
This document contains mappings of the CIS Controls V7.1 and Sub-Controls to the NIST 800-53 R4 LOW Baseline.

Mapping version 0.1.

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to NIST Special Publi
Reference link for NIST SP 800-53 R4: https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
Mappings are available from a variety of sources online, and different individuals will make their own decis
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item

CIS Control 10.1


Ensure that all system data is automatically backed up on a regular basis.

For a defensive mitigation to map to this CIS Sub-Control it must have the following features:
• Be able to back up information
• The backed up information must be system data
• Automated tools must be used to perform the back up
• The back ups must occur on a regular basis, meaning a time component must be involved

If the two concepts are equivalent, they are mapped with the relationship "equal". If they are not equal, the
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
• Equal: The defensive mitigation contains the exact same security concept within both standards.
• Small subset: The CIS Sub-Control is only tangentially related, and is subsumed within the defensive miti
• Small superset: The CIS Control is only slightly related to the defensive mitigation in question, and is a m
• Large subset: The CIS Sub-Control is highly related, yet is still subsumed within the defensive mitigation.
• Large superset: The CIS Control is very related to the defensive mitigation in question, yet is a broader co
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Sub-Control X is Equal to this NIST
Examples:
CIS Sub-Control 6.4 "Ensure adequate storage for logs" is EQUAL to NIST SP 800-53 AU-4 "Audit Storage
CIS Sub-Control 16.7 "Establish Process for Revoking Access" is a SMALL SUBSET of NIST SP 800-53 A

Many of the 800-53 Controls contain what could be considered multiple CIS Sub-Controls within the same
Finally, these relationships can also be read in a machine readable manner, for instance to graph relations

Additional Mapping Considerations


Many of the NIST 800-53 controls contain too much text to fit into a single cell within Excel. Therefore, the

The NIST 800-53 Rev 4 Low Baseline generally contains Controls, with very few Control Enhancements re
When specific technologies or policy documents from the US federal government are mentioned, the CIS C
Many of the 800-53 Controls will map to the CIS Controls, but they are not included within the mapping sin
CIS 19.7, but it's just not within the low baseline

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings commun
https://workbench.cisecurity.org/communities/94

Unique Mapping Considerations to NIST SP 800-53


Creating an Organization-wide Security Baseline
Specific settings or usages of technologies are mapped to Sub-Control 5.1, which generally contains a cyb

Audit Logging
Most of the applicable Controls and Control Enhancements have to do with Enabling audit logs for certain
Some types of "audit records" didn't fall into the "audit log" category, such as logging URL requests and we

Information System Monitoring


Many applicable Controls and Control Enhancements that are related to network monitoring are mapped to
CIS Control | CIS Sub-Control | Title | Description

1  Inventory and Control of Hardware Assets
   Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.

   1.1  Utilize an Active Discovery Tool
        Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
   1.2  Use a Passive Asset Discovery Tool
        Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
   1.3  Use DHCP Logging to Update Asset Inventory
        Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
   1.4  Maintain Detailed Asset Inventory
        Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
   1.5  Maintain Asset Inventory Information
        Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
   1.6  Address Unauthorized Assets
        Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
   1.7  Deploy Port Level Access Control
        Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
   1.8  Utilize Client Certificates to Authenticate Hardware Assets
        Use client certificates to authenticate hardware assets connecting to the organization's trusted network.

2  Inventory and Control of Software Assets
   Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

   2.1  Maintain Inventory of Authorized Software
        Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
   2.2  Ensure Software is Supported by Vendor
        Ensure that only software applications or operating systems currently supported by the software's vendor are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
   2.3  Utilize Software Inventory Tools
        Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
   2.4  Track Software Inventory Information
        The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
   2.5  Integrate Software and Hardware Asset Inventories
        The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
   2.6  Address unapproved software
        Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
   2.7  Utilize Application Whitelisting
        Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
   2.8  Implement Application Whitelisting of Libraries
        The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
   2.9  Implement Application Whitelisting of Scripts
        The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
   2.10 Physically or Logically Segregate High Risk Applications
        Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incur higher risk for the organization.

3  Continuous Vulnerability Management
   Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

   3.1  Run Automated Vulnerability Scanning Tools
        Utilize an up-to-date SCAP-compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
   3.2  Perform Authenticated Vulnerability Scanning
        Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
   3.3  Protect Dedicated Assessment Accounts
        Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
   3.4  Deploy Automated Operating System Patch Management Tools
        Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
   3.5  Deploy Automated Software Patch Management Tools
        Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
   3.6  Compare Back-to-back Vulnerability Scans
        Regularly compare the results from back-to-back vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
   3.7  Utilize a Risk-rating Process
        Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.

