What are CIS Controls?
The Center for Internet Security (CIS) Controls are a prioritized set of Safeguards to mitigate the most common cyber-attacks against systems and networks. The SANS 20 Critical Security Controls, formerly known as the SANS Top 20, is now called the CIS Controls and has been reduced from 20 to 18 Controls since version 8.
In June 2024, CIS announced CIS Controls 8.1, which includes new asset classes and the new "Governance" security function introduced in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0.
The following are the new updates that have been included in CIS Control 8.1:
- Realigned NIST CSF security function mappings to match NIST CSF 2.0
- Included new and expanded glossary definitions for reserved words used throughout the Controls (e.g., plan, process, sensitive data)
- Revised asset classes, alongside new mappings to Safeguards
- Fixed minor typos in Safeguard descriptions
- Added clarification to a few anemic Safeguard descriptions
The 18 CIS Controls v8.1 are listed in the breakdown below.
CIS 8.1 Asset Classes
To better match the specific parts of an enterprise's infrastructure that each Safeguard applies to, the new asset classes and definitions needed to be consistently applied throughout the Controls. In doing so, some minor updates were made.
The New Asset Classes found in CIS 8.1 are:
18 CIS critical security controls version 8.1 explained
The CIS Controls have been updated with new asset classes to better align each Safeguard with specific parts of an enterprise’s infrastructure. These new classes necessitated updated definitions, leading to enhanced descriptions for several Safeguards to improve detail, practicality, and clarity.
This breakdown will provide a comprehensive understanding of the technical foundations and practical applications of the CIS Controls for CIS Compliance:
- CIS Control 1: Inventory and Control of Enterprise Assets: Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.
- CIS Control 2: Inventory and Control of Software Assets: Actively manage all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
- CIS Control 3: Data Protection: Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
- CIS Control 4: Secure Configuration of Enterprise Assets and Software: Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
- CIS Control 5: Account Management: Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.
- CIS Control 6: Access Control Management: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
- CIS Control 7: Continuous Vulnerability Management: Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
- CIS Control 8: Audit Log Management: Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
- CIS Control 9: Email and Web Browser Protections: Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.
- CIS Control 10: Malware Defenses: Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
- CIS Control 11: Data Recovery: Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
- CIS Control 12: Network Infrastructure Management: Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.
- CIS Control 13: Network Monitoring and Defense: Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
- CIS Control 14: Security Awareness and Skills Training: Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.
- CIS Control 15: Service Provider Management: Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
- CIS Control 16: Application Software Security: Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
- CIS Control 17: Incident Response Management: Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.
- CIS Control 18: Penetration Testing: Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.
CIS Controls vs CIS Benchmarks
The CIS Controls and CIS Benchmarks can cause a bit of confusion. Here is a simple explanation:
CIS Controls are a general set of recommended best practices for securing a wide range of systems and devices and are referenced throughout the CIS Benchmarks.
CIS Benchmarks are guidelines that provide actionable best practices for specific platforms and technologies for hardening specific operating systems, middleware, software applications, and network devices.
CIS Control Safeguards
There are a total of 153 Safeguards in CIS Controls v8, which are prioritized into Implementation Groups (IGs). Every enterprise should start with IG1. IG1 is defined as "essential cyber hygiene," the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks.
"Safeguards" were known as "Sub-Controls" prior to Version 8 of the CIS Controls.
Source: CIS Implementation Group v8.1
CIS Implementation Groups (IGs) Explanation
CIS Controls Implementation Groups (IGs) provide guidance on how to prioritize implementation. The IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies a subset of the CIS Safeguards that an enterprise with a similar risk profile and resources should strive to implement. These IGs represent a horizontal look across the CIS Controls, tailored to different types of enterprises.
IG1 is defined as "Essential Cyber Hygiene," the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks. Each IG then builds upon the previous one: IG2 includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.
Factors Impacting Implementation Groups
CIS recommends following these five factors as a basis for determining your IG: Size and/or Complexity, Data Types, Resources and Technology, Threat Types, and Risk.
CIS Community Defense Model
CIS released the Community Defense Model (CDM), a data-driven approach to identifying the usefulness of specific CIS Control recommendations. The CDM looks at the conclusions of the recent Verizon Data Breach Investigations Report (DBIR), along with data from the Multi-State Information Sharing and Analysis Center (MS-ISAC), to identify what CIS believes to be the five most important types of attacks.
CIS describes those attacks using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (MITRE ATT&CK) Framework in order to create attack patterns (or specific combinations of Tactics and Techniques used in those attacks). This allows CIS to analyze the value of individual defensive actions (i.e., Safeguards) against those attacks. It also provides a consistent and explainable way to look at the security value of a given set of defensive actions across the attacker's life cycle and provides a basis for strategies like defense-in-depth.
The following attack patterns are included within the CDM:
- Web-Application Hacking
- Insider and Privilege Misuse
- Malware
- Ransomware
- Targeted Intrusions
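The scoring idea behind the CDM, as an added illustration that is not CIS's published model or data: attack patterns are expressed as combinations of ATT&CK tactics and techniques, and the value of a Safeguard set is measured by how much of each pattern, and of each tactic across the attacker's life cycle, it mitigates. The technique IDs are real ATT&CK identifiers; the pattern contents and the Safeguard-to-technique mappings are constructed for the example.

```python
"""Toy Community Defense Model scoring. Mappings below are constructed
for illustration; they are not CIS's published CDM mappings."""
from collections import defaultdict

# Constructed: each attack pattern as a set of (tactic, ATT&CK technique) steps.
ATTACK_PATTERNS = {
    "Ransomware": {("initial-access", "T1566"),   # Phishing
                   ("execution", "T1059"),         # Command and Scripting Interpreter
                   ("impact", "T1486")},           # Data Encrypted for Impact
    "Web-Application Hacking": {("initial-access", "T1190"),   # Exploit Public-Facing App
                                ("persistence", "T1505")},     # Server Software Component
    "Insider and Privilege Misuse": {("initial-access", "T1078"),  # Valid Accounts
                                     ("collection", "T1005")},     # Data from Local System
}

# Constructed: hypothetical Safeguard names and the techniques each is assumed to mitigate.
SAFEGUARD_MITIGATES = {
    "patch-management": {"T1190", "T1505"},
    "email-filtering": {"T1566"},
    "script-control": {"T1059"},
    "offline-backups": {"T1486"},
    "mfa": {"T1078"},
}


def techniques_covered(safeguards):
    """Union of techniques mitigated by the chosen Safeguards."""
    covered = set()
    for name in safeguards:
        covered |= SAFEGUARD_MITIGATES.get(name, set())
    return covered


def pattern_coverage(safeguards):
    """Fraction of each attack pattern's techniques that the Safeguard set mitigates."""
    covered = techniques_covered(safeguards)
    result = {}
    for pattern, steps in ATTACK_PATTERNS.items():
        techs = {tech for _, tech in steps}
        result[pattern] = len(techs & covered) / len(techs)
    return result


def tactic_coverage(safeguards):
    """Coverage per tactic across all patterns: the attacker life-cycle view."""
    covered = techniques_covered(safeguards)
    per_tactic = defaultdict(set)
    for steps in ATTACK_PATTERNS.values():
        for tactic, tech in steps:
            per_tactic[tactic].add(tech)
    return {t: len(techs & covered) / len(techs) for t, techs in per_tactic.items()}


def safeguard_value(safeguard):
    """Number of attack steps across all patterns that one Safeguard defends against."""
    mitigated = SAFEGUARD_MITIGATES.get(safeguard, set())
    return sum(1 for steps in ATTACK_PATTERNS.values() for _, t in steps if t in mitigated)
```

A real CDM analysis uses CIS's published Safeguard-to-technique mappings in place of the constructed table, but the per-pattern and per-tactic coverage calculation is the same.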
Why CIS Controls are Important for System Hardening
System hardening involves implementing security measures to reduce vulnerabilities and protect against potential threats. The CIS Controls play a vital role in system hardening by giving organizations a structured, comprehensive framework for strengthening their cybersecurity defenses.
The Controls are developed based on real-world attack data and insights from cybersecurity experts. This means they are rooted in practical experiences and reflect the evolving threat landscape, making them highly relevant and applicable to organizations across various industries.
Implementing the CIS Controls is essential for system hardening. Learn more about how CalCom's Hardening Automation Suite can help you increase your security posture.