CIS Controls v8 Change Log

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org
Editor
Valecia Stocchetti
Contributors
Ginger Anderson
License for Use
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivatives 4.0 International Public
(the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode)
To further clarify the Creative Commons license related to the CIS Controls® content, you are authorized to copy an
redistribute the content as a framework for use by you, within your organization and outside of your organization for
commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided
Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Us
CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS C
order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subje
prior approval of CIS® (Center for Internet Security, Inc.).
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
Legend
Reordered in the Same CIS Control
Reordered in a Different CIS Control
New
Content Merged
IGs Expanded
IGs Reduced
IGs Remain Same
Worksheet Details
v8 > v7.1 - Unabridged
v8 > v7.1 - Abridged
v7.1 > v8
Legend
Indicates that a Safeguard has been moved within the same CIS Control. Note that this does not include major shifts
ordering of CIS Controls. For example, if the CIS Control 'Malware Defenses' moved to CIS Control 10 from CIS Con
v8, but all the CIS Safeguards are still within that same CIS Control, then they would just be marked as ‘Reordered i
CSC’.
Indicates that a CIS Safeguard has been moved to a different CIS Control. For example, if a CIS Safeguard in v7.1 w
previously in CIS Control 1, but has since been moved to CIS Control 11 in v8, then this column would be selected.
Indicates CIS Safeguards that are new to v8.

Content from a v7.1 CIS Safeguard has been merged with another CIS Safeguard in v8.
Indicates that IGs were expanded from v7.1. For example, an IG2 & IG3 in v7.1 is now an IG1 & IG2 & IG3 in v8.
Indicates that IGs were decreased from v7.1. For example, an IG2 & IG3 in v7.1 is now just an IG3 in v8.
Indicates that there have been no changes in IG from v7.1 to v8.
Worksheet Details
Full v8 to v7.1 with full filtering capabilities for items in the Legend
Similar to 'v8 > v7.1 - Unabridged', but with less detail and filtering capabilities for v7.1 mapping of CIS Safeguards
Same content as 'v8 > v7.1 - Unabridged' sheet, just put in order of v7.1 CIS Safeguards
CIS Controls v6
Control #1: Inventory of Authorized and Unauthorized Devices
Control #2: Inventory of Authorized and Unauthorized Software
Control #3: Secure Configurations for Hardware and Software
Control #4: Continuous Vulnerability Assessment and Remediation
Control #5: Controlled Use of Administrative Privileges
Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Control #7: Email and Web Browser Protections
Control #8: Malware Defenses
Control #9: Limitation and Control of Network Ports

Control #10: Data Recovery Capability
Control #11: Secure Configurations for Network Devices
Control #12: Boundary Defense
Control #13: Data Protection

Control #14: Controlled Access Based on the Need to Know
Control #15: Wireless Access Control
Control #16: Account Monitoring and Control
Control #17: Security Skills Assessment and Appropriate Training to Fill Gaps
Control #18: Application Software Security
Control #19: Incident Response and Management
Control #20: Penetration Tests and Red Team Exercises
CIS Controls v7, v7.1
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privileges

Control 5: Secure Configuration for Hardware and Software on Mobile
Devices, Laptops, Workstations and Servers
Control 6: Maintenance, Monitoring and Analysis of Audit Logs
Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls,
Routers and Switches
Control 12: Boundary Defense
Control 13: Data Protection

Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control
Control 17: Implement a Security Awareness and Training Program

Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Penetration Tests and Red Team Exercises
CIS Controls v8
Control 1: Inventory and Control of Enterprise Assets
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 8: Audit Log Management
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training

Control 15: Service Provider Management
Control 17: Incident Response Management
Control 18: Penetration Testing

Main CIS Controls v7.1 Mapping
Control 1: Inventory and Control of Hardware Assets
Control 13: Data Protection,

Control 14: Controlled Access Based on the Need to Know
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops,
Workstations and Servers,
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 16: Account Monitoring and Control,

Control 16: Account Monitoring and Control,

Control 6: Maintenance, Monitoring and Analysis of Audit Logs
Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Control 17: Implement a Security Awareness and Training Program

NEW!
Control 19: Incident Response and Management

Also Includes v7.1 Safeguards from:
Control 9: Limitation and Control of Network Ports, Protocols, and Services, Control 15:
Wireless Access Control
Control 4: Controlled Use of Administrative Privileges,
Control 7: Email and Web Browser Protections,
Control 2: Inventory and Control of Software Assets,
Control 15: Wireless Access Control,

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and
Switches,
Control 12: Boundary Defense,
Control 14: Controlled Access Based on the Need to Know,
Control 15: Wireless Access Control,
Control 3: Continuous Vulnerability Management,

Control 9: Limitation and Control of Network Ports, Protocols, and Services,

Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers and
Switches,

Control 7: Email and Web Browser Protections,
Control 8: Malware Defenses,


Control 1: Inventory and Control of Hardware Assets,

Control 6: Maintenance, Monitoring and Analysis of Audit Logs,
Control 9: Limitation and Control of Network Ports, Protocols, and Services,
Control 14: Controlled Access Based on the Need to Know,
NEW!

CIS Control CIS Safeguard Asset Type Security Function
1 1
1 1.1 Devices Identify
1 1.2 Devices Respond
1 1.3 Devices Detect

2 2
2 2.1 Applications Identify
2 2.3 Applications Respond
2 2.4 Applications Detect
2 2.5 Applications Protect
3 3
3 3.1 Data Identify
3 3.2 Data Identify
3 3.3 Data Protect
3 3.4 Data Protect
3 3.5 Data Protect
3 3.5 Data Protect
3 3.6 Devices Protect

3 3.7 Data Identify
3 3.8 Data Identify
3 3.9 Data Protect

3 3.9 Data Protect
3 3.10 Data Protect
3 3.10 Data Protect
3 3.10 Data Protect
3 3.11 Data Protect
3 3.11 Data Protect
3 3.12 Network Protect
3 3.13 Data Protect
3 3.13 Data Protect
3 3.13 Data Protect
3 3.14 Data Detect
4 4

4 4.3 Users Protect
4 4.7 Users Protect

5 5
5 5.1 Users Identify
5 5.2 Users Protect

5 5.3 Users Respond
5 5.3 Users Respond
5 5.3 Users Respond
5 5.4 Users Protect
5 5.6 Users Protect
6 6
6 6.1 Users Protect
6 6.2 Users Protect
6 6.3 Users Protect
6 6.3 Users Protect
6 6.4 Users Protect
6 6.5 Users Protect
6 6.7 Users Protect
6 6.8 Data Protect

7 7

8 8
8 8.2 Network Detect



8 8.12 Data Detect
9 9


10 10

11 11
11 11.1 Data Recover
11 11.3 Data Protect

12 12
12 12.4 Network Identify

13 13

14 14
14 14.1 N/A Protect
14 14.1 N/A Protect
14 14.2 N/A Protect
14 14.3 N/A Protect

14 14.4 N/A Protect
14 14.5 N/A Protect
14 14.6 N/A Protect
14 14.7 N/A Protect
14 14.8 N/A Protect
14 14.9 N/A Protect
15 15
15 15.1 N/A Identify
15 15.4 N/A Protect
15 15.6 Data Detect
16 16



17 17
17 17.1 N/A Respond
17 17.2 N/A Respond
17 17.3 N/A Respond
17 17.3 N/A Respond
17 17.4 N/A Respond
17 17.5 N/A Respond
17 17.6 N/A Respond
17 17.7 N/A
17 17.8 N/A Recover
17 17.9 N/A Recover
18 18


Title
Inventory and Control of Enterprise

Assets
Establish and Maintain Detailed Enterprise

Asset Inventory

Asset Inventory

Asset Inventory

Asset Inventory
Address Unauthorized Assets
Utilize an Active Discovery Tool
Use Dynamic Host Configuration Protocol

(DHCP) Logging to Update Enterprise
Asset Inventory
Use a Passive Asset Discovery Tool

Inventory and Control of Software
Assets
Establish and Maintain a Software

Inventory

Inventory
Ensure Authorized Software is Currently

Supported
Address Unauthorized Software

Utilize Automated Software Inventory
Tools
Allowlist Authorized Software
Allowlist Authorized Libraries
Allowlist Authorized Scripts
Data Protection
Establish and Maintain a Data
Management Process
Establish and Maintain a Data Inventory
Configure Data Access Control Lists
Enforce Data Retention
Securely Dispose of Data
Encrypt Data on End-User Devices