4  Controlled Use of Administrative Privileges
   The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

   4.1  Maintain Inventory of Administrative Accounts
        Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
   4.2  Change Default Passwords
        Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
   4.3  Ensure the Use of Dedicated Administrative Accounts
        Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
   4.4  Use Unique Passwords
        Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
   4.5  Use Multifactor Authentication For All Administrative Access
        Use multi-factor authentication and encrypted channels for all administrative account access.
   4.6  Use of Dedicated Machines For All Administrative Tasks
        Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
   4.7  Limit Access to Script Tools
        Limit access to scripting tools (such as Microsoft PowerShell and Python) to only administrative or development users with the need to access those capabilities.
   4.8  Log and Alert on Changes to Administrative Group Membership
        Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
   4.9  Log and Alert on Unsuccessful Administrative Account Login
        Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.

5  Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
   Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

   5.1  Establish Secure Configurations
        Maintain documented, standard security configuration standards for all authorized operating systems and software.
   5.2  Maintain Secure Images
        Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
   5.3  Securely Store Master Images
        Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
   5.4  Deploy System Configuration Management Tools
        Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
   5.5  Implement Automated Configuration Monitoring Systems
        Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

6  Maintenance, Monitoring and Analysis of Audit Logs
   Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

   6.1  Utilize Three Synchronized Time Sources
        Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
   6.2  Activate audit logging
        Ensure that local logging has been enabled on all systems and networking devices.
   6.3  Enable Detailed Logging
        Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
   6.4  Ensure adequate storage for logs
        Ensure that all systems that store logs have adequate storage space for the logs generated.
   6.5  Central Log Management
        Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
   6.6  Deploy SIEM or Log Analytic tool
        Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
   6.7  Regularly Review Logs
        On a regular basis, review logs to identify anomalies or abnormal events.
   6.8  Regularly Tune SIEM
        On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

7  Email and Web Browser Protections
   Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

   7.1  Ensure Use of Only Fully Supported Browsers and Email Clients
        Ensure that only fully supported web browsers and email clients are allowed to execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
   7.2  Disable Unnecessary or Unauthorized Browser or Email Client Plugins
        Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
   7.3  Limit Use of Scripting Languages in Web Browsers and Email Clients
        Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
   7.4  Maintain and Enforce Network-Based URL Filters
        Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
   7.5  Subscribe to URL-Categorization Service
        Subscribe to URL categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
   7.6  Log all URL requests
        Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
   7.7  Use of DNS Filtering Services
        Use DNS filtering services to help block access to known malicious domains.
   7.8  Implement DMARC and Enable Receiver-Side Verification
        To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards.
   7.9  Block Unnecessary File Types
        Block all e-mail attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
   7.10 Sandbox All Email Attachments
        Use sandboxing to analyze and block inbound email attachments with malicious behavior.

8  Malware Defenses
   Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

   8.1  Utilize Centrally Managed Anti-malware Software
        Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers.
   8.2  Ensure Anti-Malware Software and Signatures are Updated
        Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis.
   8.3  Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies
        Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
   8.4  Configure Anti-Malware Scanning of Removable Devices
        Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
   8.5  Configure Devices Not To Auto-Run Content
        Configure devices to not auto-run content from removable media.
   8.6  Centralize Anti-Malware Logging
        Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
   8.7  Enable DNS Query Logging
        Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
   8.8  Enable Command-Line Audit Logging
        Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

9  Limitation and Control of Network Ports, Protocols, and Services
   Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.

   9.1  Associate Active Ports, Services and Protocols to Asset Inventory
        Associate active ports, services and protocols to the hardware assets in the asset inventory.
   9.2  Ensure Only Approved Ports, Protocols and Services Are Running
        Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.
   9.3  Perform Regular Automated Port Scans
        Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
   9.4  Apply Host-Based Firewalls or Port Filtering
        Apply host-based firewalls or port filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
   9.5  Implement Application Firewalls
        Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged.

10 Data Recovery Capabilities
   The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.

   10.1 Ensure Regular Automated BackUps
        Ensure that all system data is automatically backed up on a regular basis.
   10.2 Perform Complete System Backups
        Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
   10.3 Test Data on Backup Media
        Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
   10.4 Ensure Protection of Backups
        Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
   10.5 Ensure Backups Have At least One Non-Continuously Addressable Destination
        Ensure that all backups have at least one backup destination that is not continuously addressable through operating system calls.

11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
   Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

   11.1 Maintain Standard Security Configurations for Network Devices
        Maintain standard, documented security configuration standards for all authorized network devices.
   11.2 Document Traffic Configuration Rules
        All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need.
   11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
        Compare all network device configuration against approved security configurations defined for each network device in use and alert when any deviations are discovered.
   11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
        Install the latest stable version of any security-related updates on all network devices.
   11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
        Manage all network devices using multi-factor authentication and encrypted sessions.
   11.6 Use Dedicated Machines For All Network Administrative Tasks
        Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading e-mail, composing documents, or surfing the Internet.
   11.7 Manage Network Infrastructure Through a Dedicated Network
        Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.

