Center for Internet Security (CIS) Releases CIS Critical Security Controls v8 to Reflect Evolving Technology, Threats
Version 8 is organized by activity, resulting in fewer Critical Security Controls and Safeguards
EAST GREENBUSH, N.Y., May 18, 2021 – As enterprises continue to integrate cloud resources and mobile devices into their networks, the Center for Internet Security, Inc. (CIS®) announces the launch of CIS Controls v8. The updated Controls have been enhanced to keep up with modern systems and software, and the ever-changing cyber ecosystem, and includes cloud and mobile technologies.
CIS Controls v8 has other changes as well; the new version combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important in the new version; this is reflected through revised terminology and grouping of Safeguards (formerly Sub-Controls), resulting in a decrease of the number of Controls from 20 to 18. The 18 top-level Controls contain 153 Safeguards that provide a prioritized path to improve an enterprise’s cybersecurity posture.
“Whether you use the CIS Controls or another framework to guide your cybersecurity program, you should recognize that it’s not just about the list,” said Curtis Dukes, CIS Executive Vice President and General Manager, Security Best Practices. “Think of the Controls as a prioritized set of actions to take to provide an effective cyber defense. It’s important to look for the ecosystem that grows up around the list.”
The v8 release is not just an update to the Controls; the whole ecosystem surrounding the Controls has been (or soon will be) updated as well. This includes:
- CIS Controls Self Assessment Tool (CSAT) (Hosted & Pro) – a way for enterprises to conduct, track, and assess their implementation of the CIS Controls over time, and measure implementation against industry peers; CIS CSAT hosted is free for use in a non-commercial capacity
- Updated CIS CSAT Pro – on-premises, data sharing optional, different user roles for different organizations, separation of administrative function, different look and feel
- Community Defense Model (CDM) – data-driven, rigorous, transparent approach that helps prioritize the Controls based on the evolving threat; CDM v1.0 utilized the 2019 Verizon Data Breach Investigations Report (DBIR) to determine top attacks and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3
- CDM v2.0 – Maps Safeguards as mitigations down to the ATT&CK Technique and Sub-Technique level (MITRE ATT&CK Framework v8.2), uses well-known industry threat reporting to determine the top attack types
- CIS Risk Assessment Method (CIS RAM) – helps an enterprise justify investments for reasonable implementation of the CIS Controls, define their acceptable level of risk, prioritize and implement the CIS Controls reasonably, and help demonstrate “due care”
- CIS RAM 2.0 – includes a simplified CIS RAM worksheet for IG1, and additional modules tailored to developing key risk indicators using quantitative analysis
- CIS Controls Mobile Companion Guide – helps enterprises implement the consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile application
- CIS Controls Cloud Companion Guide – guidance on how to apply the security best practices found in CIS Controls v8 to any cloud environment from the consumer/customer perspective
- Mappings to other regulatory frameworks – enterprises that implement the CIS Controls can show compliance to other frameworks
CIS Controls v8 and some of these tools and resources are available today. As additional resources are updated, they’ll be added to the v8 page.
Developed by a community of cybersecurity experts and partners, the updated CIS Controls cooperate with and point to existing independent standards and security recommendations where they exist. The Cloud Security Alliance (CSA) provided input into v8 to help users secure their cloud environments, and SAFECode was a key contributor to the application software security Control (CIS Control 16).
SANS served on the editorial panel of Controls v8 and offers two training and one certification course focused on CIS Controls v8:
- SEC440: CIS Critical Controls: A Practical Introduction
- SEC566: Implementing and Auditing CIS Critical Controls
- GIAC Critical Controls Certification (GCCC)
The CIS Controls are a prioritized set of Safeguards to mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks, and have recently been included in state cybersecurity statutes in Ohio and Utah.
The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.