CIS Critical Security Controls Version 8 is Coming Spring 2021


We strive to keep the CIS Critical Security Controls (CIS Controls) relevant by updating them based on your feedback, evolving technology, and the ever-changing threat landscape. As we saw more organizations move towards cloud services and remote work, we felt it was time to revisit the CIS Controls and supporting Safeguards (which you knew as Sub-Controls in previous versions) to make sure our recommendations still provide an effective cyber defense. The result is CIS Controls Version 8. In CIS Controls v8 you will see updated recommendations for:

  • Cloud-based computing
  • Mobile environments
  • Changing attacker tactics

CIS Controls v8 combines and consolidates the Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards. The result is a decrease of Controls and Safeguards to 18 Controls (from 20) composed of 153 Safeguards (from 171).

Each Safeguard asks for “one thing,” wherever possible, in a way that is clear and requires minimal interpretation. Additionally, each Safeguard is focused on measurable actions, and defines the measurement as part of the process. We know that it’s important for enterprises to keep track of CIS Controls implementation. Towards this end, we will be updating the CIS Controls Self Assessment Tool (CSAT) to support v8. We also realize that many of you will still be on Controls v7.1 so we will support both versions to give you time to migrate to v8.

CIS Controls v8 will be released mid-May of 2021. Please keep coming back to get updates and more information on upcoming webinars, podcasts, and blogs about CIS Controls v8 and supporting tools.