12 Boundary Defense
   Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.

   12.1  Maintain an Inventory of Network Boundaries
   12.2  Scan for Unauthorized Connections across Trusted Network Boundaries
   12.3  Deny Communications with Known Malicious IP Addresses
   12.4  Deny Communication over Unauthorized Ports
   12.5  Configure Monitoring Systems to Record Network Packets
   12.6  Deploy Network-Based IDS Sensors
   12.7  Deploy Network-Based Intrusion Prevention Systems
   12.8  Deploy NetFlow Collection on Networking Boundary Devices
   12.9  Deploy Application Layer Filtering Proxy Server
   12.10 Decrypt Network Traffic at Proxy
   12.11 Require All Remote Login to Use Multi-Factor Authentication
   12.12 Manage All Devices Remotely Logging into Internal Network

13 Data Protection
   The processes and tools used to prevent data exfiltration, mitigate the effe
   and integrity of sensitive information.

   13.1 Maintain an Inventory of Sensitive Information
   13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
   13.3 Monitor and Block Unauthorized Network Traffic
   13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
   13.5 Monitor and Detect Any Unauthorized Use of Encryption
   13.6 Encrypt the Hard Drive of All Mobile Devices.
   13.7 Manage USB Devices
   13.8 Manage System's External Removable Media's Read/Write Configurations
   13.9 Encrypt Data on USB Storage Devices

14 Controlled Access Based on the Need to Know
   The processes and tools used to track/control/prevent/correct secure acce
   resources, systems) according to the formal determination of which perso
   and right to access these critical assets based on an approved classificati

   14.1 Segment the Network Based on Sensitivity
   14.2 Enable Firewall Filtering Between VLANs
   14.3 Disable Workstation to Workstation Communication
   14.4 Encrypt All Sensitive Information in Transit
   14.5 Utilize an Active Discovery Tool to Identify Sensitive Data
   14.6 Protect Information through Access Control Lists
   14.7 Enforce Access Control to Data through Automated Tools
   14.8 Encrypt Sensitive Information at Rest
   14.9 Enforce Detail Logging for Access or Changes to Sensitive Data

15 Wireless Access Control
   The processes and tools used to track/control/prevent/correct the security
   access points, and wireless client systems.

   15.1  Maintain an Inventory of Authorized Wireless Access Points
   15.2  Detect Wireless Access Points Connected to the Wired Network
   15.3  Use a Wireless Intrusion Detection System
   15.4  Disable Wireless Access on Devices if Not Required
   15.5  Limit Wireless Access on Client Devices
   15.6  Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
   15.7  Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
   15.8  Use Wireless Authentication Protocols that Require Mutual, Multi-Factor Authentication
   15.9  Disable Wireless Peripheral Access of Devices
   15.10 Create Separate Wireless Network for Personal and Untrusted Devices

16 Account Monitoring and Control
   Actively manage the life cycle of system and application accounts - their c
   minimize opportunities for attackers to leverage them.

   16.1  Maintain an Inventory of Authentication Systems
   16.2  Configure Centralized Point of Authentication
   16.3  Require Multi-Factor Authentication
   16.4  Encrypt or Hash all Authentication Credentials
   16.5  Encrypt Transmittal of Username and Authentication Credentials
   16.6  Maintain an Inventory of Accounts
   16.7  Establish Process for Revoking Access
   16.8  Disable Any Unassociated Accounts
   16.9  Disable Dormant Accounts
   16.10 Ensure All Accounts Have An Expiration Date
   16.11 Lock Workstation Sessions After Inactivity
   16.12 Monitor Attempts to Access Deactivated Accounts
   16.13 Alert on Account Login Behavior Deviation

17 Implement a Security Awareness and Training Program
   For all functional roles in the organization (prioritizing those mission-critic
   specific knowledge, skills and abilities needed to support defense of the e
   plan to assess, identify gaps, and remediate through policy, organizationa

   17.1 Perform a Skills Gap Analysis
   17.2 Deliver Training to Fill the Skills Gap
   17.3 Implement a Security Awareness Program
   17.4 Update Awareness Content Frequently
   17.5 Train Workforce on Secure Authentication
   17.6 Train Workforce on Identifying Social Engineering Attacks
   17.7 Train Workforce on Sensitive Data Handling
   17.8 Train Workforce on Causes of Unintentional Data Exposure
   17.9 Train Workforce Members on Identifying and Reporting Incidents

18 Application Software Security
   Manage the security life cycle of all in-house developed and acquired softw
   security weaknesses.

