Mapping and Compliance

Some of the world’s biggest retailers use resources included in CIS SecureSuite to help meet Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS Requirement 2.2 points directly to the CIS Benchmarks, for example:

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to: Center for Internet Security (CIS) International Organization for Standardization (ISO) SysAdmin Audit Network Security (SANS) Institute National Institute of Standards Technology (NIST).

The CIS Benchmarks and CIS Controls can help with multiple aspects of PCI DSS compliance, including:

• 1 Firewall and Router Configurations
• 6.1 Patch Management
• 6.4 Change Control
• 7.1 Access Control

The National Institute of Standards and Technology (NIST) is a leading agency in technical compliance. The CIS Controls have been recognized by users as a robust on-ramp to meeting NIST cybersecurity standards within their organization.

CIS Controls V7.1 Mapping to NIST CSF

NIST OLIR Submission V1

NIST SP 800-53 R4 Low Baseline

NIST SP 800-171 r2

The Federal Information Security Modernization Act (FISMA), which is a component of NIST, also points to CIS resources for cybersecurity compliance.

• The National Checklist Program Repository recommends the CIS Benchmarks to federal agencies and other organizations trying to meet FISMA.
• CIS-CAT Pro, our automated configuration assessment tool, has been validated by the NIST Security Content Automation Protocol (SCAP) to audit systems subject to FISMA requirements in the FDCC Scanner and Authenticated Configuration Scanner.

The Health Insurance Portability and Accountability Act (HIPAA) security rule establishes the baseline for protecting the security of patient information within the healthcare industry.The CIS Controls complement the HIPAA security rule and contain many of the same provisions. Since the CIS Controls and Sub-Controls are regularly updated based on real-world attack patterns, the CIS Controls can help healthcare organizations “round out” their cybersecurity program to address risks outside the HIPAA security rule. Additionally, the CIS Benchmarks can be used to securely configure workstations used to manage electronic protected health information. This means that CIS Controls, CIS Benchmarks, and HIPAA can work together to help improve cyber hygiene. The CIS Controls Implementation Group is defined as cyber hygiene.

The European Union (E.U.) Regulation 2016/679 GDPR (General Data Protection Regulation) was put into effect on May 25, 2018. Any organization which holds E.U. citizen data, regardless of its location, is responsible for following these new guidelines.

The International Organization for Standardization (ISO) provides independent, globally-recognized standards for securing technologies. ISO/IEC 27001 helps organizations defend against cyber threats and information security risks. Because the CIS Controls and CIS Benchmarks provide guidance addressing major cybersecurity needs such as asset classification, authentication methods and privileges, event logging, and encryption, they are also frequently used by organizations seeking ISO compliance. View a detailed mapping of the relationship between the CIS Controls and ISO 27001 below.

Critical Security Controls for Effective Capability in Cyber Defense, Nov. 29, 2018. Based on the CIS Controls.

• Report: https://global.ihs.com/images/SUPPLEMENTAL_DOCUMENTS/21/AIA-NAS9933_overview.pdf

The California Data Breach Report published by the California Attorney General in 2016 concluded that the CIS Critical Security Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet.” The report warns that failing to implement all relevant Controls "constitutes a lack of reasonable security.” (California Data Breach Report at Recommendation 1.)

• Report: https://oag.ca.gov/sites/all/files/agweb/pdfs/dbr/2016-data-breach-report.pdf

Colorado’s cybersecurity team also follows the 20 CIS Controls & Resources as a framework for the state’s security program, as well as NIST SP 800-53, a National Institute of Standards and Technology document which serves as the basis for the agency’s policies. The 20 CIS Controls & Resources “are a good way to operationalize the NIST cybersecurity framework, which is how many states, including Colorado, are explaining their programs and Wyatt, of Deloitte, agrees. “When talking to legislators and asking for budget, you need a cybersecurity roadmap, and it’s helpful to have a straightforward way to explain what you’re going to do, like CIS 20,” he says. “Colorado has done this successfully. Ongoing communication with key stakeholders makes it twice as likely an agency will get security funding. You’re not just talking to the legislature when something bad happens.”

