CIS Critical Security Controls Navigator

Use this page to learn more about the Controls and Safeguards and see how they map to other security standards. Click on a row to see all related, applicable standards.



CMMC 
Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).
Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Verify and control/limit connections to and use of external information systems.
Limit use of portable storage devices on external systems.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Use non-privileged accounts or roles when accessing nonsecurity functions.
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Authorize wireless access prior to allowing such connections.
Monitor and control remote access sessions.
Route remote access via managed access control points.
Control the flow of CUI in accordance with approved authorizations.
Protect wireless access using authentication and encryption.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Terminate (automatically) user sessions after a defined condition.
Control connection of mobile devices.
Authorize remote execution of privileged commands and remote access to security-relevant information.
Encrypt CUI on mobile devices and mobile computing platforms.
Control information flows between security domains on connected systems.
Periodically review and update CUI program access permissions.
Restrict remote network access based on organizational defined risk factors such as time of day, location of access, physical location, network connection state and measured properties of the current user and role.
Identify and mitigate risk associated with unidentified wireless access points connected to the network.
Define procedures for the handling of CUI data.
Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
Ensure that managers, system administrators and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards and procedures related to the security of those systems.
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training.
Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation and reporting of unlawful or unauthorized system activity.
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Review audit logs.
Review and update logged events.
Alert in the event of an audit logging process failure.
Collect audit information (e.g., logs) into one or more central repositories.
Limit management of audit logging functionality to a subset of privileged users.
Correlate audit record review, analysis and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious or unusual activity.
Provide audit record reduction and report generation to support on-demand analysis and reporting.
Automate analysis of audit logs to identify and act on critical indicators (TTPs) and/or organizationally-defined suspicious activity.
Identify assets not reporting audit logs and assure appropriate organizationally defined systems are logging.
Develop, document and periodically update System Security Plans (SSPs) that describe system boundaries, system environments of operation, how security requirements are implemented and the relationships with or connections to other systems.
Employ a security assessment of enterprise software that has been developed internally, for internal use, and that has been organizationally-defined as an area of risk.
Conduct penetration testing periodically, leveraging automated scanning tools and ad hoc tests using human experts.
Periodically perform red teaming against organizational assets in order to validate defensive capabilities.
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware and documentation) throughout the respective system development life cycles.
Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
Control and monitor user-installed software.
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Track, review, approve or disapprove and log changes to organizational systems.
Define, document, approve and enforce physical and logical access restrictions associated with changes to organizational systems.
Restrict, disable or prevent the use of nonessential programs, functions, ports, protocols and services.
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Employ application whitelisting and an application vetting process for systems identified by the organization.
Identify information system users, processes acting on behalf of users or devices.
Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Store and transmit only cryptographically-protected passwords.
Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Prevent the reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery and user response activities.
Detect and report events.
Develop and implement responses to declared incidents according to pre-defined procedures.
Track, document and report incidents to designated officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability.
Perform unannounced operational exercises to demonstrate technical and procedural responses.
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Limit access to CUI on system media to authorized users.
Control the use of removable media on system components.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Regularly perform and test data back-ups.
Protect the confidentiality of backup CUI at storage locations.
Regularly perform complete, comprehensive and resilient data backups as organizationally-defined.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Remediate vulnerabilities in accordance with risk assessments.
Periodically perform risk assessments to identify and prioritize risks according to the defined risk categories, risk sources and risk measurement criteria.
Manage non-vendor-supported products (e.g., end of life) separately and restrict as necessary to reduce risk.
Perform scans for unauthorized ports available across perimeter network boundaries, over the organization's Internet boundaries and other organization-defined boundaries.
Utilize an exception process for non-whitelisted software that includes mitigation techniques.
Monitor, control and protect organizational communications (e.g., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Use encrypted sessions for the management of network devices.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Employ architectural designs, software development techniques and systems engineering principles that promote effective information security within organizational systems.
Separate user functionality from system management functionality.
Deny network communications traffic by default and allow network communications traffic by exception (e.g., deny all, permit by exception).
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (e.g., split tunneling).
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Control and monitor the use of mobile code.
Protect the confidentiality of CUI at rest.
Implement Domain Name System (DNS) filtering services.
Implement a policy restricting the publication of CUI on externally-owned, publicly-accessible websites (e.g., forums, LinkedIn, Facebook, Twitter, etc.).
Employ physical and logical isolation techniques in the system and security architecture and/or where deemed appropriate by the organization.
Utilize threat intelligence to proactively block DNS requests from reaching malicious domains.
Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.
Isolate administration of organizationally-defined high-value critical network infrastructure components and servers.
Utilize a URL categorization service and implement techniques to enforce URL filtering of websites that are not approved by the organization.
Configure monitoring systems to record packets passing through the organization's Internet network boundaries and other organizational-defined boundaries.
Employ organizationally-defined and tailored boundary protections in addition to commercially-available solutions.
Enforce port and protocol compliance.
Identify, report and correct information and information system flaws in a timely manner.
Provide protection from malicious code at appropriate locations within organizational information systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
Monitor system security alerts and advisories and take action in response.
Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Identify unauthorized use of organizational systems.
Employ spam protection mechanisms at information system access entry and exit points.
Implement email forgery protections.
Utilize email sandboxing to detect or block potentially malicious email.
Analyze system behavior to detect and mitigate execution of normal system commands and scripts that indicate malicious actions.
Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
ISO 27001:2013 
Contact with authorities
Mobile device policy
Information security awareness education and training
Inventory of assets
Acceptable use of assets
Classification of information
Management of removable media
Access control policy
Access to networks and network services
User registration and de-registration
Management of privileged access rights
Removal or adjustment of access rights
Use of secret authentication information
Secure log-on procedures
Password management system
Policy on the use of cryptographic controls
Removal of assets
Change management
Separation of development test and operational environments
Controls against malware
Information backup
Event logging
Administrator and operator logs
Clock synchronization
Installation of software on operational systems
Management of technical vulnerabilities
Restrictions on software installation
Event logging
Network Controls
Security of network services
Segregation in networks
Electronic messaging
Secure development policy
System change control procedures
Secure system engineering principles
Responsibilities and procedures
Reporting information security events
MITRE ATT&CK V6 
Windows Management Instrumentation Event Subscription
Cloud Instance Metadata API
Application Access Token
Data Obfuscation
Data Compressed
Credential Dumping
Winlogon Helper DLL
Fallback Channels
Exfiltration Over Other Network Medium
Accessibility Features
Application Deployment Software
System Firmware
Remote Services
Shortcut Modification
Custom Cryptographic Protocol
Multiband Communication
Obfuscated Files or Information
Windows Remote Management
Scheduled Transfer
Data Transfer Size Limits
Modify Existing Service
Standard Cryptographic Protocol
Path Interception
Service Execution
Masquerading
Logon Scripts
DLL Search Order Hijacking
Network Sniffing
Exfiltration Over Command and Control Channel
Commonly Used Port
File System Permissions Weakness
Software Packing
Network Service Scanning
Windows Management Instrumentation
Exfiltration Over Alternative Protocol
New Service
Shared Webroot
Exfiltration Over Physical Medium
Scheduled Task
Indicator Blocking
Process Injection
Service Registry Permissions Weakness
Command-Line Interface
Scripting
Uncommonly Used Port
Bootkit
Exploitation for Privilege Escalation
Indicator Removal on Host
Standard Application Layer Protocol
Third-party Software
DLL Side-Loading
Pass the Hash
Remote Desktop Protocol
Windows Admin Shares
Valid Accounts
Multilayer Encryption
Taint Shared Content
Credentials in Files
Rundll32
PowerShell
Account Discovery
Bypass User Account Control
Disabling Security Tools
Connection Proxy
Replication Through Removable Media
Communication Through Removable Media
Custom Command and Control Protocol
Standard Non-Application Layer Protocol
NTFS File Attributes
Pass the Ticket
Account Manipulation
Web Shell
Security Support Provider
Web Service
AppInit DLLs
Multi-Stage Channels
Remote File Copy
Execution through API
Redundant Access
Brute Force
Two-Factor Authentication Interception
Modify Registry
Email Collection
Regsvr32
InstallUtil
Automated Collection
Regsvcs/Regasm
Trusted Developer Utilities
Execution through Module Load
Install Root Certificate
Authentication Package
Data Encoding
External Remote Services
Access Token Manipulation
Create Account
Office Application Startup
Application Shimming
Bash History
Input Prompt
Keychain
Hidden Window
Gatekeeper Bypass
Private Keys
Clear Command History
Hidden Users
HISTCONTROL
LC_MAIN Hijacking
Plist Modification
Launchctl
AppleScript
.bash_profile and .bashrc
Dylib Hijacking
Launch Agent
Launch Daemon
LC_LOAD_DYLIB Addition
Login Item
Rc.common
Re-opened Applications
Startup Items
Setuid and Setgid
Local Job Scheduling
Sudo
Mshta
LLMNR/NBT-NS Poisoning and Relay
Domain Fronting
Dynamic Data Exchange
Password Filter DLL
Component Object Model and Distributed COM
Browser Extensions
LSASS Driver
SID-History Injection
Screensaver
AppCert DLLs
SSH Hijacking
Man in the Browser
Forced Authentication
Multi-hop Proxy
Drive-by Compromise
Exploit Public-Facing Application
CMSTP
Spearphishing Link
Spearphishing Attachment
Spearphishing via Service
Supply Chain Compromise
Control Panel Items
BITS Jobs
SIP and Trust Provider Hijacking
Trusted Relationship
Hardware Additions
Password Policy Discovery
Exploitation for Client Execution
User Execution
Port Knocking
Sudo Caching
Kerberoasting
Time Providers
Exploitation of Remote Services
Exploitation for Defense Evasion
Exploitation for Credential Access
Data from Information Repositories
Credentials in Registry
Kernel Modules and Extensions
Signed Script Proxy Execution
Signed Binary Proxy Execution
Remote Access Tools
XSL Script Processing
Template Injection
Compiled HTML File
Access Sensitive Data in Device Logs
Domain Trust Discovery
Domain Generation Algorithms
Group Policy Modification
Data Destruction
Data Encrypted for Impact
Disk Structure Wipe
Disk Content Wipe
Service Stop
Inhibit System Recovery
Defacement
Stored Data Manipulation
Transmitted Data Manipulation
Runtime Data Manipulation
Firmware Corruption
Network Denial of Service
Endpoint Denial of Service
Systemd Service
Credentials from Web Browsers
PowerShell Profile
Server Software Component
Web Session Cookie
Screen Capture
Elevated Execution with Prompt
Access Notifications
Emond
Implant Container Image
Steal Application Access Token
Data from Cloud Storage Object
Unused/Unsupported Cloud Regions
Transfer Data to Cloud Account
Cloud Service Dashboard
Steal Web Session Cookie
NIST CSF Version 1.1 
A baseline of network operations and expected data flows for users and systems is established and managed
Detected events are analyzed to understand attack targets and methods
Event data are collected and correlated from multiple sources and sensors
Incident alert thresholds are established
The network is monitored to detect potential cybersecurity events
Personnel activity is monitored to detect potential cybersecurity events
Malicious code is detected
Monitoring for unauthorized personnel, connections, devices, and software is performed
Vulnerability scans are performed
Roles and responsibilities for detection are well defined to ensure accountability
Event detection information is communicated
Physical devices and systems within the organization are inventoried
Software platforms and applications within the organization are inventoried
Organizational communication and data flows are mapped
External information systems are catalogued
Resources (e.g., hardware, devices, data, time, personnel, and software) are prioritized based on their classification, criticality, and business value
Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established
Cybersecurity roles and responsibilities are coordinated and aligned with internal roles and external partners
Asset vulnerabilities are identified and documented
Threats, vulnerabilities, likelihoods, and impacts are used to determine risk
Response and recovery planning and testing are conducted with suppliers and third-party providers
Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
Remote access is managed
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
Network integrity is protected (e.g., network segregation, network segmentation)
Identities are proofed and bound to credentials and asserted in interactions
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
All users are informed and trained
Privileged users understand their roles and responsibilities
Third-party stakeholders (e.g., suppliers, customers, partners) understand their roles and responsibilities
Senior executives understand their roles and responsibilities
Physical and cybersecurity personnel understand their roles and responsibilities
Data-at-rest is protected
Data-in-transit is protected
Assets are formally managed throughout removal, transfers, and disposition
Adequate capacity to ensure availability is maintained
Protections against data leaks are implemented
Integrity checking mechanisms are used to verify software, firmware, and information integrity
The development and testing environment(s) are separate from the production environment
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
Response and recovery plans are tested
Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening)
A vulnerability management plan is developed and implemented
Configuration change control processes are in place
Backups of information are conducted, maintained, and tested
Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
Audit/log records are determined, documented, implemented, and reviewed in accordance with policy
Removable media is protected and its use restricted according to policy
The principle of least functionality is incorporated by configuring systems to provide only essential capabilities
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
Notifications from detection systems are investigated 
Incidents are categorized consistent with response plans
Processes are established to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
Personnel know their roles and order of operations when a response is needed
Incidents are reported consistent with established criteria
Coordination with stakeholders occurs consistent with response plans
Newly identified vulnerabilities are mitigated or documented as accepted risks
NIST SP 800-53 Revision 4 Low Baseline 
Account Management
Access Enforcement
Remote Access
Wireless Access
Use of External Information Systems
Security Awareness and Training Policy and Procedures
Security Awareness Training
Audit Events
Content of Audit Records
Audit Storage Capacity
Audit Review, Analysis, and Reporting
Time Stamps
Audit Generation
System Interconnections
Continuous Monitoring
Internal System Connections
Configuration Management Policy and Procedures
Baseline Configurations
Configuration Settings
Least Functionality
Information System Component Inventory
Software Usage Restrictions
User-Installed Software
Information system Backup
Identification and Authentication (Organizational Users)
Identifier Management
Authenticator Management
Authenticator Management
Authenticator Feedback
Incident Response Policy and Procedures
Incident Response Training
Incident Reporting
Incident Response Plan
Media Access
Media Use
Vulnerability Scanning
External Information System Services
Boundary Protection
Secure Name / Address Resolution Service (Authoritative Source)
Secure Name / Address Resolution Service (Recursive or Caching Resolver)
Process Isolation
Malicious Code Protection
Information System Monitoring
Security Alerts, Advisories, and Directives
Memory Protection
NIST SP 800-171 Revision 2 
Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
Limit system access to the types of transactions and functions that authorized users are permitted to execute.
Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
Control the flow of CUI in accordance with approved authorizations.
Employ secure information transfer solutions to control information flows between security domains on connected systems.
Employ the principle of least privilege, including for specific security functions and privileged accounts.
Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Limit unsuccessful logon attempts.
Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
Terminate (automatically) a user session after a defined condition.
Monitor and control remote access sessions.
Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Route remote access via managed access control points.
Authorize wireless access prior to allowing such connections.
Protect wireless access using authentication and encryption.
Control connection of mobile devices.
Encrypt CUI on mobile devices and mobile computing platforms.
Verify and control/limit connections to and use of external systems.
Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
Provide awareness training focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.
Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
Include practical exercises in awareness training that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
Review and update logged events.
Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
Limit management of audit logging functionality to a subset of privileged users.
Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
Establish and enforce security configuration settings for information technology products employed in organizational systems.
Track, review, approve or disapprove, and log changes to organizational systems.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
Control and monitor user-installed software.
Identify system users, processes acting on behalf of users, and devices.
Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Disable identifiers after a defined period of inactivity.
Enforce a minimum password complexity and change of characters when new passwords are created.
Prohibit password reuse for a specified number of generations.
Store and transmit only cryptographically-protected passwords.
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
Test the organizational incident response capability.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
Limit access to CUI on system media to authorized users.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
Control the use of removable media on system components.
Protect the confidentiality of backup CUI at storage locations.
Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Protect and monitor the physical facility and support infrastructure for organizational systems.
Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
Remediate vulnerabilities in accordance with risk assessments.
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
Separate user functionality from system management functionality.
Prevent unauthorized and unintended information transfer via shared system resources.
Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
Control and monitor the use of mobile code.
Protect the authenticity of communications sessions.
Protect the confidentiality of CUI at rest.
Identify, report, and correct system flaws in a timely manner.
Provide protection from malicious code at designated locations within organizational systems.
Update malicious code protection mechanisms when new releases are available.
Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
Identify unauthorized use of organizational systems.
PCI DSS 
A formal process for approving and testing all network connections and changes to the firewall and router configurations
Current network diagram that identifies all connections between the cardholder data environment and other networks including any wireless networks.
Current diagram that shows all cardholder data flows across systems and networks.
Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone
Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.
Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment and specifically deny all other traffic.
Secure and synchronize router configuration files.
Install perimeter firewalls between all wireless networks and the cardholder data environment, and configure these firewalls to deny or, if traffic is necessary for business purposes, permit only authorized traffic between the wireless environment and the cardholder data environment.
Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.
Limit inbound Internet traffic to IP addresses within the DMZ.
Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.
Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
Permit only “established” connections into the network.
Install personal firewall software or equivalent functionality on any portable computing devices (including company and/or employee-owned) that connect to the Internet when outside the network (for example, laptops used by employees) and which are also used to access the CDE. Firewall (or equivalent) configurations include: • Specific configuration settings are defined. • Personal firewall (or equivalent functionality) is actively running. • Personal firewall (or equivalent functionality) is not alterable by users of the portable computing devices.
Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.
For wireless environments connected to the cardholder data environment or transmitting cardholder data, change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.
Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include but are not limited to: • Center for Internet Security (CIS) • International Organization for Standardization (ISO) • SysAdmin Audit Network Security (SANS) Institute • National Institute of Standards and Technology (NIST).
Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)
Enable only necessary services, protocols, daemons, etc., as required for the function of the system.
Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Encrypt all non-console administrative access using strong cryptography.
Maintain an inventory of system components that are in scope for PCI DSS.
Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received render all data unrecoverable upon completion of the authorization process. Sensitive authentication data includes the data as cited in the following Requirements 3.2.1 through 3.2.3:
Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches: • One-way hashes based on strong cryptography (hash must be of the entire PAN) • Truncation (hashing cannot be used to replace the truncated segment of PAN) • Index tokens and pads (pads must be securely stored) • Strong cryptography with associated key-management processes and procedures.
If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed separately and independently of native operating system authentication and access control mechanisms (for example, by not using local user account databases or general network login credentials). Decryption keys must not be associated with user accounts.
Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following: • Only trusted keys and certificates are accepted. • The protocol in use only supports secure versions or configurations. • The encryption strength is appropriate for the encryption methodology in use.
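Requirement 3.4 lists truncation and one-way hashing as separate approaches and, in the standard, carries a note that holding both a truncated and a hashed copy of the same PAN lets an attacker reconstruct it. The following is an added worked example of that point, not code from PCI SSC or CIS: it truncates and hashes a published test PAN (used here as constructed sample input), then shows how little work the correlation takes when the hash is unkeyed, and that a keyed hash (an HMAC with a key held under key-management controls, the example's own choice of "additional control") closes the gap.

```python
"""Worked example for PCI DSS 3.4: truncation, hashing the whole PAN, and the
correlation risk when both forms of the same PAN are stored.

Added illustration, not code from PCI SSC or CIS. The PAN is a published test
number, used here as constructed sample input."""
import hashlib
import hmac
import itertools
from typing import Optional

# Luhn contribution of a digit in a "doubled" position (odd index from the right).
DOUBLED = [0, 2, 4, 6, 8, 1, 3, 5, 7, 9]
DOUBLED_INV = {v: d for d, v in enumerate(DOUBLED)}  # a bijection, so it inverts cleanly


def luhn_contrib(digit: int, idx_from_right: int) -> int:
    return DOUBLED[digit] if idx_from_right % 2 == 1 else digit


def luhn_ok(pan: str) -> bool:
    """ISO/IEC 7812 check-digit validation."""
    return sum(luhn_contrib(int(c), i) for i, c in enumerate(reversed(pan))) % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str) -> str:
    """Unkeyed one-way hash of the entire PAN (3.4 requires the whole PAN be hashed)."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Without the key, a holder of the truncated PAN
    cannot recompute candidate hashes, so the correlation below fails."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, pan_hash: str) -> Optional[str]:
    """The correlation the 3.4 note warns about: given a truncated PAN and an
    unkeyed hash of the same PAN, enumerate the masked digits. The last masked
    digit is solved from the Luhn check, so 10**(masked-1) hashes suffice
    (100,000 for a 16-digit PAN truncated to first-six/last-four)."""
    n = len(truncated)
    first, last = truncated.find("*"), truncated.rfind("*")
    masked = last - first + 1
    # Luhn contribution of the digits we already know.
    base = sum(luhn_contrib(int(c), n - 1 - p) for p, c in enumerate(truncated) if c != "*")
    free_positions = range(first, last)  # every masked position except the last
    solve_idx = n - 1 - last             # index from the right of the solved digit
    for combo in itertools.product("0123456789", repeat=masked - 1):
        s = base + sum(luhn_contrib(int(c), n - 1 - p) for c, p in zip(combo, free_positions))
        need = (-s) % 10
        d = DOUBLED_INV[need] if solve_idx % 2 == 1 else need
        cand = truncated[:first] + "".join(combo) + str(d) + truncated[last + 1:]
        if hashlib.sha256(cand.encode()).hexdigest() == pan_hash:
            return cand
    return None


if __name__ == "__main__":
    pan = "4012888888881881"  # constructed test PAN
    t, h = truncate_pan(pan), hash_pan(pan)
    print("stored forms:", t, h[:16] + "...")
    print("recovered from truncated + unkeyed hash:", recover_pan(t, h))
    print("recovered from truncated + keyed hash:  ",
          recover_pan(t, keyed_hash_pan(pan, b"constructed-demo-key")))
```

The Luhn shortcut is why the search is cheap: the check digit fixes one of the six masked digits, so a hundred thousand SHA-256 evaluations, well under a second on a laptop, are enough. Storing truncated PANs alongside unkeyed hashes therefore provides no more protection than storing the PAN, which is the reason the standard asks for additional controls when both forms coexist.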
Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment use industry best practices to implement strong encryption for authentication and transmission.
Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.
Ensure that all anti-virus mechanisms are maintained as follows: • Are kept current • Perform periodic scans • Generate audit logs which are retained per PCI DSS Requirement 10.7.
Establish a process to identify security vulnerabilities using reputable outside sources for security vulnerability information and assign a risk ranking (for example, as “high”, “medium”, or “low”) to newly discovered security vulnerabilities.
Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Develop internal and external software applications (including web-based administrative access to applications) securely as follows: • In accordance with PCI DSS (for example secure authentication and logging) • Based on industry standards and/or best practices. • Incorporating information security throughout the software-development life cycle
Review custom code prior to release to production or customers in order to identify any potential coding vulnerability (using either manual or automated processes) to include at least the following: • Code changes are reviewed by individuals other than the originating code author and by individuals knowledgeable about code-review techniques and secure coding practices. • Code reviews ensure code is developed according to secure coding guidelines • Appropriate corrections are implemented prior to release. • Code-review results are reviewed and approved by management prior to release.
Separate development/test environments from production environments and enforce the separation with access controls.
Separation of duties between development/test and production environments.
Address common coding vulnerabilities in software-development processes as follows: • Train developers at least annually in up-to-date secure coding techniques including how to avoid common coding vulnerabilities. • Develop applications based on secure coding guidelines.
Injection flaws, particularly SQL injection. Also consider OS Command Injection, LDAP and XPath injection flaws, as well as other injection flaws.
Buffer overflows.
Insecure cryptographic storage.
Insecure communications.
Improper error handling.
All “high risk” vulnerabilities identified in the vulnerability identification process (as defined in PCI DSS Requirement 6.1).
Cross-site scripting (XSS).
Improper access control (such as insecure direct object references, failure to restrict URL access, directory traversal, and failure to restrict user access to functions).
Cross-site request forgery (CSRF).
Broken authentication and session management.
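The injection item in the 6.5 list is the one most easily shown in code. Below is an added example, not code from PCI SSC or CIS, that puts a string-concatenated SQL lookup next to its parameterized form and runs a constructed payload through both against an in-memory SQLite table built inside the example. It also covers the case a reviewer should look for that parameters do not solve: an identifier such as a sort column, which has to be checked against an allow-list before it is interpolated.

```python
"""PCI DSS 6.5.1 worked example: a SQL-injectable lookup next to its parameterized
form, plus the identifier case that bound parameters cannot cover.
Added illustration, not PCI SSC or CIS code; the table and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # String concatenation: the caller's input is parsed by the engine as SQL syntax.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Bound parameter: the input reaches the engine as a value, never as syntax.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


ALLOWED_SORT = {"id", "username", "role"}  # constructed allow-list for this table


def list_users_sorted(conn: sqlite3.Connection, sort_col: str):
    # Identifiers (column names) cannot be bound as parameters, so validate the
    # value against a fixed allow-list before it is interpolated into the query.
    if sort_col not in ALLOWED_SORT:
        raise ValueError(f"unexpected sort column: {sort_col!r}")
    return [r[0] for r in conn.execute(f"SELECT username FROM users ORDER BY {sort_col}")]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR role = 'admin' --"   # closes the literal, adds a predicate, comments out the rest
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("safe:      ", lookup_safe(db, payload))
    print("sorted:    ", list_users_sorted(db, "username"))
```

With the payload shown, the concatenated query becomes WHERE username = '' OR role = 'admin' --' and returns the admin row; the parameterized version looks for a user literally named ' OR role = 'admin' -- and returns nothing. A code review under 6.3.2 should flag any query built by concatenation and any identifier interpolated without an allow-list, regardless of whether the input is believed to be trusted.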
For public-facing web applications address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods at least annually and after any changes • Installing an automated technical solution that detects and prevents web-based attacks (for example a web-application firewall) in front of public-facing web applications to continually check all traffic.
Limit access to system components and cardholder data to only those individuals whose job requires such access.
Define access needs for each role, including: • System components and data resources that each role needs to access for their job function • Level of privilege required (for example, user, administrator, etc.) for accessing resources.
Restrict access to privileged user IDs to least privileges necessary to perform job responsibilities.
Assign access based on individual personnel’s job classification and function.
Define and implement policies and procedures to ensure proper user identification management for non-consumer users and administrators on all system components as follows:
Assign all users a unique ID before allowing them to access system components or cardholder data.
Immediately revoke access for any terminated users.
Remove/disable inactive user accounts within 90 days.
If a session has been idle for more than 15 minutes require the user to re-authenticate to re-activate the terminal or session.
Using strong cryptography render all authentication credentials (such as passwords/phrases) unreadable during transmission and storage on all system components.
Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
Incorporate multi-factor authentication for all remote network access (both user and administrator, and including third-party access for support or maintenance) originating from outside the entity’s network.
Physically secure all media.
Store media backups in a secure location, preferably an off-site facility such as an alternate or backup site or a commercial storage facility. Review the location’s security at least annually.
Classify media so the sensitivity of the data can be determined.
Properly maintain inventory logs of all media and conduct media inventories at least annually.
Maintain an up-to-date list of devices. The list should include the following: • Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification.
Provide training for personnel to be aware of attempted tampering or replacement of devices. Training should include the following: • Verify the identity of any third-party persons claiming to be repair or maintenance personnel prior to granting them access to modify or troubleshoot devices. • Do not install replace or return devices without verification. • Be aware of suspicious behavior around devices (for example attempts by unknown persons to unplug or open devices). • Report suspicious behavior and indications of device tampering or substitution to appropriate personnel (for example to a manager or security officer).
Implement audit trails to link all access to system components to each individual user.
Implement automated audit trails for all system components to reconstruct the following events:
Implement automated audit trails for all system components to reconstruct the following events: All individual user accesses to cardholder data
Verify all actions taken by any individual with root or administrative privileges are logged.
Implement automated audit trails for all system components to reconstruct the following events: Invalid logical access attempts.
Use of and changes to identification and authentication mechanisms—including but not limited to creation of new accounts and elevation of privileges—and all changes additions or deletions to accounts with root or administrative privileges.
Record at least the following audit trail entries for all system components for each event:
Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
Write logs for external-facing technologies onto a secure centralized internal log server or media device.
Review logs and security events for all system components to identify anomalies or suspicious activity.
Review the following at least daily: • All security events • Logs of all system components that store, process, or transmit CHD and/or SAD • Logs of all critical system components • Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
Review logs of all other system components periodically based on the organization’s policies and risk management strategy, as determined by the organization’s annual risk assessment.
Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup).
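The 10.x items above ask for three things a daily log review has to pull out of raw logs: actions by privileged users (10.2.2), invalid logical access attempts (10.2.4), and the ability to tie each access to an individual (10.1). The following is an added example of that review logic, not code from PCI SSC or CIS. It runs over a handful of constructed Linux sshd and sudo syslog lines embedded in the block, counts failed logins per source against a threshold, lists commands run as root with the person who ran them, and flags logins to generic accounts (the account list is the example's own) because a direct "root" login cannot be linked to an individual.

```python
"""PCI DSS 10.2/10.6 worked example: review auth log lines for invalid access
attempts, privileged actions, and logins that cannot be tied to a person.
Added illustration, not PCI SSC or CIS code; the log lines are constructed
sample input in sshd/sudo syslog format."""
import re
from collections import Counter
from typing import Dict, List, Tuple

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\d+(?:\.\d+){3})")
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Accounts that name a role rather than a person (constructed list). A direct
# login to one of these breaks the 10.1 link between an access and an individual.
GENERIC_ACCOUNTS = {"root", "admin", "administrator", "service"}

SAMPLE_LINES = [  # constructed
    "Mar  3 10:15:02 pos-web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2",
    "Mar  3 10:15:04 pos-web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51236 ssh2",
    "Mar  3 10:15:06 pos-web1 sshd[2203]: Failed password for bob from 203.0.113.9 port 51240 ssh2",
    "Mar  3 10:16:10 pos-web1 sshd[2210]: Accepted publickey for alice from 10.0.20.15 port 40002 ssh2: ED25519 SHA256:AbCd",
    "Mar  3 10:16:40 pos-web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  3 10:17:01 pos-web1 sshd[2215]: Failed password for carol from 10.0.20.30 port 40010 ssh2",
    "Mar  3 10:17:30 pos-web1 sshd[2218]: Accepted password for root from 198.51.100.7 port 4444 ssh2",
    "Mar  3 10:18:00 pos-web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow",
]


def review(lines: List[str], fail_threshold: int = 3) -> Dict[str, object]:
    """One pass over the lines; returns the three findings a daily review needs."""
    failures: Counter = Counter()                      # 10.2.4: invalid access attempts per source
    generic_logins: List[Tuple[str, str]] = []         # 10.1: accesses not attributable to a person
    privileged: List[Tuple[str, str, str]] = []        # 10.2.2: (who, as whom, command)
    for line in lines:
        if m := FAIL_RE.search(line):
            failures[m["src"]] += 1
        elif m := ACCEPT_RE.search(line):
            if m["user"] in GENERIC_ACCOUNTS:
                generic_logins.append((m["user"], m["src"]))
        elif m := SUDO_RE.search(line):
            privileged.append((m["user"], m["target"], m["cmd"].strip()))
    return {
        "brute_force_sources": {src: n for src, n in failures.items() if n >= fail_threshold},
        "generic_account_logins": generic_logins,
        "privileged_commands": privileged,
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LINES).items():
        print(f"{name}: {finding}")
```

On the sample, 203.0.113.9 crosses the failure threshold, the password login as root from 198.51.100.7 is reported as unattributable, and both root-level commands are recorded against alice rather than against root. That last point is what makes the sudo trail useful for 10.1: the audit record names the individual even though the command ran with administrative privilege.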
Implement processes to test for the presence of wireless access points (802.11) and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.
Maintain an inventory of authorized wireless access points including a documented business justification.
Implement incident response procedures in the event unauthorized wireless access points are detected.
Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
Perform quarterly internal vulnerability scans. Address vulnerabilities and perform rescans to verify all “high risk” vulnerabilities are resolved in accordance with the entity’s vulnerability ranking (per Requirement 6.1). Scans must be performed by qualified personnel.
Implement a methodology for penetration testing that includes the following: • Is based on industry-accepted penetration testing approaches (for example NIST SP800-115) • Includes coverage for the entire CDE perimeter and critical systems • Includes testing from both inside and outside the network • Includes testing to validate any segmentation and scope-reduction controls • Defines application-layer penetration tests to include at a minimum the vulnerabilities listed in Requirement 6.5 • Defines network-layer penetration tests to include components that support network functions as well as operating systems • Includes review and consideration of threats and vulnerabilities experienced in the last 12 months • Specifies retention of penetration testing results and remediation activities results.
Perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
Perform internal penetration testing at least annually and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment).
Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises. • Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
Deploy a change-detection mechanism (for example, file-integrity monitoring tools) to alert personnel to unauthorized modification (including changes, additions, and deletions) of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
Implement an incident response plan. Be prepared to respond immediately to a system breach.
Implement a formal security awareness program to make all personnel aware of the cardholder data security policy and procedures.
Educate personnel upon hire and at least annually.
Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following at a minimum: • Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands at a minimum • Specific incident response procedures • Business recovery and continuity procedures • Data backup processes • Analysis of legal requirements for reporting compromises • Coverage and responses of all critical system components • Reference or inclusion of incident response procedures from the payment brands.
Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Provide appropriate training to staff with security breach response responsibilities.

CIS Controls v7.1 - (171)


CIS Control 1 - Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
1.1

Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.

MAPPINGS

CMMC Groups

AM.4.226


Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
 

ISO 27001:2013 Groups

A.8.1.1


Inventory of assets
 

NIST CSF Version 1.1 Groups

DE.CM-7


Monitoring for unauthorized personnel, connections, devices, and software is performed
 

NIST SP 800-53 Revision 4 Low Baseline Groups

SI-4


Information System Monitoring
 
1.2

Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.

MAPPINGS

CMMC Groups

AM.4.226


Employ automated capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.
 

ISO 27001:2013 Groups

A.8.1.1


Inventory of assets
 

NIST CSF Version 1.1 Groups

DE.CM-7


Monitoring for unauthorized personnel, connections, devices, and software is performed
 

NIST SP 800-53 Revision 4 Low Baseline Groups

SI-4


Information System Monitoring
 
1.3

Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.

MAPPINGS

ISO 27001:2013 Groups

A.8.1.1


Inventory of assets
 

NIST CSF Version 1.1 Groups

DE.CM-7


Monitoring for unauthorized personnel, connections, devices, and software is performed
 

NIST SP 800-53 Revision 4 Low Baseline Groups

SI-4


Information System Monitoring
 
1.4

Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.

MAPPINGS

CMMC Groups

AC.1.001


Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).

AC.1.002


Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

CM.2.064


Establish and enforce security configuration settings for information technology products employed in organizational systems.
 

ISO 27001:2013 Groups

A.8.1.1


Inventory of assets
 

NIST CSF Version 1.1 Groups

ID.AM-1


Physical devices and systems within the organization are inventoried

PR.DS-3


Assets are formally managed throughout removal, transfers, and disposition
 

NIST SP 800-53 Revision 4 Low Baseline Groups

CM-8


Information System Component Inventory
 

NIST SP 800-171 Revision 2 Groups

3.4.1


Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

3.5.1


Identify system users, processes acting on behalf of users, and devices.
 

PCI DSS Groups

2.4


Maintain an inventory of system components that are in scope for PCI DSS.

9.9.1


Maintain an up-to-date list of devices. The list should include the following: • Make, model of device • Location of device (for example, the address of the site or facility where the device is located) • Device serial number or other method of unique identification.
 
1.5

Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

MAPPINGS

CMMC Groups

CM.2.064


Establish and enforce security configuration settings for information technology products employed in organizational systems.
 

ISO 27001:2013 Groups

A.8.1.1


Inventory of assets
 

NIST CSF Version 1.1 Groups

PR.DS-3


Assets are formally managed throughout removal, transfers, and disposition
 

NIST SP 800-53 Revision 4 Low Baseline Groups

CM-8


Information System Component Inventory

IA-4


Identifier Management
 

NIST SP 800-171 Revision 2 Groups

3.5.1


Identify system users, processes acting on behalf of users, and devices.
 
1.6

Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.

MAPPINGS

CMMC Groups

AC.1.001


Limit information system access to authorized users, processes acting on behalf of authorized users or devices (including other information systems).

AC.1.002


Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
 

ISO 27001:2013 Groups

A.11.2.5


Removal of assets
 

MITRE ATT&CK V6 Groups

T1200


Hardware Additions

T1091


Replication Through Removable Media
 

NIST CSF Version 1.1 Groups

PR.DS-3


Assets are formally managed throughout removal, transfers, and disposition
 

NIST SP 800-171 Revision 2 Groups

3.1.2e


Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.
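Safeguards 1.3, 1.5 and 1.6 describe one pipeline: DHCP server logs feed the hardware asset inventory, the inventory carries network address, hardware address, machine name, owner, department and approval status per device, and anything that shows up without approval is quarantined, removed or reviewed. The block below is an added example of that pipeline, not CIS code. The log lines follow the DHCPACK format that ISC dhcpd writes to syslog and are constructed here as sample input, as is the seed inventory; a real deployment would read the lines from the DHCP server or an IPAM export and write the results back to the inventory system.

```python
"""CIS 1.3/1.5/1.6 worked example: apply DHCP server log lines to a hardware asset
inventory and surface devices not approved to connect.
Added illustration, not CIS code. Log lines (ISC dhcpd DHCPACK syslog format) and
the seed inventory are constructed sample data."""
import re
from dataclasses import dataclass
from typing import Dict, List

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+(?:\.\d+){3}) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)"
)


@dataclass
class Asset:
    """The 1.5 record: network address, hardware address, machine name, owner,
    department, and whether the device is approved to connect."""
    mac: str
    ip: str = ""
    hostname: str = ""
    owner: str = ""
    department: str = ""
    approved: bool = False
    last_seen: str = ""


def seed_inventory() -> Dict[str, Asset]:
    """Constructed starting inventory: one approved workstation, one device that
    was recorded earlier but never approved."""
    assets = [
        Asset("00:11:22:33:44:55", owner="j.doe", department="Finance", approved=True),
        Asset("00:11:22:33:44:66", approved=False),
    ]
    return {a.mac: a for a in assets}


def update_from_dhcp_log(inventory: Dict[str, Asset], lines: List[str]) -> List[str]:
    """Apply DHCPACK events to the inventory (1.3); return MACs first seen in this batch."""
    new_macs: List[str] = []
    for line in lines:
        m = ACK_RE.search(line)
        if not m:
            continue                             # DISCOVER/OFFER/REQUEST lines carry no lease
        mac = m["mac"].lower()
        asset = inventory.get(mac)
        if asset is None:
            asset = Asset(mac=mac)               # unknown device: recorded, left unapproved
            inventory[mac] = asset
            new_macs.append(mac)
        asset.ip = m["ip"]
        if m["host"]:
            asset.hostname = m["host"]           # client-supplied name; keep the old one if absent
        asset.last_seen = line[:15]              # syslog timestamp prefix
    return new_macs


def unauthorized(inventory: Dict[str, Asset]) -> List[str]:
    """Devices that obtained a lease but are not approved (1.6: remove, quarantine, or review)."""
    return sorted(a.mac for a in inventory.values() if a.last_seen and not a.approved)


SAMPLE_LOG = [  # constructed
    "Mar  3 10:15:02 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.15 to 00:11:22:33:44:55 (fin-ws01) via eth0",
    "Mar  3 10:15:09 dhcp1 dhcpd[1234]: DHCPDISCOVER from de:ad:be:ef:00:01 via eth0",
    "Mar  3 10:15:10 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.77 to de:ad:be:ef:00:01 via eth0",
    "Mar  3 10:16:00 dhcp1 dhcpd[1234]: DHCPACK on 10.0.20.16 to 00:11:22:33:44:66 (unknown-lt) via eth0",
]

if __name__ == "__main__":
    inv = seed_inventory()
    print("first seen this batch:", update_from_dhcp_log(inv, SAMPLE_LOG))
    print("unauthorized on network:", unauthorized(inv))
```

Two things to note when adapting this. The hostname comes from the DHCP client and is attacker-controlled, so it is recorded but never used as the key; the MAC is the key, and a MAC is itself trivially spoofed, which is why 1.7 and 1.8 go on to bind network admission to 802.1x and client certificates rather than to the inventory alone. And a device that is known but unapproved (the second seed record) is reported exactly like a never-seen one: 1.6 is about what is on the network, not what is in the spreadsheet.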
 
1.7

Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

MAPPINGS

CMMC Groups

IA.1.077


Authenticate (or verify) the identities of those users, processes or devices, as a prerequisite to allowing access to organizational information systems.
 

ISO 27001:2013 Groups

A.13.1.1


Network Controls

A.9.1.2


Access to networks and network services
 

NIST CSF Version 1.1 Groups

PR.AC-1


Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
 

NIST SP 800-171 Revision 2 Groups

3.1.1


Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

3.1.16


Authorize wireless access prior to allowing such connections.
 

PCI DSS Groups

1.1.6


Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.

1.2


Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
 
1.8

Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

MAPPINGS

ISO 27001:2013 Groups