List of 18 CIS Critical Security Controls: Updated V8 Complete Checklist

A research conducted by Ponemon Institute in 2022 found that an organization’s cloud security maturity levels impact the cost of a data breach – higher the maturity, lower the cost. Using CIS controls you can build a strong security posture to bring down the cost of a potential data breach for your business. 

But what are the requirements of the CIS control framework? What are their functions? And what does it protect? Let’s understand each safeguard better.

What is CIS control framework?

The CIS Critical Security Controls (CIS Controls) are a set of prescriptive, prioritized, and simplified security practices that help organizations strengthen their cyber security posture.

The guidelines consist of 18 critical cybersecurity controls (CSC). These controls aim to simplify defense approach against threats, comply with industry regulations, abide by government law, align security efforts with business goals, and achieve basic security hygiene.

List of CIS controls

There are 18 control requirements divided into 153 safeguards. Each safeguard falls into either of three groups – IG1, IG2, and IG3. 

IG1 builds essential cyber hygiene for enterprises with limited cybersecurity expertise. 

IG2 assists enterprises handling multiple departments and risk profiles to manage their increasing operational complexity. 

IG3 empowers enterprises with IT professionals and experts to manage their sensitive or confidential data. It aims to minimize the impact of sophisticated cyber attacks. 

Not all controls may apply to your enterprise, you can choose the controls based on your IG level. 

CIS Control 1: Inventory and Control of Enterprise Assets

Helps you manage enterprise assets like portable or mobile devices, networks, and servers connected to your infrastructure remotely, virtually, or physically. Use this control to protect and monitor assets as well as identify and remove unauthorized or unmanaged assets. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
1.1	Establish and maintain a detailed and updated inventory of enterprise assets that store or process data. The assets can be connected to the infrastructure remotely, physically, or virtually.	Identify	Devices
1.2	Implement processes to remove, deny, or quarantine unauthorized assets.	Respond	Devices
1.3	Use an active discovery tool to identify assets connected to the network and configure it to execute as often as needed.	Detect	Devices
1.4	Use Dynamic Host Configuration Protocol (DHCP) logging or Internet Protocol (IP) address management tools to update the inventory.	Identify	Devices
1.5	Use a passive asset directory tool to identify assets connected to the network	Detect	Devices

CIS Control 2: Inventory and Control of Software Assets

Manage software operating systems and applications deployed on the network to prevent unauthorized software from being installed and operated. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
2.1	Establish and maintain a detailed inventory of software installed on assets	Identify	Applications
2.2	Ensure that only supported software is authorized in the inventory	Identify	Applications
2.3	Remove unauthorized software from the system or document its necessity	Respond	Applications
2.4	Automate the process of discovering and documenting installed software using software inventory tools	Detect	Applications
2.5	Ensure that only authorized software can be accessed or executed using technical controls like application allowlisting	Protect	Applications
2.6	Ensure that only authorized software libraries are loaded into system processes using technical controls	Protect	Applications
2.7	Ensure that only authorized scripts can be executed using technical controls like digital signatures and version control	Protect	Applications

CIS Control 3: Data Protection

Protects critical data deployed on-premise and across the cloud environment using processes and technical controls that helps to identify, classify, manage, retain, and dispose them. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
3.1	Establish and maintain a data management process detailing sensitivity, retention limits, disposal requirements, and owners	Identify	Data
3.2	Establish and maintain a data inventory based on the management process	Identify	Data
3.3	Configure data access controls lists to file systems, databases, and applications	Protect	Data
3.4	Retain data based on management processes including minimum and maximum timelines	Protect	Data
3.5	Dispose of data securely aligned with the level of sensitivity	Protect	Data
3.6	Encrypt data deployed on endpoint devices	Protect	Devices
3.7	Establish and maintain a data classification plan based on sensitive, public, or confidential categories	Identify	Data
3.8	Document data flows based on data management processes	Identify	Data
3.9	Encrypt data on removable media	Protect	Data
3.10	Encrypt data in transit using techniques like Transport Layer Security (TLS) or Open Secure Shell (OpenSSH)	Protect	Data
3.11	Encrypt sensitive data at rest deployed on servers, applications, or databases using techniques like server-side encryption or application-layer encryption	Protect	Data
3.12	Segment data processing and storage based on its sensitivity	Protect	Network
3.13	Use automated tools like Data Loss Prevention (DLP) to identify sensitive data stored, processed, or transmitted via enterprise assets	Protect	Data
3.14	Maintain a log of sensitive data access that includes modification and disposal	Detect	Data

