Publication of Security Controls Framework Version 2.2

6 November 2020

We are pleased to share with you the publication of the Security Controls Framework (SCF) Version 2.2 Part 1 and Part 2. Both tracked-changed versions and clean versions can be found on the website.

SCF Part 2 Appendix B has been updated to include:

  • A caveat for a User to refer to the Agreed Interpretation for information on notifying the SSC of any new or materially changed component or functionality of its User Systems or employing a second or subsequent User System relating to SEC Section G3.9;
  • Clarification that compliance with the SEC obligation in Appendix AD Section 3.3.1 – to use an XML format Signing Key to sign DUIS commands, that is different to the XML format Signing Key used to sign GBCS commands – will be assessed by the User CIO in a User Security Assessment; and
  • Clarification that compliance with the SEC obligation in SEC Appendix Z Section 6.3 – to submit a Commercial Product Assurance (CPA) Remedial Plan for affected Devices to the SSC upon request, where a CPA certification expires or is withdrawn by the National Cyber Security Centre (NCSC) – will be assessed by the User CIO in a User Security Assessment.

If you have any questions on the above, please contact SSC@gemserv.com

Thank you