The CIS Critical Security Controls for Effective Cyber Defense

Goals

The guidelines consist of 20 key actions, called critical security controls (CSC), that organizations should take to block or mitigate known attacks. The controls are designed so that primarily automated means can be used to implement, enforce and monitor them. The security controls give no-nonsense, actionable recommendations for cyber security, written in language that’s easily understood by IT personnel. Goals of the Consensus Audit Guidelines include to:

Leverage cyber offense to inform cyber defense, focusing on high payoff areas,

Ensure that security investments are focused to counter highest threats,

Maximize use of automation to enforce security controls, thereby negating human errors, and

Use consensus process to collect best ideas.

Controls

Version 3.0 was released on April 13, 2011. Version 5.0 was released on February 2, 2014 by the Council on Cyber Security (CCS). Version 6.0 was released on October 15, 2015 and consists of the security controls below. Version 6.1 was released on August 31, 2016 and has the same priorization as version 6. Compared to version 5, version 6/6.1 has re-prioritized the controls and changed these two controls:

'Secure Network Engineering' was CSC 19 in version 5 but has been deleted in version 6/6.1.

'CSC 7: Email and Web Browser Protections' has been added in version 6/6.1.

CSC 1: Inventory of Authorized and Unauthorized DevicesCSC 2: Inventory of Authorized and Unauthorized SoftwareCSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and ServersCSC 4: Continuous Vulnerability Assessment and RemediationCSC 5: Controlled Use of Administrative PrivilegesCSC 6: Maintenance, Monitoring, and Analysis of Audit LogsCSC 7: Email and Web Browser ProtectionsCSC 8: Malware DefensesCSC 9: Limitation and Control of Network Ports, Protocols, and ServicesCSC 10: Data Recovery CapabilityCSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and SwitchesCSC 12: Boundary DefenseCSC 13: Data ProtectionCSC 14: Controlled Access Based on the Need to KnowCSC 15: Wireless Access ControlCSC 16: Account Monitoring and ControlCSC 17: Security Skills Assessment and Appropriate Training to Fill GapsCSC 18: Application Software SecurityCSC 19: Incident Response and ManagementCSC 20: Penetration Tests and Red Team Exercises

Contributors

The Consensus Audit Guidelines (CAG) were compiled by a consortium of more than 100 contributors from US government agencies, commercial forensics experts and pen testers. Authors of the initial draft include members of:

US National Security Agency Red Team and Blue Team

US Department of Homeland Security, US-CERT

US DoD Computer Network Defense Architecture Group

US DoD Joint Task Force – Global Network Operations (JTF-GNO)

US DoD Defense Cyber Crime Center (DC3)

US Department of Energy Los Alamos National Lab, and three other National Labs.

US Department of State, Office of the CISO

US Air Force

US Army Research Laboratory

US Department of Transportation, Office of the CIO

US Department of Health and Human Services, Office of the CISO

US Government Accountability Office (GAO)

MITRE Corporation

The SANS Institute

Notable results

Starting in 2009, the US Department of State began supplementing its risk scoring program in part using the Consensus Audit Guidelines. According to the Department's measurements, in the first year of site scoring using this approach the department reduced overall risk on its key unclassified network by nearly 90 percent in overseas sites, and by 89 percent in domestic sites.