The CIS Controls are a set of recommendations comprised of controls and benchmarks. They are intended to serve as a cybersecurity “best practice” for preventing damaging attacks. The recommendations are meant to provide a holistic approach to cybersecurity and to be effective across all industries. Adhering to them serves as an effective foundation for any organization’s security and compliance programs.
Not to be confused with regulations such as PCI and HIPAA or frameworks such as NIST, compliance with CIS controls is not enforced within audits. However, the CIS Controls are considered to be the building blocks to nearly all major compliance frameworks. They map to frameworks such as the NIST 800-53, ISO 27000 series and regulations such as PCI-DSS, HIPAA, NERC CIP, and FISMA.
The Controls were developed in 2008 by an international conglomerate of cybersecurity professionals representing a broad array of organizations, from small companies to government agencies. Since then, the Controls have been periodically updated to keep pace with the evolution of technology ecosystems and emerging threat vectors.
The CIS Benchmarks
The CIS Benchmarks are similar to the Controls, except the benchmarks provide prescriptive guidelines for ensuring that operating systems, hardware, and devices are securely configured. There are more than 100 CIS Benchmarks, covering more than 25 vendor product families.
CIS Benchmarks have been adopted by a number of industry frameworks, such as PCI DSS, FISMA, and FFIEC. CIS Benchmarks exist for a variety of platforms, cloud providers, mobile devices, and more. Some examples include AWS, Google Cloud Computing, and Zoom. Adhering to these benchmarks is your best chance at ensuring that the data you relay to third parties is secure.
How the CIS Controls Map to Other Policies
PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is the standard responsible for protecting the credit card industry from digital fraud. The standard ensures that cardholder’s information remains in the right hands and limits the liability of card issuers and banks in the event that a merchant is breached.
The CIS Benchmarks and CIS Controls address a variety of aspects of PCI-DSS compliance, including:
- 1 – Firewall and Router Configurations
- 6.1 – Patch Management
- 6.4 – Change Control
- 7.1 – Access Control
NIST
NIST is the framework that guides federal information systems in the United States. The framework offers guidance on producing positive cybersecurity outcomes and on the protection of privacy and civil liberties in a cybersecurity context. The CIS Benchmarks and Controls address many different portions of NIST compliance, including:
- NIST SP 800-53 R4 Low Baseline
- NIST SP 800-171 r2
It is also important to note that the Federal Information Security Modernization Act (FISMA) regulatory standard, which serves as a portion of NIST, references CIS Controls and Benchmarks as acceptable compliance resources.
Other Standards and Frameworks
NIST and PCI DSS both use CIS Controls and Benchmarks as integral components of their compliance, but CIS’ coverage does not stop there. It extends into a multitude of other standards and frameworks such as HIPAA, NERC CIP, and GDPR. Each of these recognizes the controls and benchmarks as excellent digital hygiene and endorses their effectiveness through the role they play in their respective compliance requirements.
Summary
No matter the industry you are in, the framework that you must adhere to, or even the size of your organization, adopting and upholding the CIS controls and benchmarks is an essential element to any compliance or network hardening program. These controls are by and for cybersecurity professionals of all roles and industries, making them the most well rounded path to defense and compliance imaginable. Heed the advice of the global cybersecurity community and fully embrace the CIS controls.