CIS CSAT: A Free Tool for Assessing Implementation of CIS Critical Security Controls

CIS-CSATThe CIS Critical Security Controls are a community-built set of prioritized cybersecurity guidance. They have been growing in popularity over the past 10 years. The CIS Controls are being used and developed by thousands of cybersecurity experts around the world. To help organizations with their adoption of the CIS Controls, CIS has developed a new web application.  This tool makes the powerful security guidance of the CIS Controls easier for teams to implement, track, and document.

ArrowIf you haven’t yet downloaded the CIS Controls, start here

Introducing CIS CSAT

The hosted version of our CIS Controls Self Assessment Tool, or CIS-Hosted CSAT, is a free web application that enables security leaders to track and prioritize their implementation of the CIS Controls. CIS CSAT’s questions are based off the popular Critical Security Manual Assessment Tool excel document and the platform was developed by our partners at EthicalHat. For each CIS Control and sub-control, CSAT helps organizations track its documentation, implementation, automation, and reporting.


Cybersecurity is a team sport

CIS CSAT is a self-assessment platform which allows teams to join and collaborate on questions related to the CIS Controls. With CIS CSAT, the first person to register from your organization will be designated the “Owner.” Owners can add additional team members to the platform, so you can work on an implementation of the CIS Controls together. Owners using CIS CSAT can also:

  • Delegate questions to other team members
  • Set deadlines for each CIS Control and sub-control
  • Collect documentation related to your findings
  • Capture team discussion about each assessment question

Reporting you can use

Data is most useful if you can access it – which is why we’ve made it easy to share reports from CIS CSAT. Leverage your results with automatic reporting features, historical tracking, and access to raw data formats. You’ll be able to export assessment charts and other results directly into PowerPoint, Excel, and PDF.


Assessment results from CIS CSAT can be exported per department or organizational unit, or you can take a more holistic view of the entire organization’s security. With cross-mappings to additional security frameworks like NIST SP800-53 and PCI DSS, you can also track your alignment between other best practices and the CIS Controls. This free tool, along with its on-premises counterpart (CIS CSAT Pro), also allows you to anonymously compare your results to the average of your industry or other peer groups to help drive the direction of your security program.

Want to learn more about how to strengthen your cyber defenses with CIS CSAT? Check out our video below.




Security for every organization

CIS CSAT is a free tool that can help organizations regardless of size or resources to improve their security posture. With multiple reporting formats, collaboration functionality, and cross-mappings, it’s a powerful place to start understanding and implementing the CIS Controls. We’re excited to give back to the community that has helped us foster and grow the CIS Controls. If there are any features you’d like to see, don’t hesitate to reach out to our CIS Controls team. For more information on CIS CSAT, please visit the CIS CSAT FAQ.