Publication of the SCF V2.3 and AIs V2.2

11 March 2021

We are pleased to announce the publication of the Security Controls Framework (SCF) V2.3 Part 1 and Part 2, and the Agreed Interpretations V2.2. Both tracked-change and clean versions can be found on the website.

Amendments have been made to the SCF Parts 1 and 2 to clarify that:

  • SECAS (on behalf of the User CIO) will share the User Assessment Reports for Shared Resource Providers (SRPs) with Users who employ that SRP under SEC G10.8, as well as the outcome of the SSC review of each assessment;
  • An SRP is obliged under the SEC to provide its Users with a copy of its User management response to the observations of a User Security Assessment;
  • Alt HAN equipment does not need to be separately assured by a Supplier where independent assurance has already been provided by Alt HAN;
  • Users do not need to duplicate the SMETS1 penetration testing undertaken by the DCC to satisfy the User CIO in respect of SEC obligations G3.26, G3.27 and G3.28;
  • For compliance with SEC Appendix AD 3.3.1, the User CIO will look for evidence of use of separate XML format User Role Signing Private Keys for DUIS and GBCS commands. If evidence is not readily available, the User should consider allowing the User CIO to witness a User with Administrative Access log on and demonstrate the separate User Role Signing Private Keys; and
  • For compliance with G3.7, Senior Level Tiger Scheme is accepted as equivalent to a CHECK assessment.

Section 7 of the Agreed Interpretations has been amended to explain a proportionate approach to reviewing risk assessments subsequent to the initial FUSA.

If you have any questions on the above, please contact

Thank you