   18.1  Establish Secure Coding Practices
   18.2  Ensure Explicit Error Checking is Performed for All In-House Developed Software
   18.3  Verify That Acquired Software is Still Supported
   18.4  Only Use Up-to-Date And Trusted Third-Party Components
   18.5  Use Only Standardized and Extensively Reviewed Encryption Algorithms
   18.6  Ensure Software Development Personnel are Trained in Secure Coding
   18.7  Apply Static and Dynamic Code Analysis Tools
   18.8  Establish a Process to Accept and Address Reports of Software Vulnerabilities
   18.9  Separate Production and Non-Production Systems
   18.10 Deploy Web Application Firewalls (WAFs)
   18.11 Use Standard Hardening Configuration Templates for Databases

19 Incident Response and Management
   Protect the organization's information, as well as its reputation, by develop
   infrastructure (e.g., plans, defined roles, training, communications, manag
   attack and then effectively containing the damage, eradicating the attacker
   network and systems.

   19.1 Document Incident Response Procedures
   19.2 Assign Job Titles and Duties for Incident Response
   19.3 Designate Management Personnel to Support Incident Handling
   19.4 Devise Organization-wide Standards for Reporting Incidents
   19.5 Maintain Contact Information For Reporting Security Incidents
   19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
   19.7 Conduct Periodic Incident Scenario Sessions for Personnel
   19.8 Create Incident Scoring and Prioritization Schema

20 Penetration Tests and Red Team Exercises
   Test the overall strength of an organization's defense (the technology, the
   objectives and actions of an attacker.

   20.1 Establish a Penetration Testing Program
   20.2 Conduct Regular External and Internal Penetration Tests
   20.3 Perform Periodic Red Team Exercises
   20.4 Include Tests for Presence of Unprotected System Information and Artifacts
   20.5 Create Test Bed for Elements Not Typically Tested in Production
   20.6 Use Vulnerability Scanning and Penetration Testing Tools in Concert
   20.7 Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards
   20.8 Control and Monitor Accounts Associated with Penetration Testing

Maintain an up-to-date inventory of all of the organization's network boundaries.

Perform regular scans from outside each trusted network boundary to detect any unauthorized
connections which are accessible across the boundary.

Deny communications with known malicious or unused Internet IP addresses and limit access
only to trusted and necessary IP address ranges at each of the organization's network
boundaries.
Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that
only authorized protocols are allowed to cross the network boundary in or out of the network at
each of the organization's network boundaries.
Configure monitoring systems to record network packets passing through the boundary at each
of the organization's network boundaries.
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack
mechanisms and detect compromise of these systems at each of the organization's network
boundaries.

Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at
each of the organization's network boundaries.

Enable the collection of NetFlow and logging data on all network boundary devices.

Ensure that all network traffic to or from the Internet passes through an authenticated
application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content.
However, the organization may use whitelists of allowed sites that can be accessed through
the proxy without decrypting the traffic.

Require all remote login access to the organization's network to encrypt data in transit and use
multi-factor authentication.

Scan all enterprise devices remotely logging into the organization's network prior to accessing
the network to ensure that each of the organization's security policies has been enforced in the
same manner as local network devices.

ls used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy
ve information.

Maintain an inventory of all sensitive information stored, processed, or transmitted by the
organization's technology systems, including those located on-site or at a remote service
provider.
Remove sensitive data or systems not regularly accessed by the organization from the
network. These systems shall only be used as stand-alone systems (disconnected from the
network) by the business unit needing to occasionally use the system, or completely virtualized
and powered off until needed.

Deploy an automated tool on network perimeters that monitors for unauthorized transfer of
sensitive information and blocks such transfers while alerting information security
professionals.

Only allow access to authorized cloud storage or email providers.

Monitor all traffic leaving the organization and detect any unauthorized use of encryption.

Utilize approved whole disk encryption software to encrypt the hard drive of all mobile devices.
If USB storage devices are required, enterprise software should be used that can configure
systems to allow the use of specific devices. An inventory of such devices should be
maintained.

Configure systems not to write data to external removable media, if there is no business need
for supporting such devices.

If USB storage devices are required, all data stored on such devices must be encrypted while
at rest.

ed on the Need to Know

ls used to track/control/prevent/correct secure access to critical assets (e.g., information,


cording to the formal determination of which persons, computers, and applications have a need
se critical assets based on an approved classification.

Segment the network based on the label or classification level of the information stored on the
servers; locate all sensitive information on separated Virtual Local Area Networks (VLANs).

Enable firewall filtering between VLANs to ensure that only authorized systems are able to
communicate with other systems necessary to fulfill their specific responsibilities.

Disable all workstation-to-workstation communication to limit an attacker's ability to move
laterally and compromise neighboring systems, through technologies such as Private VLANs or
micro-segmentation.

Encrypt all sensitive information in transit.

Utilize an active discovery tool to identify all sensitive information stored, processed, or
transmitted by the organization's technology systems, including those located on-site or at a
remote service provider, and update the organization's sensitive information inventory.
Protect all information stored on systems with file system, network share, claims, application,
or database specific access control lists. These controls will enforce the principle that only
authorized individuals should have access to the information based on their need to access the
information as a part of their responsibilities.
Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls
to data even when data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary authentication
mechanism not integrated into the operating system, in order to access the information.

Enforce detailed audit logging for access to sensitive data or changes to sensitive data
(utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring).
ls used to track/control/prevent/correct the security use of wireless local area networks (WLANs),
eless client systems.

Maintain an inventory of authorized wireless access points connected to the wired network.

Configure network vulnerability scanning tools to detect and alert on unauthorized wireless
access points connected to the wired network.
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless
access points connected to the network.

Disable wireless access on devices that do not have a business purpose for wireless access.

Configure wireless access on client machines that do have an essential wireless business
purpose, to allow access only to authorized wireless networks and to restrict access to other
wireless networks.

Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.

Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.

Ensure that wireless networks use authentication protocols such as Extensible Authentication
Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor
authentication.

Disable wireless peripheral access of devices (such as Bluetooth and NFC), unless such
access is required for a business purpose.

Create a separate wireless network for personal or untrusted devices. Enterprise access from
this network should be treated as untrusted and filtered and audited accordingly.

d Control

e cycle of system and application accounts - their creation, use, dormancy, deletion - in order to
for attackers to leverage them.

Maintain an inventory of each of the organization's authentication systems, including those
located on-site or at a remote service provider.
Configure access for all accounts through as few centralized points of authentication as
possible, including network, security, and cloud systems.
Require multi-factor authentication for all user accounts, on all systems, whether managed on-
site or by a third-party provider.

Encrypt or hash with a salt all authentication credentials when stored.

Ensure that all account usernames and authentication credentials are transmitted across
networks using encrypted channels.
Maintain an inventory of all accounts organized by authentication system.

Establish and follow an automated process for revoking system access by disabling accounts
immediately upon termination or change of responsibilities of an employee or contractor.
Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.

Disable any account that cannot be associated with a business process or business owner.

Automatically disable dormant accounts after a set period of inactivity.

Ensure that all accounts have an expiration date that is monitored and enforced.

Automatically lock workstation sessions after a standard period of inactivity.

Monitor attempts to access deactivated accounts through audit logging.

Alert when users deviate from normal login behavior, such as time-of-day, workstation location
and duration.

wareness and Training Program

in the organization (prioritizing those mission-critical to the business and its security), identify the
lls and abilities needed to support defense of the enterprise; develop and execute an integrated
gaps, and remediate through policy, organizational planning, training, and awareness programs.

Perform a skills gap analysis to understand the skills and behaviors workforce members are
not adhering to, using this information to build a baseline education roadmap.

Deliver training to address the skills gap identified to positively impact workforce members'
security behavior.

Create a security awareness program for all workforce members to complete on a regular
basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure
the security of the organization. The organization's security awareness program should be
communicated in a continuous and engaging manner.
Create a security awareness program for all workforce members to complete on a regular
basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure
the security of the organization. The organization's security awareness program should be
communicated in a continuous and engaging manner.

Ensure that the organization's security awareness program is updated frequently (at least
annually) to address new technologies, threats, standards and business requirements.

Train workforce members on the importance of enabling and utilizing secure authentication.
Train the workforce on how to identify different forms of social engineering attacks, such as
phishing, phone scams and impersonation calls.
Train workforce on how to identify and properly store, transfer, archive and destroy sensitive
information.
Train workforce members to be aware of causes for unintentional data exposures, such as
losing their mobile devices or emailing the wrong person due to autocomplete in email.

Train employees to be able to identify the most common indicators of an incident and be able
to report such an incident.

ecurity

e cycle of all in-house developed and acquired software in order to prevent, detect, and correct

Establish secure coding practices appropriate to the programming language and development
environment being used.

For in-house developed software, ensure that explicit error checking is performed and
documented for all input, including for size, data type, and acceptable ranges or formats.

Verify that the version of all software acquired from outside your organization is still supported
by the developer or appropriately hardened based on developer security recommendations.

Only use up-to-date and trusted third-party components for the software developed by the
organization.

Use only standardized and extensively reviewed encryption algorithms.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities.

Apply static and dynamic analysis tools to verify that secure coding practices are being
adhered to for internally developed software.

Establish a process to accept and address reports of software vulnerabilities, including
providing a means for external entities to contact your security group.
Maintain separate environments for production and non-production systems. Developers
should not have unmonitored access to production environments.
Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic
flowing to the web application for common web application attacks. For applications that are
not web-based, specific application firewalls should be deployed if such tools are available for
the given application type. If the traffic is encrypted, the device should either sit behind the
encryption or be capable of decrypting the traffic prior to analysis. If neither option is
appropriate, a host-based web application firewall should be deployed.

For applications that rely on a database, use standard hardening configuration templates. All
systems that are part of critical business processes should also be tested.

Management

n's information, as well as its reputation, by developing and implementing an incident response
ns, defined roles, training, communications, management oversight) for quickly discovering an
vely containing the damage, eradicating the attacker's presence, and restoring the integrity of the

Ensure that there are written incident response plans that define roles of personnel as well as
phases of incident handling/management.

Assign job titles and duties for handling computer and network incidents to specific individuals
and ensure tracking and documentation throughout the incident through resolution.

Designate management personnel, as well as backups, who will support the incident handling
process by acting in key decision-making roles.

Devise organization-wide standards for the time required for system administrators and other
workforce members to report anomalous events to the incident handling team, the mechanisms
for such reporting, and the kind of information that should be included in the incident
notification.
Assemble and maintain information on third-party contact information to be used to report a
security incident, such as Law Enforcement, relevant government departments, vendors, and
ISAC partners.

Publish information for all workforce members, regarding reporting computer anomalies and
incidents to the incident handling team. Such information should be included in routine
employee awareness activities.
Plan and conduct routine incident response exercises and scenarios for the workforce involved
in the incident response to maintain awareness and comfort in responding to real-world threats.
Exercises should test communication channels, decision making, and incident responders'
technical capabilities using tools and data available to them.

Create incident scoring and prioritization schema based on known or potential impact to your
organization. Utilize score to define frequency of status updates and escalation procedures.

Red Team Exercises

h of an organization's defense (the technology, the processes, and the people) by simulating the
of an attacker.

Establish a program for penetration tests that includes a full scope of blended attacks, such as
wireless, client-based, and web application attacks.
Conduct regular external and internal penetration tests to identify vulnerabilities and attack
vectors that can be used to exploit enterprise systems successfully.
Perform periodic Red Team exercises to test organizational readiness to identify and stop
attacks or to respond quickly and effectively.
Include tests for the presence of unprotected system information and artifacts that would be
useful to attackers, including network diagrams, configuration files, older penetration test
reports, e-mails or documents containing passwords or other information critical to system
operation.
Create a test bed that mimics a production environment for specific penetration tests and Red
Team attacks against elements that are not typically tested in production, such as attacks
against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability
scanning assessments should be used as a starting point to guide and focus penetration
testing efforts.

Wherever possible, ensure that Red Team results are documented using open, machine-
readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red
Team exercises so that results can be compared over time.

Any user or system accounts used to perform penetration testing should be controlled and
monitored to make sure they are only being used for legitimate purposes, and are removed or
restored to normal function after testing is over.
Relationship    NIST Control Num    Control Name

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring

large subset CM-8 Information System Component Inventory

large subset CM-8 Information System Component Inventory

large superset IA-4 Identifier Management

small subset

small subset

small subset

small subset
large subset CM-8 Information System Component Inventory

large subset CM-11 User-Installed Software

large superset IA-4 Identifier Management

small subset CM-11 User-Installed Software

large subset RA-5 Vulnerability Scanning


small subset RA-5 Vulnerability Scanning

small subset IA-5 Authenticator Management

small superset IA-5 (1) Authenticator Management

small superset IA-2 (1) Identification and Authentication (Organizational Users)

small subset AU-3 Content of Audit Records

small subset AU-3 Content of Audit Records

small subset AU-2 Audit Events


small subset CM-1 Configuration Management Policy and Procedures

small subset CM-2 Baseline Configurations

small subset CM-6 Configuration Settings

small subset CM-7 Least Functionality

small subset IA-5 Authenticator Management

small subset IA-6 Authenticator Feedback

small subset SC-20 Secure Name / Address Resolution Service (Authoritative Source)

small subset SC-21 Secure Name / Address Resolution Service (Recursive or Caching Resolver)


