CIS CSAT FAQ

What is CIS CSAT?

CIS Controls™ Self-Assessment Tool, also known as CIS CSAT, is a free online platform that organizations can use to conduct, track and assess their implementation of the CIS Controls. The CIS Controls are a prioritized set of consensus-developed security best practices used by organizations around the world to defend against cyber threats.

How does CIS CSAT work?

CIS CSAT is based on the popular AuditScripts CIS Controls Manual Assessment Tool, which helps organizations document the implementation, automation, reporting and formalization of the best practices found in the CIS Controls. CIS CSAT builds on this work, enabling organizations to collaborate on assessments and scale their tracking over time through an online platform.

CIS CSAT supports cross-departmental collaboration by allowing users to delegate questions to others, validate the responses, create sub-organizations and more. At any point in the assessment, you can export your results into various formats such as Excel, PowerPoint, and PDF. With CIS CSAT, you can create a new assessment, view historical assessments and compare your results to an anonymized “peer group” within the same industry.

How do I register for the CIS CSAT tool?

Please register at https://csat.cisecurity.org/. Note that you will still need to register on CSAT even if you already have an account for WorkBench.

How was the tool developed?

The CSAT platform is a generous contribution of intellectual property donated by EthicalHat and is now maintained by CIS.

How can I access and utilize CIS CSAT?

Please register at https://csat.cisecurity.org/. Note that you will still need to register on CSAT even if you already have an account for WorkBench.

Where is my data stored? How is it used?

Assessment data is stored on our secured CIS infrastructure (AWS East region) and will not be shared with any third parties. The data is encrypted and follows our established best practices for AWS (https://www.cisecurity.org/benchmark/amazon_web_services/). Data may be used to help us enhance the CIS Controls security best practices.

We provided CIS CSAT both to support the community that has helped create the CIS Controls and to provide insight into some of the gaps that exist so that we can work together to improve everyone's security posture. Our content is consensus-developed and community-driven, and we are truly indebted to the amazing folks that offer their time and expertise in our communities. The data from CIS CSAT will be aimed at improving the CIS Controls for the benefit of organizations everywhere.

If you prefer not to use CIS CSAT, you can use the AuditScripts Excel sheet, accessible here: https://www.auditscripts.com/free-resources/critical-security-controls/

What frameworks is CIS CSAT cross-mapped to?

CIS CSAT maps the CIS Controls to NIST SP800-53 and PCI DSS. In addition, you can create your own unique tags for each Sub-Control which can be filtered to help organizations manage all the complex moving pieces and stakeholders involved in a cybersecurity program.

What if my CIS CSAT report is not 100% compliant?

That’s okay! It’s quite common for organizations not to be completely compliant with the recommendations found in the CIS Controls, and this isn’t necessarily a devastating thing. Some controls may be unreasonable for your organization to deploy, or you may have compensating controls in place. To help accommodate these nuanced issues, you have the option of identifying the Control as “not-applicable”, which means the Control doesn’t count against you. In addition, there is an old adage that says, “You cannot manage what you cannot measure.” You may want to consider your first assessment as the starting point for your journey implementing the CIS Controls.

I have run CIS CSAT and identified my areas of improvement. Now what?

There are multiple things you can do with your CIS CSAT results. Some ways to get started:

  • Export results to share with your team and management
  • Schedule another assessment in the future for continuous evaluation
  • Assign specific sub-controls to different team members for follow-up

CIS CSAT results can also help prioritize your organization’s security spending. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the Controls over time.

I have not received confirmation that my registration was approved.

There is no approval process per se. You should have received an email with the subject "Activate your account" and the From Address is no-reply@cisecurity.org. Please check to see if the email was filtered by your spam tool.

I cannot see a way to edit a CIS Control once it is validated.

We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such we allow organizations to either maintain one assessment and simply not validate the responses, or create an entirely new assessment by using the drop-down “Current Assessment” at the top right on the main dashboard. Or you can always start over by using the delete current assessment functionality.

I am unable to add users to my CIS CSAT online dashboard.

Please open a support ticket by emailing support@cisecurity.org and let us know which domain needs to be updated, and we can modify that for you.

The only option for "Industry Type" is "Networking".

This is a known issue and is being addressed by the engineering team.

I accidentally put "Not Applicable" in CIS CSAT and I can’t seem to change it back.

This is a known issue and is being addressed by the engineering team.

Is the assessment data encrypted in transit and at rest?

The data is encrypted both in transit and at rest.

Can you give more usage and security-related information?

Comprehensive documentation will be available shortly.

Who can I contact for CIS CSAT support?

Reach out to us for help anytime at support@cisecurity.org.

Other than CIS system administrators assigned to the CSAT platform, what other users have access to data supplied to the system?

Only CIS system administrators have access to the platform as a whole; users have access to their own records and to an anonymized average of the scores of organizations that have registered as the same type of organization.

How can I change the assignee for each task, and how can I change the due date for each task?

Once a control task is assigned, you can update the assignee and the due date. Note that the assignee would also need to be validated before they are visible in the drop-down list.

How is the Overall Score calculated?

The overall score is calculated by first averaging the question scores within each Control and then averaging those per-Control results across all Controls. We’ll be working on some additional guidance that will detail the scoring.
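As an added illustration (not code from CIS or the CSAT platform) of the scoring rule just described, the block below computes a mean of per-Control means and contrasts it with a pooled mean over all questions; excluding "Not Applicable" answers from the averages is an assumption drawn from the earlier answer that such Controls do not count against you, and the sample scores are constructed.

```python
"""Illustration of the CIS CSAT scoring rule: average the answered
questions within each Control, then average those per-Control means.
Not CIS's own code; sample scores are constructed. Treating "Not
Applicable" as excluded is an assumption based on the FAQ's statement
that an N/A Control does not count against you."""
from statistics import mean
from typing import Dict, List, Optional

NA = None  # sentinel for a question/Sub-Control marked "Not Applicable"


def control_score(answers: List[Optional[float]]) -> Optional[float]:
    """Mean of the answered questions for one Control (0-100 scale).
    Returns None when every question is N/A, so the Control is skipped."""
    scored = [a for a in answers if a is not None]
    return mean(scored) if scored else None


def overall_score(controls: Dict[str, List[Optional[float]]]) -> float:
    """Unweighted mean of the per-Control means: each Control counts once,
    however many questions it has (mean of means, not a pooled mean)."""
    per_control = [s for s in map(control_score, controls.values()) if s is not None]
    if not per_control:
        raise ValueError("no scored Controls")
    return round(mean(per_control), 2)


def pooled_score(controls: Dict[str, List[Optional[float]]]) -> float:
    """Pooled mean over all answered questions, shown only for contrast:
    a Control with many questions dominates a pooled mean but carries the
    same weight as any other Control under the mean-of-means rule."""
    scored = [a for answers in controls.values() for a in answers if a is not None]
    return round(mean(scored), 2)


# Constructed sample: three Controls, one question marked N/A.
SAMPLE = {
    "Control 1": [100, 50],        # per-Control mean 75
    "Control 2": [0, 0, 0, 100],   # per-Control mean 25
    "Control 3": [80, NA],         # per-Control mean 80 (N/A excluded)
}

if __name__ == "__main__":
    print("overall (mean of means):", overall_score(SAMPLE))  # 60.0
    print("pooled (all questions): ", pooled_score(SAMPLE))   # 47.14
```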

I noticed that the website for the new CSAT Tool does not have a timeout due to inactivity.

This has been logged as a feature enhancement request for the CSAT tool. The current workaround would be to log out of the session.