Classification Scheme
Document Data Flows
Encrypt Data on Removable Media

Encrypt Sensitive Data in Transit
Encrypt Sensitive Data at Rest
Segment Data Processing and Storage

Based on Sensitivity
Deploy a Data Loss Prevention Solution
Log Sensitive Data Access
Secure Configuration of Enterprise

Assets and Software
Establish and Maintain a Secure

Configuration Process



Configuration Process for Network
Infrastructure
Infrastructure
Configure Automatic Session Locking on
Enterprise Assets
Implement and Manage a Firewall on
Servers
Servers
Servers
Servers
Implement and Manage a Firewall on End-
User Devices
User Devices
User Devices
User Devices
Securely Manage Enterprise Assets and

Software
Manage Default Accounts on Enterprise

Assets and Software
Uninstall or Disable Unnecessary Services

on Enterprise Assets and Software




Configure Trusted DNS Servers on

Enterprise Assets
Enforce Automatic Device Lockout on

Portable End-User Devices
Enforce Remote Wipe Capability on

Separate Enterprise Workspaces on

Mobile End-User Devices
Account Management
Establish and Maintain an Inventory of

Accounts

Accounts
Use Unique Passwords

Disable Dormant Accounts
Restrict Administrator Privileges to
Dedicated Administrator Accounts

Service Accounts

Service Accounts

Service Accounts
Centralize Account Management
Access Control Management
Establish an Access Granting Process
Establish an Access Revoking Process
Require MFA for Externally-Exposed

Applications
Applications
Require MFA for Remote Network Access
Require MFA for Administrative Access

Authentication and Authorization Systems
Centralize Access Control
Define and Maintain Role-Based Access
Control
Continuous Vulnerability Management
Establish and Maintain a Vulnerability

Management Process
Establish and Maintain a Remediation
Process
Process
Process
Perform Automated Operating System
Patch Management
Perform Automated Application Patch
Management

Management
Perform Automated Vulnerability Scans of

Internal Enterprise Assets

Externally-Exposed Enterprise Assets


Remediate Detected Vulnerabilities

Audit Log Management
Establish and Maintain an Audit Log
Management Process
Collect Audit Logs
Collect Audit Logs

Ensure Adequate Audit Log Storage
Standardize Time Synchronization
Collect Detailed Audit Logs

Collect DNS Query Audit Logs

Collect URL Request Audit Logs
Collect Command-Line Audit Logs
Centralize Audit Logs
Retain Audit Logs
Conduct Audit Log Reviews
Collect Service Provider Logs
Email and Web Browser Protections

Ensure Use of Only Fully Supported
Browsers and Email Clients
Use DNS Filtering Services
Maintain and Enforce Network-Based URL

Filters

Filters

Filters
Restrict Unnecessary or Unauthorized

Browser and Email Client Extensions
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-
Malware Protections
Malware Protections
Malware Defenses
Deploy and Maintain Anti-Malware
Software
Configure Automatic Anti-Malware
Signature Updates
Disable Autorun and Autoplay for
Removable Media
Scanning of Removable Media
Enable Anti-Exploitation Features
Centrally Manage Anti-Malware Software

Use Behavior-Based Anti-Malware
Software
Data Recovery
Establish and Maintain a Data Recovery

Process
Perform Automated Backups
Protect Recovery Data

Establish and Maintain an Isolated
Instance of Recovery Data
Test Data Recovery
Network Infrastructure Management
Ensure Network Infrastructure is Up-to-

Date
Establish and Maintain a Secure Network

Architecture
Architecture
Securely Manage Network Infrastructure
Establish and Maintain Architecture
Diagram(s)
Centralize Network Authentication,
Authorization, and Auditing (AAA)
Use of Secure Network Management and
Communication Protocols
Ensure Remote Devices Utilize a VPN and
are Connecting to an Enterprise’s AAA
Infrastructure
Establish and Maintain Dedicated
Computing Resources For all
Administrative Work
Administrative Work
Administrative Work
Network Monitoring and Defense
Centralize Security Event Alerting
Deploy a Host-Based Intrusion Detection

Solution
Deploy a Network Intrusion Detection
Solution
Perform Traffic Filtering Between Network
Segments
Manage Access Control for Remote

Assets

Assets
Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion Prevention
Solution
Deploy a Network Intrusion Prevention
Solution
Solution
Deploy Port-Level Access Control

Perform Application Layer Filtering
Tune Security Event Alerting Thresholds
Security Awareness and Skills Training
Establish and Maintain a Security

Awareness Program

Awareness Program
Train Workforce Members to Recognize

Social Engineering Attacks
Train Workforce Members on
Authentication Best Practices
Train Workforce on Data Handling Best
Practices
Train Workforce Members on Causes of

Unintentional Data Exposure
Train Workforce Members on Recognizing

and Reporting Security Incidents
Train Workforce on How to Identify and

Report if Their Enterprise Assets are
Missing Security Updates
Train Workforce on the Dangers of
Connecting to and Transmitting Enterprise
Data Over Insecure Networks
Conduct Role-Specific Security Awareness

and Skills Training
Service Provider Management

Service Providers
Establish and Maintain a Service Provider

Management Policy
Classify Service Providers
Ensure Service Provider Contracts Include

Security Requirements
Assess Service Providers
Monitor Service Providers
Securely Decommission Service Providers
Application Software Security

Application Development Process
Establish and Maintain a Process to
Accept and Address Software
Vulnerabilities
Perform Root Cause Analysis on Security

Vulnerabilities
Establish and Manage an Inventory of

Third-Party Software Components

Use Up-to-Date and Trusted Third-Party

Software Components
Establish and Maintain a Severity Rating

System and Process for Application
Vulnerabilities

Vulnerabilities
Use Standard Hardening Configuration

Templates for Application Infrastructure
Separate Production and Non-Production

Systems
Train Developers in Application Security

Concepts and Secure Coding
Apply Secure Design Principles in

Application Architectures

Leverage Vetted Modules or Services for
Application Security Components

Implement Code-Level Security Checks

Conduct Application Penetration Testing
Conduct Threat Modeling
Incident Response Management
Designate Personnel to Manage Incident

Handling
Establish and Maintain Contact Information

for Reporting Security Incidents
Establish and Maintain an Enterprise

Process for Reporting Incidents

Establish and Maintain an Incident

Response Process
Assign Key Roles and Responsibilities
Define Mechanisms for Communicating

