Episode 8: CIS Controls v8…First Impressions


CIS Controls v8…First Impressions

Part 2 of a 2-part series on the CIS Controls v8 update

In this edition of Cybersecurity Where You Are, host and CIS Senior Vice President and Chief Evangelist, Tony Sager welcomes guests Phyllis Lee, Senior Director of the CIS Controls, and CIS Controls Community Adopter and Volunteer, Rick Doten.

Picking up where Part 1 of the series left off, Lee highlights the guiding principles that helped the development of v8 start off strong:

  • Everything has to be measurable
  • Everything has to be achievable
  • CIS Controls v8 must have a peaceful coexistence with cybersecurity frameworks
  • The Controls need to be backed by data and able to defend against real-world threats


First Impressions Matter

The CIS Controls team and volunteers pretty much rewrote every word of v8 in an effort to modernize and consolidate the document. CIS Controls v8 is a lot more focused and less redundant than previous versions.

Find out what people are saying about:

  • Changes in the number of Controls…18 is the new 20!
  • Consolidated mappings
  • Infrastructure as code
  • Basic, Foundational, and Organizational Controls (the lack of these labels)
  • Move of Data Protection Control from 13 to 3
  • Implementation Groups (IGs)

Feedback: Request, Manage, Gather, & Use for the Greater Good

Organizations big and small rely on the CIS Controls to defend against the most prevalent cyber-attacks against systems and networks. And, they count on the Controls team to do the best job they can for the greater good of the cybersecurity community.

Feedback for updates to the Controls comes in many different forms; sometimes it comes in via outreach to state, local, tribal, and territorial (SLTT) entities, or through the Multi-State Information Sharing and Analysis Center (MS-ISAC). Partnerships play a big role in the gathering of feedback as is reflected through SANS, SAFECode, and Cloud Security Alliance’s (CSA) involvement in v8 of the CIS Controls. Changes in social conditions and changes in industry also prompt feedback.

Perhaps the biggest avenue of feedback comes in the form of Controls communities within CIS WorkBench. There, you’ll find volunteer communities around tooling such as the CIS Controls Self Assessment Tool (CIS CSAT), companion guides, mappings, and more. There are hundreds of IT security professionals in the CIS Controls communities. Creating and updating the guidance and security best practices of the CIS Controls requires a wide variety of skills such as expertise in risk, security, compliance, and technology.

The CIS Controls community was tasked with producing a document that is impactful, useful, and adds value to the cybersecurity community. Did the team accomplish the mission? Tune in to this episode to find out!

Episode Resources: