CIS Controls Initial Assessment Tool (v7.1b) : Instructions - Read Me First
CIS Controls Initial Assessment Tool (v7.1b) : Instructions - Read Me First
CIS Controls Initial Assessment Tool (v7.1b) : Instructions - Read Me First
1b)
The purpose for this tool is to provide organizations with a simple tool for performing an initial assessment of their information assurance maturity level based on the controls defined by the CIS Controls and the
Council on Cybersecurity. Any questions about how this tool works or suggestions can be directed to [email protected]. In order to use this tool, the assessor must only complete the answers to the drop down
menu questions lists on the pages labeled CSC #1 - CSC #20. By choosing a drop down choice for each critical control, the assessment tool will automatically generate scores and maturity level based on the answers
to each question. Based on the answers to each question, the dashboard worksheet will automatically populate with the overall maturity level scores for the organization as a whole. These scores can therefore be
used to measure the organization's progress and what percentage of the CIS Controls they are currently following. Ideally in the long term organizations would deploy tools that would automate the collection of this
information, but in the meanwhile, this tool can be used to help start the process of manually assessing the organization's maturity level.
Field Definitions
ID This is the ID number of the specific CIS Control sub-control reference as included in the CIS Controls documentation.
CIS Control Detail This is the detail behind each specific sub-control as defined by the CIS Controls documentation.
EOF Function This standards for "Executive Order Framework (EOF)" function. These functions were defined by NIST in the EOF and act as control characteristics.
Sensor or Baseline This is the type of technical system or baseline that we believe is necessary in order to implement the specific sub control.
Policy Approved This question determines whether the organization currently has a policy defined that indicates that they should be implementing the defined sub control.
Control Implemented This question determines whether or not the organization currently has implemented this sub control and to what degree the control has been implemented.
Control Automated This question determines whether or not the organization currently has automated the implementation of this sub control and to what degree the control has been automated.
Control Reported to Business This question determines whether or not the organization is reporting this sub control to business representatives and to what degree the control has been reported.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Controls Initial Assessment Tool (v7.1b)
CSC #1 0%
Maturity level: Description: Score: CSC #2 0%
Level One Policies Complete 0.00 Maturity Level Aggregate Scores CSC #3 0%
Level Two Controls 1-5 Implemented 0.00 1.00 CSC #4 0%
Level Three All Controls Implemented 0.00 0.80 CSC #5 0%
Level Four All Controls Automated 0.00 0.60 CSC #6 0%
Level Five All Controls Reported 0.00 0.40 CSC #7 0%
0.20
CSC #8 0%
Maturity Rating*: 0.00 0.00 0.00 0.00 0.00 0.00
0.00 CSC #9 0%
*Rating is on a 0-5 scale. Policies Complete Controls 1-5 Implemented All Controls Implemented All Controls Automated All Controls Reported CSC #10 0%
CSC #11 0%
CSC #12 0%
CSC #13 0%
CSC #14 0%
Implementation Percentage by Control CSC #15 0%
CSC #16 0%
100%
90%
CSC #17 0%
80%
CSC #18 0%
70% CSC #19 0%
60% CSC #20 0%
50%
40%
30%
20%
10%
0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0% 0%
0%
CSC #1 CSC #2 CSC #3 CSC #4 CSC #5 CSC #6 CSC #7 CSC #8 CSC #9 CSC #10 CSC #11 CSC #12 CSC #13 CSC #14 CSC #15 CSC #16 CSC #17 CSC #18 CSC #19 CSC #20
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #1: Inventory and Control of Hardware Assets
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Control Automated or Control Reported to Business
Technically Enforced
1.1 Utilize an active discovery tool to identify devices connected to the organization's Identify Active Device Discovery System No Policy Not Implemented Not Automated Not Reported
network and update the hardware asset inventory.
1.2 Utilize a passive discovery tool to identify devices connected to the organization's Identify Passive Device Discovery System No Policy Not Implemented Not Automated Not Reported
network and automatically update the organization's hardware asset inventory.
1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP Identify Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
address management tools to update the organization's hardware asset inventory.
1.4 Maintain an accurate and up-to-date inventory of all technology assets with the Identify Asset Inventory System No Policy Not Implemented Not Automated Not Reported
potential to store or process information. This inventory shall include all assets,
whether connected to the organization's network or not.
1.5 Ensure that the hardware asset inventory records the network address, hardware Identify Asset Inventory System No Policy Not Implemented Not Automated Not Reported
address, machine name, data asset owner, and department for each asset and whether
the hardware asset has been approved to connect to the network.
1.6 Ensure that unauthorized assets are either removed from the network, quarantined or Respond Asset Inventory System No Policy Not Implemented Not Applicable Not Applicable
the inventory is updated in a timely manner.
Utilize port level access control, following 802.1x standards, to control which devices
1.7 can authenticate to the network. The authentication system shall be tied into the Protect Network Level Authentication (NLA) No Policy Not Implemented Not Automated Not Reported
hardware asset inventory data to ensure only authorized devices can connect to the
network.
1.8 Use client certificates to authenticate hardware assets connecting to the organization's Protect Public Key Infrastruture (PKI) No Policy Not Implemented Not Automated Not Reported
trusted network.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #2: Inventory and Control of Software Assets
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
2.1 Maintain an up-to-date list of all authorized software that is required in the enterprise Identify Software Application Inventory No Policy Not Implemented Not Applicable Not Applicable
for any business purpose on any business system.
Ensure that only software applications or operating systems currently supported and
2.2 receiving vendor updates are added to the organization's authorized software Identify Software Application Inventory No Policy Not Implemented Not Applicable Not Applicable
inventory. Unsupported software should be tagged as unsupported in the inventory
system.
2.3 Utilize software inventory tools throughout the organization to automate the Identify Software Application Inventory No Policy Not Implemented Not Automated Not Reported
documentation of all software on business systems.
2.4 The software inventory system should track the name, version, publisher, and install Identify Software Application Inventory No Policy Not Implemented Not Automated Not Reported
date for all software, including operating systems authorized by the organization.
2.5 The software inventory system should be tied into the hardware asset inventory so all Identify Software Application Inventory No Policy Not Implemented Not Automated Not Reported
devices and associated software are tracked from a single location.
2.6 Ensure that unauthorized software is either removed or the inventory is updated in a Identify Software Application Inventory No Policy Not Implemented Not Applicable Not Applicable
timely manner.
2.7 Utilize application whitelisting technology on all assets to ensure that only authorized Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
software executes and all unauthorized software is blocked from executing on assets.
The organization's application whitelisting software must ensure that only authorized
2.8 software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
process.
2.9 The organization's application whitelisting software must ensure that only authorized, Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
digitally signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
2.10 Physically or logically segregated systems should be used to isolate and run software Protect Network Firewall / Acess Control System No Policy Not Implemented Not Applicable Not Applicable
that is required for business operations but incurs higher risk for the organization.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #3: Continuous Vulnerability Management
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Use a dedicated account for authenticated vulnerability scans, which should not be
SCAP Based Vulnerability Management
3.3 used for any other administrative activities and should be tied to specific machines at Detect System No Policy Not Implemented Not Automated Not Reported
specific IP addresses.
Deploy automated software update tools in order to ensure that the operating systems
3.4 Protect Patch Management System No Policy Not Implemented Not Automated Not Reported
are running the most recent security updates provided by the software vendor.
Deploy automated software update tools in order to ensure that third-party software
3.5 on all systems is running the most recent security updates provided by the software Protect Patch Management System No Policy Not Implemented Not Automated Not Reported
vendor.
