forked from securecontrolsframework/securecontrolsframework
SCF 2024.1 Errata.txt
Version 2024.1 represents a minor update.
- There are new controls to address newly mapped laws, regulations and frameworks.
- The SCF started utilizing Set Theory Relationship Mapping (STRM) per NIST IR 8477 - https://securecontrolsframework.com/set-theory-relationship-mapping-strm/
Added Mapping:
- NIST Cybersecurity Framework 2.0 (NIST CSF 2.0)
- NIST SP 800-207
- DoD Zero Trust Reference Architecture v2 (July 2022)
- Australia Essential 8
- China Cybersecurity Law (2017)
- Criminal Justice Information Services (CJIS) 5.9.3
- Trusted Internet Connections 3.0
- Digital Operational Resilience Act (DORA)
- FTC's Standards for Safeguarding Consumer Information (GLBA 2023)
- IEC TR 60601-4-5:2021
- ISO 42001:2024
- NIS 2 Directive
- NY DFS NYCRR500 (2023)
- SEC Cybersecurity Rule (2023)
- Spain Royal Decree 311/2022
- Space Attack Research & Tactic Analysis (SPARTA) Countermeasures
- Tennessee Information Protection Act
- Trust Services Criteria (TSC) 2017 with 2022 Points of Focus
New Controls:
- GOV-16: Materiality Determination
- GOV-16.1: Material Risks
- GOV-16.2: Material Threats
- GOV-17: Cybersecurity & Data Privacy Status Reporting
- AAT-12.1: Data Source Identification
- AAT-12.2: Data Source Integrity
- BCD-01.5: Recovery Operations Criteria
- BCD-01.6: Recovery Operations Communications
- BCD-13.1: Restoration Integrity Verification
- CAP-05: Elastic Expansion
- CAP-06: Regional Delivery
- CRY-12: Certificate Monitoring
- DCH-27: Data Rights Management (DRM)
- END-14.3: Participant Identity Verification
- END-14.4: Participant Connection Management
- END-14.5: Malicious Link & File Protections
- IAC-04.2: Device Authorization Enforcement
- IAC-13.3: Continuous Authentication
- NET-06.6: Microsegmentation
- NET-08.3: Host Containment
- NET-08.4: Resource Containment
- NET-18.4: Protocol Compliance Enforcement
- NET-18.5: Domain Name Verification
- NET-18.6: Internet Address Denylisting
- NET-18.7: Bandwidth Control
- NET-18.8: Authenticated Proxy
- NET-18.9: Certificate Denylisting
- NET-19: Content Disarm and Reconstruction (CDR)
- NET-20: Email Content Protections
- NET-20.1: Email Domain Reputation Protections
- NET-20.2: Sender Denylisting
- NET-20.3: Authenticated Received Chain (ARC)
- NET-20.4: Domain-Based Message Authentication Reporting and Conformance (DMARC)
- NET-20.5: User Digital Signatures for Outgoing Email
- NET-20.6: Encryption for Outgoing Email
- NET-20.7: Adaptive Email Protections
- NET-20.8: Email Labeling
- NET-20.9: User Threat Reporting
- PRI-18: Data Controller Communications
- SEA-04.4: System Privileges Isolation
- SEA-21: Application Container
- OPS-06: Security Orchestration, Automation, and Response (SOAR)
- OPS-07: Shadow Information Technology Detection
- THR-11: Behavioral Baselining
Renamed Controls:
none
Control Wordsmithing:
- AAT-12
- CFG-02.2
- DCH-22
- NET-18
- PRI-01.3
- PRI-02
- RSK-01
- RSK-01.1
- TPM-05
Updated Mapping:
- NIST SP 800-53 R5
> AST-08
> IAC-09.3
> TDA-06.2
> TDA-13
- NIST 800-171 R2
> IAC-08
> IAC-15.1
- DORA
> GOV-01
> GOV-01.2
> GOV-15
> CPL-01
> CPL-01.2
> MON-01
> MON-16
> IRO-01
> IRO-10
> NET-08
> RSK-09
> SEA-01
> TDA-17.1
> TPM-01
> TPM-03
> TPM-03.1
> TPM-04
> TPM-05
> TPM-05.7
> TPM-08
> VPM-07.1