How to Build Cybersecurity Compliance with Free CIS Resources

There are a multitude of standards, tools, and resources available on the market today. Such a variety can make cybersecurity compliance seem overwhelming.

But it doesn't have to be. Enterprises can use best practices to build a cybersecurity compliance plan that works for them. To discuss how, we sat down with Adam Montville, Chief Product Architect of the Security Best Practices team at the Center for Internet Security (CIS).

How do I find legitimate vendors?

If any vendor tells you that using their tool guarantees compliance with a given regime, consider them suspect. When you speak with a vendor, ask them to explain how their products’ capabilities support a larger information security program.

For example, a tool might contribute to cybersecurity asset management by integrating with a configuration management database (CMDB). However, it doesn’t provide total compliance unless there is 100% conformance to certain Safeguards in the CIS Critical Security Controls (CIS Controls) v8, particularly those of CIS Control 1 and CIS Control 2. Another tool might automatically assess endpoints against an enterprise-standard configuration. But it’s important to ensure endpoints are being tested against a robust standard such as a consensus-developed CIS Benchmark.

Which free CIS resources can help me build a cybersecurity compliance plan?

CIS offers multiple resources at no cost to help organizations get started with a compliance plan and improve their cybersecurity posture:

  • The CIS Controls provide prioritized security guidance to help defend against common cyber threats
  • The CIS Risk Assessment Method (CIS RAM) helps businesses organize the CIS Controls and Safeguards based on a customized assessment of risk
  • Track implementation of the CIS Controls in our self-assessment tool, CIS-hosted CSAT
  • The CIS Benchmarks  provide specific configuration guidelines for securing more than 100 technologies including servers, operating systems, and software

All of these resources are the result of a community-driven, consensus-based process facilitated by CIS. Through it, cybersecurity specialists and subject matter experts volunteer their time to ensure these resources are robust and secure.

How do these resources map to each other?

As part of the CIS Benchmark development process, each recommendation is reviewed for applicability to the CIS Controls. CIS Benchmark guidelines may be mapped to one or more:

  • Top-level CIS Controls (such as CIS Control 18)
  • Specific Safeguards (such as CIS Safeguard 3.3)

The mapping doesn’t guarantee that your security program is compliant with the CIS Controls, but it does supply organizations with the supporting evidence they need to bolster their CIS Controls conformance.

CIS RAM maps each question in the Risk Assessment Method to a specific CIS Control or Safeguard. It helps organizations put the CIS Controls into action in a customized, risk-informed way.

Our resources are also referenced by PCI DSS, NIST CSF, and other compliance frameworks.

View Mappings and Compliance

With so many risk management methods out there, what makes CIS RAM different?

The three principles and 10 practices of CIS RAM lend themselves to supporting the legal concept of duty of care. In fact, CIS RAM is the first risk assessment method to provide very specific instructions for analyzing information security risk in a way that regulators define as “reasonable” and that court cases in the United States have deemed to be “due care.”

By implementing CIS RAM, organizations will follow a method that takes into consideration legal ramifications of risk management, as interpreted by courts of law in the United States. CIS RAM highlights the balance between the harm a security incident might cause and the burden of safeguards – the foundation of “reasonableness.”

Is achieving the “spirit of compliance” enough?

It’s hard to say. In our experience, some auditors are more concerned with following the letter of whatever framework they work with (such as PCI DSS, NIST CSF, or HIPAA) than with the spirit of that framework.

Our best advice? Document your method. For example, if the CIS Controls are your security roadmap, use CIS RAM as your risk assessment method. CIS RAM will help you determine which CIS Controls make business sense and then prioritize accordingly. In this example, the CIS Controls plus CIS RAM would help you document (and demonstrate) due care.

Compliance is a journey

Achieving full compliance to any cybersecurity standard is a challenge, but it’s a goal well worth striving for. With free, consensus-developed resources, CIS helps make the challenge a little easier.

Adam Montville

Chief Product Architect, Center for Internet Security (CIS)



Adam Montville is Chief Architect for Security Best Practices at CIS, where he helps lead a diverse team responsible for developing products and services supporting information security best practices and automation. Adam brings more than two decades of information security experience to his team, and actively participates in several standards organizations, including the Internet Engineering Task Force, OASIS, and the Center for Threat-Informed Defense. He also serves as a member of the Project Governing Board for the Open Cybersecurity Alliance. Adam began his career in the Information Security Laboratory of Oregon State University, his alma mater, working on cryptographic primitives and algorithms. He has held a variety of technical and executive-level IT and security positions in both the public and private sectors, including the Department of Defense.