3.6 Regularly compare the results from consecutive vulnerability scans to verify that Respond SCAP Based Vulnerability Management No Policy Not Implemented Not Automated Not Reported
vulnerabilities have been remediated in a timely manner. System
SCAP Based Vulnerability Management
3.7 Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities. Respond No Policy Not Implemented Not Automated Not Reported
System
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #4: Controlled Use of Administrative Privileges
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Use automated tools to inventory all administrative accounts, including domain and
4.1 local accounts, to ensure that only authorized individuals have elevated privileges. Detect Privileged Account Management System No Policy Not Implemented Not Automated Not Reported
4.2 Before deploying any new asset, change all default passwords to have values consistent Protect Privileged Account Management System No Policy Not Implemented Not Automated Not Reported
with administrative level accounts.
Ensure that all users with administrative account access use a dedicated or secondary
4.3 account for elevated activities. This account should only be used for administrative Protect Privileged Account Management System No Policy Not Implemented Not Applicable Not Applicable
activities and not Internet browsing, email, or similar activities.
Use multi-factor authentication and encrypted channels for all administrative account
4.5 access. Protect Multi-Factor Authentication System No Policy Not Implemented Not Automated Not Reported
Ensure administrators use a dedicated machine for all administrative tasks or tasks
requiring administrative access. This machine will be segmented from the
4.6 Protect Dedicated Administration Systems No Policy Not Implemented Not Applicable Not Applicable
organization's primary network and not be allowed Internet access. This machine will
not be used for reading email, composing documents, or browsing the Internet.
4.7 Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
administrative or development users with the need to access those capabilities.
4.8 Configure systems to issue a log entry and alert when an account is added to or Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
removed from any group assigned administrative privileges.
4.9 Configure systems to issue a log entry and alert on unsuccessful logins to an Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
administrative account.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #5: Secure Configuration for Hardware and Software
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Control Automated or Control Reported to Business
Technically Enforced
5.1 Maintain documented security configuration standards for all authorized operating Protect System Configuration Baselines & Images No Policy Not Implemented Not Applicable Not Applicable
systems and software.
Maintain secure images or templates for all systems in the enterprise based on the
5.2 organization's approved configuration standards. Any new system deployment or Protect System Configuration Baselines & Images No Policy Not Implemented Not Applicable Not Applicable
existing system that becomes compromised should be imaged using one of those
images or templates.
Store the master images and templates on securely configured servers, validated with
5.3 integrity monitoring tools, to ensure that only authorized changes to the images are Protect System Configuration Baselines & Images No Policy Not Implemented Not Automated Not Reported
possible.
5.4 Deploy system configuration management tools that will automatically enforce and Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
redeploy configuration settings to systems at regularly scheduled intervals.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #6: Maintenance, Monitoring, and Analysis of Audit Logs
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Use at least three synchronized time sources from which all servers and network
6.1 devices retrieve time information on a regular basis so that timestamps in logs are Detect Network Time Protocol (NTP) Systems No Policy Not Implemented Not Automated Not Reported
consistent.
6.2 Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable system logging to include detailed information such as an event source, date, Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure that all systems that store logs have adequate storage space for the logs Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
generated.
6.5 Ensure that appropriate logs are being aggregated to a central log management system Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
for analysis and review.
6.6 Deploy Security Information and Event Management (SIEM) or log analytic tools for log Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
correlation and analysis
6.7 Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
On a regular basis, review logs to identify anomalies or abnormal events.
6.8 On a regular basis, tune your SIEM system to better identify actionable events and Detect Log Management System / SIEM No Policy Not Implemented Not Applicable Not Applicable
decrease event noise.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #7: Email and Web Browser Protections
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Ensure that only fully supported web browsers and email clients are allowed to execute
7.1 in the organization, ideally only using the latest version of the browsers and email Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
clients provided by the vendor.
7.2 Uninstall or disable any unauthorized browser or email client plugins or add-on Protect Software Whitelisting System No Policy Not Implemented Not Automated Not Reported
applications.
7.3 Ensure that only authorized scripting languages are able to run in all web browsers and Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
email clients.