During Incident Response
Conduct Routine Incident Response

Exercises
Conduct Post-Incident Reviews
Establish and Maintain Security Incident

Thresholds
Penetration Testing
Establish and Maintain a Penetration

Testing Program
Perform Periodic External Penetration

Tests

Tests

Tests
Remediate Penetration Test Findings

Validate Security Measures
Perform Periodic Internal Penetration
Tests
Tests
Description
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile;
network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physica
virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be
monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets
remove or remediate.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or proc
data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers.
Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, departm
for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type to
can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s
network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise ass
bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asse
from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to
execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset
inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the
enterprise’s asset inventory at least weekly, or more frequently.
Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so th
only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and
prevented from installation or execution.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must
document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Unifor
Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the
software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If soft
is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls
residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Revie
the software list to verify software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Revie
monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of insta
software.
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed.
Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to
into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequen
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.
frequently.
frequently.
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, dat
retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a
minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access
permissions, to local and remote file systems, databases, and applications.
Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum
timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method ar
commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker ®, Apple
FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,
“Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annu
or when significant enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s da
management process. Review and update documentation annually, or when significant enterprise changes occur that could imp
this Safeguard.
Encrypt data on removable media.
Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell
(OpenSSH).
(OpenSSH).
(OpenSSH).
Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also
known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may includ
application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit
access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets
intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, proce
or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterpri
sensitive data inventory.
Log sensitive data access, including modification and disposal.
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile
network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; n
computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or whe
significant enterprise changes occur that could impact this Safeguard.
Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating sys
the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating sy
firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all tra
except those services and ports that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing configuration through version-
controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell
(SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype
Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor acco
Example implementations can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web
application module, or service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-
controlled DNS servers and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-us
devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, n
more than 10 failed authentication attempts. Example implementations include Microsoft ® InTune Device Lock and Apple®
Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stol
devices, or when an individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations incl
using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator
accounts, as well as service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and
administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequentl
Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password
accounts using MFA and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities
such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review
and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a
minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrat
and service accounts for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or ro
change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts
immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, ma
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a
directory service or SSO provider is a satisfactory implementation of this Safeguard.
Require MFA for remote network access.
Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or thr
a third-party provider.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site
at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Define and maintain role-based access control, through determining and documenting the access rights necessary for each role
within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validat
that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
industry sources for new threat and vulnerability information.
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentat
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent
reviews.
reviews.
reviews.
Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent
basis.
Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both
authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning t
Perform scans on a monthly, or more frequent, basis.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on t
remediation process.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, ad
the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise
assets.
assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestam
source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remo
administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on
weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication and authorization ev
data creation and disposal events, and user management events.
Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to
manipulate human behavior through direct engagement.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of
browsers and email clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapprove
websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists
Enforce filters for all enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, a
add-on applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with
implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise asse
Deploy and maintain anti-malware software on all enterprise assets.
Configure automatic updates for anti-malware signature files on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Preven
(DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and
trusted state.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritiz
and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of
data.
data.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirem
Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup
destinations through offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from
exploiting vulnerable network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software
and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently,
verify software support.
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege
and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code, and the u
secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or
greater).
greater).
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources
end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or ta
requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not
allowed internet access.
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against sec
threats across the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation require
use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant
correlation alerts also satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the us
a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise reso
based on: up-to-date anti-malware software installed; configuration compliance with the enterprise’s secure configuration proce
and ensuring the operating system and applications are up-to-date.
based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration proce
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intru
Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as
certificates, and may incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
Establish and maintain a security awareness program to influence behavior among the workforce to be security consc
and properly skilled to reduce cybersecurity risks to the enterprise.
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterpri
workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum,
annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential
management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes
training workforce members on clear screen and desk best practices, such as locking their screen when they step away from th
enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensiti
data, losing a portable end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and
tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activitie
the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home netwo
infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include secure system administration
courses for IT professionals, (OWASP® Top 10 vulnerability awareness and prevention training for web application developers
advanced social engineering awareness training for high-profile roles.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical
platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classificatio
and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant
enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory,
assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant
Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data
volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications
Ensure service provider contracts include security requirements. Example requirements may include minimum security program
requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal
commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Revie
service provider contracts annually to ensure contracts are not missing security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary ba
on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous
processes. Reassess service providers annually, at a minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic
reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, termination o
data flows, and secure disposal of enterprise data within service provider systems.
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
security weaknesses before they can impact the enterprise.
Establish and maintain a secure application development process. In the process, address such items as: secure application de
standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application
security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that cou
impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for exte
entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process,
responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing.
part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for
identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant ente
changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside
stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evalua
underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual
vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of mate
as well as components slated for future use. This inventory is to include any risks that each third-party component could
pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the compone
still supported.
pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the compone
still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and
libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabil
before use.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in
which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing c
or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ens
the most severe bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure components. This include
underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, an
SaaS components. Do not allow in-house developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific development environme
and responsibilities. Training can include general security principles and application security standard practices. Conduct trainin
least annually and design in a way to promote security within the development team, and build a culture of security among the
developers.
Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and
enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Example
include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and accept
ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off
unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity management, encryption, and auditi
and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood o
design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and
authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensivel
reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding bus
logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to
manually manipulate an application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a
design, before code is created. It is conducted through specially trained individuals who evaluate the application design and ga
security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a
structured way to understand its weaknesses.
Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
roles, training, and communications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management
personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least
person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occu
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include inter
staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and
Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting
timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is
publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a
communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public
relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise
Determine which primary and secondary mechanisms will be used to communicate and report during a security incident.
Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected
during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response proces
prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows
Conduct testing on an annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and
follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event.
Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
(people, processes, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetr
testing program characteristics include scope, such as network, web application, Application Programming Interface (API), host
services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of
contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing
must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires
specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the
techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear bo
opaque box.
opaque box.
v7.1 CIS
IG1 IG2 IG3 v7.1 CIS Safeguard Title
Safeguard
x x x 1.4 Maintain Detailed Asset Inventory
x x x 1.5 Maintain Asset Inventory Information
Maintain an Inventory of Authorized Wireless

x x x 15.1
Access Points
Associate Active Ports, Services, and Protocols

x x x 9.1
to Asset Inventory
x x x 1.6 Address Unauthorized Assets
x x 1.1 Utilize an Active Discovery Tool
x x 1.3 Use DHCP Logging to Update Asset Inventory
x 1.2 Use a Passive Asset Discovery Tool

Detect Wireless Access Points Connected to the
x 15.2
Wired Network
x x x 2.1 Maintain Inventory of Authorized Software
x x x 2.4 Track Software Inventory Information
x x x 2.2 Ensure Software is Supported by Vendor
x x x 2.6 Address Unapproved Software

Only Allow Access to Authorized Cloud Storage
x x x 13.4
or Email Providers
x x 2.3 Utilize Software Inventory Tools
x x 2.7 Utilize Application Whitelisting
x x 2.8 Implement Application Whitelisting of Libraries
x 2.9 Implement Application Whitelisting of Scripts
x 4.7 Limit Access to Scripting Tools
Limit Use of Scripting Languages in Web

x 7.3
x x x New
x x x 13.1 Maintain an Inventory of Sensitive Information

Protect Information Through Access Control
x x x 14.6
Lists
x x x New
x x x New
Remove Sensitive Data or Systems Not
x x x 13.2
Regularly Accessed by Organization
x x x 13.6 Encrypt Mobile Device Data

x x New
x x New
x x 13.7 Manage USB Devices

x x 13.9 Encrypt Data on USB Storage Devices
x x 14.4 Encrypt All Sensitive Information in Transit
Encrypt Transmittal of Username and
x x 16.5
Authentication Credentials
Leverage the Advanced Encryption Standard
x x 15.7
(AES) to Encrypt Wireless Data
x x 14.8 Encrypt Sensitive Information at Rest
x x 16.4 Encrypt or Hash All Authentication Credentials
Physically or Logically Segregate High Risk

x x 2.10
Applications
x x 14.1 Segment the Network Based on Sensitivity
Utilize an Active Discovery Tool to Identify

x 14.5
Sensitive Data
Enforce Access Control to Data Through

x 14.7
Automated Tools
x 13.3 Monitor and Block Unauthorized Network Traffic
Enforce Detail Logging for Access or Changes

x 14.9
to Sensitive Data
x x x 5.1 Establish Secure Configurations
x x x 5.4 Deploy System Configuration Management Tool
Disable workstation-to-workstation
x x x 14.3
communication
Maintain Standard Security Configurations for

x x x 11.1
Network Devices
Use Automated Tools to Verify Standard Device
x x x 11.3
Configurations and Detect Changes
x x x 16.11 Lock Workstation Sessions After Inactivity

Ensure Only Approved Ports, Protocols, and
x x x 9.2
Services Are Running
x x x 9.4 Apply Host-Based Firewalls or Port-Filtering
x x x 12.4 Deny Communication Over Unauthorized Ports
x x x 11.2 Document Traffic Configuration Rules

x x x 9.2
x x x New
x x x 4.2 Change Default Passwords
x x New

x x 9.2
Disable Peer-to-Peer Wireless Network

x x 15.6
Capabilities on Wireless Clients
x x 15.9 Disable Wireless Peripheral Access of Devices
Disable Wireless Access on Devices if Not

x x 15.4
Required
x x New
x x New
x x New
x New
x x x 4.1 Maintain Inventory of Administrative Accounts
x x x 16.6 Maintain an Inventory of Accounts
x x x 4.4 Use Unique Passwords

x x x 16.8 Disable Any Unassociated Accounts
x x x 16.9 Disable Dormant Accounts
x x x 16.10 Ensure All Accounts Have An Expiration Date
Ensure the Use of Dedicated Administrative
x x x 4.3
Accounts
x x New
x x 3.3 Protect Dedicated Assessment Accounts
Control and Monitor Accounts Associated With

x x 20.8
Penetration Testing
x x 16.2 Configure Centralized Point of Authentication
x x x New
x x x 16.7 Establish Process for Revoking Access
x x x New
x x x 16.3 Require Multi-Factor Authentication

