State Laws and Other Endorsements of the CIS Controls

Adoption and Endorsements of the CIS Critical Security Controls

Selected adoption and endorsements of the CIS Critical Security Controls (CIS Controls) include:

CERT – Paraguay

NIST, “Framework for Improving Critical Infrastructure Cybersecurity,” Version 1.1, Apr 16, 2018.

  • Cites and maps to “CIS CSC” throughout Appendix A, Framework Core at 22-44. The “CIS CSC” is shorthand for the CIS Critical Security Controls, also referred to as the CIS Controls throughout this paper.

Verizon, “DBIR Data Breach Investigations Report,” 2024.

  • Recommends the CIS Controls and maps them to industry challenges and vulnerabilities.

U.S. Government Accountability Office, “Cybersecurity Program Audit Guide,” 2023.

  • Cites CIS Critical Security Controls as an additional source to use in conducting cybersecurity audits.

National Aerospace Standard, NAS9933, Critical Security Controls for Effective Capability in Cyber Defense, Nov. 29, 2018.

Federal Financial Institutions Examination Council, “FFIEC Encourages Standardized Approach to Assessing Cybersecurity Preparedness,” Aug. 28, 2019.

  • Recommends the Critical Security Controls as one of four specific tools. The FFIEC prescribes uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions.

Conference of State Bank Supervisors, “Cybersecurity 101, A Resource Guide for Bank Executives,” 2017.

  • Recommends use of the Critical Security Controls at 8, 12, 24.

FCC Notice of Proposed Rule Making, Dec 2022 – Jan 2023.

  • FCC proposes measures to protect the nation’s critical communications systems from cyber threats by adopting the CISA Cybersecurity Baseline or the CIS Controls. FCC NPRM, No. 22-82, Appendix B, Section E, paragraph 66, page 52.

FCC, Communications Security, Reliability and Interoperability Council, CSRIC IV, Working Group 3, “Emergency Alert System (EAS) Initial Security Subcommittee Report,” May 2014.

  • Recommends the CIS Controls (then known as the “SANS 20 Critical Security Controls”) as part of its recommended Network and Operational Controls.

FCC, Communications Security, Reliability and Interoperability Council, CSRIC III, Working Group 11, “Consensus Cyber Security Controls Final Report,” March 2013.

  • This report finds that the “user community within Working Group 11 would prefer for the FCC to encourage industry to use the 20 Controls because they believe that the 20 Controls will protect the network infrastructure directly. The user group also believes that the 20 Controls have been demonstrated to be effective in protecting critical infrastructure from attacks that are likely to come through the enterprise systems and therefore the 20 Controls should be used by the communications industry.” See page 8 of the report.

NIST, U.S. Resilience Project, “Best Practices in Cyber Supply Chain Risk Management.”

  • Boeing’s IS team stated that its “primary standard is the Critical Security Controls.” See page 4.

U.S. Department of Transportation, Federal Highway Administration, Transportation Management Center Information Technology Security, Final Report, Sep. 2019.

  • The Critical Security Controls are cited throughout as insight into basic practices that serve as a starting point or baseline for organizations with limited resources and cybersecurity expertise, as well as guidelines for Traffic Management Centers looking to increase their system maturity.

State of California, “California Data Breach Report,” Feb. 2016.

  • Then-Attorney General Kamala Harris’s report warns that failing to implement all relevant CIS Critical Security Controls in California “constitutes a lack of reasonable security.” The report effectively established a ground-breaking minimum level of information security.

Subsequent analysis cites the endorsement of the CIS Controls as reasonable security.

State of Colorado, Data Security Best Practices.

  • The Colorado Attorney General Data Security Best Practices guide states that: “While each entity’s data security needs and practices may differ, there are some common best practices that most, if not all, covered entities can implement.” The guide recommends the CIS Critical Security Controls as part of Step 2, the written information security policy on page 3.

World Economic Forum (WEF), White Paper, Global Agenda Council on Cybersecurity, World Economic Forum, Apr. 2016.

  • Listed CIS Controls as the first best practice on page 19, CIS cyber hygiene at Appendix A on page 26.

ENISA (European Union Agency for Network and Information Security), “Technical Guidelines for the implementation of minimum security measures for Digital Service Providers,” Dec. 2016.

  • This document cited the CIS Controls as a means for meeting EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS). See page 10 and mapping throughout.

ETSI (European Telecommunications Standards Institute).

