- ComplianceForge documentation has been successfully used for CMMC, PCI DSS, ISO 27001, SOC 2, HIPAA, FedRAMP, FISMA, and many more compliance certifications.
- The SCF Conformity Assessment Program (SCF CAP) is a new approach to certification, enabling third-party assessments where no prior certification path existed.
- The Cyber AB (same accreditation body the DoD uses for CMMC) is the SCF's accreditation body for the SCF CAP.
- The SCF CAP roadmap covers 18 certifications including NIST CSF 2.0, HIPAA, NIS2, DORA, GLBA, NIST 800-171, and more.
- The metaframework nature of the SCF enables a single assessment to span multiple laws, regulations, and frameworks simultaneously.
Cybersecurity Compliance Starts With Unambiguous Documentation
ComplianceForge documentation is designed to scale for any cybersecurity or data privacy compliance need. Our clients have successfully used ComplianceForge documentation for a wide variety of compliance efforts, including:
- NIST 800-171 / Cybersecurity Maturity Model Certification (CMMC);
- Payment Card Industry Data Security Standard (PCI DSS);
- ISO 27001;
- System and Organization Controls (SOC 2);
- Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH);
- Federal Risk and Authorization Management Program (FedRAMP);
- Federal Information Security Modernization Act (FISMA) ;
- Risk Management Framework (RMF) / DoD Information Assurance Certification and Accreditation Process (DIACAP);
- Criminal Justice Information Services (CJIS);
- Family Educational Rights and Privacy Act (FERPA);
- Internal Revenue Service (IRS) 1075;
- European Union General Data Protection Regulation (EU GDPR);
- Gramm-Leach-Bliley Act (GLBA);
- Sarbanes–Oxley Act (SOX);
- Federal Financial Institutions Examination Council (FFIEC);
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) ;
- New York Department of Financial Services (23 NYCRR 500);
- And more!
There are a lot of cybersecurity and data privacy compliance requirements, but only a fraction have the ability to earn a certification. To address the needs of businesses that want to demonstrate compliance via a third-party assessment, the Secure Controls Framework (SCF) developed a conformity assessment methodology. The Cyber AB (same accreditation body as the DoD uses for CMMC) is the SCF's accrediation body for the SCF's Conformity Assessment Program (SCF CAP).
SCF Conformity Assessment Program (SCF CAP)
The Secure Controls Framework Conformity Assessment Program (SCF CAP) is a new approach to cybersecurity certifcations, since it enables an organization to demonstrate compliance with a law, regulation or framework, where an existing certification does not exist (e.g., NIST CSF 2.0 certification). The SCF CAP is designed for cybersecurity & privacy practitioners by cybersecurity & data privacy practitioners. This concept is based on the need within the industry for a tailored conformity assessment solution that is capable of addressing several key considerations:
- View compliance as a natural by-product of secure practices;
- Scale to address multifaceted operational requirements (e.g., laws, regulations and frameworks);
- Acknowledge the stated risk tolerance of the OSC since not all organizations have the same risk tolerance;
- Minimize the risk of “gaming” the certification process that provides no useful insights into the security posture of the Organization Seeking Certification (OSC);
- Utilize technology to make the assessment process more efficient to drive down labor-related assessment costs; and
- Leverage existing industry recognized practices, where possible.
The SCF CAP is designed to utilize tailored cybersecurity and data privacy controls to specifically address the applicable statutory, regulatory and contractual obligations an organization needs to comply with. The metaframework nature of the SCF enables an organization to perform a conformity assessment that can span multiple cybersecurity and data privacy-specific laws, regulations and frameworks.
SCF CAP Certification Roadmap
The SCF CAP has a roadmap to enable the following SCF-based certifications.
- Australia Essential Eight;
- Canada B-13;
- Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF);
- DHS Cybersecurity & Infrastructure Security Agency (CISA) Secure Software Development Attestation Form;
- EU Digital Operational Resilience Act (DORA);
- ENISA NIS2 (Directive (EU) 2022/2555);
- Federal Acquisition Regulation (FAR) 52.204.21;
- Gramm Leach Bliley Act (GLBA) - CFR 314;
- New Zealand Health Information Security Framework 2022;
- NIST Cybersecurity Framework (NIST CSF) 2.0;
- NIST SP 800-66 R2 (HIPAA Secure Rule);
- NIST SP 800-161 R1 (C-SCRM baseline);
- NIST SP 800-171 R2 (non-CMMC);
- NIST SP 800-171 R3 (non-CMMC);
- NIST SP 800-207 (zero trust principles);
- NY DFS 23 NYCRR500 - 2023 Amendment 2;
- Secure Code Alliance (SCA) Secure Software Development Practices (SSDP); and
- Trusted Information Security Assessment Exchange (TISAX) Information Security Assessment (ISA).

