
- Policies & Standards for SCF Cybersecurity Oversight, Resilience & Enablement (CORE) Fundamentals.
- Straightforward compliance solution for Texas SB2610 (policies & standards).
- Editable Microsoft Word & Excel templates - enables tailoring for an organization's specific needs.
- Immense time & cost savings - policies & standards require minimal effort to customize.
Don't Write It From Scratch.
Is your small or mid-sized business expected to prove it has reasonable cybersecurity practices? With what you have right now, could you show documented policies and standards to a customer, insurer, or regulator, or are they incomplete, outdated, or nonexistent? Building this from scratch is a heavy lift for a lean team. The CORE Fundamentals Policies & Standards gives you a running start: editable policies, control objectives, standards, and guidelines built on the Secure Controls Framework's CORE baseline of 68 controls across 20 domains, scoped for small and mid-sized businesses and aligned to safe-harbor laws like Texas SB 2610. The templates get you roughly 80 to 90 percent of the way there, then you tailor the rest to your environment.
As some context, the Secure Controls Framework (SCF) created the Cybersecurity Oversight, Resilience and Enablement (CORE) initiative as a means to help an organization tailor cybersecurity and data protection controls for its specific needs. The SCF CORE Fundamentals is a tailored set of sixty-eight (68) controls that are specifically designed for smaller organizations to protect People, Processes, Technologies, Data and Facilities (PPTDF) against common threats. The SCF CORE Fundamentals Policies & Standards consists of:
The genesis of the SCF CORE Fundamentals came from Texas SB 2610, which named the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage. The SCF created the SCF CORE Fundamentals as an SMB-focused control set to address this law and others that may follow. Texas SB 2610 is the latest in a line of US State-level “cybersecurity safe harbor” laws that provide legal protection for businesses if, at the time of the incident, the business can prove it implemented reasonable cybersecurity practices. This type of legislation is meant to encourage SMBs to invest in cybersecurity to reduce legal exposure, and this incentivization can enhance business resilience that benefits everyone.

The CORE Fundamentals was created in response to Texas SB 2610, which named the SCF as one of a select few cybersecurity frameworks with adequacy to provide necessary security coverage. The control set is scoped to protect People, Processes, Technologies, Data, and Facilities (PPTDF) against common threats while remaining attainable for SMBs.
What Is The CORE Fundamentals?
The CORE Fundamentals Policies & Standards is editable cybersecurity documentation that provides policies, control objectives, standards, guidelines, and controls aligned to the SCF's CORE baseline. The product is delivered as a fully editable Microsoft Word document with a 1-to-1 mapping to the Secure Controls Framework.

Implementing cybersecurity has to be attainable for Small and Medium Businesses (SMB), and the SCF CORE Fundamentals is designed to enable SMBs to successfully implement and maintain fundamental cybersecurity practices. This control set includes many of the requirements found in the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0), so the SCF CORE Fundamentals can be an excellent starting point on a path of maturity toward NIST CSF 2.0 alignment. SMBs have to start somewhere, and the SCF CORE Fundamentals makes for an achievable objective in cybersecurity.
The controls in the SCF CORE Fundamentals are scoped for SMBs and are designed to meet the requirements in Texas SB 2610:
- Contain administrative, technical, and physical safeguards for the protection of personal identifying information and sensitive personal information (Section 542.004(1));
- Protect the security of personal identifying information and sensitive personal information (Section 542.004(3)(a));
- Protect against any threat or hazard to the integrity of personal identifying information and sensitive personal information (Section 542.003(4)(b)); and
- Protect against unauthorized access to or acquisition of personal identifying information and sensitive personal information that would result in a material risk of identity theft or other fraud to the individual to whom the information relates (Section 542.004(3)(c)).

Because the CORE Fundamentals has a 1-to-1 mapping to the SCF, it inherits cross-walks to over 200 leading laws, regulations, and frameworks. The control set includes many requirements from the NIST Cybersecurity Framework 2.0, making it an excellent starting point for SMBs on a path toward NIST CSF 2.0 alignment.
No Software To Install
This product is a one-time purchase of editable Microsoft Office-based documentation templates. There is no software to install, no agent to deploy, no account to provision, and no cloud environment to configure. If the organization can open and edit Microsoft Word files, the CORE Fundamentals is ready to use.
Microsoft Word & Excel
Delivered as a fully editable .docx file with companion .xlsx mapping. Compatible with Word 2016 and newer, Microsoft 365, OpenOffice, LibreOffice, and Google Docs.
Email Delivery
Documentation is delivered via email download link within 1-2 business days of purchase. There is no installer, no license server, and no activation step.
One-Time Purchase
A single-entity license is included with purchase. There is no recurring subscription requirement, although an optional update subscription is available to stay current as the SCF and CORE baseline evolve.

