CIS CSAT FAQ
What is CIS CSAT
The CIS Controls Self Assessment Tool (CIS CSAT) enables organizations to assess and track their implementation of the CIS Critical Security Controls (CIS Controls) – a prioritized set of consensus-developed security best practices used by enterprises around the world to defend against cyber threats. Download the CIS Controls.
How does CIS CSAT help with CIS Controls assessments?
CIS CSAT supports cross-departmental collaboration by enabling users to delegate questions to others, validate the responses, create sub-organizations, and more. At any point in the assessment, you can export your results into various formats. With CIS CSAT, you can create a new assessment, view historical assessments, and compare your results to an anonymized “peer group” within your industry.
Which versions of CIS CSAT are available?
There are two versions of CIS CSAT. The CIS-hosted CSAT is free to every organization for use in a non-commercial capacity. CIS CSAT Pro is an on-premises version that offers additional features and benefits and is only available to CIS SecureSuite Members.
What frameworks is CIS CSAT cross-mapped to?
CIS CSAT includes the CIS Controls mappings to several external frameworks, including NIST CSF and NIST SP 800-53. In addition, you can create your own unique tags for each Safeguard. Organizations can filter these tags, which enables them to manage all the complex moving pieces and stakeholders involved in a cybersecurity program.
How do I transition from CIS Controls v7.1 to v8?
When transitioning from CIS Controls v7.1 to v8, enterprises will need to perform new assessments. It is important to note that automated migration is not available due to the substantial differences between v7.1 and v8. We recognize that transitioning to CIS Controls v8 assessments for many enterprises may take time due to the significant changes and assessment cycles. We expect to maintain support for CIS Controls v7.1 in CIS CSAT for the time being as enterprises make their transition.
What if my CIS CSAT report is not 100% compliant?
It’s quite common for enterprises not to be completely compliant with the recommendations found in the CIS Controls. This isn’t necessarily a bad thing. Some Safeguards may be unreasonable for your organization to deploy, or you may already have compensating controls put in place. To help accommodate these nuanced issues, you have the option to identify a Safeguard as “not applicable.” This means that non-compliance with the Safeguard doesn’t count against you. You may want to consider your first assessment as the starting point for your journey in implementing the CIS Controls.
I have performed an assessment with CIS CSAT and identified some opportunities for improvement. Now what?
There are several potential next steps to take with your CIS CSAT results. Some ways to get started:
- Export results to share with your team and management
- Schedule another assessment in the future for continuous evaluation
- Assign specific Safeguards to team members for follow-up action
- Consider assessing your organization with the CIS Risk Assessment Method (CIS RAM) to determine the appropriate implementation levels for various Safeguards for your enterprise
CIS CSAT results can also help prioritize your organization’s security investments. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the CIS Controls over time.
CIS CSAT Pro
How do I get started with CIS CSAT Pro?
Where can I find more information on CIS CSAT Pro?
User documentation is available at CIS CSAT Document Library. This includes a Deployment Guide for installation/setup, a User Guide describing how to use CIS CSAT Pro, and a Changelog.
Blogs describing previous releases
- CIS CSAT Pro v1.5.0/v1.6.0/v1.7.0 blog
- CIS CSAT Pro v1.3.0/v1.4.0 blog
- CIS CSAT Pro v1.2.0 blog
- CIS CSAT Pro v1.1.0 blog
- CIS CSAT Pro v1.0.0 blog
A recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Introducing CIS Controls Self Assessment Tool (CSAT Pro). Please note that this recording describes v1.0.0.
How does CIS-hosted CSAT work?
CIS-hosted CSAT is based on the popular AuditScripts CIS Controls Manual Assessment Tool, which helps organizations document the implementation, automation, reporting, and formalization of the best practices found in the CIS Controls. CIS-hosted CSAT builds on this work, enabling organizations to collaborate on assessments and scale their tracking over time through an online platform.
How do I register for the CIS-hosted CSAT tool?
How was the tool developed?
The CIS-hosted CSAT platform is a generous contribution of intellectual property donated by EthicalHat. CIS now maintains it.
Where is my data stored? How is it used?
