Laws, Regulations, and Other Endorsements of the CIS Controls

Adoption and Endorsements of the CIS Critical Security Controls

Selected adoption and endorsements of the CIS Critical Security Controls (CIS Controls) include:

NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.1, Apr. 16, 2018, and other iterations.

  • Cites and maps to “CIS CSC” throughout Appendix A, Framework Core at 22-44. The “CIS CSC” is shorthand for the CIS Critical Security Controls, also referred to as the CIS Controls throughout this paper.

Verizon, “Data Breach Investigations Report (DBIR).”

  • Recommends the CIS Controls and maps them to industry challenges and vulnerabilities. CIS has been collaborating with Verizon and contributing to the DBIR since 2013.

U.S. Government Accountability Office, “Cybersecurity Program Audit Guide,” 2023.

  • GAO cites the CIS Critical Security Controls as an additional source to use in conducting cybersecurity audits.

National Aerospace Standard, NAS9933, Critical Security Controls for Effective Capability in Cyber Defense, Nov. 29, 2018.

Federal Financial Institutions Examination Council, “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” Aug. 28, 2019.

  • Recommends the Critical Security Controls as one of four specific tools. The FFIEC prescribes uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions.

Conference of State Bank Supervisors, “Cybersecurity 101, A Resource Guide for Bank Executives,” 2017.

  • Recommends use of the Critical Security Controls at pages 8, 12, and 24.

FCC, Notice of Proposed Rulemaking (Dec. 2022 to Jan. 2023).

  • FCC proposes measures to protect the nation’s critical communications systems from cyber threats by adopting the CISA Cybersecurity Baseline or the CIS Controls. FCC NPRM, No. 22-82, Appendix B, Section E, paragraph 66, page 52.

FCC, Communications Security, Reliability and Interoperability Council, CSRIC IV, Working Group 3, “Emergency Alert System (EAS) Initial Security Subcommittee Report,” May 2014.

  • Recommends the CIS Controls (then known as the “SANS 20 Critical Security Controls”) as part of its recommended Network and Operational Controls.

FCC, Communications Security, Reliability and Interoperability Council, CSRIC III, Working Group 11, “Consensus Cyber Security Controls Final Report,” March 2013.

  • This report finds that the “user community within Working Group 11 would prefer for the FCC to encourage industry to use the 20 Controls because they believe that the 20 Controls will protect the network infrastructure directly. The user group also believes that the 20 Controls have been demonstrated to be effective in protecting critical infrastructure from attacks that are likely to come through the enterprise systems and therefore the 20 Controls should be used by the communications industry.” See page 8 of the report.

NIST, U.S. Resilience Project, “Best Practices in Cyber Supply Chain Risk Management.”

  • Boeing’s IS team stated that its “primary standard is the Critical Security Controls.” See page 4.

U.S. Department of Transportation, Federal Highway Administration, Transportation Management Center Information Technology Security, Final Report, Sep. 2019.

  • Cites the Critical Security Controls throughout as insight into basic practices that serve as a starting point or baseline for organizations with limited resources and cybersecurity expertise, as well as guidelines for Traffic Management Centers looking to increase their system maturity.

The NSTAC Report to the President on Information Technology and Operational Technology Convergence, Aug. 23, 2022.

  • Appendix D: Existing Best Practices for Converged Operational Technology (OT) Networks

State of California, “California Data Breach Report,” Feb. 2016.

  • Then-Attorney General Kamala Harris’s report warns that failing to implement all relevant CIS Critical Security Controls in California “constitutes a lack of reasonable security.” The report effectively established a ground-breaking minimum level of information security.

Subsequent analysis cites the endorsement of the CIS Controls as reasonable security:

State of Colorado, Data Security Best Practices.

  • The Colorado Attorney General Data Security Best Practices guide states that: “While each entity’s data security needs and practices may differ, there are some common best practices that most, if not all, covered entities can implement.” The guide recommends the CIS Critical Security Controls as part of Step 2, the written information security policy on page 3.

