name and SCF # appear above this section.) System event logging capabilities at a minimum provide:
(1) Start date, start time, end date and end time for each use;
(2) Database(s) against which input data has been checked by the system;
(3) Input data for which the search has led to a match; and
(4) Identification of individual(s) involved in the verification of the results.
C|P-CMM column text for that row (as extracted): "CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:"; "ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:"; and, for the remaining C|P-CMM columns, "(AI) and Autonomous Technologies (AAT) system event logging capabilities at a minimum provide:".

SCF Domain: Artificial & Autonomous Technologies
SCF Control: Serious Incident Reporting For AI & Autonomous Technologies
SCF #: AAT-16.9
Control Description: Mechanisms exist to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines.
SCF Control Question: Does the organization report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Protect x
C|P-CMM 0 (Not Performed): Mechanisms exist to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated reporting timelines.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the serious incident occurred, in accordance with mandated
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to report any serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) to relevant authorities as to when and where the
SCF Domain: Artificial & Autonomous Technologies
SCF Control: Serious Incident Root Cause Analysis (RCA) For AI & Autonomous Technologies
SCF #: AAT-16.10
Control Description: Mechanisms exist to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents a:
(1) Root Cause Analysis (RCA);
(2) Risk assessment of the incident; and
(3) Description of corrective actions taken, including measures implemented to prevent a recurrence of the incident.
SCF Control Question: Does the organization perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents a: (1) Root Cause Analysis (RCA); (2) Risk assessment of the incident; and (3) Description of corrective actions taken, including measures implemented to prevent a recurrence of the incident?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 8 x Protect x
C|P-CMM 0 (Not Performed): Mechanisms exist to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents a: (1) Root Cause Analysis (RCA); (2) Risk assessment of the incident; and
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that documents: (1) A Root Cause Analysis (RCA);
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform an investigation when there is a serious incident involving operational Artificial Intelligence (AI) and Autonomous Technologies (AAT) that

SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Harm Prevention
SCF #: AAT-17
Control Description: Mechanisms exist to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
Possible Solutions & Considerations: Micro-Small Business (<10 staff): Legal review; Artificial Intelligence (AI) / autonomous technologies governance program. Small Business (10-49 staff): Legal review; Artificial Intelligence (AI) / autonomous technologies governance program. Medium Business (50-249 staff): Legal review; Steering committee; Artificial Intelligence (AI) / autonomous technologies governance program. Large Business (250-999 staff): Legal review; Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program. Enterprise (> 1,000 staff): Legal review; Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program.
SCF Control Question: Does the organization proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 10 x Protect x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to proactively prevent harm by regularly identifying and tracking existing, unanticipated and emergent Artificial Intelligence (AI) and Autonomous
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Human Subject Protections
SCF #: AAT-17.1
Control Description: Mechanisms exist to protect human subjects from harm.
Possible Solutions & Considerations: Micro-Small Business (<10 staff): Legal review; Artificial Intelligence (AI) / autonomous technologies governance program. Small Business (10-49 staff): Legal review; Artificial Intelligence (AI) / autonomous technologies governance program. Medium Business (50-249 staff): Legal review; Steering committee; Artificial Intelligence (AI) / autonomous technologies governance program. Large Business (250-999 staff): Legal review; Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program. Enterprise (> 1,000 staff): Legal review; Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program.
SCF Control Question: Does the organization protect human subjects from harm?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 10 x Protect x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to protect human subjects from harm.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to protect human subjects from harm.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect human subjects from harm.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect human subjects from harm.
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Environmental Impact & Sustainability
SCF #: AAT-17.2
Control Description: Mechanisms exist to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Possible Solutions & Considerations: Micro-Small Business (<10 staff): Artificial Intelligence (AI) / autonomous technologies governance program. Small Business (10-49 staff): Artificial Intelligence (AI) / autonomous technologies governance program. Medium Business (50-249 staff): Steering committee; Artificial Intelligence (AI) / autonomous technologies governance program. Large Business (250-999 staff): Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program. Enterprise (> 1,000 staff): Steering committee; Board of Directors (BoD); Artificial Intelligence (AI) / autonomous technologies governance program.
SCF Control Question: Does the organization assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Govern x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to assess and document the environmental impacts and sustainability of Artificial Intelligence (AI) and Autonomous Technologies (AAT).
SCF Domain: Artificial & Autonomous Technologies
SCF Control: Previously Unknown AI & Autonomous Technologies Threats & Risks
SCF #: AAT-17.3
Control Description: Mechanisms exist to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
Possible Solutions & Considerations (all five business-size columns): Artificial Intelligence (AI) / autonomous technologies governance program.
SCF Control Question: Does the organization respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Govern x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to respond to and recover from a previously unknown Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risk when it is identified.
SCF Domain: Artificial & Autonomous Technologies
SCF Control: Novel Risk Assessment Methods & Technologies
SCF #: AAT-17.4
Control Description: Mechanisms exist to utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable:
(1) Content provenance;
(2) Offensive cyber capabilities;
(3) Chemical, Biological, Radiological or Nuclear (CBRN) weapons; and/or
(4) Other dangerous materials or agents.
SCF Control Question: Does the organization utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable: (1) Content provenance; (2) Offensive cyber capabilities; (3) Chemical, Biological, Radiological or Nuclear (CBRN) weapons; and/or
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 7 x Protect x
C|P-CMM 0 (Not Performed): Mechanisms exist to utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable: (1) Content provenance; (2) Offensive cyber capabilities;
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if applicable: (1) Content provenance;
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize novel methods and technologies for the measurement of Artificial Intelligence (AI) and Autonomous Technologies (AAT)-related risks to evaluate, if
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 c

The following control rows survive only as SCF #, Relative Control Weighting, NIST CSF Function and applicability marks (the remaining cells were not extracted):
AAT-17.5: 9 x Protect x
AAT-18: 9 x Govern x x x
AAT-18.1: 10 x Govern x x x
AAT-19: 9 x Protect x
AAT-19.1: 9 x Protect x
AAT-19.2: 9 x Protect x
AAT-19.3 (SCF Control: Social Scoring): 9 x Protect x
AAT-19.4: 9 x Protect x
AAT-19.5: 4 x Protect x
AAT-19.6: 9 x Protect x

Licensed by Creative Commons Attribution-NoDerivatives 13 of 196

version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column legend for the control rows that follow: SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Possible Solutions & Considerations for Micro-Small Business (<10 staff, BLS Firm Size Classes 1-2), Small Business (10-49 staff, BLS Firm Size Classes 3-4), Medium Business (50-249 staff, BLS Firm Size Classes 5-6), Large Business (250-999 staff, BLS Firm Size Classes 7-8) and Enterprise (> 1,000 staff, BLS Firm Size Class 9) | SCF Control Question | Relative Control Weighting | NIST CSF Function Grouping | PPTDF Applicability (PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY) | SCRM Focus (TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL) | Evidence Request List (ERL) # | C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

SCF Domain: Artificial & Autonomous Technologies
SCF Control: Emotion Inference
SCF #: AAT-19.7
Control Description: Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.
SCF Control Question: Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Protect x
C|P-CMM 0 (Not Performed): Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on observed characteristics.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that infer human emotions of an individual based on
SCF Domain: Artificial & Autonomous Technologies
SCF Control: Biometric Categorization
SCF #: AAT-19.8
Control Description: Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's:
(1) Race;
(2) Political opinions;
(3) Trade union membership;
(4) Religious or philosophical beliefs;
SCF Control Question: Does the organization prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's: (1) Race; (2) Political opinions;
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Protect x
C|P-CMM 0 (Not Performed): Mechanisms exist to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's: (1) Race;
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their biometric data to deduce, or infer, the individual's:
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prohibit the sale, deployment and/or use of Artificial Intelligence (AI) and Autonomous Technologies (AAT) that categorize an individual based on their
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Development Practices
SCF #: AAT-20
Control Description: Measures exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to:
(1) Achieve an appropriate level of accuracy, robustness, and cybersecurity;
(2) Perform consistently in those respects throughout the AAT system's lifecycle; and
(3) Be effectively overseen by competent individuals.
SCF Control Question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to: (1) Achieve an appropriate level of accuracy, robustness, and cybersecurity; (2) Perform consistently in those respects throughout the AAT system's lifecycle; and
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 10 x Protect x
C|P-CMM 0 (Not Performed): Measures exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to: (1) Achieve an appropriate level of accuracy, robustness, and cybersecurity; (2) Perform consistently in those respects throughout the AAT system's lifecycle; and
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to: (1) Achieve an appropriate level of accuracy, robustness, and cybersecurity;
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): Measures exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to: (1) Achieve an appropriate level of accuracy, robustness, and cybersecurity; (2) Perform consistently in those respects throughout the AAT system's lifecycle; and
C|P-CMM 5 (Continuously Improving): Measures exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed to: (1) Achieve an appropriate level of accuracy, robustness, and cybersecurity; (2) Perform consistently in those respects throughout the AAT system's lifecycle; and
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Transparency
SCF #: AAT-20.1
Control Description: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT.
SCF Control Question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Protect x x
C|P-CMM 0 (Not Performed): Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the AAT.
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can be easily interpreted by personnel implementing the
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) are designed and developed so its operation is sufficiently transparent such that output can
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Implementation Documentation
SCF #: AAT-20.2
Control Description: Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides:
(1) Contact details of the provider;
(2) Characteristics, capabilities and limitations of performance of the AAT;
(3) Errata from the AAT's initial conformity assessment;
SCF Control Question: Does the organization ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides: (1) Contact details of the provider;
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Protect x x
C|P-CMM 0 (Not Performed): Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum, provides:
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to personnel implementing and maintaining the AAT that, at a minimum,
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Artificial Intelligence (AI) and Autonomous Technologies (AAT) include clear and concise documentation that is relevant, accessible and comprehensible to
SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Human Domain Knowledge Reliance
SCF #: AAT-20.3
Control Description: Mechanisms exist to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including:
(1) Reinforcement Learning from Human Feedback (RLHF);
(2) Fine-tuning;
(3) Retrieval-augmented generation;
(4) Content moderation; and
SCF Control Question: Does the organization document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including: (1) Reinforcement Learning from Human Feedback (RLHF); (2) Fine-tuning;
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Protect x x
C|P-CMM 0 (Not Performed): Mechanisms exist to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including: (1) Reinforcement Learning from Human Feedback (RLHF);
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance including: (1) Reinforcement Learning from Human Feedback (RLHF);
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document the extent to which human domain knowledge is employed to improve Artificial Intelligence (AI) and Autonomous Technologies (AAT) performance

SCF Domain: Artificial & Autonomous Technologies
SCF Control: AI & Autonomous Technologies Registration
SCF #: AAT-21
Control Description: Mechanisms exist to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.
SCF Control Question: Does the organization maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements?
Relative Control Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 4 x Protect x x
C|P-CMM 0 (Not Performed): Mechanisms exist to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by statutory or regulatory requirements.
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a current registration for Artificial Intelligence (AI) and Autonomous Technologies (AAT) with the appropriate governing body, as required by
Mechanisms exist to ensure the deployment of Artificial Intelligence (AI) Does the organization ensure the deployment of Mechanisms exist to ensure the deployment of Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
and Autonomous Technologies (AAT) includes appropriate technical and Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure the Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous organizational measures so that AAT are used in accordance with the AAT Technologies (AAT) includes appropriate technical Technologies (AAT) includes appropriate driven and governed at a local/regional level, deployment of Artificial Intelligence (AI) and across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies AAT-22 developer-provided instructions for use. and organizational measures so that AAT are used 8 x Protect x x technical and organizational measures so that but are not consistent across the organization. Autonomous Technologies (AAT) includes managed, where technically feasible, to not necessary to ensure the deployment of not necessary to ensure the deployment of
Technologies Deployment in accordance with the AAT developer-provided AAT are used in accordance with the AAT CMM Level 2 control maturity would appropriate technical and organizational ensure consistency. CMM Level 3 control Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous
instructions for use? developer-provided instructions for use. reasonably expect all, or at least most, the measures so that AAT are used in accordance maturity would reasonably expect all, or at Technologies (AAT) includes appropriate Technologies (AAT) includes appropriate
following criteria to exist: with the AAT developer-provided instructions least most, the following criteria to exist: technical and organizational measures so that technical and organizational measures so that
Mechanisms exist to assign human oversight of Artificial Intelligence (AI) Does the organization assign human oversight of Mechanisms exist to assign human oversight Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
and Autonomous Technologies (AAT) to prevent or minimize the risks to: Artificial Intelligence (AI) and Autonomous of Artificial Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to assign human Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous (1) Health; Technologies (AAT) to prevent or minimize the risks Technologies (AAT) to prevent or minimize the driven and governed at a local/regional level, oversight of Artificial Intelligence (AI) and across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Human AAT-22.1 (2) Safety; and/or to: 9 x Protect x x risks to: but are not consistent across the organization. Autonomous Technologies (AAT) to prevent or managed, where technically feasible, to not necessary to assign human oversight of not necessary to assign human oversight of
Technologies Oversight (3) Fundamental rights. (1) Health; (1) Health; CMM Level 2 control maturity would minimize the risks to: ensure consistency. CMM Level 3 control Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous
(2) Safety; and/or (2) Safety; and/or reasonably expect all, or at least most, the (1) Health; maturity would reasonably expect all, or at Technologies (AAT) to prevent or minimize the Technologies (AAT) to prevent or minimize the
(3) Fundamental rights? (3) Fundamental rights. following criteria to exist: (2) Safety; and/or least most, the following criteria to exist: risks to: risks to:
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Does the organization ensure Artificial Intelligence Mechanisms exist to ensure Artificial Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Technologies (AAT) oversight measures are commensurate with the: (AI) and Autonomous Technologies (AAT) oversight Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure Artificial Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous (1) Assessed risk(s); measures are commensurate with the: Technologies (AAT) oversight measures are driven and governed at a local/regional level, Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Oversight AAT-22.2 (2) Level of autonomy; and (1) Assessed risk(s); 9 x Protect x x commensurate with the: but are not consistent across the organization. Technologies (AAT) oversight measures are managed, where technically feasible, to not necessary to ensure Artificial Intelligence not necessary to ensure Artificial Intelligence
Technologies Measures (3) Context of use. (2) Level of autonomy; and (1) Assessed risk(s); CMM Level 2 control maturity would commensurate with the: ensure consistency. CMM Level 3 control (AI) and Autonomous Technologies (AAT) (AI) and Autonomous Technologies (AAT)
(3) Context of use? (2) Level of autonomy; and reasonably expect all, or at least most, the (1) Assessed risk(s); maturity would reasonably expect all, or at oversight measures are commensurate with oversight measures are commensurate with
(3) Context of use. following criteria to exist: (2) Level of autonomy; and least most, the following criteria to exist: the: the:
Mechanisms exist to ensure no action or decision is taken by the deployer Does the organization ensure no action or decision Mechanisms exist to ensure no action or Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
of an Artificial Intelligence (AI) and Autonomous Technologies (AAT) based is taken by the deployer of an Artificial Intelligence decision is taken by the deployer of an Technology (AAT) efforts are requirements- is required in this domain to ensure no action Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous solely based on AAT-generated evidence, unless that evidence has been (AI) and Autonomous Technologies (AAT) based Artificial Intelligence (AI) and Autonomous driven and governed at a local/regional level, or decision is taken by the deployer of an across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Separate AAT-22.3 separately verified and confirmed by at least two (2) individuals with the solely based on AAT-generated evidence, unless 9 x Protect x x Technologies (AAT) based solely based on but are not consistent across the organization. Artificial Intelligence (AI) and Autonomous managed, where technically feasible, to not necessary to ensure no action or decision not necessary to ensure no action or decision
Technologies Verification necessary competence, training and authority. that evidence has been separately verified and AAT-generated evidence, unless that evidence CMM Level 2 control maturity would Technologies (AAT) based solely based on ensure consistency. CMM Level 3 control is taken by the deployer of an Artificial is taken by the deployer of an Artificial
confirmed by at least two (2) individuals with the has been separately verified and confirmed by reasonably expect all, or at least most, the AAT-generated evidence, unless that evidence maturity would reasonably expect all, or at Intelligence (AI) and Autonomous Intelligence (AI) and Autonomous
necessary competence, training and authority? at least two (2) individuals with the necessary following criteria to exist: has been separately verified and confirmed by least most, the following criteria to exist: Technologies (AAT) based solely based on Technologies (AAT) based solely based on
Mechanisms exist to ensure the deployment of Artificial Intelligence (AI) Does the organization ensure the deployment of Mechanisms exist to ensure the deployment of Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
and Autonomous Technologies (AAT) assigns human oversight to Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure the Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous individuals who have the necessary: Technologies (AAT) assigns human oversight to Technologies (AAT) assigns human oversight driven and governed at a local/regional level, deployment of Artificial Intelligence (AI) and across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Oversight AAT-22.4 (1) Competence; individuals who have the necessary: 9 x Protect x x to individuals who have the necessary: but are not consistent across the organization. Autonomous Technologies (AAT) assigns managed, where technically feasible, to not necessary to ensure the deployment of not necessary to ensure the deployment of
Technologies Functions Competency (2) Training; (1) Competence; (1) Competence; CMM Level 2 control maturity would human oversight to individuals who have the ensure consistency. CMM Level 3 control Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous
(3) Authority; and (2) Training; (2) Training; reasonably expect all, or at least most, the necessary: maturity would reasonably expect all, or at Technologies (AAT) assigns human oversight Technologies (AAT) assigns human oversight
(4) Resources. (3) Authority; and (3) Authority; and following criteria to exist: (1) Competence; least most, the following criteria to exist: to individuals who have the necessary: to individuals who have the necessary:
Mechanisms exist to ensure the input to Artificial Intelligence (AI) and Does the organization ensure the input to Artificial Mechanisms exist to ensure the input to Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Autonomous Technologies (AAT) is relevant to the intended purpose of the Intelligence (AI) and Autonomous Technologies Artificial Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure the input Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous AAT. (AAT) is relevant to the intended purpose of the Technologies (AAT) is relevant to the intended driven and governed at a local/regional level, to Artificial Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Data AAT-22.5 AAT? 5 x Protect x x purpose of the AAT. but are not consistent across the organization. Technologies (AAT) is relevant to the intended managed, where technically feasible, to not necessary to ensure the input to Artificial not necessary to ensure the input to Artificial
Technologies Relevance CMM Level 2 control maturity would purpose of the AAT. ensure consistency. CMM Level 3 control Intelligence (AI) and Autonomous Intelligence (AI) and Autonomous
reasonably expect all, or at least most, the maturity would reasonably expect all, or at Technologies (AAT) is relevant to the intended Technologies (AAT) is relevant to the intended
following criteria to exist: least most, the following criteria to exist: purpose of the AAT. purpose of the AAT.
Mechanisms exist to ensure serious incidents and/or irregularities Does the organization ensure serious incidents Mechanisms exist to ensure serious incidents Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
associated with the deployment of Artificial Intelligence (AI) and and/or irregularities associated with the deployment and/or irregularities associated with the Technology (AAT) efforts are requirements- is required in this domain to ensure serious Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous Autonomous Technologies (AAT) are reported without delay to the: of Artificial Intelligence (AI) and Autonomous deployment of Artificial Intelligence (AI) and driven and governed at a local/regional level, incidents and/or irregularities associated with across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Irregularity AAT-22.6 (1) AAT provider; Technologies (AAT) are reported without delay to 8 x Protect x x Autonomous Technologies (AAT) are reported but are not consistent across the organization. the deployment of Artificial Intelligence (AI) managed, where technically feasible, to not necessary to ensure serious incidents not necessary to ensure serious incidents
Technologies Reporting (2) AAT importer or distributor, if applicable; and/or the: without delay to the: CMM Level 2 control maturity would and Autonomous Technologies (AAT) are ensure consistency. CMM Level 3 control and/or irregularities associated with the and/or irregularities associated with the
(3) Local law authorities and/or governmental agency, as required. (1) AAT provider; (1) AAT provider; reasonably expect all, or at least most, the reported without delay to the: maturity would reasonably expect all, or at deployment of Artificial Intelligence (AI) and deployment of Artificial Intelligence (AI) and
(2) AAT importer or distributor, if applicable; and/or (2) AAT importer or distributor, if applicable; following criteria to exist: (1) AAT provider; least most, the following criteria to exist: Autonomous Technologies (AAT) are reported Autonomous Technologies (AAT) are reported
Mechanisms exist to ensure employees, including workers' representatives, Does the organization ensure employees, including Mechanisms
and/or exist to ensure employees, Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
AI & Autonomous are informed about Artificial Intelligence (AI) and Autonomous Technologies workers' representatives, are informed about including workers' representatives, are Technology (AAT) efforts are requirements- is required in this domain to ensure Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & (AAT) deployments, prior to the use of the AAT in a production Artificial Intelligence (AI) and Autonomous informed about Artificial Intelligence (AI) and driven and governed at a local/regional level, employees, including workers' across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Technologies Use
Autonomous AAT-22.7 environment. Technologies (AAT) deployments, prior to the use of 5 x Protect x x Autonomous Technologies (AAT) deployments, but are not consistent across the organization. representatives, are informed about Artificial managed, where technically feasible, to not necessary to ensure employees, including not necessary to ensure employees, including
Notification To
Technologies the AAT in a production environment? prior to the use of the AAT in a production CMM Level 2 control maturity would Intelligence (AI) and Autonomous ensure consistency. CMM Level 3 control workers' representatives, are informed about workers' representatives, are informed about
Employees
environment. reasonably expect all, or at least most, the Technologies (AAT) deployments, prior to the maturity would reasonably expect all, or at Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous
following criteria to exist: use of the AAT in a production environment. least most, the following criteria to exist: Technologies (AAT) deployments, prior to the Technologies (AAT) deployments, prior to the
Mechanisms exist to ensure Artificial Intelligence (AI) and Autonomous Does the organization ensure Artificial Intelligence Mechanisms exist to ensure Artificial Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Technologies (AAT) that make decisions, or assist in making decisions, (AI) and Autonomous Technologies (AAT) that make Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to ensure Artificial Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous inform the people in a clear manner that they are: decisions, or assist in making decisions, inform the Technologies (AAT) that make decisions, or driven and governed at a local/regional level, Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Use AAT-22.8 (1) Utilizing an AAT solution; and people in a clear manner that they are: 5 x Protect x x assist in making decisions, inform the people but are not consistent across the organization. Technologies (AAT) that make decisions, or managed, where technically feasible, to not necessary to ensure Artificial Intelligence not necessary to ensure Artificial Intelligence
Technologies Notification To Users (2) Expected to validate the output for relevance and accuracy. (1) Utilizing an AAT solution; and in a clear manner that they are: CMM Level 2 control maturity would assist in making decisions, inform the people ensure consistency. CMM Level 3 control (AI) and Autonomous Technologies (AAT) that (AI) and Autonomous Technologies (AAT) that
(2) Expected to validate the output for relevance (1) Utilizing an AAT solution; and reasonably expect all, or at least most, the in a clear manner that they are: maturity would reasonably expect all, or at make decisions, or assist in making decisions, make decisions, or assist in making decisions,
and accuracy? (2) Expected to validate the output for following criteria to exist: (1) Utilizing an AAT solution; and least most, the following criteria to exist: inform the people in a clear manner that they inform the people in a clear manner that they
Mechanisms exist to mark output from Artificial Intelligence (AI) and Does the organization mark output from Artificial Mechanisms
relevance and exist to mark output from
accuracy. Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Autonomous Technologies (AAT) in a machine-readable format so it is Intelligence (AI) and Autonomous Technologies Artificial Intelligence (AI) and Autonomous Technology (AAT) efforts are requirements- is required in this domain to mark output from Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous detectable as artificially generated or manipulated. (AAT) in a machine-readable format so it is Technologies (AAT) in a machine-readable driven and governed at a local/regional level, Artificial Intelligence (AI) and Autonomous across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies Output AAT-23 detectable as artificially generated or manipulated? 5 x Protect x format so it is detectable as artificially but are not consistent across the organization. Technologies (AAT) in a machine-readable managed, where technically feasible, to not necessary to mark output from Artificial not necessary to mark output from Artificial
Technologies Marking generated or manipulated. CMM Level 2 control maturity would format so it is detectable as artificially ensure consistency. CMM Level 3 control Intelligence (AI) and Autonomous Intelligence (AI) and Autonomous
reasonably expect all, or at least most, the generated or manipulated. maturity would reasonably expect all, or at Technologies (AAT) in a machine-readable Technologies (AAT) in a machine-readable
following criteria to exist: least most, the following criteria to exist: format so it is detectable as artificially format so it is detectable as artificially
Mechanisms exist to obtain consent from the subjects of testing Artificial Does the organization obtain consent from the Mechanisms exist to obtain consent from the Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Intelligence (AI) and Autonomous Technologies (AAT): subjects of testing Artificial Intelligence (AI) and subjects of testing Artificial Intelligence (AI) Technology (AAT) efforts are requirements- is required in this domain to obtain consent Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & Real World Testing of AI (1) Prior to their participation in such testing; and Autonomous Technologies (AAT): and Autonomous Technologies (AAT): driven and governed at a local/regional level, from the subjects of testing Artificial across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous & Autonomous AAT-24 (2) After their having been provided with clear and concise information (1) Prior to their participation in such testing; and 5 x Protect x (1) Prior to their participation in such testing; but are not consistent across the organization. Intelligence (AI) and Autonomous managed, where technically feasible, to not necessary to obtain consent from the not necessary to obtain consent from the
Technologies Technologies regarding the testing. (2) After their having been provided with clear and and CMM Level 2 control maturity would Technologies (AAT): ensure consistency. CMM Level 3 control subjects of testing Artificial Intelligence (AI) subjects of testing Artificial Intelligence (AI)
concise information regarding the testing? (2) After their having been provided with clear reasonably expect all, or at least most, the (1) Prior to their participation in such testing; maturity would reasonably expect all, or at and Autonomous Technologies (AAT): and Autonomous Technologies (AAT):
and concise information regarding the testing. following criteria to exist: and least most, the following criteria to exist: (1) Prior to their participation in such testing; (1) Prior to their participation in such testing;
Mechanisms exist to document the sequence of events and relevant Does the organization document the sequence of Mechanisms exist to document the sequence Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See
and C|P-CMM3. There are no defined C|P- See
and C|P-CMM4. There are no defined C|P-
stakeholders involved in creating and deploying Artificial Intelligence (AI) events and relevant stakeholders involved in of events and relevant stakeholders involved Technology (AAT) efforts are requirements- is required in this domain to document the Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous and Autonomous Technologies (AAT). creating and deploying Artificial Intelligence (AI) in creating and deploying Artificial Intelligence driven and governed at a local/regional level, sequence of events and relevant stakeholders across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies System AAT-25 and Autonomous Technologies (AAT)? 3 x Protect x x (AI) and Autonomous Technologies (AAT). but are not consistent across the organization. involved in creating and deploying Artificial managed, where technically feasible, to not necessary to document the sequence of not necessary to document the sequence of
Technologies Value Chain CMM Level 2 control maturity would Intelligence (AI) and Autonomous ensure consistency. CMM Level 3 control events and relevant stakeholders involved in events and relevant stakeholders involved in
reasonably expect all, or at least most, the Technologies (AAT). maturity would reasonably expect all, or at creating and deploying Artificial Intelligence creating and deploying Artificial Intelligence
following criteria to exist: least most, the following criteria to exist: (AI) and Autonomous Technologies (AAT). (AI) and Autonomous Technologies (AAT).
Mechanisms exist to identify: Does the organization identify: Mechanisms exist to identify: Artificial Intelligence and Autonomous C|P-CMM2 is N/A, since a well-defined process Artificial Intelligence and Autonomous See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
(1) Over-reliance on third-party data with Artificial Intelligence (AI) and (1) Over-reliance on third-party data with Artificial (1) Over-reliance on third-party data with Technology (AAT) efforts are requirements- is required in this domain to identify: Technology (AAT) efforts are standardized CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Artificial & AI & Autonomous Autonomous Technologies (AAT); and Intelligence (AI) and Autonomous Technologies Artificial Intelligence (AI) and Autonomous driven and governed at a local/regional level, (1) Over-reliance on third-party data with across the organization and centrally assume a quantitatively-controlled process is assume a continuously-improving process is
Autonomous Technologies System AAT-25.1 (2) Fallback methods to address the inability to access third-party data, as (AAT); and 5 x Protect x x Technologies (AAT); and but are not consistent across the organization. Artificial Intelligence (AI) and Autonomous managed, where technically feasible, to not necessary to identify: not necessary to identify:
Technologies Value Chain Fallbacks necessary. (2) Fallback methods to address the inability to (2) Fallback methods to address the inability CMM Level 2 control maturity would Technologies (AAT); and ensure consistency. CMM Level 3 control (1) Over-reliance on third-party data with (1) Over-reliance on third-party data with
access third-party data, as necessary? to access third-party data, as necessary. reasonably expect all, or at least most, the (2) Fallback methods to address the inability maturity would reasonably expect all, or at Artificial Intelligence (AI) and Autonomous Artificial Intelligence (AI) and Autonomous
following criteria to exist: to access third-party data, as necessary. least most, the following criteria to exist: Technologies (AAT); and Technologies (AAT); and
AAT-26 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Testing Techniques
Control description: Mechanisms exist to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).
Control question: Does the organization develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT)?
Relative control weighting: 8
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): Mechanisms exist to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop and implement fact-checking techniques to verify the accuracy and veracity of information generated by Artificial Intelligence (AI) and Autonomous Technologies (AAT).

AAT-26.1 | Artificial & Autonomous Technologies | Generative Artificial Intelligence (GAI) Identification
Control description: Mechanisms exist to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).
Control question: Does the organization develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media)?
Relative control weighting: 5
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): Mechanisms exist to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).
C|P-CMM 1 (Performed Informally): Artificial Intelligence and Autonomous Technology (AAT) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required in this domain to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).
C|P-CMM 3 (Well Defined): Artificial Intelligence and Autonomous Technology (AAT) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to develop and implement testing techniques to identify Generative Artificial Intelligence (GAI) produced content (e.g., synthetic media).

AAT-26.2 | Artificial & Autonomous Technologies | AI & Autonomous Technologies Capabilities Testing
Control description: Mechanisms exist to delineate human proficiency tests from tests of Artificial Intell
Relative control weighting: 2
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x

AAT-26.3 | Artificial & Autonomous Technologies | Real-World Testing
Relative control weighting: 7
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x

AAT-26.4 | Artificial & Autonomous Technologies
Relative control weighting: 5
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x

AAT-27 | Artificial & Autonomous Technologies
Relative control weighting: 5
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x

AAT-27.1 | Artificial & Autonomous Technologies | Human Moderation
Relative control weighting: 2
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x

AST-01 | Asset Management | Asset Governance
Evidence Request List (ERL) #: E-AST-01
Relative control weighting: 10
NIST CSF function: Govern
PPTDF / SCRM applicability marks: x x x x

AST-01.1 | Asset Management
Evidence Request List (ERL) #: E-BCM-09
Relative control weighting: 5
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x x

AST-01.2 | Asset Management
Evidence Request List (ERL) #: E-CPL-03
Relative control weighting: 5
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x


Licensed by Creative Commons Attribution-NoDerivatives 14 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headers (one column per line):
SCF Domain
SCF Control
SCF #
Secure Controls Framework (SCF) Control Description
Evidence Request List (ERL) #
Possible Solutions & Considerations: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2)
Possible Solutions & Considerations: Small Business (10-49 staff; BLS Firm Size Classes 3-4)
Possible Solutions & Considerations: Medium Business (50-249 staff; BLS Firm Size Classes 5-6)
Possible Solutions & Considerations: Large Business (250-999 staff; BLS Firm Size Classes 7-8)
Possible Solutions & Considerations: Enterprise (> 1,000 staff; BLS Firm Size Class 9)
SCF Control Question
Relative Control Weighting
NIST CSF Function Grouping
PPTDF Applicability: People, Process, Technology, Data, Facility
SCRM Focus: Tier 1 Strategic, Tier 2 Operational, Tier 3 Tactical
C|P-CMM 0: Not Performed
C|P-CMM 1: Performed Informally
C|P-CMM 2: Planned & Tracked
C|P-CMM 3: Well Defined
C|P-CMM 4: Quantitatively Controlled
C|P-CMM 5: Continuously Improving

AST-01.3 | Asset Management | Standardized Naming Convention
Control description: Mechanisms exist to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
Possible solutions & considerations (all business sizes):
∙ IT Asset Management (ITAM) program
Control question: Does the organization implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts?
Relative control weighting: 5
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement a scalable, standardized naming convention for systems, applications and services that avoids asset naming conflicts.

AST-01.4 | Asset Management | Approved Technologies
Control description: Mechanisms exist to maintain a current list of approved technologies (hardware and software).
Possible solutions & considerations (all business sizes):
∙ IT Asset Management (ITAM) program
∙ Configuration Management Database (CMDB)
Control question: Does the organization maintain a current list of approved technologies (hardware and software)?
Relative control weighting: 7
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to maintain a current list of approved technologies (hardware and software).
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to maintain a current list of approved technologies (hardware and software).
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to maintain a current list of approved technologies (hardware and software).
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a current list of approved technologies (hardware and software).

AST-02 | Asset Management | Asset Inventories
Control description: Mechanisms exist to perform inventories of technology assets that:
(1) Accurately reflects the current systems, applications and services in use;
(2) Identifies authorized software products, including business justification details;
(3) Is at the level of granularity deemed necessary for tracking and reporting;
Evidence Request List (ERL) #: E-AST-04, E-AST-05, E-AST-07
Possible solutions & considerations (all business sizes):
∙ IT Asset Management (ITAM) program
∙ Configuration Management Database (CMDB)
∙ ManageEngine AssetExplorer (https://manageengine.com)
Possible solutions & considerations (Micro-Small and Small Business):
∙ JAMF (https://jamf.com)
Possible solutions & considerations (Medium Business, Large Business and Enterprise):
∙ Ivanti (https://ivanti.com)
Control question: Does the organization perform inventories of technology assets that:
(1) Accurately reflects the current systems, applications and services in use;
(2) Identifies authorized software products, including business justification details;
(3) Is at the level of granularity deemed necessary for tracking and reporting;
Relative control weighting: 10
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to perform inventories of technology assets that:
(1) Accurately reflects the current systems, applications and services in use;
(2) Identifies authorized software products, including business justification details;
(3) Is at the level of granularity deemed necessary for tracking and reporting;
C|P-CMM 1 (Performed Informally): Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.

AST-02.1 | Asset Management | Updates During Installations / Removals
Control description: Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.
Possible solutions & considerations (all business sizes):
∙ Configuration Management Database (CMDB)
Control question: Does the organization update asset inventories as part of component installations, removals and asset upgrades?
Relative control weighting: 7
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to update asset inventories as part of component installations, removals and asset upgrades.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to update asset inventories as part of component installations, removals and asset upgrades.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to update asset inventories as part of component installations, removals and asset upgrades.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to update asset inventories as part of component installations, removals and asset upgrades.

AST-02.2 | Asset Management | Automated Unauthorized Component Detection
Control description: Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.
Possible solutions & considerations (all business sizes):
∙ DHCP logging
∙ Active discovery tools
∙ Configuration Management Database (CMDB)
Possible solutions & considerations (listed in three of the five business-size columns):
∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)
∙ Netwrix Auditor (https://netrix.com)
Control question: Does the organization use automated mechanisms to detect and alert upon the detection of unauthorized hardware, software and firmware components?
Relative control weighting: 3
NIST CSF function: Detect
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to detect and alert upon the detection of unauthorized hardware, software and firmware components.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to detect and alert upon the detection of unauthorized hardware, software and firmware components.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to detect and alert upon the detection of unauthorized hardware, software and firmware components.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to detect and alert upon the detection of unauthorized hardware, software and firmware components.

AST-02.3 | Asset Management | Component Duplication Avoidance
Control description: Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Possible solutions & considerations (all business sizes):
∙ Configuration Management Database (CMDB)
Control question: Does the organization establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories?
Relative control weighting: 2
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.

AST-02.4 | Asset Management | Approved Baseline Deviations
Control description: Mechanisms exist to document and govern instances of approved deviations from established baseline configurations.
Evidence Request List (ERL) #: E-RSK-03, E-TDA-14
Possible solutions & considerations (all business sizes):
∙ Configuration Management Database (CMDB)
Possible solutions & considerations (listed in three of the five business-size columns):
∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak)
∙ Netwrix Auditor (https://netrix.com)
∙ Tripwire Enterprise (https://tripwire.com/products/tripwire-enterprise)
Control question: Does the organization document and govern instances of approved deviations from established baseline configurations?
Relative control weighting: 8
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to document and govern instances of approved deviations from established baseline configurations.
C|P-CMM 1 (Performed Informally): Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document and govern instances of approved deviations from established baseline configurations.

AST-02.5 | Asset Management | Network Access Control (NAC)
Control description: Automated mechanisms exist to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices.
Possible solutions & considerations (listed in three of the five business-size columns):
∙ Cisco Identity Services Engine (ISE) (https://cisco.com)
∙ HPE Aruba Central (https://arubanetworks.com)
∙ Juniper Mist Access Assurance (https://juniper.net)
∙ Packet Fence (https://packetfence.org)
Control question: Does the organization use automated mechanisms to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices?
Relative control weighting: 4
NIST CSF function: Protect
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to employ Network Access Control (NAC), or a similar technology, which is capable of detecting unauthorized devices and disable network access to those unauthorized devices.

AST-02.6 | Asset Management | Dynamic Host Configuration Protocol (DHCP) Server Logging
Control description: Mechanisms exist to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
Evidence Request List (ERL) #: E-MON-04
Possible solutions & considerations (Micro-Small and Small Business):
∙ Centralized log collector
∙ Security Incident Event Manager (SIEM)
Possible solutions & considerations (Medium Business, Large Business and Enterprise):
∙ Security Incident Event Manager (SIEM)
Control question: Does the organization enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems?
Relative control weighting: 3
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enable Dynamic Host Configuration Protocol (DHCP) server logging to improve asset inventories and assist in detecting unknown systems.

AST-02.7 | Asset Management | Software Licensing Restrictions
Control description: Mechanisms exist to protect Intellectual Property (IP) rights with software licensing restrictions.
Possible solutions & considerations (all business sizes):
∙ IT Asset Management (ITAM) program
Control question: Does the organization protect Intellectual Property (IP) rights with software licensing restrictions?
Relative control weighting: 8
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to protect Intellectual Property (IP) rights with software licensing restrictions.
C|P-CMM 1 (Performed Informally): Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect Intellectual Property (IP) rights with software licensing restrictions.

AST-02.8 | Asset Management | Data Action Mapping
Control description: Mechanisms exist to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.
Evidence Request List (ERL) #: E-DCH-05
Possible solutions & considerations (all business sizes):
∙ Visio
∙ LucidChart
Control question: Does the organization create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed?
Relative control weighting: 9
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.
C|P-CMM 1 (Performed Informally): Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM 2 (Planned & Tracked): Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to create and maintain a map of technology assets where sensitive/regulated data is stored, transmitted or processed.

AST-02.9 | Asset Management | Configuration Management Database (CMDB)
Control description: Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Possible solutions & considerations (all business sizes):
∙ Configuration Management Database (CMDB)
Control question: Does the organization implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information?
Relative control weighting: 5
NIST CSF function: Identify
PPTDF / SCRM applicability marks: x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
C|P-CMM 3 (Well Defined): Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM 4 (Quantitatively Controlled): Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.

Mechanisms exist to track the geographic location of system components. ∙ Prey (https://preyproject.com) ∙ Prey (https://preyproject.com) ∙ Prey (https://preyproject.com) ∙ Prey (https://preyproject.com) ∙ Prey (https://preyproject.com) Does the organization track the geographic location There is no evidence of a capability to track C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics Asset Management (AST) efforts are “world-
of system components? the geographic location of system required to track the geographic location of is required to track the geographic location of standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management class” capabilities that leverage predictive
Automated Location components. system components. system components. centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative analysis (e.g., machine learning, AI, etc.). In
Asset Management AST-02.10 5 x Identify x x to ensure consistency. CMM Level 3 control understanding of process capabilities) to addition to CMM Level 4 criteria, CMM Level 5
Tracking
maturity would reasonably expect all, or at predict optimal performance, ensure control maturity would reasonably expect all,
least most, the following criteria to exist: continued operations and identify areas for or at least most, the following criteria to exist:
• An IT Asset Management (ITAM) function, improvement. • Stakeholders make time-sensitive
Mechanisms exist to bind components to a specific system. Does the organization bind components to a There is no evidence of a capability to bind C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Asset Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4.
decisions Thereoperational
to support are no defined C|P-
efficiency,
specific system? components to a specific system. required to bind components to a specific is required to bind components to a specific standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria,
which may sinceautomated
include it is reasonable to
remediation
system. system. centrally managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume
actions. a continuously-improving process is
Asset Management Component Assignment AST-02.11 3 x Identify x to ensure consistency. CMM Level 3 control not necessary to bind components to a not necessary to bind components to a
maturity would reasonably expect all, or at specific system. specific system.
least most, the following criteria to exist:
• An IT Asset Management (ITAM) function,
Mechanisms exist to ensure asset ownership responsibilities are assigned, ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Does the organization ensure asset ownership There is no evidence of a capability to ensure Asset Management (AST) efforts are ad hoc Asset Management (AST) efforts are Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics Asset Management (AST) efforts are “world-
tracked and managed at a team, individual, or responsible organization program program program program program responsibilities are assigned, tracked and managed asset ownership responsibilities are assigned, and inconsistent. CMM Level 1 control requirements-driven and governed at a standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management class” capabilities that leverage predictive
Asset Ownership level to establish a common understanding of requirements for asset E-AST-01 ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management at a team, individual, or responsible organization tracked and managed at a team, individual, or maturity would reasonably expect all, or at local/regional level, but are not consistent centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative analysis (e.g., machine learning, AI, etc.). In
Asset Management AST-03 protection. Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) level to establish a common understanding of 8 x Identify x responsible organization level to establish a least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to addition to CMM Level 4 criteria, CMM Level 5
Assignment E-CPL-03
requirements for asset protection? common understanding of requirements for • Asset management is informally assigned maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure control maturity would reasonably expect all,
asset protection. as an additional duty to existing least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for or at least most, the following criteria to exist:
IT/cybersecurity personnel. • Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement. • Stakeholders make time-sensitive
Mechanisms exist to include capturing the name, position and/or role of ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Does the organization include capturing the name, There is no evidence of a capability to include C|P-CMM1 is N/A, since a structured process is Asset Management (AST)
a localized/regionalized efforts are
function) and uses Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics See C|P-CMM4.
decisions Thereoperational
to support are no defined C|P-
efficiency,
individuals responsible/accountable for administering assets as part of the program program program program program position and/or role of individuals capturing the name, position and/ or role of required to include capturing the name, requirements-driven
non-standardized methods and governed at a
to implement standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management CMM5 criteria,
which may sinceautomated
include it is reasonable to
remediation
Accountability technology asset inventory process. ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management responsible/accountable for administering assets as individuals responsible/accountable for position and/ or role of individuals local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative assume
actions. a continuously-improving process is
Asset Management AST-03.1 E-AST-01 Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) part of the technology asset inventory process? 5 x Identify x administering assets as part of the technology responsible/accountable for administering across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to include capturing the name,
Information
asset inventory process. assets as part of the technology asset maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure position and/ or role of individuals
inventory process. least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for responsible/accountable for administering
• Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement. assets as part of the technology asset
Mechanisms exist to track the origin, development, ownership, location and ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Does the organization track the origin, There is no evidence of a capability to track C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since afunction)
a localized/regionalized well-defined process Asset
and uses Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
changes to systems, system components and associated data. program program program program program development, ownership, location and changes to the origin, development, ownership, location required to track the origin, development, is required to trackmethods
non-standardized the origin, development,
to implement standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management systems, system components and associated data? and changes to systems, system components ownership, location and changes to systems, ownership, location
secure, resilient andand changes
compliant to systems, centrally
practices. managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume a continuously-improving process is
Asset Management Provenance AST-03.2 E-AST-22 Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) 8 x Identify x x and associated data. system components and associated data. system components and associated data. to ensure consistency. CMM Level 3 control not necessary to track the origin, not necessary to track the origin,
maturity would reasonably expect all, or at development, ownership, location and development, ownership, location and
least most, the following criteria to exist: changes to systems, system components and changes to systems, system components and
• An IT Asset Management (ITAM) function, associated data. associated data.
Mechanisms exist to maintain network architecture diagrams that: ∙ High-Level Diagram (HLD) ∙ High-Level Diagram (HLD) ∙ High-Level Diagram (HLD) ∙ High-Level Diagram (HLD) ∙ High-Level Diagram (HLD) Does the organization maintain network There is no evidence of a capability to Asset Management (AST) efforts are ad hoc Asset Management (AST) efforts are Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics See C|P-CMM4. There are no defined C|P-
(1) Contain sufficient detail to assess the security of the network's ∙ Low-Level Diagram (LLD) ∙ Low-Level Diagram (LLD) ∙ Low-Level Diagram (LLD) ∙ Low-Level Diagram (LLD) ∙ Low-Level Diagram (LLD) architecture diagrams that: maintain network architecture diagrams that: and inconsistent. CMM Level 1 control requirements-driven and governed at a standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management CMM5 criteria, since it is reasonable to
Network Diagrams & architecture; E-DCH-03 ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) (1) Contain sufficient detail to assess the security (1) Contain sufficient detail to assess the maturity would reasonably expect all, or at local/regional level, but are not consistent centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative assume a continuously-improving process is
Asset Management Data Flow Diagrams AST-04 (2) Reflect the current architecture of the network environment; and E-DCH-04 of the network's architecture; 10 x Identify x x security of the network's architecture; least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to maintain network
(DFDs) (3) Document all sensitive/regulated data flows. E-DCH-05 (2) Reflect the current architecture of the network (2) Reflect the current architecture of the • Asset management is informally assigned maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure architecture diagrams that:
environment; and network environment; and as an additional duty to existing least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for (1) Contain sufficient detail to assess the
(3) Document all sensitive/regulated data flows? (3) Document all sensitive/regulated data IT/cybersecurity personnel. • Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement. security of the network's architecture;
Mechanisms exist to determine cybersecurity & data privacy control ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide Does the organization determine cybersecurity & There
flows. is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since afunction)
a localized/regionalized well-defined process Asset
and uses Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
applicability by identifying, assigning and documenting the appropriate E-AST-02 (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- data privacy control applicability by identifying, determine cybersecurity & data privacy required to determine cybersecurity & data is required to determine
non-standardized methods cybersecurity
to implement & data standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Asset Scope asset scope categorization for all systems, applications, services and E-CPL-02 guide.com) guide.com) guide.com) guide.com) guide.com) assigning and documenting the appropriate asset control applicability by identifying, assigning privacy control applicability by identifying, privacy
secure, control
resilientapplicability
and compliant by identifying,
practices. centrally managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume a continuously-improving process is
Asset Management AST-04.1 personnel (internal and third-parties). scope categorization for all systems, applications, 8 x Identify x and documenting the appropriate asset scope assigning and documenting the appropriate assigning and documenting the appropriate to ensure consistency. CMM Level 3 control not necessary to determine cybersecurity & not necessary to determine cybersecurity &
Classification E-DCH-01
E-DCH-02 services and personnel (internal and third-parties)? categorization for all systems, applications, asset scope categorization for all systems, asset scope categorization for all systems, maturity would reasonably expect all, or at data privacy control applicability by data privacy control applicability by
services and personnel (internal and third- applications, services and personnel (internal applications, services and personnel (internal least most, the following criteria to exist: identifying, assigning and documenting the identifying, assigning and documenting the
parties). and third-parties). and third-parties). • An IT Asset Management (ITAM) function, appropriate asset scope categorization for all appropriate asset scope categorization for all
Mechanisms exist to ensure control applicability is appropriately- ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide Does the organization ensure control applicability is There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Asset Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
determined for systems, applications, services and third parties by (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- appropriately-determined for systems, applications, control applicability is appropriately- required to ensure control applicability is is required to ensure control applicability is standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Control Applicability graphically representing applicable boundaries. guide.com) guide.com) guide.com) guide.com) guide.com) services and third parties by graphically determined for systems, applications, services appropriately-determined for systems, appropriately-determined for systems, centrally managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume a continuously-improving process is
E-AST-02
Asset Management Boundary Graphical AST-04.2 representing applicable boundaries? 6 x Identify x x and third parties by graphically representing applications, services and third parties by applications, services and third parties by to ensure consistency. CMM Level 3 control not necessary to ensure control applicability is not necessary to ensure control applicability is
E-CPL-02
Representation applicable boundaries. graphically representing applicable graphically representing applicable maturity would reasonably expect all, or at appropriately-determined for systems, appropriately-determined for systems,
boundaries. boundaries. least most, the following criteria to exist: applications, services and third parties by applications, services and third parties by
• An IT Asset Management (ITAM) function, graphically representing applicable graphically representing applicable
Mechanisms exist to create and maintain a current inventory of systems, ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide ∙ Unified Scoping Guide Does the organization create and maintain a There is no evidence of a capability to create or similar function, governs asset
applications and services that are in scope for statutory, regulatory and/or (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- (https://unified-scoping- current inventory of systems, applications and and maintain a current inventory of systems, management to help ensure compliance with
Compliance-Specific contractual compliance obligations that provides sufficient detail to E-AST-02 guide.com) guide.com) guide.com) guide.com) guide.com) services that are in scope for statutory, regulatory applications and services that are in scope for requirements for asset management.
Asset Management AST-04.3 determine control applicability, based on asset scope categorization. and/or contractual compliance obligations that 6 x Identify x x statutory, regulatory and/ or contractual
Asset Identification E-CPL-02
provides sufficient detail to determine control compliance obligations that provides sufficient
applicability, based on asset scope categorization? detail to determine control applicability, based
on asset scope

Asset Management AST-05 8 x Identify x

Asset Management AST-05.1 8 x Protect x x

Asset Management AST-06 9 x Protect x

Asset Management AST-06.1 7 x Protect x

Asset Management AST-07 8 x Protect x x

∙ Tamper detection tape ∙ Tamper detection tape ∙ Tamper detection tape ∙ Tamper detection tape ∙ Tamper detection tape

Asset Management AST-08 9 x Detect x

Asset Management AST-09 E-AST-03 10 x Identify x x

Asset Management Return of Assets AST-10 E-AST-01 8 x Protect x

Asset Management Removal of Assets AST-11 8 x Protect x

Licensed by Creative Commons Attribution-NoDerivatives 15 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings (page header of the control catalogue):
∙ SCF Domain
∙ SCF Control
∙ SCF #
∙ Secure Controls Framework (SCF) Control Description
∙ Evidence Request List (ERL) #
∙ Possible Solutions & Considerations: Micro-Small Business (<10 staff), BLS Firm Size Classes 1-2
∙ Possible Solutions & Considerations: Small Business (10-49 staff), BLS Firm Size Classes 3-4
∙ Possible Solutions & Considerations: Medium Business (50-249 staff), BLS Firm Size Classes 5-6
∙ Possible Solutions & Considerations: Large Business (250-999 staff), BLS Firm Size Classes 7-8
∙ Possible Solutions & Considerations: Enterprise (> 1,000 staff), BLS Firm Size Class 9
∙ SCF Control Question
∙ Relative Control Weighting
∙ NIST CSF Function Grouping
∙ PPTDF Applicability: PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY
∙ SCRM Focus: TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL
∙ C|P-CMM 0 Not Performed
∙ C|P-CMM 1 Performed Informally
∙ C|P-CMM 2 Planned & Tracked
∙ C|P-CMM 3 Well Defined
∙ C|P-CMM 4 Quantitatively Controlled
∙ C|P-CMM 5 Continuously Improving

Mechanisms exist to restrict the possession and usage of personally-owned ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / Does the organization restrict the possession and There is no evidence of a capability to restrict Asset Management (AST) efforts are ad hoc Asset Management (AST) efforts are Asset Management (AST) efforts are Asset Management (AST) efforts are metrics See C|P-CMM4. There are no defined C|P-
technology devices within organization-controlled facilities. Acceptable Use Acceptable Use Acceptable Use Acceptable Use Acceptable Use usage of personally-owned technology devices the possession and usage of personally-owned and inconsistent. CMM Level 1 control requirements-driven and governed at a standardized across the organization and driven and provide sufficient management CMM5 criteria, since it is reasonable to
within organization-controlled facilities? technology devices within organization- maturity would reasonably expect all, or at local/regional level, but are not consistent centrally managed, where technically feasible, insight (based on a quantitative assume a continuously-improving process is
Asset Management Use of Personal Devices AST-12 10 x Protect x controlled facilities. least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to restrict the possession and
• Asset management is informally assigned maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure usage of personally-owned technology devices
as an additional duty to existing least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for within organization-controlled facilities.
IT/cybersecurity personnel. • Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement.
Mechanisms exist to reduce the risk associated with third-party assets that ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / Does the organization reduce the risk associated There is no evidence of a capability to reduce Asset Management (AST) efforts are ad hoc Asset Management (AST)
a localized/regionalized efforts are
function) and uses Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics See C|P-CMM4. There are no defined C|P-
are attached to the network from harming organizational assets or Acceptable Use Acceptable Use Acceptable Use Acceptable Use Acceptable Use with third-party assets that are attached to the the risk associated with third-party assets that and inconsistent. CMM Level 1 control requirements-driven
non-standardized methodsand governed at a
to implement standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management CMM5 criteria, since it is reasonable to
Use of Third-Party exfiltrating organizational data. ∙ Network Access Control (NAC) ∙ Network Access Control (NAC) ∙ Network Access Control (NAC) network from harming organizational assets or are attached to the network from harming maturity would reasonably expect all, or at local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative assume a continuously-improving process is
Asset Management AST-13 exfiltrating organizational data? 9 x Protect x organizational assets or exfiltrating least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to reduce the risk associated
Devices
organizational data. • Asset management is informally assigned maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure with third-party assets that are attached to
as an additional duty to existing least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for the network from harming organizational
IT/cybersecurity personnel. • Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement. assets or exfiltrating organizational data.
Mechanisms exist to monitor and enforce usage parameters that limit the ∙ Centralized log collector ∙ Centralized log collector ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization monitor and enforce usage There is no evidence of a capability to monitor C|P-CMM1 is N/A, since a structured process is Asset Management (AST)
a localized/regionalized efforts are
function) and uses Asset Management
or similar (AST) efforts
function, governs assetare Asset Management (AST) efforts are metrics Asset Management (AST) efforts are “world-
potential damage caused from the unauthorized or unintentional alteration ∙ Manual event log reviews ∙ Manual event log reviews (SIEM) (SIEM) (SIEM) parameters that limit the potential damage caused and enforce usage parameters that limit the required to monitor and enforce usage requirements-driven
non-standardized methodsand governed at a
to implement standardized
management across
to helpthe organization
ensure andwith
compliance driven and provide sufficient management class” capabilities that leverage predictive
of system parameters. ∙ Security Incident Event Manager ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite from the unauthorized or unintentional alteration of potential damage caused from the parameters that limit the potential damage local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally managed,
requirements where
for asset technically feasible,
management. insight (based on a quantitative analysis (e.g., machine learning, AI, etc.). In
Asset Management Usage Parameters AST-14 (SIEM) (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) system parameters? 7 x Identify x unauthorized or unintentional alteration of caused from the unauthorized or unintentional across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to addition to CMM Level 4 criteria, CMM Level 5
∙ Netwrix Auditor ∙ Netwrix Auditor ∙ Netwrix Auditor system parameters. alteration of system parameters. maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure control maturity would reasonably expect all,
(https://netrix.com) (https://netrix.com) (https://netrix.com) least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for or at least most, the following criteria to exist:
• Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, improvement. • Stakeholders make time-sensitive
Asset Management | Bluetooth & Wireless Devices | AST-14.1
Control: Mechanisms exist to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
Methods to comply: ∙ Rules of Behavior (RoB) / Acceptable Use ∙ Secure Baseline Configurations (SBC)
Control question: Does the organization prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building?
Relative control weighting: 7 | Function: Protect
C|P-CMM0: There is no evidence of a capability to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
C|P-CMM1: N/A, since a structured process is required to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prevent the usage of Bluetooth and wireless devices (e.g., Near Field Communications (NFC)) in sensitive areas or unless used in a Radio Frequency (RF)-screened building.
Asset Management | Infrared Communications | AST-14.2
Control: Mechanisms exist to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
Methods to comply: ∙ Rules of Behavior (RoB) / Acceptable Use ∙ Secure Baseline Configurations (SBC)
Control question: Does the organization prevent line of sight and reflected infrared (IR) communications use in an unsecured space?
Relative control weighting: 5 | Function: Protect
C|P-CMM0: There is no evidence of a capability to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
C|P-CMM1: N/A, since a structured process is required to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prevent line of sight and reflected infrared (IR) communications use in an unsecured space.
Asset Management | Logical Tampering Protection | AST-15 | Evidence request (ERL): E-AST-25
Control: Mechanisms exist to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.
Methods to comply: ∙ Indicators of Compromise (IoC) ∙ File Integrity Monitoring (FIM) ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com) ∙ Tripwire Enterprise (https://tripwire.com)
Control question: Does the organization verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle?
Relative control weighting: 6 | Function: Protect
C|P-CMM0: There is no evidence of a capability to verify logical configuration settings and the physical integrity of critical technology assets throughout their lifecycle.
C|P-CMM1: Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM5: Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
Asset Management | Inspection of Systems, Components & Devices | AST-15.1
Control: Mechanisms exist to physically and logically inspect critical technology assets to detect evidence of tampering.
Methods to comply: ∙ Tamper detection tape ∙ Indicators of Compromise (IoC) ∙ File Integrity Monitoring (FIM) ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com)
Control question: Does the organization physically and logically inspect critical technology assets to detect evidence of tampering?
Relative control weighting: 6 | Function: Detect
C|P-CMM0: There is no evidence of a capability to physically and logically inspect critical technology assets to detect evidence of tampering.
C|P-CMM1: Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM5: Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
Asset Management | Bring Your Own Device (BYOD) Usage | AST-16
Control: Mechanisms exist to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
Methods to comply: ∙ Rules of Behavior (RoB) / Acceptable Use ∙ Mobile Device Management (MDM) solution
Control question: Does the organization implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace?
Relative control weighting: 10 | Function: Identify
C|P-CMM0: There is no evidence of a capability to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
C|P-CMM1: Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement and govern a Bring Your Own Device (BYOD) program to reduce risk associated with personally-owned devices in the workplace.
Asset Management | Prohibited Equipment & Services | AST-17 | Evidence request (ERL): E-AST-10
Control: Mechanisms exist to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
Methods to comply: ∙ IT Asset Management (ITAM) program
Control question: Does the organization govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body?
Relative control weighting: 9 | Function: Protect
C|P-CMM0: There is no evidence of a capability to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
C|P-CMM1: N/A, since a structured process is required to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
C|P-CMM2: N/A, since a well-defined process is required to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern Supply Chain Risk Management (SCRM) sanctions that require the removal and prohibition of certain technology services and/or equipment that are designated as supply chain threats by a statutory or regulatory body.
Asset Management | Roots of Trust Protection | AST-18 | Evidence request (ERL): E-AST-26
Control: Mechanisms exist to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
Methods to comply: ∙ IT Asset Management (ITAM) program ∙ Configuration Management Database (CMDB)
Control question: Does the organization provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification?
Relative control weighting: 4 | Function: Protect
C|P-CMM0: There is no evidence of a capability to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
C|P-CMM1: N/A, since a structured process is required to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
C|P-CMM2: N/A, since a well-defined process is required to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provision and protect the confidentiality, integrity and authenticity of product supplier keys and data that can be used as a “roots of trust” basis for integrity verification.
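AST-15 (File Integrity Monitoring over configuration and firmware) and AST-18 (a supplier key pinned as the root of trust for integrity verification) are two halves of one mechanism: a baseline is only as trustworthy as the key that vouches for it. The Go program below is an added example written for this page; it is not SCF material and not the code of any vendor listed in the methods above. It builds a SHA-256 manifest of an approved file set, has the supplier sign it with an Ed25519 key, and on the asset verifies that signature under the pinned public key before reporting modified, missing and unexpected files. The file paths, file contents and key pairs are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrBadSignature: the manifest did not verify under the pinned root-of-trust key.
var ErrBadSignature = errors.New("manifest signature does not verify under pinned key")
// Manifest is the approved baseline: relative path -> hex SHA-256 of the approved content.
type Manifest map[string]string

// Canonical renders the manifest sorted by path so the bytes that get signed are deterministic.
func (m Manifest) Canonical() []byte {
	paths := make([]string, 0, len(m))
	for p := range m {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&b, "%s  %s\n", m[p], p)
	}
	return []byte(b.String())
}
// Digest returns the hex SHA-256 of content.
func Digest(content []byte) string { sum := sha256.Sum256(content); return hex.EncodeToString(sum[:]) }
// BuildManifest hashes every file of an approved build into a baseline.
func BuildManifest(files map[string][]byte) Manifest {
	m := make(Manifest, len(files))
	for path, content := range files {
		m[path] = Digest(content)
	}
	return m
}
// SignManifest is the supplier side: the private half of the root-of-trust key signs the
// canonical manifest in the supplier's signing environment, never on the asset itself.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte { return ed25519.Sign(priv, m.Canonical()) }
// Finding is one deviation from the baseline; Kind is "modified", "missing" or "unexpected".
type Finding struct{ Path, Kind string }

// CheckIntegrity verifies the manifest under the pinned public key before diffing the current
// files against it, so a manifest doctored to hide a change is rejected without the signing key.
func CheckIntegrity(pub ed25519.PublicKey, m Manifest, sig []byte, current map[string][]byte) ([]Finding, error) {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return nil, ErrBadSignature
	}
	var findings []Finding
	for path, want := range m {
		if content, ok := current[path]; !ok {
			findings = append(findings, Finding{path, "missing"})
		} else if Digest(content) != want {
			findings = append(findings, Finding{path, "modified"})
		}
	}
	for path := range current {
		if _, ok := m[path]; !ok {
			findings = append(findings, Finding{path, "unexpected"})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings, nil
}

// Scenario is a constructed end-to-end run: an approved baseline is signed, the running asset
// drifts in three ways, then an attacker re-signs a doctored manifest with their own key.
func Scenario() (drift []Finding, doctoredErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed supplier key pair; only pub is pinned
	approved := map[string][]byte{ // constructed sample files of the approved build
		"etc/ssh/sshd_config":      []byte("PermitRootLogin no\nPasswordAuthentication no\n"),
		"etc/sudoers":              []byte("root ALL=(ALL) ALL\n"),
		"usr/lib/firmware/nic.bin": {0x7f, 0x45, 0x4c, 0x46, 0x01},
	}
	manifest := BuildManifest(approved)
	sig := SignManifest(priv, manifest)
	current := map[string][]byte{ // drift: sshd_config edited, sudoers removed, cron job added
		"etc/ssh/sshd_config":      []byte("PermitRootLogin yes\nPasswordAuthentication no\n"),
		"usr/lib/firmware/nic.bin": approved["usr/lib/firmware/nic.bin"],
		"etc/cron.d/persist":       []byte("* * * * * root /tmp/.x\n"),
	}
	drift, err := CheckIntegrity(pub, manifest, sig, current)
	if err != nil {
		panic(err) // the genuine, untouched manifest must verify
	}
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	doctored := BuildManifest(current) // matches the drifted state, so it would hide the drift
	_, doctoredErr = CheckIntegrity(pub, doctored, SignManifest(attackerPriv, doctored), current)
	return drift, doctoredErr
}

func main() {
	drift, doctoredErr := Scenario()
	fmt.Printf("drift: %v\ndoctored manifest: %v\n", drift, doctoredErr)
}
```

The ordering inside CheckIntegrity is the point of AST-18: the signature is checked before the manifest is allowed to act as a baseline, so an attacker who can rewrite both the files and the manifest still cannot silence the check without the supplier's private key. In a deployment, the pinned public key and the signed manifest are the "supplier keys and data" the control asks the ITAM/CMDB process to provision and protect, and the commercial FIM tools named under AST-15 add the scheduling, scale and alerting this example omits.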
Asset Management | Telecommunications Equipment | AST-19
Control: Mechanisms exist to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
Methods to comply: ∙ Rules of Behavior (RoB) / Acceptable Use ∙ Secure Baseline Configurations (SBC)
Control question: Does the organization establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping?
Relative control weighting: 9 | Function: Protect
C|P-CMM0: There is no evidence of a capability to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
C|P-CMM1: N/A, since a structured process is required to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish usage restrictions and implementation guidance for telecommunication equipment to prevent potential damage or unauthorized modification and to prevent potential eavesdropping.
Asset Management | Video Teleconference (VTC) Security | AST-20
Control: Mechanisms exist to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
Methods to comply: ∙ Secure Baseline Configurations (SBC) ∙ Network segmentation (logical and/or physical)
Control question: Does the organization implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping?
Relative control weighting: 8 | Function: Protect
C|P-CMM0: There is no evidence of a capability to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
C|P-CMM1: N/A, since a structured process is required to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement secure Video Teleconference (VTC) capabilities on endpoint devices and in designated conference rooms, to prevent potential eavesdropping.
Asset Management | Voice Over Internet Protocol (VoIP) Security | AST-21
Control: Mechanisms exist to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
Methods to comply: ∙ Secure Baseline Configurations (SBC) ∙ Network segmentation (logical and/or physical)
Control question: Does the organization implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks?
Relative control weighting: 8 | Function: Protect
C|P-CMM0: There is no evidence of a capability to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
C|P-CMM1: N/A, since a structured process is required to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement secure Internet Protocol Telephony (IPT) that logically or physically separates Voice Over Internet Protocol (VoIP) traffic from data networks.
Asset Management | Microphones & Web Cameras | AST-22
Control: Mechanisms exist to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed.
Methods to comply: ∙ Rules of Behavior (RoB) / Acceptable Use ∙ Secure Baseline Configurations (SBC)
Control question: Does the organization configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive/regulated information is discussed?
Relative control weighting: 8 | Function: Protect
C|P-CMM0: There is no evidence of a capability to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.
C|P-CMM1: N/A, since a structured process is required to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure assets to prohibit the use of endpoint-based microphones and web cameras in secure areas or where sensitive information is discussed.
Asset Management | Multi-Function Devices (MFD) | AST-23 | Evidence request (ERL): E-TPM-01
Control: Mechanisms exist to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
Methods to comply: ∙ Secure Baseline Configurations (SBC) ∙ Network segmentation (logical and/or physical)
Control question: Does the organization securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device?
Relative control weighting: 8 | Function: Protect
C|P-CMM0: There is no evidence of a capability to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
C|P-CMM1: N/A, since a structured process is required to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
C|P-CMM2: Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to securely configure Multi-Function Devices (MFD) according to industry-recognized secure practices for the type of device.
Asset Management | Travel-Only Devices | AST-24
Control: Mechanisms exist to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
Methods to comply: ∙ IT Asset Management (ITAM) program ∙ Secure Baseline Configurations (SBC)
Control question: Does the organization issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies?
Relative control weighting: 8 | Function: Protect
C|P-CMM0: There is no evidence of a capability to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
C|P-CMM1: N/A, since a structured process is required to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
C|P-CMM2: N/A, since a well-defined process is required to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
C|P-CMM3: Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, governs asset management across the organization to help ensure compliance with requirements for asset management.
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to issue personnel travelling overseas with temporary, loaner or "travel-only" end user technology (e.g., laptops and mobile devices) when travelling to authoritarian countries with a higher-than average risk for Intellectual Property (IP) theft or espionage against individuals and private companies.
Mechanisms exist to re-image end user technology (e.g., laptops and ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Does the organization re-image end user There is no evidence of a capability to re- C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Asset Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
mobile devices) when returning from overseas travel to an authoritarian program program program program program technology (e.g., laptops and mobile devices) when image end user technology (e.g., laptops and required to re-image end user technology is required to re-image end user technology standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Re-Imaging Devices country with a higher-than average risk for Intellectual Property (IP) theft or returning from overseas travel to an authoritarian mobile devices) when returning from overseas (e.g., laptops and mobile devices) when (e.g., laptops and mobile devices) when centrally managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume a continuously-improving process is
Asset Management AST-25 espionage against individuals and private companies. country with a higher-than average risk for 8 x Protect x x travel to an authoritarian country with a returning from overseas travel to an returning from overseas travel to an to ensure consistency. CMM Level 3 control not necessary to re-image end user not necessary to re-image end user
After Travel
Intellectual Property (IP) theft or espionage against higher-than average risk for Intellectual authoritarian country with a higher-than authoritarian country with a higher-than maturity would reasonably expect all, or at technology (e.g., laptops and mobile devices) technology (e.g., laptops and mobile devices)
individuals and private companies? Property (IP) theft or espionage against average risk for Intellectual Property (IP) theft average risk for Intellectual Property (IP) theft least most, the following criteria to exist: when returning from overseas travel to an when returning from overseas travel to an
individuals and private companies. or espionage against individuals and private or espionage against individuals and private • An IT Asset Management (ITAM) function, authoritarian country with a higher-than authoritarian country with a higher-than
Mechanisms exist to develop, implement and govern system administration ∙ Documented Standardized ∙ Documented Standardized ∙ Documented Standardized ∙ Documented Standardized ∙ Documented Standardized Does the organization develop, implement and There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Asset Management (AST) efforts are Asset Management
or similar (AST) efforts
function, governs assetare See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
processes, with corresponding Standardized Operating Procedures (SOP), Operating Procedures (SOP) Operating Procedures (SOP) Operating Procedures (SOP) Operating Procedures (SOP) Operating Procedures (SOP) govern system administration processes, with develop, implement and govern system required to develop, implement and govern requirements-driven and governed at a standardized
management across
to helpthe organization
ensure andwith
compliance CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
System Administrative for operating and maintaining systems, applications and services. ∙ ComplianceForge - ∙ ComplianceForge - ∙ ComplianceForge - ∙ ComplianceForge - ∙ ComplianceForge - corresponding Standardized Operating Procedures administration processes, with corresponding system administration processes, with local/regional level, but are not consistent centrally managed,
requirements where
for asset technically feasible,
management. assume a quantitatively-controlled process is assume a continuously-improving process is
Asset Management AST-26 Cybersecurity Standardized Cybersecurity Standardized Cybersecurity Standardized Cybersecurity Standardized Cybersecurity Standardized (SOP), for operating and maintaining systems, 9 x Identify x Standardized Operating Procedures (SOP), for corresponding Standardized Operating across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to develop, implement and not necessary to develop, implement and
Processes
Operating Procedures (CSOP) Operating Procedures (CSOP) Operating Procedures (CSOP) Operating Procedures (CSOP) Operating Procedures (CSOP) applications and services? operating and maintaining systems, Procedures (SOP), for operating and maturity would reasonably expect all, or at maturity would reasonably expect all, or at govern system administration processes, with govern system administration processes, with
applications and services. maintaining systems, applications and least most, the following criteria to exist: least most, the following criteria to exist: corresponding Standardized Operating corresponding Standardized Operating
services. • Asset management is decentralized (e.g., • An IT Asset Management (ITAM) function, Procedures (SOP), for operating and Procedures (SOP), for operating and
Mechanisms exist to conduct remote system administrative functions via a ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) a localized/regionalized function) and uses or similar function, governs asset
"jump box" or "jump server" that is located in a separate network zone to program program program program program non-standardized methods to implement management to help ensure compliance with
user workstations. ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations secure, resilient and compliant practices. requirements for asset management.
Asset Management Jump Server AST-27 (SBC) (SBC) (SBC) (SBC) (SBC) 7 x Protect x x
∙ Network segmentation ∙ Network segmentation ∙ Network segmentation ∙ Network segmentation ∙

Asset Management AST-28 9 x Identify x

Asset Management AST-28.1 6 x Protect x x

Asset Management AST-29 3 x Protect x x

Asset Management AST-29.1 3 x Protect x x

Asset Management Decommissioning AST-30 4 x Protect x x

Mechanisms exist to categorize technology assets.

Asset Management Asset Categorization AST-31 E-AST-24 9 x Identify x x x

Asset Management AST-31.1 E-AST-24 9 x Identify x x x

Asset Management AST-31.2 9 x Protect x x

BCD-01 E-BCM-01 10 x Govern x x x

∙ Incident Response Plan (IRP) ∙ Incident Response Plan (IRP) ∙ Incident Response Plan (IRP) ∙ Incident Response Plan (IRP) ∙ Incident Response Plan (IRP)

BCD-01.1 E-BCM-01 5 x Recover x x

BCD-01.2 E-BCM-01 5 x Recover x

Licensed by Creative Commons Attribution-NoDerivatives 16 of 196

version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings for the control listing below:
SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Evidence Request List (ERL) # | Possible Solutions & Considerations, by business size: Micro-Small Business (<10 staff, BLS Firm Size Classes 1-2), Small Business (10-49 staff, BLS Firm Size Classes 3-4), Medium Business (50-249 staff, BLS Firm Size Classes 5-6), Large Business (250-999 staff, BLS Firm Size Classes 7-8), Enterprise (> 1,000 staff, BLS Firm Size Class 9) | SCF Control Question | Relative Control Weighting | PPTDF Applicability: People, Process, Technology, Data, Facility | NIST CSF Function Grouping | SCRM Focus: Tier 1 Strategic, Tier 2 Operational, Tier 3 Tactical | C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

Mechanisms exist to redeploy personnel to other roles during a disruptive ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan Does the organization redeploy personnel to other There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Business Continuity & Disaster Recovery See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
event or in the execution of a continuity plan. (COOP) (COOP) (COOP) (COOP) (COOP) roles during a disruptive event or in the execution redeploy personnel to other roles during a required to redeploy personnel to other roles is required to redeploy personnel toother roles (BCD) efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Business Continuity ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) of a continuity plan? disruptive event or in the execution of a during a disruptive event or in the execution during a disruptive event or in the execution organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Transfer to Alternate
& Disaster BCD-01.3 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) 5 x Recover x continuity plan. of a continuity plan. of a continuity plan. technically feasible, to ensure consistency. not necessary to redeploy personnel to other not necessary to redeploy personnel to other
Processing / Storage Site
Recovery CMM Level 3 control maturity would roles during a disruptive event or in the roles during a disruptive event or in the
reasonably expect all, or at least most, the execution of a continuity plan. execution of a continuity plan.
following criteria to exist:
Mechanisms exist to facilitate recovery operations in accordance with ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan Does the organization facilitate recovery operations There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM4. There are no defined C|P-
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). (COOP) (COOP) (COOP) (COOP) (COOP) in accordance with Recovery Time Objectives facilitate recovery operations in accordance required to facilitate recovery operations in is required to facilitate recovery operations in (BCD) efforts are standardized across the (BCD) efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Business Continuity ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) (RTOs) and Recovery Point Objectives (RPOs)? with Recovery Time Objectives (RTOs) and accordance with Recovery Time Objectives accordance with Recovery Time Objectives organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
Recovery Time / Point E-BCM-02
& Disaster BCD-01.4 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) 5 x Recover x Recovery Point Objectives (RPOs). (RTOs) and Recovery Point Objectives (RPOs). (RTOs) and Recovery Point Objectives (RPOs). technically feasible, to ensure consistency. quantitative understanding of process not necessary to facilitate recovery operations
Objectives (RTO / RPO) E-BCM-03
Recovery ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives CMM Level 3 control maturity would capabilities) to predict optimal performance, in accordance with Recovery Time Objectives
(RTOs) (RTOs) (RTOs) (RTOs) (RTOs) reasonably expect all, or at least most, the ensure continued operations and identify (RTOs) and Recovery Point Objectives (RPOs).
∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives following criteria to exist: areas for improvement. In addition to CMM
Mechanisms exist to define specific criteria that must be met to initiate ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) Does the organization define specific criteria that There is no evidence of a capability to define C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Business Continuity & Disaster Recovery See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Business Continuity / Disaster Recover (BC/DR) plans that facilitate (COOP) (COOP) (COOP) (COOP) (COOP) must be met to initiate Business Continuity / specific criteria that must be met to initiate required to define specific criteria that must is required to define specific criteria that must (BCD) efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Business Continuity business continuity operations capable of meeting applicable Recovery ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) Disaster Recover (BC/DR) plans that facilitate Business Continuity / Disaster Recover be met to initiate Business Continuity / be met to initiate Business Continuity / organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Recovery Operations
& Disaster BCD-01.5 Time Objectives (RTOs) and Recovery Point Objectives (RPOs). E-BCM-14 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) business continuity operations capable of meeting 6 x Govern x (BC/DR) plans that facilitate business Disaster Recover (BC/DR) plans that facilitate Disaster Recover (BC/DR) plans that facilitate technically feasible, to ensure consistency. not necessary to define specific criteria that not necessary to define specific criteria that
Criteria
Recovery ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives ∙ Recovery Time Objectives applicable Recovery Time Objectives (RTOs) and continuity operations capable of meeting business continuity operations capable of business continuity operations capable of CMM Level 3 control maturity would must be met to initiate Business Continuity / must be met to initiate Business Continuity /
(RTOs) (RTOs) (RTOs) (RTOs) (RTOs) Recovery Point Objectives (RPOs)? applicable Recovery Time Objectives (RTOs) meeting applicable Recovery Time Objectives meeting applicable Recovery Time Objectives reasonably expect all, or at least most, the Disaster Recover (BC/DR) plans that facilitate Disaster Recover (BC/DR) plans that facilitate
∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives ∙ Recovery Point Objectives and Recovery Point Objectives (RPOs). (RTOs) and Recovery Point Objectives (RPOs). (RTOs) and Recovery Point Objectives (RPOs). following criteria to exist: business continuity operations capable of business continuity operations capable of
Mechanisms exist to communicate the status of recovery activities and ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) ∙ Continuity of Operations Plan
(RPOs) Does the organization communicate the status of There is no evidence of a capability to Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
progress in restoring operational capabilities to designated internal and (COOP) (COOP) (COOP) (COOP) (COOP) recovery activities and progress in restoring communicate the status of recovery activities (BCD) efforts are ad hoc and inconsistent. (BCD) efforts are requirements-driven and (BCD) efforts are standardized across the CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Business Continuity external stakeholders. ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) operational capabilities to designated internal and and progress in restoring operational CMM Level 1 control maturity would governed at a local/regional level, but are not organization and centrally managed, where assume a quantitatively-controlled process is assume a continuously-improving process is
Recovery Operations
& Disaster BCD-01.6 E-BCM-01 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) external stakeholders? 3 x Govern x capabilities to designated internal and reasonably expect all, or at least most, the consistent across the organization. CMM Level technically feasible, to ensure consistency. not necessary to communicate the status of not necessary to communicate the status of
Communications
Recovery external stakeholders. following criteria to exist: 2 control maturity would reasonably expect CMM Level 3 control maturity would recovery activities and progress in restoring recovery activities and progress in restoring
• IT personnel work with business all, or at least most, the following criteria to reasonably expect all, or at least most, the operational capabilities to designated internal operational capabilities to designated internal
stakeholders to identify business-critical exist: following criteria to exist: and external stakeholders. and external stakeholders.
Mechanisms exist to identify and document the critical systems, ∙ Business Impact Analysis (BIA) ∙ Business Impact Analysis (BIA) ∙ Business Impact Analysis (BIA) ∙ Business Impact Analysis (BIA) ∙ Business Impact Analysis (BIA) Does the organization identify and document the There is no evidence of a capability to identify Business
systems andContinuity & Disaster
services, includingRecovery
internal teams Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM4. There are no defined C|P-
applications and services that support essential missions and business ∙ Criticality assessments ∙ Criticality assessments ∙ Criticality assessments ∙ Criticality assessments ∙ Criticality assessments critical systems, applications and services that and document the critical systems, (BCD) efforts are
and third-party ad hocproviders.
service and inconsistent. (BCD) efforts are requirements-driven and (BCD) efforts are standardized across the (BCD) efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Business Continuity functions. support essential missions and business functions? applications and services that support CMM Level 1 control maturity would governed at a local/regional level, but are not organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
& Disaster Identify Critical Assets BCD-02 E-BCM-08 9 x Recover x essential missions and business functions. reasonably expect all, or at least most, the consistent across the organization. CMM Level technically feasible, to ensure consistency. quantitative understanding of process not necessary to identify and document the
Recovery following criteria to exist: 2 control maturity would reasonably expect CMM Level 3 control maturity would capabilities) to predict optimal performance, critical systems, applications and services that
• IT personnel work with business all, or at least most, the following criteria to reasonably expect all, or at least most, the ensure continued operations and identify support essential missions and business
stakeholders to identify business-critical exist: following criteria to exist: areas for improvement. In addition to CMM functions.
Mechanisms exist to resume all missions and business functions within ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan Does the organization resume all missions and There is no evidence of a capability to resume Business
systems andContinuity & Disaster
services, includingRecovery
internal teams Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM4. There are no defined C|P-
Recovery Time Objectives (RTOs) of the contingency plan's activation. (COOP) (COOP) (COOP) (COOP) (COOP) business functions within Recovery Time Objectives all missions and business functions within (BCD) efforts are
and third-party ad hocproviders.
service and inconsistent. (BCD) efforts are requirements-driven and (BCD) efforts are standardized across the (BCD) efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Business Continuity ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) (RTOs) of the contingency plan's activation? Recovery Time Objectives (RTOs) of the CMM Level 1 control maturity would governed at a local/regional level, but are not organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
Resume All Missions &
& Disaster BCD-02.1 E-BCM-01 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) 8 x Recover x contingency plan's activation. reasonably expect all, or at least most, the consistent across the organization. CMM Level technically feasible, to ensure consistency. quantitative understanding of process not necessary to resume all missions and
Business Functions
Recovery following criteria to exist: 2 control maturity would reasonably expect CMM Level 3 control maturity would capabilities) to predict optimal performance, business functions within Recovery Time
• IT personnel work with business all, or at least most, the following criteria to reasonably expect all, or at least most, the ensure continued operations and identify Objectives (RTOs) of the contingency plan's
stakeholders to identify business-critical exist: following criteria to exist: areas for improvement. In addition to CMM activation.
Mechanisms exist to continue essential missions and business functions ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan Does the organization continue essential missions There is no evidence of a capability to Business
systems andContinuity & Disaster
services, includingRecovery
internal teams Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM4. There are no defined C|P-
with little or no loss of operational continuity and sustain that continuity (COOP) (COOP) (COOP) (COOP) (COOP) and business functions with little or no loss of continue essential missions and business (BCD) efforts are
and third-party ad hocproviders.
service and inconsistent. (BCD) efforts are requirements-driven and (BCD) efforts are standardized across the (BCD) efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Business Continuity Continue Essential until full system restoration at primary processing and/or storage sites. ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) operational continuity and sustain that continuity functions with little or no loss of operational CMM Level 1 control maturity would governed at a local/regional level, but are not organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
& Disaster Mission & Business BCD-02.2 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) until full system restoration at primary processing 8 x Recover x continuity and sustain that continuity until full reasonably expect all, or at least most, the consistent across the organization. CMM Level technically feasible, to ensure consistency. quantitative understanding of process not necessary to continue essential missions
Recovery Functions and/or storage sites? system restoration at primary processing and/ following criteria to exist: 2 control maturity would reasonably expect CMM Level 3 control maturity would capabilities) to predict optimal performance, and business functions with little or no loss of
or storage sites. • IT personnel work with business all, or at least most, the following criteria to reasonably expect all, or at least most, the ensure continued operations and identify operational continuity and sustain that
stakeholders to identify business-critical exist: following criteria to exist: areas for improvement. In addition to CMM continuity until full system restoration at
Mechanisms exist to resume essential missions and business functions ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan ∙ Continuity of Operations Plan Does the organization resume essential missions There is no evidence of a capability to resume Business Continuity & Disaster Recovery
systems and services, including internal teams Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery Business Continuity & Disaster Recovery See C|P-CMM4. There are no defined C|P-
within an organization-defined time period of contingency plan activation. (COOP) (COOP) (COOP) (COOP) (COOP) and business functions within an organization- essential missions and business functions (BCD) efforts are
and third-party ad hocproviders.
service and inconsistent. (BCD) efforts are requirements-driven and (BCD) efforts are standardized across the (BCD) efforts are metrics driven and provide CMM5 criteria, since it is reasonable to
Business Continuity Resume Essential ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) ∙ Business Continuity Plan (BCP) defined time period of contingency plan activation? within an organization-defined time period of CMM Level 1 control maturity would governed at a local/regional level, but are not organization and centrally managed, where sufficient management insight (based on a assume a continuously-improving process is
& Disaster Missions & Business BCD-02.3 ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) ∙ Disaster Recovery Plan (DRP) 8 x Recover x contingency plan activation. reasonably expect all, or at least most, the consistent across the organization. CMM Level technically feasible, to ensure consistency. quantitative understanding of process not necessary to resume essential missions
Recovery Functions following criteria to exist: 2 control maturity would reasonably expect CMM Level 3 control maturity would capabilities) to predict optimal performance, and business functions within an organization-
• IT personnel work with business all, or at least most, the following criteria to reasonably expect all, or at least most, the ensure continued operations and identify defined time period of contingency plan
stakeholders to identify business-critical exist: following criteria to exist: areas for improvement. In addition to CMM activation.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Data Storage Location Reviews
SCF #: BCD-02.4
Control Description: Mechanisms exist to perform periodic security reviews of storage locations that contain sensitive / regulated data.
ERL #: E-AST-23
Possible Solutions & Considerations (all business sizes): ∙ Business Impact Analysis (BIA) ∙ Criticality assessments
Control Question: Does the organization perform periodic security reviews of storage locations that contain sensitive / regulated data?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 8 x Recover x
C|P-CMM 0: There is no evidence of a capability to perform periodic security reviews of storage locations that contain sensitive / regulated data.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to perform periodic security reviews of storage locations that contain sensitive / regulated data.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to perform periodic security reviews of storage locations that contain sensitive / regulated data.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform periodic security reviews of storage locations that contain sensitive / regulated data.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Contingency Training
SCF #: BCD-03
Control Description: Mechanisms exist to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
ERL #: E-BCM-07
Possible Solutions & Considerations: ∙ NIST NICE Framework ∙ Tabletop exercises (all business sizes) ∙ Simulated events (two of the five business-size columns)
Control Question: Does the organization adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Recover x x
C|P-CMM 0: There is no evidence of a capability to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to adequately train contingency personnel and applicable stakeholders in their contingency roles and responsibilities.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Simulated Events
SCF #: BCD-03.1
Control Description: Mechanisms exist to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
ERL #: E-BCM-06
Possible Solutions & Considerations: ∙ Tabletop exercises (all business sizes) ∙ Simulated events (two of the five business-size columns)
Control Question: Does the organization incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 3 x Recover x x
C|P-CMM 0: There is no evidence of a capability to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to incorporate simulated events into contingency training to facilitate effective response by personnel in crisis situations.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Automated Training Environments
SCF #: BCD-03.2
Control Description: Automated mechanisms exist to provide a more thorough and realistic contingency training environment.
ERL #: (none listed)
Possible Solutions & Considerations: (none listed)
Control Question: Does the organization use automated mechanisms to provide a more thorough and realistic contingency training environment?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 1 x Recover x x
C|P-CMM 0: There is no evidence of a capability to provide a more thorough and realistic contingency training environment.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to provide a more thorough and realistic contingency training environment.
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to provide a more thorough and realistic contingency training environment.
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide a more thorough and realistic contingency training environment.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide a more thorough and realistic contingency training environment.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Contingency Plan Testing & Exercises
SCF #: BCD-04
Control Description: Mechanisms exist to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and the organization's readiness to execute the plan.
ERL #: E-BCM-06, E-BCM-07
Possible Solutions & Considerations: ∙ Tabletop exercises (all business sizes) ∙ Simulated events (two of the five business-size columns)
Control Question: Does the organization conduct tests and/or exercises to evaluate the contingency plan's effectiveness and its readiness to execute the plan?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 6 x Recover x x
C|P-CMM 0: There is no evidence of a capability to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and its readiness to execute the plan.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct tests and/or exercises to evaluate the contingency plan's effectiveness and its readiness to execute the plan.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Coordinated Testing with Related Plans
SCF #: BCD-04.1
Control Description: Mechanisms exist to coordinate contingency plan testing with internal and external elements responsible for related plans.
ERL #: (none listed)
Possible Solutions & Considerations: ∙ Tabletop exercises (all business sizes) ∙ Red Team testing ∙ Penetration testing (three of the five business-size columns)
Control Question: Does the organization coordinate contingency plan testing with internal and external elements responsible for related plans?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 3 x Recover x
C|P-CMM 0: There is no evidence of a capability to coordinate contingency plan testing with internal and external elements responsible for related plans.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to coordinate contingency plan testing with internal and external elements responsible for related plans.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Alternate Storage & Processing Sites
SCF #: BCD-04.2
Control Description: Mechanisms exist to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
ERL #: (none listed)
Possible Solutions & Considerations (all business sizes): ∙ Failover testing ∙ On-site visit to alternate site(s)
Control Question: Does the organization test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Recover x
C|P-CMM 0: There is no evidence of a capability to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to test contingency plans at alternate storage & processing sites to both familiarize contingency personnel with the facility and evaluate the capabilities of the alternate processing site to support contingency operations.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Contingency Plan Root Cause Analysis (RCA) & Lessons Learned
SCF #: BCD-05
Control Description: Mechanisms exist to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
ERL #: E-BCM-04
Possible Solutions & Considerations (all business sizes): ∙ Root Cause Analysis (RCA) (After Action Review (AAR), lessons learned, etc.)
Control Question: Does the organization conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Detect x x
C|P-CMM 0: There is no evidence of a capability to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct a Root Cause Analysis (RCA) and "lessons learned" activity every time the contingency plan is activated.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Ongoing Contingency Planning
SCF #: BCD-06
Control Description: Mechanisms exist to update contingency plans due to changes affecting:
(1) People (e.g., personnel changes);
(2) Processes (e.g., new, altered or decommissioned business practices, including third-party services);
(3) Technologies (e.g., new, altered or decommissioned technologies);
(4) Data (e.g., changes to data flows and/or data repositories); and/or
(5) Facilities (e.g., new, altered or decommissioned physical infrastructure).
ERL #: E-BCM-05
Possible Solutions & Considerations (all business sizes): ∙ Documentation change control
Control Question: Does the organization update contingency plans due to changes affecting: (1) People (e.g., personnel changes); (2) Processes (e.g., new, altered or decommissioned business practices, including third-party services); (3) Technologies (e.g., new, altered or decommissioned technologies); (4) Data (e.g., changes to data flows and/or data repositories); and/or (5) Facilities (e.g., new, altered or decommissioned physical infrastructure)?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 8 x Recover x x
C|P-CMM 0: There is no evidence of a capability to update contingency plans due to changes affecting: (1) People (e.g., personnel changes); (2) Processes (e.g., new, altered or decommissioned business practices, including third-party services); (3) Technologies (e.g., new, altered or decommissioned technologies); (4) Data (e.g., changes to data flows and/or data repositories); and/or (5) Facilities (e.g., new, altered or decommissioned physical infrastructure).
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to update contingency plans due to changes affecting: (1) People (e.g., personnel changes); (2) Processes (e.g., new, altered or decommissioned business practices, including third-party services); (3) Technologies (e.g., new, altered or decommissioned technologies); (4) Data (e.g., changes to data flows and/or data repositories); and/or (5) Facilities (e.g., new, altered or decommissioned physical infrastructure).
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Contingency Planning Components
SCF #: BCD-06.1
Control Description: Mechanisms exist to identify components that potentially impact the organization's ability to execute contingency plans, including changes to:
(1) Personnel roles;
(2) Business processes (including the use of third-party services);
(3) Deployed technologies;
(4) Data repositories and/or data flows; and/or
(5) Physical infrastructure.
ERL #: (none listed)
Possible Solutions & Considerations: (none listed)
Control Question: Does the organization identify components that potentially impact the organization's ability to execute contingency plans, including changes to: (1) Personnel roles; (2) Business processes (including the use of third-party services); (3) Deployed technologies; (4) Data repositories and/or data flows; and/or (5) Physical infrastructure?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 8 x Recover x
C|P-CMM 0: There is no evidence of a capability to identify components that potentially impact the organization's ability to execute contingency plans, including changes to: (1) Personnel roles; (2) Business processes (including the use of third-party services); (3) Deployed technologies; (4) Data repositories and/or data flows; and/or (5) Physical infrastructure.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to identify components that potentially impact the organization's ability to execute contingency plans, including changes to: (1) Personnel roles; (2) Business processes (including the use of third-party services); (3) Deployed technologies; (4) Data repositories and/or data flows; and/or (5) Physical infrastructure.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify components that potentially impact the organization's ability to execute contingency plans, including changes to: (1) Personnel roles; (2) Business processes (including the use of third-party services); (3) Deployed technologies; (4) Data repositories and/or data flows; and/or (5) Physical infrastructure.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify components that potentially impact the organization's ability to execute contingency plans, including changes to: (1) Personnel roles; (2) Business processes (including the use of third-party services); (3) Deployed technologies; (4) Data repositories and/or data flows; and/or (5) Physical infrastructure.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Contingency Plan Update Notifications
SCF #: BCD-06.2
Control Description: Mechanisms exist to keep stakeholders informed of changes to contingency plans.
ERL #: (none listed)
Possible Solutions & Considerations: (none listed)
Control Question: Does the organization keep stakeholders informed of changes to contingency plans?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Recover x
C|P-CMM 0: There is no evidence of a capability to keep stakeholders informed of changes to contingency plans.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to keep stakeholders informed of changes to contingency plans.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to keep stakeholders informed of changes to contingency plans.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to keep stakeholders informed of changes to contingency plans.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Alternative Security Measures
SCF #: BCD-07
Control Description: Mechanisms exist to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
ERL #: (none listed)
Possible Solutions & Considerations (all business sizes): ∙ Compensating controls ∙ Configuration management practices
Control Question: Does the organization implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Protect x x
C|P-CMM 0: There is no evidence of a capability to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement alternative or compensating controls to satisfy security functions when the primary means of implementing the security function is unavailable or compromised.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Alternate Storage Site
SCF #: BCD-08
Control Description: Mechanisms exist to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
ERL #: (none listed)
Possible Solutions & Considerations (all business sizes): ∙ SunGard ∙ AWS ∙ Azure
Control Question: Does the organization establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 9 x Protect x x
C|P-CMM 0: There is no evidence of a capability to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish an alternate storage site that includes both the assets and necessary agreements to permit the storage and recovery of system backup information.
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Separation from Primary Site
SCF #: BCD-08.1
Control Description: Mechanisms exist to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.
ERL #: (none listed)
Possible Solutions & Considerations (all business sizes): ∙ Continuity of Operations Plan (COOP)
Control Question: Does the organization separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 7 x Protect x x
C|P-CMM 0: There is no evidence of a capability to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to separate the alternate storage site from the primary storage site to reduce susceptibility to similar threats.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
(C|P-CMM 3 through 5 for BCD-08.1 are not captured in this extract.)

The following rows survive only as SCF #, any control name or ERL # that was captured, and the weighting / NIST CSF function / PPTDF and SCRM marks as extracted:
BCD-08.2 (Accessibility): 5 x Protect x
BCD-09: 9 x Protect x x
BCD-09.1: 7 x Protect x
BCD-09.2 (Accessibility): 5 x Recover x
BCD-09.3 (ERL # E-TPM-04): 6 x Recover x
BCD-09.4 (Preparation for Use): 5 x Protect x
BCD-09.5: 5 x Protect x x
BCD-10: 6 x Recover x x
Licensed by Creative Commons Attribution-NoDerivatives 17 of 196

version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Columns per control row:
∙ SCF Domain
∙ SCF Control
∙ SCF #
∙ Secure Controls Framework (SCF) Control Description
∙ Evidence Request List (ERL) #
∙ Possible Solutions & Considerations, by business size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8), Enterprise (> 1,000 staff; BLS Firm Size Class 9)
∙ SCF Control Question
∙ Relative Control Weighting
∙ NIST CSF Function Grouping
∙ PPTDF Applicability: People, Process, Technology, Data, Facility
∙ SCRM Focus: Tier 1 Strategic, Tier 2 Operational, Tier 3 Tactical
∙ C|P-CMM 0 Not Performed; C|P-CMM 1 Performed Informally; C|P-CMM 2 Planned & Tracked; C|P-CMM 3 Well Defined; C|P-CMM 4 Quantitatively Controlled; C|P-CMM 5 Continuously Improving

SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Telecommunications Priority of Service Provisions
SCF #: BCD-10.1
Control Description: Mechanisms exist to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
ERL #: E-TPM-04
Possible Solutions & Considerations (all business sizes): ∙ Priority-of-service contract provisions for hot / warm / cold sites.
Control Question: Does the organization formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs)?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 6 x Recover x
C|P-CMM 0: There is no evidence of a capability to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to formalize primary and alternate telecommunications service agreements that contain priority-of-service provisions that support availability requirements, including Recovery Time Objectives (RTOs).
SCF Domain: Business Continuity & Disaster Recovery
SCF Control: Separation of Primary / Alternate Providers
SCF #: BCD-10.2
Control Description: Mechanisms exist to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
ERL #: (none listed)
Possible Solutions & Considerations (all business sizes): ∙ Continuity of Operations Plan (COOP)
Control Question: Does the organization obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats?
Weighting / NIST CSF Function / PPTDF and SCRM marks (as extracted): 5 x Protect x x
C|P-CMM 0: There is no evidence of a capability to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to obtain alternate telecommunications services from providers that are separated from primary service providers to reduce susceptibility to the same threats.
Business Continuity & Disaster Recovery | BCD-10.3 | Provider Contingency Plan
Control: Mechanisms exist to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.
Example solutions (repeated across the five solution columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
Control question: Does the organization contractually-require external service providers to have contingency plans that meet organizational contingency requirements?
Weighting: 5 | Function: Protect | x x
C|P-CMM0: There is no evidence of a capability to contractually-require external service providers to have contingency plans that meet organizational contingency requirements. (The source sheet says "telecommunications service providers" in the maturity cells; the control itself covers all external service providers, and the maturity text has been aligned to it.)
C|P-CMM1: N/A, since a structured process is required to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to contractually-require external service providers to have contingency plans that meet organizational contingency requirements.
Business Continuity & Disaster Recovery | BCD-10.4 | Alternate Communications Channels
Control: Mechanisms exist to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
Example solutions (repeated across the five solution columns): ∙ Continuity of Operations Plan (COOP)
Control question: Does the organization maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable?
Weighting: 5 | Function: Protect | x x x
C|P-CMM0: There is no evidence of a capability to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
C|P-CMM1: N/A, since a structured process is required to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain command and control capabilities via alternate communications channels and designating alternative decision makers if primary decision makers are unavailable.
Business Continuity & Disaster Recovery | BCD-11 | Data Backups
Control: Mechanisms exist to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Evidence request (ERL) IDs: E-BCM-10, E-BCM-11, E-BCM-12, E-BCM-13
Example solutions (repeated across the five solution columns): ∙ Disaster Recovery Plan (DRP) ∙ On-site data backup solution ∙ Off-site data backup service
Control question: Does the organization create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
Weighting: 10 | Function: Protect | x x x
C|P-CMM0: There is no evidence of a capability to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to create recurring backups of data, software and/or system images, as well as verify the integrity of these backups, to ensure the availability of the data to satisfy Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).

Business Continuity & Disaster Recovery | BCD-11.1 | Testing for Reliability & Integrity
Control: Mechanisms exist to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.
Evidence request (ERL) IDs: E-BCM-10
Example solutions (repeated across the five solution columns): ∙ Randomized data recovery testing
Control question: Does the organization routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data?
Weighting: 9 | Function: Recover | x x x
C|P-CMM0: There is no evidence of a capability to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to routinely test backups that verify the reliability of the backup process, as well as the integrity and availability of the data.

Business Continuity & Disaster Recovery | BCD-11.2 | Separate Storage for Critical Information
Control: Mechanisms exist to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
Evidence request (ERL) IDs: E-AST-08, E-BCM-11, E-BCM-12, E-BCM-13
Example solutions (repeated across the five solution columns): ∙ Disaster Recovery Plan (DRP) ∙ On-site data backup solution ∙ Off-site data backup service
Control question: Does the organization store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up?
Weighting: 8 | Function: Protect | x x
C|P-CMM0: There is no evidence of a capability to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to store backup copies of critical software and other security-related information in a separate facility or in a fire-rated container that is not collocated with the system being backed up.

Business Continuity & Disaster Recovery | BCD-11.3 | Information System Imaging
Control: Mechanisms exist to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.
Example solutions (Docker appears in three of the five solution columns, the others in all five): ∙ Virtual machines ∙ Acronis (https://acronis.com) ∙ Docker (https://docker.com)
Control question: Does the organization reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state?
Weighting: 8 | Function: Recover | x
C|P-CMM0: There is no evidence of a capability to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to reimage assets from configuration-controlled and integrity-protected images that represent a secure, operational state.

Business Continuity & Disaster Recovery | BCD-11.4 | Cryptographic Protection
Control: Cryptographic mechanisms exist to prevent the unauthorized disclosure and/or modification of backup information.
Example solutions (repeated across the five solution columns): ∙ Secure Baseline Configurations (SBC) ∙ Data-at-rest cryptography
Control question: Are cryptographic mechanisms utilized to prevent the unauthorized disclosure and/or modification of backup information?
Weighting: 9 | Function: Protect | x
C|P-CMM0: There is no evidence of a capability to use cryptographic mechanisms to prevent the unauthorized disclosure and/or modification of backup information.
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to use cryptographic mechanisms to prevent the unauthorized disclosure and/or modification of backup information.
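The integrity half of BCD-11 ("verify the integrity of these backups") and the anti-modification half of BCD-11.4 come down to one mechanism in practice: a digest of every backed-up object, recorded in a manifest that is itself sealed with a key kept away from the backup store, so that whoever can rewrite the backup cannot also rewrite the proof. The example below is added for this page and is not SCF code nor any of the products named above; the backup objects, file names and the 32-byte key are constructed for the demonstration, and a real deployment would hold the key in a KMS or HSM. It covers integrity only; the confidentiality ("disclosure") half of BCD-11.4 needs an authenticated cipher such as AES-GCM, which the Python standard library does not provide.

```python
"""Backup-manifest integrity check: hash every object in a backup set,
seal the manifest with an HMAC keyed from outside the backup store, and
verify both on restore. Added example for BCD-11 / BCD-11.4; not SCF code."""
import hashlib
import hmac
import json

MANIFEST_VERSION = 1


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the HMAC covers exactly what is verified.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_set: dict, key: bytes) -> dict:
    """Return {"body": {...}, "hmac": hex} for a backup set of name -> bytes."""
    objects = {name: hashlib.sha256(data).hexdigest()
               for name, data in backup_set.items()}
    body = {"version": MANIFEST_VERSION, "objects": objects}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def verify_manifest(manifest: dict, backup_set: dict, key: bytes) -> dict:
    """Verify a backup set against its manifest. Returns a report and never
    raises, so a restore job can log every finding before deciding to proceed."""
    body = manifest.get("body", {})
    expected_tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    # Constant-time compare. The tag is the one thing an attacker without the
    # key cannot recompute after editing both the data and its digests.
    authentic = hmac.compare_digest(expected_tag, manifest.get("hmac", ""))
    listed = body.get("objects", {})
    modified = sorted(n for n, d in listed.items()
                      if n in backup_set
                      and hashlib.sha256(backup_set[n]).hexdigest() != d)
    missing = sorted(n for n in listed if n not in backup_set)
    unexpected = sorted(n for n in backup_set if n not in listed)
    return {
        "manifest_authentic": authentic,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "ok": authentic and not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Run three scenarios on a constructed backup set and return the reports."""
    # Constructed sample data; a real backup set would be files or object keys.
    key = b"\x11" * 32  # constructed; keep the real key in a KMS/HSM, not with the backups
    backup = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
        "etc/app.yaml": b"listen: 0.0.0.0:8443\ntls: required\n",
        "images/web-01.img": bytes(range(256)) * 4,
    }
    manifest = build_manifest(backup, key)
    reports = {"clean": verify_manifest(manifest, backup, key)}

    # Scenario 2: an object is altered after the backup was taken.
    tampered = dict(backup)
    tampered["db/customers.sql"] = b"INSERT INTO customers VALUES (1, 'mallory');\n"
    reports["tampered_object"] = verify_manifest(manifest, tampered, key)

    # Scenario 3: the attacker also rewrites the digest in the manifest to match
    # the altered object, but cannot recompute the HMAC without the key.
    forged = json.loads(json.dumps(manifest))
    forged["body"]["objects"]["db/customers.sql"] = hashlib.sha256(
        tampered["db/customers.sql"]).hexdigest()
    reports["forged_manifest"] = verify_manifest(forged, tampered, key)
    return reports


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "OK" if report["ok"] else "FAIL", report)
```

The third scenario is the reason a plain digest list does not satisfy the control: with only SHA-256 values stored next to the backup, an attacker with write access to the backup store passes verification by updating both. Sealing the manifest with a key the backup store never sees turns that into a detectable failure, and `verify_manifest` reports the three failure classes (manifest not authentic, object modified, object missing or unexpected) separately so that BCD-11.1 test runs can record exactly what broke.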
Business Continuity & Disaster Recovery | BCD-11.5 | Test Restoration Using Sampling
Control: Mechanisms exist to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.
Evidence request (ERL) IDs: E-BCM-15
Example solutions (repeated across the five solution columns): ∙ Randomized data recovery testing
Control question: Does the organization utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing?
Weighting: 5 | Function: Protect | x
C|P-CMM0: There is no evidence of a capability to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.
C|P-CMM1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
  • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers. (any further criteria are cut off in this export)
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize sampling of available backups to test recovery capabilities as part of business continuity plan testing.

Business Continuity & Disaster Recovery | BCD-11.6 | Transfer to Alternate Storage Site
Control: Mechanisms exist to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Evidence request (ERL) IDs: E-BCM-12
Example solutions (repeated across the five solution columns): ∙ Continuity of Operations Plan (COOP) ∙ Recovery Time Objectives (RTOs) ∙ Recovery Point Objectives (RPOs)
Control question: Does the organization transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)?
Weighting: 5 | Function: Protect | x x
C|P-CMM0: There is no evidence of a capability to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
C|P-CMM1: N/A, since a structured process is required to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM (remainder cut off in this export)
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to transfer backup data to the alternate storage site at a rate that is capable of meeting both Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs).
Business Continuity & Disaster Recovery | BCD-11.7 | Redundant Secondary System
Control: Mechanisms exist to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
Example solutions (repeated across the five solution columns): ∙ Continuity of Operations Plan (COOP) ∙ Recovery Time Objectives (RTOs) ∙ Recovery Point Objectives (RPOs)
Control question: Does the organization maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations?
Weighting: 5 | Function: Protect | x x x
C|P-CMM0: There is no evidence of a capability to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
C|P-CMM1: N/A, since a structured process is required to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
C|P-CMM2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a failover system, which is not collocated with the primary system, application and/or service, which can be activated with little-to-no loss of information or disruption to operations.
Business Continuity & Disaster Recovery | BCD-11.8 | Dual Authorization For Backup Media Destruction
Control: Mechanisms exist to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
Example solutions (repeated across the five solution columns): ∙ Logical Access Control (LAC) ∙ Physical Access Control (PAC) ∙ Role Based Access Control (RBAC) ∙ Separation of Duties (SoD)
Control question: Does the organization implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data?
Weighting: 5 | Function: Protect | x
C|P-CMM0: There is no evidence of a capability to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
C|P-CMM1: N/A, since a structured process is required to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
C|P-CMM2: N/A, since a well-defined process is required to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement and enforce dual authorization for the deletion or destruction of sensitive backup media and data.
Business Continuity & Disaster Recovery | BCD-11.9 | Backup Access
Control: Mechanisms exist to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
Example solutions (repeated across the five solution columns): ∙ Logical Access Control (LAC) ∙ Physical Access Control (PAC)
Control question: Does the organization restrict access to backups to privileged users with assigned roles for data backup and recovery operations?
Weighting: 9 | Function: Protect | x x
C|P-CMM0: There is no evidence of a capability to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
C|P-CMM1: N/A, since a structured process is required to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
C|P-CMM2: N/A, since a well-defined process is required to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict access to backups to privileged users with assigned roles for data backup and recovery operations.
Business Continuity & Disaster Recovery | BCD-11.10 | Backup Modification and/or Destruction
Control: Mechanisms exist to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
Example solutions (repeated across the five solution columns): ∙ Logical Access Control (LAC) ∙ Physical Access Control (PAC)
Control question: Does the organization restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles?
Weighting: 9 | Function: Protect | x x
C|P-CMM0: There is no evidence of a capability to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
C|P-CMM1: N/A, since a structured process is required to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
C|P-CMM2: N/A, since a well-defined process is required to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
C|P-CMM3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: (criteria cut off in this export)
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict access to modify and/or delete backups to privileged users with assigned data backup and recovery operations roles.
BCD-12 | Information System Recovery & Reconstitution | SCF Domain: Business Continuity & Disaster Recovery | ERL #: E-BCM-15
Control description: Mechanisms exist to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.
Possible solutions & considerations: Virtual machines; Acronis (https://acronis.com); Docker (https://docker.com); CimTrak Integrity Suite (https://cimcor.com/cimtrak) (Medium Business and larger)
Control question: Does the organization ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure?
Relative weighting: 9; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure the secure recovery and reconstitution of systems to a known state after a disruption, compromise or failure.

BCD-12.1 | Transaction Recovery | SCF Domain: Business Continuity & Disaster Recovery
Control description: Mechanisms exist to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
Control question: Does the organization utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs)?
Relative weighting: 9; NIST CSF function: Recover; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize specialized backup mechanisms that will allow transaction recovery for transaction-based applications and services in accordance with Recovery Point Objectives (RPOs).
BCD-12.2 | Failover Capability | SCF Domain: Business Continuity & Disaster Recovery
Control description: Mechanisms exist to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.
Possible solutions & considerations (all business sizes): Load balancers; High Availability (HA) network appliances (e.g., firewalls, routers, switches, etc.)
Control question: Does the organization implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services?
Relative weighting: 8; NIST CSF function: Recover; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement real-time or near-real-time failover capability to maintain availability of critical systems, applications and/or services.

BCD-12.3 | Electronic Discovery (eDiscovery) | SCF Domain: Business Continuity & Disaster Recovery
Control description: Mechanisms exist to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.
Possible solutions & considerations: Microsoft Purview (all business sizes); OpenText (https://opentext.com) (Medium Business and larger)
Control question: Does the organization utilize electronic discovery (eDiscovery) that covers current and archived communication transactions?
Relative weighting: 8; NIST CSF function: Respond; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize electronic discovery (eDiscovery) that covers current and archived communication transactions.

BCD-12.4 | Restore Within Time Period | SCF Domain: Business Continuity & Disaster Recovery
Control description: Mechanisms exist to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
Possible solutions & considerations: Virtual machines; Acronis (https://acronis.com); Docker (https://docker.com); CimTrak Integrity Suite (https://cimcor.com/cimtrak) (Medium Business and larger)
Control question: Does the organization restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset?
Relative weighting: 5; NIST CSF function: Respond; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restore systems, applications and/or services within organization-defined restoration time-periods from configuration-controlled and integrity-protected information; representing a known, operational state for the asset.
BCD-13 | Backup & Restoration Hardware Protection | SCF Domain: Business Continuity & Disaster Recovery | ERL #: E-GOV-10, E-GOV-11
Control description: Mechanisms exist to protect backup and restoration hardware and software.
Possible solutions & considerations (all business sizes): Logical Access Control (LAC); Physical Access Control (PAC)
Control question: Does the organization protect backup and restoration hardware and software?
Relative weighting: 8; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x x
C|P-CMM 0: There is no evidence of a capability to protect backup and restoration hardware and software.
C|P-CMM 1: Business Continuity & Disaster Recovery (BCD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel work with business stakeholders to identify business-critical systems and services, including internal teams and third-party service providers.
C|P-CMM 2: Business Continuity & Disaster Recovery (BCD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 3: Business Continuity & Disaster Recovery (BCD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: Business Continuity & Disaster Recovery (BCD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, …

Additional controls (identifier, relative weighting and NIST CSF function only):
BCD-13.1: relative weighting 7; NIST CSF function: Govern; applicability marks (PPTDF/SCRM): x x
BCD-14: relative weighting 5; NIST CSF function: Recover; applicability marks (PPTDF/SCRM): x x x x
BCD-15 Reserve Hardware: relative weighting 7; NIST CSF function: Recover; applicability marks (PPTDF/SCRM): x x x
BCD-16: relative weighting 10; NIST CSF function: Respond; applicability marks (PPTDF/SCRM): x x x x
CAP-01 (ERL #: E-CAP-01): relative weighting 8; NIST CSF function: Govern; applicability marks (PPTDF/SCRM): x x
CAP-02 Resource Priority (ERL #: E-CAP-02): relative weighting 8; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x
CAP-03 Capacity Planning (ERL #: E-CAP-01): relative weighting 8; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
CAP-04 Performance Monitoring (ERL #: E-CAP-03): relative weighting 7; NIST CSF function: Detect; applicability marks (PPTDF/SCRM): x x x
CAP-05 Elastic Expansion (ERL #: E-CAP-04): relative weighting 5; NIST CSF function: Govern; applicability marks (PPTDF/SCRM): x x x




Secure Controls Framework (SCF) control listing, columns:
SCF Domain | SCF Control | SCF # | Evidence Request List (ERL) # | SCF Control Description
Possible Solutions & Considerations for five business sizes: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8), Enterprise (> 1,000 staff; BLS Firm Size Class 9)
SCF Control Question | Relative Weighting | PPTDF Applicability (People, Process, Technology, Data, Facility) | NIST CSF Function Grouping | SCRM Focus (Tier 1 Strategic, Tier 2 Operational, Tier 3 Tactical)
C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

CAP-06 | Regional Delivery | SCF Domain: Capacity & Performance Planning
Control description: Mechanisms exist to support operations that are geographically dispersed via regional delivery of technological services.
Control question: Does the organization support operations that are geographically dispersed via regional delivery of technological services?
Relative weighting: 1; NIST CSF function: Govern; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to support operations that are geographically dispersed via regional delivery of technological services.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to …
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to …
C|P-CMM 3: Capability & Performance Planning (CAP) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to …
CHG-01 | Change Management Program | SCF Domain: Change Management | ERL #: E-CHG-02
Control description: Mechanisms exist to facilitate the implementation of a change management program.
Possible solutions & considerations (all business sizes): VisibleOps (https://itpi.org); ITIL 4 (https://axelos.com)
Control question: Does the organization facilitate the implementation of a change management program?
Relative weighting: 10; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to facilitate the implementation of a change management program.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's …
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of a change management program.

CHG-02 | Configuration Change Control | SCF Domain: Change Management | ERL #: E-CHG-02
Control description: Mechanisms exist to govern the technical configuration change control processes.
Possible solutions & considerations (all business sizes): Change Control Board (CCB); Configuration Management Database (CMDB); VisibleOps (https://itpi.org); ITIL 4 (https://axelos.com)
Control question: Does the organization govern the technical configuration change control processes?
Relative weighting: 8; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to govern the technical configuration change control processes.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern the technical configuration change control processes.

CHG-02.1 | Prohibition Of Changes | SCF Domain: Change Management | ERL #: E-CHG-02
Control description: Mechanisms exist to prohibit unauthorized changes, unless organization-approved change requests are received.
Possible solutions & considerations: Role Based Access Control (RBAC) (all business sizes); Manual processes/workflows (Micro-Small and Small Business); Application whitelisting (all business sizes); CimTrak Integrity Suite (https://cimcor.com/cimtrak) (Medium Business and larger)
Control question: Does the organization prohibit unauthorized changes, unless organization-approved change requests are received?
Relative weighting: 10; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to prohibit unauthorized changes, unless organization-approved change requests are received.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prohibit unauthorized changes, unless organization-approved change requests are received.

CHG-02.2 | Test, Validate & Document Changes | SCF Domain: Change Management | ERL #: E-CHG-03
Control description: Mechanisms exist to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.
Possible solutions & considerations (all business sizes): Change Control Board (CCB); Configuration Management Database (CMDB); VisibleOps (https://itpi.org)
Control question: Does the organization appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment?
Relative weighting: 9; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to appropriately test and document proposed changes in a non-production environment before changes are implemented in a production environment.

CHG-02.3 | Cybersecurity & Data Privacy Representative for Asset Lifecycle Changes | SCF Domain: Change Management | ERL #: E-CHG-04
Control description: Mechanisms exist to include a cybersecurity and/or data privacy representative in the configuration change control review process.
Possible solutions & considerations (all business sizes): Change Control Board (CCB); VisibleOps (https://itpi.org)
Control question: Does the organization include a cybersecurity and/or data privacy representative in the configuration change control review process?
Relative weighting: 7; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to include a cybersecurity and/or data privacy representative in the configuration change control review process.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to include a cybersecurity and/or data privacy representative in the configuration change control review process.

CHG-02.4 | Automated Security Response | SCF Domain: Change Management
Control description: Automated mechanisms exist to implement remediation actions upon the detection of unauthorized baseline configurations change(s).
Possible solutions & considerations: CimTrak Integrity Suite (https://cimcor.com/cimtrak) (Medium Business and larger)
Control question: Does the organization use automated mechanisms to implement remediation actions upon the detection of unauthorized baseline configurations change(s)?
Relative weighting: 5; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to implement remediation actions upon the detection of unauthorized baseline configurations change(s).
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to implement remediation actions upon the detection of unauthorized baseline configurations change(s).
C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to implement remediation actions upon the detection of unauthorized baseline configurations change(s).
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement remediation actions upon the detection of unauthorized baseline configurations change(s).

CHG-02.5 | Cryptographic Management | SCF Domain: Change Management
Control description: Mechanisms exist to govern assets involved in providing cryptographic protections according to the organization's configuration management processes.
Control question: Does the organization govern assets involved in providing cryptographic protections according to its configuration management processes?
Relative weighting: 5; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x x
C|P-CMM 0: There is no evidence of a capability to govern assets involved in providing cryptographic protections according to its configuration management processes.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to govern assets involved in providing cryptographic protections according to its configuration management processes.
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to govern assets involved in providing cryptographic protections according to its configuration management processes.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern assets involved in providing cryptographic protections according to its configuration management processes.

CHG-03 | Security Impact Analysis | SCF Domain: Change Management | ERL #: E-CHG-04 (row continues in the next segment)
Control description: Mechanisms exist to analyze proposed changes for potential security impacts, prior to the implementation of the change.
Possible solutions & considerations (all business sizes): Change Control Board (CCB); VisibleOps (https://itpi.org)
Control question: Does the organization analyze proposed changes for potential security impacts, prior to the implementation of the change?
Relative weighting: 9; NIST CSF function: Protect; applicability marks (PPTDF/SCRM): x x
C|P-CMM 0: There is no evidence of a capability to analyze proposed changes for potential security impacts, prior to the implementation of the change.
C|P-CMM 1: Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
C|P-CMM 2: Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control …
C|P-CMM 3: Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control …
C|P-CMM 4: Change Management (CHG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to …
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to analyze proposed changes …
Management for Changes
• IT personnel use an informal process to: maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure for potential security impacts, prior to the
o Govern changes to systems, applications least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for implementation of the change.
and services to ensure their stability, reliability • Change management is decentralized • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3
Mechanisms exist to enforce configuration restrictions in an effort to restrict ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control Does the organization enforce configuration There is no evidence of a capability to enforce Change Management (CHG) efforts are ad hoc Change
and predictability. Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with Change Management (CHG) efforts are See C|P-CMM4. There are no defined C|P-
the ability of users to conduct unauthorized changes. (RBAC) (RBAC) (RBAC) (RBAC) (RBAC) restrictions in an effort to restrict the ability of users configuration restrictions in an effort to and inconsistent. CMM Level 1 control requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Change Access Restriction For E-HRS-13 to conduct unauthorized changes? restrict the ability of users to conduct maturity would reasonably expect all, or at local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, management insight (based on a quantitative assume a continuously-improving process is
CHG-04 8 x Protect x x unauthorized changes. least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to enforce configuration
Management Change E-IAM-02
• IT personnel use an informal process to: maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure restrictions in an effort to restrict the ability of
o Govern changes to systems, applications least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for users to conduct unauthorized changes.
and services to ensure their stability, reliability • Change management is decentralized • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3
Mechanisms exist to perform after-the-fact reviews of configuration change ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management ∙ Configuration Management Does the organization perform after-the-fact There is no evidence of a capability to perform C|P-CMM1 is N/A, since a structured process is C|P-CMM2
and predictability. is N/A, since a well-defined
(e.g., a localized/regionalized function)process
and Change Management
or similar (CHG)compliance
function, ensures efforts are with Change Management (CHG) efforts are See C|P-CMM4. There are no defined C|P-
logs to discover any unauthorized changes. Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) Database (CMDB) reviews of configuration change logs to discover after-the-fact reviews of configuration change required to perform after-the-fact reviews of is required
uses to perform after-the-fact
non-standardized reviews of standardized
methods to implement requirements across themanagement.
for asset organization and metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Change Automated Access ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite any unauthorized changes? logs to discover any unauthorized changes. configuration change logs to discover any configuration
secure, resilientchange logs to discover
and compliant any
practices. centrally managed, where technically feasible, management insight (based on a quantitative assume a continuously-improving process is
CHG-04.1 (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) 3 x Detect x unauthorized changes. unauthorized changes. to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to perform after-the-fact
Management Enforcement / Auditing
maturity would reasonably expect all, or at predict optimal performance, ensure reviews of configuration change logs to
least most, the following criteria to exist: continued operations and identify areas for discover any unauthorized changes.
• An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3
Mechanisms exist to prevent the installation of software and firmware Does the organization prevent the installation of There is no evidence of a capability to prevent C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Change Management
or similar (CHG)compliance
function, ensures efforts are with Change Management (CHG) efforts are See C|P-CMM4. There are no defined C|P-
components without verification that the component has been digitally software and firmware components without the installation of software and firmware required to prevent the installation of software is required to prevent the installation of standardized
requirements across themanagement.
for asset organization and metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Change signed using an organization-approved certificate authority. verification that the component has been digitally components without verification that the and firmware components without verification software and firmware components without centrally managed, where technically feasible, management insight (based on a quantitative assume a continuously-improving process is
Signed Components CHG-04.2 signed using an organization-approved certificate 3 x Protect x component has been digitally signed using an that the component has been digitally signed verification that the component has been to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to prevent the installation of
Management
authority? organization-approved certificate authority. using an organization-approved certificate digitally signed using an organization- maturity would reasonably expect all, or at predict optimal performance, ensure software and firmware components without
authority. approved certificate authority. least most, the following criteria to exist: continued operations and identify areas for verification that the component has been
• An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 digitally signed using an organization-
Mechanisms exist to enforce a two-person rule for implementing changes to ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) Does the organization enforce a two-person rule for There is no evidence of a capability to enforce C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
critical assets. ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) implementing changes to critical assets? a two-pers on rule for implementing changes required to enforce a two-pers on rule for is required to enforce a two-pers on rule for standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Dual Authorization for ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control to critical assets. implementing changes to critical assets. implementing changes to critical assets. centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-04.3 (RBAC) (RBAC) (RBAC) (RBAC) (RBAC) 6 x Protect x x to ensure consistency. CMM Level 3 control not necessary to enforce a two-pers on rule not necessary to enforce a two-pers on rule
Management Change
∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) maturity would reasonably expect all, or at for implementing changes to critical assets. for implementing changes to critical assets.
least most, the following criteria to exist:
• An IT Asset Management (ITAM) function,
Mechanisms exist to limit operational privileges for implementing changes. ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control Does the organization limit operational privileges There is no evidence of a capability to limit C|P-CMM1 is N/A, since a structured process is Change Management (CHG) efforts are Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
(RBAC) (RBAC) (RBAC) (RBAC) (RBAC) for implementing changes? operational privileges for implementing required to limit operational privileges for requirements-driven and governed at a standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Permissions To ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) changes. implementing changes. local/regional level, but are not consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-04.4 ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management 6 x Protect x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to limit operational privileges not necessary to limit operational privileges
Management Implement Changes
(PAM) (PAM) (PAM) (PAM) (PAM) maturity would reasonably expect all, or at maturity would reasonably expect all, or at for implementing changes. for implementing changes.
∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite least most, the following criteria to exist: least most, the following criteria to exist:
(https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) • Change management is decentralized • An IT Asset Management (ITAM) function,
Mechanisms exist to restrict software library privileges to those individuals ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control Does the organization restrict software library There is no evidence of a capability to restrict Change Management (CHG) efforts are ad hoc Change Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
with a pertinent business need for access. (RBAC) (RBAC) (RBAC) (RBAC) (RBAC) privileges to those individuals with a pertinent software library privileges to those individuals and inconsistent. CMM Level 1 control requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) business need for access? with a pertinent business need for access. maturity would reasonably expect all, or at local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Library Privileges CHG-04.5 ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management ∙ Privileged Account Management 8 x Protect x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to restrict software library not necessary to restrict software library
Management
(PAM) (PAM) (PAM) (PAM) (PAM) • IT personnel use an informal process to: maturity would reasonably expect all, or at maturity would reasonably expect all, or at privileges to those individuals with a pertinent privileges to those individuals with a pertinent
o Govern changes to systems, applications least most, the following criteria to exist: least most, the following criteria to exist: business need for access. business need for access.
and services to ensure their stability, reliability • Change management is decentralized • An IT Asset Management (ITAM) function,
Mechanisms exist to ensure stakeholders are made aware of and ∙ Change management ∙ Change management ∙ Change management ∙ Change management ∙ Change management Does the organization ensure stakeholders are There is no evidence of a capability to ensure Change Management (CHG) efforts are ad hoc Change
and predictability. Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
understand the impact of proposed changes. procedures procedures procedures procedures procedures made aware of and understand the impact of stakeholders are made aware of and and inconsistent. CMM Level 1 control requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Stakeholder Notification ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) proposed changes? understand the impact of proposed changes. maturity would reasonably expect all, or at local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-05 ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) 9 x Protect x x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure stakeholders are not necessary to ensure stakeholders are
Management of Changes
∙ ITIL 4 (https://axelos.com) ∙ ITIL 4 (https://axelos.com) ∙ ITIL 4 (https://axelos.com) ∙ ITIL 4 (https://axelos.com) ∙ ITIL 4 (https://axelos.com) • IT personnel use an informal process to: maturity would reasonably expect all, or at maturity would reasonably expect all, or at made aware of and understand the impact of made aware of and understand the impact of
o Govern changes to systems, applications least most, the following criteria to exist: least most, the following criteria to exist: proposed changes. proposed changes.
and services to ensure their stability, reliability • Change management is decentralized • An IT Asset Management (ITAM) function,
Mechanisms exist to verify the functionality of cybersecurity and/or data ∙ Information Assurance Program ∙ Information Assurance Program ∙ Information Assurance Program ∙ Information Assurance Program ∙ Information Assurance Program Does the organization verify the functionality of There is no evidence of a capability to verify Change Management (CHG) efforts are ad hoc Change
and predictability. Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
privacy controls following implemented changes to ensure applicable (IAP) (IAP) (IAP) (IAP) (IAP) cybersecurity and/or data privacy controls following the functionality of cybersecurity and/or data and inconsistent. CMM Level 1 control requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Control Functionality controls operate as designed. ∙ Control Validation Testing (CVT) ∙ Control Validation Testing (CVT) ∙ Control Validation Testing (CVT) ∙ Control Validation Testing (CVT) ∙ Control Validation Testing (CVT) implemented changes to ensure applicable controls privacy controls following implemented maturity would reasonably expect all, or at local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-06 / Security Test & Evaluation (STE) / Security Test & Evaluation (STE) / Security Test & Evaluation (STE) / Security Test & Evaluation (STE) / Security Test & Evaluation (STE) operate as designed? 9 x Protect x changes to ensure applicable controls operate least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to verify the functionality of not necessary to verify the functionality of
Management Verification
as designed. • IT personnel use an informal process to: maturity would reasonably expect all, or at maturity would reasonably expect all, or at cybersecurity and/or data privacy controls cybersecurity and/or data privacy controls
o Govern changes to systems, applications least most, the following criteria to exist: least most, the following criteria to exist: following implemented changes to ensure following implemented changes to ensure
and services to ensure their stability, reliability • Change management is decentralized • An IT Asset Management (ITAM) function, applicable controls operate as designed. applicable controls operate as designed.
Mechanisms exist to govern change management procedures for Does the organization govern change management Mechanisms exist to govern change C|P-CMM1 is N/A, since a structured process is Change
and predictability. Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
"emergency" changes. procedures for "emergency" changes? management procedures for "emergency" required to govern change management requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change changes. procedures for "emergency" changes. local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Emergency Changes CHG-07 9 x Protect x x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to govern change management not necessary to govern change management
Management
maturity would reasonably expect all, or at maturity would reasonably expect all, or at procedures for "emergency" changes. procedures for "emergency" changes.
least most, the following criteria to exist: least most, the following criteria to exist:
• Change management is decentralized • An IT Asset Management (ITAM) function,
Mechanisms exist to document the results of "emergency" changes, Does the organization document the results of Mechanisms exist to document the results of C|P-CMM1 is N/A, since a structured process is Change Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
including an explanation for why standard change management procedures "emergency" changes, including an explanation for "emergency" changes, including an required to document the results of requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Documenting Emergency could not be followed. why standard change management procedures explanation for why standard change "emergency" changes, including an local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-07.1 could not be followed? 7 x Protect x x management procedures could not be explanation for why standard change across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to document the results of not necessary to document the results of
Management Changes
followed. management procedures could not be maturity would reasonably expect all, or at maturity would reasonably expect all, or at "emergency" changes, including an "emergency" changes, including an
followed. least most, the following criteria to exist: least most, the following criteria to exist: explanation for why standard change explanation for why standard change
• Change management is decentralized • An IT Asset Management (ITAM) function, management procedures could not be management procedures could not be
Mechanisms exist to report the results of cybersecurity & data privacy ∙ Change management ∙ Change management ∙ Change management ∙ Change management ∙ Change management Does the organization report the results of There is no evidence of a capability to report C|P-CMM1 is N/A, since a structured process is Change Management (CHG) efforts
(e.g., a localized/regionalized are and
function) Change Management
or similar (CHG)compliance
function, ensures efforts are with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
function verification to appropriate organizational management. procedures procedures procedures procedures procedures cybersecurity & data privacy function verification to the results of cybersecurity & data privacy required to report the results of cybersecurity requirements-driven
uses non-standardized and governed
methods at a
to implement standardized
requirements across themanagement.
for asset organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Change Report Verification ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) ∙ Change Control Board (CCB) appropriate organizational management? function verification to appropriate & data privacy function verification to local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
CHG-06.1 ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) ∙ VisibleOps (https://itpi.org) 5 x Identify x organizational management. appropriate organizational management. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to report the results of not necessary to report the results of
Management Results
maturity would reasonably expect all, or at maturity would reasonably expect all, or at cybersecurity & data privacy function cybersecurity & data privacy function
least most, the following criteria to exist: least most, the following criteria to exist: verification to appropriate organizational verification to appropriate organizational
• Change management is decentralized • An IT Asset Management (ITAM) function, management. management.
Mechanisms exist to facilitate the implementation of cloud management ∙ SCF Integrated Controls ∙ SCF Integrated Controls ∙ SCF Integrated Controls ∙ SCF Integrated Controls ∙ SCF Integrated Controls Does the organization facilitate the implementation There is no evidence of a capability to Cloud Security (CLD) efforts are ad hoc and Cloud
(e.g., aSecurity (CLD) efforts are
localized/regionalized requirements-
function) and Cloud Security
or similar (CLD)
function, efforts compliance
ensures are standardized
with See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
controls to ensure cloud instances are secure and in-line with industry Management (ICM) model Management (ICM) model Management (ICM) model Management (ICM) model Management (ICM) model of cloud management controls to ensure cloud facilitate the implementation of cloud inconsistent. CMM Level 1 control maturity driven and governed atmethods
uses non-standardized a local/regional level, across
to implement the organization
requirements and centrally
for asset management. CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
practices. (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. (https://securecontrolsframework. instances are secure and in-line with industry management controls to ensure cloud would reasonably expect all, or at least most, but are not
secure, consistent
resilient across the
and compliant organization. managed, where technically feasible, to
practices. assume a quantitatively-controlled process is assume a continuously-improving process is
Cloud Security Cloud Services CLD-01 E-AST-06 com/integrated-controls- com/integrated-controls- com/integrated-controls- com/integrated-controls- com/integrated-controls- practices? 10 x Govern x x x instances are secure and in-line with industry the following criteria to exist: CMM Level 2 control maturity would ensure consistency. CMM Level 3 control not necessary to facilitate the implementation not necessary to facilitate the implementation
(Tail of the preceding Cloud Security row; only the cells below carry over in the extraction)
  Possible solutions & considerations: ... management) ∙ Data Protection Impact Assessment (DPIA)
  ... practices.
  C|P-CMM 1: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: ... reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: ... maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's ...
  C|P-CMM 4 and C|P-CMM 5: ... of cloud management controls to ensure cloud instances are secure and in-line with industry practices.

Cloud Security | CLD-01.1 | Cloud Infrastructure Onboarding
  Control description: Mechanisms exist to ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Change management procedures ∙ Change Control Board (CCB) ∙ VisibleOps (https://itpi.org)
  Control question: Does the organization ensure cloud services are designed and configured so systems, applications and processes are secured in accordance with applicable organizational standards, as well as statutory, regulatory and contractual obligations?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 9 x Protect x x

Cloud Security | CLD-01.2 | 9 x Protect x x
Cloud Security | CLD-02 | ERL # E-TDA-09 | 8 x Protect x
Cloud Security | CLD-03 | 6 x Protect x x
Cloud Security | CLD-04 | 9 x Protect x x
Cloud Security | CLD-05 | Virtual Machine Images | 8 x Protect x
Cloud Security | CLD-06 | 9 x Protect x x
Cloud Security | CLD-06.1 | ERL # E-CPL-03 | 8 x Identify x x x
Cloud Security | CLD-06.2 | 8 x Identify x

Licensed by Creative Commons Attribution-NoDerivatives 19 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings for the rows that follow:
  SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Evidence Request List (ERL) #
  Possible Solutions & Considerations, one column per business size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2) | Small Business (10-49 staff; BLS Firm Size Classes 3-4) | Medium Business (50-249 staff; BLS Firm Size Classes 5-6) | Large Business (250-999 staff; BLS Firm Size Classes 7-8) | Enterprise (> 1,000 staff; BLS Firm Size Class 9)
  SCF Control Question | Relative Control Weighting
  PPTDF Applicability: PEOPLE | PROCESS | TECHNOLOGY | DATA | FACILITY
  NIST CSF Function Grouping
  SCRM Focus: TIER 1 STRATEGIC | TIER 2 OPERATIONAL | TIER 3 TACTICAL
  C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

Cloud Security | CLD-06.3 | Multi-Tenant Forensics Capabilities
  Control description: Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 8 x Identify x
  C|P-CMM 0: There is no evidence of a capability to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt forensic investigations in the event of a suspected or confirmed security incident.
Cloud Security | CLD-06.4 | Multi-Tenant Incident Response Capabilities
  Control description: Mechanisms exist to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 8 x Identify x
  C|P-CMM 0: There is no evidence of a capability to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure Multi-Tenant Service Providers (MTSP) facilitate prompt response to suspected or confirmed security incidents and vulnerabilities, including timely notification to affected customers.
Cloud Security | CLD-07 | Data Handling & Portability
  Control description: Mechanisms exist to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 4 x Protect x
  C|P-CMM 0: There is no evidence of a capability to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
  C|P-CMM 1: Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure cloud providers use secure protocols for the import, export and management of data in cloud-based services.
Cloud Security | CLD-08 | Standardized Virtualization Formats
  Control description: Mechanisms exist to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 4 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
  C|P-CMM 1: Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure interoperability by requiring cloud providers to use industry-recognized formats and provide documentation of custom changes for review.
Cloud Security | CLD-09 | Geolocation Requirements for Processing, Storage and Service Locations
  Control description: Mechanisms exist to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.
  ERL #: E-AST-06, E-AST-23
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Data Protection Impact Assessment (DPIA) ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 10 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to control the location of cloud processing/storage based on business requirements that includes statutory, regulatory and contractual obligations.
  C|P-CMM 1: Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: Cloud Security (CLD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 ...
  C|P-CMM 5: Cloud Security (CLD) efforts are "world-class" capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
Cloud Security | CLD-10 | Sensitive Data In Public Cloud Providers
  Control description: Mechanisms exist to limit and manage the storage of sensitive/regulated data in public cloud providers.
  ERL #: E-AST-08
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Data Protection Impact Assessment (DPIA) ∙ Security and network architecture diagrams ∙ Data Flow Diagram (DFD) ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization limit and manage the storage of sensitive/regulated data in public cloud providers?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 6 x Protect x
  C|P-CMM 0: There is no evidence of a capability to limit and manage the storage of sensitive/regulated data in public cloud providers.
  C|P-CMM 1: Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: Cloud Security (CLD) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: Cloud Security (CLD) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 ...
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to limit and manage the storage of sensitive/regulated data in public cloud providers.
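CLD-09 and CLD-10 both reduce to the same operational question: for each storage resource, does its classification permit the provider and every region the data actually lands in? The following Python script is an added example, not part of the SCF or any vendor's tooling. The policy table, the region names and the inventory are constructed placeholders; the point it demonstrates is that provider-side replication targets must be evaluated as storage locations too, since a compliant primary region with cross-region replication into a forbidden one is still a residency failure.

```python
"""Data residency and public-cloud placement check (added example for SCF CLD-09 and CLD-10).

Walks a storage inventory and reports every resource whose primary region or
replica regions fall outside the regions permitted for its data classification
(CLD-09), and every classification that is not allowed in a public cloud at
all, or only under conditions such as customer-managed-key encryption (CLD-10).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class StorageResource:
    name: str
    provider: str                # "aws", "azure", "gcp" or "onprem" (placeholder labels)
    region: str                  # region holding the primary copy
    classification: str          # data classification label
    replicas: tuple = ()         # regions the provider replicates the data to
    cmk_encrypted: bool = False  # encrypted with a customer-managed key


# Hypothetical policy constructed for the example; None means no geographic restriction.
PERMITTED_REGIONS = {
    "gdpr-personal": {"eu-west-1", "eu-central-1"},
    "export-controlled": {"us-gov-west-1", "us-gov-east-1"},
    "internal": None,
    "public": None,
}
PUBLIC_CLOUD_PROVIDERS = {"aws", "azure", "gcp"}
# Classifications that may be stored with a public cloud provider at all (CLD-10).
PUBLIC_CLOUD_PERMITTED = {"public", "internal", "gdpr-personal"}
# Classifications that may sit in a public cloud only under customer-managed keys.
CMK_REQUIRED = {"gdpr-personal"}


def check_placement(resources, permitted=PERMITTED_REGIONS):
    """Return (resource name, reason) tuples for every policy violation found."""
    findings = []
    for res in resources:
        if res.classification not in permitted:
            findings.append((res.name, f"unknown classification '{res.classification}'"))
            continue  # the rest of the policy cannot be evaluated for an unknown label
        if res.provider in PUBLIC_CLOUD_PROVIDERS:
            if res.classification not in PUBLIC_CLOUD_PERMITTED:
                findings.append((res.name, f"'{res.classification}' data is not permitted in a public cloud"))
            elif res.classification in CMK_REQUIRED and not res.cmk_encrypted:
                findings.append((res.name, "public-cloud copy must be encrypted with a customer-managed key"))
        allowed = permitted[res.classification]
        if allowed is None:
            continue
        # Replicas count as storage locations: a compliant primary region with
        # replication into a forbidden region is still a residency failure.
        for location in (res.region, *res.replicas):
            if location not in allowed:
                findings.append((res.name, f"data stored in '{location}', outside permitted regions {sorted(allowed)}"))
    return findings


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    StorageResource("customer-db-backups", "aws", "eu-west-1", "gdpr-personal",
                    replicas=("us-east-1",), cmk_encrypted=True),
    StorageResource("hr-records", "aws", "eu-central-1", "gdpr-personal"),
    StorageResource("export-control-drawings", "azure", "us-gov-west-1", "export-controlled"),
    StorageResource("marketing-assets", "gcp", "us-central1", "public"),
    StorageResource("erp-archive", "onprem", "dc-frankfurt", "internal"),
    StorageResource("legacy-share", "onprem", "dc-frankfurt", "confidential"),
]


if __name__ == "__main__":
    for name, reason in check_placement(SAMPLE_INVENTORY):
        print(f"{name}: {reason}")
```

In practice the inventory would come from the providers' resource APIs and the classification from the data inventory that the DPIA and Data Flow Diagram feed; the check then runs as a scheduled control rather than a one-off audit.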
Cloud Security | CLD-11 | Cloud Access Security Broker (CASB)
  Control description: Mechanisms exist to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cloud Access Security Broker (CASB)
  Control question: Does the organization utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 7 x Protect x
  C|P-CMM 0: There is no evidence of a capability to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
  C|P-CMM 1: Cloud Security (CLD) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cloud-based technologies are governed no differently from on-premise network assets (e.g., cloud-based technology is viewed as an extension of the corporate network).
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize a Cloud Access Security Broker (CASB), or similar technology, to provide boundary protection and monitoring functions that both provide access to the cloud and protect the organization from misuse of cloud resources.
Cloud Security | CLD-12 | Side Channel Attack Prevention
  Control description: Mechanisms exist to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Secure Baseline Configurations (SBC)
  Control question: Does the organization prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 3 x Protect x
  C|P-CMM 0: There is no evidence of a capability to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prevent "side channel attacks" when using a Content Delivery Network (CDN) by restricting access to the origin server's IP address to the CDN and an authorized management network.
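As a worked check for CLD-12, the following Python script (an added example, not part of the SCF or any CDN vendor's tooling) audits a security-group style ingress ruleset for an origin server and flags any rule that would let traffic reach the origin without passing through the CDN. The CDN egress ranges, management network and rule lists are constructed placeholders using documentation address blocks; a real audit must fetch the CDN vendor's current published egress ranges, which change over time. The containment test is deliberately strict: a rule whose source merely overlaps a CDN range (a /16 containing the CDN's /24, for example) still admits non-CDN sources and is reported as a violation.

```python
"""Audit origin-server ingress rules for CDN lockdown (added example for SCF CLD-12).

An origin behind a CDN should accept web traffic only from the CDN's published
egress ranges, and management traffic only from an authorized management
network. Any other ingress path lets an attacker who discovers the origin's IP
bypass the CDN's filtering, rate limiting and WAF.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    source: str          # permitted source, as a CIDR
    port: int            # destination port on the origin
    proto: str = "tcp"


# Constructed placeholder ranges (documentation prefixes), not any real CDN's
# list. A real audit must fetch the vendor's current published egress ranges.
CDN_EGRESS = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:cd::/48"]
MGMT_NET = ["192.0.2.0/28"]

WEB_PORTS = (80, 443)
MGMT_PORTS = (22,)


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _fully_covered(src, allowed):
    """True only if every address in `src` lies inside a single allowed network.

    Partial overlap is not enough: a /16 that contains the CDN's /24 also
    admits the rest of that /16, so it is treated as a violation. The version
    check avoids comparing IPv4 and IPv6 networks, which ipaddress rejects.
    """
    return any(src.version == net.version and src.subnet_of(net) for net in allowed)


def audit_origin_ingress(rules, cdn_ranges=CDN_EGRESS, mgmt_ranges=MGMT_NET):
    """Return a list of (rule, reason) findings; an empty list means the origin is locked down."""
    cdn = _networks(cdn_ranges)
    mgmt = _networks(mgmt_ranges)
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule.source, strict=False)
        if rule.port in WEB_PORTS:
            if not _fully_covered(src, cdn):
                findings.append((rule, "web port reachable from a non-CDN source"))
        elif rule.port in MGMT_PORTS:
            if not _fully_covered(src, mgmt):
                findings.append((rule, "management port reachable from outside the management network"))
        else:
            findings.append((rule, "unexpected port exposed on the origin"))
    return findings


# Constructed rulesets: the weak "before" and the hardened "after".
WEAK_RULES = [
    IngressRule("0.0.0.0/0", 443),   # origin directly reachable by anyone
    IngressRule("0.0.0.0/0", 22),    # SSH open to the internet
]
HARDENED_RULES = [IngressRule(cidr, 443) for cidr in CDN_EGRESS] + [
    IngressRule(cidr, 22) for cidr in MGMT_NET
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit_origin_ingress(rules)
        print(f"{label}: {len(findings)} finding(s)")
        for rule, reason in findings:
            print(f"  {rule.proto}/{rule.port} from {rule.source}: {reason}")
```

Restricting the origin's listener to CDN ranges is necessary but not sufficient on its own: the CDN should also present a per-origin secret (a client certificate or a fixed header the origin validates) so that traffic from the CDN's shared egress on behalf of another tenant is rejected as well.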
Cloud Security | CLD-13 | Hosted Systems, Applications & Services
  Control description: Mechanisms exist to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Secure Baseline Configurations (SBC) ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 9 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to specify applicable cybersecurity & data protection controls that must be implemented on external systems, consistent with the contractual obligations established with the External Service Providers (ESP) owning, operating and/or maintaining external systems, applications and/or services.
Cloud Security | CLD-13.1 | Authorized Individuals For Hosted Systems, Applications & Services
  Control description: Mechanisms exist to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program ∙ Responsible, Accountable, Supporting, Consulted and Informed (RASCI) matrix
  Control question: Does the organization authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 9 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to authorize specified individuals to access External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services.
Cloud Security | CLD-13.2 | Sensitive/Regulated Data On Hosted Systems, Applications & Services
  Control description: Mechanisms exist to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 9 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to define formal processes to store, process and/or transmit sensitive/regulated data using External Service Providers (ESP) owned, operated and/or maintained external systems, applications and/or services, in accordance with all applicable statutory, regulatory and/or contractual obligations.
Cloud Security | CLD-14 | Prohibition On Unverified Hosted Systems, Applications & Services
  Control description: Mechanisms exist to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  Possible solutions & considerations (same entry for all five business-size columns): ∙ Cybersecurity Supply Chain Risk Management (C-SCRM) program
  Control question: Does the organization prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified?
  Weighting / PPTDF / NIST CSF function / SCRM focus, as marked: 8 x Protect x x
  C|P-CMM 0: There is no evidence of a capability to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  C|P-CMM 3: Cloud Security (CLD) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Roles and associated responsibilities for governing cloud instances, including provisioning, maintaining and deprovisioning, are formally assigned.
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prohibit access to, or usage of, hosted systems, applications and/or services until applicable cybersecurity & data protection control implementation is verified.
SCF Domain: Compliance
SCF Control: Statutory, Regulatory & Contractual Compliance
SCF #: CPL-01
Control Description: Mechanisms exist to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
Evidence Request List (ERL) #: E-CPL-01; E-GOV-10
Possible Solutions & Considerations (all five business-size classes):
∙ SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
SCF Control Question: Does the organization facilitate the identification and implementation of relevant statutory, regulatory and contractual controls?
Relative Control Weighting: 10
NIST CSF Function Grouping: Govern
C|P-CMM 0 (Not Performed): There is no evidence of a capability to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
C|P-CMM 1 (Performed Informally): Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the identification and implementation of relevant statutory, regulatory and contractual controls.

SCF Domain: Compliance
SCF Control: Non-Compliance Oversight
SCF #: CPL-01.1
Control Description: Mechanisms exist to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
Evidence Request List (ERL) #: E-CPL-05
Possible Solutions & Considerations (all five business-size classes):
∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, Galvanize, MetricStream, Archer, etc.)
SCF Control Question: Does the organization document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions?
Relative Control Weighting: 9
NIST CSF Function Grouping: Respond
C|P-CMM 0 (Not Performed): There is no evidence of a capability to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document and review instances of non-compliance with statutory, regulatory and/or contractual obligations to develop appropriate risk mitigation actions.
SCF Domain: Compliance
SCF Control: Compliance Scope
SCF #: CPL-01.2
Control Description: Mechanisms exist to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
Evidence Request List (ERL) #: E-AST-02; E-CPL-02; E-GOV-10
Possible Solutions & Considerations (all five business-size classes):
∙ Unified Scoping Guide (https://unified-scoping-guide.com)
SCF Control Question: Does the organization document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations?
Relative Control Weighting: 10
NIST CSF Function Grouping: Identify
C|P-CMM 0 (Not Performed): There is no evidence of a capability to document and validate the scope of cybersecurity & data privacy controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to document and validate the scope of cybersecurity & data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to document and validate the scope of cybersecurity & data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document and validate the scope of cybersecurity & data protection controls that are determined to meet statutory, regulatory and/or contractual compliance obligations.
SCF Domain: Compliance
SCF Control: Ability To Demonstrate Conformity
SCF #: CPL-01.3
Control Description: Mechanisms exist to ensure the organization is able to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
SCF Control Question: Does the organization ensure it is able to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations?
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to ensure the organization is able to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): Compliance (CPL) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
SCF Domain: Compliance
SCF Control: Conformity Assessment
SCF #: CPL-01.4
Control Description: Mechanisms exist to conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
SCF Control Question: Does the organization conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations?
Relative Control Weighting: 9
NIST CSF Function Grouping: Govern
C|P-CMM 0 (Not Performed): There is no evidence of a capability to conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conduct assessments to demonstrate conformity with applicable cybersecurity and data protection laws, regulations and/or contractual obligations.
SCF Domain: Compliance
SCF Control: Declaration of Conformity
SCF #: CPL-01.5
Control Description: Mechanisms exist to generate a declaration of conformity for each conformity assessment, where the document:
(1) Is concise;
(2) Unambiguously reflects the current status;
(3) Is physically or electronically signed; and
(4) Where possible, is machine readable.
SCF Control Question: Does the organization generate a declaration of conformity for each conformity assessment, where the document:
(1) Is concise;
(2) Unambiguously reflects the current status;
(3) Is physically or electronically signed; and
(4) Where possible, is machine readable?
Relative Control Weighting: 1
NIST CSF Function Grouping: Govern
C|P-CMM 0 (Not Performed): There is no evidence of a capability to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate a declaration of conformity for each conformity assessment, where the document: (1) Is concise; (2) Unambiguously reflects the current status; (3) Is physically or electronically signed; and (4) Where possible, is machine readable.
SCF Domain: Compliance
SCF Control: Cybersecurity & Data Protection Controls Oversight
SCF #: CPL-02
Control Description: Mechanisms exist to provide a cybersecurity & data protection controls oversight function that reports to the organization's executive leadership.
Evidence Request List (ERL) #: E-CPL-07; E-CPL-09; E-GOV-04; E-GOV-05; E-GOV-06; E-GOV-13; E-RSK-03
Possible Solutions & Considerations:
∙ SCF Integrated Controls Management (ICM) model (https://securecontrolsframework.com/integrated-controls-management)
∙ Governance, Risk and Compliance (GRC) solution (e.g., SCFConnect, SureCloud, Ostendio, SimpleRisk, Ignyte, ZenGRC, …)
Relative Control Weighting: 10
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF Control: Internal Audit Function
SCF #: CPL-02.1
Possible Solutions & Considerations (all five business-size classes):
∙ Internal audit program
Relative Control Weighting: 5
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF Control: Periodic Audits
SCF #: CPL-02.2
Relative Control Weighting: 8
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF Control: Corrective Action
SCF #: CPL-02.3
Relative Control Weighting: 7
NIST CSF Function Grouping: Govern

SCF Domain: Compliance
SCF #: CPL-03
Relative Control Weighting: 10
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF Control: Independent Assessors
SCF #: CPL-03.1
Evidence Request List (ERL) #: E-CPL-07
Relative Control Weighting: 6
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF #: CPL-03.2
Evidence Request List (ERL) #: E-CPL-08
Relative Control Weighting: 8
NIST CSF Function Grouping: Detect

SCF Domain: Compliance
SCF Control: Assessor Access
SCF #: CPL-03.3
Relative Control Weighting: 7
NIST CSF Function Grouping: Govern

SCF Domain: Compliance
SCF Control: Audit Activities
SCF #: CPL-04
Possible Solutions & Considerations (all five business-size classes):
∙ Internal audit program
Relative Control Weighting: 5
NIST CSF Function Grouping: Identify

SCF Domain: Compliance
SCF #: CPL-05
Possible Solutions & Considerations (all five business-size classes):
∙ Legal review
Relative Control Weighting: 2
NIST CSF Function Grouping: Respond

SCF Domain: Compliance
SCF #: CPL-05.1
Relative Control Weighting: 2
NIST CSF Function Grouping: Respond

SCF Domain: Compliance
SCF #: CPL-05.2
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect
Licensed by Creative Commons Attribution-NoDerivatives    20 of 196

version 2025.2    Secure Controls Framework (SCF)    07/23/2025

Table columns:
SCF Domain
SCF Control
SCF #
Secure Controls Framework (SCF) Control Description
Evidence Request List (ERL) #
Possible Solutions & Considerations, by business size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2); Small Business (10-49 staff; BLS Firm Size Classes 3-4); Medium Business (50-249 staff; BLS Firm Size Classes 5-6); Large Business (250-999 staff; BLS Firm Size Classes 7-8); Enterprise (>1,000 staff; BLS Firm Size Class 9)
SCF Control Question
Relative Control Weighting
NIST CSF Function Grouping
PPTDF Applicability: People; Process; Technology; Data; Facility
SCRM Focus: Tier 1 (Strategic); Tier 2 (Operational); Tier 3 (Tactical)
C|P-CMM 0: Not Performed
C|P-CMM 1: Performed Informally
C|P-CMM 2: Planned & Tracked
C|P-CMM 3: Well Defined
C|P-CMM 4: Quantitatively Controlled
C|P-CMM 5: Continuously Improving
SCF Domain: Compliance
SCF Control: Government Surveillance
SCF #: CPL-06
Control Description: Mechanisms exist to constrain the host government from having unrestricted and non-monitored access to the organization's systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
Possible Solutions & Considerations:
∙ Legal review
∙ Least functionality enforcement
∙ Legal privilege enforcement
∙ Board of Directors (BoD) review (listed for three of the five business-size classes)
SCF Control Question: Does the organization constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations?
Relative Control Weighting: 10
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to constrain the host government from having unrestricted and non-monitored access to its systems, applications and services that could potentially violate other applicable statutory, regulatory and/or contractual obligations.
SCF Domain: Compliance
SCF Control: Grievances
SCF #: CPL-07
Control Description: Mechanisms exist to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.
SCF Control Question: Does the organization govern the intake, analysis, assignment and remediation of grievances related to its cybersecurity and/or data protection practices?
Relative Control Weighting: 5
NIST CSF Function Grouping: Respond
C|P-CMM 0 (Not Performed): There is no evidence of a capability to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.
C|P-CMM 1 (Performed Informally): Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to govern the intake and analysis of grievances related to the organization's cybersecurity and/or data protection practices.
SCF Domain: Compliance
SCF Control: Grievance Response
SCF #: CPL-07.1
Control Description: Mechanisms exist to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.
SCF Control Question: Does the organization respond to legitimate grievances related to its cybersecurity and/or data protection practices?
Relative Control Weighting: 5
NIST CSF Function Grouping: Respond
C|P-CMM 0 (Not Performed): There is no evidence of a capability to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.
C|P-CMM 1 (Performed Informally): Compliance (CPL) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• IT personnel use an informal process to govern statutory, regulatory and contractual compliance obligations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to respond to legitimate grievances related to the organization's cybersecurity and/or data protection practices.
SCF Domain: Compliance
SCF Control: Localized Representation
SCF #: CPL-08
Control Description: Mechanisms exist to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.
SCF Control Question: Does the organization appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations?
Relative Control Weighting: 2
NIST CSF Function Grouping: Govern
C|P-CMM 0 (Not Performed): There is no evidence of a capability to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to appoint localized representation with a physical presence in localities, as required by applicable laws and/or regulations.
SCF Domain: Compliance
SCF Control: Representative Powers
SCF #: CPL-08.1
Control Description: Mechanisms exist to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.
SCF Control Question: Does the organization contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters?
Relative Control Weighting: 2
NIST CSF Function Grouping: Govern
C|P-CMM 0 (Not Performed): There is no evidence of a capability to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.
C|P-CMM 2 (Planned & Tracked): Compliance (CPL) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Compliance activities are decentralized (e.g., a localized/regionalized function) and use non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Compliance (CPL) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, provides governance oversight for the implementation of applicable statutory, regulatory and …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to contract localized representation to perform specified functions in regard to representing statutory and/or regulatory compliance matters.
Configuration Management | Configuration Management Program | CFG-01
  Control: Mechanisms exist to facilitate the implementation of configuration management controls.
  Potential solutions (identical in all five source columns): ∙ Configuration Management (CM) program ∙ Change control program
  Evidence Request List (ERL): E-AST-01
  Control question: Does the organization facilitate the implementation of configuration management controls?
  Weight: 9; Function: Govern (source column marks: x | x x x)
  C|P-CMM0: There is no evidence of a capability to facilitate the implementation of configuration management controls.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's …
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Assignment of Responsibility | CFG-01.1
  Control: Mechanisms exist to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
  Potential solutions (identical in all five source columns): ∙ Role Based Access Control (RBAC) ∙ Separation of Duties (SoD)
  Control question: Does the organization implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties?
  Weight: 5; Function: Identify (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement a segregation of duties for configuration management that prevents developers from performing production configuration management duties.
Configuration Management | System Hardening Through Baseline Configurations | CFG-02
  Control: Mechanisms exist to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
  Potential solutions (identical in all five source columns): ∙ Secure Baseline Configurations (SBC) ∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) ∙ Center for Internet Security (CIS) Benchmarks
  Evidence Request List (ERL): E-AST-12, E-AST-13, E-AST-14, E-AST-15, E-AST-16, E-AST-17, E-AST-18, E-AST-19, E-AST-20, E-AST-21
  Control question: Does the organization develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards?
  Weight: 10; Function: Protect (source column marks: x | x x x)
  C|P-CMM0: There is no evidence of a capability to develop, document and maintain secure baseline configurations for technology platforms that are consistent with industry-accepted system hardening standards.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Reviews & Updates | CFG-02.1
  Control: Mechanisms exist to review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades.
  Potential solutions (identical in all five source columns): ∙ Configuration Management (CM) program ∙ Change control program
  Evidence Request List (ERL): E-AST-12
  Control question: Does the organization review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades?
  Weight: 8; Function: Detect (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to review and update baseline configurations: (1) At least annually; (2) When required due to so; or (3) As part of system component installations and upgrades.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Automated Central Management & Verification | CFG-02.2
  Control: Automated mechanisms exist to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies.
  Potential solutions (five source columns): column 1: ∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com) ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com); columns 2 and 3: ∙ ManageEngine Vulnerability Manager Plus (https://manageengine.com); columns 4 and 5: ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com)
  Control question: Does the organization use automated mechanisms to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies?
  Weight: 7; Function: Detect (source column marks: x)
  C|P-CMM0: There is no evidence of an automated capability to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to govern and report on baseline configurations of systems through Continuous Diagnostics and Mitigation (CDM), or similar technologies.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Retention Of Previous Configurations | CFG-02.3
  Control: Mechanisms exist to retain previous versions of baseline configuration to support roll back.
  Control question: Does the organization retain previous versions of baseline configuration to support roll back?
  Weight: 3; Function: Identify (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to retain previous versions of baseline configuration to support roll back.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to retain previous versions of baseline configuration to support roll back.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to retain previous versions of baseline configuration to support roll back.
Configuration Management | Development & Test Environment Configurations | CFG-02.4
  Control: Mechanisms exist to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.
  Control question: Does the organization manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes?
  Weight: 5; Function: Protect (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to manage baseline configurations for development and test environments separately from operational baseline configurations to minimize the risk of unintentional changes.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Configure Systems, Components or Services for High-Risk Areas | CFG-02.5
  Control: Mechanisms exist to configure systems utilized in high-risk areas with more restrictive baseline configurations.
  Potential solutions (identical in all five source columns): ∙ Secure Baseline Configurations (SBC) ∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) ∙ Center for Internet Security (CIS) Benchmarks
  Evidence Request List (ERL): E-AST-12, E-AST-13, E-AST-14, E-AST-15, E-AST-16, E-AST-17, E-AST-18, E-AST-19, E-AST-20, E-AST-21
  Control question: Does the organization configure systems utilized in high-risk areas with more restrictive baseline configurations?
  Weight: 8; Function: Protect (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to configure systems utilized in high-risk areas with more restrictive baseline configurations.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Network Device Configuration File Synchronization | CFG-02.6
  Control: Mechanisms exist to configure network devices to synchronize startup and running configuration files.
  Control question: Does the organization configure network devices to synchronize startup and running configuration files?
  Weight: 7; Function: Protect (source column marks: x)
  C|P-CMM0: There is no evidence of a capability to configure network devices to synchronize startup and running configuration files.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to configure network devices to synchronize startup and running configuration files.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure network devices to synchronize startup and running configuration files.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure network devices to synchronize startup and running configuration files.
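Why CFG-02.6 matters in practice, as an added worked example that is not part of the SCF: on a router or switch the running configuration lives in memory and the startup configuration is what the device boots from, so a hardening change that was never written back is silently undone at the next reload, and a change an intruder makes only to the running configuration leaves no trace in the saved file. The Python below compares two constructed IOS-style configuration dumps for a hypothetical device named edge-rtr-01 (neither snippet was captured from real hardware), strips the volatile header lines that always differ between the two files, and reports every line that exists in only one of them.

```python
"""Startup vs running configuration check for a network device (CFG-02.6).

Added example, not SCF material: the two IOS-style configuration dumps below are
constructed for a hypothetical device edge-rtr-01 and were not captured from real
hardware.
"""
import re

STARTUP_CONFIG = """\
Using 1853 out of 262144 bytes
!
! Last configuration change at 09:12:44 UTC Mon Jun 2 2025 by netadmin
!
version 15.2
hostname edge-rtr-01
ntp server 192.0.2.10
!
line vty 0 4
 transport input ssh
!
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 1911 bytes
!
! Last configuration change at 14:03:10 UTC Tue Jun 3 2025 by netadmin
!
version 15.2
hostname edge-rtr-01
ntp server 192.0.2.10
!
line vty 0 4
 transport input ssh telnet
!
snmp-server community public RO
!
end
"""

# Header lines that legitimately differ between the saved and the live copy.
VOLATILE = [
    re.compile(r"^Using \d+ out of \d+ bytes$"),
    re.compile(r"^Building configuration\.\.\.$"),
    re.compile(r"^Current configuration : \d+ bytes$"),
    re.compile(r"^! (Last configuration change|No configuration change|NVRAM config last updated)"),
]


def normalise(text):
    """Keep only meaningful configuration lines, with their indentation intact."""
    kept = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or any(p.match(line) for p in VOLATILE):
            continue
        kept.append(line)
    return kept


def compare(startup, running):
    """Lines only in the running config vanish at the next reload; lines only in
    the startup config silently come back. Either one means the files are not in sync."""
    saved, live = normalise(startup), normalise(running)
    running_only = [l for l in live if l not in saved]
    startup_only = [l for l in saved if l not in live]
    return {"in_sync": not running_only and not startup_only,
            "running_only": running_only, "startup_only": startup_only}


if __name__ == "__main__":
    report = compare(STARTUP_CONFIG, RUNNING_CONFIG)
    print("in sync" if report["in_sync"] else "OUT OF SYNC")
    for kind in ("running_only", "startup_only"):
        for line in report[kind]:
            print(f"  {kind}: {line}")
```

In the constructed data the live device has telnet enabled on the VTY lines and an SNMP read-only community that the saved file knows nothing about; both disappear at reload, which is exactly why the two files are compared rather than only the running one being audited. The volatile-line list is the part a practitioner tunes per platform; anything not matched by it is treated as real configuration.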
Configuration Management | Approved Configuration Deviations | CFG-02.7
  Control: Mechanisms exist to document, assess risk and approve or deny deviations to standardized configurations.
  Potential solutions (five source columns): column 1: ∙ Manual exception management process ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com); columns 2 and 3: ∙ Manual exception management process; columns 4 and 5: ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com)
  Control question: Does the organization document, assess risk and approve or deny deviations to standardized configurations?
  Weight: 9; Function: Protect (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to document, assess risk and approve or deny deviations to standardized configurations.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Respond To Unauthorized Changes | CFG-02.8
  Control: Mechanisms exist to respond to unauthorized changes to configuration settings as security incidents.
  Potential solutions (five source columns): columns 1 to 3: ∙ Incident Response Plan (IRP) ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak); columns 4 and 5: ∙ Incident Response Plan (IRP)
  Control question: Does the organization respond to unauthorized changes to configuration settings as security incidents?
  Weight: 9; Function: Respond (source column marks: x)
  C|P-CMM0: There is no evidence of a capability to respond to unauthorized changes to configuration settings as security incidents.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to respond to unauthorized changes to configuration settings as security incidents.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
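CFG-02.2, CFG-02.3, CFG-02.7 and CFG-02.8 describe one workflow: compare each system against its secure baseline, separate documented and approved deviations from everything else, treat the remainder as security incidents rather than as ordinary tickets, and keep earlier baseline versions so a bad baseline can be rolled back. The Python below is an added example that is not SCF material and not any vendor's code; the baseline settings, host names web01 and db01, the observed values, the change ticket CHG-1042 and the dates are all constructed for illustration, and the setting names only imitate the style of a CIS Benchmark.

```python
"""Baseline drift check covering CFG-02.2, CFG-02.3, CFG-02.7 and CFG-02.8.

Added example, not SCF material: the baselines, hostnames, observed settings,
ticket CHG-1042 and the dates are constructed for illustration. Setting names
imitate the style of a CIS Benchmark but are not quoted from one.
"""
from __future__ import annotations

import copy
from dataclasses import dataclass
from datetime import date

# Two constructed baseline versions; v2 tightens SSH.
BASELINE_V1 = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "yes",
               "auditd.enabled": "yes"}
BASELINE_V2 = {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "sshd.Protocol": "2", "auditd.enabled": "yes"}

TODAY = date(2025, 6, 1)          # constructed assessment date
AFTER_EXPIRY = date(2026, 1, 15)  # a date past the deviation's expiry


@dataclass(frozen=True)
class Deviation:
    """A documented, risk-assessed deviation (CFG-02.7); it expires."""
    host: str
    setting: str
    value: str
    ticket: str
    expires: date


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: str
    status: str  # "approved_deviation" or "unauthorized_change"


class BaselineStore:
    """Retains every published baseline version so one can be rolled back (CFG-02.3)."""

    def __init__(self) -> None:
        self._versions: list[dict[str, str]] = []

    def publish(self, baseline: dict[str, str]) -> int:
        self._versions.append(copy.deepcopy(baseline))
        return len(self._versions)  # 1-based version number

    def current(self) -> dict[str, str]:
        return self._versions[-1]

    def roll_back(self) -> dict[str, str]:
        if len(self._versions) < 2:
            raise RuntimeError("no previous baseline version retained")
        self._versions.pop()
        return self.current()


def is_approved(d: Deviation, host: str, setting: str, actual: str, today: date) -> bool:
    """A deviation covers only the exact host, setting and value, and only until it expires."""
    return d.host == host and d.setting == setting and d.value == actual and d.expires >= today


def check_host(host: str, observed: dict[str, str], baseline: dict[str, str],
               deviations: list[Deviation], today: date) -> list[Finding]:
    """Every baseline setting is compared; a setting missing from the observation is drift."""
    findings = []
    for setting, expected in baseline.items():
        actual = observed.get(setting, "<missing>")
        if actual == expected:
            continue
        approved = any(is_approved(d, host, setting, actual, today) for d in deviations)
        findings.append(Finding(host, setting, expected, actual,
                                "approved_deviation" if approved else "unauthorized_change"))
    return findings


def incidents(findings: list[Finding]) -> list[Finding]:
    """CFG-02.8: an unapproved deviation is handled as a security incident."""
    return [f for f in findings if f.status == "unauthorized_change"]


# Constructed observations from two hosts and one approved deviation.
OBSERVED = {
    "web01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "yes",
              "sshd.Protocol": "2", "auditd.enabled": "yes"},
    "db01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
             "sshd.Protocol": "2"},  # auditd setting absent from the observation
}
DEVIATIONS = [Deviation("web01", "sshd.PasswordAuthentication", "yes", "CHG-1042", date(2025, 12, 31))]


def run(today: date = TODAY) -> dict[str, list[Finding]]:
    """Publish both baselines, assess every host against the current one and
    return, per host, the findings that must open an incident."""
    store = BaselineStore()
    store.publish(BASELINE_V1)
    store.publish(BASELINE_V2)
    baseline = store.current()
    return {h: incidents(check_host(h, obs, baseline, DEVIATIONS, today))
            for h, obs in OBSERVED.items()}


if __name__ == "__main__":
    for host, inc in run().items():
        for f in inc:
            print(f"INCIDENT {host}: {f.setting} expected {f.expected!r}, found {f.actual!r}")
```

Two details carry the security point. A setting that the collector could not observe is reported as drift rather than silently passed, because an absent audit setting is indistinguishable from a disabled one. And an approved deviation is keyed to host, setting, value and expiry together, so the same value on another host, or the same host after the ticket lapses, is an incident again; the `AFTER_EXPIRY` run shows the second case.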
Configuration Management | Baseline Tailoring | CFG-02.9
  Control: Mechanisms exist to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success.
  Potential solutions (identical in all five source columns): ∙ Secure Baseline Configurations (SBC) ∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) ∙ Center for Internet Security (CIS) Benchmarks
  Control question: Does the organization allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success?
  Weight: 9; Function: Protect (source column marks: x | x x)
  C|P-CMM0: There is no evidence of a capability to allow baseline controls to be specialized or customized by applying a defined set of tailoring actions that are specific to: (1) Mission / business functions; (2) Operational environment; (3) Specific threats or vulnerabilities; or (4) Other conditions or situations that could affect mission / business success.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
Configuration Management | Least Functionality | CFG-03
  Control: Mechanisms exist to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
  Potential solutions (identical in all five source columns): ∙ Secure Baseline Configurations (SBC) ∙ Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs) ∙ Center for Internet Security (CIS) Benchmarks
  Evidence Request List (ERL): E-AST-12, E-AST-13, E-AST-14, E-AST-15, E-AST-16, E-AST-17, E-AST-18, E-AST-19, E-AST-20, E-AST-21
  Control question: Does the organization configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services?
  Weight: 10; Function: Protect (source column marks: x)
  C|P-CMM0: There is no evidence of a capability to configure systems to provide only essential capabilities by specifically prohibiting or restricting the use of ports, protocols, and/or services.
  C|P-CMM1: Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
  C|P-CMM2: Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  C|P-CMM3: Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
    • The configuration management function is formally assigned with defined roles and responsibilities.
  C|P-CMM4: Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
  C|P-CMM5: Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF Domain: Configuration Management
SCF Control: Periodic Review
SCF #: CFG-03.1
Control Description: Mechanisms exist to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
Evidence Request List (ERL) #: E-AST-21
Possible Solutions & Considerations (all business sizes):
∙ Configuration Management (CM) program
∙ Change control program
SCF Control Question: Does the organization periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to periodically review system configurations to identify and disable unnecessary and/or non-secure functions, ports, protocols and services.
C|P-CMM 1 (Performed Informally): Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to design, build and maintain secure configurations for test, development, staging and production environments.
C|P-CMM 2 (Planned & Tracked): Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The configuration management function is formally assigned with defined roles and responsibilities.
C|P-CMM 4 (Quantitatively Controlled): Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 […]
C|P-CMM 5 (Continuously Improving): Configuration Management (CFG) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: […]
SCF Domain: Configuration Management
SCF Control: Prevent Unauthorized Software Execution
SCF #: CFG-03.2
Control Description: Mechanisms exist to configure systems to prevent the execution of unauthorized software programs.
Evidence Request List (ERL) #: E-AST-20, E-AST-21
Possible Solutions & Considerations:
∙ Whitelisting / blacklisting applications (all business sizes)
∙ Microsoft Windows Defender Application Control (WDAC) (all business sizes)
∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) (listed for three of the five business-size columns)
SCF Control Question: Does the organization configure systems to prevent the execution of unauthorized software programs?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 7 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to configure systems to prevent the execution of unauthorized software programs.
C|P-CMM 1 (Performed Informally): Configuration Management (CFG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • IT personnel use an informal process to de[…]
C|P-CMM 2 (Planned & Tracked): Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The configuration management function is formally assigned with defined roles and responsibilities.
(C|P-CMM 4 and 5 cells for this row are not present in the extracted text.)

Control rows for which only the SCF #, control name (where present), weighting, NIST CSF function and applicability marks survived extraction (descriptions, questions and CMM cells are not present in the extracted text):
CFG-03.3: 5 x Protect x x
CFG-03.4 (Split Tunneling): 8 x Protect x
CFG-04: 9 x Protect x x
CFG-04.1 (Open Source Software): 9 x Protect x x
CFG-04.2: 7 x Protect x x
CFG-05 (User-Installed Software): 10 x Protect x x x
CFG-05.1: 8 x Detect x
CFG-05.2: 9 x Protect x
CFG-06: 7 x Protect x x
CFG-06.1: 3 x Protect x

Licensed by Creative Commons Attribution-NoDerivatives 21 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings of the control table (repeated on each page of the source):
SCF Domain
SCF Control
SCF #
Secure Controls Framework (SCF) Control Description
Evidence Request List (ERL) #
Possible Solutions & Considerations, one column per business size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8), Enterprise (>1,000 staff; BLS Firm Size Class 9)
SCF Control Question
Relative Control Weighting
NIST CSF Function Grouping
PPTDF Applicability: People, Process, Technology, Data, Facility
SCRM Focus: Tier 1 (Strategic), Tier 2 (Operational), Tier 3 (Tactical)
C|P-CMM 0: Not Performed
C|P-CMM 1: Performed Informally
C|P-CMM 2: Planned & Tracked
C|P-CMM 3: Well Defined
C|P-CMM 4: Quantitatively Controlled
C|P-CMM 5: Continuously Improving

SCF Domain: Configuration Management
SCF Control: Zero-Touch Provisioning (ZTP)
SCF #: CFG-07
Control Description: Mechanisms exist to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
Possible Solutions & Considerations (all business sizes):
∙ Secure Baseline Configurations (SBC)
SCF Control Question: Does the organization implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
C|P-CMM 3 (Well Defined): Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The configuration management function is formally assigned with defined roles and responsibilities.
C|P-CMM 4 (Quantitatively Controlled): Configuration Management (CFG) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 […]
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement Zero-Touch Provisioning (ZTP), or similar technology, to automatically and securely configure devices upon being added to a network.
SCF Domain: Configuration Management
SCF Control: Sensitive / Regulated Data Access Enforcement
SCF #: CFG-08
Control Description: Mechanisms exist to configure systems, applications and processes to restrict access to sensitive/regulated data.
Evidence Request List (ERL) #: E-DCH-08
Possible Solutions & Considerations (all business sizes):
∙ Secure Baseline Configurations (SBC)
SCF Control Question: Does the organization configure systems, applications and processes to restrict access to sensitive/regulated data?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 7 x Protect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to configure systems, applications and processes to restrict access to sensitive/regulated data.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to configure systems, applications and processes to restrict access to sensitive/regulated data.
C|P-CMM 2 (Planned & Tracked): Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The configuration management function is formally assigned with defined roles and responsibilities.
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure systems, applications and processes to restrict access to sensitive/regulated data.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure systems, applications and processes to restrict access to sensitive/regulated data.
SCF Domain: Configuration Management
SCF Control: Sensitive / Regulated Data Actions
SCF #: CFG-08.1
Control Description: Automated mechanisms exist to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
Possible Solutions & Considerations:
∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) (listed for three of the five business-size columns)
SCF Control Question: Does the organization use automated mechanisms to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 7 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
C|P-CMM 2 (Planned & Tracked): Configuration Management (CFG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Configuration management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Configuration Management (CFG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The configuration management function is formally assigned with defined roles and responsibilities.
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate event logs whenever sensitive/regulated data is collected, created, updated, deleted and/or archived.
SCF Domain: Continuous Monitoring
SCF Control: Continuous Monitoring
SCF #: MON-01
Control Description: Mechanisms exist to facilitate the implementation of enterprise-wide monitoring controls.
Evidence Request List (ERL) #: E-MON-01, E-MON-06, E-MON-07
Possible Solutions & Considerations:
∙ Centralized event logging (all business sizes)
∙ Managed Security Services Provider (MSSP) (all business sizes)
∙ Security Incident Event Manager (SIEM) (not listed for every business size)
∙ Security Orchestration, Automation & Response (SOAR) (not listed for every business size)
SCF Control Question: Does the organization facilitate the implementation of enterprise-wide monitoring controls?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 10 x Govern x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to facilitate the implementation of enterprise-wide monitoring controls.
C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated […]
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's […]
C|P-CMM 4 (Quantitatively Controlled): Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 […]
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of enterprise-wide monitoring controls.
SCF Domain: Continuous Monitoring
SCF Control: Intrusion Detection & Prevention Systems (IDS & IPS)
SCF #: MON-01.1
Control Description: Mechanisms exist to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
Evidence Request List (ERL) #: E-MON-01, E-MON-06, E-MON-07
Possible Solutions & Considerations:
∙ Intrusion Detection / Prevention Systems (IDS / IPS) (all business sizes)
∙ Extended Detection and Response (XDR) (not listed for every business size)
SCF Control Question: Does the organization implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 9 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated […]
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement Intrusion Detection / Prevention Systems (IDS / IPS) technologies on critical systems, key network segments and network choke points.
SCF Domain: Continuous Monitoring
SCF Control: Automated Tools for Real-Time Analysis
SCF #: MON-01.2
Control Description: Mechanisms exist to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
Evidence Request List (ERL) #: E-MON-01, E-MON-05
Possible Solutions & Considerations (not every item is listed for every business size):
∙ Managed Security Services Provider (MSSP)
∙ Security Incident Event Manager (SIEM)
∙ Security Orchestration, Automation & Response (SOAR)
∙ Extended Detection and Response (XDR)
SCF Control Question: Does the organization utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 9 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize a Security Incident Event Manager (SIEM), or similar automated tool, to support near real-time analysis and incident escalation.
SCF Domain: Continuous Monitoring
SCF Control: Inbound & Outbound Communications Traffic
SCF #: MON-01.3
Control Description: Mechanisms exist to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
Evidence Request List (ERL) #: E-MON-01, E-MON-06, E-MON-07
Possible Solutions & Considerations:
∙ Intrusion Detection / Prevention Systems (IDS / IPS) (all business sizes)
∙ Extended Detection and Response (XDR) (not listed for every business size)
SCF Control Question: Does the organization continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 9 x Detect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to continuously monitor inbound and outbound communications traffic for unusual or unauthorized activities or conditions.
SCF Domain: Continuous Monitoring
SCF Control: System Generated Alerts
SCF #: MON-01.4
Control Description: Mechanisms exist to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
Evidence Request List (ERL) #: E-MON-01, E-MON-06, E-MON-07
Possible Solutions & Considerations (all business sizes):
∙ Secure Baseline Configurations (SBC)
SCF Control Question: Does the organization generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 7 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated […]
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate, monitor, correlate and respond to alerts from physical, cybersecurity, data privacy and supply chain activities to achieve integrated situational awareness.
SCF Domain: Continuous Monitoring
SCF Control: Wireless Intrusion Detection System (WIDS)
SCF #: MON-01.5
Control Description: Mechanisms exist to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
Possible Solutions & Considerations:
∙ Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) (all business sizes)
∙ Extended Detection and Response (XDR) (not listed for every business size)
SCF Control Question: Does the organization utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 5 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize Wireless Intrusion Detection / Protection Systems (WIDS / WIPS) to identify rogue wireless devices and to detect attack attempts via wireless networks.
SCF Domain: Continuous Monitoring
SCF Control: Host-Based Devices
SCF #: MON-01.6
Control Description: Mechanisms exist to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.
Possible Solutions & Considerations:
∙ Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) (all business sizes)
∙ Extended Detection and Response (XDR) (not listed for every business size)
SCF Control Question: Does the organization utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Detect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident Event Manager (SIEM), or similar automated tool, to maintain situational awareness.
C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated […]
C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant […]
C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: […]
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident […]
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize Host-based Intrusion Detection / Prevention Systems (HIDS / HIPS) to actively alert on or block unwanted activities and send logs to a Security Incident […]
Mechanisms exist to utilize a File Integrity Monitor (FIM), or similar change- ∙ File Integrity Monitor (FIM) ∙ File Integrity Monitor (FIM) ∙ File Integrity Monitor (FIM) Does the organization utilize a File Integrity Monitor There is no evidence of a capability to utilize a Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
detection technology, on critical assets to generate alerts for unauthorized ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite ∙ CimTrak Integrity Suite (FIM), or similar change-detection technology, on File Integrity monitor (FIM), or similar change- hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous File Integrity Monitoring modifications. (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) (https://cimcor.com/cimtrak) critical assets to generate alerts for unauthorized detection technology, on critical assets to maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-01.7 E-MON-08 modifications? 9 x Detect x generate alerts for unauthorized least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to utilize a File Integrity monitor not necessary to utilize a File Integrity monitor
Monitoring (FIM)
modifications. • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at (FIM), or similar change-detection technology, (FIM), or similar change-detection technology,
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: on critical assets to generate alerts for on critical assets to generate alerts for
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, unauthorized modifications. unauthorized modifications.
Mechanisms exist to review event logs on an ongoing basis and escalate ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization review event logs on an There is no evidence of a capability to review Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
incidents in accordance with established timelines and procedures. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) ongoing basis and escalate incidents in accordance event logs on an ongoing basis and escalate hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
E-MON-01 ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services with established timelines and procedures? incidents in accordance with established maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Continuous Security Event
MON-01.8 E-MON-02 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 10 x Detect x x x timelines and procedures. least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to review event logs on an not necessary to review event logs on an
Monitoring Monitoring
E-MON-05 • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at ongoing basis and escalate incidents in ongoing basis and escalate incidents in
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: accordance with established timelines and accordance with established timelines and
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, procedures. procedures.
Mechanisms exist to log all Internet-bound requests, in order to identify Does the organization log all Internet-bound There is no evidence of a capability to log all Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
prohibited activities and assist incident handlers with identifying potentially requests, in order to identify prohibited activities Internet-bound requests, in order to identify hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous compromised systems. and assist incident handlers with identifying prohibited activities and assist incident maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Proxy Logging MON-01.9 potentially compromised systems? 8 x Detect x handlers with identifying potentially least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to log all Internet-bound not necessary to log all Internet-bound
Monitoring
compromised systems. • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at requests, in order to identify prohibited requests, in order to identify prohibited
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: activities and assist incident handlers with activities and assist incident handlers with
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, identifying potentially compromised systems. identifying potentially compromised systems.
Mechanisms exist to monitor deactivated accounts for attempted usage. ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization monitor deactivated accounts There is no evidence of a capability to monitor Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) for attempted usage? deactivated accounts for attempted usage. hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Deactivated Account ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-01.10 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 9 x Detect x x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to monitor deactivated not necessary to monitor deactivated
Monitoring Activity
• Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at accounts for attempted usage. accounts for attempted usage.
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist:
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to automatically implement pre-determined corrective ∙ Intrusion Detection / Prevention ∙ Intrusion Detection / Prevention ∙ Intrusion Detection / Prevention Does the organization automatically implement pre- There is no evidence of a capability to C|P-CMM1 is N/A,
processes and/ orsince a structured
transmit process is Continuous
sensitive/regulated decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
actions in response to detected events that have security incident Systems (IDS / IPS) Systems (IDS / IPS) Systems (IDS / IPS) determined corrective actions in response to automatically implement pre-determined required to automatically implement pre- requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and metrics driven and provide sufficient “world-class” capabilities that leverage
Continuous Automated Response to implications. ∙ Extended Detection and ∙ Extended Detection and ∙ Extended Detection and detected events that have security incident corrective actions in response to detected determined corrective actions in response to local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
MON-01.11 Response (XDR) Response (XDR) Response (XDR) implications? 5 x Detect x events that have security incident detected events that have security incident across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
Monitoring Suspicious Events
implications. implications. maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
• Situational awareness management is • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to automatically alert incident response personnel to ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization automatically alert incident There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
inappropriate or anomalous activities that have potential security incident Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) response personnel to inappropriate or anomalous automatically alert incident response required to automatically alert incident requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous implications. ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services activities that have potential security incident personnel to inappropriate or anomalous response personnel to inappropriate or local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Automated Alerts MON-01.12 E-MON-06 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) implications? 5 x Detect x activities that have potential security incident anomalous activities that have potential across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to automatically alert incident not necessary to automatically alert incident
Monitoring
implications. security incident implications. maturity would reasonably expect all, or at maturity would reasonably expect all, or at response personnel to inappropriate or response personnel to inappropriate or
least most, the following criteria to exist: least most, the following criteria to exist: anomalous activities that have potential anomalous activities that have potential
• Situational awareness management is • An IT Asset Management (ITAM) function, security incident implications. security incident implications.
Mechanisms exist to "tune" event monitoring technologies through ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization "tune" event monitoring There is no evidence of a capability to "tune" C|P-CMM1 is N/A, since a structured process is Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
analyzing communications traffic/event patterns and developing profiles Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) technologies through analyzing communications event monitoring technologies through required to "tune" event monitoring requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and metrics driven and provide sufficient “world-class” capabilities that leverage
Continuous representing common traffic patterns and/or events. ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services traffic/event patterns and developing profiles analyzing communications traffic/event technologies through analyzing local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
Alert Threshold Tuning MON-01.13 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) representing common traffic patterns and/or 5 x Detect x x patterns and developing profiles representing communications traffic/event patterns and across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
Monitoring
events? common traffic patterns and/ or events. developing profiles representing common maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
traffic patterns and/ or events. least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
• Situational awareness management is • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to implement enhanced activity monitoring for ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization implement enhanced activity There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
individuals who have been identified as posing an increased level of risk. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) monitoring for individuals who have been identified implement enhanced activity monitoring for required to implement enhanced activity is required
function) andto implement enhanced activity
uses non-standardized methods standardized across the organization and metrics driven and provide sufficient “world-class” capabilities that leverage
Continuous Individuals Posing ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services as posing an increased level of risk? individuals who have been identified as posing monitoring for individuals who have been monitoring
to implement forsecure,
individuals who and
resilient havecompliant
been centrally managed, where technically feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
MON-01.14 E-MON-03 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 5 x Detect x x an increased level of risk. identified as posing an increased level of risk. identified as posing an increased level of risk. to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
Monitoring Greater Risk
maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
• An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to implement enhanced activity monitoring for privileged ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization implement enhanced activity There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Continuous Monitoring (MON) efforts are
or similar function: Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
users. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) monitoring for privileged users? implement enhanced activity monitoring for required to implement enhanced activity is required to implement enhanced activity standardized across the organization and metrics driven and provide sufficient “world-class” capabilities that leverage
Continuous ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services privileged users. monitoring for privileged users. monitoring for privileged users. centrally managed, where technically feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
Privileged User Oversight MON-01.15 E-MON-03 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 5 x Detect x to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
Monitoring
maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
• An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to assess the organization's needs for monitoring and Does the organization assess its needs for There is no evidence of a capability to assess C|P-CMM1 is N/A, since a structured process is Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
prioritize the monitoring of assets, based on asset criticality and the monitoring and prioritize the monitoring of assets, its needs for monitoring and prioritize the required to assess its needs for monitoring requirements-driven and governed at a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Analyze and Prioritize sensitivity of the data it stores, transmits and processes. based on asset criticality and the sensitivity of the monitoring of assets, based on asset criticality and prioritize the monitoring of assets, based local/regional level, but are not consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-01.16 data it stores, transmits and processes? 5 x Detect x and the sensitivity of the data it stores, on asset criticality and the sensitivity of the across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to assess its needs for not necessary to assess its needs for
Monitoring Monitoring Requirements
transmits and processes. data it stores, transmits and processes. maturity would reasonably expect all, or at maturity would reasonably expect all, or at monitoring and prioritize the monitoring of monitoring and prioritize the monitoring of
least most, the following criteria to exist: least most, the following criteria to exist: assets, based on asset criticality and the assets, based on asset criticality and the
• Situational awareness management is • An IT Asset Management (ITAM) function, sensitivity of the data it stores, transmits and sensitivity of the data it stores, transmits and
Mechanisms exist to enable authorized personnel the ability to remotely Does the organization enable authorized personnel There is no evidence of a capability to enable decentralized (e.g., a localized/regionalized or similar function:
view and hear content related to an established user session in real time, in the ability to remotely view and hear content authorized personnel the ability to remotely function) and uses non-standardized methods
Continuous Real-Time Session accordance with organizational standards, as well as statutory, regulatory related to an established user session in real time, view and hear content related to an to implement secure, resilient and compliant
MON-01.17 and contractual obligations. in accordance with organizational standards, as well 4 x Detect x x established user session in real time, in
Monitoring Monitoring
as statutory, regulatory and contractual accordance with organizational standards, a
obligations?
Rows for which only the SCF # and the weighting / NIST CSF function / applicability flags appear on this page:

MON-02 | 10 x Detect x x x
MON-02.1 | 9 x Detect x x
MON-02.2 | 5 x Detect x x x
MON-02.3 | 5 x Detect x x
MON-02.4 | 5 x Detect x x
MON-02.5 | Permitted Actions | 5 x Protect x x
MON-02.6 | Audit Level Adjustments | 5 x Detect x x
MON-02.7 | 5 x Detect x
MON-02.8 | 5 x Detect x x

Licensed by Creative Commons Attribution-NoDerivatives 22 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings (one per column):
  SCF Domain
  SCF Control
  SCF #
  Secure Controls Framework (SCF) Control Description
  Evidence Request List (ERL) #
  Possible Solutions & Considerations: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2)
  Possible Solutions & Considerations: Small Business (10-49 staff; BLS Firm Size Classes 3-4)
  Possible Solutions & Considerations: Medium Business (50-249 staff; BLS Firm Size Classes 5-6)
  Possible Solutions & Considerations: Large Business (250-999 staff; BLS Firm Size Classes 7-8)
  Possible Solutions & Considerations: Enterprise (> 1,000 staff; BLS Firm Size Class 9)
  SCF Control Question
  Relative Control Weighting
  NIST CSF Function Grouping
  PPTDF Applicability: PEOPLE / PROCESS / TECHNOLOGY / DATA / FACILITY
  SCRM Focus: TIER 1 STRATEGIC / TIER 2 OPERATIONAL / TIER 3 TACTICAL
  C|P-CMM 0: Not Performed
  C|P-CMM 1: Performed Informally
  C|P-CMM 2: Planned & Tracked
  C|P-CMM 3: Well Defined
  C|P-CMM 4: Quantitatively Controlled
  C|P-CMM 5: Continuously Improving

MON-02.9 | Continuous Monitoring | Inventory of Technology Asset Event Logging
  Control description: Mechanisms exist to maintain a current and accurate inventory of technology assets being logged.
  Evidence Request List (ERL) #: none listed.
  Possible solutions & considerations: none listed.
  Control question: Does the organization maintain a current and accurate inventory of technology assets being logged?
  Weighting, NIST CSF function and applicability flags (as extracted): 7 x Identify x
  C|P-CMM 0 (Not Performed): Mechanisms exist to maintain a current and accurate inventory of technology assets being logged.
  C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to maintain a current and accurate inventory of technology assets being logged.
  C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: ...
  C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to maintain a current and accurate inventory of technology assets being logged.
  C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to maintain a current and accurate inventory of technology assets being logged.

MON-03 | Continuous Monitoring | Content of Event Logs
  Control description: Mechanisms exist to configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; (5) The outcome (success or failure) of the event; and ...
  Evidence Request List (ERL) #: E-AST-01, E-CPL-01
  Possible solutions & considerations: Secure Baseline Configurations (SBC) (all business sizes).
  Control question: Does the organization configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; (4) The source of the event; ...
  Weighting, NIST CSF function and applicability flags (as extracted): 10 x Detect x x x
  C|P-CMM 0 (Not Performed): There is no evidence of a capability to configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; (2) When (date and time) the event occurred; (3) Where the event occurred; ...
  C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated ...
  C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: ...
  C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; ...
  C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure systems to produce event logs that contain sufficient information to, at a minimum: (1) Establish what type of event occurred; ...

MON-03.1 | Continuous Monitoring | Sensitive Audit Information
  Control description: Mechanisms exist to protect sensitive/regulated data contained in log files.
  Evidence Request List (ERL) #: none listed.
  Possible solutions & considerations: Secure Baseline Configurations (SBC); Role Based Access Control (RBAC) (all business sizes).
  Control question: Does the organization protect sensitive/regulated data contained in log files?
  Weighting, NIST CSF function and applicability flags (as extracted): 8 x Detect x
  C|P-CMM 0 (Not Performed): There is no evidence of a capability to protect sensitive/regulated data contained in log files.
  C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated ...
  C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: ...
  C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect sensitive/regulated data contained in log files.
  C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect sensitive/regulated data contained in log files.

MON-03.2 | Continuous Monitoring | Audit Trails
  Control description: Mechanisms exist to link system access to individual users or service accounts.
  Evidence Request List (ERL) #: none listed.
  Possible solutions & considerations: Secure Baseline Configurations (SBC) (all business sizes).
  Control question: Does the organization link system access to individual users or service accounts?
  Weighting, NIST CSF function and applicability flags (as extracted): 10 x Detect x
  C|P-CMM 0 (Not Performed): There is no evidence of a capability to link system access to individual users or service accounts.
  C|P-CMM 1 (Performed Informally): Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated ...
  C|P-CMM 2 (Planned & Tracked): Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant ...
  C|P-CMM 3 (Well Defined): Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: ...
  C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to link system access to individual users or service accounts.
  C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to link system access to individual users or service accounts.
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to log and review the actions of users and/or services ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization log and review the actions of There is no evidence of a capability to log and Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
with elevated privileges. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) users and/or services with elevated privileges? review the actions of users and/ or services hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Privileged Functions ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services with elevated privileges. maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-03.3 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 8 x Detect x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to log and review the actions of not necessary to log and review the actions of
Monitoring Logging
• Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at users and/ or services with elevated users and/ or services with elevated
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: privileges. privileges.
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to verbosely log all traffic (both allowed and blocked) ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization verbosely log all traffic (both There is no evidence of a capability to Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
arriving at network boundary devices, including firewalls, Intrusion (SBC) (SBC) (SBC) (SBC) (SBC) allowed and blocked) arriving at network boundary verbosely log all traffic (both allowed and hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Verbosity Logging for Detection / Prevention Systems (IDS/IPS) and inbound and outbound devices, including firewalls, Intrusion Detection / blocked) arriving at network boundary maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-03.4 proxies. Prevention Systems (IDS/IPS) and inbound and 5 x Detect x devices, including firewalls, Intrusion least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to verbosely log all traffic (both not necessary to verbosely log all traffic (both
Monitoring Boundary Devices
outbound proxies? Detection / Prevention Systems (IDS/IPS) and • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at allowed and blocked) arriving at network allowed and blocked) arriving at network
inbound and outbound proxies. event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: boundary devices, including firewalls, boundary devices, including firewalls,
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, Intrusion Detection / Prevention Systems Intrusion Detection / Prevention Systems
Mechanisms exist to limit Personal Data (PD) contained in audit records to ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization limit Personal Data (PD) There is no evidence of a capability to limit Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
the elements identified in the data privacy risk assessment. (SBC) (SBC) (SBC) (SBC) (SBC) contained in audit records to the elements Personal Data (PD) contained in audit records hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Limit Personal Data (PD) identified in the data privacy risk assessment? to the elements identified in the data privacy maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-03.5 8 x Detect x x risk assessment. least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to limit Personal Data (PD) not necessary to limit Personal Data (PD)
Monitoring In Audit Records
• Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at contained in audit records to the elements contained in audit records to the elements
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: identified in the data privacy risk assessment. identified in the data privacy risk assessment.
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
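Added example, not part of the SCF or of any vendor solution it lists: one way to implement MON-03.1 (protect sensitive/regulated data in log files) and MON-03.5 (limit PD in audit records to the assessed elements) in a single audit-logging path. The allow-list PERMITTED_PD_FIELDS stands in for the output of a privacy risk assessment and is a hypothetical value; the redaction patterns, the sample event and the 0600 file mode are also assumptions chosen for illustration, not SCF requirements.

```python
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Hypothetical result of the data privacy risk assessment: the only PD elements an
# audit record may carry about the acting user. Everything else is dropped, not masked.
PERMITTED_PD_FIELDS = frozenset({"user_id", "role"})

# Secrets and regulated identifiers that must never reach a log file (MON-03.1).
# Deliberately coarse; tune to the data types the risk assessment actually identified.
_SECRET_PATTERNS = [
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[a-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[REDACTED-SSN]"),
    (re.compile(r"\b\d(?:[ -]?\d){12,15}\b"), "[REDACTED-PAN]"),
]


def scrub_text(text: str) -> str:
    """Replace secret-bearing substrings before the text is written anywhere."""
    for pattern, replacement in _SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    return text


def build_audit_record(event: str, actor: dict, details: dict,
                       permitted: frozenset = PERMITTED_PD_FIELDS) -> dict:
    """Minimise PD about the actor to the permitted elements and scrub free-text details."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "actor": {k: v for k, v in actor.items() if k in permitted},
        "details": {k: scrub_text(str(v)) for k, v in details.items()},
    }
    dropped = sorted(k for k in actor if k not in permitted)
    if dropped:
        # Record which elements were withheld so the minimisation itself is auditable.
        record["pd_elements_dropped"] = dropped
    return record


def append_record(path: str, record: dict) -> None:
    """Append one JSON line; the file is created owner-read/write only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def run_example() -> dict:
    """Write a constructed login event to a temporary log and report what landed on disk."""
    record = build_audit_record(
        "login",
        # Constructed sample actor: two permitted elements, two that must be dropped.
        actor={"user_id": "u-1042", "role": "analyst",
               "email": "jane@example.com", "dob": "1990-04-01"},
        # Constructed sample details carrying a bearer token and an SSN-shaped value.
        details={"header": "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc",
                 "note": "SSN 123-45-6789"},
    )
    path = os.path.join(tempfile.mkdtemp(), "audit.log")
    append_record(path, record)
    with open(path, encoding="utf-8") as fh:
        stored = json.loads(fh.readline())
    return {"stored": stored, "mode_bits": os.stat(path).st_mode & 0o777}


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The allow-list approach is what makes MON-03.5 testable: an assessor can compare PERMITTED_PD_FIELDS against the risk assessment and diff it against what the log actually contains, whereas a deny-list of regexes can only ever be shown incomplete. The regexes remain useful for free-text fields that the schema cannot constrain.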
MON-03.6  Centralized Management of Planned Audit Record Content  (Continuous Monitoring)
Control: Mechanisms exist to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
Assessment question: Does the organization centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components?
Weighting and flags (as extracted): 5 x Detect x x x
Possible solutions: none listed in the source for any maturity level.
C|P-CMM0: There is no evidence of a capability to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to centrally manage and configure the content required to be captured in audit records generated by organization-defined information system components.

MON-03.7  Database Logging  (Continuous Monitoring)
Control: Mechanisms exist to ensure databases produce audit records that contain sufficient information to monitor database activities.
Assessment question: Does the organization ensure databases produce audit records that contain sufficient information to monitor database activities?
Weighting and flags (as extracted): 8 x Detect x
Possible solutions, CMM1 through CMM5: ∙ Secure Baseline Configurations (SBC)
C|P-CMM0: There is no evidence of a capability to ensure databases produce audit records that contain sufficient information to monitor database activities.
C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to ensure databases produce audit records that contain sufficient information to monitor database activities.
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure databases produce audit records that contain sufficient information to monitor database activities.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure databases produce audit records that contain sufficient information to monitor database activities.

MON-04  Event Log Storage Capacity  (Continuous Monitoring)
Control: Mechanisms exist to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
Assessment question: Does the organization allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded?
Weighting and flags (as extracted): 8 x Detect x x
Possible solutions, CMM1 through CMM5: ∙ IT Asset Management (ITAM) program ∙ ITIL 4 (https://axelos.com)
C|P-CMM0: There is no evidence of a capability to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to allocate and proactively manage sufficient event log storage capacity to reduce the likelihood of such capacity being exceeded.

MON-05  Response To Event Log Processing Failures  (Continuous Monitoring)
Control: Mechanisms exist to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.
Assessment question: Does the organization alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption?
Weighting and flags (as extracted): 8 x Detect x x
Possible solutions: CMM1 ∙ Incident Response Plan (IRP) ∙ Managed Security Services Provider (MSSP); CMM2 through CMM5 ∙ Incident Response Plan (IRP) ∙ Security Incident Event Manager (SIEM) ∙ Managed Security Services Provider (MSSP)
C|P-CMM0: There is no evidence of a capability to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.
C|P-CMM1: Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to alert appropriate personnel in the event of a log processing failure and take actions to remedy the disruption.

MON-05.1  Real-Time Alerts of Event Logging Failure  (Continuous Monitoring)
Control: Mechanisms exist to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
Assessment question: Does the organization provide 24x7x365 near real-time alerting capability when an event log processing failure occurs?
Weighting and flags (as extracted): 6 x Detect x
Possible solutions: CMM1 ∙ Managed Security Services Provider (MSSP); CMM2 through CMM5 ∙ Security Incident Event Manager (SIEM) ∙ Managed Security Services Provider (MSSP)
C|P-CMM0: There is no evidence of a capability to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide 24x7x365 near real-time alerting capability when an event log processing failure occurs.

MON-05.2  Event Log Storage Capacity Alerting  (Continuous Monitoring)
Control: Automated mechanisms exist to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
Assessment question: Does the organization use automated mechanisms to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity?
Weighting and flags (as extracted): 5 x Detect x
Possible solutions: CMM1 ∙ Managed Security Services Provider (MSSP); CMM2 through CMM5 ∙ Security Incident Event Manager (SIEM) ∙ Managed Security Services Provider (MSSP)
C|P-CMM0: There is no evidence of a capability to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
C|P-CMM2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
C|P-CMM3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
C|P-CMM4: Continuous Monitoring (MON) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to alert appropriate personnel when the allocated volume reaches an organization-defined percentage of maximum event log storage capacity.
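Added example, not from the SCF or from any SIEM or MSSP offering: a capacity check that serves both MON-04 (proactively manage event log storage so it is unlikely to be exceeded) and MON-05.2 (alert when the allocated volume reaches an organization-defined percentage). The 75 % and 90 % thresholds, the 14-day horizon and the sample ingest rate are hypothetical values standing in for whatever the organization defines; the only system call is shutil.disk_usage on the log volume.

```python
import shutil
from dataclasses import dataclass
from typing import Optional


@dataclass
class CapacityStatus:
    volume: str
    used_pct: float
    level: str                      # "ok", "warning" or "critical"
    days_remaining: Optional[float]  # None when no ingest rate was supplied


def evaluate_capacity(volume: str, used_bytes: int, total_bytes: int,
                      daily_ingest_bytes: int = 0,
                      warn_pct: float = 75.0, critical_pct: float = 90.0) -> CapacityStatus:
    """Classify utilisation against the organization-defined thresholds (MON-05.2) and
    project how long the remaining headroom lasts at the observed ingest rate (MON-04).
    The thresholds here are assumed values, not SCF-mandated ones."""
    if total_bytes <= 0:
        raise ValueError("total_bytes must be positive")
    if not 0 < warn_pct < critical_pct <= 100:
        raise ValueError("thresholds must satisfy 0 < warn_pct < critical_pct <= 100")
    used_pct = 100.0 * used_bytes / total_bytes
    if used_pct >= critical_pct:
        level = "critical"
    elif used_pct >= warn_pct:
        level = "warning"
    else:
        level = "ok"
    free_bytes = max(total_bytes - used_bytes, 0)
    days = free_bytes / daily_ingest_bytes if daily_ingest_bytes > 0 else None
    return CapacityStatus(volume, round(used_pct, 1), level, days)


def check_log_volume(path: str, daily_ingest_bytes: int = 0, **thresholds) -> CapacityStatus:
    """Measure the filesystem that holds the event logs and evaluate it."""
    usage = shutil.disk_usage(path)
    return evaluate_capacity(path, usage.used, usage.total, daily_ingest_bytes, **thresholds)


def alert_text(status: CapacityStatus, min_days: float = 14.0) -> Optional[str]:
    """Return the alert to send, or None when no action is needed.
    A volume still under the percentage thresholds is escalated to a warning when the
    ingest rate will exhaust it within min_days, which is the proactive half of MON-04."""
    runway_short = status.days_remaining is not None and status.days_remaining < min_days
    if status.level == "ok" and not runway_short:
        return None
    severity = status.level if status.level != "ok" else "warning"
    eta = "unknown" if status.days_remaining is None else f"{status.days_remaining:.1f} days"
    return (f"[{severity.upper()}] event log volume {status.volume} at {status.used_pct}% "
            f"of capacity, projected full in {eta}")


if __name__ == "__main__":
    # Constructed ingest rate of 2 GiB/day; adjust to the rate measured from the SIEM.
    status = check_log_volume("/", daily_ingest_bytes=2 * 1024 ** 3)
    print(status)
    print(alert_text(status) or "no alert")
```

Run it from cron or a monitoring agent and route the returned text to the on-call channel; keeping the measurement (check_log_volume) separate from the decision (evaluate_capacity, alert_text) is what lets the thresholds be asserted in a test, which is the evidence an assessor will ask for.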
Mechanisms exist to provide an event log report generation capability to ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization provide an event log report There is no evidence of a capability to provide C|P-CMM1 is N/A, since a structured process is Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
aid in detecting and assessing anomalous activities. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) generation capability to aid in detecting and an event log report generation capability to required to provide an event log report requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services assessing anomalous activities? aid in detecting and assessing anomalous generation capability to aid in detecting and local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Monitoring Reporting MON-06 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 7 x Detect x x activities. assessing anomalous activities. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to provide an event log report not necessary to provide an event log report
Monitoring
maturity would reasonably expect all, or at maturity would reasonably expect all, or at generation capability to aid in detecting and generation capability to aid in detecting and
least most, the following criteria to exist: least most, the following criteria to exist: assessing anomalous activities. assessing anomalous activities.
• Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to provide and implement the capability for auditing the ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization provide and implement the There is no evidence of a capability to provide C|P-CMM1 is N/A, since a structured process is Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: Continuous Monitoring (MON) efforts are See C|P-CMM4. There are no defined C|P-
parameters of user query events for data sets containing Personal Data (SBC) (SBC) (SBC) (SBC) (SBC) capability for auditing the parameters of user query and implement the capability for auditing the required to provide and implement the requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Continuous Query Parameter Audits (PD). events for data sets containing Personal Data (PD)? parameters of user query events for data sets capability for auditing the parameters of user local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, management insight (based on a quantitative assume a continuously-improving process is
MON-06.1 3 x Detect x x containing Personal Data (PD). query events for data sets containing Personal across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to provide and implement the
Monitoring of Personal Data (PD)
Data (PD). maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure capability for auditing the parameters of user
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for query events for data sets containing Personal
• Situational awareness management is • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3 Data (PD).
Mechanisms exist to employ trend analyses to determine if security control ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization employ trend analyses to There is no evidence of a capability to employ C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
implementations, the frequency of continuous monitoring activities, and/or Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) determine if security control implementations, the trend analyses to determine if security control required to employ trend analyses to is required
function) andto employ trend analyses methods
uses non-standardized to standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous the types of activities used in the continuous monitoring process need to be ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services frequency of continuous monitoring activities, implementations, the frequency of continuous determine if security control implementations, determine
to implementif security
secure,control
resilientimplementations,
and compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Trend Analysis Reporting MON-06.2 modified based on empirical data. Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) and/or the types of activities used in the continuous 5 x Detect x monitoring activities, and/ or the types of the frequency of continuous monitoring the frequency of continuous monitoring to ensure consistency. CMM Level 3 control not necessary to employ trend analyses to not necessary to employ trend analyses to
Monitoring
monitoring process need to be modified based on activities used in the continuous monitoring activities, and/ or the types of activities used activities, and/ or the types of activities used maturity would reasonably expect all, or at determine if security control implementations, determine if security control implementations,
empirical data? process need to be modified based on in the continuous monitoring process need to in the continuous monitoring process need to least most, the following criteria to exist: the frequency of continuous monitoring the frequency of continuous monitoring
empirical data. be modified based on empirical data. be modified based on empirical data. • An IT Asset Management (ITAM) function, activities, and/ or the types of activities used activities, and/ or the types of activities used
Domain-level C|P-CMM 1-3 text shared by the MON controls below (each column's bullet criteria are cut off in the extraction at the point marked):
C|P-CMM 1: Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, process and/ or transmit sensitive/regulated [cut off]
C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant [cut off]
C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function: [cut off]

MON-07 | Time Stamps | Domain: Continuous Monitoring
Control Description: Mechanisms exist to configure systems to use an authoritative time source to generate time stamps for event logs.
Possible Solutions & Considerations (all size classes): ∙ Secure Baseline Configurations (SBC)
Control Question: Does the organization configure systems to use an authoritative time source to generate time stamps for event logs?
Weighting 10 | PPTDF x | NIST CSF Function Detect | SCRM Focus x
C|P-CMM 0: There is no evidence of a capability to configure systems to use an authoritative time source to generate time stamps for event logs.
C|P-CMM 1-3: domain-level MON text above.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to configure systems to use an authoritative time source to generate time stamps for event logs.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to configure systems to use an authoritative time source to generate time stamps for event logs.

MON-07.1 | Synchronization With Authoritative Time Source | Domain: Continuous Monitoring
Control Description: Mechanisms exist to synchronize internal system clocks with an authoritative time source.
Possible Solutions & Considerations (all size classes): ∙ Secure Baseline Configurations (SBC)
Control Question: Does the organization synchronize internal system clocks with an authoritative time source?
Weighting 8 | PPTDF x | NIST CSF Function Detect | SCRM Focus x
C|P-CMM 0: There is no evidence of a capability to synchronize internal system clocks with an authoritative time source.
C|P-CMM 1-3: domain-level MON text above.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to synchronize internal system clocks with an authoritative time source.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to synchronize internal system clocks with an authoritative time source.

MON-08 | Protection of Event Logs | Domain: Continuous Monitoring
Control Description: Mechanisms exist to protect event logs and audit tools from unauthorized access, modification and deletion.
Possible Solutions & Considerations (all size classes): ∙ Secure Baseline Configurations (SBC) ∙ Role Based Access Control (RBAC)
Control Question: Does the organization protect event logs and audit tools from unauthorized access, modification and deletion?
Weighting 10 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
C|P-CMM 0: There is no evidence of a capability to protect event logs and audit tools from unauthorized access, modification and deletion.
C|P-CMM 1-3: domain-level MON text above.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to protect event logs and audit tools from unauthorized access, modification and deletion.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect event logs and audit tools from unauthorized access, modification and deletion.

MON-08.1 | Event Log Backup on Separate Physical Systems / Components | Domain: Continuous Monitoring
Control Description: Mechanisms exist to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
Possible Solutions & Considerations: Micro-Small Business: ∙ Managed Security Services Provider (MSSP). Small, Medium, Large Business and Enterprise: ∙ Security Incident Event Manager (SIEM) ∙ Managed Security Services Provider (MSSP)
Control Question: Does the organization back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool?
Weighting 5 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
C|P-CMM 0: There is no evidence of a capability to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
C|P-CMM 2-3: domain-level MON text above.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to back up event logs onto a physically different system or system component than the Security Incident Event Manager (SIEM) or similar automated tool.

MON-08.2 | Access by Subset of Privileged Users | Domain: Continuous Monitoring
Control Description: Mechanisms exist to restrict access to the management of event logs to privileged users with a specific business need.
Possible Solutions & Considerations (all size classes): ∙ Secure Baseline Configurations (SBC) ∙ Role Based Access Control (RBAC)
Control Question: Does the organization restrict access to the management of event logs to privileged users with a specific business need?
Weighting 8 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
C|P-CMM 0: There is no evidence of a capability to restrict access to the management of event logs to privileged users with a specific business need.
C|P-CMM 1-3: domain-level MON text above.
C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict access to the management of event logs to privileged users with a specific business need.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict access to the management of event logs to privileged users with a specific business need.

MON-08.3 | Cryptographic Protection of Event Log Information | Domain: Continuous Monitoring
Control Description: Cryptographic mechanisms exist to protect the integrity of event logs and audit tools.
Possible Solutions & Considerations (all size classes): ∙ Secure Baseline Configurations (SBC)
Control Question: Are cryptographic mechanisms utilized to protect the integrity of event logs and audit tools?
Weighting 5 | PPTDF x | NIST CSF Function Protect | SCRM Focus x
C|P-CMM 0-5: not captured on this page.
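One way to implement the integrity protection MON-08.3 asks for, and to make the unauthorized modification or deletion MON-08 is concerned with detectable rather than merely forbidden, is a hash-chained log in which every record carries a keyed MAC over its own content and the previous record's MAC. The block below is an added example written for this page; it is not SCF text and not any product's code. The key, the record layout and the sample events are constructed for the example, and the key is assumed to be held by the log collector rather than by the host that writes the log.

```python
"""Hash-chained event log with per-record HMACs (added example, not SCF or vendor code)."""
import copy
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed key for the example. In a real deployment the log collector holds
# the key; a host that only writes records cannot recompute MACs after the fact.
LOG_KEY = b"constructed-example-key-do-not-reuse"
GENESIS = "0" * 64  # "previous MAC" of the first record


def _canonical(event: dict) -> str:
    """Stable serialisation so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def append_record(chain: List[dict], event: dict, key: bytes = LOG_KEY) -> dict:
    """Append `event` to `chain`, binding it to the previous record's MAC."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    mac = hmac.new(key, (prev_mac + _canonical(event)).encode(), hashlib.sha256).hexdigest()
    record = {"seq": len(chain), "prev": prev_mac, "event": event, "mac": mac}
    chain.append(record)
    return record


def verify_chain(chain: List[dict], key: bytes = LOG_KEY,
                 expected_tail_mac: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_seq).

    Catches edited, deleted and reordered records anywhere in the chain. Records
    removed from the tail are only caught when the caller supplies the last MAC
    it recorded out-of-band (`expected_tail_mac`), e.g. from the separate backup.
    """
    prev_mac = GENESIS
    for i, rec in enumerate(chain):
        expected = hmac.new(key, (prev_mac + _canonical(rec["event"])).encode(),
                            hashlib.sha256).hexdigest()
        if rec["seq"] != i or rec["prev"] != prev_mac \
                or not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev_mac = rec["mac"]
    if expected_tail_mac is not None and prev_mac != expected_tail_mac:
        return False, len(chain)  # records missing after the last one present
    return True, None


def build_sample_chain() -> List[dict]:
    """Three constructed audit events, in order of occurrence."""
    chain: List[dict] = []
    for event in (
        {"ts": "2025-07-23T10:00:00Z", "user": "alice", "action": "login", "result": "ok"},
        {"ts": "2025-07-23T10:02:13Z", "user": "alice", "action": "sudo", "cmd": "cat /etc/shadow"},
        {"ts": "2025-07-23T10:02:40Z", "user": "alice", "action": "logout"},
    ):
        append_record(chain, event)
    return chain


def tamper_scenarios() -> dict:
    """Show what each kind of tampering looks like to the verifier."""
    chain = build_sample_chain()
    tail_mac = chain[-1]["mac"]            # what the collector/backup would hold

    edited = copy.deepcopy(chain)
    edited[1]["event"]["cmd"] = "ls"       # attacker rewrites the sudo command
    deleted = copy.deepcopy(chain)
    del deleted[1]                         # attacker drops the sudo record
    truncated = copy.deepcopy(chain)[:-1]  # attacker drops the newest record

    return {
        "intact": verify_chain(chain),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, expected_tail_mac=tail_mac),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:22s} ok={result[0]} first_bad_seq={result[1]}")
```

Editing or deleting a record in the middle breaks the chain at that record; dropping records from the end does not, which is why verify_chain accepts the last MAC the collector recorded separately. The off-host copy MON-08.1 requires is the natural place to keep that anchor, and keeping the key off the logging host is what stops a local attacker from simply re-signing a rewritten chain.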

Rows captured only partially on this page (SCF #, weighting, NIST CSF Function and applicability marks; other columns not captured):
MON-08.4 | Weighting 5 | PPTDF x | NIST CSF Function Protect | SCRM Focus x x
MON-09 | Non-Repudiation | Weighting 8 | PPTDF x | NIST CSF Function Protect | SCRM Focus x
MON-09.1 | Identity Binding | Weighting 4 | PPTDF x | NIST CSF Function Protect | SCRM Focus x x
MON-10 | Event Log Retention | ERL # E-AST-11 | Weighting 10 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
MON-11 | Weighting 8 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
Possible Solutions & Considerations (all size classes, row placement between MON-11 and MON-11.1): ∙ Content filtering
MON-11.1 | Weighting 5 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
MON-11.2 | Weighting 5 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
MON-11.3 | Weighting 5 | PPTDF x | NIST CSF Function Detect | SCRM Focus x x
Licensed by Creative Commons Attribution-NoDerivatives 23 of 196

version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column legend (the sheet's header row, reassembled):
∙ SCF Domain
∙ SCF Control
∙ SCF #
∙ Secure Controls Framework (SCF) Control Description
∙ Evidence Request List (ERL) #
∙ Possible Solutions & Considerations, by firm size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2) | Small Business (10-49 staff; BLS Firm Size Classes 3-4) | Medium Business (50-249 staff; BLS Firm Size Classes 5-6) | Large Business (250-999 staff; BLS Firm Size Classes 7-8) | Enterprise (> 1,000 staff; BLS Firm Size Class 9)
∙ SCF Control Question
∙ Relative Control Weighting
∙ PPTDF Applicability: PEOPLE | PROCESS | TECHNOLOGY | DATA | FACILITY
∙ NIST CSF Function Grouping
∙ SCRM Focus: TIER 1 STRATEGIC | TIER 2 OPERATIONAL | TIER 3 TACTICAL
∙ C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

Mechanisms exist to provide session audit capabilities that can: ∙ ManageEngine PAM360 ∙ ManageEngine PAM360 ∙ ManageEngine PAM360 ∙ ManageEngine PAM360 ∙ ManageEngine PAM360 Does the organization provide session audit There is no evidence of a capability to provide C|P-CMM1 is N/A, since a structured process is Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
(1) Capture and log all content related to a user session; and (https://manageengine.com) (https://manageengine.com) (https://manageengine.com) (https://manageengine.com) (https://manageengine.com) capabilities that can: session audit capabilities that can: required to provide session audit capabilities requirements-driven and governed at a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous (2) Remotely view all content related to an established user session in real ∙ Ekran User Activity Monitoring ∙ Ekran User Activity Monitoring ∙ Ekran User Activity Monitoring (1) Capture and log all content related to a user (1) Capture and log all content related to a that can: local/regional level, but are not consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Session Audit MON-12 time. (UAM) (https://ekransystem.com) (UAM) (https://ekransystem.com) (UAM) (https://ekransystem.com) session; and 7 x Detect x x user session; and (1) Capture and log all content related to a across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to provide session audit not necessary to provide session audit
Monitoring
(2) Remotely view all content related to an (2) Remotely view all content related to an user session; and maturity would reasonably expect all, or at maturity would reasonably expect all, or at capabilities that can: capabilities that can:
established user session in real time? established user session in real time. (2) Remotely view all content related to an least most, the following criteria to exist: least most, the following criteria to exist: (1) Capture and log all content related to a (1) Capture and log all content related to a
established user session in real time. • Situational awareness management is • An IT Asset Management (ITAM) function, user session; and user session; and
Mechanisms exist to provide an alternate event logging capability in the ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization provide an alternate event There is no evidence of a capability to provide Continuous Monitoring (MON) efforts are ad Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
event of a failure in primary audit capability. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) logging capability in the event of a failure in an alternate event logging capability in the hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Alternate Event Logging ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services primary audit capability? event of a failure in primary audit capability. maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-13 Provider (MSSP) Provider (MSSP) Provider (MSSP) Provider (MSSP) 3 x Detect x x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to provide an alternate event not necessary to provide an alternate event
Monitoring Capability
• Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at logging capability in the event of a failure in logging capability in the event of a failure in
event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: primary audit capability. primary audit capability.
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to coordinate sanitized event logs among external ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization coordinate sanitized event There is no evidence of a capability to Continuous
processes and/Monitoring (MON)
or transmit efforts are ad Continuous
sensitive/regulated
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
organizations to identify anomalous events when event logs are shared Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) logs among external organizations to identify coordinate sanitized event logs among hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous Cross-Organizational across organizational boundaries, without giving away sensitive or critical ∙ Managed Security Services ∙ Extended Detection and ∙ Extended Detection and ∙ Extended Detection and anomalous events when event logs are shared external organizations to identify anomalous maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
MON-14 business data. Provider (MSSP) Response (XDR) Response (XDR) Response (XDR) across organizational boundaries, without giving 3 x Detect x x events when event logs are shared across least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to coordinate sanitized event not necessary to coordinate sanitized event
Monitoring Monitoring
∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services away sensitive or critical business data? organizational boundaries, without giving • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at logs among external organizations to identify logs among external organizations to identify
Provider (MSSP) Provider (MSSP) Provider (MSSP) away sensitive or critical business data. event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: anomalous events when event logs are shared anomalous events when event logs are shared
critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, across organizational boundaries, without across organizational boundaries, without
Mechanisms exist to share event logs with third-party organizations based ∙ Vocabulary for Event Recording ∙ Vocabulary for Event Recording ∙ Vocabulary for Event Recording ∙ Vocabulary for Event Recording ∙ Vocabulary for Event Recording Does the organization share event logs with third- There is no evidence of a capability to share C|P-CMM1 is N/A,
processes and/ orsince a structured
transmit process is
Continuous
sensitive/regulated
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
on specific cross-organizational sharing agreements. and Incident Sharing (VERIS) and Incident Sharing (VERIS) and Incident Sharing (VERIS) and Incident Sharing (VERIS) and Incident Sharing (VERIS) party organizations based on specific cross- event logs with third-party organizations required to share event logs with third-party requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous (https://verisframework.org) (https://verisframework.org) (https://verisframework.org) (https://verisframework.org) (https://verisframework.org) organizational sharing agreements? based on specific cross-organizational sharing organizations based on specific cross- local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Sharing of Event Logs MON-14.1 5 x Detect x x agreements. organizational sharing agreements. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to share event logs with third- not necessary to share event logs with third-
Monitoring
maturity would reasonably expect all, or at maturity would reasonably expect all, or at party organizations based on specific cross- party organizations based on specific cross-
least most, the following criteria to exist: least most, the following criteria to exist: organizational sharing agreements. organizational sharing agreements.
• Situational awareness management is • An IT Asset Management (ITAM) function,
Mechanisms exist to conduct covert channel analysis to identify aspects of ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager Does the organization conduct covert channel There is no evidence of a capability to conduct C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
communications that are potential avenues for covert channels. Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) analysis to identify aspects of communications that covert channel analysis to identify aspects of required to conduct covert channel analysis to is required
function) andto conduct covert channelmethods
uses non-standardized analysis standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous ∙ Managed Security Services ∙ Extended Detection and ∙ Extended Detection and ∙ Extended Detection and are potential avenues for covert channels? communications that are potential avenues for identify aspects of communications that are to identify
implementaspects of communications
secure, that are
resilient and compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Covert Channel Analysis MON-15 Provider (MSSP) Response (XDR) Response (XDR) Response (XDR) 3 x Detect x x covert channels. potential avenues for covert channels. potential avenues for covert channels. to ensure consistency. CMM Level 3 control not necessary to conduct covert channel not necessary to conduct covert channel
Monitoring
∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services maturity would reasonably expect all, or at analysis to identify aspects of communications analysis to identify aspects of communications
Provider (MSSP) Provider (MSSP) Provider (MSSP) least most, the following criteria to exist: that are potential avenues for covert that are potential avenues for covert
• An IT Asset Management (ITAM) function, channels. channels.
Mechanisms exist to detect and respond to anomalous behavior that could ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) Does the organization detect and respond to There is no evidence of a capability to detect Continuous Monitoring (MON) efforts are ad Continuous Monitoring (MON) efforts are Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
indicate account compromise or other malicious activities. ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) anomalous behavior that could indicate account and respond to anomalous behavior that could hoc and inconsistent. CMM Level 1 control requirements-driven and governed at a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous E-IRO-02 ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager compromise or other malicious activities? indicate account compromise or other maturity would reasonably expect all, or at local/regional level, but are not consistent centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Anomalous Behavior MON-16 Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) 10 x Detect x x malicious activities. least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to detect and respond to not necessary to detect and respond to
Monitoring E-MON-07
∙ Managed Security Services ∙ Extended Detection and ∙ Extended Detection and ∙ Extended Detection and • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at anomalous behavior that could indicate anomalous behavior that could indicate
Provider (MSSP) Response (XDR) Response (XDR) Response (XDR) event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist: account compromise or other malicious account compromise or other malicious
∙ Managed Security Services ∙ Managed Security Services ∙ Managed Security Services critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function, activities. activities.
Mechanisms exist to monitor internal personnel activity for potential ∙ Insider Threat program ∙ Insider Threat program ∙ Insider (MSSP)
Provider Threat program ∙ Insider (MSSP)
Provider Threat program ∙ Insider (MSSP)
Provider Threat program Does the organization monitor internal personnel There is no evidence of a capability to monitor Continuous
processes and/Monitoring (MON)
or transmit efforts are ad
sensitive/regulated Continuous
decentralized Monitoring (MON) efforts are
(e.g., a localized/regionalized Continuous Monitoring (MON) efforts are
or similar function: See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
security incidents. ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) ∙ Indicators of Compromise (IoC) activity for potential security incidents? internal personnel activity for potential hoc and inconsistent. CMM Level 1 control requirements-driven and governed atmethods
function) and uses non-standardized a standardized across the organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Continuous E-IRO-02 ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) ∙ Indicators of Exposure (IoE) security incidents. maturity would reasonably expect all, or at local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed, where technically feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Insider Threats MON-16.1 ∙ Managed Security Services ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager ∙ Security Incident Event Manager 8 x Detect x x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to monitor internal personnel not necessary to monitor internal personnel
Monitoring E-MON-07
Provider (MSSP) (SIEM) (SIEM) (SIEM) (SIEM) • Generating event logs and the review of maturity would reasonably expect all, or at maturity would reasonably expect all, or at activity for potential security incidents. activity for potential security incidents.
∙ Managed Security Services ∙ Extended Detection and ∙ Extended Detection and ∙ Extended Detection and event logs is narrowly-focused to business- least most, the following criteria to exist: least most, the following criteria to exist:
Provider (MSSP) Response (XDR) Response (XDR) Response (XDR) critical systems and/ or systems that store, • Situational awareness management is • An IT Asset Management (ITAM) function,
MON-16.2 | Continuous Monitoring | Third-Party Threats
  Control description: Mechanisms exist to monitor third-party personnel activity for potential security incidents.
  ERL #: E-IRO-02, E-MON-07
  Possible solutions & considerations: Insider Threat program; Indicators of Compromise (IoC); Indicators of Exposure (IoE); Security Incident Event Manager (SIEM); Extended Detection and Response (XDR). SIEM and XDR appear only in the larger business-size columns.
  Control question: Does the organization monitor third-party personnel activity for potential security incidents?
  Weighting: 8 | NIST CSF function: Detect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to monitor third-party personnel activity for potential security incidents.
  C|P-CMM 1: Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated
  C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to monitor third-party personnel activity for potential security incidents.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to monitor third-party personnel activity for potential security incidents.
MON-16.3 | Continuous Monitoring | Unauthorized Activities
  Control description: Mechanisms exist to monitor for unauthorized activities, accounts, connections, devices and software.
  ERL #: E-IRO-02, E-MON-07
  Possible solutions & considerations: Indicators of Compromise (IoC); Indicators of Exposure (IoE); Managed Security Services Provider (MSSP); Security Incident Event Manager (SIEM); Extended Detection and Response (XDR). SIEM and XDR appear only in the larger business-size columns.
  Control question: Does the organization monitor for unauthorized activities, accounts, connections, devices and software?
  Weighting: 8 | NIST CSF function: Detect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to monitor for unauthorized activities, accounts, connections, devices and software.
  C|P-CMM 1: Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated
  C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to monitor for unauthorized activities, accounts, connections, devices and software.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to monitor for unauthorized activities, accounts, connections, devices and software.
MON-16.4 | Continuous Monitoring | Account Creation and Modification Logging
  Control description: Automated mechanisms exist to generate event logs for permissions changes to privileged accounts and/or groups.
  ERL #: E-AST-01
  Possible solutions & considerations: Secure Baseline Configurations (SBC)
  Control question: Does the organization use automated mechanisms to generate event logs for permissions changes to privileged accounts and/or groups?
  Weighting: 7 | NIST CSF function: Detect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to generate event logs for permissions changes to privileged accounts and/or groups.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to generate event logs for permissions changes to privileged accounts and/or groups.
  C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to generate event logs for permissions changes to privileged accounts and/or groups.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to generate event logs for permissions changes to privileged accounts and/or groups.
MON-17 | Continuous Monitoring | Event Log Analysis & Triage
  Control description: Mechanisms exist to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.
  Control question: Does the organization ensure event log reviews include analysis and triage practices that integrate with its established incident response processes?
  Weighting: 7 | NIST CSF function: Detect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to ensure event log reviews include analysis and triage practices that integrate with the organization's established incident response processes.
  C|P-CMM 1: Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/or systems that store, process and/or transmit sensitive/regulated
  C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to
MON-17.1 | Continuous Monitoring | Event Log Review Escalation Matrix
  Control description: Mechanisms exist to make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix.
  Control question: Does the organization make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix?
  Weighting: 7 | NIST CSF function: Detect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to make event log review processes more efficient and effective by developing and maintaining an incident response escalation matrix.
  C|P-CMM 2: Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function:
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to
CRY-01 | Cryptographic Protections | Use of Cryptographic Controls
  Control description: Mechanisms exist to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
  ERL #: E-CRY-01
  Possible solutions & considerations: IT Asset Management (ITAM) program; Configuration Management (CM) program; Secure Baseline Configurations (SBC)
  Control question: Does the organization facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies?
  Weighting: 10 | NIST CSF function: Govern | PPTDF/SCRM marks (columns not recoverable): x x x x
  C|P-CMM 0: There is no evidence of a capability to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
  C|P-CMM 1: Cryptographic Protections (CRY) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: Cryptographic Protections (CRY) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the implementation of cryptographic protections controls using known public standards and trusted cryptographic technologies.
CRY-01.1 | Cryptographic Protections | Alternate Physical Protection
  Control description: Cryptographic mechanisms exist to prevent unauthorized disclosure of information as an alternative to physical safeguards.
  ERL #: E-GOV-18
  Possible solutions & considerations: Secure Baseline Configurations (SBC)
  Control question: Are cryptographic mechanisms utilized to prevent unauthorized disclosure of information as an alternative to physical safeguards?
  Weighting: 5 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to prevent unauthorized disclosure of information as an alternative to physical safeguards.
  C|P-CMM 1: Cryptographic Protections (CRY) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to prevent unauthorized disclosure of information as an alternative to physical safeguards.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to prevent unauthorized disclosure of information as an alternative to physical safeguards.
CRY-01.2 | Cryptographic Protections | Export-Controlled Cryptography
  Control description: Mechanisms exist to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
  Possible solutions & considerations: IT Asset Management (ITAM) program
  Control question: Does the organization address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements?
  Weighting: 5 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to address the exporting of cryptographic technologies in compliance with relevant statutory and regulatory requirements.
CRY-01.3 | Cryptographic Protections | Pre/Post Transmission Handling
  Control description: Cryptographic mechanisms exist to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
  Control question: Are cryptographic mechanisms utilized to ensure the confidentiality and integrity of information during preparation for transmission and during reception?
  Weighting: 5 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure the confidentiality and integrity of information during preparation for transmission and during reception.
CRY-01.4 | Cryptographic Protections | Conceal / Randomize Communications
  Control description: Cryptographic mechanisms exist to conceal or randomize communication patterns.
  Control question: Are cryptographic mechanisms utilized to conceal or randomize communication patterns?
  Weighting: 5 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to conceal or randomize communication patterns.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to conceal or randomize communication patterns.
  C|P-CMM 2: C|P-CMM2 is N/A, since a well-defined process is required to conceal or randomize communication patterns.
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to conceal or randomize communication patterns.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to conceal or randomize communication patterns.
CRY-01.5 | Cryptographic Protections | Cryptographic Cipher Suites and Protocols Inventory
  Control description: Mechanisms exist to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
  Control question: Does the organization identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols?
  Weighting: 9 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x x x
  C|P-CMM 0: There is no evidence of a capability to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued viability of utilized cryptographic cipher suites and protocols.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to identify, document and review deployed cryptographic cipher suites and protocols to proactively respond to industry trends regarding the continued
CRY-02 | Cryptographic Protections | Cryptographic Module Authentication
  Control description: Automated mechanisms exist to enable systems to authenticate to a cryptographic module.
  Control question: Does the organization use automated mechanisms to enable systems to authenticate to a cryptographic module?
  Weighting: 8 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x
  C|P-CMM 0: There is no evidence of a capability to enable systems to authenticate to a cryptographic module.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to enable systems to authenticate to a cryptographic module.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enable systems to authenticate to a cryptographic module.
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enable systems to authenticate to a cryptographic module.
CRY-03 | Cryptographic Protections | Transmission Confidentiality
  Control description: Cryptographic mechanisms exist to protect the confidentiality of data being transmitted.
  ERL #: E-CRY-01
  Possible solutions & considerations: NIST Cryptographic Module Validation Program (CMVP) (https://csrc.nist.gov); Transport Layer Security (TLS); IPSec encryption; Encrypted Multiprotocol Label Switching (MPLS)
  Control question: Are cryptographic mechanisms utilized to protect the confidentiality of data being transmitted?
  Weighting: 10 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to protect the confidentiality of data being transmitted.
  C|P-CMM 1: Cryptographic Protections (CRY) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: Cryptographic Protections (CRY) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect the confidentiality of data being transmitted.
CRY-04 | Cryptographic Protections | Transmission Integrity
  Control description: Cryptographic mechanisms exist to protect the integrity of data being transmitted.
  ERL #: E-CRY-01
  Control question: Are cryptographic mechanisms utilized to protect the integrity of data being transmitted?
  Weighting: 10 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to protect the integrity of data being transmitted.
  C|P-CMM 1: Cryptographic Protections (CRY) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data classification and handling criteria govern requirements to encrypt sensitive/regulated data during transmission and in storage.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical competence to address cybersecurity concerns, analyzes the organization's
  C|P-CMM 4: Cryptographic Protections (CRY) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
Rows for which only the control name, SCF #, ERL #, weighting, NIST CSF function and applicability marks survived the export:
CRY-05 | Encrypting Data At Rest | ERL #: E-CRY-01 | Weighting: 10 | NIST CSF function: Protect | marks: x x x
CRY-05.1 | Storage Media | Weighting: 8 | NIST CSF function: Protect | marks: x x x
CRY-05.2 | Offline Storage | Weighting: 5 | NIST CSF function: Protect | marks: x x x
CRY-05.3 | Database Encryption | Weighting: 8 | NIST CSF function: Protect | marks: x x
CRY-06 | Weighting: 9 | NIST CSF function: Protect | marks: x x
CRY-07 | Weighting: 9 | NIST CSF function: Protect | marks: x x x x
CRY-08 | Weighting: 9 | NIST CSF function: Protect | marks: x x x x
CRY-08.1 | Availability | Weighting: 9 | NIST CSF function: Recover | marks: x x x x
CRY-09 | Weighting: 10 | NIST CSF function: Protect | marks: x x x x

Licensed by Creative Commons Attribution-NoDerivatives 24 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings of the control table:
SCF Domain | SCF Control | SCF # | Secure Controls Framework (SCF) Control Description | Evidence Request List (ERL) # | Possible Solutions & Considerations, by business size: Micro-Small Business (<10 staff, BLS Firm Size Classes 1-2), Small Business (10-49 staff, BLS Firm Size Classes 3-4), Medium Business (50-249 staff, BLS Firm Size Classes 5-6), Large Business (250-999 staff, BLS Firm Size Classes 7-8), Enterprise (> 1,000 staff, BLS Firm Size Class 9) | SCF Control Question | Relative Control Weighting | NIST CSF Function Grouping | PPTDF Applicability: PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY | SCRM Focus: TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL | C|P-CMM 0 Not Performed | C|P-CMM 1 Performed Informally | C|P-CMM 2 Planned & Tracked | C|P-CMM 3 Well Defined | C|P-CMM 4 Quantitatively Controlled | C|P-CMM 5 Continuously Improving

CRY-09.1 | Cryptographic Protections | Symmetric Keys
  Control description: Mechanisms exist to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.
  ERL #: E-CRY-01
  Possible solutions & considerations: Cryptographic governance program
  Control question: Does the organization facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes?
  Weighting: 9 | NIST CSF function: Protect | PPTDF/SCRM marks (columns not recoverable): x x x
  C|P-CMM 0: There is no evidence of a capability to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management technology and processes.
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Cryptographic management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • The Chief Information Security Officer (CISO), or similar function with technical
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to facilitate the production and management of symmetric cryptographic keys using Federal Information Processing Standards (FIPS)-compliant key management

(Next row, cut off at the end of this page; SCF # and control name not shown)
  Control description: Mechanisms exist to facilitate the production and management of asymmetric cryptographic keys using Federal Information Processing
  Possible solutions & considerations: Cryptographic governance program
  Control question: Does the organization facilitate the production and management of asymmetric cryptographic keys
  C|P-CMM 0: There is no evidence of a capability to facilitate the production and management of
  C|P-CMM 1: C|P-CMM1 is N/A, since a structured process is required to facilitate the production and
  C|P-CMM 2: Cryptographic Protections (CRY) efforts are requirements-driven and governed at
  C|P-CMM 3: Cryptographic Protections (CRY) efforts are
  C|P-CMM 4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to
  C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic Standards (FIPS)-compliant key management technology and processes using Federal Information Processing Standards asymmetric cryptographic keys using Federal management of asymmetric cryptographic local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Asymmetric Keys CRY-09.2 that protect the user’s private key. E-CRY-01 (FIPS)-compliant key management technology and 9 x Protect x x Information Processing Standards (FIPS)- keys using Federal Information Processing across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to facilitate the production and not necessary to facilitate the production and
Protections
processes that protect the user’s private key? compliant key management technology and Standards (FIPS)-compliant key management maturity would reasonably expect all, or at maturity would reasonably expect all, or at management of asymmetric cryptographic management of asymmetric cryptographic
processes that protect the user’s private key. technology and processes that protect the least most, the following criteria to exist: least most, the following criteria to exist: keys using Federal Information Processing keys using Federal Information Processing
user’s private key. • Cryptographic management is • The Chief Information Security Officer Standards (FIPS)-compliant key management Standards (FIPS)-compliant key management
Mechanisms exist to ensure the availability of information in the event of ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization ensure the availability of There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Cryptographic Protections
decentralized (e.g., (CRY) efforts are
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
the loss of cryptographic keys by individual users. program program program program program information in the event of the loss of cryptographic the availability of information in the event of required to ensure the availability of requirements-driven and governed atmethods
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic Cryptographic Key Loss keys by individual users? the loss of cryptographic keys by individual information in the event of the loss of local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
CRY-09.3 8 x Protect x x x users. cryptographic keys by individual users. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure the availability of not necessary to ensure the availability of
Protections or Change
maturity would reasonably expect all, or at maturity would reasonably expect all, or at information in the event of the loss of information in the event of the loss of
least most, the following criteria to exist: least most, the following criteria to exist: cryptographic keys by individual users. cryptographic keys by individual users.
• Cryptographic management is • The Chief Information Security Officer
Mechanisms exist to facilitate the secure distribution of symmetric and ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization facilitate the secure There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Cryptographic Protections
decentralized (e.g., (CRY) efforts are
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
asymmetric cryptographic keys using industry recognized key management program program program program program distribution of symmetric and asymmetric facilitate the secure distribution of symmetric required to facilitate the secure distribution of requirements-driven and governed atmethods
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic Control & Distribution of technology and processes. cryptographic keys using industry recognized key and asymmetric cryptographic keys using symmetric and asymmetric cryptographic local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
CRY-09.4 management technology and processes? 9 x Protect x x x industry recognized key management keys using industry recognized key across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to facilitate the secure not necessary to facilitate the secure
Protections Cryptographic Keys
technology and processes. management technology and processes. maturity would reasonably expect all, or at maturity would reasonably expect all, or at distribution of symmetric and asymmetric distribution of symmetric and asymmetric
least most, the following criteria to exist: least most, the following criteria to exist: cryptographic keys using industry recognized cryptographic keys using industry recognized
• Cryptographic management is • The Chief Information Security Officer key management technology and processes. key management technology and processes.
Mechanisms exist to ensure cryptographic keys are bound to individual ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization ensure cryptographic keys There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Cryptographic Protections
decentralized (e.g., (CRY) efforts are
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
identities. program program program program program are bound to individual identities? cryptographic keys are bound to individual required to ensure cryptographic keys are requirements-driven and governed atmethods
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic identities. bound to individual identities. local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Assigned Owners CRY-09.5 8 x Protect x x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure cryptographic keys not necessary to ensure cryptographic keys
Protections
maturity would reasonably expect all, or at maturity would reasonably expect all, or at are bound to individual identities. are bound to individual identities.
least most, the following criteria to exist: least most, the following criteria to exist:
• Cryptographic management is • The Chief Information Security Officer
Mechanisms exist to ensure customers are provided with appropriate key ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization ensure customers are There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Cryptographic Protections
decentralized (e.g., (CRY) efforts are
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
management guidance whenever cryptographic keys are shared. program program program program program provided with appropriate key management customers are provided with appropriate key required to ensure customers are provided requirements-driven and governed atmethods
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic Third-Party guidance whenever cryptographic keys are shared? management guidance whenever with appropriate key management guidance local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
CRY-09.6 7 x Protect x cryptographic keys are shared. whenever cryptographic keys are shared. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure customers are not necessary to ensure customers are
Protections Cryptographic Keys
maturity would reasonably expect all, or at maturity would reasonably expect all, or at provided with appropriate key management provided with appropriate key management
least most, the following criteria to exist: least most, the following criteria to exist: guidance whenever cryptographic keys are guidance whenever cryptographic keys are
• Cryptographic management is • The Chief Information Security Officer shared. shared.
Mechanisms exist to maintain control of cryptographic keys for encrypted ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization maintain control of There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
material stored or transmitted through an external system. program program program program program cryptographic keys for encrypted material stored or maintain control of cryptographic keys for required to maintain control of cryptographic is required
function) andto maintain control of
uses non-standardized methods standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
External System transmitted through an external system? encrypted material stored or transmitted keys for encrypted material stored or cryptographic keys forresilient
to implement secure, encrypted
andmaterial
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Cryptographic
Cryptographic Key CRY-09.7 5 x Protect x through an external system. transmitted through an external system. stored or transmitted through an external to ensure consistency. CMM Level 3 control not necessary to maintain control of not necessary to maintain control of
Protections
Control system. maturity would reasonably expect all, or at cryptographic keys for encrypted material cryptographic keys for encrypted material
least most, the following criteria to exist: stored or transmitted through an external stored or transmitted through an external
• The Chief Information Security Officer system. system.
Mechanisms exist to ensure systems associate security attributes with ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization ensure systems associate There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Cryptographic Protections (CRY) efforts are Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
information exchanged between systems. program program program program program security attributes with information exchanged systems associate security attributes with required to ensure systems associate security requirements-driven and governed at a standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Transmission of between systems? information exchanged between systems. attributes with information exchanged local/regional level, but are not consistent centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Cryptographic
Cybersecurity & Data CRY-10 5 x Protect x between systems. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure systems associate not necessary to ensure systems associate
Protections
Privacy Attributes maturity would reasonably expect all, or at maturity would reasonably expect all, or at security attributes with information security attributes with information
least most, the following criteria to exist: least most, the following criteria to exist: exchanged between systems. exchanged between systems.
• Cryptographic management is • The Chief Information Security Officer
Automated mechanisms exist to enable the use of organization-defined ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization use automated mechanisms There is no evidence of a capability to enable C|P-CMM1 is N/A, since a structured process is C|P-CMM2
decentralizedis N/A, since
(e.g., a well-defined process
a localized/regionalized Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Certificate Authorities (CAs) to facilitate the establishment of protected program program program program program to enable the use of organization-defined Certificate the use of organization-defined Certificate required to enable the use of organization- is required
function) andto enable the use of organization-
uses non-standardized methods standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic sessions. Authorities (CAs) to facilitate the establishment of Authorities (CAs) to facilitate the defined Certificate Authorities (CAs) to defined Certificate
to implement Authorities
secure, (CAs)
resilient and to
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Certificate Authorities CRY-11 protected sessions? 8 x Protect x x establishment of protected sessions. facilitate the establishment of protected facilitate the establishment of protected to ensure consistency. CMM Level 3 control not necessary to enable the use of not necessary to enable the use of
Protections
sessions. sessions. maturity would reasonably expect all, or at organization-defined Certificate Authorities organization-defined Certificate Authorities
least most, the following criteria to exist: (CAs) to facilitate the establishment of (CAs) to facilitate the establishment of
• The Chief Information Security Officer protected sessions. protected sessions.
Automated mechanisms exist to discover when new certificates are issued ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Does the organization use automated mechanisms There is no evidence of an automated C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Cryptographic
(CISO), or similarProtections (CRY)technical
function with efforts are See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
for organization-controlled domains. program program program program program to discover when new certificates are issued for capability to discover when new certificates required to discover when new certificates are is required to discover when new certificates standardized
competence to across the cybersecurity
address organization and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Cryptographic organization-controlled domains? are issued for organization-controlled issued for organization-controlled domains. are issued for organization-controlled centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's assume a quantitatively-controlled process is assume a continuously-improving process is
Certificate Monitoring CRY-12 E-CRY-03 5 x Protect x x domains. domains. to ensure consistency. CMM Level 3 control not necessary to discover when new not necessary to discover when new
Protections
maturity would reasonably expect all, or at certificates are issued for organization- certificates are issued for organization-
least most, the following criteria to exist: controlled domains. controlled domains.
• The Chief Information Security Officer
Mechanisms exist to facilitate the implementation of data protection ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) Does the organization facilitate the implementation There is no evidence of a capability to Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts Data Classification
(CISO), & Handling
or similar function with (DCH) efforts
technical Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
controls. ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) of data protection controls? facilitate the implementation of data are ad hoc and inconsistent. CMM Level 1 are requirements-driven and governed at a are standardized
competence across cybersecurity
to address the organization and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification ∙ Data governance program ∙ Data governance program ∙ Data governance program protection controls. control maturity would reasonably expect all, local/regional level, but are not consistent centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's management insight (based on a quantitative assume a continuously-improving process is
Data Protection DCH-01 E-CRY-01 ∙ Chief Data Officer (CDO) ∙ Chief Data Officer (CDO) 10 x Govern x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to facilitate the implementation
& Handling
• Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure of data protection controls.
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • The Chief Information Security Officer improvement. In addition to CMM Level 3
Mechanisms exist to ensure data stewardship is assigned, documented and ∙ Assigned roles & responsibilities ∙ Assigned roles & responsibilities ∙ Assigned roles & responsibilities ∙ Assigned roles & responsibilities ∙ Assigned roles & responsibilities Does the organization ensure data stewardship is There is no evidence of a capability to ensure Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
(CISO), & Handling
or similar function with (DCH) efforts
technical Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
communicated. assigned, documented and communicated? data stewardship is assigned, documented are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
competence across cybersecurity
to address the organization and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification E-DCH-02 and communicated. control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's management insight (based on a quantitative assume a continuously-improving process is
Data Stewardship DCH-01.1 10 x Protect x x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to ensure data stewardship is
& Handling E-DCH-09
• Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure assigned, documented and communicated.
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to protect sensitive/regulated data wherever it is stored. ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) Does the organization protect sensitive/regulated There is no evidence of a capability to protect Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) data wherever it is stored? sensitive/regulated data wherever it is stored. are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making information across the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
E-CRY-01 ∙ Data governance program ∙ Data governance program ∙ Data governance program control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Data Classification Sensitive / Regulated
DCH-01.2 E-DCH-02 9 x Protect x x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to protect sensitive/regulated not necessary to protect sensitive/regulated
& Handling Data Protection
E-DCH-09 • Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at data wherever it is stored. data wherever it is stored.
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist:
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC)
Mechanisms exist to ensure media records for sensitive/regulated data ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program Does the organization ensure media records for There is no evidence of a capability to ensure C|P-CMM1
systems and is N/A,
data,since a structured
including storageprocess
media. is C|P-CMM2 is N/A, since afunction)
a localized/regionalized well-defined process
and uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
contain sufficient information to determine the potential impact in the event ∙ Metadata tagging ∙ Metadata tagging ∙ Metadata tagging ∙ Metadata tagging ∙ Metadata tagging sensitive/regulated data contain sufficient media records for sensitive/regulated data required to ensure media records for is required to ensure
non-standardized mediato
methods records for
implement are standardized
making information across the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification Sensitive / Regulated of a data loss incident. information to determine the potential impact in the contain sufficient information to determine the sensitive/regulated data contain sufficient sensitive/regulated
secure, resilient anddata containpractices.
compliant sufficient centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-01.3 E-AST-08 event of a data loss incident? 6 x Protect x potential impact in the event of a data loss information to determine the potential impact information to determine the potential impact to ensure consistency. CMM Level 3 control not necessary to ensure media records for not necessary to ensure media records for
& Handling Media Records
incident. in the event of a data loss incident. in the event of a data loss incident. maturity would reasonably expect all, or at sensitive/regulated data contain sufficient sensitive/regulated data contain sufficient
least most, the following criteria to exist: information to determine the potential impact information to determine the potential impact
… in the event of a data loss incident.

SCF #: DCH-01.4
SCF Domain: Data Classification & Handling
SCF Control: Defining Access Authorizations for Sensitive/Regulated Data
Control Description: Mechanisms exist to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
Evidence Request List (ERL) #: E-DCH-02, E-DCH-08
Possible Solutions & Considerations: Logical Access Control (LAC); Physical Access Control (PAC); Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data?
Relative Control Weighting: 9
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to explicitly define authorizations for specific individuals and/or roles for logical and/or physical access to sensitive/regulated data.

SCF #: DCH-02
SCF Domain: Data Classification & Handling
SCF Control: Data & Asset Classification
Control Description: Mechanisms exist to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
Evidence Request List (ERL) #: E-DCH-01, E-DCH-02
Possible Solutions & Considerations: Data classification program; IT Asset Management (ITAM) program; Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements?
Relative Control Weighting: 10
NIST CSF Function Grouping: Identify
C|P-CMM 0 (Not Performed): There is no evidence of a capability to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure data and assets are categorized in accordance with applicable statutory, regulatory and contractual requirements.

SCF #: DCH-02.1
SCF Domain: Data Classification & Handling
SCF Control: Highest Classification Level
Control Description: Mechanisms exist to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
Possible Solutions & Considerations: Data classification program; IT Asset Management (ITAM) program; Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed?
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure that systems, applications and services are classified according to the highest level of data sensitivity that is stored, transmitted and/or processed.

SCF #: DCH-03
SCF Domain: Data Classification & Handling
SCF Control: Media Access
Control Description: Mechanisms exist to control and restrict access to digital and non-digital media to authorized individuals.
Evidence Request List (ERL) #: E-IAM-02
Possible Solutions & Considerations: Logical Access Control (LAC); Physical Access Control (PAC); Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization control and restrict access to digital and non-digital media to authorized individuals?
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to control and restrict access to digital and non-digital media to authorized individuals.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to control and restrict access to digital and non-digital media to authorized individuals.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to control and restrict access to digital and non-digital media to authorized individuals.

SCF #: DCH-03.1
SCF Domain: Data Classification & Handling
SCF Control: Disclosure of Information
Control Description: Mechanisms exist to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
Possible Solutions & Considerations: Non-Disclosure Agreements (NDAs); Data Loss Prevention (DLP) (3 of 5 business-size classes)
SCF Control Question: Does the organization restrict the disclosure of sensitive / regulated data to authorized parties with a need to know?
Relative Control Weighting: 10
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict the disclosure of sensitive / regulated data to authorized parties with a need to know.

SCF #: DCH-03.2
SCF Domain: Data Classification & Handling
SCF Control: Masking Displayed Data
Control Description: Mechanisms exist to apply data masking to sensitive/regulated information that is displayed or printed.
Possible Solutions & Considerations: Data classification program; IT Asset Management (ITAM) program; Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization apply data masking to sensitive/regulated information that is displayed or printed?
Relative Control Weighting: 7
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to apply data masking to sensitive information that is displayed or printed.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to apply data masking to sensitive information that is displayed or printed.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to apply data masking to sensitive information that is displayed or printed.

SCF #: DCH-03.3
SCF Domain: Data Classification & Handling
SCF Control: Controlled Release
Control Description: Automated mechanisms exist to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization use automated mechanisms to validate cybersecurity & data privacy attributes prior to releasing information to external systems?
Relative Control Weighting: 4
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to validate cybersecurity & data privacy attributes prior to releasing information to external systems.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to validate cybersecurity & data privacy attributes prior to releasing information to external systems.

SCF #: DCH-04
SCF Domain: Data Classification & Handling
SCF Control: Media Marking
Control Description: Mechanisms exist to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
Possible Solutions & Considerations: Data classification program; Metadata tagging; IT Asset Management (ITAM) program; Data governance program (3 of 5 business-size classes)
SCF Control Question: Does the organization mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements?
Relative Control Weighting: 7
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to mark media in accordance with data protection requirements so that personnel are alerted to distribution limitations, handling caveats and applicable security requirements.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.

SCF #: DCH-04.1
SCF Domain: Data Classification & Handling
SCF Control: Automated Marking
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect

SCF #: DCH-05
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect

SCF #: DCH-05.1
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect

SCF #: DCH-05.2
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect

SCF #: DCH-05.3
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect

SCF #: DCH-05.4
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect

SCF #: DCH-05.5
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect

SCF #: DCH-05.6
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect
Licensed by Creative Commons Attribution-NoDerivatives 25 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headings for the control table:
∙ SCF Domain
∙ SCF Control
∙ SCF #
∙ Secure Controls Framework (SCF) Control Description
∙ Evidence Request List (ERL) #
∙ Possible Solutions & Considerations, by business size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2), Small Business (10-49 staff; BLS Firm Size Classes 3-4), Medium Business (50-249 staff; BLS Firm Size Classes 5-6), Large Business (250-999 staff; BLS Firm Size Classes 7-8), Enterprise (>1,000 staff; BLS Firm Size Class 9)
∙ SCF Control Question
∙ Relative Control Weighting
∙ NIST CSF Function Grouping
∙ PPTDF Applicability: People, Process, Technology, Data, Facility
∙ SCRM Focus: Tier 1 (Strategic), Tier 2 (Operational), Tier 3 (Tactical)
∙ C|P-CMM 0: Not Performed
∙ C|P-CMM 1: Performed Informally
∙ C|P-CMM 2: Planned & Tracked
∙ C|P-CMM 3: Well Defined
∙ C|P-CMM 4: Quantitatively Controlled
∙ C|P-CMM 5: Continuously Improving

SCF #: DCH-05.7
SCF Domain: Data Classification & Handling
SCF Control: Consistent Attribute Interpretation
Control Description: Mechanisms exist to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components?
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide a consistent, organizationally agreed upon interpretation of cybersecurity & data privacy attributes employed in access enforcement and flow enforcement decisions between distributed system components.

SCF #: DCH-05.8
SCF Domain: Data Classification & Handling
SCF Control: Identity Association Techniques & Technologies
Control Description: Mechanisms exist to associate cybersecurity & data privacy attributes to information.
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization associate cybersecurity & data privacy attributes to information?
Relative Control Weighting: 2
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to associate cybersecurity & data privacy attributes to information.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to associate cybersecurity & data privacy attributes to information.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to associate cybersecurity & data privacy attributes to information.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to associate cybersecurity & data privacy attributes to information.

SCF #: DCH-05.9
SCF Domain: Data Classification & Handling
SCF Control: Attribute Reassignment
Control Description: Mechanisms exist to reclassify data as required, due to changing business/technical requirements.
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization reclassify data as required, due to changing business/technical requirements?
Relative Control Weighting: 7
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to reclassify data as required, due to changing business/technical requirements.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to reclassify data as required, due to changing business/technical requirements.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to reclassify data as required, due to changing business/technical requirements.

SCF #: DCH-05.10
SCF Domain: Data Classification & Handling
SCF Control: Attribute Configuration By Authorized Individuals
Control Description: Mechanisms exist to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects?
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to provide authorized individuals the capability to define or change the type and value of cybersecurity & data privacy attributes available for association with subjects and objects.

SCF #: DCH-05.11
SCF Domain: Data Classification & Handling
SCF Control: Audit Changes
Control Description: Mechanisms exist to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
Possible Solutions & Considerations: CimTrak Integrity Suite (https://cimcor.com/cimtrak) (3 of 5 business-size classes)
SCF Control Question: Does the organization audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures?
Relative Control Weighting: 7
NIST CSF Function Grouping: Detect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to audit changes to cybersecurity & data privacy attributes and respond to events in accordance with incident response procedures.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

SCF #: DCH-06
SCF Domain: Data Classification & Handling
SCF Control: Media Storage
Control Description: Mechanisms exist to:
(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and
(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
Evidence Request List (ERL) #: E-DCH-02
Possible Solutions & Considerations: Physical Access Control (PAC); Data governance program (2 of 5 business-size classes)
SCF Control Question: Does the organization:
(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and
(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures?
Relative Control Weighting: 8
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to:
(1) Physically control and securely store digital and non-digital media within controlled areas using organization-defined security measures; and
(2) Protect system media until the media are destroyed or sanitized using approved equipment, techniques and procedures.
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

SCF #: DCH-06.1
SCF Domain: Data Classification & Handling
SCF Control: Physically Secure All Media
Control Description: Mechanisms exist to physically secure all media that contains sensitive information.
Possible Solutions & Considerations: Physical Access Control (PAC)
SCF Control Question: Does the organization physically secure all media that contains sensitive information?
Relative Control Weighting: 9
NIST CSF Function Grouping: Protect
C|P-CMM 0 (Not Performed): There is no evidence of a capability to physically secure all media that contains sensitive information.
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to physically secure all media that contains sensitive information.

SCF Domain: Data Classification & Handling
Control Description: Mechanisms exist to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.
Possible Solutions & Considerations: Data classification program; Sensitive data inventories
SCF Control Question: Does the organization maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually?
C|P-CMM 0 (Not Performed): There is no evidence of a capability to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to maintain inventory logs of all sensitive media and conduct sensitive media inventories at least annually.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven
non-standardized methods and
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification Sensitive Data ∙ Data governance program ∙ Data governance program inventories at least annually? and conduct sensitive media inventories at sensitive media and conduct sensitive media local/regional
secure, resilientlevel,
andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
DCH-06.2 E-AST-08 9 x Detect x least annually. inventories at least annually. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to maintain inventory logs of all
& Handling Inventories
maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure sensitive media and conduct sensitive media
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for inventories at least annually.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to periodically scan unstructured data sources for Does the organization periodically scan There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since afunction)
a localized/regionalized well-defined process
and uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
sensitive/regulated data or data requiring special protection measures by unstructured data sources for sensitive/regulated periodically scan unstructured data sources required to periodically scan unstructured is required to periodically
non-standardized methodsscan unstructured
to implement are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Periodic Scans for statutory, regulatory or contractual obligations. data or data requiring special protection measures for sensitive/regulated data or data requiring data sources for sensitive/regulated data or data sources
secure, for and
resilient sensitive/regulated data or
compliant practices. centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Data Classification
Sensitive / Regulated DCH-06.3 E-DCH-10 by statutory, regulatory or contractual obligations? 7 x Detect x x special protection measures by statutory, data requiring special protection measures by data requiring special protection measures by to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to periodically scan
& Handling
Data regulatory or contractual obligations. statutory, regulatory or contractual statutory, regulatory or contractual maturity would reasonably expect all, or at predict optimal performance, ensure unstructured data sources for
obligations. obligations. least most, the following criteria to exist: continued operations and identify areas for sensitive/regulated data or data requiring
• A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 special protection measures by statutory,
Mechanisms exist to ensure sensitive/regulated data is rendered human ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program Does the organization ensure sensitive/regulated There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Data Classification & Handling (DCH) efforts Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
unreadable anywhere sensitive/regulated data is stored. ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories data is rendered human unreadable anywhere sensitive/regulated data is rendered human required to ensure sensitive/regulated data is are requirements-driven and governed at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification Making Sensitive Data ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance sensitive/regulated data is stored? unreadable anywhere sensitive/regulated data rendered human unreadable anywhere local/regional level, but are not consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
DCH-06.4 program program program program program 9 x Protect x x is stored. sensitive/regulated data is stored. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to ensure sensitive/regulated
& Handling Unreadable In Storage
∙ Data governance program ∙ Data governance program maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure data is rendered human unreadable anywhere
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for sensitive/regulated data is stored.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to prohibit the storage of sensitive transaction ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization prohibit the storage of There is no evidence of a capability to prohibit C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
authentication data after authorization. (SBC) (SBC) (SBC) (SBC) (SBC) sensitive transaction authentication data after the storage of sensitive transaction required to prohibit the storage of sensitive are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification Storing Authentication authorization? authentication data after authorization. transaction authentication data after local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-06.5 5 x Protect x x authorization. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to prohibit the storage of not necessary to prohibit the storage of
& Handling Data
maturity would reasonably expect all, or at maturity would reasonably expect all, or at sensitive transaction authentication data after sensitive transaction authentication data after
least most, the following criteria to exist: least most, the following criteria to exist: authorization. authorization.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC)
Mechanisms exist to protect and control digital and non-digital media ∙ Assigned couriers ∙ Assigned couriers ∙ Assigned couriers ∙ Assigned couriers ∙ Assigned couriers Does the organization protect and control digital There is no evidence of a capability to protect C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
during transport outside of controlled areas using appropriate security and non-digital media during transport outside of and control digital and non-digital media required to protect and control digital and are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification measures. controlled areas using appropriate security during transport outside of controlled areas non-digital media during transport outside of local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Media Transportation DCH-07 measures? 9 x Protect x x using appropriate security measures. controlled areas using appropriate security across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to protect and control digital
& Handling
measures. maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure and non-digital media during transport outside
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for of controlled areas using appropriate security
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 measures.
Mechanisms exist to identify custodians throughout the transport of digital ∙ Chain of custody ∙ Chain of custody ∙ Chain of custody ∙ Chain of custody ∙ Chain of custody Does the organization identify custodians There is no evidence of a capability to identify C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
or non-digital media. throughout the transport of digital or non-digital custodians throughout the transport of digital required to identify custodians throughout the are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification media? or non-digital media. transport of digital or non-digital media. local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Custodians DCH-07.1 9 x Protect x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to identify custodians
& Handling
maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure throughout the transport of digital or non-
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for digital media.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Cryptographic mechanisms exist to protect the confidentiality and integrity ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance ∙ Cryptographic governance Are cryptographic mechanisms utilized to protect There is no evidence of a capability to Data Classification & Handling (DCH) efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
of information stored on digital media during transport outside of controlled program program program program program the confidentiality and integrity of information Cryptographic protect the confidentiality and are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification Encrypting Data In areas. ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations stored on digital media during transport outside of integrity of information stored on digital media control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-07.2 (SBC) (SBC) (SBC) (SBC) (SBC) controlled areas? 5 x Protect x x during transport outside of controlled areas. or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to Cryptographic protect the not necessary to Cryptographic protect the
& Handling Storage Media
∙ NIST Cryptographic Module ∙ NIST Cryptographic Module ∙ NIST Cryptographic Module ∙ NIST Cryptographic Module ∙ NIST Cryptographic Module • Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at confidentiality and integrity of information confidentiality and integrity of information
Validation Program (CMVP) Validation Program (CMVP) Validation Program (CMVP) Validation Program (CMVP) Validation Program (CMVP) administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: stored on digital media during transport stored on digital media during transport
(https://csrc.nist.gov) (https://csrc.nist.gov) (https://csrc.nist.gov) (https://csrc.nist.gov) (https://csrc.nist.gov) standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) outside of controlled areas. outside of controlled areas.
Mechanisms exist to securely dispose of media when it is no longer ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) Does the organization securely dispose of media There is no evidence of a capability to C|P-CMM1
systems and is N/A,
data,since a structured
including storageprocess
media. is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
required, using formal procedures. ∙ IronMountain ∙ IronMountain ∙ IronMountain ∙ IronMountain ∙ IronMountain when it is no longer required, using formal securely dispose of media when it is no longer required to securely dispose of media when it are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) procedures? required, using formal procedures. is no longer required, using formal local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Physical Media Disposal DCH-08 E-AST-03 ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) 10 x Protect x x procedures. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to securely dispose of media
& Handling
∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure when it is no longer required, using formal
∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for procedures.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to sanitize system media with the strength and integrity ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) ∙ Shred-it (https://shredit.com) Does the organization sanitize system media with There is no evidence of a capability to sanitize C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
commensurate with the classification or sensitivity of the information prior ∙ IronMountain ∙ IronMountain ∙ IronMountain ∙ IronMountain ∙ IronMountain the strength and integrity commensurate with the system media with the strength and integrity required to sanitize system media with the are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification System Media to disposal, release out of organizational control or release for reuse. E-AST-03 (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) (https://ironmountain.com) classification or sensitivity of the information prior commensurate with the classification or strength and integrity commensurate with the local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
DCH-09 ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) to disposal, release out of organizational control or 10 x Protect x x sensitivity of the information prior to disposal, classification or sensitivity of the information across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to sanitize system media with
& Handling Sanitization E-DCH-07
∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) release for reuse? release out of organizational control or release prior to disposal, release out of organizational maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure the strength and integrity commensurate with
∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers for reuse. control or release for reuse. least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for the classification or sensitivity of the
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 information prior to disposal, release out of
Mechanisms exist to supervise, track, document and verify system media ∙ Certificate of destruction ∙ Certificate of destruction ∙ Certificate of destruction ∙ Certificate of destruction ∙ Certificate of destruction Does the organization supervise, track, document There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
sanitization and disposal actions. and verify system media sanitization and disposal supervise, track, document and verify system required to supervise, track, document and are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
System Media actions? media sanitization and disposal actions. verify system media sanitization and disposal local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Data Classification E-AST-03
Sanitization DCH-09.1 7 x Protect x actions. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to supervise, track, document
& Handling E-DCH-07
Documentation maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure and verify system media sanitization and
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for disposal actions.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to test sanitization equipment and procedures to verify Does the organization test sanitization equipment There is no evidence of a capability to test C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
that the intended result is achieved. and procedures to verify that the intended result is sanitization equipment and procedures to required to test sanitization equipment and are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification achieved? verify that the intended result is achieved. procedures to verify that the intended result is local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Equipment Testing DCH-09.2 5 x Detect x x achieved. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to test sanitization equipment
& Handling
maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure and procedures to verify that the intended
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for result is achieved.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to facilitate the sanitization of Personal Data (PD). ∙ De-identifying sensitive ∙ De-identifying sensitive ∙ De-identifying sensitive ∙ De-identifying sensitive ∙ De-identifying sensitive Does the organization facilitate the sanitization of There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
Personal Data (sPD) Personal Data (sPD) Personal Data (sPD) Personal Data (sPD) Personal Data (sPD) Personal Data (PD)? facilitate the sanitization of Personal Data required to facilitate the sanitization of are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification Sanitization of Personal (PD). Personal Data (PD). local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
DCH-09.3 9 x Protect x x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to facilitate the sanitization of
& Handling Data (PD)
maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Personal Data (PD).
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to apply nondestructive sanitization techniques to ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) ∙ BitRaser (https://bitraser.com) Does the organization apply nondestructive There is no evidence of a capability to apply C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
portable storage devices prior to first use. ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) ∙ DBAN (https://dban.org) sanitization techniques to portable storage devices nondestructive sanitization techniques to required to apply nondestructive sanitization are requirements-driven
non-standardized methodsand
togoverned
implement at a are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification First Time Use ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers ∙ DoD-strength data erasers prior to first use? portable storage devices prior to first use. techniques to portable storage devices prior to local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-09.4 5 x Protect x x first use. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to apply nondestructive not necessary to apply nondestructive
& Handling Sanitization
maturity would reasonably expect all, or at maturity would reasonably expect all, or at sanitization techniques to portable storage sanitization techniques to portable storage
least most, the following criteria to exist: least most, the following criteria to exist: devices prior to first use. devices prior to first use.
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC)
Mechanisms exist to enforce dual authorization for the destruction, disposal ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) ∙ Logical Access Control (LAC) Does the organization enforce dual authorization for There is no evidence of a capability to enforce C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since afunction)
a localized/regionalized well-defined process
and uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
or sanitization of digital media that contains sensitive / regulated data. ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) ∙ Physical Access Control (PAC) the destruction, disposal or sanitization of digital dual authorization for the destruction, disposal required to enforce dual authorization for the is required to enforce
non-standardized dual authorization
methods to implementfor are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Dual Authorization for ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control ∙ Role Based Access Control media that contains sensitive / regulated data? or sanitization of digital media that contains destruction, disposal or sanitization of digital the destruction,
secure, resilient disposal or sanitization
and compliant of
practices. centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuousl
Data Classification
Sensitive Data DCH-09.5 (RBAC) (RBAC) (RBAC) (RBAC) (RBAC) 5 x Protect x x sensitive / regulated data. media that contains sensitive / regulated data. digital media that contains sensitive / to ensure consistency. CMM Level 3 control understanding of process capabilities) to
& Handling
Destruction ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) ∙ Separation of Duties (SoD) regulated data. maturity would reasonably expect all, or at predict optimal performance, ensure
least most, the following criteria to exist: continued operations and identify areas for
• A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
function, or similar function, assists users in
making information sharing decisions to
ensure data is appropriately protected,
Media Use DCH-10 8 x Protect x

Limitations on Use DCH-10.1 10 x Protect x

DCH-10.2 5 x Protect x x

∙ Data classification program ∙ Data classification program ∙ Data classification program

Data Reclassification DCH-11 8 x Protect x x

DCH-12 10 x Protect x x x

DCH-13 9 x Protect x x x

DCH-13.1 8 x Protect x x

DCH-13.2 9 x Protect x x

DCH-13.3 10 x Protect x x x

Licensed by Creative Commons Attribution-NoDerivatives 26 of 196


version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Possible Solutions & Possible Solutions & Possible Solutions & SCRM Focus
Possible Solutions & Possible Solutions & PPTDF PPTDF PPTDF PPTDF PPTDF SCRM Focus SCRM Focus
Considerations Considerations Considerations Relative NIST CSF
Secure Controls Framework (SCF) Evidence Request Considerations Considerations Applicability Applicability Applicability Applicability Applicability C|P-CMM 0 C|P-CMM 1 C|P-CMM 2 C|P-CMM 3 C|P-CMM 4 C|P-CMM 5
SCF Domain SCF Control SCF # Micro-Small Business (<10 Medium Business (50-249 Large Business (250-999 SCF Control Question Control Function TIER 2
Control Description List (ERL) # Small Business (10-49 staff) Enterprise (> 1,000 staff) TIER 1 TIER 3 Not Performed Performed Informally Planned & Tracked+AI:AL Well Defined Quantitatively Controlled Continuously Improving
staff) staff) staff) Weighting Grouping OPERATIONA
BLS Firm Size Classes 3-4 BLS Firm Size Class 9 PEOPLE PROCESS TECHNOLOGY DATA FACILITY STRATEGIC TACTICAL
BLS Firm Size Classes 1-2 BLS Firm Size Classes 5-6 BLS Firm Size Classes 7-8 L

Mechanisms exist to restrict the use of non-organizationally owned ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / ∙ Rules of Behavior (RoB) / Does the organization restrict the use of non- There is no evidence of a capability to restrict Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
information systems, system components or devices to process, store or Acceptable Use Acceptable Use Acceptable Use Acceptable Use Acceptable Use organizationally owned information systems, the use of non-organizationally owned are ad hoc and inconsistent. CMM Level 1 are requirements-driven and governed at a are standardized across the organization and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Non-Organizationally transmit organizational information. ∙ Network Access Control (NAC) ∙ Network Access Control (NAC) ∙ Network Access Control (NAC) system components or devices to process, store or information systems, system components or control maturity would reasonably expect all, local/regional level, but are not consistent centrally managed, where technically feasible, management insight (based on a quantitative assume a continuously-improving process is
Data Classification
Owned Systems / DCH-13.4 transmit organizational information? 5 x Protect x x devices to process, store or transmit or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to restrict the use of non-
& Handling
Components / Devices organizational information. • Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure organizationally owned information systems,
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for system components or devices to process,
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 store or transmit organizational information.
Mechanisms exist to utilize a process to assist users in making information ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program Does the organization utilize a process to assist There is no evidence of a capability to utilize a C|P-CMM1
systems and is N/A,
data,since a structured
including storageprocess
media. is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts
sharing decisions to ensure data is appropriately protected. ∙ Data governance program ∙ Data governance program users in making information sharing decisions to process to assist users in making information required to utilize a process to assist users in are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient are “world-class” capabilities that leverage
Data Classification E-DCH-09 ensure data is appropriately protected? sharing decisions to ensure data is making information sharing decisions to local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
Information Sharing DCH-14 9 x Protect x x appropriately protected. ensure data is appropriately protected. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
& Handling E-SAT-05
maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to ensure information systems implement data search ∙ Data Loss Prevention (DLP) ∙ Data Loss Prevention (DLP) ∙ Data Loss Prevention (DLP) ∙ Data Loss Prevention (DLP) ∙ Data Loss Prevention (DLP) Does the organization ensure information systems There is no evidence of a capability to ensure C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
and retrieval functions that properly enforce data protection / sharing implement data search and retrieval functions that information systems implement data search required to ensure information systems are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification Information Search & restrictions. properly enforce data protection / sharing and retrieval functions that properly enforce implement data search and retrieval functions local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-14.1 restrictions? 5 x Protect x x data protection / sharing restrictions. that properly enforce data protection / sharing across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to ensure information systems not necessary to ensure information systems
& Handling Retrieval
restrictions. maturity would reasonably expect all, or at maturity would reasonably expect all, or at implement data search and retrieval functions implement data search and retrieval functions
least most, the following criteria to exist: least most, the following criteria to exist: that properly enforce data protection / sharing that properly enforce data protection / sharing
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) restrictions. restrictions.
Mechanisms exist to verify that individuals or systems transferring data Does the organization verify that individuals or There is no evidence of a capability to verify C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
between interconnecting systems have the requisite authorizations (e.g., systems transferring data between interconnecting that individuals or systems transferring data required to verify that individuals or systems are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification write permissions or privileges) prior to transferring said data. systems have the requisite authorizations (e.g., between interconnecting systems have the transferring data between interconnecting local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Transfer Authorizations DCH-14.2 write permissions or privileges) prior to transferring 8 x Protect x requisite authorizations (e.g., write systems have the requisite authorizations across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to verify that individuals or not necessary to verify that individuals or
& Handling
said data? permissions or privileges) prior to transferring (e.g., write permissions or privileges) prior to maturity would reasonably expect all, or at maturity would reasonably expect all, or at systems transferring data between systems transferring data between
said data. transferring said data. least most, the following criteria to exist: least most, the following criteria to exist: interconnecting systems have the requisite interconnecting systems have the requisite
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) authorizations (e.g., write permissions or authorizations (e.g., write permissions or
Mechanisms exist to leverage data-specific Access Control Lists (ACL) or ∙ Access Control Lists (ACL) ∙ Access Control Lists (ACL) ∙ Access Control Lists (ACL) ∙ Access Control Lists (ACL) ∙ Access Control Lists (ACL) Does the organization leverage data-specific Access There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
Interconnection Security Agreements (ISAs) to generate a logical map of ∙ Interconnection Security ∙ Interconnection Security ∙ Interconnection Security ∙ Interconnection Security ∙ Interconnection Security Control Lists (ACL) or Interconnection Security leverage data-specific Access Control Lists required to leverage data-specific Access are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification the parties with whom sensitive/regulated data is shared. Agreements (ISAs) Agreements (ISAs) Agreements (ISAs) Agreements (ISAs) Agreements (ISAs) Agreements (ISAs) to generate a logical map of the (ACL) or Interconnection Security Agreements Control Lists (ACL) or Interconnection Security local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
Data Access Mapping DCH-14.3 parties with whom sensitive/regulated data is 9 x Identify x x (ISAs) to generate a logical map of the parties Agreements (ISAs) to generate a logical map across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to leverage data-specific Access not necessary to leverage data-specific Access
& Handling
shared? with whom sensitive/regulated data is shared. of the parties with whom sensitive/regulated maturity would reasonably expect all, or at maturity would reasonably expect all, or at Control Lists (ACL) or Interconnection Security Control Lists (ACL) or Interconnection Security
data is shared. least most, the following criteria to exist: least most, the following criteria to exist: Agreements (ISAs) to generate a logical map Agreements (ISAs) to generate a logical map
• Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) of the parties with whom sensitive/regulated of the parties with whom sensitive/regulated
Mechanisms exist to control publicly-accessible content. Does the organization control publicly-accessible There is no evidence of a capability to control Data Classification & Handling (DCH) efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
content? publicly-accessible content. are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification Publicly Accessible control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
DCH-15 10 x Protect x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to control publicly-accessible
& Handling Content
• Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure content.
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to protect data storage objects against unauthorized data ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization protect data storage objects There is no evidence of a capability to protect Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
mining and data harvesting techniques. (SBC) (SBC) (SBC) (SBC) (SBC) against unauthorized data mining and data data storage objects against unauthorized are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification ∙ Defense-in-depth (DiD) ∙ Defense-in-depth (DiD) ∙ Defense-in-depth (DiD) ∙ Defense-in-depth (DiD) ∙ Defense-in-depth (DiD) harvesting techniques? data mining and data harvesting techniques. control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Data Mining Protection DCH-16 architecture architecture architecture architecture architecture 7 x Protect x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to protect data storage objects
& Handling
• Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure against unauthorized data mining and data
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for harvesting techniques.
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to secure ad-hoc exchanges of large digital files with ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program Does the organization secure ad-hoc exchanges of There is no evidence of a capability to secure Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling (DCH) efforts
a localized/regionalized function) and uses Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts
internal or external parties. ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations large digital files with internal or external parties? ad-hoc exchanges of large digital files with are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient are “world-class” capabilities that leverage
Data Classification (SBC) (SBC) (SBC) (SBC) (SBC) internal or external parties. control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
Ad-Hoc Transfers DCH-17 ∙ Content / DNS filtering ∙ Content / DNS filtering ∙ Content / DNS filtering ∙ Content / DNS filtering∙ Data ∙ Content / DNS filtering∙ Data 8 x Protect x x or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
& Handling
governance program governance program • Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 criteria to exist:
Mechanisms exist to retain media and data in accordance with applicable ∙ Data retention program ∙ Data retention program ∙ Data retention program ∙ Data retention program ∙ Data retention program Does the organization retain media and data in There is no evidence of a capability to retain Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts See C|P-CMM4. There are no defined C|P-
statutory, regulatory and contractual obligations. ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program accordance with applicable statutory, regulatory media and data in accordance with applicable are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Data Classification ∙ Data governance program ∙ Data governance program and contractual obligations? statutory, regulatory and contractual control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
Media & Data Retention DCH-18 E-AST-11 8 x Protect x x obligations. or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to retain media and data in
& Handling
• Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure accordance with applicable statutory,
administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for regulatory and contractual obligations.
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3
Mechanisms exist to minimize sensitive/regulated data that is collected, ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program Does the organization minimize sensitive/regulated There is no evidence of a capability to Data Classification
systems & Handling
and data, including (DCH)media.
storage efforts Data Classification & Handling
a localized/regionalized (DCH)
function) and efforts
Data
uses Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in Data Classification & Handling (DCH) efforts Data Classification & Handling (DCH) efforts
received, processed, stored and/or transmitted throughout the information ∙ Product / project management ∙ Product / project management ∙ Product / project management ∙ Product / project management ∙ Product / project management data that is collected, received, processed, stored minimize sensitive/regulated data that is are ad hoc and inconsistent. CMM Level 1 are requirements-driven
non-standardized methodsand
togoverned
implement at a
are standardized
making informationacross the decisions
sharing organization
to and are metrics driven and provide sufficient are “world-class” capabilities that leverage
Data Classification Minimize Sensitive / lifecycle to only those elements necessary to support necessary business ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact and/or transmitted throughout the information processed, stored and/or transmitted control maturity would reasonably expect all, local/regional level,
secure, resilient andbut are not practices.
compliant consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative predictive analysis (e.g., machine learning, AI,
DCH-18.1 processes. Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) lifecycle to only those elements necessary to 8 x Protect x throughout the information lifecycle to only or at least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to etc.). In addition to CMM Level 4 criteria, CMM
& Handling Regulated Data
∙ Data governance program ∙ Data governance program support necessary business processes? those elements necessary to support • Data protection controls are primarily maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure Level 5 control maturity would reasonably
necessary business processes. administrative in nature (e.g., policies & least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for expect all, or at least most, the following
standards) to classify, protect and dispose of • Data management is decentralized (e.g., • A Governance, Risk & Compliance (GRC) improvement. In addition to CMM Level 3 criteria to exist:
(Continuation of the preceding row's C|P-CMM 1, 2 and 3 cells: "systems and data, including storage media." / "a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices." / "function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected,")

SCF #: DCH-18.2
SCF Domain: Data Classification & Handling
SCF Control: Limit Sensitive / Regulated Data In Testing, Training & Research
Control Description: Mechanisms exist to minimize the use of sensitive/regulated data for research, testing, or training, in accordance with authorized, legitimate business practices.
Possible Solutions & Considerations (all size classes): ∙ Data classification program ∙ Data privacy program ∙ Data Protection Impact Assessment (DPIA) ∙ Product / project management
SCF Control Question: Does the organization minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA)?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Protect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to minimize the use of Personal Data (PD) for research, testing, or training, in accordance with the Data Protection Impact Assessment (DPIA).
SCF #: DCH-18.3
SCF Domain: Data Classification & Handling
SCF Control: Temporary Files Containing Personal Data (PD)
Control Description: Mechanisms exist to perform periodic checks of temporary files for the existence of Personal Data (PD).
Possible Solutions & Considerations: (none listed)
SCF Control Question: Does the organization perform periodic checks of temporary files for the existence of Personal Data (PD)?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 5 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to perform periodic checks of temporary files for the existence of Personal Data (PD).
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-19
SCF Domain: Data Classification & Handling
SCF Control: Geographic Location of Data
Evidence Request List (ERL) #: E-AST-23
Control Description: Mechanisms exist to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.
Possible Solutions & Considerations (all size classes): ∙ IT Asset Management (ITAM) program ∙ Data classification program ∙ Sensitive data inventories ∙ System Security & Privacy Plan (SSPP) ∙ Product / project management
SCF Control Question: Does the organization inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 9 x Identify x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to inventory, document and maintain data flows for data that is resident (permanently or temporarily) within a service's geographically distributed applications (physical and virtual), infrastructure, systems components and/or shared with other third-parties.
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-20
SCF Domain: Data Classification & Handling
SCF Control: Archived Data Sets
Control Description: Mechanisms exist to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
Possible Solutions & Considerations (all size classes): ∙ Sensitive data inventories
SCF Control Question: Does the organization protect archived data in accordance with applicable statutory, regulatory and contractual obligations?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to protect archived data in accordance with applicable statutory, regulatory and contractual obligations.
SCF #: DCH-21
SCF Domain: Data Classification & Handling
SCF Control: Information Disposal
Control Description: Mechanisms exist to securely dispose of, destroy or erase information.
Possible Solutions & Considerations (all size classes): ∙ Shred-it (https://shredit.com) ∙ IronMountain (https://ironmountain.com) ∙ BitRaser (https://bitraser.com) ∙ DBAN (https://dban.org) ∙ DoD-strength data erasers
SCF Control Question: Does the organization securely dispose of, destroy or erase information?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 10 x Protect x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to securely dispose of, destroy or erase information.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to securely dispose of, destroy or erase information.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to securely dispose of, destroy or erase information.
SCF #: DCH-22
SCF Domain: Data Classification & Handling
SCF Control: Data Quality Operations
Control Description: Mechanisms exist to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.
Possible Solutions & Considerations: ∙ Product / project management (all size classes) ∙ Data governance program (listed for two of the five size classes)
SCF Control Question: Does the organization check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 5 x Protect x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to check for Redundant, Obsolete/Outdated, Toxic or Trivial (ROTT) data to ensure the accuracy, relevance, timeliness, impact, completeness and de-identification of information throughout the information lifecycle.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized throughout the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-22.1
SCF Domain: Data Classification & Handling
SCF Control: Updating & Correcting Personal Data (PD)
Control Description: Mechanisms exist to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
Possible Solutions & Considerations: ∙ Product / project management (all size classes) ∙ Data governance program (listed for two of the five size classes)
SCF Control Question: Does the organization utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 6 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize technical controls to correct Personal Data (PD) that is inaccurate or outdated, incorrectly determined regarding impact, or incorrectly de-identified.
SCF #: DCH-22.2
SCF Domain: Data Classification & Handling
SCF Control: Data Tags
Control Description: Mechanisms exist to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
Possible Solutions & Considerations (all size classes): ∙ Data classification program ∙ Metadata tagging
SCF Control Question: Does the organization utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 3 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to utilize data tags to automate tracking of sensitive/regulated data across the information lifecycle.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-22.3
SCF Domain: Data Classification & Handling
SCF Control: Primary Source Personal Data (PD) Collection
Control Description: Mechanisms exist to collect Personal Data (PD) directly from the individual.
Possible Solutions & Considerations: ∙ Data classification program (all size classes) ∙ Data privacy program (all size classes) ∙ Product / project management (all size classes) ∙ Data governance program (listed for two of the five size classes)
SCF Control Question: Does the organization collect Personal Data (PD) directly from the individual?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Identify x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to collect Personal Data (PD) directly from the individual.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to collect Personal Data (PD) directly from the individual.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to collect Personal Data (PD) directly from the individual.
SCF #: DCH-23
SCF Domain: Data Classification & Handling
SCF Control: De-Identification (Anonymization)
Control Description: Mechanisms exist to anonymize data by removing Personal Data (PD) from datasets.
Possible Solutions & Considerations (all size classes): ∙ Data classification program ∙ Data privacy program ∙ Product / project management
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 8 x Protect x x
(The control question and C|P-CMM cells for DCH-23 are not present on this page.)

Rows for which only the SCF Control name (where present), SCF #, ERL # and weighting/marks survive on this page:
∙ DCH-23.1: 8 x Protect x
∙ Archiving, DCH-23.2: 8 x Protect x
∙ Release, DCH-23.3: 8 x Protect x
∙ DCH-23.4: 8 x Protect x x
∙ DCH-23.5: 1 x Protect x
∙ Differential Data Privacy, DCH-23.6: 1 x Protect x
∙ DCH-23.7: 1 x Protect x
∙ Motivated Intruder, DCH-23.8: 3 x Protect x
∙ Code Names, DCH-23.9: 1 x Protect x
∙ Information Location, DCH-24 (ERL # E-AST-23): 10 x Identify x x
Licensed by Creative Commons Attribution-NoDerivatives 27 of 196

version 2025.2 Secure Controls Framework (SCF) 07/23/2025

Column headers for the control rows that follow:
∙ SCF Domain
∙ SCF Control
∙ SCF #
∙ Secure Controls Framework (SCF) Control Description
∙ Evidence Request List (ERL) #
∙ Possible Solutions & Considerations, by organization size: Micro-Small Business (<10 staff; BLS Firm Size Classes 1-2); Small Business (10-49 staff; BLS Firm Size Classes 3-4); Medium Business (50-249 staff; BLS Firm Size Classes 5-6); Large Business (250-999 staff; BLS Firm Size Classes 7-8); Enterprise (> 1,000 staff; BLS Firm Size Class 9)
∙ SCF Control Question
∙ Relative Control Weighting
∙ NIST CSF Function Grouping
∙ PPTDF Applicability: PEOPLE, PROCESS, TECHNOLOGY, DATA, FACILITY
∙ SCRM Focus: TIER 1 STRATEGIC, TIER 2 OPERATIONAL, TIER 3 TACTICAL
∙ C|P-CMM 0 (Not Performed), C|P-CMM 1 (Performed Informally), C|P-CMM 2 (Planned & Tracked), C|P-CMM 3 (Well Defined), C|P-CMM 4 (Quantitatively Controlled), C|P-CMM 5 (Continuously Improving)

SCF #: DCH-24.1
SCF Domain: Data Classification & Handling
SCF Control: Automated Tools to Support Information Location
Control Description: Automated mechanisms exist to identify by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy.
Possible Solutions & Considerations (all size classes): ∙ Data Rights Management (DRM) solution
SCF Control Question: Does the organization use automated mechanisms to identify by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 6 x Identify x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to identify by data classification type to ensure adequate cybersecurity & data privacy controls are in place to protect organizational information and individual data privacy.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to identify by data classification type to ensure adequate cybersecurity & data protection controls are in place to protect organizational information and individual data privacy.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to identify by data classification type to ensure adequate cybersecurity & data protection controls are in place to protect organizational information and individual data privacy.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-25
SCF Domain: Data Classification & Handling
SCF Control: Transfer of Sensitive and/or Regulated Data
Control Description: Mechanisms exist to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.
Possible Solutions & Considerations (all size classes): ∙ Model contracts ∙ Binding Corporate Rules (BCR)
SCF Control Question: Does the organization restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 10 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to restrict and govern the transfer of sensitive and/or regulated data to third-countries or international organizations.
C|P-CMM 1 (Performed Informally): Data Classification & Handling (DCH) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data protection controls are primarily administrative in nature (e.g., policies & standards) to classify, protect and dispose of systems and data, including storage media.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): Data Classification & Handling (DCH) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …
C|P-CMM 5 (Continuously Improving): Data Classification & Handling (DCH) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist: …
SCF #: DCH-25.1
SCF Domain: Data Classification & Handling
SCF Control: Transfer Activity Limits
Control Description: Mechanisms exist to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
Possible Solutions & Considerations (all size classes): ∙ Indicators of Fraud (IoF) (e.g., fraud "red flags")
SCF Control Question: Does the organization establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 7 x Protect x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) and/or receiving (inbound) fraudulent actions.
C|P-CMM 2 (Planned & Tracked): Data Classification & Handling (DCH) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: • Data management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) function, or similar function, assists users in making information sharing decisions to ensure data is appropriately protected, …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish organization-defined "normal business activities" to identify anomalous transaction activities that can reduce the opportunity for sending (outbound) …
SCF #: DCH-26
SCF Domain: Data Classification & Handling
SCF Control: Data Localization
Control Description: Mechanisms exist to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
Possible Solutions & Considerations (all size classes): ∙ Governance, Risk & Compliance (GRC) program ∙ IT Asset Management (ITAM) program ∙ Data classification program ∙ Sensitive data inventories ∙ Data Flow Diagram (DFD)
SCF Control Question: Does the organization constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations?
Relative Control Weighting / NIST CSF Function / applicability marks (as extracted): 10 x Protect x x x
C|P-CMM 0 (Not Performed): There is no evidence of a capability to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 1 (Performed Informally): C|P-CMM1 is N/A, since a structured process is required to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 2 (Planned & Tracked): C|P-CMM2 is N/A, since a well-defined process is required to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to arbitrary enforcement actions that potentially violate other applicable statutory, regulatory and/or contractual obligations.
C|P-CMM 3 (Well Defined): Data Classification & Handling (DCH) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • A Governance, Risk & Compliance (GRC) …
C|P-CMM 4 (Quantitatively Controlled): See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to …
C|P-CMM 5 (Continuously Improving): See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to constrain the impact of "digital sovereignty laws," that require localized data within the host country, where data and processes may be subjected to …
Mechanisms exist to utilize Data Rights Management (DRM), or similar ∙ Data Rights Management (DRM) ∙ Data Rights Management (DRM) ∙ Data Rights Management (DRM) ∙ Data Rights Management (DRM) ∙ Data Rights Management (DRM) Does the organization utilize Data Rights There is no evidence of a capability to utilize C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Data Classification
function, or similar & Handling
function, (DCH)users
assists efforts
in See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
technologies, to protect Intellectual Property (IP) rights by preventing the solution solution solution solution solution Management (DRM), or similar technologies, to Data Rights Management (DRM), or similar required to utilize Data Rights Management is required to utilize Data Rights Management are standardized
making information across the decisions
sharing organization
to and CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Data Classification Data Rights unauthorized distribution and/or modification of sensitive IP. protect Intellectual Property (IP) rights by technologies, to protect Intellectual Property (DRM), or similar technologies, to protect (DRM), or similar technologies, to protect centrally
ensure datamanaged, where technically
is appropriately protected,feasible, assume a quantitatively-controlled process is assume a continuously-improving process is
DCH-27 preventing the unauthorized distribution and/or 6 x Protect x x (IP) rights by preventing the unauthorized Intellectual Property (IP) rights by preventing Intellectual Property (IP) rights by preventing to ensure consistency. CMM Level 3 control not necessary to utilize Data Rights not necessary to utilize Data Rights
& Handling Management (DRM)
modification of sensitive IP? distribution and/or modification of sensitive IP. the unauthorized distribution and/or the unauthorized distribution and/or maturity would reasonably expect all, or at Management (DRM), or similar technologies, Management (DRM), or similar technologies,
modification of sensitive IP. modification of sensitive IP. least most, the following criteria to exist: to protect Intellectual Property (IP) rights by to protect Intellectual Property (IP) rights by
• A Governance, Risk & Compliance (GRC) preventing the unauthorized distribution preventing the unauthorized distribution
Mechanisms exist to facilitate the implementation of embedded technology ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Does the organization facilitate the implementation There is no evidence of a capability to Embedded Technology (EMB) efforts are ad Embedded Technology (EMB) efforts are Embedded
function, orTechnology (EMB)assists
similar function, effortsusers
are in Embedded Technology (EMB) efforts are See C|P-CMM4. There are no defined C|P-
controls. program program program program program of embedded technology controls? facilitate the implementation of embedded hoc and inconsistent. CMM Level 1 control requirements-driven and governed at a standardized across sharing
making information the organization
decisions and
to metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Embedded Embedded Technology technology controls. maturity would reasonably expect all, or at local/regional level, but are not consistent centrally
ensure datamanaged, where technically
is appropriately protected,feasible, management insight (based on a quantitative assume a continuously-improving process is
EMB-01 E-AST-07 10 x Protect x x x least most, the following criteria to exist: across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to facilitate the implementation
Technology Security Program
• Embedded technologies (e.g., maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure of embedded technology controls.
Operational Technology (OT) and Internet of least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for
Things (IoT) are managed in the same manner • Embedded technology management is • The Chief Information Security Officer improvement. In addition to CMM Level 3
Mechanisms exist to proactively manage the cybersecurity & data privacy ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization proactively manage the There is no evidence of a capability to C|P-CMM1 is N/A,
as any other since aasset.
technology structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
(CISO), or similar (EMB)
function withefforts are
technical Embedded Technology (EMB) efforts are See C|P-CMM4. There are no defined C|P-
risks associated with Internet of Things (IoT). (SBC) (SBC) (SBC) (SBC) (SBC) cybersecurity & data privacy risks associated with proactively manage the cybersecurity & data required to proactively manage the requirements-driven and governed atmethods
function) and uses non-standardized a standardized
competence to across the cybersecurity
address organization and metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Embedded ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Internet of Things (IoT)? privacy risks associated with Internet of cybersecurity & data privacy risks associated local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally
concerns,managed,
analyzes thewhere technically feasible,
organization's management insight (based on a quantitative assume a continuously-improving process is
Internet of Things (IOT) EMB-02 program program program program program 9 x Protect x Things (IoT). with Internet of Things (IoT). across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to proactively manage the
Technology
∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure cybersecurity & data privacy risks associated
∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for with Internet of Things (IoT).
∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) • Embedded technology management is • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3
Mechanisms exist to proactively manage the cybersecurity & data privacy ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization proactively manage the There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Embedded Technology (EMB) efforts are
decentralized (e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded Embedded Technology (EMB) efforts are See C|P-CMM4. There are no defined C|P-
risks associated with Operational Technology (OT). (SBC) (SBC) (SBC) (SBC) (SBC) cybersecurity & data privacy risks associated with proactively manage the cybersecurity & data required to proactively manage the requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset metrics driven and provide sufficient CMM5 criteria, since it is reasonable to
Embedded Operational Technology ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) ∙ IT Asset Management (ITAM) Operational Technology (OT)? privacy risks associated with Operational cybersecurity & data privacy risks associated local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure management insight (based on a quantitative assume a continuously-improving process is
EMB-03 program program program program program 9 x Protect x Technology (OT). with Operational Technology (OT). across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control understanding of process capabilities) to not necessary to proactively manage the
Technology (OT)
∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program ∙ Data classification program maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure cybersecurity & data privacy risks associated
∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories ∙ Sensitive data inventories least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for with Operational Technology (OT).
∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) ∙ Data Flow Diagram (DFD) • Embedded technology management is • An IT Asset Management (ITAM) function, improvement. In addition to CMM Level 3
Mechanisms exist to protect embedded devices against unauthorized use of ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization protect embedded devices There is no evidence of a capability to protect C|P-CMM1 is N/A, since a structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
the physical factory diagnostic and test interface(s). (SBC) (SBC) (SBC) (SBC) (SBC) against unauthorized use of the physical factory embedded devices against unauthorized use required to protect embedded devices against requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded diagnostic and test interface(s)? of the physical factory diagnostic and test unauthorized use of the physical factory local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
Interface Security EMB-04 4 x Protect x interface(s). diagnostic and test interface(s). across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to protect embedded devices not necessary to protect embedded devices
Technology
maturity would reasonably expect all, or at maturity would reasonably expect all, or at against unauthorized use of the physical against unauthorized use of the physical
least most, the following criteria to exist: least most, the following criteria to exist: factory diagnostic and test interface(s). factory diagnostic and test interface(s).
• Embedded technology management is • An IT Asset Management (ITAM) function,
Mechanisms exist to generate log entries on embedded devices when Does the organization generate log entries on There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
configuration changes or attempts to access interfaces are detected. embedded devices when configuration changes or generate log entries on embedded devices required to generate log entries on embedded requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded Embedded Technology attempts to access interfaces are detected? when configuration changes or attempts to devices when configuration changes or local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
EMB-05 6 x Detect x x access interfaces are detected. attempts to access interfaces are detected. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to generate log entries on not necessary to generate log entries on
Technology Configuration Monitoring
maturity would reasonably expect all, or at maturity would reasonably expect all, or at embedded devices when configuration embedded devices when configuration
least most, the following criteria to exist: least most, the following criteria to exist: changes or attempts to access interfaces are changes or attempts to access interfaces are
• Embedded technology management is • An IT Asset Management (ITAM) function, detected. detected.
Mechanisms exist to protect embedded devices by preventing the ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations ∙ Secure Baseline Configurations Does the organization protect embedded devices by There is no evidence of a capability to protect C|P-CMM1 is N/A, since a structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
unauthorized installation and execution of software. (SBC) (SBC) (SBC) (SBC) (SBC) preventing the unauthorized installation and embedded devices by preventing the required to protect embedded devices by requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded execution of software? unauthorized installation and execution of preventing the unauthorized installation and local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
Prevent Alterations EMB-06 6 x Protect x software. execution of software. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to protect embedded devices not necessary to protect embedded devices
Technology
maturity would reasonably expect all, or at maturity would reasonably expect all, or at by preventing the unauthorized installation by preventing the unauthorized installation
least most, the following criteria to exist: least most, the following criteria to exist: and execution of software. and execution of software.
• Embedded technology management is • An IT Asset Management (ITAM) function,
Mechanisms exist to securely update software and upgrade functionality on ∙ Technology maintenance ∙ Technology maintenance ∙ Technology maintenance ∙ Technology maintenance ∙ Technology maintenance Does the organization securely update software and There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
embedded devices. program program program program program upgrade functionality on embedded devices? securely update software and upgrade required to securely update software and requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded Embedded Technology ∙ Vulnerability & Patch ∙ Vulnerability & Patch ∙ Vulnerability & Patch ∙ Vulnerability & Patch ∙ Vulnerability & Patch functionality on embedded devices. upgrade functionality on embedded devices. local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
EMB-07 Management Program (VPMP) Management Program (VPMP) Management Program (VPMP) Management Program (VPMP) Management Program (VPMP) 6 x Protect x x across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to securely update software not necessary to securely update software
Technology Maintenance
maturity would reasonably expect all, or at maturity would reasonably expect all, or at and upgrade functionality on embedded and upgrade functionality on embedded
least most, the following criteria to exist: least most, the following criteria to exist: devices. devices.
• Embedded technology management is • An IT Asset Management (ITAM) function,
Mechanisms exist to configure embedded technology to be resilient to data Does the organization configure embedded There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is Embedded
decentralizedTechnology (EMB) efforts are
(e.g., a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
network and power outages. technology to be resilient to data network and configure embedded technology to be resilient required to configure embedded technology to requirements-driven and governed atmethods
function) and uses non-standardized a standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded power outages? to data network and power outages. be resilient to data network and power local/regional level, but
to implement secure, are notand
resilient consistent
compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
Resilience To Outages EMB-08 2 x Protect x x outages. across the organization. CMM Level 2 control to ensure consistency. CMM Level 3 control not necessary to configure embedded not necessary to configure embedded
Technology
maturity would reasonably expect all, or at maturity would reasonably expect all, or at technology to be resilient to data network and technology to be resilient to data network and
least most, the following criteria to exist: least most, the following criteria to exist: power outages. power outages.
• Embedded technology management is • An IT Asset Management (ITAM) function,
Automated mechanisms exist to monitor the power levels of embedded Does the organization use automated mechanisms There is no evidence of a capability to monitor C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
technologies for decreased or excessive power usage, including battery to monitor the power levels of embedded the power levels of embedded technologies required to monitor the power levels of is required
function) andto monitor the power levels
uses non-standardized of
methods standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded drainage, to investigate for device tampering. technologies for decreased or excessive power for decreased or excessive power usage, embedded technologies for decreased or embedded
to implement technologies for decreased
secure, resilient or
and compliant centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
Power Level Monitoring EMB-09 usage, including battery drainage, to investigate for 4 x Detect x including battery drainage, to investigate for excessive power usage, including battery excessive power usage, including battery to ensure consistency. CMM Level 3 control not necessary to monitor the power levels of not necessary to monitor the power levels of
Technology
device tampering? device tampering. drainage, to investigate for device tampering. drainage, to investigate for device tampering. maturity would reasonably expect all, or at embedded technologies for decreased or embedded technologies for decreased or
least most, the following criteria to exist: excessive power usage, including battery excessive power usage, including battery
• An IT Asset Management (ITAM) function, drainage, to investigate for device tampering. drainage, to investigate for device tampering.
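EMB-09 asks for an automated check, not a human eyeballing dashboards. The following is an added example of what that automation can look like; it is not part of the SCF and not vendor code. The telemetry samples, the device names and the fleet baseline drain rate of 0.5 %/h are constructed assumptions. It reviews per-device battery readings and flags three patterns that warrant a tamper investigation: drain far faster than baseline (stuck radio, rogue firmware, a physical tap drawing power), drain far slower than baseline or frozen (device disabled, or telemetry being replayed), and a charge level that rises when no charging is expected (cell swapped, or readings spoofed).

```python
"""Battery/power telemetry review for embedded devices (EMB-09 style check).

Added illustration, not SCF material. The telemetry samples, the device
names and the expected drain rate below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sample:
    device: str
    ts: float           # seconds since epoch
    battery_pct: float  # remaining charge, 0..100


@dataclass(frozen=True)
class Anomaly:
    device: str
    ts: float           # end of the interval that tripped the rule
    kind: str           # excessive_drain | decreased_usage | level_increase
    rate_pct_per_h: float


# Constructed telemetry: one reading per hour for four hypothetical sensors.
TELEMETRY: List[Sample] = [
    Sample("sensor-a", 0.0, 100.0), Sample("sensor-a", 3600.0, 99.5), Sample("sensor-a", 7200.0, 99.0),
    Sample("sensor-b", 0.0, 100.0), Sample("sensor-b", 3600.0, 96.0), Sample("sensor-b", 7200.0, 92.0),
    Sample("sensor-c", 0.0, 80.0),  Sample("sensor-c", 3600.0, 80.0), Sample("sensor-c", 7200.0, 80.0),
    Sample("sensor-d", 0.0, 50.0),  Sample("sensor-d", 3600.0, 49.5), Sample("sensor-d", 7200.0, 90.0),
]

# Assumed fleet baseline: a healthy device drains about 0.5 %/h. Anything more
# than TOLERANCE times faster or slower than that gets an investigation ticket.
EXPECTED_DRAIN_PCT_PER_H = 0.5
TOLERANCE = 3.0


def drain_rates(samples: List[Sample]) -> Dict[str, List[Tuple[float, float]]]:
    """Per device, return [(interval_end_ts, drain in %/h), ...] in time order."""
    by_device: Dict[str, List[Sample]] = {}
    for s in samples:
        by_device.setdefault(s.device, []).append(s)
    rates: Dict[str, List[Tuple[float, float]]] = {}
    for device, readings in by_device.items():
        readings.sort(key=lambda s: s.ts)
        out: List[Tuple[float, float]] = []
        for prev, cur in zip(readings, readings[1:]):
            hours = (cur.ts - prev.ts) / 3600.0
            if hours <= 0:
                continue  # duplicate or out-of-order timestamp: skip, do not divide by zero
            out.append((cur.ts, (prev.battery_pct - cur.battery_pct) / hours))
        rates[device] = out
    return rates


def find_anomalies(samples: List[Sample],
                   expected: float = EXPECTED_DRAIN_PCT_PER_H,
                   tol: float = TOLERANCE) -> List[Anomaly]:
    """Flag every interval whose drain falls outside the baseline band."""
    high = expected * tol
    low = expected / tol
    found: List[Anomaly] = []
    for device, intervals in drain_rates(samples).items():
        for ts, rate in intervals:
            if rate < 0:
                kind = "level_increase"   # charge rose with no charging expected
            elif rate > high:
                kind = "excessive_drain"  # drawing far more power than baseline
            elif rate < low:
                kind = "decreased_usage"  # idle, disabled, or frozen readings
            else:
                continue
            found.append(Anomaly(device, ts, kind, rate))
    return found


if __name__ == "__main__":
    for a in find_anomalies(TELEMETRY):
        print(f"{a.device} @ {a.ts:.0f}s: {a.kind} ({a.rate_pct_per_h:+.2f} %/h)")
```

On the constructed data sensor-a is clean, sensor-b drains at 4 %/h, sensor-c never moves, and sensor-d jumps from 49.5 % to 90 %. In practice the baseline should be per device model (a LoRa node and a PoE camera drain nothing alike), and a charging schedule, where one exists, should be fed in so that expected level increases are not flagged.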
Embedded Technology | Embedded Technology Reviews | EMB-10
  Control: Mechanisms exist to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
  Methods to comply: ∙ Configuration Management (CM) program ∙ Technology maintenance program ∙ Vulnerability & Patch Management Program (VPMP)
  Control question: Does the organization perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented?
  Weighting & function (as extracted): 8 x Identify x x
  C|P-CMM0: There is no evidence of a capability to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
  C|P-CMM2: C|P-CMM2 is N/A, since a well-defined process is required to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks associated with legacy embedded technologies are identified and implemented.
  C|P-CMM3: Embedded Technology (EMB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, categorizes embedded technologies according to the data the asset stores, transmits and/or processes to ensure …
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks …
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform evaluations of deployed embedded technologies as needed, or at least on an annual basis, to ensure that necessary updates to mitigate the risks …

Embedded Technology | Message Queuing Telemetry Transport (MQTT) Security | EMB-11
  Control: Mechanisms exist to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  Methods to comply: ∙ Secure Baseline Configurations (SBC)
  Control question: Does the organization enforce the security of Message Queuing Telemetry Transport (MQTT) traffic?
  Weighting & function (as extracted): 7 x Protect x
  C|P-CMM0: There is no evidence of a capability to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  C|P-CMM2: C|P-CMM2 is N/A, since a well-defined process is required to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  C|P-CMM3: Embedded Technology (EMB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, categorizes embedded technologies according to the data the asset stores, transmits and/or processes to ensure …
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce the security of Message Queuing Telemetry Transport (MQTT) traffic.

Embedded Technology | Restrict Communications | EMB-12
  Control: Mechanisms exist to require embedded technologies to initiate all communications and drop new, incoming communications.
  Methods to comply: ∙ Secure Baseline Configurations (SBC) ∙ Network segmentation (logical and/or physical) ∙ Access Control Lists (ACL)
  Control question: Does the organization require embedded technologies to initiate all communications and drop new, incoming communications?
  Weighting & function (as extracted): 8 x Protect x
  C|P-CMM0: There is no evidence of a capability to require embedded technologies to initiate all communications and drop new, incoming communications.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to require embedded technologies to initiate all communications and drop new, incoming communications.
  C|P-CMM2: C|P-CMM2 is N/A, since a well-defined process is required to require embedded technologies to initiate all communications and drop new, incoming communications.
  C|P-CMM3: Embedded Technology (EMB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, categorizes embedded technologies according to the data the asset stores, transmits and/or processes to ensure …
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to require embedded technologies to initiate all communications and drop new, incoming communications.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to require embedded technologies to initiate all communications and drop new, incoming communications.

Embedded Technology | Authorized Communications | EMB-13
  Control: Mechanisms exist to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  Methods to comply: ∙ Secure Baseline Configurations (SBC) ∙ Network segmentation (logical and/or physical) ∙ Access Control Lists (ACL)
  Control question: Does the organization restrict embedded technologies to communicate only with authorized peers and service endpoints?
  Weighting & function (as extracted): 8 x Protect x
  C|P-CMM0: There is no evidence of a capability to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  C|P-CMM1: C|P-CMM1 is N/A, since a structured process is required to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  C|P-CMM2: C|P-CMM2 is N/A, since a well-defined process is required to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  C|P-CMM3: Embedded Technology (EMB) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: • An IT Asset Management (ITAM) function, or similar function, categorizes embedded technologies according to the data the asset stores, transmits and/or processes to ensure …
  C|P-CMM4: See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to restrict embedded technologies to communicate only with authorized peers and service endpoints.
  C|P-CMM5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to restrict embedded technologies to communicate only with authorized peers and service endpoints.
Mechanisms exist to determine if embedded technologies are certified for Does the organization determine if embedded There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
secure use in the proposed operating environment. technologies are certified for secure use in the determine if embedded technologies are required to determine if embedded is required to determine if embedded standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded Operating Environment proposed operating environment? certified for secure use in the proposed technologies are certified for secure use in the technologies are certified for secure use in the centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
EMB-14 9 x Identify x x operating environment. proposed operating environment. proposed operating environment. to ensure consistency. CMM Level 3 control not necessary to determine if embedded not necessary to determine if embedded
Technology Certification
maturity would reasonably expect all, or at technologies are certified for secure use in the technologies are certified for secure use in the
least most, the following criteria to exist: proposed operating environment. proposed operating environment.
• An IT Asset Management (ITAM) function,
Mechanisms exist to evaluate the safety aspects of embedded technologies ∙ IoT / OT safety assessment ∙ IoT / OT safety assessment ∙ IoT / OT safety assessment ∙ IoT / OT safety assessment ∙ IoT / OT safety assessment Does the organization evaluate the safety aspects There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P- See C|P-CMM4. There are no defined C|P-
via a fault tree analysis, or similar method, to determine possible ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact ∙ Data Protection Impact of embedded technologies via a fault tree analysis, evaluate the safety aspects of embedded required to evaluate the safety aspects of is required to evaluate the safety aspects of standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to CMM5 criteria, since it is reasonable to
Embedded consequences of misuse, misconfiguration and/or failure. Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) Assessment (DPIA) or similar method, to determine possible technologies via a fault tree analysis, or embedded technologies via a fault tree embedded technologies via a fault tree centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure assume a quantitatively-controlled process is assume a continuously-improving process is
Safety Assessment EMB-15 consequences of misuse, misconfiguration and/or 9 x Identify x x similar method, to determine possible analysis, or similar method, to determine analysis, or similar method, to determine to ensure consistency. CMM Level 3 control not necessary to evaluate the safety aspects not necessary to evaluate the safety aspects
Technology
failure? consequences of misuse, misconfiguration possible consequences of misuse, possible consequences of misuse, maturity would reasonably expect all, or at of embedded technologies via a fault tree of embedded technologies via a fault tree
and/ or failure. misconfiguration and/ or failure. misconfiguration and/ or failure. least most, the following criteria to exist: analysis, or similar method, to determine analysis, or similar method, to determine
• An IT Asset Management (ITAM) function, possible consequences of misuse, possible consequences of misuse,
Mechanisms exist to enforce certificate-based authentication for embedded Does the organization enforce certificate-based There is no evidence of a capability to enforce C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Embedded Technology
or similar function, (EMB) efforts
categorizes are
embedded See C|P-CMM3. There are no defined C|P-
technologies (e.g., IoT, OT, etc.) and their supporting services. authentication for embedded technologies (e.g., certificate-based authentication for embedded required to enforce certificate-based is required to enforce certificate-based standardized across theto
technologies according organization
the data the and
asset CMM4 criteria, since it is reasonable to
Embedded Certificate-Based IoT, OT, etc.) and their supporting services? technologies (e.g., IoT, OT, etc.) and their authentication for embedded technologies authentication for embedded technologies centrally managed,
stores, transmits where
and/ technically
or processes to feasible,
ensure ass
EMB-16 5 x Protect x supporting services. (e.g., IoT, OT, etc.) and their supporting (e.g., IoT, OT, etc.) and their supporting to ensure consistency. CMM Level 3 control
Technology Authentication
services. services. maturity would reasonably expect all, or at
least most, the following criteria to exist:
• An IT Asset Management (ITAM) function,
or similar function, categorizes embedded
technologies according to the data the asset
stores, transmits and/ or processes to ensure
Chip-To-Cloud Security EMB-17 6 x Protect x

EMB-18 5 x Protect x

Safe Operations EMB-19 9 x Protect x x

Endpoint Security Endpoint Security END-01 10 x Govern x x x

Endpoint Security END-02 9 x Protect x x

Endpoint Security END-03 E-IAM-02 9 x Protect x x x

Mechanisms exist to generate an alert when new software is detected.

Endpoint Security END-03.1 8 x Protect x

Endpoint Security END-03.2 8 x Protect x x

∙ Antimalware software ∙ Antimalware software ∙ Antimalware software ∙ Antimalware software ∙ Antimalware software

Endpoint Security END-04 10 x Detect x x

C|P-CMM 1 through C|P-CMM 4 carry the same Endpoint Security (END) maturity text for every control in this group:
C|P-CMM 1: Endpoint Security (END) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
C|P-CMM 2: Endpoint Security (END) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Endpoint security management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant technologies.
C|P-CMM 3: Endpoint Security (END) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Configuration management is centralized for all operating systems, applications, servers and other configurable technologies.
C|P-CMM 4: Endpoint Security (END) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 …

SCF Domain: Endpoint Security | SCF Control: Automatic Antimalware Signature Updates | SCF #: END-04.1
Control Description: Mechanisms exist to automatically update antimalware technologies, including signature definitions.
Possible Solutions & Considerations (all business sizes): ∙ Secure Baseline Configurations (SBC)
Control Question: Does the organization automatically update antimalware technologies, including signature definitions?
Relative Weighting: 9 | Control Function: Protect
C|P-CMM 0: There is no evidence of a capability to automatically update antimalware technologies, including signature definitions.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to automatically update antimalware technologies, including signature definitions.

SCF Domain: Endpoint Security | SCF Control: Documented Protection Measures | SCF #: END-04.2
Control Description: Mechanisms exist to document antimalware technologies.
Possible Solutions & Considerations: (none listed)
Control Question: Does the organization document antimalware technologies?
Relative Weighting: 3 | Control Function: Identify
C|P-CMM 0: There is no evidence of a capability to document antimalware technologies.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to document antimalware technologies.

SCF Domain: Endpoint Security | SCF Control: Centralized Management of Antimalware Technologies | SCF #: END-04.3 | ERL #: E-MON-02
Control Description: Mechanisms exist to centrally-manage antimalware technologies.
Possible Solutions & Considerations (all business sizes): ∙ Antimalware software
Control Question: Does the organization centrally-manage antimalware technologies?
Relative Weighting: 8 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to centrally-manage antimalware technologies.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to centrally-manage antimalware technologies.

SCF Domain: Endpoint Security | SCF Control: Heuristic / Nonsignature-Based Detection | SCF #: END-04.4
Control Description: Mechanisms exist to utilize heuristic / nonsignature-based antimalware detection capabilities.
Possible Solutions & Considerations (all business sizes): ∙ Antimalware software
Control Question: Does the organization utilize heuristic / nonsignature-based antimalware detection capabilities?
Relative Weighting: 8 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to utilize heuristic / nonsignature-based antimalware detection capabilities.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize heuristic / nonsignature-based antimalware detection capabilities.

SCF Domain: Endpoint Security | SCF Control: Malware Protection Mechanism Testing | SCF #: END-04.5
Control Description: Mechanisms exist to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.
Possible Solutions & Considerations (all business sizes): ∙ EICAR test file
Control Question: Does the organization test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs?
Relative Weighting: 5 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of the test case and associated incident reporting occurs.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to test antimalware technologies by introducing a known benign, non-spreading test case into the system and subsequently verifying that both detection of …

SCF Domain: Endpoint Security | SCF Control: Evolving Malware Threats | SCF #: END-04.6
Control Description: Mechanisms exist to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.
Possible Solutions & Considerations: (none listed)
Control Question: Does the organization perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software?
Relative Weighting: 3 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to perform periodic evaluations of evolving malware threats to assess systems that are generally not considered to be commonly affected by malicious software.

SCF Domain: Endpoint Security | SCF Control: Always On Protection | SCF #: END-04.7
Control Description: Mechanisms exist to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.
Possible Solutions & Considerations (all business sizes): ∙ Antimalware software
Control Question: Does the organization ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period?
Relative Weighting: 9 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically authorized by management on a case-by-case basis for a limited time period.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure that anti-malware technologies are continuously running in real-time and cannot be disabled or altered by non-privileged users, unless specifically …

SCF Domain: Endpoint Security | SCF Control: Software Firewall | SCF #: END-05
Control Description: Mechanisms exist to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.
Possible Solutions & Considerations (all business sizes): ∙ Host-based firewall software
Control Question: Does the organization utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible?
Relative Weighting: 9 | Control Function: Protect
C|P-CMM 0: There is no evidence of a capability to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize host-based firewall software, or a similar technology, on all information systems, where technically feasible.

SCF Domain: Endpoint Security | SCF Control: Endpoint File Integrity Monitoring (FIM) | SCF #: END-06 | ERL #: E-AST-27
Control Description: Mechanisms exist to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.
Possible Solutions & Considerations (Micro-Small and Small Business): ∙ File Integrity Monitor (FIM) ∙ ManageEngine Endpoint Central (https://manageengine.com)
Possible Solutions & Considerations (Medium Business, Large Business and Enterprise): ∙ File Integrity Monitor (FIM) ∙ ManageEngine Endpoint Central (https://manageengine.com) ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com)
Control Question: Does the organization utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings?
Relative Weighting: 8 | Control Function: Protect
C|P-CMM 0: There is no evidence of a capability to utilize File Integrity Monitor (FIM), or similar technologies, to detect and report on unauthorized changes to selected files and configuration settings.
C|P-CMM 5: Endpoint Security (END) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.

SCF Domain: Endpoint Security | SCF Control: Integrity Checks | SCF #: END-06.1
Control Description: Mechanisms exist to validate configurations through integrity checking of software and firmware.
Possible Solutions & Considerations (Micro-Small and Small Business): ∙ File Integrity Monitor (FIM)
Possible Solutions & Considerations (Medium Business, Large Business and Enterprise): ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com) ∙ File Integrity Monitor (FIM)
Control Question: Does the organization validate configurations through integrity checking of software and firmware?
Relative Weighting: 6 | Control Function: Detect
C|P-CMM 0: There is no evidence of a capability to validate configurations through integrity checking of software and firmware.
C|P-CMM 5: Endpoint Security (END) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:
• Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.

SCF Domain: Endpoint Security | SCF Control: Endpoint Detection & … | SCF #: END-06.2
Control Description: Mechanisms exist to detect and respond to unauthorized configuration changes as cybersecurity incidents.
Possible Solutions & Considerations (Micro-Small and Small Business): ∙ ManageEngine Endpoint Central (https://manageengine.com)
Possible Solutions & Considerations (Medium Business, Large Business and Enterprise): ∙ CimTrak Integrity Suite (https://cimcor.com/cimtrak) ∙ Netwrix Auditor (https://netrix.com)
Control Question: Does the organization detect and respond to unauthorized configuration changes as cybersecurity incidents?
Relative Weighting: 9 | Control Function: Respond
C|P-CMM 0: There is no evidence of a capability to detect and respond to unauthorized configuration changes as cybersecurity incidents.
C|P-CMM 5: See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to detect and respond to
Response (EDR)
• Asset management is informally assigned maturity would reasonably expect all, or at maturity would reasonably expect all, or at predict optimal performance, ensure unauthorized configuration changes as
as an additional duty to existing least most, the following criteria to exist: least most, the following criteria to exist: continued operations and identify areas for cybersecurity incidents.
IT/cybersecurity personnel. • Endpoint security management is • Configuration management is centralized improvement. In addition to CMM Level 3
Automated mechanisms exist to alert incident response personnel upon Does the organization use automated mechanisms There is no evidence of a capability to alert C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A,
decentralized since
(e.g., a well-defined process
a localized/regionalized Endpoint Security
for all operating (END) efforts
systems, are
applications, servers Endpoint Security (END) efforts are metrics Endpoint Security (END) efforts are “world-
discovering discrepancies during integrity verification. to alert incident response personnel upon incident response personnel up on discovering required to alert incident response personnel is required
function) to alert
and uses incident response methods
non-standardized standardized across thetechnologies.
and other configurable organization and driven and provide sufficient management class” capabilities that leverage predictive
Automated Notifications discovering discrepancies during integrity discrepancies during integrity verification. up on discovering discrepancies during personnel up on
to implement discovering
secure, discrepancies
resilient and compliant centrally managed, where technically feasible, insight (based on a quantitative analysis (e.g., machine learning, AI, etc.). In
Endpoint Security END-06.3 verification? 5 x Respond x integrity verification. during integrity verification. to ensure consistency. CMM Level 3 control understanding of process capabilities) to addition to CMM Level 4 criteria, CMM Level 5
of Integrity Violations
maturity would reasonably expect all, or at predict optimal performance, ensure control maturity would reasonably expect all,
least most, the following criteria to exist: continued operations and identify areas for or at least most, the following criteria to exist:
• Configuration management is centralized improvement. In addition to CMM Level 3 • Stakeholders make time-sensitive
Automated mechanisms exist to implement remediation actions when Does the organization use automated mechanisms There is no evidence of a capability to C|P-CMM1 is N/A, since a structured process is C|P-CMM2 is N/A, since a well-defined process Endpoint Security
for all operating (END) efforts
systems, are
applications, servers Endpoint Security (END) efforts are metrics Endpoint
decisions Security (END)
to support efforts are
operational “world-
efficiency,
integrity violations are discovered. to implement remediation actions when integrity implement remediation actions when integrity required to implem
