Release Notes: 2.43.1.4 SCF Minor Upgrade 2021.2

Date released to Production: Tuesday, June 15th, 2021

High-Level Summary:

SCF Minor Upgrade 2021.2

Added Mappings:

  •         CIS CSC v8
  •         CSA CCM v4
  •         CSA IoT SCF v2    
  •         NIST SSDF    
  •         NIST 800-161 R1 draft [partial]
  •         StateRAMP
  •         VA CDPA    
  •         UK GDPR    
  •         New Zealand Health ISF
  •         New Zealand Privacy Act of 2020
  •         Bermuda BMA CCC
  •         Canada CSAG

 

Added Content:

Threat Catalog

  •         MT-8 - Dysfunctional Management Practices

 

Controls Catalog

  •         AST-01.3 - Standardized Naming Convention    
  •         BCD-14 – Isolated Recovery Environment
  •         CAP-04 - Performance Monitoring    
  •         CFG-07 - Zero-Touch Provisioning (ZTP)    
  •         EMB-09 - Power Level Monitoring    
  •         EMB-10 - Embedded Technology Reviews    
  •         EMB-11 - Message Queuing Telemetry Transport (MQTT) Security    
  •         EMB-12 - Restrict Communications    
  •         EMB-13 - Authorized Communications    
  •         EMB-14 – Operating Environment Certification
  •         EMB-15 - Safety Assessment    
  •         EMB-16 - Certificate-Based Authentication    
  •         EMB-17 - Chip-To-Cloud Security    
  •         EMB-18 - Real-Time Operating System (RTOS) Security    
  •         EMB-19 - Safe Operations
  •         IAC-29 - Attribute-Based Access Control (ABAC)     
  •         MDM-09 – Mobile Device Geofencing
  •         MDM-10 – Separate Mobile Device Profiles
  •         PES-17 - Proximity Sensor     
  •         PRI-01.5 - Binding Corporate Rules (BCR)    
  •         PRI-01.6 - Security of Personal Data    
  •         PRI-01.7 - Limiting Personal Data Disclosures    
  •         PRI-04.2 - Primary Sources    
  •         TDA-04.2 - Software Bill of Materials (SBOM)    
  •         TDA-06.3 - Software Assurance Maturity Model (SAMM)
  •         TDA-06.4 - Supporting Toolchain    
  •         TDA-06.5 - Software Design Review    
  •         TDA-09.6 - Secure Settings By Default    
  •         TDA-20.1 – Software Release Integrity Violation
  •         TDA-20.2 - Archiving Software Releases
  •         TPM-01.1 – Third-Party Inventories 

 

Renamed:

  •         AST-02.4 – Approved Baseline Deviations
  •         CFG-02.7 – Approved Configuration Deviations
  •         MON-01.13 – Alert Threshold Tuning
  •         DCH-25 – Transfer of Sensitive Data
  •         END-06 – Endpoint File Integrity Monitoring (FIM)
  •         PRI-05.2 – Personal Data Accuracy & Integrity
  •         PRI-06.1 – Correcting Inaccurate Information
  •         VPM-05 – Software & Firmware Patching

 

Wordsmithed:

  •         AST-14.1
  •         BCD-12
  •         CFG-02.7
  •         CRY-08 
  •         DCH-25 
  •         END-05
  •         IAC-02
  •         IAC-03
  •         IAC-04
  •         IAC-06
  •         NET-14
  •         NET-14.2
  •         PRI-06.1 
  •         VPM-06.6
  •         VPM-06.7

 

Updated Mapping:

  •         CFG-03.1 – added ISO 27002 controls 12.6.1 & 14.2.5
  •         MON-01.7 – added CIS 7.1 controls for 14.9
  •         IRO-02 – corrected typo from “095” to “096” for CMMC
  •         DCH-06 – corrected typo from “9.79” to “9.7” for PCI DSS
  •         NET-03.3 – corrected typo from “1.3.8” to “1.3.7” for PCI DSS
  •         Multiple - South Africa's POPIA
  •         NIST SP 800-53B (high baseline)
      o    AU-6(5)
      o    AU-6(6)
      o    SI-4(14)
  •         NIST SP 800-53B (Not Otherwise Categorized (NOC))
      o    AU-6(4)
      o    SI-4(15)
      o    PT-4(1)
      o    PT-4(2)
      o    PT-4(3)
      o    PT-5(1)
      o    SA-9(3)
      o    SA-9(4)
      o    SA-9(5)

 

Removed:

  •         New Zealand Privacy Act of 1993 (replaced with 2020 version)