  • ETSI transposed all of the CIS Critical Security Controls and Safeguards and their associated facilitation mechanisms into formal international specifications for global citation and normative use within the European Union. The CIS Controls were also designated as the means of implementing most of the provisions of both the original EU Network and Information Security (NIS) Directive and the recently adopted revised directive (NIS2).

  • ETSI TR 103 305-1: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 1: The Critical Security Controls”

  • ETSI TR 103 305-3: “CYBER; Critical Security Controls for Effective Cyber Defence; Part 3: Service Sector Implementations”

  • ETSI TR 103 305-4: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 4: Facilitation Mechanisms”

  • ETSI TR 103 305-5: “Cyber Security (CYBER); Critical Security Controls for Effective Cyber Defence; Part 5: Privacy and personal data protection enhancement”

  • ETSI TR 103 456: “CYBER; Implementation of the Network and Information Security (NIS) Directive”

  • ETSI TR 103 866: “Cyber Security (CYBER); Implementation of the Revised Network and Information Security (NIS2) Directive applying Critical Security Controls”

State Data Privacy Statutes

State Comprehensive Data Privacy Statutes

The following U.S. states have adopted comprehensive data privacy statutes. Comprehensive data privacy laws give consumers rights such as the right to access, correct inaccuracies in, delete, obtain a copy of, and opt out of the processing of their personal data held by entities not covered under sector-specific laws. They also impose requirements on the controller, such as reasonable protection of data and a reasonable purpose for processing it.

Kentucky: H. B. 15, Kentucky Consumer Data Protection Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

New Hampshire: S. B. 255, Consumer Expectation of Privacy

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

New Jersey: S. 332, An Act Concerning Commercial Internet Websites, Consumers, and Personally Identifiable Information

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Delaware: H. B. 154, Delaware Personal Data Privacy Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Oregon: S. B. 619, Relating to Protections for the Personal Data of Consumers

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Texas: H. B. 4, Texas Data Privacy and Security Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Florida: S. B. 262, Florida Digital Bill of Rights

  • Some do not consider this a comprehensive data privacy law because its scope is limited by its definition of “controller”; however, this act provides the same rights to consumers and responsibilities for controllers. For the act to apply, a controller must be a for-profit entity that generates more than $1 billion in annual revenue and either make at least 50% of that revenue from the sale of online advertisements, “[o]perate[] a consumer smart speaker and voice command component service with an integrated virtual assistant connected to a cloud computing service that uses hands-free verbal activation,” or operate an app store or similar platform with at least 250,000 apps. This act does not provide a private right of action.

Montana: S. B. 384, Consumer Data Privacy Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Tennessee: H. B. 1181, Tennessee Information Protection Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Indiana: S. B. 5, Consumer Data Protection

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Iowa: S. F. 262, Consumer Data Protection Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Connecticut: S. B. 6, An Act Concerning Personal Data Privacy and Online Monitoring

  • This is a comprehensive data privacy law.

Utah: S. B. 227, the Consumer Privacy Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Colorado: S. B. 21-190, Colorado Privacy Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

Virginia: Consumer Data Protection Act

  • This is a comprehensive data privacy law. This act does not provide a private right of action.

California: California Consumer Privacy Act as amended by the California Privacy Rights Act

  • This is a comprehensive data privacy law. The California Consumer Privacy Act provided many of the rights and requirements of a comprehensive data privacy law and was amended by the California Privacy Rights Act to become fully comprehensive with provisions such as the right to correct inaccuracies in collected personal data. This act does not provide a private right of action.

State Health Data Privacy Statutes

In addition to the state comprehensive data privacy statutes referenced above, the following states have passed data privacy laws that apply only to health data. These laws provide consumers with rights, and controllers with responsibilities, similar to those of the comprehensive data privacy laws, but they apply only to the health sector. They also prohibit controllers from selling health data and require them to obtain consent to collect it.

Connecticut: S. B. 3, An Act Concerning Online Privacy, Data and Safety Protections

  • Before this law came into effect, Connecticut already had a comprehensive data privacy law providing consumers with certain rights and imposing responsibilities on controllers with respect to health data. As such, this law only adds the provisions of a health data privacy law that are not already included in a comprehensive data privacy law, such as prohibiting controllers from selling health data and requiring them to obtain consent to collect data.

Nevada: S. B. 370, Health Data Privacy Law

  • This is a health data privacy law.

Washington: H. B. 1155, Washington My Health, My Data Act

  • This is a health data privacy law.