Require All Remote Logins to Use Multi-Factor
x x x 12.11
Authentication
Use Multi-Factor Authentication for All
x x x 4.5
Administrative Access
x x 16.1 Maintain an Inventory of Authentication Systems
x x New
x New
x x x New
x x x New
x x x 3.7 Utilize a Risk-Rating Process
x x x 3.6 Compare Back-to-Back Vulnerability Scans

Deploy Automated Operating System Patch
x x x 3.4
Management Tools
Deploy Automated Software Patch Management
x x x 3.5
Tools
Install the Latest Stable Version of Any Security-

x x x 11.4
Related Updates on All Network Devices
x x 3.1 Run Automated Vulnerability Scanning Tools
x x 3.2 Perform Authenticated Vulnerability Scanning
x x 9.3 Perform Regular Automated Port Scans

Scan for Unauthorized Connections Across
x x 12.2
Trusted Network Boundaries

x x 12.2
x x New
x x x New
x x x 6.2 Activate Audit Logging
x x x 8.6 Centralize Anti-Malware Logging

x x x 6.4 Ensure Adequate Storage for Logs
x x 6.1 Utilize Three Synchronized Time Sources
x x 6.3 Enable Detailed Logging

Log and Alert on Changes to Administrative
x x 4.8
Group Membership
Log and Alert on Unsuccessful Administrative

x x 4.9
Account Login
Monitor Attempts to Access Deactivated

x x 16.12
Accounts
x x 8.7 Enable DNS Query Logging
x x 7.6 Log All URL Requests
x x 8.8 Enable Command-Line Audit Logging
x x 6.5 Central Log Management
x x New
x x 6.7 Regularly Review Logs
x New
Ensure Use of Only Fully Supported Browsers

x x x 7.1
and Email Clients
x x x 7.7 Use of DNS Filtering Services
Deny Communications With Known Malicious IP
x x x 12.3
Addresses
x x 7.4 Maintain and Enforce Network-Based URL Filters
x x 7.5 Subscribe to URL Categorization Service

x x 13.4
or Email Providers
Disable Unnecessary or Unauthorized Browser

x x 7.2
or Email Client Plugins
Implement DMARC and Enable Receiver-Side
x x 7.8
Verification
x x 7.9 Block Unnecessary File Types
x New
x 7.10 Sandbox All Email Attachments
x x x New
Ensure Anti-Malware Software and Signatures
x x x 8.2
Are Updated
x x x 8.5 Configure Devices to Not Auto-Run Content
Configure Anti-Malware Scanning of Removable
x x 8.4
Media
Enable Operating System Anti-Exploitation

x x 8.3
Features/ Deploy Anti-Exploit Technologies
x x 8.1 Utilize Centrally Managed Anti-Malware Software
x x New
x x x New
x x x 10.1 Ensure Regular Automated Backups
x x x 10.2 Perform Complete System Backups
x x x 10.4 Protect Backups

Ensure All Backups Have at Least One Offline
x x x 10.5
Backup Destination
x x 10.3 Test Data on Backup Media

x x x 11.4
x x New
Create Separate Wireless Network for Personal
x x 15.10
and Untrusted Devices
Manage Network Devices Using Multi-Factor
x x 11.5
Authentication and Encrypted Sessions
x x 12.1 Maintain an Inventory of Network Boundaries
x x New
x x New
Use Wireless Authentication Protocols That
x x 15.8
Require Mutual, Multi-Factor Authentication
x x New
Use Dedicated Workstations For All

x 4.6
Administrative Tasks
Use Dedicated Workstations for All Network

x 11.6
Manage Network Infrastructure Through a
x 11.7
Dedicated Network
x x 6.6 Deploy SIEM or Log Analytic Tools
x x New
x x 12.6 Deploy Network-Based IDS Sensors
x x 14.2 Enable Firewall Filtering Between VLANs
Manage All Devices Remotely Logging Into

x x 12.12
Internal Network

x x 12.2
Deploy NetFlow Collection on Networking

x x 12.8
Boundary Devices
x New
Deploy Network-Based Intrusion Prevention
x 12.7
Systems
x 15.3 Use a Wireless Intrusion Detection System
x 1.7 Deploy Port Level Access Control

Utilize Client Certificates to Authenticate
x 1.8
Hardware Assets
x 9.5 Implement Application Firewalls
x 12.9 Deploy Application Layer Filtering Proxy Server
x 18.10 Deploy Web Application Firewalls
x 6.8 Regularly Tune SIEM
x x x 17.3 Implement a Security Awareness Program
x x x 17.4 Update Awareness Content Frequently
Train Workforce on Identifying Social

x x x 17.6
Engineering Attacks
x x x 17.5 Train Workforce on Secure Authentication
x x x 17.7 Train Workforce on Sensitive Data Handling
Train Workforce on Causes of Unintentional

x x x 17.8
Data Exposure
Train Workforce Members on Identifying and

x x x 17.9
Reporting Incidents
x x x New
x x x New
x x 17.2 Deliver Training to Fill the Skills Gap
x x x New
x x New
x x New
x x New
x New
x New
x New
x x 18.1 Establish Secure Coding Practices

Establish a Process to Accept and Address
x x 18.8
Reports of Software Vulnerabilities
x x New
x x New
x x 18.3 Verify That Acquired Software Is Still Supported
Only Use Up-to-Date and Trusted Third-Party

x x 18.4
Components
x x New
x x 3.7 Utilize a Risk-Rating Process

x x 18.11
Templates for Databases

x x 18.9
Systems
Ensure Software Development Personnel Are

x x 18.6
Trained in Secure Coding
x x New
Ensure That Explicit Error Checking Is

x x 18.2
Performed for All In-House Developed Software
x x New
Use only Standardized and Extensively

x x 18.5
Reviewed Encryption Algorithms
x New
x 18.7 Apply Static and Dynamic Code Analysis Tools
x New
x New
Designate Management Personnel to Support

x x x 19.3
Incident Handling
Maintain Contact Information For Reporting

x x x 19.5
Security Incidents
Devise Organization-wide Standards For

x x x 19.4
Reporting Incidents
Publish Information Regarding Reporting

x x x 19.6
Computer Anomalies and Incidents
x x 19.1 Document Incident Response Procedures
Assign Job Titles and Duties for Incident

x x 19.2
Response
x x New
Conduct Periodic Incident Scenario Sessions for

x x 19.7
Personnel
x x New
Create Incident Scoring and Prioritization

x 19.8
Schema
x x 20.1 Establish a Penetration Testing Program
Conduct Regular External and Internal

x x 20.2
Penetration Tests
x x 20.3 Perform Periodic Red Team Exercises
Include Tests for Presence of Unprotected

x x 20.4
System Information and Artifacts
x x New
x New
x 20.2
Penetration Tests
x 20.3 Perform Periodic Red Team Exercises
Reordered in Reordered in a IGs Expanded IGs Reduced
New Content Merged
the Same CSC Different CSC from v7.1 from v7.1
x x x
x x x
x x x
x x x
x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x x
x x x
x x
x
x x
x x x
x x
x x
x x x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x x
x
x x x
x x x
x x
x x
x x
x x x
x x
x x
x x x
x
x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x
x
x
x x x
x x x
x x
x
x
x
x
x
x
x
x x
x x x
x x
x x
x x x
x
x
x
x x
x
x x
x x
x x
x
x
x x
x x
x x x
x x
x x x
x x x
x x x
x x
x x
x x x
x x x
x x
x x x
x x
x x x
x
x x
x x x
x
x
x
x
x x
x x
x x
x
x x
x
x x x
x x
x x x
x x
x
x
x x
x x x
x x
x
x
x
x x x
x x
IGs Remain
Same from v7.1
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
3 3.1 Data Identify
3 3.2 Data Identify

3 3.3 Data Protect
3 3.4 Data Protect
3 3.5 Data Identify
3 3.7 Data Identify
3 3.8 Data Identify
3 3.9 Data Protect
3 3.10 Data Protect
3 3.11 Data Protect
3 3.13 Data Protect
3 3.14 Data Detect
4 4.3 Users Protect

