What is the Secure Controls Framework (SCF)?
An overview of the Secure Controls Framework (SCF) - what it is and how it serves as the foundation for control management in the Cyturus CRT.
The Secure Controls Framework (SCF) is a publicly available control framework that organizes cybersecurity, privacy, and resilience requirements into a standardized set of controls. Within the Cyturus CRT, the SCF serves as the Master Control Library.
Why the SCF Matters
Most organizations must comply with multiple frameworks such as CMMC, ISO 27001, HIPAA, and others. These frameworks often require similar security capabilities, but express those requirements differently, which leads to duplicated work and inconsistent controls across programs.
The SCF addresses this by mapping cybersecurity, privacy, and resilience requirements across frameworks into a single standardized control set. This allows organizations to manage security operations once while demonstrating compliance across many frameworks.
Controls and Assessment Objectives in the SCF
A control represents a safeguard implemented to improve an organization's security, compliance, and resilience posture. Controls in the SCF may include policies, procedures, technical safeguards, operational processes, and governance practices.
Each control contains Assessment Objectives: verifiable actions or evidence requirements that describe what must be demonstrated to show the control has been implemented. Assessment Objectives enable organizations to measure control implementation in a structured and repeatable way.
The SCF as the Master Control Library
Within the CRT, the SCF serves as the Master Control Library, the complete universe of controls available to your organization. It is the only supported Master Control Library for full Living Control Set (LCS) functionality, meaning organizations building an LCS in the CRT will use the SCF as their control foundation.
Organizations do not typically implement every control in the SCF. Instead, they select the controls relevant to their environment, compliance obligations, and risk tolerance. That selected subset becomes the organization's Living Control Set, the active, organization-specific set of controls used to manage security, compliance, and risk in the CRT.

This architecture allows organizations to maintain a single operational control set while supporting multiple regulatory frameworks, reducing duplication and giving leadership a unified view of the security and compliance program.