7.4 Enforce network-based URL filters that limit a system's ability to connect to websites Protect Network URL Filtering System No Policy Not Implemented Not Automated Not Reported
not approved by the organization. This filtering shall be enforced for each of the
organization's systems, whether they are physically at an organization's facilities or not.
Subscribe to URL-categorization services to ensure that they are up-to-date with the
7.5 most recent website category definitions available. Uncategorized sites shall be blocked Protect Network URL Filtering System No Policy Not Implemented Not Automated Not Reported
by default.
7.6 Log all URL requests from each of the organization's systems, whether on-site or a Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
mobile device, in order to identify potentially malicious activity and assist incident
handlers with identifying potentially compromised systems.
7.7 Use Domain Name System (DNS) filtering services to help block access to known Protect DNS Domain Filtering System No Policy Not Implemented Not Automated Not Reported
malicious domains.
7.8 To lower the chance of spoofed or modified emails from valid domains, implement Protect Anti-Spam Gateway No Policy Not Implemented Not Automated Not Reported
Domain-based Message Authentication, Reporting and Conformance (DMARC) policy
and verification, starting by implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
7.9 Block all email attachments entering the organization's email gateway if the file types Protect Anti-Spam Gateway No Policy Not Implemented Not Automated Not Reported
are unnecessary for the organization's business.
7.10 Use sandboxing to analyze and block inbound email attachments with malicious Protect Anti-Spam Gateway No Policy Not Implemented Not Automated Not Reported
behavior.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #8: Malware Defenses
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
8.1 Utilize centrally managed anti-malware software to continuously monitor and defend Protect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
each of the organization's workstations and servers.
8.2 Ensure that the organization's anti-malware software updates its scanning engine and Protect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
signature database on a regular basis.
8.3 Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
Space Layout Randomization (ASLR) that are available in an operating system or deploy
appropriate toolkits that can be configured to apply protection to a broader set of
applications and executables.
8.4 Configure devices so that they automatically conduct an anti-malware scan of Detect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
removable media when inserted or connected.
8.5 Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
Configure devices to not auto-run content from removable media.
8.6 Send all malware detection events to enterprise anti-malware administration tools and Detect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
event log servers for analysis and alerting.
8.7 Enable Domain Name System (DNS) query logging to detect hostname lookups for Detect DNS Domain Filtering System No Policy Not Implemented Not Automated Not Reported
known malicious domains.
8.8 Enable command-line audit logging for command shells, such as Microsoft PowerShell Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
and Bash.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #9: Limitation and Control of Network Ports
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Associate active ports, services, and protocols to the hardware assets in the asset SCAP Based Vulnerability Management
9.1 inventory. Identify System No Policy Not Implemented Not Automated Not Reported
Ensure that only network ports, protocols, and services listening on a system with SCAP Based Vulnerability Management
9.2 Protect No Policy Not Implemented Not Automated Not Reported
validated business needs are running on each system. System
Perform automated port scans on a regular basis against all systems and alert if SCAP Based Vulnerability Management
9.3 unauthorized ports are detected on a system. Detect System No Policy Not Implemented Not Automated Not Reported
9.4 Apply host-based firewalls or port-filtering tools on end systems, with a default-deny Protect Host Based Firewall No Policy Not Implemented Not Automated Not Reported
rule that drops all traffic except those services and ports that are explicitly allowed.
Place application firewalls in front of any critical servers to verify and validate the traffic
9.5 going to the server. Any unauthorized traffic should be blocked and logged. Protect Application Aware Firewall No Policy Not Implemented Not Automated Not Reported
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #10: Data Recovery Capability
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
10.1 Ensure that all system data is automatically backed up on a regular basis. Protect Backup / Recovery System No Policy Not Implemented Not Automated Not Reported
10.2 Ensure that all of the organization's key systems are backed up as a complete system, Protect Backup / Recovery System No Policy Not Implemented Not Automated Not Reported
through processes such as imaging, to enable the quick recovery of an entire system.
