New CIS Critical Security Controls Mapping to the NIST CSF in a Standardized Data Format

In August 2019, a report was released by the National Institute of Standards and Technology (NIST). NIST Interagency Report 8204 is a Cybersecurity Framework Online Informative References (OLIR) Submissions document that lays out steps for comparing multiple frameworks. The aim of this initiative is to clarify cybersecurity standards. The NIST OLIR effort is working to develop a mutually intelligible lexicon. Think of it as Rosetta Stone for cybersecurity guidelines. The NIST OLIR effort is meant to ease the development and structure of other cybersecurity frameworks to map to the NIST Cybersecurity Framework (CSF). It can conceptually be used to map any set of standards together. At its core, the OLIR format provides a standard way to compare two sets of best practices.

Laying the groundwork for mapping

CIS acted as an early adopter of the NIST OLIR specification by providing a mapping of the CIS Critical Security Controls (CIS Controls) Version 7.1 to version 1.1 of the NIST CSF. NIST CSF provides a variety of references to other standards. The NIST OLIR specification allows the relationship between two separate elements to be described by authors in the Excel template provided by NIST. The specification also lays the foundation for automated control comparison.

Multiple mappings to cybersecurity standards

CIS provides mappings to multiple cybersecurity standards, such as NIST CSF and ISO 210071. Our CIS Controls team has created mappings to NIST SP 800-171 and NIST SP 800-53 . CIS has begun to leverage the types of relationships described by the NIST OLIR specification within our mappings to other security best practices. These mappings are available on our website and in CIS WorkBench, a site for cybersecurity professionals to network and collaborate. Community members work together to develop and map security best practices.

Interested in meeting your compliance obligations with the CIS Controls? Here’s a video with more information.



Flexibility for the future

CIS views the NIST OLIR specification as another way to support users of the CIS Controls. In May 2021, CIS Controls team launched the NIST CSF Mapping for CIS Controls v8. Cybersecurity professionals who leverage the CIS Controls may have unique missions or be concurrently subject to multiple security frameworks. Accordingly, providing mappings to the CSF in this format helps to ensure that the CIS Controls continue to be flexible and easy to use. The NIST OLIR specification is another tool in the information security tool belt to achieve that goal.