
06.06 The ComplianceForge SCF Extra

The Secure Controls Framework (SCF) is a freely-licensed, comprehensive control framework that maps to dozens of authority documents. The ComplianceForge SCF Extra installs the SCF library into SimpleRisk, maps SCF controls to your existing frameworks, and stays current via auto-update from ComplianceForge's GitHub source.

Requires: ComplianceForge SCF Extra

The SCF library import, the SCF-to-framework mapping engine, and the auto-update logic all live in the ComplianceForge SCF Extra at simplerisk/extras/complianceforgescf/. Without the Extra activated, SimpleRisk has no awareness of the SCF.

Why this matters

The Secure Controls Framework (SCF) is a freely-licensed, comprehensive control catalog maintained by ComplianceForge. It covers thousands of controls organized into ~30 control domains and includes pre-built mappings to dozens of authority documents (NIST CSF, ISO 27001, PCI DSS, HIPAA, GDPR, SOX, FedRAMP, CMMC, and many more). For programs that want a unified control catalog without the per-authority-document maintenance work, and without the commercial subscription cost of the Unified Compliance Framework (see Control Mapping with the UCF Extra), the SCF is a strong option.

The ComplianceForge SCF Extra brings the SCF library into SimpleRisk. Once activated, the SCF controls are available as a SimpleRisk framework, mapped to other installed frameworks via SCF's pre-built mappings, and auto-updated from the SCF GitHub source as ComplianceForge publishes new versions.

The honest scope to know up front: SCF is freely licensed for use; the SCF Extra is also free. ComplianceForge's licensing of the SCF allows free use for organizational compliance programs (the proprietary content ComplianceForge sells is the policy templates that map to SCF, not the framework itself). Compared to UCF (a paid commercial service), SCF is the lower-cost option for cross-framework mapping. The trade-off: SCF's mappings are ComplianceForge's interpretation; UCF's mappings are a different vendor's interpretation; auditors may have a preference for one or the other.

The other thing worth knowing: SCF and UCF are not complementary. They're parallel systems solving the same problem. Most programs use one or the other, not both. Picking is a function of cost (SCF wins), comprehensiveness (UCF has broader authority-document coverage in some areas), auditor preference, and which integrates with the rest of your tooling. If you've already got a UCF subscription via another GRC tool, UCF is likely the right pick; if you're starting fresh and want low-cost cross-framework mapping, SCF is.

The third thing: the Extra installs SCF data asynchronously. Activation queues a background install task; the SCF data populates over a few minutes (or longer for slow installs). The Extra exposes a status setting (extra_scf_status) that reports installing, ready, or error. Don't try to use SCF immediately after activation; wait for the status to be ready.

Before you start

Have these in hand:

  • Admin access to Configure → Extras → ComplianceForge SCF Extra for activation and to the framework management surface for using SCF data.
  • Internet access from the SimpleRisk server to GitHub (where SCF data is hosted) for the initial install and subsequent updates. Closed-network installs can still use the Extra, but they need a manual import path for the SCF data.
  • Awareness of disk and database growth. The SCF library is large (thousands of controls plus mappings). Activation adds substantial rows to the SCF tables; coordinate with your database capacity planning.
  • A plan for cross-framework rendering. Once SCF is mapped to your existing frameworks, the compliance views can show "this operational control satisfies SCF DCH-04 and (via SCF mapping) NIST 800-53 SC-12, ISO 27001 A.10.1.1, and PCI Req 3.5." Make sure your reporting expects this multi-framework attribution.

Step-by-step

1. Activate the ComplianceForge SCF Extra

Sidebar: Configure → Extras → ComplianceForge SCF Extra → Activate. The activation:

  1. Sets the extra_scf flag in settings.
  2. Creates the SCF tables: securecontrolsframework (the main SCF control catalog), securecontrolsframework_columns (the per-authority-document mapping columns), plus per-framework mapping tables.
  3. Queues an asynchronous task that fetches the SCF data from ComplianceForge's GitHub source and populates the tables.
  4. Sets extra_scf_status = 'installing'.

Wait for the install to complete. The status moves to ready when the SCF data is fully loaded; it moves to error if the install fails (typically due to network connectivity or GitHub API rate-limiting — check the application logs for details).

2. Verify the install completed

After activation, check:

  1. Configure → Extras → ComplianceForge SCF Extra — the Extra's settings page shows the install status.
  2. The status should be ready. If it's still installing after several minutes, check application logs (simplerisk_log or your debug log destination) for progress.
  3. The SCF version (extra_scf_version) should match the latest ComplianceForge SCF release.

If the install fails, the error message in the logs typically indicates the cause (network connectivity, GitHub rate-limiting, malformed SCF data). The recovery path is usually to retry; transient GitHub issues resolve themselves.
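The status gate described in steps 1 and 2, as an added example (not the Extra's own code): it polls extra_scf_status until the install reports ready, treats error as a hard stop, and refuses to query the SCF catalog while it is still populating, so a caller gets an explicit exception rather than the empty result set an in-progress install would return. It assumes SimpleRisk keeps config settings in a `settings` table with `name` and `value` columns (an assumption about the schema; the setting names themselves are the Extra's keys from this page), and uses an in-memory SQLite database with constructed rows as a stand-in for the real database so it runs offline. The `simulate_install` callback plays the role of the background task.

```python
# Readiness gate for the SCF Extra's asynchronous install.
# Added illustration, not the Extra's own code. Assumes SimpleRisk stores
# config settings in a `settings` table with `name`/`value` columns (an
# assumption about the schema); the setting names are the Extra's own keys.
# SQLite stands in for the MySQL database so the example runs offline.
import sqlite3


class ScfNotReady(RuntimeError):
    """Raised instead of silently returning empty SCF result sets."""


def scf_status(conn):
    """Return 'installing', 'ready', 'error', or None when the Extra is not activated."""
    row = conn.execute(
        "SELECT value FROM settings WHERE name = 'extra_scf_status'").fetchone()
    return row[0] if row else None


def scf_version(conn):
    """Return the extra_scf_version value, or None if it has not been written yet."""
    row = conn.execute(
        "SELECT value FROM settings WHERE name = 'extra_scf_version'").fetchone()
    return row[0] if row else None


def wait_for_scf_ready(conn, attempts, sleep):
    """Poll extra_scf_status up to `attempts` times, calling sleep() between polls.

    Returns the installed SCF version once the status is 'ready'. An 'error'
    status is a hard stop: the cause is in the application log, not here."""
    for _ in range(attempts):
        status = scf_status(conn)
        if status == "ready":
            return scf_version(conn)
        if status == "error":
            raise ScfNotReady("SCF install failed; check the application log")
        if status is None:
            raise ScfNotReady("extra_scf_status is unset; is the Extra activated?")
        sleep()
    raise ScfNotReady(f"SCF still installing after {attempts} polls")


def count_scf_controls(conn):
    """Guarded query: an empty SCF table during install is not a real answer."""
    if scf_status(conn) != "ready":
        raise ScfNotReady("SCF data not ready; refusing to report a misleading count")
    return conn.execute("SELECT COUNT(*) FROM securecontrolsframework").fetchone()[0]


def demo_db(status):
    """Constructed in-memory database holding the rows activation writes.

    The securecontrolsframework column list is a placeholder; the real table
    carries the full SCF catalog columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE securecontrolsframework (id INTEGER PRIMARY KEY, control_id TEXT);
    """)
    conn.executemany("INSERT INTO settings VALUES (?, ?)", [
        ("extra_scf", "true"),
        ("extra_scf_status", status),
        ("extra_scf_version", "2024.1"),  # constructed sample version string
    ])
    return conn


def simulate_install(conn, polls_until_ready):
    """Stand-in for the background install task, used as the sleep() callback:
    loads sample rows and flips the status to ready after N polls."""
    polls = [0]

    def tick():
        polls[0] += 1
        if polls[0] == polls_until_ready:
            conn.executemany(
                "INSERT INTO securecontrolsframework (control_id) VALUES (?)",
                [("DCH-04",), ("SAMPLE-01",), ("SAMPLE-02",)])  # constructed IDs
            conn.execute(
                "UPDATE settings SET value = 'ready' WHERE name = 'extra_scf_status'")
    return tick


if __name__ == "__main__":
    db = demo_db("installing")
    version = wait_for_scf_ready(db, attempts=10, sleep=simulate_install(db, 3))
    print(f"SCF {version} ready with {count_scf_controls(db)} controls")
```

In a real deployment the sleep callback would be `time.sleep` with a generous interval, since the page notes that slow installs can take well over a few minutes; the three-state return is what matters, because `error` and `installing` need different operator responses.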

3. Configure auto-update behavior

The SCF Extra exposes settings for how to handle SCF updates:

  • extra_scf_auto_process_updates — whether to automatically pull and apply SCF updates as ComplianceForge publishes them. Recommended: true for most programs (SCF updates are ComplianceForge's interpretation; manual review of every update is rarely useful).
  • extra_scf_add_new — whether new SCF controls (added in updates) are automatically added to your install. Recommended: true.
  • extra_scf_update_existing — whether existing mapped SCF controls are updated when ComplianceForge changes their definitions. Recommended: true (otherwise your install drifts from the canonical SCF).
  • extra_scf_delete_removed — whether SCF controls removed from the source are deleted from your install. Recommended: false (deleting controls breaks any mapping that referenced them; archiving via extra_scf_legacy_framework_handler = 'archive' is safer).
  • extra_scf_legacy_framework_handler — archive or delete for how to handle deprecated SCF content. Recommended: archive.

Configure these per your program's update tolerance; the recommended defaults are conservative.
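To make the interaction of these five settings concrete, here is an added example (not the Extra's code) that takes an installed SCF snapshot, an upstream release, the operational-control mappings, and the extra_scf_* values as stored in config_settings, and computes the resulting add / update / archive / delete actions. The key names and their true/false and archive/delete values are the ones listed above; how they combine is this example's reading of the descriptions, and the catalog contents and mapping rows are constructed. The point it makes that the list alone does not show: with extra_scf_delete_removed = false and the archive handler, a withdrawn SCF control keeps the operational mapping that points at it, while the delete path reports exactly which mappings it would orphan.

```python
# Model of how the extra_scf_* update flags combine into add / update /
# archive / delete actions for a sync from the upstream SCF catalog.
# Constructed illustration, not the Extra's own code: the key names and the
# 'true'/'false'/'archive'/'delete' values are the Extra's config_settings
# keys; how they combine here is this example's reading of their descriptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ScfControl:
    control_id: str  # SCF identifier, stable across releases (e.g. DCH-04)
    text: str        # control statement; a change here counts as an "update"


@dataclass
class UpdatePlan:
    add: list = field(default_factory=list)
    update: list = field(default_factory=list)
    archive: list = field(default_factory=list)
    delete: list = field(default_factory=list)
    # (operational_control_id, scf_control_id) pairs that a delete would orphan
    orphaned_mappings: list = field(default_factory=list)


def _flag(settings, key):
    """config_settings stores booleans as the strings 'true' / 'false'."""
    return str(settings.get(key, "false")).lower() == "true"


def plan_scf_update(installed, upstream, mappings, settings):
    """Compute the sync actions without applying them.

    installed / upstream: dict control_id -> ScfControl
    mappings: iterable of (operational_control_id, scf_control_id)
    settings: dict of the extra_scf_* keys with their stored string values
    """
    plan = UpdatePlan()

    if _flag(settings, "extra_scf_add_new"):
        plan.add = sorted(cid for cid in upstream if cid not in installed)

    if _flag(settings, "extra_scf_update_existing"):
        plan.update = sorted(cid for cid, ctrl in upstream.items()
                             if cid in installed and installed[cid] != ctrl)

    removed = sorted(cid for cid in installed if cid not in upstream)
    # Removed controls are hard-deleted when extra_scf_delete_removed is true;
    # otherwise the legacy handler decides between archive (keeps the row and
    # any mapping that points at it) and delete.
    handler = settings.get("extra_scf_legacy_framework_handler", "archive")
    if _flag(settings, "extra_scf_delete_removed") or handler == "delete":
        plan.delete = removed
    else:
        plan.archive = removed

    deleted = set(plan.delete)
    plan.orphaned_mappings = sorted((op, cid) for op, cid in mappings if cid in deleted)
    return plan


def sample_catalogs():
    """Constructed data: three installed controls, an upstream release that
    rewords one, withdraws one and adds one, and two operational mappings."""
    installed = {
        "DCH-04": ScfControl("DCH-04", "Constructed statement for DCH-04"),
        "SAMPLE-01": ScfControl("SAMPLE-01", "Original wording"),
        "SAMPLE-02": ScfControl("SAMPLE-02", "Control later withdrawn upstream"),
    }
    upstream = {
        "DCH-04": ScfControl("DCH-04", "Constructed statement for DCH-04"),
        "SAMPLE-01": ScfControl("SAMPLE-01", "Revised wording"),
        "SAMPLE-03": ScfControl("SAMPLE-03", "New control"),
    }
    mappings = [("encryption-at-rest-policy", "DCH-04"),
                ("legacy-procedure", "SAMPLE-02")]
    return installed, upstream, mappings


# The recommended values from the settings list above.
RECOMMENDED = {
    "extra_scf_auto_process_updates": "true",
    "extra_scf_add_new": "true",
    "extra_scf_update_existing": "true",
    "extra_scf_delete_removed": "false",
    "extra_scf_legacy_framework_handler": "archive",
}

if __name__ == "__main__":
    installed, upstream, mappings = sample_catalogs()
    safe = plan_scf_update(installed, upstream, mappings, RECOMMENDED)
    risky = plan_scf_update(installed, upstream, mappings,
                            {**RECOMMENDED, "extra_scf_delete_removed": "true"})
    print("recommended settings:", safe)
    print("delete_removed=true would orphan:", risky.orphaned_mappings)
```

Running the planner against a proposed settings change before enabling it is a cheap way to see how many operational mappings a delete would orphan in your own install.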

4. Map your existing frameworks to SCF

The value comes from cross-framework mapping. SCF ships with its own controls; the mappings to authority documents (NIST, ISO, etc.) are the cross-walk.

For each SimpleRisk framework you've installed:

  1. Open the framework in Governance → Frameworks.
  2. Find the SCF mapping section (added by the Extra).
  3. Map the framework to the corresponding SCF authority document.
  4. Save.

Once mapped, the cross-framework relationships propagate: an SCF control that addresses NIST SP 800-53 AC-2 also indirectly addresses your SimpleRisk-side NIST framework's AC-2.

5. Map operational controls to SCF controls

For your operational controls (the ones that do actual things — firewalls, access policies, training programs), map each to the relevant SCF control(s):

  1. Open the operational control.
  2. Find the SCF mapping section.
  3. Pick the SCF control that the operational control implements.
  4. Save.

Now the operational control inherits SCF's cross-framework mapping: it satisfies whatever authority documents the SCF control maps to.

6. Use SCF in compliance views

With mapping in place:

  • Compliance dashboards can roll up satisfaction across frameworks via SCF.
  • Audit responses can attribute operational controls to multiple authority documents in one statement.
  • Multi-framework gap analysis is easier: SCF tells you which controls have no operational equivalent.

7. Plan for periodic updates

ComplianceForge releases SCF updates periodically (typically quarterly). With auto-update on:

  • The Extra polls the ComplianceForge source.
  • New or changed SCF controls and mappings sync into your install.
  • Your operational mappings are preserved (the SCF control IDs are stable across updates).

With auto-update off, you manually trigger updates via the Extra's admin page. Less work for the application; more discipline required from the operator.

8. Plan for deactivation

Deactivating the SCF Extra:

  1. Sets extra_scf = 'false'.
  2. Optionally drops the SCF tables (depending on the Extra version's deactivation behavior).
  3. The SCF mapping UI disappears from the governance pages.

Deactivation removes SCF from the install. Mappings that referenced SCF controls become orphaned (or are removed; behavior depends on the Extra version). Plan for this if you've come to rely on SCF; without it, your cross-framework attribution work is manual again.

Common pitfalls

A handful of patterns recur with the SCF Extra.

  • Activating the Extra and assuming it's immediately ready. The install is asynchronous; queries against SCF data before the status is ready return empty results. Wait for the install to complete.

  • Using both UCF and SCF. They're parallel; the cross-framework mappings will conflict where they cover the same ground. Pick one. Programs that have both typically end up using only one in practice.

  • Disabling auto-update to "stay in control." SCF updates are usually compatible improvements; the cost of manual updates is often higher than the value. Default to auto-update unless your program has a specific reason for change-management gating on framework data.

  • Setting extra_scf_delete_removed = true. Deleting SCF controls that ComplianceForge has removed breaks any operational control mappings that referenced them. Archive (the default) preserves the mappings; deleted controls just no longer appear in new mappings.

  • Treating SCF coverage as exhaustive. SCF is broad but not infinite. Some specialized frameworks (industry-specific, regional, very new) may not be in SCF. For those, native SimpleRisk framework management is the path.

  • Not coordinating SCF maps with auditor expectations. Auditors may have their own framework mapping methodology. Have the conversation early: "we use SCF mappings produced by ComplianceForge; here's how we map our operational controls."

  • Forgetting that SCF data uses substantial database storage. A fresh SCF install is multiple thousands of rows across the SCF tables. Most installs handle this fine; very small installs (e.g., shared hosting with strict storage quotas) may notice.

  • Not version-tracking SCF updates against your audit cycle. SCF updates can change which controls satisfy which authority documents. An audit response that referenced "SCF v2024.1 says X" may not match "SCF v2025.1 says Y" after auto-update. Document the SCF version active during each audit cycle.

  • Confusing the free SCF framework with ComplianceForge's commercial policy templates. ComplianceForge sells policy and procedure templates that implement SCF; the SCF framework itself is free. Don't pay for the framework; do consider the policy templates if they match your program's needs (entirely separate purchase from SimpleRisk).

  • Treating SCF as a substitute for actual control implementation. Mapping operational controls to SCF doesn't mean the controls are working; mapping is the map, not the territory. Continue testing controls and tracking effectiveness independently of the framework mapping.

Reference

  • Permission required: governance (or admin) for SCF mapping; check_admin for the Extra activation and auto-update configuration.
  • API endpoint(s): The Extra exposes SCF mapping data via governance API endpoints; specific routes depend on the Extra version.
  • Implementing files: simplerisk/extras/complianceforgescf/index.php (enable_complianceforge_scf_extra(), the SCF library import logic, the mapping engine, the auto-update poller).
  • Database tables: securecontrolsframework (the main SCF catalog); securecontrolsframework_columns (per-authority-document mapping columns); plus per-framework mapping tables created during framework-to-SCF mapping.
  • config_settings keys: extra_scf (Extra activation flag); extra_scf_status (installing/ready/error); extra_scf_version; extra_scf_auto_process_updates; extra_scf_add_new; extra_scf_update_existing; extra_scf_delete_removed; extra_scf_legacy_framework_handler (archive/delete).
  • External dependencies: Internet access to GitHub (for fetching ComplianceForge SCF data) during install and updates. ComplianceForge's SCF GitHub repository (community-maintained; see https://www.securecontrolsframework.com/).