Understanding the CIS Framework

What is the CIS Framework?

CIS is a cybersecurity framework that represents best practice recommendations from the Center for Internet Security to protect your organization from cyber threats. You can use controls from CIS as a foundation for your cybersecurity program, and like many cybersecurity frameworks, you can adopt some of the CIS controls to establish your core cybersecurity program and then build and scale with additional controls and sub-controls over time.

CIS released CIS v8 in the spring of 2021. Controls within CIS v8 are similar to action items. You can adapt them to create a defense against common and pervasive cyber threats. Unlike some more extensive cybersecurity frameworks, the list of 18 CIS controls is considered a high priority for organizations regardless of program maturity.

In this CIS knowledgebase, we’ll explore these controls, examine implementation groupings, and share information about who should be CIS compliant, as well as benefits of adopting CIS best practices.

Understanding the CIS Framework

CIS is a cybersecurity framework that represents actions you can take to protect your organization from cyber threats. The 20 controls outlined in CIS are prioritized actions to help protect your systems, data and networks. There are more than 170 related sub-controls that form action-specific items you can implement to build or mature your cybersecurity practices.

Overseen by the Center for Internet Security, a group of IT and security experts united to define controls outlined in CIS, which are considered industry best practices. As cyber breaches and attacks continue to increase across most industries around the globe, over time, cybersecurity professionals have become inundated with recommendations for how to best protect their attack surfaces. To address the growing threats, CIS defined this framework to focus on the most effective and critical controls an organization needs for security.

While CIS controls are great tools for preventing breaches, they can also help you deal with systems attackers that have been breached and guide you on ways to prevent additional damage, data loss, or exfiltration.

There are five primary tenants that underpin CIS controls:

1. Offense informs defense: You can apply knowledge from real-world attacks to learn how to build an effective defense.

2. Prioritization: Start your program by implementing controls that will decrease the greatest amount of risk.

3. Measurements and metrics: Understand and share program metrics with your executives and key stakeholders so you can continuously adapt and improve your program.

4. Continuous diagnostics and mitigation: Continuously evaluate your program’s effectiveness to ensure your controls work as designed and make plans to mitigate gaps and weaknesses.

5. Automation: Adopt automation to facilitate continuous security actions and related metrics.

CIS Implementation

If you’re considering implementing CIS controls, it’s important to understand how controls are prioritized. You should start at control 1 and work your way through the rest. To help facilitate this scalability, the 20 controls are broken into three implementation groups, which we’ll discuss in more detail later, but here’s a quick summary:

Implementation Group 1 is suitable for organizations with limited resources and cybersecurity knowledge.

Implementation Group 2 is suitable for organizations with moderate resources and cybersecurity knowledge.

Implementation Group 3 is suitable for more mature organizations with more resources and cybersecurity knowledge.

CIS Benchmarks

We mentioned earlier how IT and security experts worked together to establish globally recognized, cross-industry cybersecurity controls outlined in CIS. In addition to these controls, IT and security professionals helped create CIS Benchmarks that outline more than 100 configuration guidelines for more than 25 vendor product families to reduce the risk of cyber threats.

CIS benchmarks are best practices security configuration guidelines that secure target systems.

Benchmarks exist for a range of:

• Operating systems
• Server software
• Cloud providers
• Mobile devices
• Network devices
• Desktop software
• Multi-functional print devices

These benchmarks are routinely updated and each one generally consists of multiple configuration profiles. These profiles are divided into two distinct profile levels:

• Level 1: These are base recommendations you can quickly implement that should not impact performance or hinder operations.
• Level 2: These are “defense-in-depth” recommendations and if not implemented properly may adversely affect your operations.

CIS Hardened Images

In addition to CIS Benchmarks, CIS also has pre-configured virtual machine images configured to CIS Benchmark standards. Unlike a standard virtual machine, a hardened virtual machine is configured to limit weaknesses threat actors could exploit. You can use hardened virtual machines as secure computing environments with protection against a variety of threats including unauthorized access, data exfiltration, denial of service, and other risks.

All CIS hardened images are configured to CIS Benchmarks, meaning they employ best practices for cybersecurity. They include CIS-CAT Pro conformance and exception reports. These hardened images are available across a variety of platforms including:

• Amazon Web Services (AWS Marketplace, AWS IC, and AWS GovCloud)
• Microsoft Azure (Azure Marketplace and Azure Gov Marketplace)
• Google Cloud Platform
• Oracle Cloud Marketplace

To learn more about CIS hardened images, visit https://www.cisecurity.org/cis-hardened-images.

