Scroll Top

Unpacking the CIS 20 (Now the 18)

Cybersecurity Month CIS Blog FI

CIS Controls v8 is here, and there are some significant changes organizations should pay attention to.

We spend a lot of time in our blogs talking about—and recommending—cybersecurity frameworks. The reason for this is pretty straightforward: there are a lot of decisions that go into cybersecurity planning, and failing to use a framework makes the process exponentially more complicated.

One of the most popular frameworks we recommend often is from the Center for Internet Security. CIS is a nonprofit organization that’s been around 21 years with the goal of making the connected world a safer place by developing, validating and promoting timely best practice solutions that help people, businesses and governments protect themselves against pervasive cyberthreats.

CIS Controls map to many established standards and regulatory frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the ISO 27000 series of standards, PCI DSS, HIPAA, etc.


Responding to Evolving Cybersecurity Threats

Cybersecurity is an evolving industry with an endless list of threat actors. The tools we use to stay safe and secure must be updated to match the current threat landscape. Likewise, the frameworks we use to guide our security strategies must evolve with the times. The events of the past 18 months have moved digital transformation ahead several years. We’ve also seen exponential increases in cyberattacks, breaches and ransomware payouts. So it’s not surprising that CIS chose to update its security controls.

CIS Controls v8 brings several welcomed updates. Here are some of the highlights:

  • A task-focused approach—Rather than focusing on who manages network devices, v8 controls are task-focused and combined by activities within implementation groups (IGs). This new version adds a couple of benefits:
    • It decreases the number of controls from 20 to 18 (there were some redundancies in the previous versions that were eliminated, too)
    • For the first time, users can follow the controls in order. Initially, the controls weren’t designed this way, but the CIS organization discovered that’s how people tended to use its framework. Previous control versions could hypothetically take an admin two years into their CIS 20 journey before implementing critical security measures. The new version puts the essential hygiene steps upfront.
  • New safeguards—Formerly known as sub-controls, the updated safeguards (there are 153) are prioritized into implementation groups, or IGs, with IG1 defining basic cyber hygiene.
  • It’s more than just a list—The v8 release isn’t just an update to the controls; the whole ecosystem surrounding the controls has been updated as well, including:
    • CIS Controls Self-Assessment Tool—CSAT provides a way for companies to conduct, track and assess their implementation of the CIS Controls over time and measure their performance against their peers. Also, the hosted version of the CSAT tool is free for non-commercial use.
    • Community Defense Model—CDM is a data-driven, transparent approach that helps prioritize the controls based on the evolving threat landscape. For example, CDM v2.0 maps safeguards as mitigations using MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework v8.2.
    • CIS Risk Assessment Method—CIS RAM helps organizations define their acceptable level of risk and helps justify investments in CIS Controls implementations. CIS RAM 2.0, for instance, includes a simplified CIS RAM worksheet for IG1, plus additional modules tailored to developing key risk indicators using quantitative analysis.
    • CIS Controls Mobile Companion Guide—The guide helps companies implement consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile applications.
    • CIS Controls Cloud Companion Guide—This guide details how to apply the security best practices found in CIS Controls v8 to any cloud environment from a consumer or customer perspective.
    • Control 15: Service Provider Management—This new control helps enterprises manage their cloud services. It includes seven safeguards covering all aspects of the service provider lifecycle, from establishing and maintaining an agreement to decommissioning services.
    • Mappings to other regulatory frameworks— Enterprises that implement the CIS Controls can comply with other industry frameworks.


Closing Thoughts

One of the nice things about the CIS framework is that it isn’t developed by a security manufacturer or group trying to convince you to buy its products. Instead, it’s crowd-sourced and community-led by leaders across multiple industries, so participants can have confidence knowing they’re getting the best-of-the-best vendor-agnostic recommendations applicable to their particular needs. As a result, CIS Controls v8 is a fresh rebuild of the framework that’s easier to follow and contains fewer redundancies than previous versions. It also brings clarity and simplicity to the world of cybersecurity, which is often the exact opposite of many companies’ experiences. To learn more about CIS Controls v8, download it for free here.

+ posts