Regulatory (UAE/GCC) · Briefing

SAMA CSF and CSCF — running one programme, two frameworks.

Where the two SAMA frameworks overlap, where they diverge, and how to evidence both without duplication.

Author: KSA Practice · Published: Apr 2026 · Read time: 6 min · Format: Briefing
MAST Consulting Group · Regulatory (UAE/GCC) practice

This briefing frames the decision for executive sponsors of Regulatory (UAE/GCC) programmes: what is changing, what to do about it in the next two quarters, and what can be deferred without regulatory or commercial consequence. The audience is the person who signs the budget, not the person who runs the day-to-day.

Definition

The SAMA Cybersecurity Framework (CSF, 2017) and the SAMA Cyber Supply Chain Controls Framework (CSCF, 2023) are complementary but distinct regulatory frameworks issued by the Saudi Central Bank. The CSF covers 28 cybersecurity domains applicable to all SAMA-regulated entities; the CSCF adds 10 supply-chain-specific control families targeting ICT and software vendor risk. Running one unified programme requires gap analysis to identify overlap (approximately 60% of controls) and to isolate CSCF-only obligations on vendor onboarding and software integrity.

Why it matters

The pressure on Regulatory (UAE/GCC) programmes is shifting in specific, observable ways:

  • SAMA's annual cybersecurity assessment questionnaire (CAQ) scores both CSF and CSCF domains separately; a low CSCF score on supply-chain controls triggers a follow-up inspection regardless of overall CSF performance.
  • CSCF control 2.4 (software bill of materials) and CSF domain 3.3.5 (third-party cybersecurity) overlap but are evidenced differently; treating them as identical risks leaving CSCF-specific SBOM and patch-verification obligations unmet.
  • Saudi Vision 2030 fintech accelerators (Fintech Saudi) require SAMA CSF compliance as a baseline for sandbox participation; demonstrating dual-framework coverage accelerates licence progression.
  • Deduplicating controls across CSF and CSCF reduces evidence-collection effort by an estimated 30–40%, freeing compliance team capacity estimated at 200–400 hours per annual cycle.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Unified control library spreadsheet — control ID (CSF domain.subdomain, CSCF family.control), description, shared evidence artefact, CSCF-specific delta requirement.
  • Software Bill of Materials (SBOM) — generated by Syft or Dependency-Track; component name, version, CVE status, patch date.
  • Vendor onboarding assessment records — CSCF Section 3 questionnaire, vendor risk score, contract clauses referencing CSCF obligations.
  • SAMA CAQ submission — scoring per domain, prior-year comparison, remediation commitments.
  • Penetration test report (CSCF 5.2) — scope including supply-chain attack vectors (e.g. CI/CD pipeline injection), findings, remediation status.
  • Patch management log — asset ID, CVE reference, CVSS score, patch applied date, SLA compliance (critical: ≤72 hours).

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0–30: Compliance Manager builds CSF–CSCF overlap matrix; colour-codes controls as 'shared evidence', 'CSF-only' or 'CSCF-only'; quantifies gap reduction opportunity.
  • Day 31–60: IT Security Manager implements SBOM generation in CI/CD pipelines using Syft; integrates with Dependency-Track for continuous CVE monitoring; links output to CSCF control 2.4 evidence.
  • Day 61–90: Third-Party Risk Manager re-runs vendor assessments using unified CSF+CSCF questionnaire; updates contracts to reference CSCF obligations for software vendors.
  • Day 90+: Compliance Manager consolidates evidence in GRC tool (Archer or ServiceNow GRC); maps evidence items to both CSF and CSCF control IDs; prepares for SAMA CAQ submission.
  • Ongoing: Security team monitors CVE feeds; patches critical vulnerabilities within 72 hours; updates SBOM records; reviews CSCF control library annually following SAMA guidance updates.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Control overlap efficiency: ≥60% of CSF controls evidenced by artefacts also satisfying mapped CSCF controls.
  • SBOM coverage: 100% of externally deployed software products have a current SBOM (updated within 30 days of any dependency change).
  • Critical vulnerability patching: ≥98% of CVSS 9.0+ vulnerabilities remediated within 72 hours of identification.
  • SAMA CAQ score: target ≥80% maturity across all CSF domains; ≥75% across all CSCF families.
  • Vendor CSCF assessment currency: ≥90% of ICT vendors in scope for CSCF assessed within the last 12 months.
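As an added example (not MAST's tooling and not anything SAMA publishes), the colour-coding step from the 90-day plan above and two of these metrics, computed over a constructed unified control library and patch log. Control IDs ending in "x", evidence names, CVE numbers and dates are placeholders; only CSF 3.3.5 and CSCF 2.4 come from the briefing.

```python
"""Added example: colour-code a unified CSF/CSCF control library and compute the
briefing's overlap-efficiency and critical-patch-SLA metrics. All data is constructed."""
from datetime import datetime, timedelta

# Constructed control-library rows (assumed format): control ID, framework, evidence artefact.
CONTROLS = [
    {"id": "CSF 3.3.5", "framework": "CSF", "evidence": "vendor-assessment-2026"},
    {"id": "CSCF 3.x", "framework": "CSCF", "evidence": "vendor-assessment-2026"},
    {"id": "CSF 3.3.x", "framework": "CSF", "evidence": "patch-log-2026"},
    {"id": "CSCF 2.x", "framework": "CSCF", "evidence": "patch-log-2026"},
    {"id": "CSCF 2.4", "framework": "CSCF", "evidence": "sbom-cyclonedx-2026"},
    {"id": "CSF 3.1.x", "framework": "CSF", "evidence": "cyber-strategy-2026"},
]
T0 = datetime(2026, 3, 1, 9, 0)
# Constructed patch-management log; CVE numbers are placeholders, not real advisories.
PATCH_LOG = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "found": T0, "patched": T0 + timedelta(hours=40)},
    {"asset": "db-02", "cve": "CVE-0000-0002", "cvss": 9.1, "found": T0, "patched": T0 + timedelta(hours=80)},
    {"asset": "app-03", "cve": "CVE-0000-0003", "cvss": 7.5, "found": T0, "patched": None},
    {"asset": "ci-04", "cve": "CVE-0000-0004", "cvss": 9.4, "found": T0, "patched": None},
]

def classify(controls):
    """'shared evidence' when the artefact also evidences the other framework, else '<framework>-only'."""
    frameworks_by_artefact = {}
    for c in controls:
        frameworks_by_artefact.setdefault(c["evidence"], set()).add(c["framework"])
    return {c["id"]: ("shared evidence" if len(frameworks_by_artefact[c["evidence"]]) == 2
                      else c["framework"] + "-only") for c in controls}

def overlap_efficiency(controls):
    """Fraction of CSF controls whose artefact also satisfies a mapped CSCF control."""
    labels = classify(controls)
    csf = [c for c in controls if c["framework"] == "CSF"]
    return sum(labels[c["id"]] == "shared evidence" for c in csf) / len(csf)

def critical_patch_sla(patch_log, min_cvss=9.0, sla=timedelta(hours=72)):
    """Fraction of CVSS >= min_cvss findings patched within the SLA; an open critical is a miss."""
    critical = [p for p in patch_log if p["cvss"] >= min_cvss]
    if not critical:
        return 1.0
    met = sum(1 for p in critical if p["patched"] is not None and p["patched"] - p["found"] <= sla)
    return met / len(critical)

def scorecard(controls, patch_log):
    """Each metric against the briefing's target: metric -> (value, target, target met)."""
    results = {"control_overlap_efficiency": (overlap_efficiency(controls), 0.60),
               "critical_patch_sla": (critical_patch_sla(patch_log), 0.98)}
    return {k: (round(v, 3), t, v >= t) for k, (v, t) in results.items()}
```

Feeding the exported control-library spreadsheet and patch log into these functions gives the monthly figures directly, and the scorecard flags which metric is below target.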

The executive frame

For an executive sponsor, the decision behind this piece reduces to three questions: what changes in the next two quarters, what is the cost of not acting, and what is the minimum credible response?

Held against TDRA / NESA / SIA / DESC and RBI, SEBI, IRDAI, MeitY (cross-border programmes), the answer is rarely "do nothing" — but it is also rarely "rebuild the programme". The honest answer for most Regulatory (UAE/GCC) buyers is a sharply scoped uplift focused on the two indicators that move the most: % of regulator-mandated controls with current evidence and open thematic-review findings by age.

  • What changes. The supervisory bar has moved on operating evidence, not on the control text itself.
  • Cost of inaction. Findings carried into the next cycle compound; remediation in a regulator-driven timeframe costs 3–5× what proactive remediation costs.
  • Minimum credible response. A 90-day uplift focused on the two indicators above, with a board-level commitment to the next review point.

Pitfalls we keep seeing

Across MAST Consulting Group's Regulatory (UAE/GCC) portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: evidence packs that are unique to each regulator instead of harmonised.
  • Pattern: controls listed against the regulator but not operating consistently.
  • Pattern: thematic-review responses prepared in the week of the visit.
  • Pattern: no single source of truth across multiple supervisors.

What good looks like in each case: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Regulatory (UAE/GCC) engagements because the integrations are cheap and the evidence is defensible:

  • a unified control framework (UCF) in a GRC tool or curated spreadsheet
  • an evidence repository with regulator tagging
  • data extracts from core systems on a fixed cadence

Each is used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Regulatory (UAE/GCC) programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this briefing is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Regulatory (UAE/GCC) programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