Building a Successful CIS Engagement Strategy

If you’re new to building a cybersecurity program or you have a more mature program and you want to evaluate its effectiveness, CIS v7 controls are a great place to start. But where do you begin? How do you build a successful CIS engagement strategy for your organization to keep it secure?

In Apptega’s CIS v7.1 Compliance Guide, we start by giving you a high-level overview of who CIS is, what the organization does, and the intent of CIS controls. The compliance guide is also a wonderful resource to help you dive further into CIS control implementation groups and to better understand the role of CIS-compliant hardened images and how they can save your organization valuable time as a starting point for secure operating systems.

In addition to examining each of the 20 CIS controls, this guide also provides insight into how to implement CIS controls and what you need to ensure you have proper documentation of your security processes.

Who Needs to be CIS Compliant?

A number of professionals have asked us if their organization should be CIS compliant. The answer is a resounding yes!

Regardless of your industry or organization size or type, it’s a good idea to become CIS compliant. Why? Because adopting CIS controls can prepare your organization to build a strong defense against cyber-attacks, give you the tools you need to respond if a breach occurs, help you stop an attack from moving throughout your network, and limit compromise to other systems.

In addition to implementing and testing CIS controls, to become CIS compliant you won’t have to pass a formal certification or assessment, but you can self-evaluate planning, and mitigation.

The key here is proper documentation and measurement of your CIS control effectiveness. You should create supporting policies and procedures and be sure to document those and other critical metrics including specifications and configuration requirements.

Don’t forget validation as part of your documentation processes. It’s not enough to just implement the controls and walk away. You should also work with your team to ensure each person understands expectations and requirements and that all controls function as they should under a wide variety of circumstances. Internal testing and auditing practices are key for CIS compliance success.

Understanding the Driving Principles for CIS

To help facilitate CIS implementation and adoption, the experts who worked together to develop the global, cross-industry CIS standards did so by embracing seven core principles. These core principles can help guide your organization on your journey to become CIS compliant.

Here are the principles and an overview of what they’re designed to do:

Address current attacks, tech, and changing requirements
CIS controls reflect current trends, the threat landscape, the proliferation of cybersecurity tools and resources, and other pressing challenges modern organizations face today securing their enterprises.

Key topic focus
CIS controls address and offer guidance for common security issues such as authentication, encryption, app whitelists, and more.

Framework alignment
CIS v7 controls work hand-in-hand with other cybersecurity frameworks and can easily be mapped to others.

Improve consistency and wording
The most current controls and sub-controls are clearer and simplified so it’s easier for to understand, implement, and measure.

Stronger foundation for integrations
Updated CIS controls make it easier to adopt and integrate them into other products, services, and decision-making processes.

Structural changes
The content with CIS v7 is restructured to be more responsive to diverse organizations.

Feedback
CIS will continue to garner feedback about the controls to make future adjustments and improvements as needed.

Understanding CIS Controls

There are 18 CIS controls. These controls are divided into three core areas: basic, foundational, and organizational. To implement an information security program from these controls, begin with basic controls (1-6), then move to foundational controls (7-16), and then finally adopt and implement the organizational controls (17-20). There are more than 150 related sub-controls in this framework.

Basic CIS Controls

1. Inventory and Control of Hardware Assets
This control guides how you inventory, track, manage and address all hardware on your network including controls that limit unauthorized access. There are eight sub-controls related to managing assets that cover security functions of identification, response, and protection:

• 1.1 Utilize an Active Discovery Tool
• 1.2 Use a Passive Asset Discovery Tool
• 1.3 Use DHCP Logging to Update Asset Inventory
• 1.4 Maintain Detailed Asset Inventory
• 1.5 Maintain Asset Inventory Information
• 1.6 Address Unauthorized Assets
• 1.7 Deploy Port Level Access Control
• 1.8 Utilize Client Certificates to Authenticate Hardware Assets

2. Inventory and Control of Software Assets
This control guides how you inventory, track, manage and address all software on your network including ensuring only approved software installation on your devices and management strategies for unauthorized software. There are 10 sub-controls related to managing assets that cover security functions of identification, response, and protection:

• 2.1 Maintain Inventory of Authorized Software
• 2.2 Ensure Software is Supported by Vendor
• 2.3 Utilize Software Inventory Tools
• 2.4 Track Software Inventory Information
• 2.5 Integrate Software and Hardware Asset Inventories
• 2.6 Address Unapproved Software
• 2.7 Utilize Application Whitelisting
• 2.8 Implement Application Whitelisting of Libraries
• 2.9 Implement Application Whitelisting of Scripts
• 2.10 Physically or Logically Segregate High Risk Applications