This deployment model is intentional. Cybersecurity documentation benefits from being in the organization's own hands, inside its own version control and document management systems, rather than locked inside a vendor's SaaS tool. Once delivered, the product belongs to the buyer.
What Problems Does the CORE Fundamentals Solve?
The CORE Fundamentals addresses the most common problems SMBs face when standing up a cybersecurity program for the first time or qualifying for a state-level cybersecurity safe harbor.
Lack Of In-House Security Documentation Experience
Writing security documentation is a skill that many good cybersecurity professionals are simply not proficient at, and they avoid the task at all costs. Tasking your security analysts and engineers to write comprehensive documentation means you are actively taking them away from protecting and defending your network, which is not a wise use of their time. The CORE Fundamentals is an efficient method to obtain comprehensive security policies, standards, controls and metrics for your organization!
Compliance Requirements
Nearly every organization, regardless of industry, is required to have formally-documented security policies and standards. Requirements range from PCI DSS to HIPAA to NIST 800-171. The CORE Fundamentals is designed with compliance in mind, since it focuses on leading security frameworks to address reasonably-expected security requirements.
Audit Failures
Security documentation does not age gracefully like a fine wine. Outdated documentation leads to gaps that expose organizations to audit failures and system compromises. The CORE Fundamentals' standards provide mapping to leading security frameworks to show you exactly what is required to stay both secure and compliant.
Vendor Requirements
It is very common for clients and partners to request evidence of a security program and this includes policies and standards. The CORE Fundamentals provides this evidence!
How Does the CORE Fundamentals Solve These Problems?
The CORE Fundamentals addresses SMB cybersecurity documentation challenges with concrete, editable deliverables tailored for organizations that need to demonstrate reasonable security practices.
Clear Documentation
The CORE Fundamentals provides comprehensive documentation to prove that your security program exists. This equates to a time savings of hundreds of hours and tens of thousands of dollars in staff and consultant expenses!
Time Savings
The CORE Fundamentals can provide your organization with a semi-customized solution that requires minimal resources to fine-tune for your organization's specific needs.
Alignment With Over 200 Frameworks
Because the CORE Fundamentals has a 1-to-1 mapping to the SCF, it inherits cross-walks to over 200 leading laws, regulations, and industry frameworks at no extra effort.
Texas SB 2610 Safe-Harbor Ready
Designed specifically to satisfy the reasonable-practices requirements of Texas SB 2610 and similar state cybersecurity safe-harbor laws, the CORE Fundamentals provides the documented evidence required to claim that protection.
What Is Included?
The CORE Fundamentals is delivered as an editable Microsoft Word document with companion Excel mapping. Purchase includes a single-entity license and the first year of product updates, plus bonus supplemental templates included at no additional cost.
Microsoft Word Document
Cover page and document control template. 20 policies organized by SCF domain. 68 controls with detailed standards. Audit-ready mandatory language throughout. Revision history structure.
SCF Crosswalk Mapping
Excel companion mapping document. 1-to-1 mapping to SCF controls. Cross-walks inherited from the SCF cover 200+ leading frameworks including NIST CSF 2.0, NIST 800-171, ISO 27002, PCI DSS, HIPAA, and Texas SB 2610.
SCF Component Integration
Integrates several key SCF components including Cybersecurity & Data Privacy Principles, Data Privacy Management Principles (DPMP), the Capability Maturity Model (SCR-CMM), and the Risk Management Model (SCR-RMM).
Pairs With The Matching CSOP
The CORE Fundamentals provides policies and standards (the why and what). The companion CORE Fundamentals Procedures provides the how with step-by-step procedures mapped 1-to-1 to the CORE Fundamentals standards. Most SMBs purchase both as a bundle.
Cost Savings Estimate
When you look at the costs associated with either (1) hiring an external consultant to write cybersecurity documentation for you or (2) tasking your internal staff to write it, the cost comparisons paint a clear picture that buying from ComplianceForge is the logical option. Compared to hiring a consultant, you can save months of wait time and tens of thousands of dollars. Compared to writing your own documentation, you can potentially save hundreds of work hours and the associated cost of lost productivity. Purchasing the CORE Fundamentals from ComplianceForge offers these fundamental advantages when compared to the other options for obtaining quality cybersecurity documentation:
Internal Staff Cost
For your internal staff to generate comparable documentation, it would take them an estimated 240 internal staff work hours, which equates to a cost of approximately $22,500 in staff-related expenses. This is about 4 to 6 months of development time where your staff would be diverted from other work.
The CORE Fundamentals is approximately 3% of the cost for your internal staff to generate equivalent documentation.
External Consultant Cost
If you hire a consultant to generate this documentation, it would take them an estimated 180 consultant work hours, which equates to a cost of approximately $57,000. This is about 2 to 3 months of development time for a contractor to provide you with the deliverable.
The CORE Fundamentals is approximately 1% of the cost for an external consultant to generate equivalent documentation.

