The CIS Critical Security Controls for Effective Cyber Defense

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

The CIS Controls (formerly called the Center for Internet Security Critical Security Controls for Effective Cyber Defense) is a publication of best practice guidelines for computer security. The project was initiated early in 2008 in response to extreme data losses experienced by organizations in the US defense industrial base.[1] The publication was initially developed by the SANS Institute. Ownership was then transferred to the Council on Cyber Security (CCS) in 2013, and then transferred to Center for Internet Security (CIS) in 2015. It was originally known as the Consensus Audit Guidelines and it is also known as the CIS CSC, CIS 20, CCS CSC, SANS Top 20 or CAG 20.


The guidelines consist of 18 (originally 20) key actions, called critical security controls (CSC), that organizations should implement to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them.[2] The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel.[3] Goals of the Consensus Audit Guidelines include

  • Leveraging cyber offense to inform cyber defense, focusing on high payoff areas
  • Ensuring that security investments are focused to counter highest threats
  • Maximizing the use of automation to enforce security controls, thereby negating human errors
  • Using consensus process to collect best ideas[4]


Version 8 was released May 18, 2021

Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Controls.

CIS Controls v8 defines Implementation Group 1 (IG1) as basic cyber hygiene and represents an emerging minimum standard of information security for all enterprises.

IG1 is the on-ramp to the CIS Controls and consists of a foundational set of 56 cyber defense Safeguards. The Safeguards included in IG1 are what every enterprise should apply to defend against the most common attacks.

IG2 comprises 74 additional Safeguards and builds upon the 56 Safeguards identified in IG1.

The 74 Safeguards selected for IG2 can help security teams cope with increased operational complexity. Some Safeguards will depend on enterprise-grade technology and specialized expertise to properly install and configure.

An IG2 enterprise employs individuals who are responsible for managing and protecting IT infrastructure. These enterprises typically support multiple departments with differing risk profiles based on job function and mission. Small enterprise units may have regulatory compliance burdens. IG2 enterprises often store and process sensitive client or enterprise information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs.

Implementation Groups (IGs) are the recommended guidance to prioritize implementation of the CIS Controls.

IG3 comprises 23 additional Safeguards. It builds upon the Safeguards identified in IG1 (56) and IG2 (74) totaling the 153 Safeguards in CIS Controls v8.

An IG3 enterprise commonly employs security experts that specialize in the different facets of cybersecurity (e.g., risk management, penetration testing, application security). IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data. Successful attacks can cause significant harm to the public welfare.

Safeguards selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.

Below is a list of the CIS Controls in v8

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email Web Browser and Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skills Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing


With the release of Version 8, CIS also released the CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8 in October 2021. The most recent release is CIS RAM v2.1. CIS RAM is a "risk assessment method designed to help enterprises justify investments for implementing the CIS Critical Security Controls (CIS Controls)."[5] CIS RAM v2.1 "offers three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups (IGs)". CIS developed a series of webinars to guide users to the new versions as each were released. The CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop[6] was conducted in February 2022, with the recording available. In June 2022, CIS will be conducting another webinar which reviews "how to conduct a risk assessment using CIS RAM v2.1 for IG3."[7] This series of webinars was moderated and conducted by CIS and principal CIS RAM author Chris Cronin.

Version 7.1 was released April 4, 2019.[8]

CSC 1: Inventory and control of Hardware Assets CSC 2: Inventory and control of Software Assets CSC 3: Continuous Vulnerability Assessment and Remediation CSC 4: Controlled Use of Administrative Privileges CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 10: Data Recovery Capabilities CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Implement a Security Awareness and Training Program CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises

Implementation Groups[edit]

Version 7.1 introduced the Implementation Groups,[9] dividing the Controls into 3 sections:

  • Implementation Group 1: Applicable to all companies (small to large)
  • Implementation Group 2: Additional Controls for storing sensitive information
  • Implementation Group 3: Additional Controls for very sensitive information

With the implementation groups, smaller companies do not need to comply with all CIS Controls.

