CIS Controls FAQ
Have a question not featured in the FAQ? Want to learn more about the CIS Controls? Contact the Center for Internet Security at firstname.lastname@example.org.
The Center for Internet Security CIS Critical Security Controls for Effective Cyber Defense (CIS Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a "must-do, do-first" starting point for every enterprise seeking to improve their cyber defense.
Prioritization is a key benefit of the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources to actions with an immediate and high-value payoff, and then focus their attention and resources on the additional risk issues that are unique to their business or mission.
The CIS Controls focus attention on the most important actions to monitor, and many of the Controls place a primary emphasis on automation and continuous assessment. Because the CIS Controls were derived from the most common attack patterns and vetted across a very broad community of government and industry, they serve as the basis for immediate, high-value action.
There is no magic to the number 20.
We’d like to tell you that deep analysis of all the data about attacks and intrusions tells us that just 20 Controls give you an optimized trade-off between defense against attacks and cost-effective, manageable systems, but that would not be quite true, and is not even possible today. We *can* tell you that a community of highly knowledgeable practitioners from every sector and aspect of the business have agreed that these twenty actions stop the vast majority of the attacks seen today, and provide the framework for automation and systems management that will serve cyber defense well into the future.
The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices. The CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices. The need for secure configurations is referenced throughout the CIS Controls. In fact, Critical Control #3 specifically recommends secure configurations for hardware and software on mobile devices, laptops, workstations, and servers. Both the CIS Controls and the Benchmarks are developed by communities of experts using a consensus-based approach.
The National Campaign for Cyber Hygiene was developed to provide a plain-language, accessible, and low-cost foundation for implementation of the CIS Controls. Although the CIS Controls already simplify the daunting challenges of cyber defense by creating community priorities and action, many enterprises are starting from a very basic level of security.
The Campaign is also designed to align with the first 5 of the CIS Critical Security Controls, the Australian Signals Directorate’s (ASD) “Top Four Strategies to Mitigate Targeted Intrusions,” and the DHS Continuous Diagnostics and Mitigation (CDM) Program. This provides a strong and defensible basis for the Campaign Priorities, a growth path for maturity beyond these basic actions, and the benefits of a large community of experts, users, and vendors. The National Campaign for Cyber Hygiene has been jointly adopted by the Center for Internet Security (home of the Multi-State Information Sharing and Analysis Center) and the National Governors Association Homeland Security Advisory Council (GHSAC) as a foundational cybersecurity program across many State, Local, Tribal, and Territorial governments.
The CIS Critical Security Controls are not a replacement for any existing regulatory, compliance, or authorization schemes. Instead, they bring priority and focus to a complex problem and provide a basis for rapid, large-scale community action.
NIST 800-53 is a "catalog of security controls," a very comprehensive and broadly applicable set of "management, operational, and technical safeguards or countermeasures." It is part of a comprehensive risk management framework for USG Agencies, which specifies a full life cycle of security categorization, design and implementation, assessment, authorization, and monitoring. NIST 800-53 is then the starting point from which an Agency selects the controls needed to manage the assessed risk to its information systems.
Although the CIS Controls have no official standing or relationship to the NIST 800-53 catalog (or other frameworks), the CIS Controls are in fact a proper subset of the controls listed in all of those frameworks. A number of enterprises that are either required to, or choose to, use NIST 800-53 as their controls catalog also use the CIS Controls as their baseline for both controls selection and implementation.
ISO 27001 is another broad security framework used widely in private industry. The Payment Card Industry Data Security Standard (PCI DSS) is another framework, one that focuses on the security of credit card payments, while HIPAA is targeted at the security requirements for electronic personal health information. All of these frameworks have many common elements and some security requirements that are unique to their particular focus.
What is the relationship between the Australian Signals Directorate "Top 35 Strategies to Mitigate Targeted Cyber Intrusions" and the CIS Controls?
The CIS Controls and the Australian Signals Directorate’s (ASD) "Top 4 Strategies to Mitigate Targeted Cyber Intrusions" map very closely to each other. This is not surprising, since the ASD is also part of the process that creates the CIS Controls. The ASD Strategies are based on ASD's direct experience finding and stopping attacks on Australian government agencies. They have done an excellent job of analyzing attacks in order to identify the most effective defenses, and have developed cost-effective techniques for implementation. One difference between the two approaches is that the Top 4 were developed for the operational IT environment of the Australian government, whereas the CIS Controls are more general.
