CIS CSAT Pro v1.7: CIS Controls v8 Assessment and More

The CIS Controls Self Assessment Tool (CIS CSAT) allows organizations to perform assessments on their implementation of the CIS Critical Security Controls (CIS Controls). You can track progress over time and identify areas for improvement. CIS CSAT Pro is the on-premises version of CSAT, and is available to CIS SecureSuite Members. This blog walks you through some of the new features that were added in the last three releases: v1.5, v1.6, and v1.7.

CIS Controls v8

Along with the release of CIS Controls v8 in May, CSAT Pro was updated to support assessments for Controls v8. When creating a new assessment, you can select between Controls v7.1 and v8 assessments. You can also import Controls v8 assessments that you’ve exported from CSAT. CIS Controls v8 assessments offer the same exports as other assessments – Board Level Slides and CSV spreadsheets of CIS Safeguards.

CIS Controls v8 Assessment in CSAT Pro

If your organization has started to move to CIS Controls v8 but hasn’t completed the transition, you’ll be glad to know CIS CSAT Pro offers multiple concurrent assessments. You can have both types of assessment open at the same time in each of your organizations/sub-organizations while you complete the transition. And remember, you can still scope v8 assessments by Implementation Group, or even down to the individual Safeguard level.CIS CSAT Pro also includes the CIS Controls v8 mappings to the NIST Cybersecurity Framework (CSF) v1.1 and to NIST 800-53 Revision 5. These mappings are available in the Safeguard View and can be expanded to provide more information by clicking on the mapping blocks:

Download the CIS Controls v8 mappings to these and other frameworks from CIS WorkBench.

Copy CIS CSAT Pro Assessments

Organization Admins can now make a full copy of an entire CIS CSAT Pro assessment using the Copy Assessment button on the Assessment Dashboard.  This includes all the scores, assignments, workflow status information, discussion comments, Safeguard history, Safeguard applicability, custom tags, and evidence files. The assessments are not linked after the copy – so changes to either the original or the copy are independent and will not affect the other assessment. The Copy Assessment functionality can be used in several ways:

  • An assessment can be closed at the end of an assessment period and a new assessment for the next assessment period can be started using the existing assessment’s data.
  • An assessment template can be created that is used to generate other assessments. For instance, an organization may want to assess against IG1 plus a few additional Safeguards, and minus a few other Safeguards. A template can be created with the desired Safeguards set to Applicable (set to Closed to lock it in an unscored state), and then the working assessments can be created as copies of that template assessment.

Bulk Actions on the Assessment Summary Page

Bulk actions are now available on the Assessment Summary page, allowing you to modify multiple Safeguards at once. On the left side of this page, there are checkboxes to select Safeguards, a drop down menu to select a bulk action, and a Bulk Edit button to perform the chosen action on the selected Safeguards. There are three bulk actions available:

  • Assign User – assigns a user and due date to the selected Safeguards
  • Toggle Applicability – sets the applicability of the selected Safeguards
  • Unassign User – removes the assigned user from the selected Safeguards

Export Filtered CSV

Another new addition to the Assessment Summary page is the Export Filtered CSV button. Using the existing filtering capability on this page, you can filter the assessment’s Safeguards based on your chosen criteria and then export a spreadsheet containing just that set of Safeguards.

Graph Descriptions

Descriptions for the graphs are now available from inside CIS CSAT Pro, by clicking on the blue information icon after the graph’s title:

These descriptions are available for the graphs on the Assessment Dashboard, as well as for the Assessment History graph on the Organization Info page.

Evidence File Updates

We’ve made a couple of improvements for evidence files. First, we’ve increased the maximum allowable size for evidence file uploads from 5MB to 15MB:

Second, we made sure that you can still download your uploaded evidence files even when the Safeguard is in the validated workflow state, marked as Not Applicable, or when the assessment containing the Safeguard is closed:

While you still won’t be able to upload additional evidence files or delete evidence files in those cases, you will still have access to those files that were already uploaded to the Safeguard.

Security, Performance, User Experience, and Bug Fixes

Additionally, we’ve made other changes to improve security, performance, user experience, and to fix bugs, including:

  • Important security updates including updating outdated third-party library dependencies
  • Performance improvements to decrease the time for certain long running actions
  • Installer updates including a warning if it appears you’re using the wrong version of Neo4j
  • Bug fix for the Implementation Group dropdown action so it only applies to the current assessment (see the Troubleshooting page for more details)
  • Bug fix to correct an issue with the Monthly Assessment Average graph that had prevented it from displaying in certain cases
  • Bug fix to correct the Implementation Group Average graph calculations

Check out the change log to see the full list of changes for this release and previous CIS CSAT Pro releases.  Blogs that walk through some of the features added in previous releases are also available:

Getting Started with CIS CSAT Pro v1.7.0

Interested in trying out the new version?  It’s available to CIS SecureSuite Members.  Join the CSAT Pro Community in CIS WorkBench, and download the appropriate installer for your environment (Windows or Unix).  If you’ve installed a previous version of CIS CSAT Pro, the installer will upgrade your existing installation.  If you’re new to CIS CSAT Pro, see the Deployment Guide to walk you through installation.