The CIS Critical Security Controls (CIS Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks. The CIS Controls are a relatively short list of high-priority, highly effective defensive actions that provide a “must-do, do-first” starting point for every enterprise seeking to improve their cyber defense.
The CIS Controls were developed starting in 2008 by an international, grass-roots consortium bringing together companies, government agencies, institutions, and individuals from every part of the ecosystem (cyber analysts, vulnerability-finders, solution providers, users, consultants, policy-makers, executives, academia, auditors, etc.) who banded together to create, adopt, and support the CIS Controls. The expert volunteers who develop the Controls apply their first-hand experience to develop the most effective actions for cyber defense.
The CIS Controls are updated and reviewed through an informal community process. Practitioners from government, industry, and academia each bring deep technical understanding from across multiple viewpoints (e.g., vulnerability, threat, defensive technology, tool vendors, enterprise management) and pool their knowledge to identify the most effective technical security controls needed to stop the attacks they are observing.
Prioritization is a key benefit to the CIS Controls. They were designed to help organizations rapidly define the starting point for their defenses, direct their scarce resources on actions with immediate and high-value payoff, and then focus their attention and resources on additional risk issues that are unique to their business or mission.
There is no magic to the number 18. We’d like to tell you that deep analysis of all the data about attacks and intrusions tells us that just 18 Controls will give you an optimized trade-off between defense against attacks and cost-effective, manageable systems – but that would not be quite true, and is not even possible today.
We can tell you that a community of highly knowledgeable practitioners from across every sector and aspect of the business have agreed that these eighteen actions stop the vast majority of the attacks seen today, and provide the framework for automation and systems management that will serve cyber defense well into the future.
The CIS Controls are not a replacement for any existing regulatory, compliance, or authorization scheme. The CIS Controls map to most major compliance frameworks, such as the NIST Cybersecurity Framework, NIST 800-53, and the ISO 27000 series, and to regulations such as PCI DSS, HIPAA, NERC CIP, and FISMA. Mappings from the CIS Controls have been defined for these other frameworks to give a starting point for action.
The NIST Framework for Improving Critical Infrastructure Cybersecurity calls out the CIS Controls as one of the “informative references” – a way to help users implement the Framework using an existing, supported methodology. Survey data shows that most users of the NIST Cybersecurity Framework also use the CIS Controls.
The CIS Controls are a general set of recommended practices for securing a wide range of systems and devices, whereas CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices. The need for secure configurations is referenced throughout the CIS Controls. In fact, CIS Control 4 specifically recommends secure configurations for hardware and software on mobile devices, laptops, workstations, and servers.
Both the CIS Controls and the CIS Benchmarks are developed by communities of experts using a consensus-based approach. We have also integrated some of the CIS Controls into the CIS-CAT configuration assessment tool to show alignment between some of the CIS Controls and Benchmarks settings.
We have set up a sign-in process as part of the CIS Controls download in which we ask for some basic information about the downloader and offer the opportunity to sign up to be informed of developments on the CIS Controls. We use the information to better understand how the CIS Controls are being used and who is using them; this information is extremely helpful to us as we update the CIS Controls and develop associated documents like our guides.
Yes, the CIS Controls are free to use by anyone to improve their own cybersecurity. If you are using the CIS Controls as a vendor or consultant, or provide services in a related cybersecurity field, enroll in CIS SecureSuite Product Vendor or Consulting Membership or become an authorized Supporter to use the Controls in tools or services that benefit your customers.
The SANS Institute offers a number of classes on implementing the CIS Controls. See SANS for more information.
Questions can be sent to [email protected].
Released in 2020, the CIS Controls Assessment Specification (CAS) provides a common understanding of what should be measured in order to verify that CIS Safeguards are properly implemented. Those developing related tools can build the CAS into their tools, thus ensuring the CIS Controls are measured in a uniform way.
We have created the Critical Security Controls (CIS Controls) Open Security Controls Assessment Language (OSCAL) Repository in GitHub. The repository contains OSCAL serializations of the CIS Controls, and it will include a variety of OSCAL Catalogs for the main CIS Controls Version 8 document, Controls Assessment Specification, and mapping documents.
Download the available XML and JSON files: Community Files
The Center for Internet Security understands the importance of using policies to implement the CIS Critical Security Controls (CIS Controls). We also know how difficult it is to create a policy on your own, especially when you're working to establish essential cyber hygiene as a foundation using Implementation Group 1 (IG1). That's why we're excited to announce several new policy templates to help you enact IG1 in your enterprise!
Here's a resource to help you get started: 6 New Policy Templates to Help You Enact CIS Controls IG1
Want to see how the CIS Critical Security Controls fit into your broader security program? Use our CIS Critical Security Controls Navigator to explore how they map to other security standards, frameworks, and regulations.
CIS Controls Accreditation offers CIS SecureSuite Product Vendor, Consulting & Services, and Controls Members the ability to provide CIS Critical Security Controls implementation, auditing, and/or assessment with the assurance that they have met the consistent and rigorous standards of CREST certification. This program offers eligible Members a “stamp of approval” at the organization level, assuring their customers they are doing business with a reputable and reliable CIS Controls assessment organization.