The CIS Controls were developed by an international, grass-roots consortium that included a broad range of companies, government agencies, institutions, and individuals from every part of the ecosystem (threat responders and analysts, security technologists, vulnerability-finders, tool builders, solution providers, front-line defenders, users, consultants, policy-makers, executives, academia, auditors, etc.) who banded together to create, adopt, and support the CIS Controls.
In 2008 the Office of the Secretary of Defense asked the National Security Agency to help prioritize the many controls available, and began to take action with an 'offense must inform defense' approach.
While initially a project among government entities led by NSA, the effort expanded through a public-private consortium with the SANS Institute and the Center for Internet Security. The consortium soon expanded to include government entities from the United States and abroad, law enforcement agencies, security service providers, national laboratories, academic institutions, and others.
Later in 2008, the Center for Strategic and International Studies (CSIS) published the CIS Controls for the first time, based in part on the expertise gained through its convening of the Commission on Cybersecurity for the 44th Presidency.
The initial draft of the CIS Controls was shared with over 50 IT and security organizations for additional input in 2009. Since that time, the consortium has grown, and the CIS Controls are refined through active involvement of members.
The Center for Internet Security will continue the work of the consortium through stewardship of the CIS Controls. This includes the regular convening of experts to refine, update and validate the CIS Controls, as well as collaboration with public and private partners globally to promote their adoption and implementation.
The CIS Controls are updated and reviewed through an informal community process. Practitioners from governments, industry, and academia, each bring deep technical understanding from across multiple viewpoints (e.g., vulnerability, threat, defensive technology, tool vendors, enterprise management) and pool their knowledge to identify the most effective technical security controls needed to stop the attacks they are observing.
The SANS Institute is the founding member and strategic partner of the Council on CyberSecurity and has been involved with the CIS Controls since their inception, both as a contributor to the Controls and as an advocate. After the Consortium for Cybersecurity Action (CCA) was formed to take over development of the CIS Controls, SANS continued to provide sponsorship, including web hosting, editing, and advocacy.
In addition, The SANS Institute teaches classes on how to implement the CIS Controls, and sponsors commercial events to bring together practitioners.
The U.S. Department of State analyzed the 3,085 cyber attacks it experienced during fiscal year 2009 and found that the CIS Controls aligned remarkably well with the attacks actually observed.
Subsequent implementation of the CIS Controls by every system administrator across the 24 time zones in which the Department operates achieved an 88% reduction in vulnerability-based risk across 85,000 systems.
In December of 2011, the Centre for the Protection of National Infrastructure (CPNI) announced that the government of the United Kingdom would be adopting the CIS Critical Security Controls as the framework for securing their critical infrastructure.
In May of 2012, the NSA Director fully endorsed the adoption of the CIS Controls as a foundation for effective network security.
The Australian Department of Defence tested the Top 4 Controls against 1,700 types of known malware and found that implementing just the Top 4 Controls effectively stopped every one of the 1,700 malware types tested.
Consumers Energy, a Fortune 500 combined gas and electric utility, officially adopted the CIS Controls in June 2011. Consumers Energy started by using the CIS Controls as an assessment tool: a small team of cyber security and IT staff conducted an internal assessment covering the corporate IT environment in less than a week.
The CIS Critical Security Controls Champion program provides the following:
- Grants permission to use the CIS Controls for commercial purposes
- Provides a logo for individuals and companies to use as part of their marketing materials and on their websites, signifying they are a CIS Critical Security Controls Champion
- Offers participation in a semi-annual webcast by leading security experts on the CIS Controls and cyber hygiene.
- Opportunity to be listed on the CIS Champion’s Website
The CIS Controls are released under a Creative Commons Attribution-NonCommercial-NoDerivatives license, which requires everyone who uses the CIS Controls to attribute them to CIS and does not allow changes to the CIS Controls. It also does not allow commercial use of the CIS Controls without first asking permission.