# Common Controls Frameworks

A Common Controls Framework (CCF) is a map of controls for the purpose of efficient [[compliance]] audits. Many organizations map their controls for the purposes of compliance with mandated [[cybersecurity]] control frameworks, such as [[NIST CSF]], [[NIST 800-53]], [[NIST 800-218]], [[CISA Zero Trust Maturity Model]], [[PCI DSS 4.0]], etc. This process allows for efficiency by helping the organization to disseminate control requirements to capability owners so that they can drive capability compliance.

This compliance overlay provides a map of several frameworks to the related Capability Scope.

## Capability Scope

| **Control Domain** | **Published in** | **Capability Scope** |
| --- | --- | --- |
| Access Management | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Identity and Access Management]] |
| Acquisition or sale of facilities, technology, and services | [[Unified Compliance Framework\|UCF]] | |
| Application Security | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Application Management]]<br>[[Code Management]]<br>[[Control Development]]<br>[[Control Verification]] |
| Artificial and Autonomous Technology | [[Secure Controls Framework\|SCF]] | |
| Asset Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Asset Management]] |
| Audit Compliance | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Compliance]]<br>[[Control Development]]<br>[[Control Verification]] |
| Audits and Risk Management | [[Unified Compliance Framework\|UCF]] | [[Compliance]]<br>[[Control Development]]<br>[[Control Verification]] |
| Backup Management | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Backup and Recovery]] |
| Business Continuity | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Backup and Recovery]] |
| Business Continuity & Disaster Recovery | [[Secure Controls Framework\|SCF]] | [[Backup and Recovery]] |
| Business Continuity & Resilience | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Backup and Recovery]] |
| Capacity & Performance Planning | [[Secure Controls Framework\|SCF]] | |
| Change Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Policy Automation]] |
| Change & Configuration Management | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Policy Automation]] |
| Cloud Security | [[Secure Controls Framework\|SCF]] | |
| Compliance | [[Secure Controls Framework\|SCF]] | [[Compliance]] |
| Configuration Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Policy Automation]] |
| Continuous Monitoring | [[Secure Controls Framework\|SCF]] | |
| Cryptographic Protections | [[Secure Controls Framework\|SCF]] | [[Identity and Access Management]] |
| Cryptography | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Identity and Access Management]] |
| Cryptography Management | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Identity and Access Management]] |
| Customer Managed Security | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| Cybersecurity & Data Privacy Governance | [[Secure Controls Framework\|SCF]] | [[Data Management]] |
| Data Classification & Handling | [[Secure Controls Framework\|SCF]] | [[Data Management]] |
| Data Management | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Data Management]] |
| Data Privacy | [[Secure Controls Framework\|SCF]] | [[Data Management]] |
| Data Security Management | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Data Management]] |
| Embedded Technology | [[Secure Controls Framework\|SCF]] | |
| Endpoint Security | [[Secure Controls Framework\|SCF]] | [[Device Management]] |
| Entity Management | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| Global Procurement | [[Cisco Cloud Controls Framework\|Cisco CCF]] | |
| Governance, Risk, and Compliance | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Defense Modeling]] |
| Harmonization Methods and Manual of Style | [[Unified Compliance Framework\|UCF]] | |
| Human Resources Security | [[Secure Controls Framework\|SCF]] | |
| Human Resources Management | [[Unified Compliance Framework\|UCF]] | |
| Identification & Authentication | [[Secure Controls Framework\|SCF]] | [[Identity and Access Management]] |
| Identity and Access Management | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Identity and Access Management]] |
| Incident Response | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Incident Containment]] |
| Information Assurance | [[Secure Controls Framework\|SCF]] | |
| Infrastructure Operations | [[Cisco Cloud Controls Framework\|Cisco CCF]] | |
| Leadership and High Level Objectives | [[Unified Compliance Framework\|UCF]] | |
| Maintenance | [[Secure Controls Framework\|SCF]] | |
| Mobile Device Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Device Management]] |
| Monitoring and Measurement | [[Unified Compliance Framework\|UCF]] | |
| Network Operations | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Network Management]] |
| Network Security | [[Secure Controls Framework\|SCF]] | [[Network Management]] |
| Operational Management | [[Unified Compliance Framework\|UCF]] | |
| Operational and Systems Security | [[Unified Compliance Framework\|UCF]] | |
| People and Communities | [[Cisco Cloud Controls Framework\|Cisco CCF]] | |
| People Resources | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| Physical and Environmental Protection | [[Unified Compliance Framework\|UCF]] | |
| Physical & Environmental Security | [[Secure Controls Framework\|SCF]] | |
| Physical Security | [[Cisco Cloud Controls Framework\|Cisco CCF]] | |
| Privacy | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Data Management]] |
| Privacy protection for information and data | [[Unified Compliance Framework\|UCF]] | [[Data Management]] |
| Proactive Security | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Code Management]] |
| Project & Resource Management | [[Secure Controls Framework\|SCF]] | |
| Records Management | [[Unified Compliance Framework\|UCF]] | [[Data Management]] |
| Risk Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | |
| Secure Engineering & Architecture | [[Secure Controls Framework\|SCF]] | |
| Security Awareness & Training | [[Secure Controls Framework\|SCF]] | [[Training]] |
| Security Governance | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| Security Incident | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Incident Containment]] |
| Security Operations | [[Secure Controls Framework\|SCF]] | |
| Service Lifecycle | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| Site Operations | [[Adobe Common Controls Framework\|Adobe CCF]] | |
| System Design Documentation | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Device Management]] |
| System hardening through Configuration Management | [[Unified Compliance Framework\|UCF]] | [[Device Management]] |
| Systems design, build, and implementation | [[Unified Compliance Framework\|UCF]] | [[Device Management]] |
| Systems Monitoring | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Device Management]]<br>[[Log Management]]<br>[[Stream Processing]]<br>[[Incident Containment]] |
| Technology Development & Acquisition | [[Secure Controls Framework\|SCF]] | |
| Technical Security | [[Unified Compliance Framework\|UCF]] | |
| Third Party and supply chain oversight | [[Unified Compliance Framework\|UCF]] | [[Third Party Management]] |
| Third Party Management | [[Adobe Common Controls Framework\|Adobe CCF]]<br>[[Secure Controls Framework\|SCF]] | [[Third Party Management]] |
| Threat Management | [[Secure Controls Framework\|SCF]] | [[Adversary Research]] |
| Training and Awareness | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Training]] |
| Vulnerability & Patch Management | [[Secure Controls Framework\|SCF]] | [[Control Verification]] |
| Vulnerability Detection | [[Cisco Cloud Controls Framework\|Cisco CCF]] | [[Control Verification]] |
| Vulnerability Management | [[Adobe Common Controls Framework\|Adobe CCF]] | [[Control Verification]] |
| Web Security | [[Secure Controls Framework\|SCF]] | [[Application Management]]<br>[[Code Management]] |

## Inspiration & Resources

+ [Adobe Common Controls Framework | Adobe Trust Center](https://www.adobe.com/trust/compliance/adobe-ccf.html)
+ [Unified Compliance](https://www.unifiedcompliance.com/)
+ [Secure Controls Framework](https://securecontrolsframework.com/)
+ [Cisco Cloud Controls Framework - Cisco](https://www.cisco.com/c/en/us/about/trust-center/compliance/ccf.html)

## Release Notes

+ [[WIP - Q3 2024 Release#Map Common Controls Frameworks to Cybersecurity Capabilities]]

## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.