3. Continuous Vulnerability Management
This control guides continuous management of vulnerabilities including how you discover them, remediate issues and decrease and close security gaps. There are seven sub-controls related to managing assets that cover security functions of detection, response, and protection:

• 3.1 Run Automated Vulnerability Scanning Tools
• 3.2 Perform Authenticated Vulnerability Scanning
• 3.3 Protect Dedicated Assessment Accounts
• 3.4 Deploy Automated Operating System Patch Management Tools
• 3.5 Deploy Automated Software Patch Management Tools
• 3.6 Compare Back-to-back Vulnerability Scans
• 3.7 Utilize a Risk-rating Process

4. Controlled Use of Administrative Privileges
This control outlines the processes and tools you will use to track, control, prevent, and correct administrative privileges on computers, networks and applications including use, assignment, and configuration. There are nine sub-controls related to managing assets that cover security functions of detection and protection:

• 4.1 Maintain Inventory of Administrative Accounts
• 4.2 Change Default Passwords
• 4.3 Ensure the Use of Dedicated Administrative Accounts
• 4.4 Use Unique Passwords
• 4.5 Use Multifactor Authentication For All Administrative Access
• 4.6 Use Dedicated Workstations For All Administrative
• 4.7 Limit Access to Scripting Tools
• 4.8 Log and Alert on Changes to Administrative Group Membership
• 4.9 Log and Alert on Unsuccessful Administrative Account Login

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
This control outlines how you will create, implement and manage security configurations for mobile devices, laptops, work stations, and servers including configuration management and change control processes. There are five sub-controls related to managing assets that cover security functions of detection and protection:

• 5.1 Establish Secure Configurations
• 5.2 Maintain Secure Images
• 5.3 Securely Store Master Images
• 5.4 Deploy System Configuration Management Tools
• 5.5 Implement Automated Configuration Monitoring Systems

6. Maintenance, Monitoring and Analysis of Audit Logs
This control outlines how you will collect, manage and analyze your audit logs. There are eight sub-controls related to managing assets that cover the detection security function:

• 6.1 Utilize Three Synchronized Time Sources
• 6.2 Activate Audit Logging
• 6.3 Enable Detailed Logging
• 6.4 Ensure Adequate Storage for Logs
• 6.5 Central Log Management
• 6.6 Deploy SIEM or Log Analytic Tools
• 6.7 Regularly Review Logs Regularly Tune SIEM

Foundational CIS Controls

7. Email and Web Browser Protections
This control outlines how you can minimize your attack surface, specifically relating to web browsers and email. There are 10 sub-controls related to managing assets that cover the detection and protection security functions:

• 7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
• 7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
• 7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
• 7.4 Maintain and Enforce Network-Based URL Filters
• 7.5 Subscribe to URL-Categorization Service
• 7.6 Log all URL Requests
• 7.7 Use of DNS Filtering Services
• 7.8 Implement DMARC and Enable Receiver- Side Verification
• 7.9 Block Unnecessary File Types
• 7.10 Sandbox All Email Attachments

8. Malware Defenses
This control outlines installation, spread, and malicious code execution with optimized automation for defense strategies and remediation. There are eight sub-controls related to managing assets that cover the detection and protection security functions:

• 8.1 Utilize Centrally Managed Anti-Malware Software
• 8.2 Ensure Anti-Malware Software and Signatures are Updated
• 8.3 Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies
• 8.4 Configure Anti-Malware Scanning of Removable Devices
• 8.5 Configure Devices to Not Auto-Run Content
• 8.6 Centralize Anti-Malware Logging
• 8.7 Enable DNS Query Logging
• 8.8 Enable Command-Line Audit Logging

9. Limitation and Control of Network Ports, Protocols and Services
This control outlines how you will track, control, and correct issues regarding port usage, protocols, and services for your network devices. There are five sub-controls related to managing assets that cover the security functions for detection, identification, and protection:

• 9.1 Associate Active Ports, Services and Protocols to Asset Inventory
• 9.2 Ensure Only Approved Ports, Protocols and Services Are Running
• 9.3 Perform Regular Automated Port Scans
• 9.4 Apply Host-Based Firewalls or Port Filtering
• 9.5 Implement Application Firewalls

10. Data Recovery Capabilities
This control outlines the processes and tools you should use for critical information backup and timely recovery. There are five sub-controls related to managing assets that cover the protection security function:

