A Close Look at the CIS Controls™ Assessment Module
Introducing the CIS Controls Assessment Module
In cybersecurity, it can be challenging to identify what you should be doing to protect your organization and measure if you’re actually doing it - but it doesn’t have to be. The CIS Controls Assessment Module was released to the community to help your organization assess its adherence to established best practices. The CIS Controls Assessment Module is a new, semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 environments. The 43 CIS Sub-Controls in Implementation Group 1 are assessed using a combination of scripts and survey questions.
The CIS Controls Assessment Module runs inside of CIS-CAT Pro Assessor v4, leveraging the tool’s ability to conduct both local and remote assessments. The results are compatible with CIS-CAT Pro Dashboard. This allows CIS SecureSuite® Members to use the familiar CIS-CAT Pro Dashboard features such as viewing individual assessment results and generating graphs to show compliance over time.
In addition to being available to CIS SecureSuite Members in CIS-CAT Pro Assessor v4, the CIS Controls Assessment Module for Implementation Group 1 in Windows 10 environments is also available for free in CIS-CAT Lite v4.
How does the module work?
PowerShell scripts are used to automate 13 of the CIS Sub-Controls in Implementation Group 1: 3.4, 4.2, 6.2, 8.2, 8.5, 9.4, 10.1, 10.2, 10.4, 13.6, 15.7, 16.9, and 16.11. Some have customizable values that can be configured to better fit your organization. (Note: these values can be set in the Assessor Properties file, which is different from tailoring in CIS WorkBench.) These values include minimum password length, days allowed since the last system image backup, days of inactivity before an account is considered dormant, and maximum allowable seconds for the screen timeout.
Some Sub-Controls are more procedural in nature and don’t really lend themselves to automation. For instance, many of the Organizational Sub-Controls (CIS Controls 17-20) fall into this category. Survey questions are used to address these Sub-Controls. Self-assessed answers can be saved in the Assessor Properties file and will be applied to any CIS Controls Assessment Module scans. Then, when something changes (e.g., when your organization implements a new Sub-Control), these answers can be updated for future assessments. Alternatively, questions can be set to be answered interactively by modifying the Assessor Properties file. Any interactive questions will be asked on the command line in CIS-CAT Pro Assessor for each of the machines in the assessment.
There are three profiles available using the CIS Controls Assessment Module, allowing you to run:
- Just the automated checks
- Just the survey questions
- Both the automated checks and the survey questions for full coverage of Implementation Group 1
At CIS, we believe in collaboration. Working with a global community to develop, validate, and promote cybersecurity best practices is what we’re all about. So, where will the CIS Controls Assessment Module go next? We’d love to hear your thoughts! Join the CIS Controls Assessment Module community and help us grow this new feature. It’s all taking place on our collaborative CIS WorkBench forums.
Get started with the CIS Controls Assessment Module for free using CIS-CAT Lite.
Already a Member? Log in to CIS WorkBench to download the latest version.
Access full reporting features via CIS-CAT Pro Dashboard and more with CIS SecureSuite Membership.