The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks. SANS supports the CIS Controls with training, research, and certification. On May 18, 2021, CIS launched version 8 of the controls, released at the global RSA Conference 2021.
Here's a glimpse at the notable changes.
Updated to Keep up with the Ever-Changing Cyber Ecosystem: CIS Controls v8 has been enhanced to keep up with modern systems and software. Movement to cloud-based computing, virtualization, mobility, outsourcing, Work-from-Home, and changing attacker tactics prompted the update and supports an enterprise's security as they move to both fully cloud and hybrid environments.
Defines Implementation Group 1 (IG1): IG1 is the definition of basic cyber hygiene and represents an emerging minimum standard of information security for all enterprises. IG1 is a foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks. IG2 and IG3 build upon previous IGs, with IG1 being the on-ramp to the Controls.
Consistent and Simplified: Each Safeguard asks for “one thing,” wherever possible, in a way that is clear and requires minimal interpretation. Each Safeguard is focused on measurable actions, and defines the measurement as part of the process. The language is simplified to avoid duplication.
Task-Based Focus Regardless of Who's Executing the Control: Version 8 combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important; this is reflected in v8 through revised terminology and grouping of Safeguards, resulting in a decrease of the number of Controls from 20 to 18.
Along with Simplifying the Controls in v8, We've Simplified the Name to the “CIS Controls”: Formerly the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, the consolidated Controls are now officially called the CIS Controls. SANS served on the editorial panel of Controls v8.
Leverages Other Best Practice Guidance: The updated CIS Controls cooperate with and point to existing independent standards and security recommendations where they exist. SAFECode was a key contributor to the application software security Control.
The CIS Controls Ecosystem...It's Not About the List: Whether you use the CIS Controls, and/or another way to guide your security improvement program, you should recognize that “it’s not about the list.” You can get a credible list of security recommendations from many sources –think of the list as a starting point. It is important to look for the ecosystem that grows up around the list. To support this, CIS acts as a catalyst and clearinghouse to help us all learn from each other. Since Version 6, there has been an explosion of complementary information, products, and services available from CIS, and from the industry at-large. Some examples include:
- CIS CSAT Hosted: CIS CSAT is a free web application that enterprises can use to conduct, track, and assess their implementation of the CIS Controls; it supports cross-departmental collaboration by allowing users to delegate questions to others, validate the responses, create sub-organizations, and more.
- Community Defense Model (CDM): The CDM is an analytical model to bring a more data-driven and rigorous approach in CIS Controls and corresponding Safeguards selection and prioritization. CDM v1.0 showed that the CIS Controls mitigate approximately 83% of all attack techniques found in the MITRE ATT&CK Framework.
- CIS Controls Mobile Companion Guide: The CIS Controls Mobile Companion Guide helps enterprises implement the consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile applications.
- CIS Controls Cloud Companion Guide: CIS provides guidance on how to apply the security best practices found in CIS Controls v8 to any cloud environment from the consumer/customer perspective.
CIS Provides Enterprises with Supporting Tools and Documents to Help with v8 Implementation: CIS Controls v8 provides backwards compatibility with previous versions and a migration path for users of prior versions to move to v8.
SANS Training and Certification
With two courses and one certification focused on the CIS Controls, each has undergoing major updates to be in line with the new CIS Controls v8. Learn more about them here:
- SEC440: CIS Critical Controls: A Practical Introduction
- SEC566: Implementing and Auditing CIS Critical Controls
- GCCC: GIAC Critical Controls Certification
Additional Resources
What's New with the CIS Controls v8?, Randy Marchany
Measuring Risk Using the Open, Collective Risk Model (CRM) , James Tarala, June 10, SANS webcast
