CIS Critical Controls Explained
An overview of the CIS controls, why they are important, and how to use them.
Published Date: August 15, 2024
Product Line: CIS Controls
Audience: Executives, Security Administrators
What are the CIS Controls?
The CIS Critical Security Controls (CIS Controls) are a set of best practices developed to help organizations, including state and local governments, defend against common and significant cyber threats. Initially created to focus attention on the most crucial defense steps, these controls have evolved with input from a wide range of experts across different sectors. They offer a practical and prioritized framework for improving cybersecurity by addressing key areas such as asset management, data protection, and incident response.
The CIS Controls are now supported by a global community that collaborates to share insights, develop tools, and address common security challenges. This collective effort ensures that the recommendations are not just theoretical but grounded in real-world experience and data. The latest version, including updates like the Community Defense Model, reflects a more data-driven approach, mapping recommendations to actual attack patterns and providing clear, actionable guidance. For more details on these controls and how they can be implemented, you can visit the CIS website.
Why should we implement them?
Implementing the CIS Critical Security Controls (CIS Controls) offers several compelling benefits for organizations, particularly for state and local governments:
Enhanced Protection Against Common Threats: The CIS Controls are designed to address the most prevalent and damaging cyber threats. By following these best practices, organizations can significantly reduce their risk of falling victim to common cyber attacks, such as data breaches and ransomware. This proactive approach helps safeguard sensitive information and maintain the integrity of critical systems.
Prioritized and Actionable Guidance: The CIS Controls provide a clear, prioritized set of actions, making it easier for organizations to focus their cybersecurity efforts where they will have the most impact. This structured approach helps allocate resources more effectively, ensuring that the most critical security measures are implemented first.
Community Support and Alignment: Adopting the CIS Controls means joining a broad community of experts and peers who share insights, tools, and solutions. This community support can assist in overcoming implementation challenges and aligning security practices with regulatory and compliance requirements. It also ensures that the security measures are continuously updated based on the latest threat intelligence and best practices.
By implementing the CIS Controls, organizations can strengthen their cybersecurity posture, improve their resilience against attacks, and benefit from a well-supported and data-driven framework for managing security risks.
What are Implementation Groups?
Implementation Groups (IGs) provide a tiered approach to applying the CIS Controls based on the size and risk profile of an organization. Think of IGs as a way to tailor cybersecurity measures to fit different organizational contexts and needs.
IG1: This is the starting point and is suitable for smaller organizations or those with limited resources. It focuses on the most fundamental and critical security actions that are essential for all organizations, such as ensuring basic security hygiene and protecting against the most common threats.
IG2: This group builds on IG1 and is intended for medium-sized organizations or those with more complex environments. It includes additional controls that address more sophisticated threats and provides a more comprehensive approach to managing security risks.
IG3: This is the most advanced tier and is meant for larger organizations or those with significant security needs. It involves implementing the full set of controls, including those that address the most complex and evolving threats.
By using IGs, organizations can start with the basics and gradually adopt more advanced security measures as their needs and capabilities grow. This approach helps ensure that cybersecurity improvements are manageable, scalable, and aligned with the organization's specific situation.