Skip to content ↓ | Skip to navigation ↓

We are very proud to announce the release of Version 6 of the Center for Internet Security Critical Security Controls for Effective Cyber Defense. This is a set of security practices developed and supported by a large volunteer community of cybersecurity experts.

Based on an ongoing analysis of attacks, vulnerabilities and defensive options, the CIS Controls specify the primary actions of cyber hygiene that every organization should implement to manage the vast majority of problems that they face today.

The CIS Controls are used by a very wide variety of adopters, and they are called out in the comprehensive schemes like the NIST Cybersecurity Framework. They are also consistent with many other formal frameworks, offering a way to prioritize and focus your actions for greatest defensive payoff.

So what’s new in Version 6 of the CIS Critical Security Controls?

Here are some of the most notable changes:

  • We moved “Controlled Use of Administrative Privilege” from CSC 12 to CSC 5. This area deserved more emphasis; now CSCs 1-5 represent a more complete set to describe “foundational cyber hygiene” (with a new explanatory Appendix).
  • We added a new Control, CSC 7 “Email and Browser Protections”, to bring more attention to these very common attack vectors.
  • CSC 19 “Secure Network Engineering” was deleted. Engineering tasks are implied throughout the Controls, and we decided it was more effective to move some of the sub-controls directly to other Controls. We also plan to address this topic in more detail later.
  • “Maintenance, Monitoring, and Analysis of Audit Logs” moved from CSC 14 to CSC 6 to emphasize the importance of collecting information to for allow detection, analysis, and recovery.

There were some other changes in the ordering, reflecting both prioritization as well as more natural groupings of the CIS Controls. The details can be found in a Change Log that was released with Version 6.

In addition to changes within the set of Controls, we created some very exciting complementary pieces:

  • There are new Appendices that describe the following: the relationship between the CIS Critical Security Controls and the NIST Cybersecurity Framework, the National Cyber Hygiene Campaign (based on CSC 1 thru CSC 5), and a list of critical governance controls to be considered during implementation.
  • There is a new Appendix dedicated to privacy considerations with regards to any implementation of the CIS Controls. Privacy is now a topic of worldwide importance, and it deserves attention in every defensive framework or discussion.
  • We also created a new document, “A Measurement Companion to the CIS Critical Security Controls”, a much more specific and detailed treatment of security metrics.

Furthermore, over the next few weeks and months, we will be sharing many new working aids, tools and companion documents for the CIS Controls.

So what’s not new in Version 6?

As we have often said about the CIS Critical Security Controls, “it’s not about the list.” You can find an excellent list of things to do on every virtual street corner of IT security.

The real value of this movement comes from the large voluntary community that bands together to understand the vast range of attacks that plague us all, identifies the most important actions to manage those problems, and then creates the knowledge, products, and support community that helps enterprises get to work improving their cybersecurity.

This spirit of common cause is an essential element of the CIS Controls model – and we are proud to continue the tradition with Version 6.


Tony Sager PhotoAbout the Author: Tony Sager is a Senior Vice President & Chief Evangelist for the Center for Internet Security – an independent, international, non-profit organization whose mission is to identify, validate, promote and sustain best practices in cybersecurity. He leads the development of the CIS Critical Security Controls, a worldwide volunteer project to find and support technical practices that stop the vast majority of today’s cybersecurity attacks. Tony retired from the National Security Agency in June 2012 after 34 years as an Information Assurance professional: mathematical cryptographer, software vulnerability analyst and executive manager of the premier cyberdefense organizations at NSA.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock