
What’s New in CIS Controls v8?

Ted Gruenloh
CEO @ Nomic Networks
June 30, 2021

Organizations have been using the Center for Internet Security’s Critical Security Controls (the CIS Controls) to secure their systems for more than a decade. The Center for Internet Security (CIS) is a non-profit entity that works with the global IT community to help organizations secure themselves against digital threats. It fulfills its mission in part by maintaining the CIS Controls, security measures designed to help organizations improve their security hygiene in a way that aligns with their business priorities.

Fresh Content Given to the CIS Controls

What gives the CIS Controls their staying power is that they are not a static set of principles. As noted on its FAQ page, the Center for Internet Security uses an informal community process in which it invites practitioners from government, industry, and academia to share their understanding of the threat landscape. Those contributors then pool their knowledge to update the CIS Controls so that organizations can better defend themselves against current attacks.

This review and update process produced CIS Controls v8, released in May 2021. Version 8 reflects a year in which organizations operated under pandemic lockdowns, with staff, devices, and workloads moving off the corporate network. As such, it comes with some important changes over previous versions. Two deserve particular mention.

Change #1: Fewer Controls and Safeguards

First, CIS reorganized the Controls by activity rather than by who manages the devices. It made that change to reflect today’s “basically borderless” networks, as CIS noted in a blog post. In the process, the Center for Internet Security reduced the number of CIS Controls from 20 to 18. Those top-level Controls come with 153 Safeguards (formerly called “Sub-Controls”), down from 171 in v7.1.

Change #2: A Broadened Focus

Second, the content of the CIS Controls itself changed. The Center for Internet Security updated its Controls so that organizations can use them to secure cloud and mobile technologies as well as traditional on-premises assets. Some of those updates introduced new language into existing Controls. Others created entirely new Controls, such as CIS Control 15, to address organizations’ growing reliance on service providers.

These changes build on earlier efforts to help organizations prioritize their implementation of the CIS Controls. Version 7.1, for instance, introduced Implementation Groups (IGs). There are three IGs as of this writing, each reflecting a risk profile and the resources an enterprise has available for implementing the Controls.

The first Implementation Group, IG1, consists of basic cyber hygiene that every organization should be able to implement. It’s important to note that IG1 isn’t a rebranding of the “basic” CIS Controls. Previous versions singled out five Controls as actions that organizations could take to defend against upwards of 85% of common attacks, per Dark Reading. (By comparison, LIFARS noted in 2020 that organizations could protect themselves from 97% of digital attacks by implementing all of the then-20 CIS Controls.)

This understanding changed when the Center for Internet Security began grouping the Controls by activity rather than by who manages the assets. Basic cyber hygiene is no longer defined as adopting five Controls together with all of their Safeguards. In Version 8, IG1 comprises 56 Safeguards drawn from 15 of the 18 revised top-level Controls; the remaining three Controls have no IG1 Safeguards.

Organizations don’t need to stop at basic cyber hygiene when implementing CIS Controls v8, either. Those with more resources and more sensitive data can work towards IG2, which consists of every Safeguard in IG1 plus additional measures, 130 Safeguards in total. The final Implementation Group, IG3, covers all 153 Safeguards.

How Sentinel Can Help

Organizations with smaller security teams – or no security team at all – can lean on the CIS Controls as a solid guide for their network security strategy. Sentinel checks several of the CIS Controls boxes outright, and it also acts as a safety net for other Safeguards you might not expect. Let us know if we can help you get started with the CIS Controls.

Not sure where to start? Read our guide.

Get practical, sound advice from our COO and Scott Smith, CSO at the City of Bryan, Texas. Recently updated for CIS Controls V8!

CIS Controls v8 Summary

  • CIS Control 1: Inventory and Control of Enterprise Assets – Organizations need to know every enterprise asset, physical or virtual, on premises or in the cloud, that connects to their infrastructure. The inventory is what lets them find unauthorized or unmanaged assets and remove them or bring them under management.
  • CIS Control 2: Inventory and Control of Software Assets – This Control serves the same function as CIS Control 1, but for software: operating systems and applications alike. The goal is that only authorized software is installed and able to execute.
  • CIS Control 3: Data Protection – All organizations need processes for protecting their data over its entire lifecycle, from identification and classification through handling and retention to disposal.
  • CIS Control 4: Secure Configuration of Enterprise Assets and Software – By establishing and maintaining a secure configuration for their assets, organizations can detect configuration drift and quickly return assets to their desired state.
  • CIS Control 5: Account Management – Assigning and managing credentials for user, administrator, and service accounts isn’t something organizations can do ad hoc. They need formal processes for creating, reviewing, and disabling those accounts.
  • CIS Control 6: Access Control Management – Building on CIS Control 5, organizations need a way to create, assign, manage, and revoke access privileges for authorized accounts, so that each account holds only the access it needs.
  • CIS Control 7: Continuous Vulnerability Management – No two security weaknesses carry the same risk. Organizations need a vulnerability management plan to track known issues on their assets, prioritize them, and remediate them.
  • CIS Control 8: Audit Log Management – Evading detection is a critical component of many modern attack chains. With the means to collect, retain, alert on, and review logs, organizations strengthen their ability to detect and respond to an attack that is trying to stay hidden.
  • CIS Control 9: Email and Web Browser Protections – Email and web browsers are among the most common attack vectors employed by threat actors today. These protections aim to make that route harder for attackers to use.
  • CIS Control 10: Malware Defenses – Preventing the installation of malware is an important measure for any organization. So is the ability to contain where malicious code spreads and executes if it does succeed in infecting a system.
  • CIS Control 11: Data Recovery – Ransomware is just one of the events that can destroy an organization’s data. Organizations need tested backup and recovery practices that can restore in-scope assets and data to a trusted, pre-incident state.
  • CIS Control 12: Network Infrastructure Management – Many attackers exploit vulnerable network services and access points as part of their attack chains. That’s why organizations must actively manage their network devices and keep their configurations current and secure.
  • CIS Control 13: Network Monitoring and Defense – Along the same lines as CIS Control 12, organizations need visibility into their network so they can spot and address anomalous activity that could indicate an attack.
  • CIS Control 14: Security Awareness and Skills Training – Many attacks today involve social engineering. Organizations therefore need a security awareness program that educates their workforce about common threats and the behaviors that counter them.
  • CIS Control 15: Service Provider Management – The enterprise now depends on service providers that hold sensitive data or run critical IT platforms. Organizations need a process to evaluate and monitor those providers’ security.
  • CIS Control 16: Application Software Security – Whether software is developed in-house, hosted, or acquired, it needs to be managed securely throughout its lifecycle. Organizations need a way to prevent, detect, and remediate application weaknesses before they affect the business.
  • CIS Control 17: Incident Response Management – At some point, most organizations will find themselves handling a security incident. They need a formal plan, including defined roles, communications, and procedures, for mounting an effective response.
  • CIS Control 18: Penetration Testing – Last but not least, organizations need to evaluate the effectiveness of the security measures they’ve implemented. A penetration test does that by simulating an attacker’s actions against their people, processes, and technology.
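As an added illustration of what Controls 1 and 2 ask for in practice (this is not CIS material and not code from the author or Nomic Networks), the following Python script reconciles an authorized hardware and software inventory against what a discovery scan and an endpoint agent actually observed. The MAC-keyed record format, hostnames, allowlists, sample observations, and the six-month review interval are all assumptions made for the example; the data is constructed.

```python
"""Inventory reconciliation in the spirit of CIS Controls 1 and 2.

Added illustration only: not CIS material and not code from the author or
Nomic Networks. Record formats, names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    control: str   # which Control the finding relates to
    kind: str      # short machine-readable label for the condition
    asset: str     # MAC or hostname the finding is about
    detail: str    # human-readable context for the reviewer


# --- Constructed sample data (assumed formats, not a real inventory) ---
# Authorized hardware, keyed by MAC address. "last_verified" is the date a
# human last confirmed that the record is accurate.
AUTHORIZED_HARDWARE = {
    "aa:bb:cc:00:00:01": {"hostname": "fileserver01", "owner": "it-ops",
                          "last_verified": date(2021, 5, 1)},
    "aa:bb:cc:00:00:02": {"hostname": "ws-finance-07", "owner": "finance",
                          "last_verified": date(2020, 9, 15)},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "facilities",
                          "last_verified": date(2021, 4, 20)},
}

# Software allowed on each managed host (the Control 2 software inventory).
AUTHORIZED_SOFTWARE = {
    "fileserver01": {"openssh-server", "samba", "rsyslog"},
    "ws-finance-07": {"firefox", "libreoffice"},
}

# What this discovery cycle actually observed: a network scan for hosts plus
# the package list reported by an endpoint agent. printer-2f did not answer.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10",
     "software": ["openssh-server", "samba", "rsyslog"]},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.2.33",
     "software": ["firefox", "libreoffice", "teamviewer"]},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.2.77", "software": []},
]


def reconcile(authorized_hw, authorized_sw, discovered, today,
              max_record_age_days=180):
    """Compare observations with the inventory and return a list of Findings.

    max_record_age_days defaults to six months, an assumed review interval;
    inventory records not re-verified within it are flagged as stale.
    """
    findings = []
    seen = set()

    for host in discovered:
        mac = host["mac"]
        seen.add(mac)
        record = authorized_hw.get(mac)
        if record is None:
            # Control 1: on the network but never authorized; remove it,
            # quarantine it, or bring it under management.
            findings.append(Finding("CIS Control 1", "unauthorized-hardware", mac,
                                    f"seen at {host['ip']} but not in inventory"))
            continue
        name = record["hostname"]
        allowlist = authorized_sw.get(name)
        if allowlist is None:
            # Control 2: a managed host with no approved software list cannot
            # be checked at all, which is itself a gap worth reporting.
            findings.append(Finding("CIS Control 2", "no-software-baseline", name,
                                    "no authorized software list for this host"))
            continue
        for pkg in sorted(set(host["software"]) - allowlist):
            findings.append(Finding("CIS Control 2", "unauthorized-software", name, pkg))

    for mac, record in authorized_hw.items():
        name = record["hostname"]
        if mac not in seen:
            # Control 1: the inventory says it exists but discovery did not see
            # it. It may be off, moved, or decommissioned; someone must check.
            findings.append(Finding("CIS Control 1", "not-observed", name,
                                    "in inventory but not discovered this cycle"))
        if today - record["last_verified"] > timedelta(days=max_record_age_days):
            findings.append(Finding("CIS Control 1", "stale-record", name,
                                    f"last verified {record['last_verified'].isoformat()}"))
    return findings


def run_sample(today=date(2021, 6, 30)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(AUTHORIZED_HARDWARE, AUTHORIZED_SOFTWARE, DISCOVERED, today)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.control:14} {f.kind:22} {f.asset:20} {f.detail}")
```

On the sample data the script reports four findings: an unknown MAC on the finance subnet (Control 1, unauthorized hardware), a remote-access tool on a finance workstation that is not on that host’s allowlist (Control 2), a printer that is in the inventory but was not seen this cycle (Control 1), and a workstation record that nobody has re-verified in over six months (Control 1). Each finding is a work item rather than a verdict: the unknown device gets isolated until someone claims it, the unlisted package is either removed or formally approved, and the missing and stale records go back to their owners for confirmation. The value of the exercise is the loop, not the script, which is why v8 expects discovery to be run on a schedule rather than once.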


Ted has worked with network security and web technologies for almost 30 years, beginning his career as a full-stack web engineer and transitioning to network security. He now guides Nomic and its supporting initiatives, including CINS Active Threat Intelligence.
