Organization-Level Cybersecurity Certifications

The Secure Controls Framework Conformity Assessment Program (SCF CAP) is an organization-level conformity assessment methodology. The SCF CAP is designed to utilize SCF cybersecurity and privacy controls that specifically address the applicable statutory, regulatory and contractual obligations an Organization Seeking Assessment (OSA) is required to comply with. By using the metaframework nature of the SCF, an OSA is able to perform conformity assessment that spans multiple cybersecurity and privacy-specific laws, regulations and frameworks.

Earning a SCF Certified™ conformity designation is meant to signify an accomplishment, rather than be viewed as a “participation ribbon” that has little practical value for the OSA or stakeholders in the OSA’s supply chain to understand the OSA’s security posture.

The SCF CAP is focused on using the SCF as the control set to provide a company-level certification. While the SCF-CAP shares some similarities with other existing, single-focused certifications (e.g., ISO 27001, CMMC, FedRAMP, etc.), the SCF CAP is unique in its metaframework approach to covering cybersecurity and data protection requirements that span multiple laws, regulations and frameworks

Key Takeaways - SCF Certifications

The SCF Conformity Assessment Program (SCF CAP) enables organizations to earn certifications where no traditional certification exists.
Governed by The Cyber AB. The same accreditation body the DoD uses for CMMC. Ensuring the highest level of assurance.
Currently available. SCF Certified, NIST CSF 2.0 and SCF Certified, HIPAA Security Rule.
Assessments are conducted by accredited SCF Third-Party Assessment Organizations (3PAOs) using SCF controls.
ComplianceForge provides end-to-end support from gap assessment through certification, with partnership with StrikePath as a recommended 3PAO.
Designed to be affordable, scalable and practitioner-driven. By cybersecurity professionals, for cybersecurity professionals.

A New Approach

A Third-Party Certification Using SCF Controls

As cybersecurity and data protection operations are multi-faceted, the SCF CAP is designed to ensure that assessed controls reflect the real-world requirements faced by an organization from a statutory, regulatory and contractual perspective. An assessment that only covers a part of an organization's cybersecurity and privacy program results in an inaccurate and incomplete report on its overall security posture, providing a false sense of security.

The SCF CAP is designed for cybersecurity & privacy practitioners by cybersecurity & data privacy practitioners. This concept is based on the need within the industry for a tailored conformity assessment solution that is capable of addressing several key considerations:

View compliance as a natural by-product of secure practices;
Scale to address multifaceted operational requirements (e.g., laws, regulations and frameworks);
Acknowledge the stated risk tolerance of the OSC since not all organizations have the same risk tolerance;
Minimize the risk of “gaming” the certification process that provides no useful insights into the security posture of the Organization Seeking Assessment (OSA);
Utilize technology to make the assessment process more efficient to drive down labor-related assessment costs; and
Leverage existing industry recognized practices, where possible.

What Is The SCF CAP Ecosystem?

SCF CAP Ecosystem Overview

The SCF CAP Ecosystem is made up of several key stakeholders that cover organization-level certification, individual-level certification and more. You can download a PDF with more information on the various components that make up the SCF CAP Ecosystem.

SCF Certification Process Flow

Flow Chart For How An SCF CAP Assessment

The flow chart below provides a very high level processes flow for how a SCF CAP assessment is structured: