Inside Cybersecurity

December 4, 2022

Daily News

Center for Internet Security streamlines heralded family of controls in ‘version 8’

By Charlie Mitchell / May 19, 2021

The Center for Internet Security has updated and streamlined its well-known security controls in “CIS Controls v8,” addressing cloud and mobile device security while moving to develop “the whole ecosystem” through promotion of risk management, self-assessment, and the “Community Defense Model,” among other elements.

“The moment we’ve all been waiting for is finally here. [CIS] officially launched CIS Controls v8, which was enhanced to keep up with evolving technology (modern systems and software), evolving threats, and even the evolving workplace. The pandemic changed a lot of things, and it also prompted changes in the CIS Controls,” CIS said in a blog post on Tuesday, titled “18 is the new 20: CIS Controls v8 is here!”

“The newest version of the Controls now includes cloud and mobile technologies. There’s even a new CIS Control: Service Provider Management, that provides guidance on how enterprises can manage their cloud services,” according to CIS. The post includes a link to download CIS Controls v8 as well as a video explainer.

CIS says “the new version combines and consolidates the CIS Controls by activities, rather than by who manages the devices. Physical devices, fixed boundaries, and discrete islands of security implementation are less important in the new version; this is reflected through revised terminology and grouping of Safeguards (formerly Sub-Controls), resulting in a decrease of the number of Controls from 20 to 18. The 18 top-level Controls contain 153 Safeguards that provide a prioritized path to improve an enterprise’s cybersecurity posture.”

Curtis Dukes, CIS executive vice president and general manager of security best practices, said in a statement, “Whether you use the CIS Controls or another framework to guide your cybersecurity program, you should recognize that it’s not just about the list. Think of the Controls as a prioritized set of actions to take to provide an effective cyber defense. It’s important to look for the ecosystem that grows up around the list.”

According to CIS, “The v8 release is not just an update to the Controls; the whole ecosystem surrounding the Controls has been (or soon will be) updated as well,” including:

  • CIS Controls Self Assessment Tool (CSAT) (Hosted & Pro) – a way for enterprises to conduct, track, and assess their implementation of the CIS Controls over time, and measure implementation against industry peers; CIS CSAT hosted is free for use in a noncommercial capacity o Updated CIS CSAT Pro – on-premises, data sharing optional, different user roles for different organizations, separation of administrative function, different look and feel
  • Community Defense Model (CDM) – data-driven, rigorous, transparent approach that helps prioritize the Controls based on the evolving threat; CDM v1.0 utilized the 2019 Verizon Data Breach Investigations Report (DBIR) to determine top attacks and the MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework v6.3 o CDM v2.0 – Maps Safeguards as mitigations down to the ATT&CK Technique and Sub-Technique level (MITRE ATT&CK Framework v8.2), uses well-known industry threat reporting to determine the top attack types
  • CIS Risk Assessment Method (CIS RAM) – helps an enterprise justify investments for reasonable implementation of the CIS Controls, define their acceptable level of risk, prioritize and implement the CIS Controls reasonably, and help demonstrate “due care” o CIS RAM 2.0 – includes a simplified CIS RAM worksheet for IG1, and additional modules tailored to developing key risk indicators using quantitative analysis
  • CIS Controls Mobile Companion Guide – helps enterprises implement the consensus developed best practices using CIS Controls v8 for phones, tablets, and mobile application
  • CIS Controls Cloud Companion Guide – guidance on how to apply the security best practices found in CIS Controls v8 to any cloud environment from the consumer/customer perspective
  • Mappings to other regulatory frameworks – enterprises that implement the CIS Controls can show compliance to other frameworks

The center says, “CIS Controls v8 and some of these tools and resources are available today. As additional resources are updated, they'll be added to the v8 page.”

Founded in 2000, the center is home to the CIS Controls and CIS Benchmarks, which it describes as “globally recognized best practices for securing IT systems and data.” CIS also houses the Multi-State Information Sharing and Analysis Center and the Elections Infrastructure Information Sharing and Analysis Center. – Charlie Mitchell (cmitchell@iwpnews.com)