small subset CM-6 Configuration Settings

small subset AU-8 Time Stamps

small subset AU-3 Content of Audit Records

large superset AU-12 Audit Generation

large superset AU-12 Audit Generation

equal AU-4 Audit Storage Capacity

Audit Review, Analysis, and Reporting


large subset SI-3 Malicious Code Protection

small superset SI-3 Malicious Code Protection

large superset SC-39 Process Isolation

large superset SI-16 Memory Protection


small superset SI-3 Malicious Code Protection

small subset AU-3 Content of Audit Records

small subset SI-5 Security Alerts, Advisories, and Directives

small subset AU-3 Content of Audit Records

small subset SI-4 Information System Monitoring

small subset AU-3 Content of Audit Records

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring


small superset CP-9 Information System Backup

large subset CP-9 Information System Backup

large subset CA-3 System Interconnections

small subset CA-9 Internal System Connections


large subset CA-3 System Interconnections

small subset SI-4 Information System Monitoring

large subset SC-7 Boundary Protection

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring

small subset SI-4 Information System Monitoring


large subset AC-17 Remote Access

large subset SC-7 Boundary Protection

large subset CA-7 Continuous Monitoring

small subset AC-20 Use of External Information Systems

large subset SA-9 External Information System Services

large subset CA-7 Continuous Monitoring

small subset SI-4 Information System Monitoring


small subset MP-2 Media Access

small subset MP-7 Media Use

small subset SI-4 Information System Monitoring

small subset CA-9 Internal System Connections

small subset AC-3 Access Enforcement

small subset AU-3 Content of Audit Records


small subset CM-10 Software Usage Restrictions

large superset AC-18 Wireless Access


large subset IA-5 Authenticator Management

small subset IA-5 (1) Authenticator Management

large subset IA-5 Authenticator Management

large superset IA-4 Identifier Management

small subset AC-2 Account Management

large subset AT-1 Security Awareness and Training Policy


large subset AT-2 Security Awareness Training

small superset IR-2 Incident Response Training


large subset IR-1 Incident Response Policy and Procedures

large subset IR-8 Incident Response Plan

large subset IR-1 Incident Response Policy and Procedures

equal IR-8 Incident Response Plan

large superset IR-6 Incident Reporting

small superset IR-8 Incident Response Plan

large superset IR-6 Incident Reporting

large subset SI-5 Security Alerts, Advisories, and Directives


small superset IR-8 Incident Response Plan
NIST Control Description

b. Identifies unauthorized use of the information system through [Assignment:
organization-defined techniques and methods]

b. Identifies unauthorized use of the information system through [Assignment:
organization-defined techniques and methods]

b. Identifies unauthorized use of the information system through [Assignment:
organization-defined techniques and methods]

Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve
effective information system component accountability]; and

b. Reviews and updates the information system component inventory [Assignment:
organization-defined frequency]

b. Selecting an identifier that identifies an individual, group, role, or device
c. Assigning the identifier to the intended individual, group, role, or device

b. Reviews and updates the information system component inventory [Assignment:
organization-defined frequency]

a. Establishes [Assignment: organization-defined policies] governing the installation of
software by users
b. Enforces software installation policies through [Assignment: organization-defined methods]

b. Selecting an identifier that identifies an individual, group, role, or device
c. Assigning the identifier to the intended individual, group, role, or device

b. Enforces software installation policies through [Assignment: organization-defined methods]
c. Monitors policy compliance at [Assignment: organization-defined frequency]

b. Employs vulnerability scanning tools and techniques that facilitate interoperability among
tools and automate parts of the vulnerability management process by using standards
d. Remediates legitimate vulnerabilities [Assignment: organization-defined response times] in
accordance with an organizational assessment of risk

e. Changing default content of authenticators prior to information system installation

(e) Prohibits password reuse for [Assignment: organization-defined number] generations


The information system implements multifactor authentication for network access to privileged
accounts

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event

a. Determines that the information system is capable of auditing the following events
[Assignment: organization-defined auditable events]
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. A configuration management policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance and
2. Procedures to facilitate the implementation of the configuration management policy and
associated configuration management controls

The organization develops, documents, and maintains under configuration control, a current
baseline configuration of the information system
a. Establishes and documents configuration settings for information technology products
employed within the information system using [Assignment: organization-defined security
configuration checklists] that reflect the most restrictive mode consistent with operational
requirements
b. Implements the configuration settings
a. Configures the information system to provide only essential capabilities and
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services:
[Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or
services]
e. Changing default content of authenticators prior to information system installation
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for
authenticators

The information system obscures feedback of authentication information during the authentication
process to protect the information from possible exploitation/use by unauthorized individuals.

a. Provides additional data origin authentication and integrity verification artifacts along with
the authoritative name resolution data the system returns in response to external
name/address resolution queries and
b. Provides the means to indicate the security status of child zones and (if the child supports
secure resolution services) to enable verification of a chain of trust among parent and child
domains, when operating as part of a distributed, hierarchical namespace

The information system requests and performs data origin authentication and data integrity
verification on the name/address resolution responses the system receives from authoritative
sources.
Identifies, documents, and approves any deviations from established configuration settings for
[Assignment: organization-defined information system components] based on [Assignment:
organization-defined operational requirements] and
d. Monitors and controls changes to the configuration settings in accordance with
organizational policies and procedures.

a. Uses internal system clocks to generate time stamps for audit records

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event.

a. Provides audit record generation capability for the auditable events defined in AU-2 a. at
[Assignment: organization-defined information system components] b. Allows [Assignment:
organization-defined personnel or roles] to select which auditable events are to be audited by
specific components of the information system
a. Provides audit record generation capability for the auditable events defined in AU-2 a. at
[Assignment: organization-defined information system components] b. Allows [Assignment:
organization-defined personnel or roles] to select which auditable events are to be audited by
specific components of the information system
The organization allocates audit record storage capacity in accordance with [Assignment:
organization-defined audit record storage requirements].