10.3 Test data integrity on backup media on a regular basis by performing a data restoration Protect Backup / Recovery System No Policy Not Implemented Not Applicable Not Applicable
process to ensure that the backup is properly working.
Ensure that backups are properly protected via physical security or encryption when
10.4 they are stored, as well as when they are moved across the network. This includes Protect Backup / Recovery System No Policy Not Implemented Not Automated Not Reported
remote backups and cloud services.
10.5 Ensure that all backups have at least one offline (i.e., not accessible via a network Protect Backup / Recovery System No Policy Not Implemented Not Automated Not Reported
connection) backup destination.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #11: Secure Configurations for Network Devices
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
11.1 Maintain documented security configuration standards for all authorized network Protect Network Device Management System No Policy Not Implemented Not Applicable Not Applicable
devices.
11.2 All configuration rules that allow traffic to flow through network devices should be Protect Network Device Management System No Policy Not Implemented Not Applicable Not Applicable
documented in a configuration management system with a specific business reason for
each rule, a specific individual’s name responsible for that business need, and an
expected duration of the need.
11.3 Compare all network device configurations against approved security configurations Detect Network Device Management System No Policy Not Implemented Not Automated Not Reported
defined for each network device in use, and alert when any deviations are discovered.
11.4 Protect Network Device Management System No Policy Not Implemented Not Automated Not Reported
Install the latest stable version of any security-related updates on all network devices.
11.5 Protect Multi-Factor Authentication System No Policy Not Implemented Not Automated Not Reported
Manage all network devices using multi-factor authentication and encrypted sessions.
11.6 Ensure network engineers use a dedicated machine for all administrative tasks or tasks Protect Dedicated Administration Systems No Policy Not Implemented Not Applicable Not Applicable
requiring elevated access. This machine shall be segmented from the organization's
primary network and not be allowed Internet access. This machine shall not be used for
reading email, composing documents, or surfing the Internet.
11.7 Manage the network infrastructure across network connections that are separated Protect Dedicated Administration Systems No Policy Not Implemented Not Applicable Not Applicable
from the business use of that network, relying on separate VLANs or, preferably, on
entirely different physical connectivity for management sessions for network devices.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #12: Boundary Defense
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
12.1 Maintain an up-to-date inventory of all of the organization's network boundaries. Identify Network Firewall / Acess Control System No Policy Not Implemented Not Applicable Not Applicable
12.2 Perform regular scans from outside each trusted network boundary to detect any Detect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
unauthorized connections which are accessible across the boundary.
Deny communications with known malicious or unused Internet IP addresses and limit
12.3 access only to trusted and necessary IP address ranges at each of the organization's Protect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
network boundaries.
Configure monitoring systems to record network packets passing through the boundary
12.5 at each of the organization's network boundaries. Detect Network Packet Capture System No Policy Not Implemented Not Automated Not Reported
Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual
12.6 attack mechanisms and detect compromise of these systems at each of the Detect Network Based Intruston Detection System No Policy Not Implemented Not Automated Not Reported
(NIDS)
organization's network boundaries.
12.7 Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network Detect Network Based Intrusion Prevention System No Policy Not Implemented Not Automated Not Reported
traffic at each of the organization's network boundaries. (IPS)
12.8 Enable the collection of NetFlow and logging data on all network boundary devices. Detect Network Device Management System No Policy Not Implemented Not Automated Not Reported
12.9 Ensure that all network traffic to or from the Internet passes through an authenticated Protect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
application layer proxy that is configured to filter unauthorized connections.
Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the
12.10 content. However, the organization may use whitelists of allowed sites that can be Detect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
accessed through the proxy without decrypting the traffic.
Require all remote login access to the organization's network to encrypt data in transit
12.11 Protect Multi-Factor Authentication System No Policy Not Implemented Not Automated Not Reported
and use multi-factor authentication.
