CIS Critical Security Controls Self Assessment Tool (CSAT) Update v1.3.0

At CIS, we believe in cultivating a trusted and collaborative environment for information sharing. Through our Community, we develop industry-leading tools and resources to enhance the cyber defense programs of organizations in every industry.

The CIS Critical Security Controls are a prescriptive, prioritized, and simplified set of best practices that define an effective cybersecurity program. Implementing the CIS Controls is a team effort, which is why we worked with our partners at EthicalHat to develop the CIS Controls Self Assessment Tool, or CIS CSAT. This tool was released last year. Now, in v1.3.0, we’ve released new features based on community feedback.

Using CIS CSAT to Track Your Cyber Defense Program

The CIS Controls Self Assessment Tool (CSAT) is a companion tool that helps IT security teams track their implementation of every CIS Control and Sub-Control. Organizations can collaborate across teams with a built-in workflow to answer a set of questions based on the selected Implementation Group. These answers are used to generate an overall score that shows how well an organization has implemented the CIS Controls. This web-based application enables users to track documentation, implementation, automation, and reporting. CIS CSAT can create a report at any point during an assessment to show the progress an organization has made.

CIS Community Involvement Drives the Development Process

By listening to the experiences of our community members and adopting their feedback, we are able to continuously grow and improve our resources. We gathered feedback from the CIS CSAT Feedback Community to determine which changes were most important to users as we created the new CIS Controls Self Assessment Tool v1.3.0 update.

This release includes new features to make the tool easier to use, as well as some bug fixes.

CIS CSAT v1.3.0 Updates

  1. Import Previous Results – In addition to being able to start fresh with a blank assessment, you can also start a new assessment using a copy of your data from your current assessment, or you can import data from a previous assessment (either one stored in your Assessment History, or from a spreadsheet that you previously exported from CIS CSAT).
  2. Name/Rename Assessments – Keep better track of your current and previous assessments with the ability to name and rename them.
  3. New Functionality on the All Controls page – The All Controls page has been overhauled with some great new features including bulk CIS Sub-Control Assignment, Unassignment, and Applicability Changes. This time-saving new feature allows you to select multiple CIS Sub-Controls and assign/unassign them or mark them applicable/not applicable all at once. Additionally, the All Controls page now allows you to update scores for individual CIS Sub-Controls.
  4. Ability to Unassign (rather than reassign) Sub-Controls – CIS Sub-Controls that are currently assigned to a user can now be unassigned.
  5. New Notes Field – There is a new Notes feature for each CIS Sub-Control in which the text can be edited by multiple members of the team.
  6. Allow Organizations to Add Users with Other Email Domains – An organization’s Primary Owner can now add users to the organization who have an email domain that differs from the organization’s domain.
  7. Display Number of Organizations Used to Generate the Industry Average – Overall industry averages and Control-level industry averages now display the number of organizations used to generate that average both in the tool and on related charts in the Board Level Slides.
  8. Resend Validation Email – Users can now send a reminder email to the validator of a task that is pending validation, similar to the existing ability to remind an assigned user to complete a task.
  9. “Controls 1 – 5” Updated to “Controls 1 – 6” – The label and scoring calculation on the Controls 1 – 5 Implemented bar in the Maturity Level Average Scores Chart on the Assessment Dashboard have been updated to reflect the Implementation Score for CIS Controls 1 – 6 instead.
  10. CIS Sub-Control Number Displayed in the Control View – CIS Sub-Control numbers can now be viewed to the left of each CIS Sub-Control title in the Control view.
  11. CIS Sub-Control Titles and Descriptions Updated – The CIS Sub-Control titles and descriptions have been updated to reflect the CIS Controls V7.1 wordings.

Bug Fixes

  • PDF Report Generation – The Control Status Report (PDF) link in the Reports menu now successfully generates and downloads the PDF report.
  • Dashboard Maturity Index Mismatch – The Maturity Index tables at the bottom of the Assessment Dashboard page now report the correct number of CIS Sub-Controls for each of the maturity indexes, and the numbers link to the properly filtered list.
  • Uploaded File Access – Uploaded files (policy/evidence documents, organization logos, and user profile pictures) can now be successfully accessed after uploading.
  • Uploaded File Size Increased – The allowable file upload size is now 5MB rather than 1MB.