The CIS Critical Security Controls for Effective Cyber Defense
The Center for Internet Security Critical Security Controls for Effective Cyber Defense is a publication of best practice guidelines for computer security. The project was initiated early in 2008 as a response to extreme data losses experienced by organizations in the US defense industrial base and recently. The publication was initially developed by the SANS Institute, ownership was transferred to the Council on Cyber Security (CCS) in 2013 and then transferred to Center for Internet Security (CIS) in 2015. It was earlier known as the Consensus Audit Guidelines and it is also known as the CIS CSC, CIS 20, CCS CSC, SANS Top 20 or CAG 20.
The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel. Goals of the Consensus Audit Guidelines include to:
- Leverage cyber offense to inform cyber defense, focusing on high payoff areas,
- Ensure that security investments are focused to counter highest threats,
- Maximize use of automation to enforce security controls, thereby negating human errors, and
- Use consensus process to collect best ideas.
Version 3.0 was released on April 13, 2011. Version 5.0 was released on February 2, 2014 by the Council on Cyber Security (CCS). Version 6.0 was released on October 15, 2015 and consists of the security controls below. Version 6.1 was released on August 31, 2016 and has the same priorization as version 6. Version 7 has been released March 19 2018. Compared to version 5, version 6/6.1 has re-prioritized the controls and changed these two controls:
- 'Secure Network Engineering' was CSC 19 in version 5 but has been deleted in version 6/6.1.
- 'CSC 7: Email and Web Browser Protections' has been added in version 6/6.1.
CSC 1: Inventory of Authorized and Unauthorized Devices CSC 2: Inventory of Authorized and Unauthorized Software CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers CSC 4: Continuous Vulnerability Assessment and Remediation CSC 5: Controlled Use of Administrative Privileges CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs CSC 7: Email and Web Browser Protections CSC 8: Malware Defenses CSC 9: Limitation and Control of Network Ports, Protocols, and Services CSC 10: Data Recovery Capability CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches CSC 12: Boundary Defense CSC 13: Data Protection CSC 14: Controlled Access Based on the Need to Know CSC 15: Wireless Access Control CSC 16: Account Monitoring and Control CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps CSC 18: Application Software Security CSC 19: Incident Response and Management CSC 20: Penetration Tests and Red Team Exercises
In Version 7, controls 3, 4, and 5 were reshuffled. Controls 1-6 are considered "Basic", 7-16 are "Foundational" and 17-20 are "Organizational".
The Consensus Audit Guidelines (CAG) were compiled by a consortium of more than 100 contributors from US government agencies, commercial forensics experts and pen testers. Authors of the initial draft include members of:
- US National Security Agency Red Team and Blue Team
- US Department of Homeland Security, US-CERT
- US DoD Computer Network Defense Architecture Group
- US DoD Joint Task Force – Global Network Operations (JTF-GNO)
- US DoD Defense Cyber Crime Center (DC3)
- US Department of Energy Los Alamos National Lab, and three other National Labs.
- US Department of State, Office of the CISO
- US Air Force
- US Army Research Laboratory
- US Department of Transportation, Office of the CIO
- US Department of Health and Human Services, Office of the CISO
- US Government Accountability Office (GAO)
- MITRE Corporation
- The SANS Institute
Starting in 2009, the US Department of State began supplementing its risk scoring program in part using the Consensus Audit Guidelines. According to the Department's measurements, in the first year of site scoring using this approach the department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and by 89 percent in domestic sites.
- “Twenty Critical Security Controls for Effective Cyber Defense” Website (Center for Internet Security)
- Direct link to CIS CSC version 6 pdf (Center for Internet Security)
- Direct link to CIS CSC version 6.1 pdf (Center for Internet Security)
- “Addressing the Consensus Audit Guidelines (CAG) with the Symantec™ Risk Automation Suite” Whitepaper (whitepaper from Symantec Corporation)
- "Fast Track to Consensus Audit Guidelines #8 (CAG 8) Compliance" Article (article published on a Blog sponsored by Lieberman Software Corporation)
- "nCircle Solutions for Automating the Consensus Audit Guidelines Critical Security Controls" Whitepaper (whitepaper from nCircle Network Security, Inc.)
- "Why Agencies Snub 20 Critical Controls"
- "The 20 Controls That Aren't"
- "Gilligan Group Inc., CAG Background and Participants"
- “Understanding Technology Stakeholders: Their Progress and Challenges” by John M. Gilligan, Software Assurance Forum, November 4, 2009
- “Consensus Audit Guidelines: Overview” by Lieberman Software Corporation[permanent dead link]
- “Consensus Audit Guidelines: Time to ‘Stop The Bleeding’” by John M. Gilligan, 10th Semi-Annual Software Assurance Forum, March 12, 2009
- "Archived copy". Archived from the original on 2014-03-22. Retrieved 2014-03-21.
- Version 7 on cisecurity.org
- James Tarala and Jennifer Adams, "The Consensus Audit Guidelines: Drastically Improve Security of HIT Systems"[permanent dead link]
- SANS Website, "20 Critical Security Controls"
- "Hearing Before the Subcommittee on Government Management, Organization, and Procurement of the Committee on Oversight and Government Reform, House of Representatives, One Hundred Eleventh Congress, Second Session, March 24, 2010, 'Federal Information Security: Current Challenges and Future Policy Considerations'"