Controls are your cybersecurity & data privacy program. A control is the power to influence or direct behaviors and the course of events.

Secure Controls Framework (SCF) Council

STRM Bundle - Excel Versions

$20.00
SKU: STRM-Bundle

This is for a digital download of the current Excel spreadsheet versions of the Set Theory Relationship Mapping (STRM) used to crosswalk the Secure Controls Framework (SCF). 

The STRM download can be accessed for one (1) month from the date of purchase. The 2026.1 STRM mappings in Excel format include the following:

  1. AICPA Privacy Management Framework (PMF) (2020)
  2. Trust Services Criteria (TSC) (2017)
  3. APEC Privacy Framework (2015)
  4. Standard 200-1 (v1.0)
  5. Critical Security Controls (CSC) (v8.1)
  6. Critical Security Controls (CSC) (v8.1) - IG1
  7. Critical Security Controls (CSC) (v8.1) - IG2
  8. Critical Security Controls (CSC) (v8.1) - IG3
  9. Control Objectives for Information and Related Technologies (COBIT) (2019)
  10. Committee of Sponsoring Organizations (COSO) (2013)
  11. Cloud Controls Matrix (CCM) (v4.1.0)
  12. IoT Security Controls Framework (v2)
  13. Cyber Resilience Capability Maturity Model (CR-CMM) (2026)
  14. GovRAMP
  15. GovRAMP Core
  16. GovRAMP Low
  17. GovRAMP Low+
  18. GovRAMP Moderate
  19. GovRAMP High
  20. IEC TR 60601-4-5 (2021)
  21. IEC 62443-2-1 (2024)
  22. IEC 62443-3-3 (2013)
  23. IEC 62443-4-1 (2018)
  24. IEC 62443-4-2 (2019)
  25. International Maritime Organization (IMO) Guidelines on Maritime Cyber Risk Management (2025)
  26. ISO 21434 (2021)
  27. ISO 22301 (2019)
  28. ISO 27001 (2022)
  29. ISO 27002 (2022)
  30. ISO 27017 (2015)
  31. ISO 27018 (2025)
  32. ISO 27701 (2025)
  33. ISO 29100 (2024)
  34. ISO 31000 (2018)
  35. ISO 31010 (2009)
  36. ISO 42001 (2023)
  37. MITRE ATT&CK (v16.1)
  38. Content Security Best Practices Common Guidelines (v5.3.1)
  39. Insurance Data Security Model Law 668 (2017)
  40. NIST AI 100-1 (AI RMF 1.0)
  41. NIST AI 600-1
  42. NIST Privacy Framework (v1.0)
  43. NIST SP 800-37 R2
  44. NIST SP 800-39
  45. NIST SP 800-53 R5
  46. NIST SP 800-53 R5 - Privacy Baseline
  47. NIST SP 800-53 R5 - Low Baseline
  48. NIST SP 800-53 R5 - Moderate Baseline
  49. NIST SP 800-53 R5 - High Baseline
  50. NIST SP 800-66 R2
  51. NIST SP 800-82 R3
  52. NIST SP 800-82 R3 - Low OT Overlay
  53. NIST SP 800-82 R3 - Moderate OT Overlay
  54. NIST SP 800-82 R3 - High OT Overlay
  55. NIST SP 800-160 (Vol 2, Rev 1)
  56. NIST SP 800-161 R1 UDP1
  57. NIST SP 800-161 R1 UDP1 - C-SCRM Baseline
  58. NIST SP 800-161 R1 UDP1 - Flow Down Baseline
  59. NIST SP 800-161 R1 UDP1 - Level 1 Baseline
  60. NIST SP 800-161 R1 UDP1 - Level 2 Baseline
  61. NIST SP 800-161 R1 UDP1 - Level 3 Baseline
  62. NIST SP 800-171 R2
  63. NIST SP 800-171 R3
  64. NIST SP 800-171A
  65. NIST SP 800-171A R3
  66. NIST SP 800-172
  67. NIST SP 800-207
  68. NIST SP 800-218
  69. NIST Cybersecurity Framework (v2.0)
  70. OECD Privacy Principles (2010)
  71. OWASP Top 10 (2025)
  72. Payment Card Industry Data Security Standard (PCI DSS) (v4.0.1)
  73. Payment Card Industry Data Security Standard (PCI DSS) - SAQ A (v4.0.1)
  74. Payment Card Industry Data Security Standard (PCI DSS) - SAQ A-EP (v4.0.1)
  75. Payment Card Industry Data Security Standard (PCI DSS) - SAQ B (v4.0.1)
  76. Payment Card Industry Data Security Standard (PCI DSS) - SAQ B-IP (v4.0.1)
  77. Payment Card Industry Data Security Standard (PCI DSS) - SAQ C (v4.0.1)
  78. Payment Card Industry Data Security Standard (PCI DSS) - SAQ C-VT (v4.0.1)
  79. Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Merchant (v4.0.1)
  80. Payment Card Industry Data Security Standard (PCI DSS) - SAQ D Service Provider (v4.0.1)
  81. Payment Card Industry Data Security Standard (PCI DSS) - SAQ P2PE (v4.0.1)
  82. Data Privacy Management Principle (DPMP) (2025)
  83. SPARTA Countermeasures
  84. SWIFT Customer Security Controls Framework (2025)
  85. TISAX ISA (6.0.3)
  86. UL 2900-1 (2017)
  87. UL 2900-2-2 (2016)
  88. UN Regulation No. 155 (2021)
  89. UNECE WP.29 (2020)
  90. CERT-RMM (v1.2)
  91. Children's Online Privacy Protection Act (COPPA) (2024)
  92. CISA Secure Software Development Attestation Form (SSDAF) (2024)
  93. CISA Trusted Internet Connections 3.0 Security Capabilities Catalog (TIC 3.0)
  94. CISA Cross-Sector Cybersecurity Performance Goals (CPG) (2.0)
  95. Criminal Justice Information Services (CJIS) Security Policy (v6.0)
  96. Cybersecurity Capability Maturity Model (C2M2) (v2.1)
  97. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 1
  98. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 1 Assessment Objectives
  99. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 2
  100. Cybersecurity Maturity Model Certification (CMMC) 2.0 - Level 3
  101. Data Privacy Framework (2023)
  102. Department of War (DoW) - Zero Trust Execution Roadmap (v1.1)
  103. Department of War (DoW) - Zero Trust Reference Architecture (v2)
  104. DFARS 252.204-7012
  105. Executive Order 14028 - Improving the Nation's Cybersecurity
  106. Fair & Accurate Credit Transactions Act (FACTA) & Fair Credit Reporting Act (FCRA) (2023)
  107. FAR 52.204-21
  108. FAR 52.204-25 (NDAA Section 889)
  109. FAR 52.204-27
  110. Farm Credit Administration (FCA) Cyber Risk Management (2023)
  111. Food & Drug Administration (FDA) 21 CFR Part 11 (2025)
  112. FedRAMP R5 - Low Baseline
  113. FedRAMP R5 - Moderate Baseline
  114. FedRAMP R5 - High Baseline
  115. FedRAMP R5 - LI-SaaS Baseline
  116. Family Educational Rights and Privacy Act (FERPA) (2010)
  117. FINRA Cybersecurity Rules
  118. US Fair Information Practice Principles (FIPPs) (1973)
  119. Federal Trade Commission (FTC) Act
  120. Gramm Leach Bliley Act (GLBA) (2023)
  121. HHS § 155.260 (2016)
  122. HIPAA Administrative Simplification (2013)
  123. HIPAA Security Rule (2013)
  124. IRS 1075 (2021)
  125. MARS-E Document Suite (2.0)
  126. NERC Critical Infrastructure Protection (CIP) (2024)
  127. National Industrial Security Program Operating Manual (NISPOM) (2020)
  128. Safeguarding of NNPI (2010)
  129. SEC Cybersecurity Rule (2023)
  130. SOX (2002)
  131. TSA Security Directive 1580/82-2022-01
  132. Alaska Personal Information Protection Act (PIPA) (2009)
  133. California SB327 (2018)
  134. California Consumer Privacy Act (CCPA) (2026)
  135. California SB1386 (2002)
  136. Colorado Privacy Act (2021)
  137. Illinois Biometric Information Privacy Act (BIPA) (2008)
  138. Illinois Identity Protection Act (IPA) (2009)
  139. Illinois Personal Information Protection Act (PIPA) (2006)
  140. Massachusetts 201 CMR 17.00 (2008)