4 4.7 Users Protect
5 5.2 Users Protect
5 5.3 Users Respond
5 5.4 Users Protect
5 5.6 Users Protect

6
6 6.1 Users Protect
6 6.2 Users Protect
6 6.3 Users Protect
6 6.4 Users Protect
6 6.5 Users Protect
6 6.7 Users Protect

6 6.8 Data Protect

8


8 8.12 Data Detect


10
11

12

13


14
14 14.1 N/A Protect
14 14.2 N/A Protect
14 14.3 N/A Protect
14 14.4 N/A Protect
14 14.5 N/A Protect

14 14.6 N/A Protect
14 14.7 N/A Protect
14 14.8 N/A Protect
14 14.9 N/A Protect
15
15 15.4 N/A Protect
15 15.6 Data Detect
16

17
17 17.1 N/A Respond
17 17.2 N/A Respond

17 17.3 N/A Respond
17 17.4 N/A Respond
17 17.5 N/A Respond
17 17.6 N/A Respond
17 17.7 N/A Recover
17 17.8 N/A Recover
17 17.9 N/A Recover
18

Title

Assets+E2:E218

Asset Inventory

Asset Inventory

Assets

Inventory

Supported

Tools
Data Protection
Management Process


Document Data Flows


Assets and Software


Infrastructure
Enterprise Assets

Servers

User Devices

Software
Assets and Software


Enterprise Assets



Account Management

Accounts


Service Accounts

Applications

Control

Management Process

Process

Patch Management

Management



Management Process
Collect Audit Logs


Retain Audit Logs


Filters

Implement DMARC
Malware Protections
Malware Defenses
Software
Signature Updates
Removable Media

Software
Data Recovery

Process

Test Data Recovery

Date

Architecture
Diagram(s)


Infrastructure
Computing Resources for All
Administrative Work

Solution
Solution
Segments

Assets
Solution
Solution


Awareness Program


Practices



and Skills Training

Service Providers

Management Policy



Vulnerabilities

Vulnerabilities

Software Components

Vulnerabilities


Systems




Handling


Response Process


Exercises

Thresholds
Penetration Testing

Testing Program

Tests

Tests
Description
software.
frequently.
timelines.
Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple
this Safeguard.
(OpenSSH).
more than 10 failed authentication attempts. Example implementations include Microsoft ® InTune Device Lock and Apple®
The processes and tools used to assign and manage authorization to credentials for user accounts, including
administrator accounts, as well as service accounts, to enterprise assets and software.
The processes and tools used to create, assign, manage, and revoke access credentials and privileges for user,
administrator, and service accounts for enterprise assets and software.
change of a user.
reviews.
basis.
assets.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell ®, BASH™, and remote

trusted state.
data.
greater).
end-user devices.

management.
infrastructure.
stakeholders.
as well as components slated for future use. This inventory is to include any risks that each third-party component could pose.
Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is s
supported.
before use.
developers.
Safeguard.
follow-up action.
opaque box.
IG1 IG2 IG3
x x x
x x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x
x x x
x x x
X x x
x x x
x x x
x x
x x
x
x x x
x x x
x x x
x x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x
x x
x x
x x
x
x x x
x x x
x x x
x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x
x
v7.1 CIS Safeguard
1.4 Maintain Detailed Asset Inventory,

1.5 Maintain Asset Inventory Information,
15.1 Maintain an Inventory of Authorized Wireless Access Points,
9.1 Associate Active Ports, Services, and Protocols to Asset Inventory
1.6 Address Unauthorized Assets
1.1 Utilize an Active Discovery Tool
1.3 Use DHCP Logging to Update Asset Inventory
1.2 Use a Passive Asset Discovery Tool,

15.2 Detect Wireless Access Points Connected to the Wired Network
2.1 Maintain Inventory of Authorized Software,

2.4 Track Software Inventory Information
2.2 Ensure Software is Supported by Vendor
2.6 Address Unapproved Software,

13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
2.3 Utilize Software Inventory Tools
2.7 Utilize Application Whitelisting
2.8 Implement Application Whitelisting of Libraries
2.9 Implement Application Whitelisting of Scripts,

4.7 Limit Access to Scripting Tools,
7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients
New
13.1 Maintain an Inventory of Sensitive Information

14.6 Protect Information Through Access Control Lists
New
New,
13.2 Remove Sensitive Data or Systems Not Regularly Accessed by Organization
13.6 Encrypt Mobile Device Data
New
New
13.7 Manage USB Devices,

13.9 Encrypt Data on USB Storage Devices
14.4 Encrypt All Sensitive Information in Transit,
16.5 Encrypt Transmittal of Username and Authentication Credentials,
15.7 Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
14.8 Encrypt Sensitive Information at Rest,

16.4 Encrypt or Hash All Authentication Credentials
2.10 Physically or Logically Segregate High Risk Applications,

14.1 Segment the Network Based on Sensitivity
14.5 Utilize an Active Discovery Tool to Identify Sensitive Data,
14.7 Enforce Access Control to Data Through Automated Tools,
13.3 Monitor and Block Unauthorized Network Traffic
14.9 Enforce Detail Logging for Access or Changes to Sensitive Data
5.1 Establish Secure Configurations,

5.4 Deploy System Configuration Management Tool,
14.3 Disable workstation-to-workstation communication
11.1 Maintain Standard Security Configurations for Network Devices,

11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
16.11 Lock Workstation Sessions After Inactivity
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running,
9.4 Apply Host-Based Firewalls or Port-Filtering,
12.4 Deny Communication Over Unauthorized Ports,
11.2 Document Traffic Configuration Rules
9.4 Apply Host-Based Firewalls or Port-Filtering,
12.4 Deny Communication Over Unauthorized Ports,
11.2 Document Traffic Configuration Rules
New
4.2 Change Default Passwords
New,
15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients,
15.9 Disable Wireless Peripheral Access of Devices,
15.4 Disable Wireless Access on Devices if Not Required
New
New
New
New
4.1 Maintain Inventory of Administrative Accounts,

16.6 Maintain an Inventory of Accounts
4.4 Use Unique Passwords
16.8 Disable Any Unassociated Accounts,

16.9 Disable Dormant Accounts,
16.10 Ensure All Accounts Have An Expiration Date
4.3 Ensure the Use of Dedicated Administrative Accounts
New,
3.3 Protect Dedicated Assessment Accounts,
20.8 Control and Monitor Accounts Associated With Penetration Testing
16.2 Configure Centralized Point of Authentication
New
16.7 Establish Process for Revoking Access
New,
16.3 Require Multi-Factor Authentication
12.11 Require All Remote Logins to Use Multi-Factor Authentication
4.5 Use Multi-Factor Authentication for All Administrative Access
16.1 Maintain an Inventory of Authentication Systems
New
New
New
New,
3.7 Utilize a Risk-Rating Process,
3.6 Compare Back-to-Back Vulnerability Scans
3.4 Deploy Automated Operating System Patch Management Tools
3.5 Deploy Automated Software Patch Management Tools,

11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network
Devices
3.1 Run Automated Vulnerability Scanning Tools,
3.2 Perform Authenticated Vulnerability Scanning,
9.3 Perform Regular Automated Port Scans,
12.2 Scan for Unauthorized Connections Across Trusted Network Boundaries
3.1 Run Automated Vulnerability Scanning Tools,
9.3 Perform Regular Automated Port Scans,
New
New
6.2 Activate Audit Logging,

8.6 Centralize Anti-Malware Logging
6.4 Ensure Adequate Storage for Logs
6.1 Utilize Three Synchronized Time Sources
6.3 Enable Detailed Logging,

4.8 Log and Alert on Changes to Administrative Group Membership,
4.9 Log and Alert on Unsuccessful Administrative Account Login,
16.12 Monitor Attempts to Access Deactivated Accounts
8.7 Enable DNS Query Logging
7.6 Log All URL Requests
8.8 Enable Command-Line Audit Logging
6.5 Central Log Management
New
6.7 Regularly Review Logs
New
7.1 Ensure Use of Only Fully Supported Browsers and Email Clients
7.7 Use of DNS Filtering Services,
12.3 Deny Communications With Known Malicious IP Addresses
7.4 Maintain and Enforce Network-Based URL Filters,
7.5 Subscribe to URL Categorization Service,
13.4 Only Allow Access to Authorized Cloud Storage or Email Providers
7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins
7.8 Implement DMARC and Enable Receiver-Side Verification

