Skip to content ↓ | Skip to navigation ↓

Back in 2018, the State of Security spent a lot of time going over v7 of the Center for Internet Security’s Critical Security Controls (CIS Controls). We noted at the time how the Center for Internet Security shuffled the order of requirements for many of the existing controls in that version. It also cleaned up the language of the CIS Controls, simplified some working, removed duplicate requirements, and created an abstract for each of the security measures.

Wait, What Are the CIS Controls Again?

Just as a reminder, the CIS Controls are a set of recommended actions that organizations can use to defend themselves against some of the most pervasive attacks in the threat landscape today. They serve as a starting point for organizations in that effort. As noted on the Center for Internet Security’s website, the Critical Security Controls use prioritization to help organizations to figure out where their digital defenses begin, focus their resources on actions that can provide protection against high-risk items, and then invest their remaining time and energy in tackling additional sources of digital risk for the business.

The Constant Flow of Change

The CIS Controls are not a static entity. On the contrary, they regularly undergo an informal community process in which industry, government, and academic actors review the CIS Controls. Those individuals can then issue updates based upon organizations’ changing network environments and on the evolving digital threat landscape.

Those factors help to explain the release of CIS Controls v8. This updated version of the security measures now includes requirements pertaining to cloud and mobile technologies. (Regarding the former, the Center for Internet Security even created an entirely new control designed to help organizations manage their cloud service providers.)

These changes reflect just how organizations altered the way they do business as part of the shift to remote work. The Center for Internet Security expanded upon that reality in a blog post:

Since networks are basically borderless — meaning there is no longer an enclosed, centralized network where all the endpoints reside — the Controls are now organized by activity vs. how things are managed.

As part of this transition, the internal community process reduced the number of CIS Controls from 20 to 18. These Controls are as follows:

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets

CIS Control 3: Data Protection

CIS Control 4: Secure Configuration of Enterprise Assets and Software

CIS Control 5: Account Management

CIS Control 6: Access Control Management

CIS Control 7: Continuous Vulnerability Management

CIS Control 8: Audit Log Management

CIS Control 9: Email and Web Browser Protections

CIS Control 10: Malware Defenses

CIS Control 11: Data Recovery

CIS Control 12: Network Infrastructure Management

CIS Control 13: Network Monitoring and Defense

CIS Control 14: Security Awareness and Skill Training

CIS Control 15: Service Provider Management

CIS Control 16: Application Software Security

CIS Control 17: Incident Response Management

CIS Control 18: Penetration Testing

The Center for Internet Security also grouped the Controls and a fewer number of corresponding Safeguards (formerly known as “Sub-Controls”) into three Implementation Groups (IGs). These designations help organizations to prioritize their implementation of the CIS Controls. To illustrate, the first implementation group (IG1) consists of basic hygiene that all organizations can use to lay the groundwork for defending themselves against digital threats. IG2 builds upon the practices of IG1, while IG3 encapsulates all the Controls and Safeguards.

Examining CIS Controls v8 in Detail

Researchers at Tripwire are working on a new blog series that examines each of the 18 security measures contained within CIS Controls v8. Stay tuned for the first few installments of this series over the coming weeks.

In the meantime, readers can learn more about how Tripwire’s solutions align with version 7 of the CIS Controls by clicking here.