• Article, State Tech Magazine (March 3, 2021): https://statetechmagazine.com/article/2021/03/colorado-focuses-privileged-access-management-cybersecurity

"Cybersecurity 101, A Resource Guide for Bank Executives,” 2017. Recommends use of the Critical Security Controls at 8, 12, 24.

• Report: https://www.csbs.org/sites/default/files/2017-11/CSBS%20Cybersecurity%20101%20Resource%20Guide%20FINAL.pdf

"Cybersecurity 101, A Resource Guide for Bank Executives,” 2017. Recommends use of the Critical Security Controls at 8, 12, 24.

• Report: https://www.csbs.org/sites/default/files/2017-11/CSBS%20Cybersecurity%20101%20Resource%20Guide%20FINAL.pdf

In 2017, Governor Butch Otter issued an executive order requiring all executive branch agencies to implement the first five Center for Internet Security Critical Security Controls for evaluation of existing state systems.

• Idaho Executive Order 2017-02

House File 553, “An Act Relating to Affirmative Defenses for Entities Using Cybersecurity Programs,” provides that any “covered entity that satisfies all requirements...is entitled to an affirmative defense to any” tort lawsuit brought against the organization for a cyber breach. The new law states that a cybersecurity program must conform to an industry-recognized cybersecurity framework such as the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, NIST SP 800-53 and 800-53a, FedRAMP, ISO 27000, and the CIS Controls.

• Statute: https://www.legis.iowa.gov/legislation/BillBook?ga=90&ba=HF553

In 2017, Illinois passed a privacy law, the Student Online Personal Protection Act (SOPPA). The Illinois K12 technology staff are looking to Implementation Group 1 as a framework to comply with the “reasonable security” required by the law.

• The statute’s effective date was August 24, 2017, and the text is available at: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3806&ChapterID=17
• A short blog entry about the use of the CIS Controls is available at: https://ltcillinois.org/blog/achieving-soppa-compliance-with-reasonable-security-practices/

The State of Michigan issued a request for proposals to “deliver comprehensive security awareness and training to various local government entities using the industry recognized Center for Internet Security (CIS) Top 20 Security Controls.” Target audience will include counties in the Detroit Southeastern UASI Region (6 Counties) as well as select counties throughout Michigan.”

• Request for Proposal No. 200000002352 (September 25, 2020).

Ohio Department of Administrative Services (DAS) Director Matt Damschroder said full implementation of six controls outlined by the Center for Internet Security will stop 85 percent of threats.

An existing Nevada statute relating to personal information collected by governmental agencies requires the state data collectors to implement and maintain "reasonable security measures" to protect such records. (NRS 603A.210.) A new Nevada statute, which became effective on January 1, 2021, requires that the state data collectors comply with the CIS Critical Security Controls or the NIST Cybersecurity Framework, thus defining what constitutes reasonable security for the state as a PII collector.

• Nevada Senate Bill 302 as signed by the Governor, Chapter 412: https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6534/Overview

In 2018, the Ohio Data Protection Act became the nation’s first law that incentivizes organizations to develop a strong data protection and cybersecurity program. The statute establishes legal protections for organizations that voluntarily adopt certain recognized cybersecurity best practices (e.g., NIST CSF & the CIS Critical Security Controls) and implement a written information security program.

• Senate Bill 220, codified at O.R.C. §§ 1354.01-1354.05: http://codes.ohio.gov/orc/1354

The Oregon Secretary of State, Audit Division, performed a cybersecurity controls audit of the Oregon State Police in May, 2020, using the CIS Controls as its audit standard. “The Audits Division conducts cybersecurity audits to evaluate IT security risks and provide a high-level view of an agency’s current state. We chose to use the Center for Internet Security’s CIS Controls, version 7.1. The CIS Controls are a prioritized list of 20 high-priority defensive actions that provide a starting point for enterprises to improve cyber defense. The controls are divided into three categories: basic, foundational, and organizational. This review includes the first six, the basic controls, which the Center for Internet Security, along with other security practitioners, defined as key controls that every organization should implement for essential cyber defense readiness.”

