CIS Controls Assessment Specification

The CIS Critical Security Controls (CIS Controls) are a set of security best practices that can be used to strengthen an enterprise’s cybersecurity posture. During implementation of the CIS Controls, it’s important that enterprises have the means to appropriately measure the implementation of each Safeguard.

As a result, CIS provides the CIS Controls Assessment Specification that provides those measures and metrics for each Safeguard to verify that implementation has been done correctly. While this can be used by any Controls adopter, tool vendors can greatly benefit from the information within this tool to then build these data points into their own tooling so that CIS Controls can be measured uniformly.

Methodology

The CIS Controls are designed to help enterprises establish a robust foundation for their cybersecurity program. Since the CIS Controls cover a wide array of areas across many different asset types, measuring their implementation can be a complex task.

There are two distinctions to make while implementing Safeguards from the CIS Controls. One way of measurement is to determine solely whether the Safeguard has been implemented or not, while the other is to determine how well the Safeguard is implemented. The Controls Assessment Specification focuses on determining whether or not a Safeguard has been implemented. For enterprises looking to measure how well a Safeguard has been implemented, the CIS Controls Self Assessment Tool (CSAT) can assist in this area. Both are important aspects of implementation for enterprises, just with a different way of measuring.

Additionally, it is important to note that the Controls Assessment Specification places a focus on what to measure and not how to measure. For example, details for a specific configuration setting are not specified in the Controls Assessment Specification, since each technology is different and there is no single way to identify those configuration settings across the various technology platforms. The goal is to be generic enough to accommodate those variations while still providing the ability to measure. For specific configuration settings, refer to the CIS Benchmarks, which are secure configuration recommendations for more than 25 vendor product families.

  • Controls Assessment Specification for Controls v8.1
  • Controls Assessment Specification for Controls v8
  • Controls Assessment Specification for Controls v7

Structure of a Safeguard Measurement

The Controls Assessment Specification is structured in a way that includes some standard elements for each Safeguard, including:

  • CIS Safeguard – Information such as the Safeguard title, description, asset type, security function, and Implementation Group (IG).
  • Assumptions – Where applicable, something that is accepted as true/understood prior to measuring the Safeguard.
  • Inputs – Data that is needed to measure the Safeguard.
  • Operations – The actions that need to be taken on the Inputs to generate a Safeguard’s measurement. The Operations link the Inputs to the Measures.
  • Measures – The information that needs to be measured after performing the Operations on the Inputs. These Measures, when combined, form Metrics.
  • Metrics – A calculation/formula over the provided Measures, together with a description of what the Metric being measured represents.
  • Procedure Review – Where applicable, the manual review of a procedure that may need to occur in fulfilment of a Safeguard.
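To make the Inputs, Operations, Measures and Metrics elements concrete, here is an added example in Python (not CIS's own code or tooling) that runs one measurement end to end. The Safeguard it measures is hypothetical ("every enterprise asset in the inventory has a designated owner"), and the asset inventory is constructed sample data; the point is how each element feeds the next, not the particular check.

```python
"""Added example: a minimal Safeguard measurement pipeline mirroring the
Inputs -> Operations -> Measures -> Metrics structure. The Safeguard and the
inventory below are hypothetical, constructed for illustration only."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Asset:
    hostname: str
    asset_type: str
    owner: Optional[str]


# Input I1: the enterprise asset inventory (constructed sample data).
INVENTORY: List[Asset] = [
    Asset("ws-001", "end-user device", "alice"),
    Asset("ws-002", "end-user device", None),        # no owner recorded
    Asset("srv-db-01", "server", "dba-team"),
    Asset("srv-web-01", "server", ""),                # blank owner field
    Asset("iot-cam-7", "IoT device", "facilities"),
]


def operation_partition_by_owner(inventory: List[Asset]) -> Tuple[List[Asset], List[Asset]]:
    """Operation 1: split Input I1 into assets with a non-blank owner and assets without."""
    owned = [a for a in inventory if a.owner is not None and a.owner.strip()]
    unowned = [a for a in inventory if a not in owned]
    return owned, unowned


def measures(inventory: List[Asset]) -> dict:
    """Measures taken after Operation 1:
    M1 = total inventoried assets, M2 = assets with an owner, M3 = assets without."""
    owned, unowned = operation_partition_by_owner(inventory)
    return {"M1": len(inventory), "M2": len(owned), "M3": len(unowned)}


def metric_owner_coverage(m: dict) -> Optional[float]:
    """Metric: M2 / M1, the fraction of inventoried assets with a designated owner.
    An empty inventory yields no metric (None) rather than a misleading 0 or 1."""
    return m["M2"] / m["M1"] if m["M1"] else None


def assess(inventory: List[Asset], threshold: float = 1.0) -> dict:
    """Combine the elements into one assessment result. `threshold` is an assumed
    pass criterion (here: every asset must have an owner) and is not a CIS value."""
    m = measures(inventory)
    coverage = metric_owner_coverage(m)
    _, unowned = operation_partition_by_owner(inventory)
    return {
        "measures": m,
        "metric": coverage,
        "implemented": coverage is not None and coverage >= threshold,
        "unowned": [a.hostname for a in unowned],   # evidence for remediation
    }


if __name__ == "__main__":
    print(assess(INVENTORY))
```

The Operation is the only place where the check itself lives; swapping in a different Input (say, a list of accounts or configurations) and a different Operation leaves the Measures and Metric shape untouched, which is what lets different tools report the same Safeguard uniformly.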


Need Support?

Email us with any questions you might have at [email protected].