
SWIFT Customer Security Controls Framework v2024

Mandatory security controls framework for all 11,000+ SWIFT-connected financial institutions worldwide: 32 controls (25 mandatory, 7 advisory) grouped under 3 objectives (secure your environment, know and limit access, detect and respond). Each institution must attest annually, supported by an independent assessment. The controls cover network segmentation, privileged access, system hardening, transaction business controls, malware protection, logging and monitoring, and incident response for SWIFT financial messaging infrastructure, and are aligned with ISO 27002, NIST CSF and PCI DSS 4.0.

AC Access Control

Control  Name                                 SWIFT CSCF References
AC-02    Account Management                   SWIFT.1.2, SWIFT.2.11A, SWIFT.5.1
AC-03    Access Enforcement                   SWIFT.2.11A, SWIFT.2.9, SWIFT.5.1, SWIFT.5.4, SWIFT.6.3
AC-04    Information Flow Enforcement         SWIFT.1.1, SWIFT.1.3, SWIFT.1.4, SWIFT.1.5, SWIFT.2.4A
AC-05    Separation Of Duties                 SWIFT.1.2, SWIFT.5.1
AC-06    Least Privilege                      SWIFT.1.2, SWIFT.5.1, SWIFT.6.3
AC-07    Unsuccessful Login Attempts          SWIFT.4.1
AC-11    Session Lock                         SWIFT.2.6
AC-12    Session Termination                  SWIFT.2.6
AC-17    Remote Access                        SWIFT.2.6
AC-20    Use Of External Information Systems  SWIFT.1.4

AT Awareness and Training

Control  Name                                                   SWIFT CSCF References
AT-01    Security Awareness And Training Policy And Procedures  SWIFT.7.2
AT-02    Security Awareness                                     SWIFT.7.2
AT-03    Security Training                                      SWIFT.7.2

AU Audit and Accountability

Control  Name                                       SWIFT CSCF References
AU-02    Auditable Events                           SWIFT.1.2, SWIFT.2.9, SWIFT.5.4, SWIFT.6.4
AU-03    Content Of Audit Records                   SWIFT.6.4
AU-06    Audit Monitoring, Analysis, And Reporting  SWIFT.2.9, SWIFT.6.4
AU-09    Protection Of Audit Information            SWIFT.6.4
AU-12    Audit Record Generation                    SWIFT.6.4
AU-14    Session Audit                              SWIFT.2.6

CA Security Assessment and Authorization

Control  Name                            SWIFT CSCF References
CA-03    Information System Connections  SWIFT.1.1, SWIFT.1.5, SWIFT.2.8
CA-08    Penetration Testing             SWIFT.7.3A

CM Configuration Management

Control  Name                                    SWIFT CSCF References
CM-02    Baseline Configuration                  SWIFT.2.3
CM-03    Configuration Change Control            SWIFT.6.2
CM-05    Access Restrictions For Change          SWIFT.6.2
CM-06    Configuration Settings                  SWIFT.1.3, SWIFT.2.10, SWIFT.2.3
CM-07    Least Functionality                     SWIFT.1.1, SWIFT.1.4, SWIFT.2.10, SWIFT.2.2, SWIFT.2.3
CM-08    Information System Component Inventory  SWIFT.2.7

CP Contingency Planning

Control  Name                                    SWIFT CSCF References
CP-04    Contingency Plan Testing And Exercises  SWIFT.7.4A
CP-09    Information System Backup               SWIFT.6.3

IA Identification and Authentication

Control  Name                                      SWIFT CSCF References
IA-02    User Identification And Authentication    SWIFT.1.2, SWIFT.4.2
IA-03    Device Identification And Authentication  SWIFT.2.1
IA-05    Authenticator Management                  SWIFT.4.1, SWIFT.4.2, SWIFT.5.2, SWIFT.5.4

IR Incident Response

Control  Name                                     SWIFT CSCF References
IR-01    Incident Response Policy And Procedures  SWIFT.7.1
IR-04    Incident Handling                        SWIFT.7.1
IR-05    Incident Monitoring                      SWIFT.7.1
IR-06    Incident Reporting                       SWIFT.7.1
IR-08    Incident Response Plan                   SWIFT.7.1

MP Media Protection

Control  Name             SWIFT CSCF References
MP-02    Media Access     SWIFT.3.1
MP-04    Media Storage    SWIFT.3.1
MP-05    Media Transport  SWIFT.2.5A

PE Physical and Environmental Protection

Control  Name                            SWIFT CSCF References
PE-02    Physical Access Authorizations  SWIFT.3.1
PE-03    Physical Access Control         SWIFT.3.1, SWIFT.5.2
PE-06    Monitoring Physical Access      SWIFT.3.1
PE-08    Access Records                  SWIFT.3.1

PM Program Management

Control  Name                      SWIFT CSCF References
PM-16    Threat Awareness Program  SWIFT.7.4A

PS Personnel Security

Control  Name                   SWIFT CSCF References
PS-03    Personnel Screening    SWIFT.5.3A
PS-04    Personnel Termination  SWIFT.5.2
PS-06    Access Agreements      SWIFT.5.3A

RA Risk Assessment

Control  Name                    SWIFT CSCF References
RA-03    Risk Assessment         SWIFT.7.4A
RA-05    Vulnerability Scanning  SWIFT.2.7, SWIFT.7.3A

SA System and Services Acquisition

Control  Name                                  SWIFT CSCF References
SA-09    External Information System Services  SWIFT.2.8
SA-11    Developer Security Testing            SWIFT.2.10
SA-22    Unsupported System Components         SWIFT.2.2

SC System and Communications Protection

Control  Name                                            SWIFT CSCF References
SC-07    Boundary Protection                             SWIFT.1.1, SWIFT.1.3, SWIFT.1.4, SWIFT.1.5, SWIFT.2.3, SWIFT.6.5A
SC-08    Transmission Integrity                          SWIFT.2.1, SWIFT.2.4A, SWIFT.2.5A, SWIFT.2.6
SC-12    Cryptographic Key Establishment And Management  SWIFT.2.1, SWIFT.2.5A
SC-13    Use Of Cryptography                             SWIFT.2.1, SWIFT.2.4A
SC-28    Protection of Information at Rest               SWIFT.1.3, SWIFT.2.5A, SWIFT.5.4, SWIFT.6.3
SC-32    System Partitioning                             SWIFT.1.1
SC-39    Process Isolation                               SWIFT.1.3

SI System and Information Integrity

Control  Name                                                SWIFT CSCF References
SI-02    Flaw Remediation                                    SWIFT.2.2, SWIFT.2.7
SI-03    Malicious Code Protection                           SWIFT.6.1
SI-04    Information System Monitoring Tools And Techniques  SWIFT.2.9, SWIFT.6.1, SWIFT.6.4, SWIFT.6.5A
SI-07    Software And Information Integrity                  SWIFT.6.2, SWIFT.6.3

SR Supply Chain Risk Management

Control  Name                                 SWIFT CSCF References
SR-01    Policy and Procedures                SWIFT.2.8
SR-03    Supply Chain Controls and Processes  SWIFT.2.8
SR-06    Supplier Assessments and Reviews     SWIFT.2.8