Product Examples
Our customers choose the CORE Fundamentals Policies & Standards because they need a scalable and affordable solution from a reputable company. The CORE Fundamentals is a hybrid, "best in class" approach to cybersecurity documentation to create a foundational set of cybersecurity policies, standards and controls. The CORE Fundamentals Policies & Standards has a 1-1 mapping relationship with the Secure Controls Framework (SCF) so it maps to over 200 leading practices!
Below are PDF examples of what you would expect from our Microsoft Word and Excel documentation, so you can see the quality and structure of the CORE Fundamentals.
The PDF document shown below provides additional context into what to expect from ComplianceForge documentation and two side-by-side examples of what policies, control objectives, all the way through metrics, should look like. This provides a bit of a teaser into what the actual content looks like.

How Much Customization Remains?
Given the difficult nature of writing templated policies and standards, ComplianceForge aims for approximately a 90% solution, since it is impossible to write a 100% complete cookie-cutter document that can be equally applied across multiple organizations. ComplianceForge did the heavy lifting, and all that remains is to fine-tune the policies and standards with the specific information that only the organization knows to make it applicable to its environment.
In practice, customization is filling in the blanks and following the helpful guidance provided to identify the who, what, when, where, why, and how. Typical customization tasks include adding the company name and logo, tailoring parameters such as review cadences and thresholds, naming specific owner roles, and removing sections that do not apply to the SMB scope.

Professional Services
ComplianceForge offers optional professional services to customize purchased documentation. Professional services are not required to customize ComplianceForge documentation. However, some clients want our subject matter expertise to help customize their documentation to meet their specific business needs. If you have any questions about our professional services, please contact us at:
We offer the following professional service bundles:
5-Hour Bundle
This includes five (5) hours of professional services, which may be beneficial for companies that need some guidance on getting started with how to tailor their documentation.
10-Hour Bundle
This includes ten (10) hours of professional services, which may be beneficial for companies that need additional guidance on tailoring their documentation to meet their compliance requirements.
20-Hour Bundle
This includes twenty (20) hours of professional services, which may be beneficial for companies that need robust services, beyond just 10 hours, to assist in tailoring their documentation to meet their compliance requirements.
Purchased professional service hours expire 120 days (4 months) from the time of purchase if unused. Hours are intended to supplement, not replace, your own customization work, since only your organization knows the exact details to tailor your documentation. For questions regarding scoping a professional services engagement or configuring a custom package, contact ComplianceForge directly through the Contact Us page.
Framework Specialization
The CORE Fundamentals differs from broader, multi-framework products like the SCRP because it is intentionally specialized for SMBs that need a starting point on a cybersecurity safe-harbor journey. The 68 controls across 20 domains are scoped to be achievable for organizations without dedicated GRC teams, while still providing the documented evidence required to claim Texas SB 2610 protection.
If the organization is larger or needs to address multiple regulated frameworks at once, the SCRP or a baseline-aligned CDPP is the recommended alternative. If the primary goal is SMB safe-harbor compliance with room to grow toward NIST CSF 2.0 alignment, the CORE Fundamentals provides the most direct fit.
Companion Product
The CORE Fundamentals answers the what and why questions for SMB cybersecurity through policies and standards. The matching CORE Fundamentals Procedures answers the how question with step-by-step procedures that map 1-to-1 to the CORE Fundamentals standards.
Buying both as a bundle is the most common configuration for SMBs that want a complete documentation set. Procedures are not optional from an audit or safe-harbor standpoint, since auditors need to verify that standards are actually implemented in operational practice, and procedures are the documented evidence of that implementation.

Executive Alignment
The CORE Fundamentals is designed for SMB leadership who need to demonstrate reasonable cybersecurity practices to investors, insurers, customers, and regulators. Texas SB 2610 and similar state safe-harbor laws are increasingly making cybersecurity a board-level concern, even at smaller organizations, and the CORE Fundamentals provides the documented evidence required to claim that protection.
The product integrates the SCF's Capability Maturity Model (SCR-CMM) and Risk Management Model (SCR-RMM), which give SMB leadership concrete tools to measure program maturity and prioritize risk remediation without needing to build those frameworks from scratch.





