
CIS Controls Navigator

This page lists the CIS Sub-Controls together with their mappings to NIST CSF, ISO/IEC 27001, NIST SP 800-171 and NIST SP 800-53. The complete set of mapping values for each framework is listed first, followed by the Sub-Controls with their individual mappings.

Implementation Groups (IGs) are cumulative: every Sub-Control in IG 1 is also in IG 2 and IG 3, and every Sub-Control in IG 2 is also in IG 3.
NIST CSF (mapping values):

DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
DE.AE-2 - Detected events are analyzed to understand attack targets and methods
DE.AE-3 - Event data are collected and correlated from multiple sources and sensors
DE.AE-5 - Incident alert thresholds are established
DE.CM-1 - The network is monitored to detect potential cybersecurity events
DE.CM-3 - Personnel activity is monitored to detect potential cybersecurity events
DE.CM-4 - Malicious code is detected
DE.CM-7 - Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8 - Vulnerability scans are performed
DE.DP-1 - Roles and responsibilities for detection are well defined to ensure accountability
DE.DP-4 - Event detection information is communicated
ID.AM-1 - Physical devices and systems within the organization are inventoried
ID.AM-2 - Software platforms and applications within the organization are inventoried
ID.AM-3 - Organizational communication and data flows are mapped
ID.AM-4 - External information systems are catalogued
ID.AM-5 - Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
ID.AM-6 - Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
ID.GV-2 - Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
ID.RA-1 - Asset vulnerabilities are identified and documented
ID.RA-5 - Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
ID.SC-5 - Response and recovery planning and testing are conducted with suppliers and third-party providers
PR.AC-1 - Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
PR.AC-3 - Remote access is managed
PR.AC-4 - Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5 - Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6 - Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7 - Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
PR.AT-1 - All users are informed and trained
PR.AT-2 - Privileged users understand their roles and responsibilities
PR.AT-3 - Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
PR.AT-4 - Senior executives understand their roles and responsibilities
PR.AT-5 - Physical and cybersecurity personnel understand their roles and responsibilities
PR.DS-1 - Data-at-rest is protected
PR.DS-2 - Data-in-transit is protected
PR.DS-3 - Assets are formally managed throughout removal, transfers, and disposition
PR.DS-4 - Adequate capacity to ensure availability is maintained
PR.DS-5 - Protections against data leaks are implemented
PR.DS-6 - Integrity checking mechanisms are used to verify software, firmware, and information integrity
PR.DS-7 - The development and testing environment(s) are separate from the production environment
PR.IP-1 - A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-10 - Response and recovery plans are tested
PR.IP-11 - Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
PR.IP-12 - A vulnerability management plan is developed and implemented
PR.IP-3 - Configuration change control processes are in place
PR.IP-4 - Backups of information are conducted, maintained, and tested
PR.IP-9 - Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
PR.MA-2 - Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
PR.PT-1 - Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
PR.PT-2 - Removable media is protected and its use restricted according to policy
PR.PT-3 - The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
PR.PT-5 - Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
RS.AN-1 - Notifications from detection systems are investigated
RS.AN-4 - Incidents are categorized consistent with response plans
RS.AN-5 - Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
RS.CO-1 - Personnel know their roles and order of operations when a response is needed
RS.CO-2 - Incidents are reported consistent with established criteria
RS.CO-4 - Coordination with stakeholders occurs consistent with response plans
RS.MI-3 - Newly identified vulnerabilities are mitigated or documented as accepted risks

ISO/IEC 27001:2013 Annex A (mapping values):

A.6.1.3 - Contact with authorities
A.6.2.1 - Mobile device policy
A.7.2.2 - Information security awareness, education and training
A.8.1.1 - Inventory of assets
A.8.1.3 - Acceptable use of assets
A.8.2.1 - Classification of information
A.8.3.1 - Management of removable media
A.9.1.1 - Access control policy
A.9.1.2 - Access to networks and network services
A.9.2.1 - User registration and deregistration
A.9.2.3 - Management of privileged access rights
A.9.2.6 - Removal or adjustment of access rights
A.9.3.1 - Use of secret authentication information
A.9.4.2 - Secure log-on procedures
A.9.4.3 - Password management system
A.10.1.1 - Policy on the use of cryptographic controls
A.11.2.5 - Removal of assets
A.12.1.2 - Change management
A.12.1.4 - Separation of development, test and operational environments
A.12.2.1 - Controls against malware
A.12.3.1 - Information backup
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
A.12.4.4 - Clock synchronization
A.12.5.1 - Installation of software on operational systems
A.12.6.1 - Management of technical vulnerabilities
A.12.6.2 - Restrictions on software installation
A.13.1.1 - Network controls
A.13.1.2 - Security of network services
A.13.1.3 - Segregation in networks
A.13.2.3 - Electronic messaging
A.14.2.1 - Secure development policy
A.14.2.5 - Secure system engineering principles
A.16.1.1 - Responsibilities and procedures
A.16.1.3 - Reporting information security events

NIST SP 800-171 (mapping values; entries suffixed "e" are the enhanced security requirements from NIST SP 800-172):

3.1.1 - Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.10 - Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
3.1.11 - Terminate (automatically) a user session after a defined condition.
3.1.12 - Monitor and control remote access sessions.
3.1.13 - Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 - Route remote access via managed access control points.
3.1.16 - Authorize wireless access prior to allowing such connections.
3.1.17 - Protect wireless access using authentication and encryption.
3.1.18 - Control connection of mobile devices.
3.1.19 - Encrypt CUI on mobile devices and mobile computing platforms.
3.1.2 - Limit system access to the types of transactions and functions that authorized users are permitted to execute.
3.1.20 - Verify and control/limit connections to and use of external systems.
3.1.2e - Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
3.1.3 - Control the flow of CUI in accordance with approved authorizations.
3.1.3e - Employ secure information transfer solutions to control information flows between security domains on connected systems.
3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.7 - Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
3.1.8 - Limit unsuccessful logon attempts.
3.10.2 - Protect and monitor the physical facility and support infrastructure for organizational systems.
3.11.2 - Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
3.11.3 - Remediate vulnerabilities in accordance with risk assessments.
3.12.1 - Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
3.12.2 - Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
3.12.3 - Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 - Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
3.13.1 - Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
3.13.11 - Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 - Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 - Control and monitor the use of mobile code.
3.13.15 - Protect the authenticity of communications sessions.
3.13.16 - Protect the confidentiality of CUI at rest.
3.13.3 - Separate user functionality from system management functionality.
3.13.4 - Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5 - Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 - Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.8 - Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.14.1 - Identify, report, and correct system flaws in a timely manner.
3.14.2 - Provide protection from malicious code at designated locations within organizational systems.
3.14.4 - Update malicious code protection mechanisms when new releases are available.
3.14.5 - Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.7 - Identify unauthorized use of organizational systems.
3.2.1 - Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.1e - Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
3.2.2 - Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.2e - Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
3.2.3 - Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3.3.1 - Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
3.3.2 - Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
3.3.3 - Review and update logged events.
3.3.5 - Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
3.3.7 - Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.9 - Limit management of audit logging functionality to a subset of privileged users.
3.4.1 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.1e - Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
3.4.2 - Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.3 - Track, review, approve or disapprove, and log changes to organizational systems.
3.4.5 - Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.4.7 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9 - Control and monitor user-installed software.
3.5.1 - Identify system users, processes acting on behalf of users, and devices.
3.5.10 - Store and transmit only cryptographically-protected passwords.
3.5.2 - Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
3.5.3 - Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
3.5.6 - Disable identifiers after a defined period of inactivity.
3.5.7 - Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 - Prohibit password reuse for a specified number of generations.
3.6.1 - Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 - Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.6.3 - Test the organizational incident response capability.
3.7.3 - Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4 - Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
3.7.5 - Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.8.1 - Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2 - Limit access to CUI on system media to authorized users.
3.8.5 - Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 - Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 - Control the use of removable media on system components.
3.8.9 - Protect the confidentiality of backup CUI at storage locations.
3.9.2 - Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.

NIST SP 800-53 (mapping values; control titles as in Revision 4):

AC-17 - Remote Access
AC-18 - Wireless Access
AC-2 - Account Management
AC-20 - Use of External Information Systems
AC-3 - Access Enforcement
AT-1 - Security Awareness and Training Policy and Procedures
AT-2 - Security Awareness Training
AU-12 - Audit Generation
AU-2 - Audit Events
AU-3 - Content of Audit Records
AU-4 - Audit Storage Capacity
AU-6 - Audit Review, Analysis, and Reporting
AU-8 - Time Stamps
CA-3 - System Interconnections
CA-7 - Continuous Monitoring
CA-9 - Internal System Connections
CM-1 - Configuration Management Policy and Procedures
CM-10 - Software Usage Restrictions
CM-11 - User-Installed Software
CM-2 - Baseline Configurations
CM-6 - Configuration Settings
CM-7 - Least Functionality
CM-8 - Information System Component Inventory
CP-9 - Information System Backup
IA-2 (1) - Identification and Authentication (Organizational Users)
IA-4 - Identifier Management
IA-5 - Authenticator Management
IA-5 (1) - Authenticator Management
IA-6 - Authenticator Feedback
IR-1 - Incident Response Policy and Procedures
IR-2 - Incident Response Training
IR-6 - Incident Reporting
IR-8 - Incident Response Plan
MP-2 - Media Access
MP-7 - Media Use
RA-5 - Vulnerability Scanning
SA-9 - External Information System Services
SC-20 - Secure Name / Address Resolution Service (Authoritative Source)
SC-21 - Secure Name / Address Resolution Service (Recursive or Caching Resolver)
SC-39 - Process Isolation
SC-7 - Boundary Protection
SI-16 - Memory Protection
SI-3 - Malicious Code Protection
SI-4 - Information System Monitoring
SI-5 - Security Alerts, Advisories, and Directives

CIS Control 1 - Inventory and Control of Hardware Assets

  • Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

Sub-Control 1.1 (Asset Type: Devices)

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring

Sub-Control 1.2 (Asset Type: Devices)

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring

Sub-Control 1.3 (Asset Type: Devices)

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

SI-4
Information System Monitoring

Sub-Control 1.4 (Asset Type: Devices)

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

NIST CSF Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.5.1
Identify system users, processes acting on behalf of users, and devices.

NIST SP 800-53 Groups:

CM-8
Information System Component Inventory

Sub-Control 1.5 (Asset Type: Devices)

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

NIST CSF Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.5.1
Identify system users, processes acting on behalf of users, and devices.

NIST SP 800-53 Groups:

CM-8
Information System Component Inventory
IA-4
Identifier Management

Sub-Control 1.6 (Asset Type: Devices)

Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.

NIST CSF Groups:

PR.DS-3
Assets are formally managed throughout removal, transfers, and disposition

ISO 27001 Groups:

A.11.2.5
Removal of assets

NIST SP 800-171 Groups:

3.1.2e
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
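
Sub-Controls 1.3, 1.5 and 1.6 together describe one feedback loop: DHCP lease activity feeds the hardware inventory, each record carries the fields 1.5 requires, and anything that obtains an address without an approved record is surfaced for quarantine or an inventory update. The Python below is an added illustration of that loop and is not part of the CIS Controls Navigator or any CIS tooling. It parses a constructed excerpt of ISC dhcpd syslog output (the DHCPACK message shape is real; the hostnames, MAC addresses, owners and departments are made up), refreshes a small in-memory inventory, and reports unknown and unapproved devices. A real deployment would read the DHCP server's log or lease file and write to the organization's asset database rather than a dict.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed ISC dhcpd syslog excerpt (hosts, MACs and addresses are made up).
# Message shape: "DHCPACK on <ip> to <mac> [(<client-hostname>)] via <interface>"
SAMPLE_DHCP_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd[1412]: DHCPACK on 10.20.4.17 to 3c:52:82:aa:bb:01 (ws-0421) via eth0
Mar  3 08:12:09 dhcp1 dhcpd[1412]: DHCPACK on 10.20.4.18 to 3c:52:82:aa:bb:02 (ws-0422) via eth0
Mar  3 08:13:44 dhcp1 dhcpd[1412]: DHCPDISCOVER from 00:1a:2b:3c:4d:5e via eth0
Mar  3 08:13:45 dhcp1 dhcpd[1412]: DHCPACK on 10.20.4.77 to 00:1a:2b:3c:4d:5e via eth0
Mar  3 08:15:02 dhcp1 dhcpd[1412]: DHCPACK on 10.20.4.19 to 3c:52:82:aa:bb:03 (printer-2f) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))? via (?P<iface>\S+)$",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One hardware inventory record carrying the fields Sub-Control 1.5 requires."""
    hardware_address: str
    network_address: Optional[str] = None
    machine_name: Optional[str] = None
    data_asset_owner: Optional[str] = None
    department: Optional[str] = None
    approved: bool = False          # approved to connect to the network
    last_seen: Optional[str] = None


def parse_dhcp_acks(log_text: str) -> Iterator[Tuple[str, str, str, Optional[str]]]:
    """Yield (timestamp, ip, mac, client_hostname) for each DHCPACK; other messages are skipped."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower(), m.group("name")


def seed_inventory() -> Dict[str, Asset]:
    """Constructed starting inventory: two approved workstations, one printer still awaiting approval."""
    assets = [
        Asset("3c:52:82:aa:bb:01", machine_name="ws-0421", data_asset_owner="a.lee",
              department="Finance", approved=True),
        Asset("3c:52:82:aa:bb:02", machine_name="ws-0422", data_asset_owner="b.kim",
              department="Finance", approved=True),
        Asset("3c:52:82:aa:bb:03", machine_name="printer-2f", data_asset_owner="facilities",
              department="Facilities", approved=False),
    ]
    return {a.hardware_address: a for a in assets}


def reconcile(inventory: Dict[str, Asset], log_text: str) -> Dict[str, List[str]]:
    """Refresh the inventory from DHCP leases (1.3) and report what needs action (1.6).

    Returns sorted lists of MAC addresses:
      updated    - approved assets whose address, name and last_seen were refreshed
      unknown    - MACs with no inventory record; a placeholder record is created with approved=False
      unapproved - inventoried but not approved assets that nevertheless obtained a lease
    """
    seen: Dict[str, set] = {"updated": set(), "unknown": set(), "unapproved": set()}
    for ts, ip, mac, name in parse_dhcp_acks(log_text):
        asset = inventory.get(mac)
        if asset is None:
            asset = Asset(hardware_address=mac)
            inventory[mac] = asset
            seen["unknown"].add(mac)
        asset.network_address = ip
        if name:
            asset.machine_name = name
        asset.last_seen = ts
        if asset.approved:
            seen["updated"].add(mac)
        elif mac not in seen["unknown"]:
            seen["unapproved"].add(mac)
    return {k: sorted(v) for k, v in seen.items()}


def run_example() -> Tuple[Dict[str, Asset], Dict[str, List[str]]]:
    inventory = seed_inventory()
    return inventory, reconcile(inventory, SAMPLE_DHCP_LOG)


if __name__ == "__main__":
    inv, rep = run_example()
    for mac in rep["unknown"]:
        print(f"QUARANTINE candidate: {mac} at {inv[mac].network_address} has no inventory record")
    for mac in rep["unapproved"]:
        print(f"NOT APPROVED: {inv[mac].machine_name} ({mac}) obtained {inv[mac].network_address}")
    for mac in rep["updated"]:
        print(f"refreshed: {inv[mac].machine_name} ({mac}) -> {inv[mac].network_address}")
```

The unknown MAC is deliberately added to the inventory as an unapproved placeholder rather than ignored: 1.6 allows either removal, quarantine or a timely inventory update, and an unapproved record with a last-seen address is what an operator needs to choose between those actions.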

Sub-Control 1.7 (Asset Type: Devices)

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

NIST CSF Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

ISO 27001 Groups:

A.9.1.2
Access to networks and network services
A.13.1.1
Network Controls

NIST SP 800-171 Groups:

3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.16
Authorize wireless access prior to allowing such connections.

Sub-Control 1.8 (Asset Type: Devices)

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

NIST CSF Groups:

PR.AC-6
Identities are proofed and bound to credentials and asserted in interactions

ISO 27001 Groups:

A.13.1.1
Network Controls

NIST SP 800-171 Groups:

3.1.1
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
3.1.16
Authorize wireless access prior to allowing such connections.

CIS Control 2 - Inventory and Control of Software Assets

  • Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

Sub-Control 2.1 (Asset Type: Applications)

Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-171 Groups:

3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.9
Control and monitor user-installed software.

NIST SP 800-53 Groups:

CM-11
User-Installed Software
CM-8
Information System Component Inventory

Sub-Control 2.2 (Asset Type: Applications)

Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

Sub-Control 2.3 (Asset Type: Applications)

Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

Sub-Control 2.4 (Asset Type: Applications)

The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.

NIST CSF Groups:

ID.AM-2
Software platforms and applications within the organization are inventoried

ISO 27001 Groups:

A.8.1.1
Inventory of assets

NIST SP 800-53 Groups:

IA-4
Identifier Management

Sub-Control 2.5 (Asset Type: Applications)

The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.

NIST CSF Groups:

ID.AM-1
Physical devices and systems within the organization are inventoried
ID.AM-2
Software platforms and applications within the organization are inventoried

Sub-Control 2.6 (Asset Type: Applications)

Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.5.1
Installation of software on operational systems
A.12.6.2
Restrictions on software installation

NIST SP 800-171 Groups:

3.1.2e
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
3.4.7
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.9
Control and monitor user-installed software.

NIST SP 800-53 Groups:

CM-11
User-Installed Software

Sub-Control 2.7 (Asset Type: Applications)

Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity

NIST SP 800-171 Groups:

3.4.8
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Sub-Control 2.8 (Asset Type: Applications)

The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity

NIST SP 800-171 Groups:

3.4.8
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Sub-Control 2.9 (Asset Type: Applications)

The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.DS-6
Integrity checking mechanisms are used to verify software, firmware, and information integrity

NIST SP 800-171 Groups:

3.4.8
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
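
Sub-Controls 2.7 through 2.9 describe the same enforcement point applied to executables, loaded libraries and scripts, and the mapped 800-171 requirement 3.4.8 names the two policy styles: deny-all/permit-by-exception (allow-listing) versus deny-by-exception. The Python below is an added example, not code from CIS or from any allow-listing product. It evaluates constructed load/execute events against a small rule set in both modes, applies the 2.9 requirement that scripts carry a valid signature, and lints the rule set for a classic weakness: an allow-by-path rule that covers a user-writable directory. The publisher name, hashes, paths and events are all made up. In practice the rules live in AppLocker, WDAC or an equivalent; the point here is the precedence logic those tools implement.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExecEvent:
    """A load/execute attempt as an endpoint agent might report it (constructed)."""
    kind: str                   # "exe", "lib" (e.g. .dll/.so) or "script" (e.g. .ps1/.py/macro)
    path: str
    sha256: str
    signer: Optional[str]       # subject CN of the code-signing certificate, None if unsigned
    signature_valid: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    match: str                  # "hash", "publisher" or "path"
    value: str                  # hex digest, signer CN, or path prefix
    kinds: Tuple[str, ...] = ("exe", "lib", "script")


# Locations a standard user can write to. An allow-by-path rule under one of these lets any
# user drop a binary there and run it, which defeats the purpose of the allow list.
USER_WRITABLE_PREFIXES = ("C:\\Users\\", "C:\\Windows\\Temp\\", "/tmp/", "/home/")

# Constructed policy: the publisher name and hashes are placeholders, not real signers or binaries.
POLICY = [
    Rule("allow", "publisher", "Contoso Software Ltd"),
    Rule("allow", "path", "C:\\Program Files\\"),
    Rule("allow", "hash", "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
         kinds=("script",)),
    Rule("deny", "hash", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

# Constructed events covering executables (2.7), a library load (2.8) and scripts (2.9).
EVENTS = [
    ExecEvent("exe", "C:\\Program Files\\Contoso\\app.exe", "11" * 32, "Contoso Software Ltd", True),
    ExecEvent("exe", "C:\\Users\\alice\\Downloads\\tool.exe", "22" * 32, None),
    ExecEvent("lib", "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", "33" * 32, None),
    ExecEvent("script", "C:\\Program Files\\Contoso\\deploy.ps1", "44" * 32, "Contoso Software Ltd", False),
    ExecEvent("script", "C:\\Scripts\\backup.ps1",
              "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
              "Corp Internal Scripts", True),
    ExecEvent("exe", "C:\\Program Files\\Contoso\\old-tool.exe",
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              "Contoso Software Ltd", True),
]


def check_policy(rules: List[Rule]) -> List[str]:
    """Lint the rule set: warn about allow-by-path rules that cover user-writable locations."""
    return [
        f"allow-by-path rule '{r.value}' covers a user-writable location"
        for r in rules
        if r.action == "allow" and r.match == "path" and r.value.startswith(USER_WRITABLE_PREFIXES)
    ]


def rule_matches(rule: Rule, ev: ExecEvent) -> bool:
    if ev.kind not in rule.kinds:
        return False
    if rule.match == "hash":
        return ev.sha256.lower() == rule.value.lower()
    if rule.match == "publisher":
        # A publisher rule only applies when the signature actually verifies.
        return ev.signature_valid and ev.signer == rule.value
    if rule.match == "path":
        return ev.path.startswith(rule.value)
    raise ValueError(f"unknown match type: {rule.match}")


def evaluate(rules: List[Rule], ev: ExecEvent, mode: str = "allowlist") -> Tuple[bool, str]:
    """Decide whether ev may load or execute, returning (permitted, reason).

    mode="allowlist": deny all, permit by exception (the 2.7-2.9 posture).
    mode="denylist":  allow all, deny by exception.
    Deny rules take precedence over allow rules in both modes, and scripts must carry a
    valid signature regardless of mode (2.9).
    """
    if ev.kind == "script" and not ev.signature_valid:
        return False, "script is not validly signed"
    for r in rules:
        if r.action == "deny" and rule_matches(r, ev):
            return False, f"deny rule {r.match}={r.value}"
    for r in rules:
        if r.action == "allow" and rule_matches(r, ev):
            return True, f"allow rule {r.match}={r.value}"
    if mode == "allowlist":
        return False, "no allow rule matched (default deny)"
    return True, "no deny rule matched (default allow)"


def decisions(rules: List[Rule], events: List[ExecEvent], mode: str) -> Dict[str, bool]:
    """Map each event path to its permit/deny decision under the given mode."""
    return {ev.path: evaluate(rules, ev, mode)[0] for ev in events}


if __name__ == "__main__":
    for warning in check_policy(POLICY):
        print("POLICY WARNING:", warning)
    for ev in EVENTS:
        permitted, reason = evaluate(POLICY, ev)
        print(f"{'PERMIT' if permitted else 'DENY  '} {ev.kind:6} {ev.path}  [{reason}]")
```

Running the same events in "denylist" mode shows why 3.4.8 treats the two styles differently: the unsigned download and the DLL dropped in a temp directory are permitted there because nothing names them, while the allow-list denies them because nothing vouches for them.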

Sub-Control 2.10 (Asset Type: Applications)

Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

CIS Control 3 - Continuous Vulnerability Management

  • Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

Sub-Control 3.1 (Asset Type: Applications)

Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.

NIST CSF Groups:

DE.CM-8
Vulnerability scans are performed
ID.RA-1
Asset vulnerabilities are identified and documented

NIST SP 800-171 Groups:

3.11.2
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.

NIST SP 800-53 Groups:

RA-5
Vulnerability Scanning

Sub-Control 3.2 (Asset Type: Applications)

Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.

NIST CSF Groups:

DE.CM-8
Vulnerability scans are performed

Sub-Control 3.3 (Asset Type: Users)

Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.

Sub-Control 3.4 (Asset Type: Applications)

Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.

NIST SP 800-171 Groups:

3.14.1
Identify, report, and correct system flaws in a timely manner.
3 Applications
3.5

Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.

NIST SP 800-171 Groups:

3.14.1
Identify, report, and correct system flaws in a timely manner.
3 Applications
3.6

Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.

3 Applications
3.7

Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

NIST CSF Groups:

ID.RA-5
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
PR.IP-12
A vulnerability management plan is developed and implemented
RS.MI-3
Newly identified vulnerabilities are mitigated or documented as accepted risks

ISO 27001 Groups:

A.12.6.1
Management of technical vulnerabilities

NIST SP 800-171 Groups:

3.11.3
Remediate vulnerabilities in accordance with risk assessments.
3.12.2
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.

NIST SP 800-53 Groups:

RA-5
Vulnerability Scanning
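
Sub-Controls 3.6 and 3.7 describe one workflow: diff consecutive scans to see what was fixed, what is new and what is lingering, then rank the open findings by risk. The block below is an added example of that workflow and is not CIS material or any scanner's export format. Findings are a constructed, simplified record (host, check name, port, CVSS, first-seen date); real scanners export richer formats (.nessus XML, OpenVAS XML), the identity key used to match findings across scans is an assumption, and the asset criticality table, exposure list, SLA and weighting in the risk score are illustrative assumptions rather than a standard.

```python
"""Diff back-to-back vulnerability scans and rank what is still open.

Added example, not CIS material or any scanner's own export format.
All scan data, asset context and weights below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

# Assumed asset context feeding the risk rating (Sub-Control 3.7).
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "dev07": 1}   # 3 = most critical
INTERNET_EXPOSED = {"web01"}
REMEDIATION_SLA_DAYS = 30


@dataclass(frozen=True)
class Finding:
    host: str
    check: str        # scanner check name; a CVE id in a real export
    port: int
    cvss: float
    first_seen: date


def identity(f):
    """Key used to decide that two findings are 'the same' across scans (assumption)."""
    return (f.host, f.check, f.port)


def diff_scans(previous, current):
    """Return (new, remediated, persisting). Persisting findings keep the earlier
    first_seen date so their age keeps accumulating across scans."""
    prev = {identity(f): f for f in previous}
    cur = {identity(f): f for f in current}
    new = [cur[k] for k in cur.keys() - prev.keys()]
    remediated = [prev[k] for k in prev.keys() - cur.keys()]
    persisting = [
        Finding(cur[k].host, cur[k].check, cur[k].port, cur[k].cvss, prev[k].first_seen)
        for k in prev.keys() & cur.keys()
    ]
    return new, remediated, persisting


def risk_score(f, today):
    """Illustrative risk rating: CVSS weighted by asset criticality, Internet
    exposure and whether the finding is past the remediation SLA."""
    criticality = ASSET_CRITICALITY.get(f.host, 1)
    exposure = 2.0 if f.host in INTERNET_EXPOSED else 1.0
    overdue = 1.5 if (today - f.first_seen).days > REMEDIATION_SLA_DAYS else 1.0
    return f.cvss * criticality * exposure * overdue


def remediation_report(previous, current, today):
    """Summarize the diff and return open findings ordered by risk, highest first."""
    new, remediated, persisting = diff_scans(previous, current)
    open_findings = sorted(new + persisting, key=lambda f: risk_score(f, today), reverse=True)
    return {
        "new": sorted(identity(f) for f in new),
        "remediated": sorted(identity(f) for f in remediated),
        "overdue": sorted(identity(f) for f in open_findings
                          if (today - f.first_seen).days > REMEDIATION_SLA_DAYS),
        "prioritized": [(f.host, f.check, round(risk_score(f, today), 2)) for f in open_findings],
    }


# Constructed scan results (not real scanner output). The previous scan carries
# first_seen dates from earlier cycles; the current scan was run on REPORT_DATE.
PREVIOUS_SCAN = [
    Finding("web01", "tls-weak-cipher", 443, 9.8, date(2020, 12, 1)),
    Finding("db01", "db-missing-patch", 5432, 7.5, date(2020, 12, 1)),
    Finding("dev07", "ssh-outdated", 22, 5.3, date(2020, 12, 1)),
]
REPORT_DATE = date(2021, 1, 8)
CURRENT_SCAN = [
    Finding("web01", "tls-weak-cipher", 443, 9.8, REPORT_DATE),   # still open
    Finding("dev07", "ssh-outdated", 22, 5.3, REPORT_DATE),       # still open
    Finding("db01", "db-auth-bypass", 5432, 8.1, REPORT_DATE),    # new this scan
]

if __name__ == "__main__":
    for key, value in remediation_report(PREVIOUS_SCAN, CURRENT_SCAN, REPORT_DATE).items():
        print(key, value)
```

On the constructed data the report lists db-missing-patch on db01 as remediated, db-auth-bypass on db01 as new, and both persisting findings as past the 30-day SLA; the Internet-exposed web01 finding ranks first even though the new db01 finding sits on the more critical asset, which is the kind of trade-off the risk-rating step is meant to make explicit rather than leave to CVSS alone.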

CIS Control 4 - Controlled Use of Administrative Privileges

  • The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
4 Users
4.1

Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.

NIST CSF Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
4 Users
4.2

Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.

NIST CSF Groups:

PR.AC-1
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes

ISO 27001 Groups:

A.9.4.3
Password management system

NIST SP 800-171 Groups:

3.5.7
Enforce a minimum password complexity and change of characters when new passwords are created.

NIST SP 800-53 Groups:

IA-5
Authenticator Management
4 Users
4.3

Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.

NIST CSF Groups:

PR.AC-4
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties

ISO 27001 Groups:

A.9.2.3
Management of privileged access rights

NIST SP 800-171 Groups:

3.1.5
Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.13.3
Separate user functionality from system management functionality.
4 Users
4.4

Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.

ISO 27001 Groups:

A.9.4.3
Password management system

NIST SP 800-171 Groups:

3.5.8
Prohibit password reuse for a specified number of generations.

NIST SP 800-53 Groups:

IA-5 (1)
Authenticator Management
4 Users
4.5

Use multi-factor authentication and encrypted channels for all administrative account access.

NIST CSF Groups:

PR.AC-7
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)

NIST SP 800-171 Groups:

3.5.3
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

NIST SP 800-53 Groups:

IA-2 (1)
Identification and Authentication (Organizational Users)
4 Users
4.6

Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.

NIST SP 800-171 Groups:

3.1.5
Employ the principle of least privilege, including for specific security functions and privileged accounts.
4 Users
4.7

Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.

NIST CSF Groups:

PR.PT-3
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
4 Users
4.8

Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.12.4.3
Administrator and operator logs

NIST SP 800-171 Groups:

3.1.7
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
3.3.9
Limit management of audit logging functionality to a subset of privileged users.

NIST SP 800-53 Groups:

AU-3
Content of Audit Records
4 Users
4.9

Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

NIST CSF Groups:

DE.CM-7
Monitoring for unauthorized personnel, connections, devices, and software is performed

ISO 27001 Groups:

A.9.4.2
Secure log-on procedures

NIST SP 800-171 Groups:

3.1.7
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.

NIST SP 800-53 Groups:

AU-3
Content of Audit Records
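
Sub-Controls 4.8 and 4.9 both come down to detection logic over the security log: membership changes in privileged groups, and failed logons against privileged accounts. The block below is an added example of both detections run over constructed sample events; it is not CIS material. The records are simplified Windows Security events carrying only the fields the detections need (real events use fields such as TargetUserName, SubjectUserName, MemberName and IpAddress); the event IDs 4728/4732/4756 (member added to a security-enabled global/local/universal group), 4729/4733/4757 (member removed) and 4625 (logon failure) are the real Windows IDs. The admin-group list, admin-account list and the failure threshold are assumptions to adapt per environment.

```python
"""Alert on admin-group membership changes (4.8) and failed admin logons (4.9).

Added example, not CIS material. Sample events are constructed and simplified.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs for membership changes in security-enabled groups.
GROUP_ADD = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE = {4729: "global", 4733: "local", 4757: "universal"}
LOGON_FAILURE = 4625

# Groups that confer administrative privilege (assumption; extend per environment).
ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}
# Administrative accounts (assumption; in practice fed from the inventory of Sub-Control 4.1).
ADMIN_ACCOUNTS = {"adm-jsmith", "adm-backup"}

FAIL_THRESHOLD = 3                  # failures inside FAIL_WINDOW that escalate to HIGH
FAIL_WINDOW = timedelta(minutes=10)


def group_change_alerts(events):
    """4.8: one alert per add/remove that touches a group in ADMIN_GROUPS."""
    alerts = []
    for e in events:
        eid = e["event_id"]
        if eid not in GROUP_ADD and eid not in GROUP_REMOVE:
            continue
        if e["group"] not in ADMIN_GROUPS:
            continue
        action = "added to" if eid in GROUP_ADD else "removed from"
        scope = GROUP_ADD[eid] if eid in GROUP_ADD else GROUP_REMOVE[eid]
        alerts.append(
            f"{e['time'].isoformat()} {e['member']} {action} {scope} group "
            f"{e['group']} by {e['subject']} (event {eid})"
        )
    return alerts


def failed_admin_logon_alerts(events):
    """4.9: alert on every 4625 against an admin account; escalate to HIGH once
    FAIL_THRESHOLD failures for the same account fall inside FAIL_WINDOW."""
    alerts = []
    recent = defaultdict(list)      # account -> timestamps of failures still in the window
    for e in sorted(events, key=lambda x: x["time"]):
        if e["event_id"] != LOGON_FAILURE or e["target"] not in ADMIN_ACCOUNTS:
            continue
        t = e["time"]
        window = [x for x in recent[e["target"]] if t - x <= FAIL_WINDOW] + [t]
        recent[e["target"]] = window
        level = "HIGH" if len(window) >= FAIL_THRESHOLD else "MEDIUM"
        alerts.append((level, e["target"], e["source_ip"], t.isoformat()))
    return alerts


T0 = datetime(2021, 3, 1, 9, 0, 0)


def _at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed sample events (not real log output).
SAMPLE_EVENTS = [
    {"event_id": 4732, "time": _at(0), "subject": "svc-helpdesk", "member": "jdoe", "group": "Administrators"},
    {"event_id": 4728, "time": _at(1), "subject": "adm-jsmith", "member": "jdoe", "group": "Sales"},
    {"event_id": 4729, "time": _at(2), "subject": "adm-jsmith", "member": "old-admin", "group": "Domain Admins"},
    {"event_id": 4625, "time": _at(3), "target": "adm-backup", "source_ip": "10.0.5.23"},
    {"event_id": 4625, "time": _at(4), "target": "adm-backup", "source_ip": "10.0.5.23"},
    {"event_id": 4625, "time": _at(5), "target": "adm-backup", "source_ip": "10.0.5.23"},
    {"event_id": 4625, "time": _at(6), "target": "jdoe", "source_ip": "10.0.5.23"},
    {"event_id": 4625, "time": _at(30), "target": "adm-jsmith", "source_ip": "10.0.7.9"},
]

if __name__ == "__main__":
    for a in group_change_alerts(SAMPLE_EVENTS) + failed_admin_logon_alerts(SAMPLE_EVENTS):
        print(a)
```

Note that the group-change rule alerts on every add or remove against a privileged group, with no threshold: a single addition is the event of interest, and a helpdesk service account adding a user to local Administrators is exactly the case 4.8 wants surfaced. The logon rule does use a threshold, but still emits a MEDIUM alert for a lone failure, since a single failed logon to a privileged account is worth a look even when it is not yet a guessing pattern.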

CIS Control 5 - Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

  • Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
5 Applications
5.1

Maintain documented, standard security configuration standards for all authorized operating systems and software.

NIST CSF Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

ISO 27001 Groups:

A.8.1.3
Acceptable use of assets
A.14.2.5
Secure system engineering principles

NIST SP 800-171 Groups:

3.4.1
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2
Establish and enforce security configuration settings for information technology products employed in organizational systems.
3.4.5
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
3.1.18
Control connection of mobile devices.

NIST SP 800-53 Groups:

CM-1
Configuration Management Policy and Procedures
CM-2
Baseline Configurations
CM-6
Configuration Settings
CM-7
Least Functionality
IA-5
Authenticator Management
IA-6
Authenticator Feedback
SC-20
Secure Name / Address Resolution Service (Authoritative Source)
SC-21
Secure Name / Address Resolution Service (Recursive or Caching Resolver)
AU-2
Audit Events
5 Applications
5.2

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.

NIST CSF Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)

NIST SP 800-171 Groups:

3.4.2
Establish and enforce security configuration settings for information technology products employed in organizational systems.
5 Applications
5.3

Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.

NIST CSF Groups:

PR.IP-1
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
5 Applications
5.4

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.

NIST SP 800-171 Groups:

3.4.1e
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
3.4.3
Track, review, approve or disapprove, and log changes to organizational systems.
5 Applications
5.5

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

NIST CSF Groups:

DE.CM-8
Vulnerability scans are performed

NIST SP 800-171 Groups:

3.12.3
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.

NIST SP 800-53 Groups:

CM-6
Configuration Settings
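
Sub-Control 5.5 asks for three things at once: verify every configuration element against the baseline, keep a catalog of approved exceptions, and alert only on deviations that are not covered by one. The block below is an added example of that verification logic and is not CIS material or a SCAP implementation (a SCAP tool evaluates XCCDF/OVAL content against the host; this shows the decision logic in miniature). The baseline, the observed host state, the host names and the exception catalog with its ticket reference and expiry date are all constructed.

```python
"""Verify settings against a baseline while honoring an exception catalog.

Added example for Sub-Control 5.5, not CIS material and not a SCAP tool.
Baseline, observed state and exceptions below are constructed.
"""
from datetime import date

# Constructed baseline: setting -> required value (in practice derived from the
# configuration standard maintained under Sub-Control 5.1).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "auditd.enabled": "yes",
    "firewall.default_inbound": "deny",
}

# Constructed exception catalog: (host, setting) -> (approved value, change ticket, expiry).
EXCEPTIONS = {
    ("build02", "sshd.PasswordAuthentication"): ("yes", "CHG-0042", date(2021, 12, 31)),
}

STATUS_ALERTING = {"unauthorized", "expired-exception"}


def evaluate(host, observed, today):
    """Return (setting, expected, actual, status) for every baseline element.
    status is one of: ok | excepted | expired-exception | unauthorized."""
    results = []
    for setting, expected in BASELINE.items():
        actual = observed.get(setting, "<missing>")   # an unreported setting is a deviation too
        if actual == expected:
            results.append((setting, expected, actual, "ok"))
            continue
        exc = EXCEPTIONS.get((host, setting))
        # An exception only covers the exact approved value on the exact host, and only until expiry.
        if exc is not None and exc[0] == actual:
            status = "excepted" if today <= exc[2] else "expired-exception"
        else:
            status = "unauthorized"
        results.append((setting, expected, actual, status))
    return results


def alerts(host, observed, today):
    """Only deviations not covered by a current, approved exception raise an alert."""
    return [r for r in evaluate(host, observed, today) if r[3] in STATUS_ALERTING]


# Constructed observed state for host build02 (not real tool output).
OBSERVED_BUILD02 = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "yes",   # covered by CHG-0042 until 2021-12-31
    "auditd.enabled": "no",                 # unauthorized change
    # firewall.default_inbound not reported at all
}
CHECK_DATE = date(2021, 6, 1)
AFTER_EXPIRY = date(2022, 1, 15)

if __name__ == "__main__":
    for r in evaluate("build02", OBSERVED_BUILD02, CHECK_DATE):
        print(*r)
```

Two design points matter here: a setting the host fails to report is treated as a deviation rather than silently skipped, and an exception is scoped to one host, one setting and one approved value with an expiry, so the same deviation on another host, a different value, or a lapsed approval all alert again instead of inheriting the exception.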

CIS Control 6 - Maintenance, Monitoring and Analysis of Audit Logs

  • Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
6 Network
6.1

Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

ISO 27001 Groups:

A.12.4.4
Clock synchronization

NIST SP 800-171 Groups:

3.3.7
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.

NIST SP 800-53 Groups:

AU-8
Time Stamps
6 Network
6.2

Ensure that local logging has been enabled on all systems and networking devices.

NIST CSF Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

ISO 27001 Groups:

A.12.4.1
Event logging

NIST SP 800-171 Groups:

3.3.1
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

NIST SP 800-53 Groups:

AU-3
Content of Audit Records
AU-12
Audit Generation
6 Network
6.3

Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

NIST CSF Groups:

PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy

NIST SP 800-171 Groups:

3.3.2
Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.

NIST SP 800-53 Groups:

AU-12
Audit Generation
6 Network
6.4

Ensure that all systems that store logs have adequate storage space for the logs generated.

NIST CSF Groups:

PR.DS-4
Adequate capacity to ensure availability is maintained

NIST SP 800-171 Groups:

3.3.1
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

NIST SP 800-53 Groups:

AU-4
Audit Storage Capacity
6 Network
6.5

Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

NIST CSF Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
6 Network
6.6

Deploy a Security Information and Event Management (SIEM) or log analytics tool for log correlation and analysis.

NIST CSF Groups:

DE.AE-3
Event data are collected and correlated from multiple sources and sensors
6 Network
6.7

On a regular basis, review logs to identify anomalies or abnormal events.

NIST CSF Groups:

DE.AE-2
Detected events are analyzed to understand attack targets and methods
DE.AE-3
Event data are collected and correlated from multiple sources and sensors
PR.PT-1
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
RS.AN-1
Notifications from detection systems are investigated

ISO 27001 Groups:

A.12.4.3
Administrator and operator logs

NIST SP 800-171 Groups:

3.3.3
Review and update logged events.
3.3.5
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

NIST SP 800-53 Groups:

AU-6
Audit Review, Analysis, and Reporting
6 Network
6.8

On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

NIST CSF Groups:

DE.AE-5
Incident alert thresholds are established

CIS Control 7 - Email and Web Browser Protections

  • Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
7 Applications
7.1

Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.