  141. Nevada Privacy Law (2023)
  142. Nevada Operation of Gaming Establishment (NOGE) Regulation 5.260 (2024)
  143. Nevada SB220 (2019)
  144. New York Department of Financial Services 23NYCRR Part 500 (2023 Amendment 2)
  145. New York SHIELD Act (SB S5575B) (2019)
  146. Oregon Consumer Information Protection Act (ORS 646A) (2025)
  147. Oregon Consumer Privacy Act (SB 619) (2023)
  148. Tennessee Information Protection Act (TIPA) (2025)
  149. Texas Identity Theft Enforcement and Protection Act (BC521) (2009)
  150. Texas Consumer Data Protection Act (2025)
  151. Texas DIR Security Control Standards Catalog (v2.2)
  152. Texas SB820 (2019)
  153. Texas Safe Harbor Law (SB2610) (2025)
  154. TX-RAMP 2.0 - Level 1
  155. TX-RAMP 2.0 - Level 2
  156. Virginia Consumer Data Protection Act (2023)
  157. Vermont Data Broker Registration Act (Act 171 of 2018)
  158. EU Artificial Intelligence Act (AI Act) (2024)
  159. EU Cyber Resilience Act (CRA) (2022)
  160. EU Cyber Resilience Act Annexes (CRA Annexes) (2022)
  161. EU Digital Operational Resilience Act (DORA) (2023)
  162. EU General Data Protection Regulation (GDPR) (2016)
  163. EU NIS2 Directive (2022)
  164. EU NIS2 Annex (2024)
  165. Saudi Arabia - Cybersecurity Guidelines for Internet of Things (CGIoT-1:2024)
  166. Saudi Arabia - Personal Data Protection Law (PDPL) (2023)
  167. Spain - BOE-A-2022-7191
  168. UAE - National Information Assurance Framework (NIAF) (2023)
  169. UK - Cyber Assessment Framework (CAF) (v4.0)
  170. UK - Defstan 05-138 (2024)
  171. UK - Defstan 05-138 (2024) - L0
  172. UK - Defstan 05-138 (2024) - L1
  173. UK - Defstan 05-138 (2024) - L2
  174. UK - Defstan 05-138 (2024) - L3
  175. Australia - Essential Eight (2024)
  176. Australia - Information Security Manual (ISM) (June 2024)
  177. China - Cybersecurity Law (2017)
  178. India - DPDPA (2023)
  179. India - SEBI CSCRF (2024)
  180. Japan - Information System Security Management and Assessment Program (ISMAP)
  181. New Zealand - HISF MLHSP (2023)
  182. New Zealand - HISF MicroSmall (2023)
  183. New Zealand - HISF Guidance for Suppliers (2023)
  184. Canada - OSFI B-13 (2022)
  185. Canada - ITSP.10.171 (2025)

 

 

2 Reviews

  • 4
    STRM

    Posted by Eric Andresen on Jun 23rd 2025

    You will save a long time trying to map these controls out yourself if all you do is purchase the material for your latest NIS2 project. There are no doubt many ways that this can be applied and if we have this material to show an auditor how the material was organized, I am sure without a doubt that the material will pay off in a big way. The Secure Control Framework is amazing, and I am happy to support the project in any small way that we can.

  • 5
    Excellent value and huge time saver!

    Posted by Udo Schneider on Oct 10th 2024

    We use SCF to map product features to multiple compliance frameworks using control cross-walking. Adding the STRM information, especially the actual requirement text, allows us to tailor our answers specifically to the framework. And for the price, it's a real bargain! Even if you only need to copy and paste requirement descriptions manually, you'll end up paying more in lost work time than buying the whole package. Plus, you'll miss out on the STRM weights, which help to prioritize controls.