7.9 Block Unnecessary File Types
New,
7.10 Sandbox All Email Attachments
New
8.2 Ensure Anti-Malware Software and Signatures Are Updated
8.5 Configure Devices to Not Auto-Run Content
8.4 Configure Anti-Malware Scanning of Removable Media
8.3 Enable Operating System Anti-Exploitation Features/ Deploy Anti-Exploit Technologies
8.1 Utilize Centrally Managed Anti-Malware Software
New
New
10.1 Ensure Regular Automated Backups,

10.2 Perform Complete System Backups
10.4 Protect Backups
10.5 Ensure All Backups Have at Least One Offline Backup Destination
10.3 Test Data on Backup Media
11.4 Install the Latest Stable Version of Any Security-Related Updates on All Network
Devices
New,
15.10 Create Separate Wireless Network for Personal and Untrusted Devices
11.5 Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
12.1 Maintain an Inventory of Network Boundaries

New
New,
15.8 Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
New
4.6 Use Dedicated Workstations For All Administrative Tasks,

11.6 Use Dedicated Workstations for All Network Administrative Tasks,
11.7 Manage Network Infrastructure Through a Dedicated Network
6.6 Deploy SIEM or Log Analytic Tools
New
12.6 Deploy Network-Based IDS Sensors
14.2 Enable Firewall Filtering Between VLANs
12.12 Manage All Devices Remotely Logging Into Internal Network,

12.8 Deploy NetFlow Collection on Networking Boundary Devices
New
12.7 Deploy Network-Based Intrusion Prevention Systems,
15.3 Use a Wireless Intrusion Detection System
1.7 Deploy Port Level Access Control,
1.8 Utilize Client Certificates to Authenticate Hardware Assets
9.5 Implement Application Firewalls,
12.9 Deploy Application Layer Filtering Proxy Server,
18.10 Deploy Web Application Firewalls
6.8 Regularly Tune SIEM
17.3 Implement a Security Awareness Program,

17.4 Update Awareness Content Frequently
17.6 Train Workforce on Identifying Social Engineering Attacks
17.5 Train Workforce on Secure Authentication
17.7 Train Workforce on Sensitive Data Handling
17.8 Train Workforce on Causes of Unintentional Data Exposure

17.9 Train Workforce Members on Identifying and Reporting Incidents
New
New
17.2 Deliver Training to Fill the Skills Gap
New
New
New
New
New
New
New
18.1 Establish Secure Coding Practices
18.8 Establish a Process to Accept and Address Reports of Software Vulnerabilities
New
New,
18.3 Verify That Acquired Software Is Still Supported
18.4 Only Use Up-to-Date and Trusted Third-Party Components
New,
3.7 Utilize a Risk-Rating Process
18.11 Use Standard Hardening Configuration Templates for Databases
18.9 Separate Production and Non-Production Systems
18.6 Ensure Software Development Personnel Are Trained in Secure Coding
New,
18.2 Ensure That Explicit Error Checking Is Performed for All In-House Developed Software
New,
18.5 Use only Standardized and Extensively Reviewed Encryption Algorithms
New,
18.7 Apply Static and Dynamic Code Analysis Tools
New
New
19.3 Designate Management Personnel to Support Incident Handling
19.5 Maintain Contact Information For Reporting Security Incidents

19.4 Devise Organization-wide Standards For Reporting Incidents,
19.6 Publish Information Regarding Reporting Computer Anomalies and Incidents
19.1 Document Incident Response Procedures
19.2 Assign Job Titles and Duties for Incident Response
New
19.7 Conduct Periodic Incident Scenario Sessions for Personnel
New
19.8 Create Incident Scoring and Prioritization Schema
20.1 Establish a Penetration Testing Program
20.2 Conduct Regular External and Internal Penetration Tests,

20.3 Perform Periodic Red Team Exercises,
20.4 Include Tests for Presence of Unprotected System Information and Artifacts
New,
3.7 Utilize a Risk-Rating Process
New
20.2 Conduct Regular External and Internal Penetration Tests,
20.3 Perform Periodic Red Team Exercises

4 4.7 Users Protect
5 5.4 Users Protect
5 5.2 Users Protect
6 6.5 Users Protect







6 6.4 Users Protect
3 3.2 Data Identify
3 3.5 Data Protect
3 3.13 Data Protect


3 3.9 Data Protect
3 3.9 Data Protect
3 3.10 Data Protect
3 3.13 Data Protect
3 3.3 Data Protect
3 3.13 Data Protect
3 3.11 Data Protect
3 3.14 Data Detect
3 3.10 Data Protect

5 5.6 Users Protect
6 6.3 Users Protect
3 3.11 Data Protect
3 3.10 Data Protect
6 6.2 Users Protect
5 5.3 Users Respond

5 5.3 Users Respond
5 5.3 Users Respond
4 4.3 Users Protect
14 14.9 N/A Protect
14 14.1 N/A Protect
14 14.1 N/A Protect
14 14.3 N/A Protect
14 14.2 N/A Protect
14 14.4 N/A Protect

14 14.5 N/A Protect
14 14.6 N/A Protect

17 17.4 N/A Respond

17 17.5 N/A Respond
17 17.1 N/A Respond
17 17.3 N/A Respond
17 17.2 N/A Respond
17 17.3 N/A Respond
17 17.7 N/A Recover
17 17.9 N/A Recover
3 3.1 Data Identify

3 3.4 Data Protect
3 3.5 Data Protect
3 3.7 Data Identify
3 3.8 Data Identify
6 6.1 Users Protect
6 6.3 Users Protect

6 6.7 Users Protect
6 6.8 Data Protect

8 8.12 Data Detect

14 14.7 N/A Protect
14 14.8 N/A Protect
15 15.4 N/A Protect
15 15.6 Data Detect

17 17.6 N/A Respond
17 17.8 N/A Recover

1 1
2 2
3 3
4 4
5 5
6 6
7 7
8 8
9 9
10 10
11 11
12 12
13 13
14 14
15 15
16 16
17 17
18 18
Title

Asset Inventory

Asset Inventory

Asset Inventory

Inventory

Supported

Tools

Inventory





Service Accounts

Patch Management
Management
Process
Process

Vulnerabilities

Accounts

Assets and Software

Computing Resources for All
Administrative Work


Collect Audit Logs



Filters

Filters
Implement DMARC
Malware Protections
Signature Updates

Removable Media
Collect Audit Logs

Asset Inventory

Servers
User Devices




Servers
User Devices

Test Data Recovery


Infrastructure
Servers
User Devices
Infrastructure
Management

Date

Computing Resources For All
Administrative Work
Computing Resources For All
Administrative Work
Diagram(s)


Assets

Servers
User Devices
Solution
Solution

Assets

Filters

Segments


Asset Inventory

Solution

on Enterprise Assets and Applications



Architecture


Applications
Encrypt Sensitive Data At Rest

Accounts

Enterprise Assets

and Skills Training

Awareness Program

Awareness Program


Practices





Software Components



Vulnerabilities

Systems

Response Process

Handling




Exercises

Thresholds

Testing Program

Tests

Tests

Tests

Tests

Tests

Service Accounts

Management Process

Document Data Flows

Software


Enterprise Assets




Service Accounts

Applications
Control

Management Process
Process

Management Process
Retain Audit Logs
Malware Protections
Software
Software

Process

Architecture
Infrastructure
Solution
Solution

Service Providers

Management Policy


Vulnerabilities

Vulnerabilities





Assets

Assets
Data Protection
Assets and Software
Account Management

Malware Defenses
Data Recovery
Penetration Testing
Description
software.
frequently.
and purpose. Perform service account reviews to validate all active accounts are authorized, on a recurring schedule at a minim
quarterly, or more frequently.
basis.
reviews.
reviews.
specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.
assets.
specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.

assets.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remo
Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department f
each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools
support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, rem
and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.
(OpenSSH).
data.
data.
based on: up-to-date anti-malware software installed; configuration compliance with the enterprise’s secure configuration proce
Encrypt data on end-user devices containing sensitive data. Example implementations can include, Windows BitLocker®, Apple
Segment data processing and storage, based on the sensitivity of the data. Do not process sensitive data on enterprise assets
Encrypt sensitive data in transit. Example implementations can include, Transport Layer Security (TLS) and Open Secure Shell
(OpenSSH).
Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department f
each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools
support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, rem
and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-
annually, or more frequently.
(OpenSSH).
greater).

