What are CIS Critical Controls?
The CIS Critical Security Controls are a recommended set of cyber defense actions that provide specific and actionable ways to stop today’s attacks. The Critical Controls were created by NSA Red and Blue teams, the US Department of Energy, and some of the top forensics and incident response organizations. The primary goal of the resulting Controls is to identify what needs to be done to stop any known attacks.
The Controls take best-in-class threat data and turn it into actionable guidance to improve security in cyberspace. Too often in cybersecurity, the “attackers” are more organized than the “good guys.” These Controls attempt to change that outcome and provide maximum security for an organization.
The list of twenty Controls is as follows, and each has its own subset of guidance.
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
As of April 2019, the version of the guidance that was introduced breaks these Controls into “Implementation Groups,” dividing the Controls into three sections:
- Implementation Group 1: Applicable to all companies (small to large)
- Implementation Group 2: Additional Controls for storing sensitive information
- Implementation Group 3: Additional Controls for very sensitive information
With the advent of Implementation Groups, smaller companies do not need to comply with all CIS Controls; however, maximum coverage is more easily achieved by implementing as many as possible.