a. Reviews and analyzes information system audit records [Assignment: organization-defined
frequency] for indications of [Assignment: organization-defined inappropriate or unusual
activity]
a. Employs malicious code protection mechanisms at information system entry and exit points
to detect and eradicate malicious code

Updates malicious code protection mechanisms whenever new releases are available in
accordance with organizational configuration management policy and procedures

The information system maintains a separate execution domain for each executing process.
The information system implements [Assignment: organization-defined security safeguards] to
protect its memory from unauthorized code execution.
c. Configures malicious code protection mechanisms to:
1. Perform periodic scans of the information system [Assignment: organization-defined
frequency] and real-time scans of files from external sources at [Selection (one or more)
endpoint network entry/exit points] as the files are downloaded, opened, or executed in
accordance with organizational security policy

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event.

b. Generates internal security alerts, advisories, and directives as deemed necessary
c. Disseminates security alerts, advisories, and directives to: [Selection (one or more):
[Assignment: organization-defined personnel or roles] [Assignment: organization-defined
elements within the organization] [Assignment: organization-defined external organizations]]

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event.

b. Identifies unauthorized use of the information system through [Assignment:
organization-defined techniques and methods]

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event.

Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]

a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]
a. Conducts backups of user-level information contained in the information system [Assignment: organization-defined frequency consistent with recovery time and recovery point objectives]
b. Conducts backups of system-level information contained in the information system
[Assignment: organization-defined frequency consistent with recovery time and recovery point
objectives]

d. Protects the confidentiality, integrity, and availability of backup information at storage locations.

b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated

b. Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated
b. Documents, for each interconnection, the interface characteristics, security requirements,
and the nature of the information communicated

a. Monitors the information system to detect: 2. Unauthorized local, network, and remote connections

a. Monitors and controls communications at the external boundary of the system and at key
internal boundaries within the system

c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential information and
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential
information and
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential
information and
c. Deploys monitoring devices:
1. Strategically within the information system to collect organization-determined essential
information and
a. Establishes and documents usage restrictions, configuration/connection requirements, and
implementation guidance for each type of remote access allowed
a. Monitors and controls communications at the external boundary of the system and at key
internal boundaries within the system

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
e. Correlation and analysis of security-related information generated by assessments and monitoring
f. Response actions to address results of the analysis of security-related information

The organization establishes terms and conditions, consistent with any trust relationships
established with other organizations owning, operating, and/or maintaining external
information systems, allowing authorized individuals to:
a. Access the information system from external information systems and
b. Process, store, or transmit organization-controlled information using external information
systems.

c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.

The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
e. Correlation and analysis of security-related information generated by assessments and monitoring
f. Response actions to address results of the analysis of security-related information

b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]
The organization restricts access to [Assignment: organization-defined types of digital and/or
non-digital media] to [Assignment: organization-defined personnel or roles].

The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].

b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods]
b. Documents, for each internal connection, the interface characteristics, security
requirements, and the nature of the information communicated.

The information system enforces approved authorizations for logical access to information and
system resources in accordance with applicable access control policies.

The information system generates audit records containing information that establishes what
type of event occurred, when the event occurred, where the event occurred, the source of the
event, the outcome of the event, and the identity of any individuals or subjects associated with
the event.
c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this
capability is not used for the unauthorized distribution, display, performance, or reproduction of
copyrighted work.

b. Authorizes wireless access to the information system prior to allowing such connections.
h. Protecting authenticator content from unauthorized disclosure and modification

(c) Stores and transmits only cryptographically-protected passwords

h. Protecting authenticator content from unauthorized disclosure and modification


b. Selecting an identifier that identifies an individual, group, role, or device
c. Assigning the identifier to the intended individual, group, role, or device

f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]

a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance
The organization provides basic security awareness training to information system users
(including managers, senior executives, and contractors)

The organization provides incident response training to information system users consistent
with assigned roles and responsibilities:
a. Within [Assignment: organization-defined time period] of assuming an incident response
role or responsibility
Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance and

a. Develops an incident response plan that: 1. Provides the organization with a roadmap for
implementing its incident response capability
Develops, documents, and disseminates to [Assignment: organization-defined personnel or
roles]:
1. An incident response policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance

a. Develops an incident response plan that: 7. Defines the resources and management support needed to effectively maintain and mature an incident response capability

The organization:
a. Requires personnel to report suspected security incidents to the organizational incident
response capability within [Assignment: organization-defined time period]
a. Develops an incident response plan that: 5. Defines reportable incidents
The organization:
a. Requires personnel to report suspected security incidents to the organizational incident
response capability within [Assignment: organization-defined time period]

c. Disseminates security alerts, advisories, and directives to: [Selection (one or more):
[Assignment: organization-defined personnel or roles] [Assignment: organization-defined
elements within the organization] [Assignment: organization-defined external organizations]]
a. Develops an incident response plan that: 6. Provides metrics for measuring the incident response capability within the organization
