Secure Controls Framework: SCF Certification Rollout

Advancing Baselines for Assurance Across Regulatory and Third-Party Assessment Programs

The Secure Controls Framework (SCF) Council, in close collaboration with The Cyber AB, is advancing a comprehensive and strategically sequenced release of organizational certification baselines throughout 2025. This initiative is designed to build strong, measurable competencies across critical cybersecurity domains and to harmonize assurance pathways across regulatory schemes, third-party assessment organizations (SCF 3PAOs), and global compliance frameworks.

The rollout reflects a deliberate effort to reinforce cross-framework alignment, operational maturity, and security assurance through a set of baseline certifications that are responsive to both domestic and international regulatory developments. Each release builds on a common controls foundation, supporting interoperability while strengthening the ability of organizations to demonstrate due diligence, resilience, and risk-informed decision-making in rapidly evolving threat and compliance environments.

Strategic Progression and Timeline

The certification schedule has been structured to follow a logical and impactful progression from foundational cybersecurity controls to specialized compliance obligations, supply chain risk, and sector-specific mandates. This approach ensures that each new certification is introduced with continuity, supporting consistent implementation practices and reusable evidence models across audits and assessments.

Currently Available

  1. SCF CORE Fundamentals
  2. NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
  3. NIST SP 800-161 R1 (C-SCRM baseline)
  4. HIPAA Security Rule (NIST SP 800-66 R2)
  5. NY DFS 23 NYCRR 500 - 2023 Amendment 2
  6. New Zealand Health Information Security Framework 2022
  7. DHS Cybersecurity & Infrastructure Security Agency (CISA) Secure Software Development Attestation Form
  8. NIST SP 800-171 R3 (non-CMMC)
  9. Federal Acquisition Regulation (FAR) 52.204-21 (CMMC Level 1)

Planned for 2026

  1. SCF CORE External Service Provider (ESP)
  2. Australia Essential Eight
  3. EU Digital Operational Resilience Act (DORA)
  4. ENISA NIS2 (Directive (EU) 2022/2555)
  5. Gramm-Leach-Bliley Act (GLBA) - CFR 314

Building Competency and Confidence in Cybersecurity Assurance

This rollout represents a blueprint for building sustainable organizational cybersecurity practices through certifiable, standards-based benchmarks. By strategically layering foundational controls, secure development expectations, and sector-specific mandates, the SCF Council and The Cyber AB are creating a future-ready ecosystem of certifications that drive audit readiness, reduce redundant compliance efforts, and increase confidence in third-party risk assessments, ultimately resulting in certification.

As the cybersecurity landscape continues to grow in complexity, this coordinated rollout affirms the SCF Council’s commitment to delivering value-aligned, scalable, and globally relevant assurance solutions for current regulatory and risk management needs. More to come in 2026...