World Economic Forum (WEF), White Paper, Global Agenda Council on Cybersecurity, Apr. 2016.

  • Lists the CIS Controls as the first best practice on page 19 and CIS cyber hygiene in Appendix A on page 26.

ENISA (European Union Agency for Network and Information Security), “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers,” Dec. 2016.

  • This document cited the CIS Controls as a means for meeting EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS). See page 10 and mapping throughout.

ETSI (European Telecommunications Standards Institute).

  • ETSI transposed all of the CIS Critical Security Controls and Safeguards and their associated facilitation mechanisms into formal international specifications for global citation and normative use within the European Union. The CIS Controls were also designated as the means of implementing most of the provisions of the original EU Network and Information Security (NIS) Directive and the recently adopted Revised Network and Information Security Directive (NIS2).

ETSI TR 103 305-1: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls,”

ETSI TR 103 305-3: “CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations,”

ETSI TR 103 305-4: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms,”

ETSI TR 103 305-5: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 5: Privacy and personal data protection enhancement,”

ETSI TR 103 456: “CYBER; Implementation of the Network and Information Security (NIS) Directive,”

ETSI TR 103 866: “Cyber Security (CYBER); Implementation of the Revised Network and Information Security (NIS2) Directive applying Critical Security Controls,”

CERT – Paraguay

States Leading the Way to Achieve Reasonable Cybersecurity

State Safe Harbor Statutes

Several states have passed laws that provide a way to identify reasonable security. The following five states have enacted statutes that incentivize the voluntary adoption of cyber best practices by creating a safe harbor for organizations that adopt one of several industry standards, like the CIS Critical Security Controls. These states include:

Texas: An act relating to a limitation on civil liability of business entities in connection with a breach of system security

  • Incentivizes voluntary adoption of cybersecurity best practices by providing protection from exemplary damages in a lawsuit resulting from a data breach. For companies with at least 20 employees and fewer than 100, “moderate requirements, including the requirements of the Center for Internet Security Controls Implementation Group 1” apply.
  • Effective date: September 1, 2025

Iowa: Affirmative Defenses for Entities Using Cybersecurity Programs

  • Incentivizes voluntary adoption of cybersecurity best practices, including the CIS Critical Security Controls, by creating affirmative defenses in a lawsuit resulting from a data breach.
  • Effective date: July 1, 2023.

Iowa Code Title XIII (Commerce), Chapter 554G (Tort Liability—Cybersecurity Programs).

Connecticut: An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses

  • Incentivizes voluntary adoption of cybersecurity best practices, including the CIS Critical Security Controls, by creating a cap against punitive damages in a lawsuit resulting from a data breach.
  • Effective date: October 1, 2021.

Public Act No. 21-119

Utah: The Cybersecurity Affirmative Defense Act

  • Incentivizes voluntary adoption of cybersecurity best practices, including the CIS Critical Security Controls, by creating an affirmative defense against lawsuits resulting from a data breach.
  • Effective date: May 5, 2021.

Utah Code Title 78B (Judicial Code), Chapter 4 (Limitations on Liability), Part 7 (Cybersecurity Affirmative Defense Act) (effective 5/5/2021)

Nevada: State use of “reasonable security measures” to protect PII

  • Requires that state data collectors comply with the CIS Critical Security Controls or the NIST Cybersecurity Framework concerning the collection, dissemination, and maintenance of records containing personal information of a resident of Nevada.
  • Effective date: January 1, 2021.

S.B. 302, Chapter 412

Ohio: The Data Protection Act

  • Incentivizes voluntary adoption of cybersecurity best practices, including the CIS Critical Security Controls, by creating an affirmative defense against lawsuits resulting from a data breach.
  • Effective date: November 1, 2018.

Senate Bill 220, codified at O.R.C. §§ 1354.01-1354.05