Scan all enterprise devices remotely logging into the organization's network prior to
12.12 accessing the network to ensure that each of the organization's security policies has Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
been enforced in the same manner as local network devices.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #13: Data Protection
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Remove sensitive data or systems not regularly accessed by the organization from the
13.2 network. These systems shall only be used as stand-alone systems (disconnected from Protect Data Inventory / Classification System No Policy Not Implemented Not Applicable Not Applicable
the network) by the business unit needing to occasionally use the system or completely
virtualized and powered off until needed.
Deploy an automated tool on network perimeters that monitors for unauthorized Network Based Data Loss Prevention (DLP)
13.3 transfer of sensitive information and blocks such transfers while alerting information Identify System No Policy Not Implemented Not Automated Not Reported
security professionals.
13.4 Only allow access to authorized cloud storage or email providers. Protect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
Monitor all traffic leaving the organization and detect any unauthorized use of Network Based Data Loss Prevention (DLP)
13.5 encryption. Detect System No Policy Not Implemented Not Automated Not Reported
If USB storage devices are required, enterprise software should be used that can
13.7 configure systems to allow the use of specific devices. An inventory of such devices Identify Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
should be maintained.
Configure systems not to write data to external removable media, if there is no
13.8 Protect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
business need for supporting such devices.
If USB storage devices are required, all data stored on such devices must be encrypted
13.9 while at rest. Protect Endpoint Protection System No Policy Not Implemented Not Automated Not Reported
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #14: Controlled Access Based on the Need to Know
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Segment the network based on the label or classification level of the information stored
14.1 on the servers, locate all sensitive information on separated Virtual Local Area Protect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
Networks (VLANs).
14.2 Enable firewall filtering between VLANs to ensure that only authorized systems are able Protect Network Firewall / Acess Control System No Policy Not Implemented Not Automated Not Reported
to communicate with other systems necessary to fulfill their specific responsibilities.
Utilize an active discovery tool to identify all sensitive information stored, processed, or
14.5 transmitted by the organization's technology systems, including those located on-site or Detect Data Inventory / Classification System No Policy Not Implemented Not Automated Not Reported
at a remote service provider, and update the organization's sensitive information
inventory.
14.6 Protect all information stored on systems with file system, network share, claims, Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
application, or database specific access control lists. These controls will enforce the
principle that only authorized individuals should have access to the information based
on their need to access the information as a part of their responsibilities.
14.7 Use an automated tool, such as host-based Data Loss Prevention, to enforce access Protect Host Based Data Loss Prevention (DLP) System No Policy Not Implemented Not Automated Not Reported
controls to data even when the data is copied off a system.
Encrypt all sensitive information at rest using a tool that requires a secondary
14.8 authentication mechanism not integrated into the operating system, in order to access Protect Host Based Data Loss Prevention (DLP) System No Policy Not Implemented Not Automated Not Reported
the information.
Enforce detailed audit logging for access to sensitive data or changes to sensitive data
14.9 (utilizing tools such as File Integrity Monitoring or Security Information and Event Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
Monitoring).
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #15: Wireless Access Control
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
Configure network vulnerability scanning tools to detect and alert on unauthorized SCAP Based Vulnerability Management
15.2 Identify No Policy Not Implemented Not Automated Not Reported
wireless access points connected to the wired network. System
Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized
15.3 wireless access points connected to the network. Detect Wireless Intrusion Detection System (WIDS) No Policy Not Implemented Not Automated Not Reported
Disable wireless access on devices that do not have a business purpose for wireless
15.4 access. Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
15.6 Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
15.7 Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. Protect Network Device Management System No Policy Not Implemented Not Automated Not Reported
Disable wireless peripheral access of devices [such as Bluetooth and Near Field
15.9 Protect System Configuration Enforcement System No Policy Not Implemented Not Automated Not Reported
Communication (NFC)], unless such access is required for a business purpose.
