Mapping and Compliance
Collaboration Enhances Cybersecurity Compliance
At CIS, we believe in collaboration – by working together, we find real solutions for real cybersecurity threats. Our cybersecurity best practices grow more integrated every day through discussions taking place in our international communities and in the development of CIS SecureSuite Membership resources.
CIS’s cybersecurity best practices and tools can assist organizations that are working towards compliance.
CIS Critical Security Controls (CIS Controls) – Prescriptive, prioritized, and simplified set of cybersecurity best practices. They are the definition of an effective cybersecurity program.
CIS Benchmarks – Consensus-developed secure configuration guidelines for hardening operating systems, servers, cloud environments, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families. The CIS Benchmarks provide mapping as applicable to the CIS Controls. As we release new and updated content we will map the CIS Benchmark recommendations to the latest version of the CIS Controls at the time of release.
CIS-CAT Pro – Combines the powerful security guidance of the CIS Controls and CIS Benchmarks into an assessment tool. Leveraging the CIS-CAT Pro Assessor and Dashboard components, users can view conformance to best practices and improve compliance scores over time.
Industry Frameworks Recognition
We are in a multi-framework era where organizations large and small, public and private, are tasked with complying with multiple cybersecurity policy, regulatory, and legal frameworks. From the organizational policies and workflows laid out in the CIS Controls to the most detailed configuration checks in a CIS Benchmark, our resources are developed to work well as stand-alone resources or as companions to additional frameworks. See how the CIS Controls map to popular industry frameworks with the CIS Controls Navigator.
Some of the world’s biggest retailers use resources included in CIS SecureSuite to help meet Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS Requirement 2.2 points directly to the CIS Benchmarks, for example:
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: Center for Internet Security (CIS); International Organization for Standardization (ISO); SysAdmin Audit Network Security (SANS) Institute; National Institute of Standards Technology (NIST).
The CIS Benchmarks and CIS Controls can help with multiple aspects of PCI DSS compliance, including:
- 1 Firewall and Router Configurations
- 6.1 Patch Management
- 6.4 Change Control
- 7.1 Access Control
NIST and FISMA
The National Institute of Standards and Technology (NIST) is a leading agency in technical compliance. The CIS Controls have been recognized by users as a robust on-ramp to meeting NIST cybersecurity standards within their organization.
The Federal Information Security Modernization Act (FISMA), which is a component of NIST, also points to CIS resources for cybersecurity compliance.
- The National Checklist Program Repository recommends the CIS Benchmarks to federal agencies and other organizations trying to meet FISMA.
- CIS-CAT Pro, our automated configuration assessment tool, has been validated by the NIST Security Content Automation Protocol (SCAP) to audit systems subject to FISMA requirements in the FDCC Scanner and Authenticated Configuration Scanner.
The Health Insurance Portability and Accountability Act (HIPAA) security rule establishes the baseline for protecting the security of patient information within the healthcare industry. The CIS Controls complement the HIPAA security rule and contain many of the same provisions. Since the CIS Controls and Sub-Controls are regularly updated based on real-world attack patterns, the CIS Controls can help healthcare organizations “round out” their cybersecurity program to address risks outside the HIPAA security rule. Additionally, the CIS Benchmarks can be used to securely configure workstations used to manage electronic protected health information. This means that CIS Controls, CIS Benchmarks, and HIPAA can work together to help improve cyber hygiene. The CIS Controls Implementation Group is defined as cyber hygiene.
The European Union (E.U.) Regulation 2016/679 GDPR (General Data Protection Regulation) was put into effect on May 25, 2018. Any organization which holds E.U. citizen data, regardless of its location, is responsible for following these new guidelines.
The International Organization for Standardization (ISO) provides independent, globally-recognized standards for securing technologies. ISO/IEC 27001 helps organizations defend against cyber threats and information security risks. Because the CIS Controls and CIS Benchmarks provide guidance addressing major cybersecurity needs such as asset classification, authentication methods and privileges, event logging, and encryption, they are also frequently used by organizations seeking ISO compliance. View a detailed mapping of the relationship between the CIS Controls and ISO 27001 below.
State Legislation Leveraging the CIS Controls
- Article, State Tech Magazine (March 3, 2021): https://statetechmagazine.com/article/2021/03/colorado-focuses-privileged-access-management-cybersecurity
Idaho Executive Order No. 2017-02
- The statute’s effective date was August 24, 2017, and the text is available at: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3806&ChapterID=17
- A short blog entry about the use of the CIS Controls is available at: https://ltcillinois.org/blog/achieving-soppa-compliance-with-reasonable-security-practices/
- Request for Proposal No. 200000002352 (September 25, 2020).
- Nevada Senate Bill 302 as signed by the Governor, Chapter 412: https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6534/Overview
Ohio Data Protection Act
- Senate Bill 220, codified at O.R.C. §§ 1354.01-1354.05: http://codes.ohio.gov/orc/1354
National Governor’s Association
Cybersecurity Resources Referencing CIS’s Best Practices
CIS resources are also referenced in various cybersecurity guides and programs. Below are a few independent cyber defense and resource guides which mention CIS resources:
- Verizon 2020 Data Breach Investigations Report
- DoD Cloud Computing Security Requirements Guide
- Version 1 Release 3 of the guide references CIS Benchmarks as an acceptable alternative to the STIGs and SRGs, Section 5.5.1.
- FFIEC Cybersecurity Resource Guide for Financial Institutions
- References the CIS Benchmarks and CIS-CAT Lite as assessment resources to assist in financial sector resilience.
- FFIEC is now referencing CIS Controls as a tool that financial institutions can use to assess their cybersecurity preparedness.
- Singapore’s Digital Media and Information Literacy Framework
- The Cybersecurity Maturity Model Certification (CMMC) is a certification process that helps organizations working with the DoD protect shared unclassified data. The CMMC points to the CIS Controls as a pathway to compliance by requiring the use of encrypted sessions for network devices and comprehensive off-site data backups.
- ETSI TR 103305-1, TR 103305-2, TR 103305-3, TR 103305-4, TR 103305-5
- The Republic of Paraguay