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Establishes and maintains security configurations of enterprise assets and software like endpoint devices, servers, IoT systems, network devices, operating systems, and applications. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
4.1	Establish and maintain a secure configuration process for enterprise assets and software	Protect	Applications
4.2	Establish and maintain a secure configuration process for network devices	Protect	Network
4.3	Configure automated session lockout after a defined period of inactivity. The recommended period is 15 minutes for general operating systems and 2 minutes for mobile endpoint devices.	Protect	Users
4.4	Implement and manage firewalls on supported servers	Protect	Devices
4.5	Implement and manage a host based firewall or port filtering tool on endpoint devices. Configure the settings to allow only whitelisted traffic	Protect	Devices
4.6	Securely manage enterprise assets and software using version-controlled infrastructure-as-code and accessing administrative interfaces over secure network protocols like SSH and HTTPS	Protect	Network
4.7	Manage default accounts on assets like root, administrator, or pre-configured vendor accounts by disabling or making them inaccessible	Protect	Users
4.8	Implement and manage a host-based firewall or port filtering tool on endpoint devices. Configure the settings to allow only whitelisted traffic	Protect	Devices
4.9	Configure trusted DNS servers. Use only enterprise controlled or trusted externally accessible DNS servers	Protect	Devices
4.10	Configure automated device lockout following a predetermined number of failed authentication attempts. The suggested number is 20 for laptops and 10 for tablets or smartphones	Respond	Devices
4.11	Remotely delete data deployed in enterprise owned portable devices if the drive is lost or the assigned owner has exited the org	Protect	Devices
4.12	Use separate workspaces on mobile and endpoint devices for enterprise and personal application data	Protect	Devices

CIS Control 5: Account Management

Manage authorization for account login credentials for user, administrator, and service accounts to secure enterprise and software assets. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
5.1	Use unique passwords for each asset. Passwords should have at least eight characters if MFA is enabled and 14 characters if not enabled	Identify	Users
5.2	Use unique passwords for each asset. Passwords should have at least 8 characters if MFA is enabled and 14 characters if not enabled	Protect	Users
5.3	Delete or disable dormant accounts after 45 days of inactivity	Respond	Users
5.4	Restrict administrator privileges to administer accounts and conduct general activities from user/non-privileged accounts	Protect	Users
5.5	Establish and maintain an inventory of service accounts detailing department owner, review date, and purpose	Identify	Users
5.6	Centralize all account management activities using a directory or identity service	Protect	Users

CIS Control 6: Access Control Management

Implement tools and processes to manage, assign, create, and revoke credentials or privileges for administrators, and service accounts of enterprise assets and software. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
6.1	Establish a process to manage access privileges for new hires or role changes	Protect	Users
6.2	Establish a process to manage access removal for role change or termination	Protect	Users
6.3	Maintain role-based access control based on role-wise access rights to ensure each function can carry out their assigned tasks	Protect	Users
6.4	Enforce MFA for remote network access requests	Protect	Users
6.5	Enforce MFA on all externally managed or third-party accessible applications	Protect	Users
6.6	Establish and maintain an inventory of authentication and authorization systems	Identify	Users
6.7	Centralize access control activities using a directory or SSO provider	Protect	Users
6.8	Maintain a role-based access control based on role-wise access rights to ensure each function can carry out their assigned tasks	Protect	Data

Sprinto helps you set up role-based access control for enterprise assets based on individual roles and responsibilities. By defining who can access what, when, and how, you can meet CIS access control safeguards. 

