CIS Controls FAQ

What are the CIS Controls?

The Center for Internet Security’s Critical Security Controls for Effective Cyber Defense V 6.1 (CIS Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every enterprise seeking to improve their cyber defense.

Who created the CIS Controls and when were they developed?

The CIS Controls were developed starting in 2008 by an international, grass-roots consortium bringing together companies, government agencies, institutions, and individuals from every part of the ecosystem (cyber analysts, vulnerability-finders, solution providers, users, consultants, policy-makers, executives, academia, auditors, etc.) who banded together to create, adopt, and support the CIS Controls. The expert volunteers who develop the Controls apply their first-hand experience to develop the most effective actions for cyber defense.

How are they updated?

The CIS Controls are updated and reviewed through an informal community process. Practitioners from government, industry, and academia each bring deep technical understanding from across multiple viewpoints (e.g., vulnerability, threat, defensive technology, tool vendors, enterprise management) and pool their knowledge to identify the most effective technical security controls needed to stop the attacks they are observing.

What is the benefit of the CIS Controls?

Prioritization is a key benefit to the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources on actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.

Why are there 20?

There is no magic to the number 20. We’d like to tell you that deep analysis of all the data about attacks and intrusions tells us that just 20 Controls will give you an optimized trade-off between defense against attacks and cost-effective, manageable systems – but that would not be quite true, and is not even possible today.

We can tell you that a community of highly knowledgeable practitioners from across every sector and aspect of the business have agreed that these twenty actions stop the vast majority of the attacks seen today, and provide the framework for automation and systems management that will serve cyber defense well into the future.

Are the CIS Controls a replacement for the other frameworks?

The CIS Controls are not a replacement for any existing regulatory, compliance, or authorization scheme. The CIS Controls map to most major compliance frameworks such as the NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series and regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls have been defined for these other frameworks to give a starting point for action.

What is the relationship between the CIS Controls and the NIST Cybersecurity Framework?

The NIST Framework for Improving Critical Infrastructure Cybersecurity calls out the CIS Controls as one of the “informative references” – a way to help users implement the Framework using an existing, supported methodology. Survey data shows that most users of the NIST Cybersecurity Framework also use the CIS Controls.

What is the relationship between the CIS Controls and the CIS Benchmarks?

The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices, whereas CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices. The need for secure configurations is referenced throughout the CIS Controls. In fact, CIS Control 3 specifically recommends secure configurations for hardware and software on mobile devices, laptops, workstations, and servers.
Both the CIS Controls and the CIS Benchmarks are developed by communities of experts using a consensus-based approach. We have also integrated some of the CIS Controls into the CIS-CAT configuration assessment tool to show alignment between some of the CIS Controls and Benchmarks settings.

Who has endorsed the CIS Controls?

  • The CIS Controls are referenced by the U.S. Government in the National Institute of Standards and Technology (NIST) Cybersecurity Framework as a recommended implementation approach for the Framework.
  • The European Telecommunications Standards Institute (ETSI) has adopted and published the CIS Controls and several of the Controls companion guides.
  • In 2016 in her state’s Data Breach Report, Kamala D. Harris, then California Attorney General, said: “The set of 20 Controls constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
  • The CIS Controls are recommended by organizations as diverse as the National Governors Association (NGA) and the U.K.’s Centre for the Protection of National Infrastructure (CPNI).
  • The National Highway Traffic Safety Administration (NHTSA) recommended the CIS Controls in its draft security guidance to automotive manufacturers.

Who is using the CIS Controls?

  • The CIS Controls have been adopted by thousands of global enterprises, large and small, and are supported by numerous security solution vendors, integrators, and consultants, such as Rapid7, Softbank and Tenable. Some users of the CIS Controls include: the Federal Reserve Bank of Richmond; Corden Pharma; Boeing; Citizens Property Insurance; Butler Health System; University of Massachusetts; the states of Idaho, Colorado, and Arizona; the cities of Oklahoma, Portland, and San Diego; and many others.
  • EXOSTAR offers a supply-chain cyber assessment based on the CIS Controls.
  • As of May 1, 2017, the CIS Controls have been downloaded more than 70,000 times.

Why use the CIS Controls Download Link?

We have set up a sign in process as part of the CIS Controls download in which we ask for some basic information about the downloader, and to offer the opportunity to sign up to be informed of developments on the CIS Controls.  We use the information to better understand how the CIS Controls are being used and who is using them; this information is extremely helpful to us as we update the CIS Controls and develop associated documents like our guides.

Are the CIS Controls free?

Yes, the CIS Controls are free to use by anyone to improve their own cybersecurity. If you are using the CIS Controls as a vendor or consultant, or provide services in a related cybersecurity field, enroll in CIS SecureSuite Product Vendor or Consulting Membership or become an authorized Supporter to use the Controls in tools or services that benefit your customers.

What training is available on the CIS Controls?

The SANS Institute offers a number of classes on implementing the CIS Controls. See SANS for more information.

Where can I get more information?

Questions can be sent to controlsinfo@cisecurity.org.