Scroll Top

Unpacking the CIS 20 (Now the 18)

Home Unpacking the CIS 20 (Now the 18)

By Justin Mason Insight Blog Security October 22, 2021

CIS Controls v8 is here, and there are some significant changes organizations should pay attention to.

We spend a lot of time in our blogs talking about—and recommending—cybersecurity frameworks. The reason for this is pretty straightforward: there are a lot of decisions that go into cybersecurity planning, and failing to use a framework makes the process exponentially more complicated.

One of the most popular frameworks we recommend often is from the Center for Internet Security. CIS is a nonprofit organization that’s been around 21 years with the goal of making the connected world a safer place by developing, validating and promoting timely best practice solutions that help people, businesses and governments protect themselves against pervasive cyberthreats.

CIS Controls map to many established standards and regulatory frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the ISO 27000 series of standards, PCI DSS, HIPAA, etc.

Responding to Evolving Cybersecurity Threats

Cybersecurity is an evolving industry with an endless list of threat actors. The tools we use to stay safe and secure must be updated to match the current threat landscape. Likewise, the frameworks we use to guide our security strategies must evolve with the times. The events of the past 18 months have moved digital transformation ahead several years. We’ve also seen exponential increases in cyberattacks, breaches and ransomware payouts. So it’s not surprising that CIS chose to update its security controls.

CIS Controls v8 brings several welcomed updates. Here are some of the highlights:

A task-focused approach—Rather than focusing on who manages network devices, v8 controls are task-focused and combined by activities within implementation groups (IGs). This new version adds a couple of benefits:
- It decreases the number of controls from 20 to 18 (there were some redundancies in the previous versions that were eliminated, too)
- For the first time, users can follow the controls in order. Initially, the controls weren’t designed this way, but the CIS organization discovered that’s how people tended to use its framework. Previous control versions could hypothetically take an admin two years into their CIS 20 journey before implementing critical security measures. The new version puts the essential hygiene steps upfront.
New safeguards—Formerly known as sub-controls, the updated safeguards (there are 153) are prioritized into implementation groups, or IGs, with IG1 defining basic cyber hygiene.
It’s more than just a list—The v8 release isn’t just an update to the controls; the whole ecosystem surrounding the controls has been updated as well, including:
- CIS Controls Self-Assessment Tool—CSAT provides a way for companies to conduct, track and assess their implementation of the CIS Controls over time and measure their performance against their peers. Also, the hosted version of the CSAT tool is free for non-commercial use.
- Community Defense Model—CDM is a data-driven, transparent approach that helps prioritize the controls based on the evolving threat landscape. For example, CDM v2.0 maps safeguards as mitigations using MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) Framework v8.2.
- CIS Risk Assessment Method—CIS RAM helps organizations define their acceptable level of risk and helps justify investments in CIS Controls implementations. CIS RAM 2.0, for instance, includes a simplified CIS RAM worksheet for IG1, plus additional modules tailored to developing key risk indicators using quantitative analysis.
- CIS Controls Mobile Companion Guide—The guide helps companies implement consensus-developed best practices using CIS Controls v8 for phones, tablets, and mobile applications.
- CIS Controls Cloud Companion Guide—This guide details how to apply the security best practices found in CIS Controls v8 to any cloud environment from a consumer or customer perspective.
- Control 15: Service Provider Management—This new control helps enterprises manage their cloud services. It includes seven safeguards covering all aspects of the service provider lifecycle, from establishing and maintaining an agreement to decommissioning services.
- Mappings to other regulatory frameworks— Enterprises that implement the CIS Controls can comply with other industry frameworks.

Closing Thoughts

One of the nice things about the CIS framework is that it isn’t developed by a security manufacturer or group trying to convince you to buy its products. Instead, it’s crowd-sourced and community-led by leaders across multiple industries, so participants can have confidence knowing they’re getting the best-of-the-best vendor-agnostic recommendations applicable to their particular needs. As a result, CIS Controls v8 is a fresh rebuild of the framework that’s easier to follow and contains fewer redundancies than previous versions. It also brings clarity and simplicity to the world of cybersecurity, which is often the exact opposite of many companies’ experiences. To learn more about CIS Controls v8, download it for free here.

Justin Mason

+ posts

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use nonessential cookies that help us analyze and understand how you use this website and enhance your user experience. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
Zoominfo	session	Zoominfo uses technologies to collect and store information when you interact with services it offer to their partners, such as advertising services or analytics. All of those processes are meant to improve your user experience and the overall quality of our services.

Analytics

Analytics cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Other

Other uncategorized cookies are those that are being analyzed and have not yet been classified into a category according to their type and purpose.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

Unpacking the CIS 20 (Now the 18)

Justin Mason

UJIMA

VETs

WONDER

PRIDE

Mental Health Matters

KEVIN FLEURIE

Dan O’Brien

BRYAN CALDER

ROBERT KIM

VINCENT TRAMA

WAHEED CHOUDHRY

CHRIS CAGNAZZI

BRID GRAHAM

MICHAEL KELLY

KEVIN WATKINS

JENNIFER JACKSON

MANNY KORAKIS

JUSTIN FILIA

GOPINATHAN PANDURANGAN

STEVEN PALMESE

ELLIOT BRECHER

BARBARA ROBIDOUX

Please select your venue city and
complete registration form below.

Please complete registration
form below.

Dave Hart

CHRIS BARNEY

JOHN HANLON

Greg Hedrick

Courtney Washington

CHRISTINE KOMOLA

VINU THOMAS

JULIETTE AUSTIN