(OpenSSH).
management.
pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate the component is
supported.
before use.
developers.
Apply static and dynamic analysis tools within the application lifecycle to verify that secure coding practices are being followed.
stakeholders.

Safeguard.
Safeguard.
opaque box.
opaque box.
timelines.
this Safeguard.
more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple®
and purpose. Perform service account reviews to validate all active accounts are authorized, on a recurring schedule at a minim
quarterly, or more frequently.
change of a user.
reviews.
Use secure network management and communication protocols (e.g. 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or
greater).
end-user devices.
infrastructure.
as well as components slated for future use. This inventory is to include any risks that each third-party component could pose.
Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is s
supported.
follow-up action.
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator
accounts, as well as service accounts, to enterprise assets and software.
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrat
and service accounts for enterprise assets and software.
trusted state.
v7.1 CIS
IG1 IG2 IG3 v7.1 CIS Safeguard Title
Safeguard
x x 1.1 Utilize an Active Discovery Tool
x 1.2 Use a Passive Asset Discovery Tool
x x 1.3 Use DHCP Logging to Update Asset Inventory
x x x 1.4 Maintain Detailed Asset Inventory
x x x 1.5 Maintain Asset Inventory Information
x x x 1.6 Address Unauthorized Assets
x 1.7 Deploy Port Level Access Control

Utilize Client Certificates to Authenticate
x 1.8
Hardware Assets
x x x 2.1 Maintain Inventory of Authorized Software
x x x 2.2 Ensure Software is Supported by Vendor
x x 2.3 Utilize Software Inventory Tools
x x x 2.4 Track Software Inventory Information
x x x 2.6 Address Unapproved Software
x x 2.7 Utilize Application Whitelisting
x x 2.8 Implement Application Whitelisting of Libraries

x 2.9 Implement Application Whitelisting of Scripts
Physically or Logically Segregate High Risk

x x 2.10
Applications
x x 3.2 Perform Authenticated Vulnerability Scanning
x x 3.3 Protect Dedicated Assessment Accounts
Deploy Automated Operating System Patch

x x x 3.4
Management Tools
Deploy Automated Software Patch Management
x x x 3.5
Tools
x x x 3.6 Compare Back-to-Back Vulnerability Scans
x x x 3.7 Utilize a Risk-Rating Process
x x x 4.1 Maintain Inventory of Administrative Accounts
x x x 4.2 Change Default Passwords

Ensure the Use of Dedicated Administrative
x x x 4.3
Accounts
x x x 4.4 Use Unique Passwords
Use Multi-Factor Authentication for All
x x x 4.5
Administrative Access
Use Dedicated Workstations For All

x 4.6
x 4.7 Limit Access to Scripting Tools
Log and Alert on Changes to Administrative

x x 4.8
Group Membership
Log and Alert on Unsuccessful Administrative

x x 4.9
Account Login
x x x 5.1 Establish Secure Configurations
x x x 5.4 Deploy System Configuration Management Tool
x x 6.1 Utilize Three Synchronized Time Sources
x x x 6.2 Activate Audit Logging
x x 6.3 Enable Detailed Logging
x x x 6.4 Ensure Adequate Storage for Logs

x x 6.5 Central Log Management
x x 6.6 Deploy SIEM or Log Analytic Tools
x x 6.7 Regularly Review Logs

x 6.8 Regularly Tune SIEM
Ensure Use of Only Fully Supported Browsers
x x x 7.1
and Email Clients
Disable Unnecessary or Unauthorized Browser
x x 7.2
or Email Client Plugins
Limit Use of Scripting Languages in Web

x 7.3
x x 7.4 Maintain and Enforce Network-Based URL Filters
x x 7.5 Subscribe to URL Categorization Service
x x 7.6 Log All URL Requests

x x x 7.7 Use of DNS Filtering Services
Implement DMARC and Enable Receiver-Side
x x 7.8
Verification
x x 7.9 Block Unnecessary File Types
x 7.10 Sandbox All Email Attachments
x x 8.1 Utilize Centrally Managed Anti-Malware Software

Ensure Anti-Malware Software and Signatures
x x x 8.2
Are Updated
Enable Operating System Anti-Exploitation

x x 8.3
Features/ Deploy Anti-Exploit Technologies
Configure Anti-Malware Scanning of Removable

x x 8.4
Media
x x x 8.5 Configure Devices to Not Auto-Run Content
x x x 8.6 Centralize Anti-Malware Logging
x x 8.7 Enable DNS Query Logging
x x 8.8 Enable Command-Line Audit Logging
Associate Active Ports, Services, and Protocols

x x x 9.1
to Asset Inventory

x x x 9.2
x x x 9.2

x x 9.2
x 9.5 Implement Application Firewalls
x x x 10.1 Ensure Regular Automated Backups
x x x 10.2 Perform Complete System Backups

x x 10.3 Test Data on Backup Media
x x x 10.4 Protect Backups
Ensure All Backups Have at Least One Offline

x x x 10.5
Backup Destination
Maintain Standard Security Configurations for

x x x 11.1
Network Devices
Use Automated Tools to Verify Standard Device

x x x 11.3
Configurations and Detect Changes
x x x 11.4

x x x 11.4
Manage Network Devices Using Multi-Factor

x x 11.5
Authentication and Encrypted Sessions
Use Dedicated Workstations for All Network

x 11.6
Manage Network Infrastructure Through a

x 11.7
Dedicated Network
x x 12.1 Maintain an Inventory of Network Boundaries

x x 12.2

x x 12.2

x x 12.2
Deny Communications With Known Malicious IP

x x x 12.3
Addresses
x x 12.6 Deploy Network-Based IDS Sensors

Deploy Network-Based Intrusion Prevention
x 12.7
Systems
Deploy NetFlow Collection on Networking
x x 12.8
Boundary Devices
x 12.9 Deploy Application Layer Filtering Proxy Server
Require All Remote Logins to Use Multi-Factor
x x x 12.11
Authentication
Manage All Devices Remotely Logging Into

x x 12.12
Internal Network
x x x 13.1 Maintain an Inventory of Sensitive Information

Remove Sensitive Data or Systems Not
x x x 13.2
Regularly Accessed by Organization
x 13.3 Monitor and Block Unauthorized Network Traffic

x x x 13.4
or Email Providers
x x 13.4
or Email Providers
x x x 13.6 Encrypt Mobile Device Data

x x 13.7 Manage USB Devices
x x 13.9 Encrypt Data on USB Storage Devices
x x 14.1 Segment the Network Based on Sensitivity
x x 14.2 Enable Firewall Filtering Between VLANs
Disable workstation-to-workstation
x x x 14.3
communication
x x 14.4 Encrypt All Sensitive Information in Transit
Utilize an Active Discovery Tool to Identify

x 14.5
Sensitive Data
Protect Information Through Access Control

x x x 14.6
Lists
Enforce Access Control to Data Through

x 14.7
Automated Tools
x x 14.8 Encrypt Sensitive Information at Rest
Enforce Detail Logging for Access or Changes

x 14.9
to Sensitive Data
Maintain an Inventory of Authorized Wireless

x x x 15.1
Access Points
Detect Wireless Access Points Connected to the

x 15.2
Wired Network
x 15.3 Use a Wireless Intrusion Detection System
Disable Wireless Access on Devices if Not

x x 15.4
Required
Disable Peer-to-Peer Wireless Network

x x 15.6
Capabilities on Wireless Clients
Leverage the Advanced Encryption Standard

x x 15.7
(AES) to Encrypt Wireless Data
Use Wireless Authentication Protocols That
x x 15.8
Require Mutual, Multi-Factor Authentication
x x 15.9 Disable Wireless Peripheral Access of Devices
Create Separate Wireless Network for Personal

x x 15.10
and Untrusted Devices
x x 16.1 Maintain an Inventory of Authentication Systems
x x 16.2 Configure Centralized Point of Authentication
x x x 16.3 Require Multi-Factor Authentication
x x 16.4 Encrypt or Hash All Authentication Credentials
Encrypt Transmittal of Username and

x x 16.5
Authentication Credentials
x x x 16.6 Maintain an Inventory of Accounts
x x x 16.7 Establish Process for Revoking Access
x x x 16.8 Disable Any Unassociated Accounts

x x x 16.9 Disable Dormant Accounts
x x x 16.10 Ensure All Accounts Have An Expiration Date
x x x 16.11 Lock Workstation Sessions After Inactivity
Monitor Attempts to Access Deactivated

x x 16.12
Accounts
x x 17.2 Deliver Training to Fill the Skills Gap
x x x 17.3 Implement a Security Awareness Program
x x x 17.4 Update Awareness Content Frequently
x x x 17.5 Train Workforce on Secure Authentication

