The CIS Controls Self Assessment Tool (CIS CSAT) enables organizations to assess and track their implementation of the CIS Critical Security Controls (CIS Controls) – a prioritized set of consensus-developed security best practices used by enterprises around the world to defend against cyber threats. Download the CIS Controls.
CIS CSAT supports cross-departmental collaboration by enabling users to delegate questions to others, validate the responses, create sub-organizations, and more. At any point in the assessment, you can export your results into various formats. With CIS CSAT, you can create a new assessment, view historical assessments, and compare your results to an anonymized “peer group” within your industry.
There are two versions of CIS CSAT. The CIS-hosted CSAT is free to every organization for use in a non-commercial capacity. CIS CSAT Pro is an on-premises version that offers additional features and benefits and is only available to CIS SecureSuite Members.
CIS CSAT includes the CIS Controls mappings to several external frameworks, including NIST CSF and NIST SP 800-53. In addition, you can create your own unique tags for each Safeguard. Organizations can filter these tags, which enables them to manage all the complex moving pieces and stakeholders involved in a cybersecurity program.
When transitioning from CIS Controls v7.1 to v8, enterprises will need to perform new assessments. It is important to note that automated migration is not available due to the substantial differences between v7.1 and v8. We recognize that transitioning to CIS Controls v8 assessments for many enterprises may take time due to the significant changes and assessment cycles. We expect to maintain support for CIS Controls v7.1 in CIS CSAT for the time being as enterprises make their transition.
It’s quite common for enterprises not to be completely compliant with the recommendations found in the CIS Controls. This isn’t necessarily a bad thing. Some Safeguards may be unreasonable for your organization to deploy, or you may already have compensating controls put in place. To help accommodate these nuanced issues, you have the option to identify a Safeguard as “not applicable.” This means that non-compliance with the Safeguard doesn’t count against you. You may want to consider your first assessment as the starting point for your journey in implementing the CIS Controls.
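The tagging and "not applicable" handling described above, as an added Python example that is not part of CIS CSAT or its documentation: it models per-Safeguard results with user-defined tags, filters them by tag, and rolls up a score in which Safeguards marked not applicable are dropped from the denominator so they neither help nor hurt. The record layout, the sample results, the tag names and the scoring rule (full credit only for implemented Safeguards) are assumptions for illustration, not CIS's published score calculation.

```python
from dataclasses import dataclass, field

@dataclass
class SafeguardResult:
    """One assessed Safeguard. Layout is assumed for this example."""
    safeguard_id: str                        # e.g. "1.1" (Control.Safeguard numbering)
    status: str                              # implemented / partial / not_implemented / not_applicable
    tags: set = field(default_factory=set)   # user-defined tags, e.g. {"cloud", "owner:it"}

# Constructed sample results (hypothetical; not from any real assessment)
SAMPLE = [
    SafeguardResult("1.1", "implemented", {"asset-mgmt", "owner:it"}),
    SafeguardResult("1.2", "not_implemented", {"asset-mgmt", "owner:it"}),
    SafeguardResult("3.4", "not_applicable", {"data-protection", "cloud"}),
    SafeguardResult("3.10", "partial", {"data-protection", "cloud"}),
    SafeguardResult("10.1", "implemented", {"malware", "owner:secops"}),
]

def filter_by_tag(results, tag):
    """Return only the results that carry the given tag (stakeholder, platform, ...)."""
    return [r for r in results if tag in r.tags]

def coverage(results, exclude_not_applicable=True):
    """Fraction of scored Safeguards that are fully implemented.

    With exclude_not_applicable=True (the behaviour the FAQ describes), a Safeguard
    marked not_applicable leaves the denominator entirely, so non-compliance with it
    does not count against the organization. With False it is scored like any other
    unimplemented Safeguard, which shows the difference the flag makes.
    Scoring rule is an assumption for illustration only.
    """
    if exclude_not_applicable:
        scored = [r for r in results if r.status != "not_applicable"]
    else:
        scored = list(results)
    if not scored:
        return None          # nothing in scope to score
    done = sum(1 for r in scored if r.status == "implemented")
    return done / len(scored)

if __name__ == "__main__":
    print("overall, N/A excluded:", coverage(SAMPLE))
    print("overall, N/A counted :", coverage(SAMPLE, exclude_not_applicable=False))
    for tag in ("cloud", "owner:it"):
        subset = filter_by_tag(SAMPLE, tag)
        print(f"tag {tag!r}: {[r.safeguard_id for r in subset]} -> {coverage(subset)}")
```

Filtering first and scoring second is what makes a tag useful as a management view: the same records give an overall score, a per-owner score, or a per-platform score without re-entering anything, and the not-applicable exclusion applies consistently to every view.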
There are several potential next steps to take with your CIS CSAT results. Some ways to get started:
CIS CSAT results can also help prioritize your organization’s security investments. Watch your security posture grow by monitoring its progress through CIS CSAT and keep track of your progress implementing the CIS Controls over time.
Reach out to us anytime by submitting a support ticket at CIS Product Technical Support.
If you’re already a CIS SecureSuite Member, join the CIS CSAT Pro WorkBench community. You can download the appropriate CIS CSAT Pro installer (Microsoft Windows or Unix) from the Files section of that community.
If you’re not already a Member, sign up for CIS SecureSuite.
User documentation is available at CIS CSAT Document Library. This includes a Deployment Guide for installation/setup, a User Guide describing how to use CIS CSAT Pro, and a Changelog.
Blogs describing previous releases
A recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Introducing CIS Controls Self Assessment Tool (CSAT Pro). Please note that this recording describes v1.0.0.
CIS-hosted CSAT is based on the popular AuditScripts CIS Controls Manual Assessment Tool, which helps organizations document the implementation, automation, reporting, and formalization of the best practices found in the CIS Controls. CIS-hosted CSAT builds on this work, enabling organizations to collaborate on assessments and scale their tracking over time through an online platform.
Please register at https://csat.cisecurity.org/. You will still need to register for CIS-hosted CSAT even if you already have an account for CIS WorkBench. After registering, you can access and use CIS-hosted CSAT by visiting https://csat.cisecurity.org/.
The CIS-hosted CSAT platform is a generous contribution of intellectual property donated by EthicalHat. CIS now maintains it.
Assessment data is stored on our secured CIS infrastructure (AWS East Region) and will not be shared with any third parties. The data is encrypted and follows the recommendations outlined in the CIS Amazon Web Services Foundations Benchmark. Some of the data collected may be used to enhance the continuous development of the CIS Controls. We developed CIS CSAT to support the community that has helped create the CIS Controls, and to provide insight into some of the gaps that exist so that we can work together to improve everyone’s security posture. Our content is consensus-developed and community-driven, and we are truly indebted to the amazing volunteers who offer their time and expertise in our communities. The data from CIS CSAT will help improve the CIS Controls for the benefit of organizations everywhere.
If you prefer not to share your data with CIS, consider using CIS CSAT Pro instead. (See the CIS CSAT Pro section.)
When registering a new account, you should have received an email with the subject “Activate your account” from the email address [email protected]. Please check to see if the email was filtered by your spam tool. If someone has already registered your domain, the Primary Owner for that account will need to log in to the tool and approve your request to join. See How Does User Verification and Creation Work in CIS-hosted CSAT?
We’ve built our platform to help enable auditing and evidence collection associated with implementing the CIS Controls. As such, we allow organizations to either maintain one assessment and simply not validate the responses, or to create a new assessment by using the drop-down menu at the top right of the main Assessment Dashboard. There, you can start a blank assessment, create a new assessment using your current assessment data, or import a previously exported assessment. A user with the appropriate permissions can revert validated Safeguards if needed.
The data is encrypted both in transit and at rest.
Yes, we welcome your feedback in our public community on the CIS WorkBench platform. It’s free to join. Sign up and access the CIS CSAT Feedback Community.
Only CIS system administrators have access to the platform as a whole. Users only have access to their own records and to anonymized averages by industry.
Once a Safeguard task is assigned, you can update the assignee and date. Note that the assignee would also need to be validated before they are visible on the dropdown list.
Information on score calculations is available at: How are individual organization assessment and industry average scores calculated in CIS CSAT?
Information on the scoring categories is available at: How are CIS CSAT scoring categories defined?
Information on the user roles is available at: Users and Permission for CIS CSAT tool.
Yes, these other KB articles on CIS-hosted CSAT may be of interest:
Information about v1.3.0 is available at:
Yes, a recorded demo is available in the CIS WorkBench Support Center Webinars/Training section: Leveraging the CIS Controls Self Assessment Tool (CSAT). Please note that this recording took place prior to the release of v1.3.0.
This has been logged as a feature enhancement request for the CSAT tool. The current workaround would be to log out of the session.
Organizations can evaluate their likelihood of experiencing a ransomware attack and its potential impacts by using the CIS CSAT Ransomware Business Impact Analysis (BIA) tool. This utility has been created by CIS in partnership with Foresight Resilience Strategies (4RS). The BIA tool applies scores for ransomware-related Safeguards to estimate an enterprise’s likelihood of being affected by a ransomware attack; those who have already started an assessment using CIS-hosted CSAT can import the scores from that assessment. Get started assessing your ransomware risks today!