• Describe how to protect login system using Sprinto’s login mechanism strengthening tools
• Set up ticket-based access control to manage request exceptions
• Gain a granular view of org-wide accounts, access, and status history

CIS Control 7: Continuous Vulnerability Management

Create a plan to assess and track vulnerabilities in assets within the infrastructure in order to minimize and remediate the attack surface for malicious actors. You can scan industry sources to stay updated with information-related threats or vulnerabilities. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
7.1	Establish and maintain a documented process to manage vulnerabilities	Protect	Applications
7.2	Establish and maintain a documented risk remediation plan	Respond	Applications
7.3	Conduct automated vulnerability scans (authenticated and unauthenticated) on internal assets using a SCAP-compliant scanning tool	Protect	Applications
7.4	Update applications using automated patch management tools	Protect	Applications
7.5	Conduct automated vulnerability scans (authenticated and unauthenticated) on internal assets using a SCAP compliant scanning tool	Identify	Applications
7.6	Conduct automated vulnerability scans (authenticated and unauthenticated) on external assets using a SCAP-compliant scanning tool	Identify	Applications
7.7	Remediate software vulnerabilities using tools and processes	Respond	Applications

Sprinto monitors and resolves infrastructure vulnerabilities for cloud-hosted applications using workflow checks. 

• Track and remediate vulnerabilities in real time
• Integrates with vulnerability scanners which scan your code for risks you may get from existing libraries
• Assigns a score for each vulnerability based on the level of severity

CIS Control 8: Audit Log Management

Maintain a comprehensive audit log detailing the events that help you detect, collect, or understand, and recover from attacks. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
8.1	Establish and maintain a process to collect, review, and retain audit logs	Protect	Network
8.2	Centralize audit log collection and retention processes	Detect	Network
8.3	Ensure adequate storage capabilities in audit log destinations	Protect	Network
8.4	Collect audit logs across assets aligned with the enterprise’s log management process	Protect	Network
8.5	Collect detailed audit logs for sensitive data that includes event source, date, username, timestamp, address and destination sources, and more to support forensic investigation	Detect	Network
8.6	Collect DNS query audit logs	Detect	Network
8.7	Collect URL request audit logs	Detect	Network
8.8	Collect command line audit logs	Detect	Devices
8.9	Centralize audit log collect and retention processes	Detect	Network
8.10	Retain audit logs for at least 90 days	Protect	Network
8.11	Collect audit log reviews to detect anomalous behavior or abnormal events that could be a security threat	Detect	Network
8.12	Collect service provider logs	Detect	Data

Sprinto helps you eliminate cumbersome audit activities and collects evidence automatically, effectively, and comprehensively for all CIS critical controls. 

• Collects system snapshots, generates documents, and monitoring logs in a centralized repository
• Collects evidence of corrective actions against system failures
• Accommodates special cases and syncs to new tasks as your enterprise grows

CIS Control 9: Email and Web Browser Protections

Protect emails and web vectors from threats like phishing attacks using detective techniques and prevent exploitation of human behavior. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
9.1	Run only supported and authorized browsers or email clients. Use only the latest vendor provided version	Protect	Applications
9.2	Use anti-malware systems like attachment scanning or sandboxing to secure email servers	Protect	Network
9.3	Use anti-malware systems like attachment scanning or sandboxing to secure email servers	Protect	Network
9.4	Use anti-malware systems like attachment scanning or sandboxing to secure email servers	Protect	Applications
9.5	Use DMARC (Domain-based Message Authentication) policy and verification to minimize email spoofing and email modification	Protect	Network
9.6	Block unnecessary files entering the email gateway	Protect	Network
9.7	Us anti-malware systems like attachment scanning or sandboxing to secure email servers	Protect	Network

