The Ongoing Evolution of the CIS Critical Security Controls
For more than 15 years, the CIS Critical Security Controls® (CIS Controls®) have simplified enterprises' efforts to strengthen their cybersecurity posture by prescribing a prioritized set of security measures for defending against the most common cyber threats.
In this blog post, we'll review the story of the CIS Controls before taking a closer look at the current version.
A Brief History of the CIS Controls
The Early Days
The CIS Controls were first introduced as the SANS Critical Security Controls (the "SANS Top 20") in 2008 by an international, grassroots consortium of companies, government agencies, institutions, and individuals from every part of the ecosystem who banded together to create, adopt, and support the Controls. In 2015, the Center for Internet Security, Inc. (CIS) officially took ownership of the Controls with the release of Version 6. The idea behind the CIS Controls was to provide enterprises with actionable guidance that meaningfully enhances their cyber defense capabilities.
Over time, several updates have been introduced to keep pace with evolving cyber threats and organizational needs. The CIS Controls are reviewed and updated through a consensus-based process. Practitioners from government, industry, and academia bring deep technical understanding from multiple viewpoints (e.g., vulnerability, threat, defensive technology, tool vendors, enterprise management) and pool their knowledge to identify the most effective technical security controls needed to stop the attacks they are observing.
Version 7.1: A Focus on Prioritization
One of the biggest shifts in the CIS Controls took place in Version 7.1 when CIS introduced the concept of Implementation Groups (IGs) — IG1, IG2, and IG3 — as a new way to prioritize the CIS Controls. These IGs provide a simple and accessible way for enterprises of different sizes to focus their scarce security resources while still leveraging the value of the CIS Controls program, community, and complementary tools and working aids.
Version 8: 18 Is the New 20
In May 2021, CIS introduced Version 8 of the Controls, offering a simplified and more focused approach toward cybersecurity than its predecessor. Version 8 combined and consolidated the CIS Controls by activities rather than by who managed the devices, dropping the number of Controls from 20 to 18 and introducing CIS Safeguards (rather than Sub-Controls). This significant change made it easier for enterprises to strategize and implement security measures effectively. Version 8 also shifted its approach from device-centric defensive strategies to data-centric strategies aimed at protecting data regardless of its location, including public and private clouds along with on-premises systems. This version also officially defined IG1 as essential cyber hygiene, the starting point and minimum standard of information security for all enterprises.
Version 8.1: Governance and Compliance
Fast forward three years to the release of Controls v8.1 in June 2024. This new iterative update seeks to streamline operations further and enhance context, coexistence, and consistency.
The Current Version of the CIS Critical Security Controls
CIS Controls v8.1 is an iterative update to Version 8. As part of our process to evolve the CIS Controls, we establish "design principles" that guide us through any minor or major update to the document. Our design principles for this revision are context, coexistence, and consistency. Context enhances the scope and practical applicability of CIS Safeguards by incorporating specific examples and additional explanations. Coexistence aligns the Controls with other major security frameworks to the extent practical while preserving the unique features of the CIS Controls. Consistency maintains continuity for existing CIS Controls users, ensuring little to no disruption from this update.
Here are the broad changes we’ve made for each design principle:
Context
We've updated the CIS Controls with new asset classes to better match the specific parts of an enterprise's infrastructure to which each CIS Safeguard applies. New classes require new definitions, so we've also enhanced the descriptions of several CIS Safeguards for greater detail, practicality, and clarity.
Coexistence
The CIS Controls have always aligned to evolving industry standards and frameworks, and they will continue to do so. This is a core principle of how the Controls operate; it assists all users of the Controls. The release of National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 necessitated updated mappings and updated security functions.
Consistency
Traditionally, any iterative update to the CIS Controls should minimize disruption to Controls users. This means that no IGs were modified in this update, and the spirit of every CIS Safeguard remains the same. Additionally, the new asset classes and definitions needed to be applied consistently throughout the Controls, which required some minor wording updates.
With these principles in mind, we’ve scoped the CIS Controls v8.1 to the following updates:
- Realigned NIST CSF security function mappings to match NIST CSF 2.0
- Included new and expanded glossary definitions for reserved words used throughout the Controls (e.g., plan, process, sensitive data)
- Revised asset classes alongside new mappings to CIS Safeguards
- Fixed minor typos in CIS Safeguard descriptions
- Added clarification to a few anemic CIS Safeguard descriptions
We've also added the "Governance" security function. Enterprises can't steer their cybersecurity program toward achieving their goals without the structure provided by effective governance. CIS Controls v8.1 specifically identifies governance topics as recommendations that enterprises can implement to improve the governance of their cybersecurity program.
The CIS Controls aim to streamline the process of designing, implementing, measuring, and managing enterprise security. This involves simplifying language to reduce duplication, focusing on measurable actions with defined metrics, and ensuring each CIS Safeguard is clear and concise. CIS continues to balance the need to address current cybersecurity challenges against the need to maintain a stable, foundational cyber defense strategy, all the while steering clear of overly complex or inaccessible technologies. Technology is constantly shifting, and the CIS Controls team is aware of the developments in artificial intelligence, augmented reality, and ambient computing that are reshaping enterprise infrastructure in both subtle and radical ways. We're keeping both eyes open and already working on ideas for Version 9 of the CIS Controls.
The CIS Controls Ecosystem
As the CIS Controls move to future versions, we keep our resources and tools updated in parallel. Below is a list of what we've updated so far, and there's more to come as we move forward. Be sure to check out these resources as well as others on our website: https://www.cisecurity.org/controls.
Version 8.1 Releases
Guides
- Controls v8.1 PDF
- Controls v8.1 Excel
- Controls v8.1 Change Log
- Controls v8.1 Implementation Group 4-pager
- Industrial Control Systems Guide
- Establishing Essential Cyber Hygiene
- Guide to Asset Class
- Guide to Implementation Groups (IG)
- A Roadmap to the CIS Critical Security Controls
Mappings
- CIS Critical Security Controls Navigator: Want to see how the CIS Controls fit into your broader security program? Use this tool to explore how they map to other security standards.
- HPH CPGs
- CSA Cloud Controls Matrix v4
- PCI DSS v4.0
- NYDFS 23 NYCRR Part 500
- NIST SP 800-53 Rev 5 Moderate and Low Baselines
- ISO/IEC 27001:2022
- CMMC 2.0
- CISA's Cross-Sector CPGs v1.0.1
- NIST SP 800-171 Rev 2
- NIST CSF 2.0
Tool Updates
Cybersecurity isn't a one-time endeavor — it's an ongoing process of adaptation and improvement. Moving your organization to CIS Controls v8.1 will not only help you meet current challenges but also lay a robust foundation for future updates to your cybersecurity strategy.