• Report: https://sos.oregon.gov/audits/Documents/2020-17.pdf

Federal Highway Administration, Transportation Management Center Information Technology Security, Final Report, Sep. 2019. Critical Security Controls cited throughout as insight into basic practices that serve as a starting point or baseline for organizations with limited resources and cybersecurity expertise, as well as guidelines for Traffic Management Centers looking to increase their system maturity.

• Report: https://ops.fhwa.dot.gov/publications/fhwahop19059/fhwahop19059.pdf

The Utah Cybersecurity Affirmative Defense Act similarly incentivizes the voluntary adoption of cyber best practices by creating affirmative defenses to certain lawsuits stemming from a security breach. Specifically, the Act provides that a person or organization that “creates, maintains, and reasonably complies with a written cybersecurity program meeting certain requirements, and which is in place at the time of a breach of system security, has an affirmative defense to a claim brought under the laws of Utah alleging that the person failed to implement reasonable information security controls that resulted in the breach of system security.”

• Statute: https://le.utah.gov/~2021/bills/static/HB0080.html

CIS resources are also referenced in various cybersecurity guides and programs. Below are a few independent cyber defense and resource guides which mention CIS resources:

• Verizon Data Breach Investigations Report Key Findings & Actionable Takeaways
• DoD Cloud Computing Security Requirements Guide
  • Version 1 Release 3 of the guide references CIS Benchmarks as an acceptable alternative to the STIGs and SRGs, Section 5.5.1.
• ENISA (European Union Agency for Network and Information Security), "Technical Guidelines for the implementation of minimum security measures for Digital Service Providers,” Dec. 2016. Cited the CIS Controls as a means for meeting EU Directive 2016/1148 concerning measures for a high common level of security of network and information systems across the Union (NIS). See page 10 and mapping throughout. https://www.enisa.europa.eu/publications/minimum-security-measures-for-digital-service-providers/at_download/fullReport
• FCC, Communications Security, Reliability and Interoperability Council, CISRIC III, Working Group 11, “Consensus Cyber Security Controls Final Report,” March 2013. Finds that the “user community within Working Group 11 would prefer for the FCC to encourage industry to use the 20 Controls because they believe that the 20 Controls will protect the network infrastructure directly. The user group also believes that the 20 Controls have been demonstrated to be effective in protecting critical infrastructure from attacks that are likely to come through the enterprise systems and therefore the 20 Controls should be used by the communications industry.” Report at 8. https://transition.fcc.gov/bureaus/pshs/advisory/csric3/CSRIC_III_WG11_Report_March_%202013Final.pdf
• FFIEC Cybersecurity Resource Guide for Financial Institutions
  • References the CIS Benchmarks and CIS-CAT Lite as assessment resources to assist in financial sector resilience.
  • FFIEC is now referencing CIS Controls as a tool that financial institutions can use to assess their cybersecurity preparedness.
• NIST, “Framework for Improving Critical Infrastructure Cybersecurity Framework,” Version 1.1, Apr 16, 2018. Cites and maps to "CIS CSC" throughout Appendix A, Framework Core at 22-44. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
• NIST, U.S. Resilience Project, “Best Practices in Cyber Supply Chain Risk Management.” Boeing’s IS team stated that its “primary standard is the Critical Security Controls.” See at 4. https://www.nist.gov/system/files/documents/itl/csd/NIST_USRP-Boeing-Exostar-Case-Study.pdf
• Singapore’s Digital Media and Information Literacy Framework
• The Cybersecurity Maturity Model Certification (CMMC) is a certification process that helps organizations working with the DoD protect shared unclassified data. The CMMC points to the CIS Controls as a pathway to compliance by requiring the use of encrypted sessions for network devices and comprehensive off-site data backups
• ETSI TR 103305-1, TR 103305-2, TR 103305-3, TR 103305-4, TR 103305-5
• The Republic of Paraguay
• World Economic Forum (WEF), White Paper, Global Agenda Council on Cybersecurity, World Economic Forum, Apr. 2016. Listed CIS Controls as the first best practice at 19, CIS cyber hygiene at Appendix A at page 26. http://www3.weforum.org/docs/GAC16_Cybersecurity_WhitePaper_.pdf