Mapping and Compliance

Some of the world’s biggest retailers use resources included in CIS SecureSuite to help meet Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS Requirement 2.2 points directly to the CIS Benchmarks, for example:

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: Center for Internet Security (CIS) International Organization for Standardization (ISO) SysAdmin Audit Network Security (SANS) Institute National Institute of Standards Technology (NIST).

The CIS Benchmarks and CIS Controls can help with multiple aspects of PCI DSS compliance, including:

• 1 Firewall and Router Configurations
• 6.1 Patch Management
• 6.4 Change Control
• 7.1 Access Control

The National Institute of Standards and Technology (NIST) is a leading agency in technical compliance. The CIS Controls have been recognized by users as a robust on-ramp to meeting NIST cybersecurity standards within their organization.

CIS Controls V7.1 Mapping to NIST CSF

NIST OLIR Submission V1

NIST SP 800-53 R4 Low Baseline

NIST SP 800-171 r2

The Federal Information Security Modernization Act (FISMA), which is a component of NIST, also points to CIS resources for cybersecurity compliance.

• The National Checklist Program Repository recommends the CIS Benchmarks to federal agencies and other organizations trying to meet FISMA.
• CIS-CAT Pro, our automated configuration assessment tool, has been validated by the NIST Security Content Automation Protocol (SCAP) to audit systems subject to FISMA requirements in the FDCC Scanner and Authenticated Configuration Scanner.

See our SCAP validation

The Health Insurance Portability and Accountability Act (HIPAA) security rule establishes the baseline for protecting the security of patient information within the healthcare industry.The CIS Controls complement the HIPAA security rule and contain many of the same provisions. Since the CIS Controls and Sub-Controls are regularly updated based on real-world attack patterns, the CIS Controls can help healthcare organizations “round out” their cybersecurity program to address risks outside the HIPAA security rule. Additionally, the CIS Benchmarks can be used to securely configure workstations used to manage electronic protected health information. This means that CIS Controls, CIS Benchmarks, and HIPAA can work together to help improve cyber hygiene. The CIS Controls Implementation Group is defined as cyber hygiene.

Take a look at Implementation Group Methodology

The European Union (E.U.) Regulation 2016/679 GDPR (General Data Protection Regulation) was put into effect on May 25, 2018. Any organization which holds E.U. citizen data, regardless of its location, is responsible for following these new guidelines.

Learn how CIS can help with GDPR Compliance

The International Organization for Standardization (ISO) provides independent, globally-recognized standards for securing technologies. ISO/IEC 27001 helps organizations defend against cyber threats and information security risks. Because the CIS Controls and CIS Benchmarks provide guidance addressing major cybersecurity needs such as asset classification, authentication methods and privileges, event logging, and encryption, they are also frequently used by organizations seeking ISO compliance. View a detailed mapping of the relationship between the CIS Controls and ISO 27001 below.

CIS Controls and Sub-Controls Mapping to ISO 27001

First state to pass a law that incentivizes organizations to develop a strong data protection and cybersecurity program. The statute establishes legal protections for organizations that voluntarily adopt certain recognized cybersecurity best practices and implement a written information security program.

Kamala D. Harris, former California Attorney General, said: “The set of 20 Controls constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.” The California Data Breach Report, expressly warned that any organization that collects personally identifiable information and fails to implement all relevant Controls “constitutes a lack of reasonable security” (California Data Breach Report at Recommendation 1).

An existing Nevada statute relating to personal information collected by governmental agencies requires the state data collectors to implement and maintain “reasonable security measures” to protect such records (NRS 603A.210). A new Nevada statute requires that the state data collectors comply with the CIS Controls or the NIST Cybersecurity Framework, thus defining what constitutes reasonable security (Nevada Senate Bill 302, as signed by the Governor (Chapter 412)). The new law went into effect on January 1, 2021.

In 2017, Governor Butch Otter issued an executive order requiring all executive branch agencies to implement the first five Center for Internet Security Critical Security Controls for evaluation of existing state systems (Idaho Executive Order 2017-02).

Ohio Department of Administrative Services (DAS) Director Matt Damschroder said full implementation of six controls outlined by the Center for Internet Security will stop 85 percent of threats.

Connecticut became the third state to incentivize cybersecurity best practices for businesses. The bill, “An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses,” was introduced by Connecticut Representative Caroline Simmons. It prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the CIS Critical Security Controls. The bill becomes law on October 1, 2021.