18 is the New 20: CIS Critical Security Controls v8 is Here!

By: Autum Pylant

The moment we’ve all been waiting for is finally here. The Center for Internet Security (CIS) officially launched CIS Critical Security Controls (CIS Controls) v8, which was enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace. The pandemic changed a lot of things, and it also prompted changes in the CIS Controls.

The newest version of the Controls now includes cloud and mobile technologies. There’s even a new CIS Control, Service Provider Management, which provides guidance on how enterprises can manage their cloud services.


Task-Based Focus Regardless of Who’s Executing the Control

Since networks are basically borderless, meaning there is no longer an enclosed, centralized network where all the endpoints reside, the Controls are now organized by activity rather than by how (or by whom) things are managed.

Efforts to streamline the Controls and organize them by activity resulted in fewer Controls and fewer Safeguards (formerly Sub-Controls). There are now 18 top-level Controls and 153 Safeguards dispersed amongst the three Implementation Groups (IGs).

You read that right; there are no longer 20 CIS Controls. Apparently, 18 is the new 20!

IG1 = Basic Cyber Hygiene

CIS Controls v8 officially defines IG1 as basic cyber hygiene, an emerging minimum standard of information security for all enterprises. IG1 (56 Safeguards) is a foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most prevalent attacks. IG2 (an additional 74 Safeguards) and IG3 (an additional 23 Safeguards) build upon the previous IGs, with IG1 being the on-ramp to the Controls and IG3 including all the Safeguards, for a total of 153.

The recently released 2021 Verizon Data Breach Investigations Report (DBIR) mentioned CIS Controls v8 by name, calling out the implementation groups. Through a combination of mappings to Verizon’s revamped incident classification patterns, IGs, and security functions of the CIS Controls, they identified a core set of Controls that every enterprise should implement regardless of size and budget:
  • Control 4: Secure Configuration of Enterprise Assets and Software
  • Control 5: Account Management
  • Control 6: Access Control Management
  • Control 14: Security Awareness and Skills Training

The CIS Controls Ecosystem: It’s Not About the List

The v8 release is not just an update to the Controls; the whole ecosystem surrounding the Controls has been (or soon will be) updated as well. This includes:

  • CIS Controls Self Assessment Tool (CSAT) (Hosted & Pro) – a way for enterprises to conduct, track, and assess their implementation of the CIS Controls over time, and to measure implementation against industry peers; CIS CSAT Hosted is free for use in a non-commercial capacity
    • Updated CIS CSAT Pro – on-premises, data sharing optional, different user roles for different organizations, separation of administrative function, different look and feel
  • Community Defense Model (CDM) – data-driven, rigorous, transparent approach that helps prioritize the Controls based on the evolving threat; CDM v1.0 utilized the 2019 Verizon Data Breach Investigations Report (DBIR) to determine top attacks and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3
    • CDM v2.0 – Maps Safeguards as mitigations down to the ATT&CK Technique and Sub-Technique level (MITRE ATT&CK Framework v8.2), uses well-known industry threat reporting to determine the top attack types
  • CIS Risk Assessment Method (CIS RAM) – helps an enterprise justify investments for reasonable implementation of the CIS Controls, define their acceptable level of risk, prioritize and implement the CIS Controls reasonably, and help demonstrate “due care”
    • CIS RAM 2.0 – includes a simplified CIS RAM worksheet for IG1, and additional modules tailored to developing key risk indicators using quantitative analysis
  • CIS Controls Mobile Companion Guide – helps enterprises implement the consensus-developed best practices in CIS Controls v8 for phones, tablets, and mobile applications
  • CIS Controls Cloud Companion Guide – guidance on how to apply the security best practices found in CIS Controls v8 to any cloud environment from the consumer/customer perspective
  • Mappings to other regulatory frameworks – enterprises that implement the CIS Controls can show compliance with other frameworks

CIS Controls v8 and some of these tools and resources are available today! As additional resources are updated, they’ll be added to the v8 page, so be sure to watch that space.

Just as technology and the threat landscape have evolved, so have the CIS Controls. Version 8 directly represents the adaptability, simplification, and consistency that you’ve come to expect from the CIS Controls.