Train Workforce on Identifying Social
x x x 17.6
Engineering Attacks
x x x 17.7 Train Workforce on Sensitive Data Handling

Train Workforce on Causes of Unintentional
x x x 17.8
Data Exposure
Train Workforce Members on Identifying and

x x x 17.9
Reporting Incidents
x x 18.1 Establish Secure Coding Practices
Ensure That Explicit Error Checking Is

x x 18.2
Performed for All In-House Developed Software
x x 18.3 Verify That Acquired Software Is Still Supported
Only Use Up-to-Date and Trusted Third-Party

x x 18.4
Components
Use only Standardized and Extensively

x x 18.5
Reviewed Encryption Algorithms
Ensure Software Development Personnel Are

x x 18.6
Trained in Secure Coding
x 18.7 Apply Static and Dynamic Code Analysis Tools
Establish a Process to Accept and Address

x x 18.8
Reports of Software Vulnerabilities

x x 18.9
Systems
x 18.10 Deploy Web Application Firewalls
x x 18.11
Templates for Databases
x x 19.1 Document Incident Response Procedures

Assign Job Titles and Duties for Incident
x x 19.2
Response
Designate Management Personnel to Support

x x x 19.3
Incident Handling
Devise Organization-wide Standards For

x x x 19.4
Reporting Incidents
Maintain Contact Information For Reporting

x x x 19.5
Security Incidents
Publish Information Regarding Reporting

x x x 19.6
Computer Anomalies and Incidents
Conduct Periodic Incident Scenario Sessions for

x x 19.7
Personnel
Create Incident Scoring and Prioritization

x 19.8
Schema
x x 20.1 Establish a Penetration Testing Program

x x 20.2
Penetration Tests

x 20.2
Penetration Tests
x x 20.3 Perform Periodic Red Team Exercises
x 20.3 Perform Periodic Red Team Exercises
Include Tests for Presence of Unprotected

x x 20.4
System Information and Artifacts
Control and Monitor Accounts Associated With

x x 20.8
Penetration Testing
x x x New
x x x New
x x x New
x x New
x x New
x x x New
x x New
x x New
x x New
x x New
x New
x x New
x x x New
x x x New
x x New
x New
x x x New
x x x New
x x New
x x x New
x x New
x New
x New
x x x New
x x New
x x x New
x x New
x x New
x x New
x x New
x x New
x New
x x x New
x x x New
x x x New
x x New
x x New
x x New
x New
x New
x New
x x New
x x New
x x New
x x New
x x New
x New
x New
x New
x x New
x x New
x x New
x New
Reordered in Reordered in a IGs Expanded IGs Reduced
New Content Merged
the Same CSC Different CSC from v7.1 from v7.1
x x
x x x
x x x
x x x
x x
x x x
x x x
x x
x x
x x
x x x
x x
x x
x x
x x
x x
x x
x x
x x x
x x
x x
x x x
x x x
x x x
x x
x x
x x
x
x
x
x
x
x x x
x x
x x
x
x x
x
x
x x
x x
x
x x x
x
x
x x x
x x x
x x x
x x
x x
x x
x x
x x
x x x
x x
x x
x
x
x x x
x x x
x x
x x x
x x
x x x
x x x
x x
x x
x x
x x
x x x
x x
x x
x x
x x
x x x
x x
x x x
x x x
x x
x x
x x x
x x
x x x
x x
x x
x x
x x x
x x x
x x x
x x x
x x x
x x
x x x
x x x
x x
x x
x x x
x x
x x
x x x
x x
x x
x x x
x x
x x
x x x
x
x
x x
x x
x x
x x
x x x
x
x x x
x x
x
x x
x x x
x x
x x x
x x x
x x
x x
x x
x
x
x
x
x
x
x
x
x
x
x
x
x
IGs Remain
Same from v7.1
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
x
v7.1 CIS Control v7.1 CIS Safeguard
2 2.5
5 5.2
5 5.3
5 5.5
12 12.5
12 12.10
13 13.5
13 13.8
15 15.5
16 16.13
17 17.1
20 20.5
20 20.6
20 20.7
Title
Integrate Software and Hardware Asset Inventories
Maintain Secure Images
Securely Store Master Images
Implement Automated Configuration Monitoring Systems
Configure Monitoring Systems to Record Network Packets
Decrypt Network Traffic at Proxy
Monitor and Detect Any Unauthorized Use of Encryption
Manage System's External Removable Media's Read/Write Configurations
Limit Wireless Access on Client Devices
Alert on Account Login Behavior Deviation
Perform a Skills Gap Analysis
Create Test Bed for Elements Not Typically Tested in Production
Use Vulnerability Scanning and Penetration Testing Tools in Concert
Ensure Results from Penetration Test are Documented Using Open, Machine-
readable Standards

CIS Controls v8 Change Log

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CIS Controls v8 Change Log

Uploaded by

Copyright:

Available Formats

Contact Information

- This Version of the CIS Controls

Reordered in a Different CIS Control

Indicates CIS Safeguards that are new to v8.

Control #1: Inventory of Authorized and Unauthorized Devices

Control #2: Inventory of Authorized and Unauthorized Software

Control #3: Secure Configurations for Hardware and Software

Control #4: Continuous Vulnerability Assessment and Remediation

Control #5: Controlled Use of Administrative Privileges

Control #6: Maintenance, Monitoring, and Analysis of Audit Logs

Control #7: Email and Web Browser Protections

Control #8: Malware Defenses

Control #9: Limitation and Control of Network Ports

Control #11: Secure Configurations for Network Devices

Control #12: Boundary Defense

Control #13: Data Protection

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 3: Continuous Vulnerability Management

Control 4: Controlled Use of Administrative Privileges

Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 9: Limitation and Control of Network Ports, Protocols, and Services

Control 12: Boundary Defense

Control 13: Data Protection

Control 17: Implement a Security Awareness and Training Program

Control 2: Inventory and Control of Software Assets

Control 3: Data Protection

Control 4: Secure Configuration of Enterprise Assets and Software

Control 5: Account Management

Control 6: Access Control Management

Control 7: Continuous Vulnerability Management

Control 8: Audit Log Management

Control 9: Email and Web Browser Protections

Control 10: Malware Defenses

Control 11: Data Recovery

Control 12: Network Infrastructure Management

Control 13: Network Monitoring and Defense

Control 14: Security Awareness and Skills Training

Control 17: Incident Response Management

Control 18: Penetration Testing

Control 1: Inventory and Control of Hardware Assets

Control 2: Inventory and Control of Software Assets

Control 13: Data Protection,

Control 16: Account Monitoring and Control,

Control 16: Account Monitoring and Control,

Control 3: Continuous Vulnerability Management

Control 6: Maintenance, Monitoring and Analysis of Audit Logs

Control 7: Email and Web Browser Protections

Control 8: Malware Defenses

Control 10: Data Recovery Capabilities

Control 12: Boundary Defense

Control 17: Implement a Security Awareness and Training Program

Control 19: Incident Response and Management

Control 20: Penetration Tests and Red Team Exercises

Control 4: Controlled Use of Administrative Privileges,

Control 3: Continuous Vulnerability Management,

Control 12: Boundary Defense

Control 9: Limitation and Control of Network Ports, Protocols, and Services,

Control 4: Controlled Use of Administrative Privileges,

Control 12: Boundary Defense,

Control 4: Controlled Use of Administrative Privileges,

Control 1: Inventory and Control of Hardware Assets,