Assessment data is stored on our secured CIS infrastructure (AWS East Region) and will not be shared with any third parties. The data is encrypted and follows the recommendations outlined in the CIS Amazon Web Services Foundations Benchmark. Some of the data collected may be used to enhance the continuous development of the CIS Controls. We developed CIS CSAT to support the community that has helped create the CIS Controls, and to provide insight into some of the gaps that exist so that we can work together to improve everyone’s security posture. Our content is consensus-developed and community-driven, and we are truly indebted to the amazing volunteers who offer their time and expertise in our communities. The data from CIS CSAT will help improve the CIS Controls for the benefit of organizations everywhere.
If you prefer not to share your data with CIS, consider using CIS CSAT Pro instead. (See the CIS CSAT Pro section.)
I have not received confirmation that my registration was approved.
When registering a new account, you should have received an email with the subject “Activate your account” from the email address [email protected]. Please check to see if the email was filtered by your spam tool. If someone has already registered your domain, the Primary Owner for that account will need to log in to the tool and approve your request to join. See How Does User Verification and Creation Work in CIS-hosted CSAT?
I cannot see a way to edit a CIS Safeguard once it is validated.
We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such, we allow organizations to either maintain one assessment and simply not validate the responses, or to create a new assessment by using the drop-down menu at the top right of the main Assessment Dashboard. There, you can start a blank assessment, create a new assessment using your current assessment data, or import a previously exported assessment. A user with the appropriate permissions can revert validated Safeguards if needed.
Is the assessment data encrypted in transit or at rest?
The data is encrypted both in transit and at rest.
Is there a CIS-hosted CSAT WorkBench Community?
Yes, we welcome your feedback in our public community on the CIS WorkBench platform. It’s free to join. Sign up and access the CIS CSAT Feedback Community.
Other than CIS system administrators assigned to the CIS CSAT platform, what other users have access to data supplied to the system?
Only CIS system administrators have access to the platform as a whole. Users only have access to their own records and to anonymized averages by industry.
How can I change the “Assigned to” user and the due date for each task?
Once a Safeguard task is assigned, you can update the assignee and date. Note that the assignee would also need to be validated before they are visible on the dropdown list.
How is the Overall Score calculated?
Information on score calculations is available at: How are individual organization assessment and industry average scores calculated in CIS CSAT?
What do the four Scoring Categories in CIS-hosted CSAT mean?
Information on the scoring categories is available at: How are CIS CSAT scoring categories defined?
What types of user roles are available in CIS-hosted CSAT?
Information on the user roles is available at: Users and Permission for CIS CSAT tool.
Are there other Knowledge Base (KB) articles about CIS-hosted CSAT?
Yes, these other KB articles on CIS-hosted CSAT may be of interest:
- How can I run a new assessment using CIS Controls v8 in CSAThosted?
- How can I transfer ownership of our CIS-hosted CSAT environment to another member of our organization?
- Why is my CIS CSAT Industry Average so low?
- Will the "Start New Assessment with Current Data" option automatically send emails to each assignee?
- PDF vs PowerPoint Scoring Discrepancy in CSAT
Where can I find information about CIS-hosted CSAT v1.3.0?
Information about v1.3.0 is available at:
- Release Notes: CIS CSAT v1.3.0 Release Notes
- Blog: CIS Controls Self Assessment Tool (CSAT) Update v1.3.0
Is a demo of CIS-hosted CSAT available?
Yes, a recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Leveraging the CIS Controls Self Assessment Tool (CSAT). Please note that this recording took place prior to the release of v1.3.0.
I noticed that the website for the CIS-Hosted CSAT Tool does not have a timeout due to inactivity.
This has been logged as a feature enhancement request for the CSAT tool. The current workaround would be to log out of the session.
CIS CSAT Ransomware Business Impact Analysis Tool
Organizations can evaluate their likelihood of experiencing a ransomware attack and its potential impacts by using the CIS CSAT Ransomware Business Impact Analysis (BIA) tool. This utility has been created by CIS in partnership with Foresight Resilience Strategies (4RS). The BIA tool applies scores for ransomware-related Safeguards to estimate an enterprise’s likelihood of being affected by a ransomware attack; those who have already started an assessment using CIS-Hosted CSAT can import the scores from that assessment. Get started assessing your ransomware risks today!