The CIS Critical Security Controls are a prioritized set of security safeguards developed by the Center for Internet Security (CIS) to defend against the most prevalent cyberattacks. The Controls distill key security concepts into actionable steps, giving organizations a clear starting point for improving their security posture.

Version 8.1 Updates (June 2024)

Version 8.1 added Govern as a sixth security function, aligning the Controls with NIST CSF 2.0; the six functions are Identify, Protect, Detect, Respond, Recover, and Govern. A Documentation asset class (plans, policies, procedures) was added, and the glossary was expanded with definitions for the reserved words used throughout the safeguards.

Implementation Groups

CIS Controls use Implementation Groups (IG) to help organizations prioritize based on their risk profile and resources.

IG1 - Essential Cyber Hygiene (56 safeguards)

IG1 is typically a small to medium organization with limited IT/cybersecurity expertise. It is the minimum set of safeguards that every organization should implement regardless of size. IG1 defends against the most common, non-targeted attacks and provides the greatest risk reduction for the least investment.

IG2 (IG1 + 74 additional safeguards)

IG2 is for organizations with dedicated IT staff, moderate complexity, and greater risk profiles. These organizations typically store sensitive client or organizational information across multiple departments.

IG3 (All 153 safeguards)

IG3 is for large or high-risk organizations with security specialists handling sensitive or regulated data. IG3 safeguards are intended to blunt targeted attacks by sophisticated adversaries and to reduce the impact of zero-day attacks; they do not prevent zero-days outright.

The groups are cumulative: IG2 includes all of IG1, and IG3 includes all of IG2. Every organization should complete IG1 before progressing to the higher groups. Attempting IG2 without completing IG1 builds advanced security on an unstable foundation.

The 18 Control Categories

Basic Controls (1-6)

(CIS retired the Basic/Foundational/Organizational tiers of v7 when v8 reduced the set to 18 controls; v8 prioritizes by Implementation Group instead. The three headings here are retained as a reading order, not as a v8 construct.) Control 1 covers Inventory and Control of Enterprise Assets, including end-user devices, network devices, IoT, and servers. Control 2 addresses Inventory and Control of Software Assets so that only authorized, currently supported software runs. Control 3 focuses on Data Protection, including classification, handling, retention, and disposal. Control 4 establishes Secure Configuration baselines for enterprise assets and software. Control 5 (Account Management) manages credentials for user, administrator, and service accounts. Control 6 (Access Control Management) governs the privileges and permissions those accounts hold.
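The first two controls only pay off if the inventory is actually reconciled against what is on the network and on the hosts. The following script is an added example, not code from CIS or from the page: it reconciles a DHCP server log against an authorized asset register (Control 1, where DHCP logging is one of the feeds CIS names for keeping the asset inventory current) and an installed-package listing against a software allowlist and a list of software that is no longer vendor-supported (Control 2). The register, allowlist, unsupported list, log lines, and package listing are all constructed; the log lines mimic the DHCPACK line format of ISC dhcpd, and the package listing mimics `dpkg-query -W` output.

```python
"""Inventory reconciliation for CIS Controls 1 and 2 (added example, constructed data)."""
import re

# Constructed authorized asset register (Control 1): MAC address -> hostname.
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": "ws-fin-01",
    "aa:bb:cc:00:00:02": "srv-db-01",
    "aa:bb:cc:00:00:03": "printer-2f",
}

# Constructed syslog lines in ISC dhcpd's format. Only DHCPACK lines record a
# completed lease; DISCOVER/OFFER lines are ignored. The last line repeats a MAC
# in upper case to show that matching must normalise case.
DHCP_LOG = """\
Jun  3 09:12:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.21 to aa:bb:cc:00:00:01 (ws-fin-01) via eth0
Jun  3 09:12:44 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.22 to aa:bb:cc:00:00:02 via eth0
Jun  3 09:15:09 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.57 to de:ad:be:ef:12:34 (android-7f3) via eth0
Jun  3 09:16:30 dhcp1 dhcpd[812]: DHCPDISCOVER from de:ad:be:ef:12:34 via eth0
Jun  3 09:17:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.21 to AA:BB:CC:00:00:01 (ws-fin-01) via eth0
"""

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-fA-F:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def unauthorized_assets(log_text, register):
    """Return {mac: (ip, hostname)} for every leased MAC that is not in the register.

    The latest lease per MAC wins, so a device that moved addresses is reported once.
    """
    seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if not m:
            continue
        mac = m.group("mac").lower()
        seen[mac] = (m.group("ip"), m.group("host") or "")
    return {mac: lease for mac, lease in seen.items() if mac not in register}


# Constructed software allowlist (Control 2, safeguard 2.1-style inventory) and a
# constructed list of packages whose vendor support has ended (safeguard 2.2-style).
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "postgresql-14", "python3"}
UNSUPPORTED_SOFTWARE = {"postgresql-9.6"}

# Constructed output in the shape of: dpkg-query -W -f='${Package}\t${Version}\n'
INSTALLED = """\
openssh-server\t1:9.2p1-2
nginx\t1.22.1-9
postgresql-14\t14.10-0+deb12u1
postgresql-9.6\t9.6.24-1
ncat\t7.93+dfsg1-1
"""


def software_findings(installed_text, allowlist, unsupported):
    """Classify installed packages as unsupported or unauthorized.

    Unsupported is checked first: an end-of-life package is the more urgent finding
    even when it also happens to be absent from the allowlist.
    """
    findings = {"unauthorized": [], "unsupported": []}
    for line in installed_text.splitlines():
        if not line.strip():
            continue
        name, _, version = line.partition("\t")
        if name in unsupported:
            findings["unsupported"].append(f"{name} {version}")
        elif name not in allowlist:
            findings["unauthorized"].append(f"{name} {version}")
    return findings


if __name__ == "__main__":
    for mac, (ip, host) in unauthorized_assets(DHCP_LOG, AUTHORIZED_ASSETS).items():
        print(f"[Control 1] unauthorized asset {mac} at {ip} ({host or 'no hostname'})")
    for kind, items in software_findings(INSTALLED, AUTHORIZED_SOFTWARE, UNSUPPORTED_SOFTWARE).items():
        for item in items:
            print(f"[Control 2] {kind}: {item}")
```

In practice the register and allowlist come from the asset and software inventories the controls require, and the log and package listing come from the DHCP server and from each host; the reconciliation logic is the same, and the findings feed the "address unauthorized assets/software" safeguards (remove, quarantine, or document an exception).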

Foundational Controls (7-16)

Control 7 implements Continuous Vulnerability Management. Control 8 handles Audit Log Management for security monitoring. Control 9 provides Email and Web Browser Protections. Control 10 deploys Malware Defenses. Control 11 ensures Data Recovery capabilities. Control 12 manages Network Infrastructure securely. Control 13 establishes Network Monitoring and Defense. Control 14 delivers Security Awareness and Skills Training. Control 15 covers Service Provider Management for third parties. Control 16 addresses Application Software Security.

Organizational Controls (17-18)

Control 17 develops Incident Response Management capabilities. Control 18 conducts Penetration Testing to validate controls.

Relationship to Other Frameworks

CIS Controls are technical and prescriptive, while NIST CSF is strategic and outcome-based. Organizations commonly use NIST CSF for direction and CIS Controls for implementation. ISO 27001 is a certifiable management-system standard; CIS Controls are often used as the concrete safeguards that satisfy its Annex A control requirements.

Official CIS mappings are available for NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST SP 800-171, and ISO 27001:2022. The controls also map to PCI DSS, HIPAA, GDPR, CMMC, DORA, and NIS2.

Implementation Approach

Phase 1 involves assessment and foundation including asset inventory, risk assessment, and gap analysis against CIS Controls. Phase 2 establishes foundational defenses through asset management, secure configurations, and privileged access management. Phase 3 strengthens security with vulnerability management, malware defenses, and penetration testing. Phase 4 focuses on continuous improvement through monitoring and adaptation to evolving threats.

Organizations should expect 1-3 years to achieve initial conformance with critical controls.

Who Uses CIS Controls

Healthcare organizations use CIS Controls to safeguard patient data and support HIPAA compliance; CIS Controls v8.1 maps to the HHS Healthcare and Public Health (HPH) Cybersecurity Performance Goals. Government agencies at the federal, state, and local levels use the Controls to protect public information and critical infrastructure. CIS also hosts the Multi-State Information Sharing and Analysis Center (MS-ISAC), which serves US state, local, tribal, and territorial entities.

Financial services, education, critical infrastructure, manufacturing, and retail organizations all benefit from the framework’s prioritized approach.

Proven Results

When the US State Department implemented an early version of the Controls in 2009, it achieved an 88% reduction in vulnerability-based risk across 85,000 systems.

Resources

CIS provides the CIS Controls Self Assessment Tool (CSAT) for tracking safeguard implementation and reporting to stakeholders. Implementation guides are available for SMEs. CIS Benchmarks provide the configuration guidance for specific technologies that Control 4 calls for. All resources are available at cisecurity.org.