CIS CSAT FAQ
What is CIS CSAT?
The CIS Controls® Self-Assessment Tool, also known as CIS CSAT, enables organizations to assess and track their implementation of the CIS Critical Security Controls. The CIS Controls are a prioritized set of consensus-developed security best practices used by organizations around the world to defend against cyber threats.
How does CIS CSAT help with CIS Controls assessments?
CIS CSAT supports cross-departmental collaboration by allowing users to delegate questions to others, validate the responses, create sub-organizations and more. At any point in the assessment, you can export your results into various formats. With CIS CSAT, you can create a new assessment, view historical assessments and compare your results to an anonymized “peer group” within the same industry.
Which versions of CIS CSAT are available?
There are two versions of CIS CSAT: a CIS-hosted version and an on-premises version for CIS SecureSuite Members called CIS CSAT Pro.
Is CIS CSAT free?
The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct CIS Controls assessments of their organization. If you’d like to use CSAT in a commercial capacity to assess other organizations (consulting, etc.), you will need to become a CIS SecureSuite Member.
What if my CIS CSAT report is not 100% compliant?
That’s okay! It’s quite common for organizations not to be completely compliant with the recommendations found in the CIS Controls, and this isn’t necessarily a bad thing. Some controls may be unreasonable for your organization to deploy, or you may already have compensating controls put in place. To help accommodate these nuanced issues, you have the option of identifying the Control as “not-applicable” which means the Control doesn’t count against you. In addition, there is an old adage that says, “you cannot manage what you cannot measure.” You may want to consider your first assessment as the starting point for your journey implementing the CIS Controls.
I have performed an assessment with CIS CSAT and identified areas for improvement. Now what?
There are multiple things you can do with your CIS CSAT results. Some ways to get started:
- Export results to share with your team and management
- Schedule another assessment in the future for continuous evaluation
- Assign specific safeguards to different team members for follow-up
CIS CSAT results can also help prioritize your organization’s security spending. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the Controls over time.
What frameworks is CIS CSAT cross-mapped to?
CIS CSAT includes the CIS Controls mappings to several external frameworks including NIST CSF and NIST SP800-53. In addition, you can create your own unique tags for each Safeguard which can be filtered to help organizations manage all the complex moving pieces and stakeholders involved in a cybersecurity program.
How do I get support for CIS CSAT?
Reach out to us for help anytime by submitting a support ticket at CIS Product Technical Support.
How does CIS-Hosted CSAT work?
CIS-Hosted CSAT is based on the popular AuditScripts CIS Controls Manual Assessment Tool, which helps organizations document the implementation, automation, reporting, and formalization of the best practices found in the CIS Controls. CIS CSAT builds on this work, enabling organizations to collaborate on assessments and scale their tracking over time through an online platform.
How do I register for the CIS-Hosted CSAT tool?
Please register at https://csat.cisecurity.org/. You will still need to register on CSAT even if you already have an account for CIS WorkBench. After registering, you can access and use CIS-Hosted CSAT by visiting https://csat.cisecurity.org/.
How was the tool developed?
The CIS-Hosted CSAT platform is a generous contribution of intellectual property donated by EthicalHat and is now maintained by CIS.
Where is my data stored? How is it used?
Assessment data is stored on our secured CIS infrastructure (AWS East region) and will not be shared with any third parties. The data is encrypted and follows our established CIS Benchmarks best practices for AWS. Data may be used to help us enhance the CIS Controls security best practices. We developed CIS CSAT both to support the community that has helped create the CIS Controls and to provide insight into some of the gaps that exist so that we can work together to improve everyone's security posture. Our content is consensus-developed and community-driven, and we are truly indebted to the amazing folks that offer their time and expertise in our communities. The data from CIS CSAT will help improve the CIS Controls for the benefit of organizations everywhere.
If you prefer not to share your data with CIS, consider using CSAT Pro instead (see the CIS CSAT Pro section below).
I have not received confirmation that my registration was approved.
There is no approval process. You should have received an email with the subject "Activate your account" and the from address is [email protected]. Please check to see if the email was filtered by your spam tool.
I cannot see a way to edit a CIS Control once it is validated.
We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such, we allow organizations to either maintain one assessment and simply not validate the responses, or create a new assessment by using the drop-down menu at the top right of the main Assessment Dashboard. There, you can start a new blank assessment, create a new assessment using your current assessment data, or import a previously exported assessment.
Is the assessment data encrypted in transit and at rest?
The data is both encrypted in transit and at-rest.
Is there a CIS-Hosted CSAT WorkBench Community?
Yes, we welcome your feedback in our public community on the CIS WorkBench platform. It's free to join - sign up and access the CIS CSAT Feedback Community.
Other than CIS system administrators assigned to the CSAT platform, what other users have access to data supplied to the system?
Only CIS system administrators have access to the platform as a whole. Users only have access to their own records and to anonymized averages by industry.
How can I change the "Assigned to" user and due date for each task?
Once a Safeguard task is assigned, you can update the assignee and date. Note that the assignee would also need to be validated before they are visible on the drop-down list.
How is the Overall Score calculated?
Information on score calculations is available at: How are individual organization assessment and industry average scores calculated in CSAT?
What do the four Scoring Categories in CIS-Hosted CSAT mean?
Information on the scoring categories is available at: How are CIS CSAT scoring categories defined?
What types of user roles are available in CIS-Hosted CSAT?
Information on the user roles is available at: Users and Permission for CIS CSAT tool
Where can I find information about CIS-Hosted CSAT v1.3.0?
Information about v1.3.0 is available at:
Release Notes: CSAT v1.3.0 Release Notes
Blog: CIS Controls Self Assessment Tool (CSAT) Update v1.3.0
Is a demo of CIS-Hosted CSAT available?
Yes, a recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Leveraging the Controls Self Assessment Tool (CSAT). Please note that this recording took place prior to the release of v1.3.0.
I noticed that the website for the CIS-Hosted CSAT Tool does not have a timeout due to inactivity.
This has been logged as a feature enhancement request for the CSAT tool. The current workaround would be to log out of the session.
CIS CSAT Pro
How do I get started with CSAT Pro?
If you’re already a CIS SecureSuite Member, join the CSAT Pro WorkBench community. You can download the appropriate CSAT Pro installer (Microsoft Windows or Unix) from the Files section of that community.
If you’re not already a CIS SecureSuite Member, visit https://www.cisecurity.org/cis-securesuite/ to learn more.
Where can I find more information on CIS CSAT Pro?
User documentation is available at https://csat.readthedocs.io. This includes a Deployment Guide for installation/setup, a User Guide describing how to use CSAT Pro, and a Change Log.
Blogs describing previous releases are available at:
- CIS CSAT Pro v1.3.0/v1.4.0 blog
- CIS CSAT Pro v1.2.0 blog
- CIS CSAT Pro v1.1.0 blog
- CIS CSAT Pro v1.0.0 blog
A recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Introducing CIS Controls Self Assessment Tool (CSAT Pro). Please note that this recording describes v1.0.0.
Transitioning from CIS Controls v7.1 to v8?
When transitioning from CIS Controls v7.1 to v8, enterprises will need to perform new assessments. It is important to note that automated migration is not available due to the substantial differences between CIS Controls v7.1 and v8. We recognize that transitioning to CIS Controls v8 assessments for many enterprises may take time due to the significant changes and assessment cycles. There is assurance for enterprises that there are currently no plans to remove CIS Controls v7.1 support from CSAT.