Create a separate wireless network for personal or untrusted devices. Enterprise access
15.10 Protect Network Device Management System No Policy Not Implemented Not Applicable Not Applicable
from this network should be treated as untrusted and filtered and audited accordingly.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #16: Account Monitoring and Control
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
16.1 Maintain an inventory of each of the organization's authentication systems, including Identify Identity & Access Management System No Policy Not Implemented Not Applicable Not Applicable
those located on-site or at a remote service provider.
16.2 Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
Configure access for all accounts through as few centralized points of authentication as
possible, including network, security, and cloud systems.
16.3 Require multi-factor authentication for all user accounts, on all systems, whether Protect Multi-Factor Authentication System No Policy Not Implemented Not Automated Not Reported
managed on-site or by a third-party provider.
16.4 Encrypt or hash with a salt all authentication credentials when stored. Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
16.5 Ensure that all account usernames and authentication credentials are transmitted Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
across networks using encrypted channels.
16.6 Identify Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
Maintain an inventory of all accounts organized by authentication system.
Establish and follow an automated process for revoking system access by disabling
16.7 accounts immediately upon termination or change of responsibilities of an employee or Protect Identity & Access Management System No Policy Not Implemented Not Applicable Not Applicable
contractor. Disabling these accounts, instead of deleting accounts, allows preservation
of audit trails.
16.8 Disable any account that cannot be associated with a business process or business Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
owner.
16.9 Automatically disable dormant accounts after a set period of inactivity. Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
16.10 Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
Ensure that all accounts have an expiration date that is monitored and enforced.
16.11 Protect Identity & Access Management System No Policy Not Implemented Not Automated Not Reported
Automatically lock workstation sessions after a standard period of inactivity.
16.12 Monitor attempts to access deactivated accounts through audit logging. Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
16.13 Alert when users deviate from normal login behavior, such as time-of-day, workstation Detect Log Management System / SIEM No Policy Not Implemented Not Automated Not Reported
location, and duration.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #17: Implement a Security Awareness and Training Program
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
17.1 Perform a skills gap analysis to understand the skills and behaviors workforce members Identify Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
are not adhering to, using this information to build a baseline education roadmap.
17.2 Deliver training to address the skills gap identified to positively impact workforce Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
members' security behavior.
17.3 Create a security awareness program for all workforce members to complete on a Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
regular basis to ensure they understand and exhibit the necessary behaviors and skills
to help ensure the security of the organization. The organization's security awareness
program should be communicated in a continuous and engaging manner.
Ensure that the organization's security awareness program is updated frequently (at
17.4 least annually) to address new technologies, threats, standards, and business Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
requirements.
17.5 Train workforce members on the importance of enabling and utilizing secure Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
authentication.
17.6 Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
Train the workforce on how to identify different forms of social engineering attacks,
such as phishing, phone scams, and impersonation calls.
17.7 Train workforce members on how to identify and properly store, transfer, archive, and Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
destroy sensitive information.
Train workforce members to be aware of causes for unintentional data exposures, such
17.8 as losing their mobile devices or emailing the wrong person due to autocomplete in Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
email.
17.9 Train workforce members to be able to identify the most common indicators of an Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
incident and be able to report such an incident.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #18: Application Software Security
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
For in-house developed software, ensure that explicit error checking is performed and
18.2 documented for all input, including for size, data type, and acceptable ranges or Protect Secure Coding Standards No Policy Not Implemented Not Applicable Not Applicable
formats.
Verify that the version of all software acquired from outside your organization is still
18.3 supported by the developer or appropriately hardened based on developer security Protect Secure Coding Standards No Policy Not Implemented Not Applicable Not Applicable
recommendations.
Only use up-to-date and trusted third-party components for the software developed by
18.4 the organization. Protect Secure Coding Standards No Policy Not Implemented Not Applicable Not Applicable
18.5 Use only standardized, currently accepted, and extensively reviewed encryption Protect Secure Coding Standards No Policy Not Implemented Not Applicable Not Applicable
algorithms.
18.6 Ensure that all software development personnel receive training in writing secure code Protect Training / Awareness Education Plans No Policy Not Implemented Not Applicable Not Applicable
for their specific development environment and responsibilities.
