The Center for Internet Security (CIS) has released its new version 7.1 of the top 20 Critical Security Controls. The updated version includes new Implementation Groups designed to identify relevant CIS controls that are reasonable for an organization with a similar risk profile and available cybersecurity resources.
The CIS controls are a recommended set of cyber defense actions that provide detailed and actionable ways to thwart the most pervasive cyber attacks. The top 20 CIS controls include a good list of highly effective defensive actions that can help organizations prioritize the implementation of controls.
A study of the previous release found that if organizations had implemented just the first five CIS controls, 85% of cyber attacks could have been prevented; if organizations had adopted all 20 controls, nearly 97% of attacks could have been prevented.
CIS categories
In the original CIS version 7 (now updated to version 7.1), CIS broke the list into three main categories: basic, foundational and organizational. CIS also updated the sub-control language to be clearer and more precise.
CIS outlined the categories below:
- “Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
- Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
- Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused on people and processes involved in cybersecurity.”
Key Principles
CIS also provided 7 key principles that guided the enhancement of the top 20 controls:
- “Address current attacks, emerging technology, and changing mission/business requirements for IT.”
- “Bring more focus to key topics like authentication, encryptions, and application whitelisting.”
- “Better align with other frameworks” (e.g., mapping to NIST Cybersecurity Framework).
- “Improve the consistency and simplify the wording of each sub-control” (i.e., added one “ask” per sub-control, to help make the CIS controls easier to measure, monitor and implement).
- “Set the foundation for a rapidly growing ‘ecosystem’ of related products and services from both CIS and the marketplace” (e.g., make it easier to understand or import/integrate CIS controls into vendor products or services).
- “Make some structural changes in layout and format” (restructured CIS content to be more flexible, relevant and adaptive than before).
- “Reflect the feedback of a world-wide community of volunteers, adopters, and supporters.”
Implementation Groups
CIS more recently updated the CIS Controls with Implementation Groups (IGs) in version 7.1.
According to CIS, the “IGs are self-assessed categories for organizations based on relevant cybersecurity attributes. Each IG identifies which CIS Controls, at the Sub-Control level, are reasonable for an organization with a similar risk profile and resources to implement.”
CIS added that organizations can leverage the IGs to help classify themselves and focus resources in particular areas to improve maturity of controls.
The three IG types include:
- Implementation Group 1: organizations that have limited general and cybersecurity resources available to implement CIS sub-controls.
- Implementation Group 2: organizations that have moderate general and cybersecurity resources available to implement CIS sub-controls.
- Implementation Group 3: organizations that have significant general and cybersecurity resources available to implement CIS sub-controls.
Examples of IG1 would be small or home office environments. In IG2, the emphasis is on helping security teams safeguard sensitive client and company data.
For IG3, organizations would be expected to meet all of the IG1 and IG2 sub-controls, and also to implement sub-controls that reduce the impact of zero-day attacks and “sophisticated attacks from sophisticated adversaries.”
Are the CIS Controls a replacement for the other frameworks?
According to CIS, the top 20 controls are not intended as a replacement for existing regulatory or compliance standards and requirements.
However, the CIS controls can be mapped to other compliance frameworks (e.g., NIST Cybersecurity Framework, NIST 800-53, ISO 27000 series) and regulations (e.g., PCI DSS, HIPAA, NERC CIP, and FISMA). The CIS Controls can be used as a starting point for action.
See the CIS summary of what’s changed in the latest version and also CIS Controls FAQs. The SANS Institute also offers a number of good security classes on implementing the CIS Controls.
Update April 4, 2019: this article has been updated to include the CIS version 7.1 update.