CIS Control 10: Malware Defenses

Prevent malicious applications, scripts, or codes from being installed, executed, and spread on enterprise assets. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
10.1	Deploy and maintain anti-malware software	Protect	Devices
10.2	Configure auto update for anti-malware signature files	Protect	Devices
10.3	Disable the autorun and autoplay functionality for removable media files	Protect	Devices
10.4	Enable anti-exploitation functions on assets and software	Detect	Devices
10.5	Centralize anti-malware software management	Protect	Devices
10.6	Use behavior-based anti-malware software	Protect	Devices
10.7	Use a behavior based anti malware software	Detect	Devices

CIS Control 11: Data Recovery

Maintain the confidentiality, availability, and integrity of data using effective recovery practices that help you restore compromised data to the pre-incident stage. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
11.1	Establish and maintain a data recovery process that includes the scope of activities, prioritization details, and security of backed up data	Recover	Data
11.2	Backup in scope assets automatically. The frequency should be based on the sensitivity of the data	Recover	Data
11.3	Protect recovery data using the same controls as the original data	Protect	Data
11.4	Establish and maintain an isolated container of recovery data	Recover	Data
11.5	Test the backup recovery system at frequent intervals	Recover	Data

CIS Control 12: Network Infrastructure Management

Prevent malicious actors from exploiting vulnerabilities in network services and access points. Establish, complement, track, report, and correct network devices. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
12.1	Keep network infrastructure updated by running the latest software version and using the currently supported NaaS (network-as-a-service)	Protect	Network
12.2	Establish and maintain a secure network architecture to ensure segmentation, implement least privilege, and availability	Protect	Network
12.3	Ensure network infrastructure security using version-controlled-infrastructure-as-code and secure network protocols	Protect	Network
12.4	Establish and maintain an architecture diagram and other necessary network system documents	Identify	Network
12.5	Centralize network AAA (Authentication, Authorization, and Auditing)	Protect	Network
12.6	Use secure network management and communication protocols	Protect	Network
12.7	Ensure that users authenticate via enterprise managed VPN to access enterprise resources on endpoint devices	Protect	Devices
12.8	Establish and maintain computing resources segmented from the primary enterprise network and internet connection to manage tasks that require administrative access	Protect	Devices

CIS Control 13: Network Monitoring and Defense

Protect the enterprise’s network infrastructure and user base from security threats using tools and processes to monitor the network comprehensively. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
13.1	Implement a host-based anti-intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets	Detect	Network
13.2	Implement a host-based anti-intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets	Detect	Devices
13.3	Deploy network intrusion detection systems as applicable like NIDS (Network Intrusion Detection System) or CSP (cloud service provider) service	Detect	Network
13.4	Filter traffic between network segments as where applicable	Protect	Network
13.5	Implement a host-based anti intrusion solution like EDR (Endpoint Detection and Response) systems or host-based IPS agents on supported or applicable assets	Protect	Devices
13.6	Collect network traffic logs for reviewing and altering purposes	Detect	Network
13.7	Implement anti-network intrusion systems like NIPS (Network Intrusion Prevention System) on supported or applicable assets	Protect	Devices
13.8	Implement port-level access control (802.1x or equivalent access control protocols). User and device authentication is recommended	Protect	Network
13.9	Manage access control for remotely connected assets. Determine access requirements based on the updated anti-malware solution, configuration compliance with the enterprise’s configuration, and updating operating systems and applications	Protect	Devices
13.1	Filter application layers like proxy filtering, application layer firewall, or gateway	Protect	Network
13.11	Tune security event alerting thresholds on a monthly basis or a higher frequency	Detect	Network

Sprinto connects with your assets to automatically map and continuously monitor security controls against CIS benchmarks to test compliance and trigger remediation workflows.