Previous versions[edit]

Version 2.1 was released August 10, 2009. Version 3.0 was released on April 13, 2011. Version 5.0 was released on February 2, 2014 by the Council on Cyber Security (CCS).[10] Version 6.0 was released on October 15, 2015. Version 6.1 was released on August 31, 2016 and has the same priorization as version 6. Version 7 was released March 19, 2018.[11] Version 7.1 was released April 4, 2019.

Compared to version 5, version 6/6.1 has re-prioritized the controls and changed these two controls:

  • 'Secure Network Engineering' was CSC 19 in version 5 but has been deleted in version 6/6.1.
  • 'CSC 7: Email and Web Browser Protections' has been added in version 6/6.1.

In Version 7,[12] controls 3, 4, and 5 were reshuffled. Controls 1-6 are considered "Basic", 7-16 are "Foundational" and 17-20 are "Organizational". It also released CIS RAM,[13] an information security risk assessment method to help implement CIS Controls reasonably.


The Consensus Audit Guidelines (CAG) were compiled by a consortium of more than 100 contributors[14] from US government agencies, commercial forensics experts and pen testers.[15] Authors of the initial draft include members of:

  • US National Security Agency Red Team and Blue Team
  • US Department of Homeland Security, US-CERT
  • US DoD Computer Network Defense Architecture Group
  • US DoD Joint Task Force – Global Network Operations (JTF-GNO)
  • US DoD Defense Cyber Crime Center (DC3)
  • US Department of Energy Los Alamos National Lab, and three other National Labs.
  • US Department of State, Office of the CISO
  • US Air Force
  • US Army Research Laboratory
  • US Department of Transportation, Office of the CIO
  • US Department of Health and Human Services, Office of the CISO
  • US Government Accountability Office (GAO)
  • MITRE Corporation
  • The SANS Institute[1]

Notable results[edit]

Starting in 2009, the US Department of State began supplementing its risk scoring program in part using the Consensus Audit Guidelines. According to the Department's measurements, in the first year of site scoring using this approach the department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and by 89 percent in domestic sites.[16]

External links[edit]


  1. ^ a b "Gilligan Group Inc., CAG Background and Participants"
  2. ^ “Understanding Technology Stakeholders: Their Progress and Challenges” by John M. Gilligan, Software Assurance Forum, November 4, 2009
  3. ^ “Consensus Audit Guidelines: Overview” by Lieberman Software Corporation
  4. ^ “Consensus Audit Guidelines: Time to ‘Stop The Bleeding’” by John M. Gilligan, 10th Semi-Annual Software Assurance Forum, March 12, 2009
  5. ^ "CIS Risk Assessment Method (RAM) v2.1 for CIS Controls v8". The Center for Internet Security, Inc. (CIS®). January 19, 2022.
  6. ^ "CIS Risk Assessment Method (RAM) v2.1 for Implementation Group 2 (IG2) Workshop". The Center for Internet Security, Inc. (CIS®). February 2022.
  7. ^ "CIS RAM v2.1 for Implementation Group 3 (IG3) Workshop". The Center for Internet Security, Inc. (CIS®). May 2022.
  8. ^ Version 7.1 on
  9. ^
  10. ^ "Archived copy". Archived from the original on March 22, 2014. Retrieved March 21, 2014.{{cite web}}: CS1 maint: archived copy as title (link)
  11. ^ Version 7 on
  12. ^ "CIS Controls Version 7 – What's Old, What's New". CIS® (Center for Internet Security, Inc.). March 19, 2018.
  13. ^ "CIS RAM FAQ". CIS® (Center for Internet Security, Inc.).
  14. ^ James Tarala and Jennifer Adams, "The Consensus Audit Guidelines: Drastically Improve Security of HIT Systems"[permanent dead link]
  15. ^ SANS Website, "20 Critical Security Controls"
  16. ^ "Hearing Before the Subcommittee on Government Management, Organization, and Procurement of the Committee on Oversight and Government Reform, House of Representatives, One Hundred Eleventh Congress, Second Session, March 24, 2010, 'Federal Information Security: Current Challenges and Future Policy Considerations'"
  17. ^ "HALOCK Security Labs: CIS RAM". CIS RAM.