Election Security Spotlight – CIS Controls
What it is
The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a consensus-based community of cybersecurity experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. Within each of the 20 CIS Controls is a set of Sub-Controls focused on specific asset types and security functions. There are a total of 171 Sub-Controls. The CIS Controls fall into three categories:
- Basic - Contains controls that help an organization assess its current security and take simple steps to improve it.
- Foundational - Contains more advanced guidance to improve an organization's security.
- Organizational - Contains controls that make changes to an organization’s policies to improve and maintain their cybersecurity.
While these three categories provide a rough ordering of the best risk mitigations as an organization matures, resource limitations may make some of Sub-Controls in the Basic category infeasible for an organization. To address this CIS introduced the concept of Implementation Groups (IGs) into v7.1, which was released on April 4, 2019. IGs provide a simple and accessible way for an organization to prioritize implementation of the Sub-Controls for specific types of risk profiles and available resources. CIS also refers to IG1 as basic cyber hygiene.
There are three IGs, each building upon the previous one, that identify which Sub-Controls are reasonable for an organization to implement if, for instance, they hold critical or sensitive data. By following the IG methodology guide and IG classifications, an organization can narrow down the CIS Sub-Controls that are most prudent to their cyber defenses. This ensures that the CIS Controls are viable for organizations of all sizes and implemented in the most effective manner possible.
Why does it matter
The CIS Controls are an effective tool for prioritizing risk-based cybersecurity. They provide effective approaches to mitigating risk, in contrast to tools like the NIST Cybersecurity Framework (CSF), which focuses on assessing an organization’s risk posture without directly providing mitigations for those risks. The Controls are aligned to NIST (see the NIST CSF to CIS Controls mapping) and several other common cybersecurity frameworks to help organizations document their compliance with whichever larger framework they have adopted. The CIS resource, A Handbook for Elections Infrastructure Security, maps to the CIS Controls and can help election officials address the CIS Controls in an applied manner that considers the different ways elections infrastructure components are connected to each other and the internet. Election officials can use the 88 best practices as a vetted profile of the Controls to mitigate the risks and vulnerabilities to election infrastructure.
What you can do
Election officials should meet with their IT staff to review the CIS Controls and Implementation Groups to gain a better understanding and identify the risks and mitigations applicable to their organization. Implementation is a phased, step-by-step process that will take time and should be revisited regularly to address changes in the threat environment. CIS provides a number of tools to help organizations implement the Controls and assess their maturity. The Election Infrastructure Assessment Tool (EIAT), is a web-based platform geared towards the elections community that directly addresses the best practices outlined in A Handbook for Elections Infrastructure Security. Election officials can use the EIAT to identify opportunities to mitigate additional risk and prioritize next steps.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org.