• Configure automated altering rules and activate high-fidelity alerts
• Tracks progress in real-time using a centralized dashboard
• Integrates with everything – cloud apps, infrastructure, code repos, devices, and people

CIS Control 14: Security Awareness and Skills Training

Conduct security training and awareness programs for employees to minimize incidents. Instill security best practices and necessary skills that protect your enterprise from cyber attacks. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
14.1	Train employees to recognize and report threat incidents	Protect	N/A
14.2	Train employees to identify social engineering attacks like phishing, pretexting, and tailgating	Protect	N/A
14.3	Train employees on authentication practices like MFA, credential management, and password composition	Protect	N/A
14.4	Train employees to identify, store, transfer, and archive sensitive data including clear screen and desk best practices	Protect	N/A
14.5	Train employees on accidental data exposure causes	Protect	N/A
14.6	Conduct role-based security training and awareness programs	Protect	N/A
14.7	Conduct role-based security training and awareness programs	Protect	N/A
14.8	Train employees to understand the security consequences of connecting to and transmitting data over insecure networks. Remote workers should securely configure their home network infrastructure	Protect	N/A
14.9	Conduct role based security training and awareness programs	Protect	N/A

Sprinto’s custom training module helps you train employees, conduct tests once completed, and collect evidence of completion to meet CIS control 14.  

CIS Control 15: Service Provider Management

Conduct vendor due diligence processes to evaluate the security practices of vendors with access to sensitive data and offer managed services for IT platforms or critical processes. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
15.1	Establish and maintain an inventory of service providers listing all vendors, their classification, and a designated contact	Identify	N/A
15.2	Establish and maintain a service provider management policy that addresses classification, inventory, assessment, monitoring, and decommissioning on each vendor	Identify	N/A
15.3	Classify service providers based on data sensitivity, data volume, data availability, regulations, inherent risk, and mitigated risk	Identify	N/A
15.4	Ensure service providers contract include security clauses like breach notification, data encryption, data disposal and others based on the security policy	Protect	N/A
15.5	Assess service providers based on your management policy to address compliance reports like SOC 2, AoC (Attestation of Compliance) of PCI DSS, custom questionnaires, and others	Identify	N/A
15.6	Monitor service providers based on your management policy to address vendor compliance, vendor release notes, and dark web monitoring.	Detect	Data
15.7	Decommission service providers to address user and service account deactivation, data flow termination, data disposal within providers systems	Protect	Data

CIS Control 16: Application Software Security

Secure the software developed, hosted, or acquired in house throughout its life cycle. Prevent, detect, and remediate vulnerabilities that can disrupt business operations. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
16.1	Analyze the root cause of vulnerabilities to evaluate underlying code issues	Protect	Applications
16.2	Establish and maintain a process to accept and address software vulnerability reports that details the policies, responsible parties, assignment, intake process, remediation, and remediation testing. Additionally, use a vulnerability tracking system	Protect	Applications
16.3	Analyze root cause of vulnerabilities to evaluate underlying code issues	Protect	Applications
16.4	Use industry-grade hardening configuration templates for application infrastructure components like databases, web servers, as well as cloud containers, and PaaS or SaaS components	Protect	Applications
16.5	Separate production environments for production and non-production systems	Protect	Applications
16.6	Create a severity rating system to address vulnerabilities in the order of its discovery	Protect	Applications
16.7	Use industry grade hardening configuration templates for application infrastructure components like databases, web servers, as well as cloud containers, and PaaS or SaaS components	Protect	Applications
16.8	Separate the environments for production and non-production systems	Protect	Applications
16.9	Train software developers to write secure code, general security principles and application security practices	Protect	Applications
16.10	Use secure principles to design application architectures like least privilege, validate user operation input, check inputs for errors, and minimize the infrastructure attack surface	Protect	Applications
16.11	Use vetted modules or services for application security components like identity management, encryption, logging, and auditing	Protect	Applications
16.12	Use static and dynamic tools to analyze the application life cycle and ensure secure coding practices	Protect	Applications
16.13	Conduct application pen testings. Authenticated pen tests are recommended for critical applications to identify business logic vulnerabilities over code scanning and automated testing	Protect	Applications
16.14	Conduct threat modeling to identify and address application design security flaws	Protect	Applications

CIS Control 17: Incident Response Management

Build resilience against incidents by creating an incident response program detailing the policies, plans, procedures, roles, stakeholders, training, and communications. Use the plan to effectively mitigate breaches by preparing, detecting, and responding to attacks. 

CIS Safeguard	Control Requirement	Security Function	Asset Type
17.1	Assign one key role and a backup role to manage incidents. If it is handled by a third party service, an internal person should oversee their work	Respond	N/A
17.2	Create and maintain a contact list of parties who should be informed in case a security incident occurs	Respond	N/A
17.3	Establish and maintain a process for all employees to report security incidents that includes a reporting timeframe, reporting personnel, processes, and information to report	Respond	N/A
17.4	Establish and maintain an incident response policy detailing the roles, accountabilities, compliance requirements and accountability plan	Respond	N/A
17.5	Assign key roles and responsibilities to respond to incidents from departments like legal, IT, information security, facilities, public relations human resources, analysts, and others as applicable	Respond	N/A
17.6	Determine the primary and secondary measures to communicate and report security incidents	Respond	N/A
17.7	Conduct incident response exercises based on real scenarios to prepare key roles to process and respond to incidents	Recover	N/A
17.8	Conduct post incident reviews to avoid repeat occurrences	Recover	N/A
17.9	Establish and maintain incident thresholds to differentiate between incidents and events.	Recover	N/A

Sprinto’s built-in security solution users proactively mitigate vulnerabilities across enterprise assets, eliminate security blind spots, and remediate security issues.

• Leverages AI to recommend corrective actions against security gaps. 
• Scans the cloud for malicious behavior and non-compliant activities

CIS Control 18: Penetration Testing

Identifies weaknesses and vulnerabilities in controls, processes, and technology to test the effectiveness and resilience of enterprise assets by stimulating attacks.

CIS Safeguard	Control Requirement	Security Function	Asset Type
18.1	Establish and maintain a pen testing program based on the enterprise’s sixe, complexity, and maturity. Address scope, limitations, retrospective requirements, and remediation	Identify	N/A
18.2	Conduct external pen tests – clear box or opaque box at least once annually. Include enterprise and environmental reconnaissance in the pen test	Identify	Network
18.3	Remediate the vulnerabilities identified in the pen test based on enterprise scope and prioritization	Protect	Network
18.4	Validate secure measures after a pen test and make the necessary modifications and in configurations and detection capabilities	Protect	Network
18.5	Conduct internal pen tests – clear box or opaque box at least once annually, based on requirements	Identify	N/A

How Sprinto helps you implement CIS controls

Sprinto automates CIS control requirements by continuously monitoring your controls, culling out vulnerabilities, assigning impact scores against risks, training your employees, scanning for non-compliant activities, and much more. With Sprinto, you get:

• Single dashboard, 360 degree granular view of risks and controls
• Cross-map and reuse controls from existing frameworks
• Real-time compliance status through automated checks and workflows
• Continuous, comprehensive, and accurate monitoring of cloud assets

Want to know how we helped organizations like yours get CIS compliant? Talk to our experts today!

FAQs

What is the difference between the CIS and NIST CSF framework?

The key differences between CIS and NIST controls lie in focus (CIS is action-focused and offers a list of prioritized actions against common attacks, whereas NIST helps security teams manage security risks across the org based on risk profile). Another difference is use cases (CIS helps to improve tactics of an org’s cyber defenses compared to NIST, which helps to build a strategic security program).

What does CIS Controls stand for?

CIS stands for The Center for Internet Security. It offers 18 security standards or basic controls to build an effective defense against security vulnerabilities.    

Is CIS part of NIST?

CIS is not a part of NIST. While these frameworks have similar or overlapping security requirements, NIST is set by government agencies and compulsory for some companies while CIS is formed by companies, government agencies, institutions, and expert individuals.