• 10.1 Ensure Regular Automated Backups
• 10.2 Perform Complete System Backups
• 10.3 Test Data on Backup Media
• 10.4 Protect Backups
• 10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
This control outlines how you will establish, implement, and manage your network infrastructure security configuration and change control processes. There are seven sub-controls related to managing assets that cover the security functions of detection, identification, and protection:

• 11.1 Maintain Standard Security Configurations for Network Devices
• 11.2 Document Traffic Configuration Rules
• 11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
• 11.4 Install the Latest Stable Version of Any Security- Related Updates on All Network Devices
• 11.5 Manage Network Devices Using Multi- Factor Authentication and Encrypted Sessions
• 11.6 Use Dedicated Workstations For All Network Administrative Tasks
• 11.7 Manage Network Infrastructure Through a Dedicated Network

12. Boundary Defense
This control outlines how you will detection, prevent, and correction information flow on networks with different trust levels. There are 12 sub-controls related to managing assets that cover the security functions of detection and protection:

• 12.1 Maintain an Inventory of Network Boundaries
• 12.2 Scan for Unauthorized Connections across Trusted Network Boundaries
• 12.3 Deny Communications with Known Malicious IP Addresses
• 12.4 Deny Communication over Unauthorized Ports
• 12.5 Configure Monitoring Systems to Record Network Packets
• 12.6 Deploy Network-Based IDS Sensors
• 12.7 Deploy Network-Based Intrusion Prevention Systems
• 12.8 Deploy NetFlow Collection on Networking Boundary Devices
• 12.9 Deploy Application Layer Filtering Proxy Server
• 12.10 Decrypt Network Traffic at Proxy
• 12.11 Require All Remote Logins to Use Multi- Factor Authentication
• 12.12 Manage All Devices Remotely Logging into Internal Network

13. Data Protection

This control outlines the processes and tools you will use to stop exfiltration of data and mitigate exfiltration effects to protect privacy for sensitive information. There are nine sub-controls related to managing assets that cover the security functions of detection, identification, and protection:

• 13.1 Maintain an Inventory of Sensitive Information
• 13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
• 13.3 Monitor and Block Unauthorized Network Traffic
• 13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
• 13.5 Monitor and Detect Any Unauthorized Use of Encryption
• 13.6 Encrypt the Hard Drive of All Mobile Devices
• 13.7 Manage USB Devices
• 13.8 Manage System’s External Removable Media’s Read/Write Configurations
• 13.9 Encrypt Data on USB Storage Devices

14. Controlled Access Based on the Need to Know
This control outlines the processes and tools you will use track, control, prevent, and correct access issues for critical assets based on approved classifications. There are nine sub-controls related to managing assets that cover the security functions of detection and protection:

• 14.1 Segment the Network Based on Sensitivity
• 14.2 Enable Firewall Filtering Between VLANs
• 14.3 Disable Workstation to Workstation Communication
• 14.4 Encrypt All Sensitive Information in Transit
• 14.5 Utilize an Active Discovery Tool to Identify Sensitive Data
• 14.6 Protect Information through Access Control Lists
• 14.7 Enforce Access Control to Data through Automated Tools
• 14.8 Encrypt Sensitive Information at Rest
• 14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

15. Wireless Access Control
This control outlines the processes and tools you will use track, control, prevent, and correct security issues for wireless local area networks (WLANs), access points, and other wireless client systems. There are 10 sub-controls related to managing assets that cover the security functions of detection, identification, and protection:

• 15.1 Maintain an Inventory of Authorized Wireless Access Points
• 15.2 Detect Wireless Access Points Connected to the Wired Network
• 15.3 Use a Wireless Intrusion Detection System
• 15.4 Disable Wireless Access on Devices if it is Not Required
• 15.5 Limit Wireless Access on Client Devices
• 15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
• 15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
• 15.8 Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
• 15.9 Disable Wireless Peripheral Access to Devices
• 15.10 Create Separate Wireless Network for Personal and Untrusted Devices

16. Account Monitoring and Control
This control outlines how you will actively manage system and application account lifecycles, including creation, use, dormancy, and deletion. There are 13 sub-controls related to managing assets that cover the security functions of detection, identification, protection, and response:

