Secure Controls Framework 2025 Organizational Certification Rollout

Advancing Baselines for Assurance Across Regulatory and Third-Party Assessment Programs

The Secure Controls Framework (SCF) Council, in close collaboration with The Cyber AB, is advancing a comprehensive and strategically sequenced release of organizational certification baselines throughout 2025. This initiative is designed to build strong, measurable competencies across critical cybersecurity domains and to harmonize assurance pathways across regulatory schemes, third-party assessment organizations (SCF 3PAOs), and global compliance frameworks.

The rollout reflects a deliberate effort to reinforce cross-framework alignment, operational maturity, and security assurance through a set of baseline certifications that are responsive to both domestic and international regulatory developments. Each release builds on a common controls foundation, supporting interoperability while strengthening the ability of organizations to demonstrate due diligence, resilience, and risk-informed decision-making in rapidly evolving threat and compliance environments.

Strategic Progression and Timeline

The certification schedule has been structured to follow a logical and impactful progression from foundational cybersecurity controls to specialized compliance obligations, supply chain risk, and sector-specific mandates. This approach ensures that each new certification is introduced with continuity, supporting consistent implementation practices and reusable evidence models across audits and assessments.

Published to Date: Establishing the Foundation

  • NIST CSF 2.0 – A refreshed, industry-recognized framework anchoring risk-based cybersecurity practices.
  • HIPAA Security Rule / NIST SP 800-66 R2 – Strengthens alignment with healthcare privacy and security obligations.
  • CMMC 2.0 Level 2 to NIST CSF 2.0 Mapping – Establishes a crosswalk for organizations seeking both DoD compliance and broader cybersecurity assurance.

Planned for June 2025: Securing the Software Supply Chain

  • CISA Secure Software Development Attestation Form (CODE 1 for SCA) – Self-attestation by software producers that their development practices meet the secure development requirements for software supplied to the U.S. federal government.
  • NIST SP 800-218 v1.1, Secure Software Development Framework (SSDF) (CODE 2 for SCA) – The practice set that the CISA attestation form references, covering how software is prepared, protected, produced, and maintained.
  • NIST SP 800-171 Revision 3 – Supports evolving defense industrial base (DIB) compliance requirements.
  • New Zealand Health Information Security Framework 2022 – Expands international applicability and interoperability.

Planned for Q3 2025: Advancing Zero Trust and Risk Management

  • DHS Zero Trust Capability Framework (ZTCF) – Completed and pending DHS release approval.
  • NIST SP 800-161 Revision 1 (C-SCRM) – Strengthens cyber supply chain risk management baselines.
  • NY DFS 23 NYCRR 500 – 2023 Amendment 2 – Updates reflect changes in New York’s financial cybersecurity regulations.

Planned for Q4 2025: Supporting Global Resilience and Sectoral Regulations

  • Gramm-Leach-Bliley Act (GLBA) – 16 CFR Part 314 (FTC Safeguards Rule) – Information security program requirements for customer information held by U.S. financial institutions under FTC jurisdiction.
  • EU Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) – Reinforces ICT risk management, incident reporting, resilience testing, and third-party risk oversight across financial entities in the EU.
  • ENISA NIS2 Directive (Directive (EU) 2022/2555) – Strengthens cybersecurity across essential and important sectors.

Building Competency and Confidence in Cybersecurity Assurance

This rollout represents a blueprint for building sustainable organizational cybersecurity practices through certifiable, standards-based benchmarks. By layering foundational controls, secure development expectations, and sector-specific mandates, the SCF Council and The Cyber AB are creating a future-ready ecosystem of certifications that drive audit readiness, reduce redundant compliance effort, and increase confidence in third-party risk assessments, with each pathway culminating in organizational certification.

As the cybersecurity landscape continues to grow in complexity, this coordinated rollout affirms the SCF Council’s commitment to delivering value-aligned, scalable, and globally relevant assurance solutions for current regulatory and risk management needs. More to come in 2026...