A Master Control Library (MCL) is the complete catalog of controls and Assessment Objectives available in the CRT: the full universe of controls from which an organization builds its Living Control Set.
Purpose of the Master Control Library
Without a centralized control library, organizations typically manage controls separately for each compliance framework, leading to duplication, inconsistency, and redundant work. The MCL solves this by establishing a single source of available controls and associated definitions that all assessment and compliance activity is built from.
The Master Control Library provides a structured way to:
- Define all available security and compliance controls in one place
- Standardize how controls are described and assessed
- Support consistent evaluation across different frameworks
- Enable reuse of controls, evidence, assessments, and work efforts
The MCL in the CRT
In the CRT platform, the Secure Controls Framework (SCF) serves as the default Master Control Library. The SCF contains the complete set of controls available in the system, drawing from over 250 global regulatory and control frameworks. All control selection and assessment activity originates from the SCF, and the organization's LCS is built as a subset of applicable SCF controls.
The SCF is currently the only MCL in the CRT. It supports full framework threading, meaning controls can be associated with multiple frameworks simultaneously, and a single control action can satisfy requirements across many frameworks at once.
The MCL and the Living Control Set
The Master Control Library defines what is possible. The Living Control Set defines what the organization has implemented, is required to implement, or intends to implement as its operational baseline.
Organizations do not operate directly from the full library. Instead, they select a subset of applicable controls from the MCL to form their Living Control Set, reflecting their specific compliance obligations, risk posture, and operational needs.
The LCS is created by selecting controls from the MCL based on Minimum Compliance Requirements (MCR), the controls required to meet laws, regulations, or contracts, and Discretionary Security Requirements (DSR), controls based on the organization's specific risks, threats, and security goals.
As the organization evolves, the LCS is updated to reflect changes in regulatory obligations, risk posture, and operational maturity. By defining a target control set once and reusing controls, evidence, assessments, and work efforts across frameworks, organizations can streamline operations and focus on control effectiveness rather than repetitive compliance cycles.