Apply static and dynamic analysis tools to verify that secure coding practices are being
18.7 adhered to for internally developed software. Detect Software Vulnerability Scanning Tool No Policy Not Implemented Not Automated Not Reported
Protect web applications by deploying web application firewalls (WAFs) that inspect all
traffic flowing to the web application for common web application attacks. For
applications that are not web-based, specific application firewalls should be deployed if
18.10 such tools are available for the given application type. If the traffic is encrypted, the Protect Web Application Firewall (WAF) No Policy Not Implemented Not Automated Not Reported
device should either sit behind the encryption or be capable of decrypting the traffic
prior to analysis. If neither option is appropriate, a host-based web application firewall
should be deployed.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #19: Incident Response and Management
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
19.1 Ensure that there are written incident response plans that define roles of personnel as Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
well as phases of incident handling/management.
Assign job titles and duties for handling computer and network incidents to specific
19.2 individuals, and ensure tracking and documentation throughout the incident through Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
resolution.
19.3 Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
Designate management personnel, as well as backups, who will support the incident
handling process by acting in key decision-making roles.
19.4 Devise organization-wide standards for the time required for system administrators and Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
other workforce members to report anomalous events to the incident handling team,
the mechanisms for such reporting, and the kind of information that should be included
in the incident notification.
19.5 Assemble and maintain information on third-party contact information to be used to Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
report a security incident, such as Law Enforcement, relevant government
departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
19.6 Publish information for all workforce members, regarding reporting computer Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
anomalies and incidents, to the incident handling team. Such information should be
included in routine employee awareness activities.
19.7 Plan and conduct routine incident response exercises and scenarios for the workforce Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
involved in the incident response to maintain awareness and comfort in responding to
real-world threats. Exercises should test communication channels, decision making, and
incident responder’s technical capabilities using tools and data available to them.
Create incident scoring and prioritization schema based on known or potential impact
19.8 to your organization. Utilize score to define frequency of status updates and escalation Protect Incident Management Plans No Policy Not Implemented Not Applicable Not Applicable
procedures.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Control #20: Penetration Tests and Red Team Exercises
Control Automated or
ID CIS Control Detail NIST CSF Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business
20.1 Protect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
Establish a program for penetration tests that includes a full scope of blended attacks,
such as wireless, client-based, and web application attacks.
20.2 Conduct regular external and internal penetration tests to identify vulnerabilities and Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
attack vectors that can be used to exploit enterprise systems successfully.
20.3 Perform periodic Red Team exercises to test organizational readiness to identify and Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
stop attacks or to respond quickly and effectively.
20.4 Include tests for the presence of unprotected system information and artifacts that Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
would be useful to attackers, including network diagrams, configuration files, older
penetration test reports, emails or documents containing passwords or other
information critical to system operation.
20.5 Create a test bed that mimics a production environment for specific penetration tests Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
and Red Team attacks against elements that are not typically tested in production, such
as attacks against supervisory control and data acquisition and other control systems.
Use vulnerability scanning and penetration testing tools in concert. The results of
20.6 vulnerability scanning assessments should be used as a starting point to guide and Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
focus penetration testing efforts.
20.7 Wherever possible, ensure that Red Team results are documented using open, Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
machine-readable standards (e.g., SCAP). Devise a scoring method for determining the
results of Red Team exercises so that results can be compared over time.
20.8 Any user or system accounts used to perform penetration testing should be controlled Detect Penetration Testing Plans No Policy Not Implemented Not Applicable Not Applicable
and monitored to make sure they are only being used for legitimate purposes, and are
removed or restored to normal function after testing is over.
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
DO NOT CHANGE THESE VALUES
Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy
Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on Most Systems
Implemented on All Systems
Automation Status
Not Automated
Parts of Policy Automated
Automated on Some Systems
Automated on Most Systems
Automated on All Systems
Reporting Status
Not Reported
Parts of Policy Reported
Reported on Some Systems
Reported on Most Systems
Reported on All Systems