• 16.1 Maintain an Inventory of Authentication Systems
• 16.2 Configure Centralized Point of Authentication
• 16.3 Require Multi-Factor Authentication
• 16.4 Encrypt or Hash all Authentication Credentials
• 16.5 Encrypt Transmittal of Username and Authentication Credentials
• 16.6 Maintain an Inventory of Accounts
• 16.7 Establish Process for Revoking Access
• 16.8 Disable Any Unassociated Accounts
• 16.9 Disable Dormant Accounts
• 16.10 Ensure All Accounts Have An Expiration Date
• 16.11 Lock Workstation Sessions After Inactivity
• 16.12 Monitor Attempts to Access Deactivated Accounts
• 16.13 Alert on Account Login Behavior Deviation

Organization Controls

17. Implement a Security Awareness and Training Program
This control outlines how you will address functional roles within your organization, including identification of knowledge, skills, and abilities for the roles. This control also outlines how you will develop and execute an integrated plan for assessing, identification, and remediation of gaps using policies, planning, training, and awareness programs. There are nine sub-controls:

• 17.1 Perform a Skills Gap Analysis
• 17.2 Deliver Training to Fill the Skills Gap
• 17.3 Implement a Security Awareness Program
• 17.4 Update Awareness Content Frequently
• 17.5 Train Workforce on Secure Authentication
• 17.6 Train Workforce on Identifying Social Engineering Attacks
• 17.7 Train Workforce on Sensitive Data Handling
• 17.8 Train Workforce on Causes of Unintentional Data Exposure
• 17.9 Train Workforce Members on Identifying and Reporting Incidents

18. Application Software Security
This control outlines how you will manage the security lifecycle for all of your software to prevent, detect, and fix security issues. There are 11 sub-controls:

• 18.1 Establish Secure Coding Practices
• 18.2 Ensure Explicit Error Checking is Performed for All In-House Developed Software
• 18.3 Verify That Acquired Software is Still Supported
• 18.4 Only Use Up-to-Date And Trusted Third-Party Components
• 18.5 Only Standardized and Extensively Reviewed Encryption Algorithms
• 18.6 Ensure Software Development Personnel are Trained in Secure Coding
• 18.7 Apply Static and Dynamic Code Analysis Tools
• 18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
• 18.9 Separate Production and Non-Production Systems
• 18.10 Deploy Web Application Firewalls
• 18.11 Use Standard Hardening Configuration Templates for Databases

19. Incident Response and Management
This control outlines how you will protect your organization’s information and reputation through the use of incident response practices so you can quickly identify an attack, contain the damage, remove the attack from your systems, and restore system integrity. There are eight sub-controls:

• 19.1 Document Incident Response Procedures
• 19.2 Assign Job Titles and Duties for Incident Response
• 19.3 Designate Management Personnel to Support Incident Handling
• 19.4 Devise Organization-wide Standards for Reporting Incidents
• 19.5 Maintain Contact Information For Reporting Security Incidents
• 19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
• 19.7 Conduct Periodic Incident Scenario Sessions for Personnel
• 19.8 Create Incident Scoring and Prioritization Schema

20. Penetration Tests and Red Team Exercises
This control will simulate the objectives and actions for an attacker to help you test your organization’s security defenses including technology, people, and processes. There are eight sub-controls:

• 20.1 Establish a Penetration Testing Program
• 20.2 Conduct Regular External and Internal Penetration Tests
• 20.3 Perform Periodic Red Team Exercises
• 20.4 Include Tests for Presence of Unprotected System Information and Artifacts
• 20.5 Create a Test Bed for Elements Not Typically Tested in Production
• 20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
• 20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
• 20.8 Control and Monitor Accounts Associated with Penetration Testing

Understanding CIS Implementation Groups

The 20 CIS controls are divided among three implementation groups. These groups will help you set the foundation of your cybersecurity program and scale it. Let’s look at each of these three groups and to see which stage best suits your program now and your plans for maturing the program in the future.

• Implementation Group 1: For organizations with limited resources and experience to implement CIS sub-controls.
• Implementation Group 3: For organizations with significant resources and experience to allocate to CIS sub-controls.
• Implementation Group 2: For organizations with moderate resources and experience to implement CIS sub-controls.

While there is no formal certification for CIS compliance, you can self-assess control implementation, effectiveness, and documentation through each of these three implementation groups.

Consider controls and sub-controls in Implementation Group 1 as elements of basic cyber hygiene. Group 2 builds off group one and then Group 3 continues that momentum by building off Group 1 and Group 2.

While these tiered groupings help you mature your cybersecurity practices, they also often reflect increased organizational size and complexity, which can introduce additional security risks. As you move through the implementation groups into higher levels, you may want to adopt additional controls for stronger security.

CIS FAQs

Still have a question?

Get in touch with us and we would be happy to help.