CIS Controls v8
Cloud Companion Guide

March 2022

CIS Controls Cloud Companion Guide 1


Acknowledgements

CIS would like to thank the many security experts who volunteer their time and talent to support the CIS Controls and other CIS work. CIS products represent the effort of a veritable army of volunteers from across the industry, generously giving their time and talent in the name of a more secure online experience for everyone.

EDITORS
G. Carpenter, AWS
Randy Mowen, CIS
Robin Regnier, CIS

CONTRIBUTORS
Ginger Anderson, CIS
Tyler Desjardins, Arctic Wolf
Siddiqui Faheem, Al Hilal Bank, United Arab Emirates
Staffan Huslid, Truesec AB
Mosi K. Platt, Security Governance, Risk, Compliance and Assurance Professional
Dr. James Stewart, SME Cybersecurity, The Lynchpin Group
Valecia Stocchetti, CIS

In addition, we want to thank those contributors whose attributions were not available at the time of publication.

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode). To further clarify the Creative Commons license related to the CIS Critical Security Controls® (CIS Controls®) content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization, for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform, or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to http://www.cisecurity.org/controls/ when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of the Center for Internet Security, Inc. (CIS®).



Contents

Introduction 1
Methodology 4
How to Use This Document 5
Applicability Overview for Each Service Model 6

CIS Controls Cloud Applicability

CIS CONTROL 01 Inventory and Control of Enterprise Assets 8
Cloud Applicability 8
Cloud Service and Deployment Considerations 9

CIS CONTROL 02 Inventory and Control of Software Assets 10
Cloud Applicability 10
Cloud Service and Deployment Considerations 11

CIS CONTROL 03 Data Protection 12
Cloud Applicability 12
Cloud Service and Deployment Considerations 13

CIS CONTROL 04 Secure Configuration of Enterprise Assets and Software 15
Cloud Applicability 15
Cloud Service and Deployment Considerations 16

CIS CONTROL 05 Account Management 18
Cloud Applicability 18
Cloud Service and Deployment Considerations 19

CIS CONTROL 06 Access Control Management 20
Cloud Applicability 20
Cloud Service and Deployment Considerations 21

CIS CONTROL 07 Continuous Vulnerability Management 22
Cloud Applicability 22
Cloud Service and Deployment Considerations 23

CIS CONTROL 08 Audit Log Management 24
Cloud Applicability 24
Cloud Service and Deployment Considerations 25

CIS CONTROL 09 Email and Web Browser Protections 26
Cloud Applicability 26
Cloud Service and Deployment Considerations 27

CIS CONTROL 10 Malware Defenses 28
Cloud Applicability 28
Cloud Service and Deployment Considerations 29

CIS CONTROL 11 Data Recovery 30
Cloud Applicability 30
Cloud Service and Deployment Considerations 31

CIS CONTROL 12 Network Infrastructure Management 32
Cloud Applicability 32
Cloud Service and Deployment Considerations 33

CIS CONTROL 13 Network Monitoring and Defense 34
Cloud Applicability 34
Cloud Service and Deployment Considerations 35

CIS CONTROL 14 Security Awareness and Skills Training 36
Cloud Applicability 36
Cloud Service and Deployment Considerations 37

CIS CONTROL 15 Service Provider Management 38
Cloud Applicability 38
Cloud Service and Deployment Considerations 39

CIS CONTROL 16 Application Software Security 40
Cloud Applicability 40
Cloud Service and Deployment Considerations 42

CIS CONTROL 17 Incident Response Management 43
Cloud Applicability 43
Cloud Service and Deployment Considerations 44

CIS CONTROL 18 Penetration Testing 45
Cloud Applicability 45
Cloud Service and Deployment Considerations 46

Appendix

Abbreviations and Acronyms 48
Links and Resources 49
Information 50


Introduction

The CIS Critical Security Controls® (CIS Controls®) are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of information technology (IT) experts who apply their first-hand experience as cyber defenders to create these globally accepted security best practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing, healthcare, education, government, defense, and others. While the CIS Controls address the general practices that most enterprises should take to secure their systems, some operational environments may present unique requirements not addressed by the CIS Controls.

We are at a fascinating point in the evolution of what we now call cyber defense. To help us understand the cyber threat, we have seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat-sharing frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on what they should do to secure their infrastructure. But all of this technology, information, and oversight has become a veritable “Fog of More” — competing options, priorities, opinions, and claims that can paralyze or distract an enterprise from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are distributed across multiple locations, many of which are not within our enterprise’s infrastructure.

About CIS: The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization whose mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. For additional information, go to www.cisecurity.org.

The CIS Controls started as a grassroots activity to cut through the “Fog of More” and
focus on the most fundamental and valuable actions that every enterprise should take. This
companion guide will break down and map the applicable Controls and their implementation
for the cloud environment. As the CIS Controls continue to be refined and re-worked through
the community, the call for CIS Controls guidance for the cloud was identified as one of the
high priority companion documents to be developed.

While many of the core security concerns of enterprise IT systems are shared within
cloud environments, the main challenge in applying best practices is tied to the fact that
these systems typically operate software and hardware under different assumed security
responsibilities. Ensuring and understanding that the service-level agreements (SLAs) and
Legal Contracts with the cloud service provider (CSP) highlight liability, service levels, breach
disclosure, and incident response timeframes is an important piece of your cloud security. The
shared security responsibility, as well as the specific cloud services and deployment models
utilized, changes who handles the security requirements and with whom the assumed security
risk resides. CSPs are constantly adding new functional services along with configuration and
security tools to better manage them at a very rapid pace. As new tools become available, the
cloud consumer should consider a hybrid approach using third-party tools along with CSP
native security tools that best fit an enterprise’s security and management needs. Enterprise
management processes should ensure there is overlap rather than gaps in coverage between
native and third-party tools.



Cloud environments have service models that the applications or services can be classified
under. These models have evolved over time and continue to emerge:

• IaaS (Infrastructure as a Service) is a cloud environment that offers computing resources
such as virtual servers, storage, and networking hardware on demand. The consumer
utilizes their own software such as operating systems, middleware, and applications. The
underlying cloud infrastructure is managed by the CSP.
• PaaS (Platform as a Service) is a cloud computing environment for development and
management of a consumer’s applications. It includes the infrastructure hardware:
virtual servers, storage, and networking while tying in the middleware and development
tools to allow the consumer to deploy their applications. It is designed to support
the complete application life cycle while leaving the management of the underlying
infrastructure to the CSP.
• SaaS (Software as a Service) is a cloud computing software solution that provides the
consumer with access to a complete software product. The software application resides on
a cloud environment and is accessed by the consumer through the web or an application
program interface (API). The consumer can utilize the application to store and analyze data
without having to worry about managing the infrastructure, service, or software, as that
falls to the CSP.
• FaaS (Function as a Service) is a cloud computing service that allows the consumer
to develop, manage, and run their application functionalities without having to manage
and maintain any of the infrastructure that is required. The consumer can execute code in
response to events that happen within the CSP or the application without having to build
out or maintain a complex underlying infrastructure.

To complicate things even more, a cloud environment has multiple deployment models:

• Private cloud (on-prem) consists of all the computing resources being hosted and used
exclusively in private tenancy by one consumer (enterprise) within its own offices and
data centers. The consumer is responsible for the operational costs, hardware, software,
and the resources required to build and maintain the infrastructure. This is best used for
critical business operations that want to control all access, including physical access, to the
cloud system.
• Private cloud (third-party hosted) is a private tenancy cloud system that is hosted by an
external third-party provider. The third-party provides an exclusive use cloud environment
for the consumer to deploy applications and store data on. The third-party provides the
hardware, software, servers, supporting infrastructure and sometimes staff, which offers
the customer a reduced, up front capital investment and access to additional resources as
needed. This model can be useful for enterprises that have elastic computing needs, have
specific regulatory requirements that can be met at scale by a third-party much cheaper
than on-prem, or for enterprises that do not wish to make a large capital investment in IT
infrastructure and would rather pay as they go.
• Community cloud (shared) is a deployment solution where the computing resources and
infrastructure are shared between several enterprises or community of consumers. The
resources can be managed internally or by a third-party and they can be hosted on-prem or
externally. The enterprises share the cost and often have similar cloud security requirements
and business objectives.
• Public cloud is an infrastructure and computing service hosted by a third-party company
defined as a CSP and exists on the CSP’s premises. It is available over the internet and the
services can be delivered through a self-service portal. Public cloud is provisioned for open
use by the general public and the consumer is provided on-demand access and scalability
without the higher overhead cost of maintaining a private cloud environment, but gives up
private tenancy. The CSP is responsible for the management and maintenance of the system
while the consumer pays only for resources they use. This type of cloud system depends on
a “shared security responsibility model.”



• Hybrid cloud is an environment that uses a combination of two or more cloud
deployment models (private cloud (on-prem), private cloud (third-party hosted), and public
cloud) with an orchestration service between the unique deployment models. A hybrid cloud
system can provide more flexibility than exclusively utilizing a public, private, or community
cloud system.

These different deployment models led to and now drive the CIS Controls Cloud
Companion Guide.



Methodology

A consistent approach is needed for analyzing the CIS Controls in the context of the cloud. For each
of the CIS Controls, the following information is provided:

• Cloud Applicability — The applicability field assesses the degree to which a CIS Control
functions within the cloud space and which service model should be considered.
• Cloud Service and Deployment Considerations — Service and deployment model
considerations further define who is responsible for the Controls within the service model it
is applicable to and what the consumer of the CSP is responsible for.
• Cloud Additional Considerations — This is a general area for any additional guidance that
also needs to be noted. For instance, relevant tools, products, or threat information that
could be of use can be found here.



How to Use This Document

In this document, we provide guidance on how to apply the security best practices found in
CIS Controls Version 8 to any cloud environment from the consumer/customer perspective.
For each top-level CIS Control, there is a brief discussion on how to interpret and apply the
CIS Control in such environments, along with any unique considerations or differences from
common IT environments.

The applicability of specific CIS Controls and CIS Safeguards is addressed, and additional
steps needed in any cloud environment are explained, based on the individual service
models. Throughout this document, we take into consideration the unique mission/business
requirements found in cloud environments, as well as the unique risks (vulnerabilities, threats,
consequences, and security responsibilities), which in turn drive the priority of the security
requirements (e.g., availability, integrity, and confidentiality of process data).

By reading through CIS Controls Version 8 with this companion guide, the reader should be
able to tailor the CIS Controls in the context of a specific IT/Operational Technology (OT)
cloud enterprise as an essential starting point for a security improvement assessment and
roadmap. We should mention that OT is hardware and software that detects or causes a
change through the direct monitoring and/or control of physical devices, processes, and
events in the enterprise. Finally, this document is also aimed at guiding enterprises involved in
the agile software development process via utilization of cloud-based services. DevSecOps,
which is short for development, security, and operations, automates the integration of security
at every phase of the software and its underlying infrastructure development life cycle, from
initial design through integration, testing, deployment, and software delivery. CIS Control 16
will cover these aspects.

As part of CIS Controls v8, the Implementation Groups (IGs) are a guideline to help
enterprises determine a starting point for implementation of the CIS Controls. Enterprises
will, at times, find the need to implement CIS Safeguards in a higher IG. When integrating
new technology into an environment, such as cloud, an enterprise should fully consider and
assess the security risks and impacts to assets and data. That understanding should drive the
selection and implementation of appropriate CIS Safeguards regardless of IG.

ESSENTIAL CYBER HYGIENE

The number of Safeguards an enterprise is expected to implement increases
based on which group the enterprise falls into (153 total Safeguards).

IG1 (56 Safeguards): IG1 is the definition of essential cyber hygiene and represents a minimum
standard of information security for all enterprises. IG1 assists enterprises
with limited cybersecurity expertise thwart general, non-targeted attacks.

IG2 (74 Safeguards): IG2 assists enterprises managing IT infrastructure of multiple
departments with differing risk profiles. IG2 aims to help enterprises cope
with increased operational complexity.

IG3 (23 Safeguards): IG3 assists enterprises with IT security experts to secure sensitive and
confidential data. IG3 aims to prevent and/or lessen the impact of
sophisticated attacks.



Applicability Overview for Each Service Model

Applicability of Service Model (legend):
• More than 60% of CIS Safeguards Apply
• Between 60% and 0% of the CIS Safeguards Apply
• 0%

CONTROL | CONTROL TITLE | IaaS | PaaS | SaaS | FaaS
01 | Inventory and Control of Enterprise Assets
02 | Inventory and Control of Software Assets
03 | Data Protection
04 | Secure Configuration of Enterprise Assets and Software
05 | Account Management
06 | Access Control Management
07 | Continuous Vulnerability Management
08 | Audit Log Management
09 | Email and Web Browser Protections
10 | Malware Defenses
11 | Data Recovery
12 | Network Infrastructure Management
13 | Network Monitoring and Defense
14 | Security Awareness and Skills Training
15 | Service Provider Management
16 | Application Software Security
17 | Incident Response Management
18 | Penetration Testing

[Table: the per-service-model applicability of each Control is shown as color-coded cells in the original and is not reproduced in this text version.]
CIS Controls Cloud Applicability


CIS CONTROL 01: Inventory and Control of Enterprise Assets

Overview
Actively manage (inventory, track, and correct) all enterprise assets (end-user devices,
including portable and mobile; network devices; non-computing/Internet of Things (IoT)
devices; and servers) connected to the infrastructure, physically, virtually, remotely, and
those within cloud environments, to accurately know the totality of assets that need
to be monitored and protected within the enterprise. This will also support identifying
unauthorized and unmanaged assets to remove or remediate.

Cloud Applicability
The first CIS Control is considered the most important because it is necessary to first identify
the systems and devices that need to be secured. CIS Control 1 is about taking inventory.
Understanding and solving the asset inventory and device visibility problem is critical in
managing a business security program. This is challenging in cloud environments due to the
shared security responsibility and the cloud service model utilized.

CIS Control 01: Inventory and Control of Enterprise Assets

SAFEGUARD | ASSET TYPE | SECURITY FUNCTION | CONTROL TITLE | IMPLEMENTATION GROUPS | APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

1.1 | Devices | Identify | Establish and Maintain Detailed Enterprise Asset Inventory | IG1 IG2 IG3 | ✓ ✓
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to
store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/
IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name,
data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For
mobile end-user devices, mobile device management (MDM) type tools can support this process, where appropriate.
This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud
environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure,
even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.

1.2 | Devices | Respond | Address Unauthorized Assets | IG1 IG2 IG3 | ✓ ✓
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove
the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.

1.3 | Devices | Detect | Utilize an Active Discovery Tool | IG2 IG3 | ✓ ✓
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery
tool to execute daily, or more frequently.

1.4 | Devices | Identify | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | IG2 IG3 | ✓ ✓
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s
asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.

1.5 | Devices | Detect | Use a Passive Asset Discovery Tool | IG3 | ✓ ✓
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update
the enterprise’s asset inventory at least weekly, or more frequently.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and its Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The local administrator (cloud consumer) is responsible for the security
of everything (physical servers, room, network, storage, hypervisor, operating systems, etc.).
• IaaS — The administrator (cloud consumer) deploys, operates, and maintains the virtual
networks and virtual machines within this service model but does not manage the
underlying cloud infrastructure (physical servers, physical network, physical storage,
hypervisor, etc.), as that is the responsibility of the CSP.
• PaaS — The administrator (cloud consumer) manages the development, testing, and
deployment of their applications. They have full control over the applications and in some
cases the host environment settings and operating systems. The CSP is responsible for
the physical servers, physical network, storage, hypervisor, and operating systems. DHCP
logging and port-level access control might not be applicable.
• SaaS — This is not applicable for the cloud consumer, as SaaS and FaaS fall under software
assets (see CIS Control 02). The CSP is responsible for everything but the data.
• FaaS — This is not applicable for the cloud consumer, as SaaS and FaaS fall under software
assets (see CIS Control 02). The CSP is responsible for everything but the data.

CLOUD ADDITIONAL CONSIDERATIONS

• In a cloud environment, assets in on-prem, IaaS, or PaaS service models are virtual and
can be in the form of virtual machines, virtual networks, virtual switches, etc., with limited
exceptions such as dedicated hardware security modules (HSMs).
• Due to the nature of virtual systems and the ease of bringing a new virtual asset online, it is
imperative to maintain a comprehensive list of all the cloud hardware assets you manage.
• It is always up to the consumer to request documentation outlining how the CSP is securing
the infrastructure and technology that falls under its responsibility.
• When collecting asset inventory, you should consider the criticality of the asset, the
operating system and version, when the asset was discovered, and the asset tag
if applicable.
• If containers are considered as FaaS, then the CSP is often not responsible for maintaining
security of the containers or the microservices that run within them.
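As an added example (not code from the guide or from CIS), the Python below reconciles constructed ISC dhcpd-style DHCPACK log lines against a small inventory carrying the Safeguard 1.1 fields: it updates observed addresses and last-seen times from lease activity (Safeguard 1.4) and returns hardware addresses that are unknown, not approved to connect, or leasing an address that differs from their recorded static one, as input to the weekly unauthorized-asset process (Safeguard 1.2). The log format, inventory values and field names are assumptions.

```python
"""Reconcile DHCP lease logs against an enterprise asset inventory.

Added example for CIS Safeguards 1.1, 1.2 and 1.4; not code from the guide.
The inventory fields, the sample assets and the ISC dhcpd-style syslog lines
are constructed assumptions; adapt ACK_RE to what your DHCP server or IPAM emits.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Optional, Set


@dataclass
class Asset:
    """One inventory record with the fields Safeguard 1.1 asks for."""
    hw_addr: str
    machine_name: str
    owner: str
    department: str
    approved: bool                     # approved to connect to the network?
    static_ip: Optional[str] = None    # network address, only if static
    observed_ips: Set[str] = field(default_factory=set)
    last_seen: Optional[datetime] = None


def sample_inventory() -> Dict[str, Asset]:
    """Constructed inventory keyed by hardware address (hypothetical values)."""
    assets = [
        Asset("00:11:22:33:44:55", "fin-laptop-07", "J. Doe", "Finance", True),
        Asset("aa:bb:cc:dd:ee:01", "lab-sensor-3", "R. Roe", "Operations", False),
        Asset("de:ad:be:ef:00:10", "db-vm-02", "DBA team", "IT", True, "10.0.5.10"),
    ]
    return {a.hw_addr: a for a in assets}


# Constructed DHCP server log excerpt in ISC dhcpd syslog format.
SAMPLE_LOG = """\
Mar  1 08:00:01 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.41 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
Mar  1 08:00:09 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.42 to aa:bb:cc:dd:ee:01 (lab-sensor-3) via eth0
Mar  1 08:00:15 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.43 to 66:77:88:99:aa:bb via eth0
Mar  1 08:00:20 dhcp1 dhcpd[812]: DHCPDISCOVER from 66:77:88:99:aa:bb via eth0
Mar  1 08:01:02 dhcp1 dhcpd[812]: DHCPACK on 10.0.5.41 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
"""

# Only DHCPACK lines prove a lease was handed out; DISCOVER/OFFER/REQUEST are ignored.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_leases(log_text: str, year: int):
    """Yield (timestamp, ip, mac, hostname) per DHCPACK line. Syslog stamps
    carry no year, so the caller supplies it."""
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
        yield ts, m["ip"], m["mac"].lower(), m["host"]


def reconcile(inventory: Dict[str, Asset], log_text: str, year: int = 2022):
    """Update the inventory in place from lease activity (Safeguard 1.4) and
    return, per unauthorized hardware address, the reasons and the IPs it
    obtained (input to the weekly process of Safeguard 1.2)."""
    unauthorized: Dict[str, dict] = {}

    def flag(mac: str, ip: str, reason: str) -> None:
        entry = unauthorized.setdefault(mac, {"reasons": set(), "ips": set()})
        entry["reasons"].add(reason)
        entry["ips"].add(ip)

    for ts, ip, mac, host in parse_leases(log_text, year):
        asset = inventory.get(mac)
        if asset is None:
            flag(mac, ip, "not in inventory")
            continue
        asset.observed_ips.add(ip)
        asset.last_seen = ts if asset.last_seen is None else max(asset.last_seen, ts)
        if not asset.approved:
            flag(mac, ip, "not approved to connect")
        if asset.static_ip and ip != asset.static_ip:
            flag(mac, ip, "leased address differs from recorded static address")
    return unauthorized


if __name__ == "__main__":
    inv = sample_inventory()
    for mac, finding in reconcile(inv, SAMPLE_LOG).items():
        print(f"{mac}: {', '.join(sorted(finding['reasons']))} "
              f"(seen with {', '.join(sorted(finding['ips']))})")
    for asset in inv.values():
        print(f"{asset.machine_name}: last seen {asset.last_seen}, "
              f"observed {sorted(asset.observed_ips)}")
```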

CIS CONTROL 02: Inventory and Control of Software Assets

Overview
Actively manage (inventory, track, and correct) all software (operating systems and
applications) on the network so that only authorized software is installed and can
execute, and that unauthorized and unmanaged software is found and prevented from
installation or execution.

Cloud Applicability
The second CIS Control offers the guidance needed to identify, track, and account for all
software utilized in an environment. This is challenging in cloud environments due to the
shared security responsibility and the cloud service model utilized.

CIS Control 02: Inventory and Control of Software Assets

SAFEGUARD | ASSET TYPE | SECURITY FUNCTION | CONTROL TITLE | IMPLEMENTATION GROUPS | APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

2.1 | Applications | Identify | Establish and Maintain a Software Inventory | IG1 IG2 IG3 | ✓ ✓ ✓ ✓
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software
inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where
appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and
decommission date. Review and update the software inventory bi-annually, or more frequently.

2.2 | Applications | Identify | Ensure Authorized Software is Currently Supported | IG1 IG2 IG3 | ✓ ✓ ✓
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise
assets. If software is unsupported yet necessary for the fulfillment of the enterprise’s mission, document an exception
detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception
documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more
frequently.

2.3 | Applications | Respond | Address Unauthorized Software | IG1 IG2 IG3 | ✓ ✓ ✓ ✓
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented
exception. Review monthly, or more frequently.

2.4 | Applications | Detect | Utilize Automated Software Inventory Tools | IG1 IG2 IG3 | ✓ ✓ ✓
Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and
documentation of installed software.

2.5 | Applications | Protect | Allowlist Authorized Software | IG2 IG3 | ✓ ✓
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be
accessed. Reassess bi-annually, or more frequently.

2.6 | Applications | Protect | Allowlist Authorized Libraries | IG2 IG3 | ✓ ✓
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc. files, are
allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess
bi-annually, or more frequently.

2.7 | Applications | Protect | Allowlist Authorized Scripts | IG3 | ✓ ✓ ✓
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
specific .ps1, .py, etc. files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or
more frequently.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that these CIS Safeguards are applicable
for Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models,
you will need to defer to the service/deployment model(s) your enterprise is using.

• Private (on-prem) — The local administrator is responsible for keeping the inventory of all
software utilized regardless of the service model.
• IaaS — The administrator (cloud consumer) deploys, operates, and maintains the software
utilized within this service model but does not manage the underlying cloud software like
the hypervisor, operating systems, or applications that provide specific services, as that is
the responsibility of the CSP.
• PaaS — The administrator (cloud consumer) manages the development, testing, and
deployment of their software and applications. They have full control over the applications
and in some cases the operating systems, so they are responsible for all software running
at this level. The CSP is responsible for the hypervisor, operating systems, and other
applications that provide this service. Application allowlisting, allowlisting of libraries,
allowlisting of scripts, and segregating high-risk applications will not be applicable to all
PaaS service models.
• SaaS — The administrator (cloud consumer) is responsible for registering the software on
the inventory list as approved. They are also responsible for making sure the vendor maintains
support and vulnerability updates for the software and for keeping a record of it in the tracking
software. Tracking software inventory could be manual.
• FaaS — The administrator (cloud consumer) is responsible for maintaining an inventory of
authorized software. Tracking software inventory could be manual.

CLOUD ADDITIONAL CONSIDERATIONS

• In a cloud environment, whether running on-prem, IaaS, PaaS, SaaS, or FaaS, the software being
used and maintained has to be inventoried, patched, and monitored when applicable.
• It is imperative to maintain a comprehensive list of these cloud software assets to identify
and mitigate any vulnerabilities and data associated with the software that you manage.
• It is always up to the consumer to request documentation from the CSP outlining their
responsibilities on how the CSP is securing the infrastructure and technology.
• Also keep in mind that as part of the software inventory, the consumer should include the
API endpoints.
• For PaaS with managed Kubernetes services, the cloud consumer is responsible for
patches/updates on the worker nodes.
• Discovery and inventory capabilities should extend to software running inside containers
(in the case of Containers-as-a-Service). CaaS is considered a subset of IaaS and is found
between IaaS and PaaS.

CIS CONTROL 03: Data Protection

Overview
Develop processes and technical controls to identify, classify, securely handle, retain,
and dispose of data.

Cloud Applicability
The focus of this CIS Control is on data protection and ensuring the privacy and integrity
of sensitive information. The cloud environment is no exception when it comes to protecting
private data. If cloud consumers have realized anything while migrating information to the cloud,
it is that protecting data can be more complicated. It is a growing concern for CSPs and consumers
because any data leakage can go undetected for long periods of time.

CIS Control 03: Data Protection
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

3.1 Data Identify Establish and Maintain a Data Management Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of
data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise.
Review and update documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.

3.2 Data Identify Establish and Maintain a Data Inventory 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data,
at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.

3.3 Data Protect Configure Data Access Control Lists 1 2 3 ✓ ✓ ✓ ✓

Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as
access permissions, to local and remote file systems, databases, and applications.

3.4 Data Protect Enforce Data Retention 1 2 3 ✓ ✓ ✓ ✓

Retain data according to the enterprise’s data management process. Data retention must include both minimum and
maximum timelines.

3.5 Data Protect Securely Dispose of Data 1 2 3 ✓ ✓ ✓ ✓

Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and
method are commensurate with the data sensitivity.

3.6 Devices Protect Encrypt Data on End-User Devices 1 2 3

Encrypt data on end-user devices containing sensitive data. Example implementations can include Windows
BitLocker®, Apple FileVault®, and Linux® dm-crypt.

3.7 Data Identify Establish and Maintain a Data Classification Scheme 2 3 ✓ ✓ ✓ ✓

Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such
as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the
classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.


3.8 Data Identify Document Data Flows 2 3 ✓ ✓ ✓ ✓

Document data flows. Data flow documentation includes service provider data flows and should be based on the
enterprise’s data management process. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

3.9 Data Protect Encrypt Data on Removable Media 2 3

Encrypt data on removable media.

3.10 Data Protect Encrypt Sensitive Data in Transit 2 3 ✓ ✓ ✓ ✓

Encrypt sensitive data in transit. Example implementations can include Transport Layer Security (TLS) and Open Secure
Shell (OpenSSH).

3.11 Data Protect Encrypt Sensitive Data At Rest 2 3 ✓ ✓

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer
encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional
encryption methods may include application-layer encryption, also known as client-side encryption, where access to
the data storage device(s) does not permit access to the plain-text data.

3.12 Network Protect Segment Data Processing and Storage Based on Sensitivity 2 3 ✓

Segment data processing and storage, based on the sensitivity of the data. Do not process sensitive data on enterprise
assets intended for lower sensitivity data.

3.13 Data Protect Deploy a Data Loss Prevention Solution 3 ✓

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored,
processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and
update the enterprise’s sensitive data inventory.

3.14 Data Detect Log Sensitive Data Access 3 ✓ ✓ ✓ ✓

Log sensitive data access, including modification and disposal.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all of the data
regardless of the service model used.
• IaaS — The administrator (cloud consumer) is responsible for data protection but is limited
to the virtual networks and virtual machines within this service model. The CSP is not
responsible for any data loss due to lack of action or security defined for the consumer.
• PaaS — The administrator (cloud consumer) manages the data and access for the
applications and in some cases the host environment settings and operating systems.
• SaaS — The administrator (cloud consumer) is responsible for the data. The CSP is only
responsible for making sure the data is online and that access is not granted outside of the
application controlled by the cloud consumer.
• FaaS — The administrator (cloud consumer) is responsible for the code and any data. The
CSP is only responsible for making sure the data is online and that access is not granted
outside of the functions called and controlled by the cloud consumer.

CLOUD ADDITIONAL CONSIDERATIONS
• Make sure that the data is not accessible to the public. Encrypt or use tokenization to protect
sensitive data. Encryption has a number of limitations in SaaS solutions and does not allow
the data to be searched; however, tokenization addresses that concern and limitation.
• Control the systems and users that have access to the cloud platform and the data
that might be exposed. When hosting any data in the cloud, consider the possible legal
implications based on the data classification. More often than not, data protection,
redundancy, and backup are the responsibility of the cloud consumer and not the CSP.
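The considerations above contrast encryption, which leaves SaaS-hosted data unsearchable, with tokenization, which keeps equality search working. The following is an added example written for this guide (it is not CIS's code and does not model any particular CSP) showing a consumer-side token vault: the sensitive field is replaced by an HMAC-derived token before the record is sent to the provider, a query is answered by tokenizing the search value, and a pre-export check confirms no raw value slipped through. The record layout, the "provider store" (a plain list), and the key handling are assumptions made for the illustration.

```python
"""Token vault for sensitive fields sent to a SaaS provider.

Added example for this guide; it is not CIS's code and does not model any
particular CSP. Assumptions (constructed for illustration): the provider-side
store is a plain list of dicts, the vault is a dict kept on the consumer side,
and the tokenization key is held only by the consumer. Tokens are derived with
HMAC-SHA256 under that key, so equal inputs give equal tokens (equality search
keeps working on the provider side) while the provider never sees plaintext.
"""
import hashlib
import hmac
import re
import secrets

SENSITIVE_FIELDS = ("ssn",)                      # fields that must never leave as plaintext
SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")   # shape of the constructed sensitive values


class TokenVault:
    """Consumer-side vault: maps tokens back to plaintext; the key never leaves the enterprise."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._store = {}  # token -> plaintext

    def tokenize(self, value):
        digest = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        token = "tok_" + digest[:24]
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


# Constructed customer records; record 3 deliberately repeats the SSN of record 1
# so that an equality search has more than one hit.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "ssn": "123-45-6789"},
    {"id": 2, "name": "B. Example", "ssn": "987-65-4321"},
    {"id": 3, "name": "C. Example", "ssn": "123-45-6789"},
]


def export_to_provider(vault, records):
    """What the SaaS provider stores: every sensitive field replaced by its token."""
    exported = []
    for rec in records:
        copy = dict(rec)
        for field in SENSITIVE_FIELDS:
            copy[field] = vault.tokenize(copy[field])
        exported.append(copy)
    return exported


def search_provider(vault, provider_records, field, plaintext):
    """Equality search against provider-side data: tokenize the query, match on the token."""
    token = vault.tokenize(plaintext)
    return [rec["id"] for rec in provider_records if rec[field] == token]


def plaintext_leaks(provider_records):
    """Pre-export check: ids of records whose sensitive fields still look like raw values."""
    return [rec["id"] for rec in provider_records
            for field in SENSITIVE_FIELDS if SSN_PATTERN.fullmatch(rec[field])]


if __name__ == "__main__":
    vault = TokenVault()
    provider = export_to_provider(vault, CUSTOMERS)
    print("provider holds:", provider)
    print("ids with SSN 123-45-6789:", search_provider(vault, provider, "ssn", "123-45-6789"))
    print("leaks after export:", plaintext_leaks(provider), "| leaks in raw data:", plaintext_leaks(CUSTOMERS))
```

Deterministic tokens are what make the provider-side search possible, and that is also their cost: anyone who can read the provider store can tell which records share a value. For fields that never need to be searched, a random token per value (and a vault lookup on the way back) gives away nothing at all.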

CIS CONTROL 04: Secure Configuration of Enterprise Assets and Software

Overview
Establish and maintain the secure configuration of enterprise assets (end-user devices,
including portable and mobile; network devices; non-computing/IoT devices; and
servers) and software (operating systems and applications).

Cloud Applicability
This CIS Control provides guidance for securing hardware and software. As delivered by the
CSP, the default configurations for operating systems and applications are normally geared
toward ease-of-deployment and ease-of-use ― not security. Basic controls, open services
and ports, default accounts or passwords, older (vulnerable) protocols, pre-installation
of unneeded software ― all can be exploitable in their default state. Even if a strong initial
configuration is developed and deployed in the cloud, it must be continually managed to avoid
configuration drift as software is updated or patched, new security vulnerabilities are reported,
and configurations are “tweaked” to allow the installation of new software or to support new
operational requirements. If not, attackers will find opportunities to exploit both
network-accessible services and client software.

CIS Control 04: Secure Configuration of Enterprise Assets and Software
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

4.1 Applications Protect Establish and Maintain a Secure Configuration Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable
and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

4.2 Network Protect Establish and Maintain a Secure Configuration Process for Network Infrastructure 1 2 3 ✓ ✓

Establish and maintain a secure configuration process for network devices. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

4.3 Users Protect Configure Automatic Session Locking on Enterprise Assets 1 2 3 ✓

Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose
operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2
minutes.

4.4 Devices Protect Implement and Manage a Firewall on Servers 1 2 3 ✓ ✓

Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall,
operating system firewall, or a third-party firewall agent.

4.5 Devices Protect Implement and Manage a Firewall on End-User Devices 1 2 3 ✓ ✓

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that
drops all traffic except those services and ports that are explicitly allowed.


4.6 Network Protect Securely Manage Enterprise Assets and Software 1 2 3 ✓ ✓ ✓ ✓

Securely manage enterprise assets and software. Example implementations include managing configuration through
version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such
as Secure Shell (SSH) and Hypertext Transfer Protocol (HTTPS). Do not use insecure management protocols, such as
Telnet and HTTP, unless operationally essential.

4.7 Users Protect Manage Default Accounts on Enterprise Assets and Software 1 2 3 ✓ ✓ ✓ ✓

Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured
vendor accounts. Example implementations can include disabling default accounts or making them unusable.

4.8 Devices Protect Uninstall or Disable Unnecessary Services on Enterprise Assets and Applications 1 2 3 ✓ ✓

Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service,
web application module, or service function.

4.9 Devices Protect Configure Trusted Domain Name System (DNS) Servers on Enterprise Assets 2 3 ✓ ✓

Configure trusted DNS servers on enterprise assets. Example implementations include configuring assets to use
enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.

4.10 Devices Respond Enforce Automatic Device Lockout on Portable End-User Devices 2 3 ✓ ✓

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on
portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for
tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft®
Intune Device Lock and Apple® Configuration Profile maxFailedAttempts.

4.11 Devices Protect Enforce Remote Wipe Capability on Portable End-User Devices 2 3 ✓ ✓

Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
lost or stolen devices, or when an individual no longer supports the enterprise.

4.12 Devices Protect Separate Enterprise Workspaces on Mobile End-User Devices 3 ✓ ✓

Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example
implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise
applications and data from personal applications and data.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for the use of a
security baseline for all physical and virtual systems, software, and applications.
• IaaS — The administrator (cloud consumer) is responsible for utilizing a security baseline for
the software, virtual servers, virtual networking, middleware, and applications in the cloud
environment.
• PaaS — The administrator (cloud consumer) is responsible for utilizing a security baseline for
the applications and development tools utilized.
• SaaS — The administrator (cloud consumer) is responsible for a security baseline within the
software and the data that is being utilized.
• FaaS — The administrator (cloud consumer) is responsible for a security baseline within the
code and the data being utilized.

CLOUD ADDITIONAL CONSIDERATIONS
• When configuration management tools are used, they should be set to alert-only without
automated configuration re-deployment unless it is known to be safe to do so.
• The CSP hosts typical image storage in cloud environments for PaaS, SaaS, and FaaS;
therefore, the secure configuration of the underlying servers is the responsibility of the CSP.
• As part of the established secure configurations, SaaS and FaaS should always
communicate over TLS and validate the TLS API endpoint certificate.
• Also consider cloud access security broker (CASB) services that can provide granular
controls for monitoring user’s application sessions and blocking actions.
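The consideration that SaaS and FaaS clients must communicate over TLS and validate the API endpoint certificate is easy to state and easy to undo in code, usually while working around a certificate error during deployment. The following added example (written for this guide, not CIS's code, using only Python's standard ssl module) builds a hardened client context next to the weak one, and an audit function that reports the settings which silently disable validation; it can be run over any SSLContext an application constructs. No connection is made, so it runs offline; the host name in the commented usage line is a placeholder.

```python
"""Client-side TLS settings for calling a SaaS/FaaS API endpoint, with an audit
function that flags settings which disable certificate validation.

Added example for this guide, not CIS's code; only Python's standard ssl
module is used and no connection is made. "api.example.test" below is a
placeholder host name.
"""
import ssl


def hardened_client_context():
    """Context that validates the endpoint certificate against the system CA store,
    matches it to the host name, and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_client_context():
    """The anti-pattern the audit exists to catch: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the list of findings for a client SSLContext; an empty list means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: endpoint certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not matched to the API host name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS below 1.2")
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name + ":", audit_context(ctx) or "OK")
    # Usage against a real endpoint (placeholder host):
    # import http.client
    # conn = http.client.HTTPSConnection("api.example.test", context=hardened_client_context())
```

The audit belongs in the secure configuration process rather than in a one-off review: run it against every context an application creates (or against the session objects of whichever HTTP library is in use) so that a later "tweak" that clears `check_hostname` or sets `CERT_NONE` is caught as configuration drift.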

CIS CONTROL 05: Account Management

Overview
Use processes and tools to assign and manage authorization to credentials for user
accounts, including administrator accounts, as well as service accounts, to enterprise
assets and software.

Cloud Applicability
This CIS Control focuses on managing the life cycle of system, application, and user accounts.
As part of this management, rules and processes should be established for the creation, use,
dormancy, and deletion of all cloud accounts, in order to minimize opportunities for attackers
to leverage them. When an employee leaves the enterprise or changes roles, vulnerabilities
can arise if employee accounts are not closed or modified.

CIS Control 05: Account Management
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

5.1 Users Identify Establish and Maintain an Inventory of Accounts 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop
dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly,
or more frequently.

5.2 Users Protect Use Unique Passwords 1 2 3 ✓ ✓ ✓ ✓

Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character
password for accounts using multifactor authentication (MFA) and a 14-character password for accounts not
using MFA.

5.3 Users Respond Disable Dormant Accounts 1 2 3 ✓ ✓ ✓ ✓

Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.

5.4 Users Protect Restrict Administrator Privileges to Dedicated Administrator Accounts 1 2 3 ✓ ✓ ✓ ✓

Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing
activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged, account.

5.5 Users Identify Establish and Maintain an Inventory of Service Accounts 2 3 ✓ ✓ ✓ ✓

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner,
review date, and purpose. Perform service account reviews to validate all active accounts are authorized, on a recurring
schedule at a minimum quarterly, or more frequently.

5.6 Users Protect Centralize Account Management 2 3 ✓ ✓ ✓ ✓

Centralize account management through a directory or identity service.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all accounts
regardless of the service model used.
• IaaS — The administrator (cloud consumer) is responsible for all accounts utilized on the
virtual networks, virtual machines, applications, etc. The CSP is not responsible for this
access at the cloud consumer account level.
• PaaS — The administrator (cloud consumer) manages the accounts for the applications and
in some cases the host operating systems.
• SaaS — The administrator (cloud consumer) is responsible for the application accounts.
• FaaS — The administrator (cloud consumer) is responsible for the accounts that have the
ability to build the code execution based on the cloud functions.

CLOUD ADDITIONAL CONSIDERATIONS

• For consumers operating in the cloud, it is even more important to understand and maintain
account management. The consumer is responsible for all the accounts.
• The account principle of least privilege access should be followed.

CIS CONTROL 06: Access Management Control

Overview
Use processes and tools to create, assign, manage, and revoke access credentials
and privileges for user, administrator, and service accounts for enterprise assets
and software.

Cloud Applicability
This CIS Control addresses the need for limiting and managing access. The misuse of
administrative privileges is a primary method for attackers to spread laterally inside a target
enterprise. One of the two primary ways for attackers to spread inside a system is by tricking
a user with elevated credentials into opening an email attachment, downloading and running
an infected file, or visiting a malicious website from an asset connected to the cloud
environment. The second common technique used by attackers is elevation of privileges
by guessing or cracking a password for an administrative user to gain access to a target
machine. If administrator privileges are loosely and widely distributed, or identical passwords
are used on less critical systems, the attacker has a much easier time gaining full control of
systems, because there are many more accounts that can act as avenues for the attacker to
compromise administrative privileges.

CIS Control 06: Access Management Control
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

6.1 Users Protect Establish an Access Granting Process 1 2 3 ✓ ✓ ✓ ✓

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights
grant, or role change of a user.

6.2 Users Protect Establish an Access Revoking Process 1 2 3 ✓ ✓ ✓ ✓

Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling
accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of
deleting accounts, may be necessary to preserve audit trails.

6.3 Users Protect Require MFA for Externally-Exposed Applications 1 2 3 ✓ ✓ ✓ ✓

Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA
through a directory service or single sign-on (SSO) provider is a satisfactory implementation of this Safeguard.

6.4 Users Protect Require MFA for Remote Network Access 1 2 3 ✓

Require MFA for remote network access.

6.5 Users Protect Require MFA for Administrative Access 1 2 3 ✓ ✓ ✓ ✓

Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-
site or through a third-party provider.

6.6 Users Identify Establish and Maintain an Inventory of Authentication and Authorization Systems 2 3 ✓ ✓ ✓ ✓

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those
hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more
frequently.


6.7 Users Protect Centralize Access Control 2 3 ✓ ✓ ✓ ✓

Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.

6.8 Data Protect Define and Maintain Role-Based Access Control 3 ✓ ✓ ✓ ✓

Define and maintain role-based access control, through determining and documenting the access rights necessary
for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of
enterprise assets to validate all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all accounts
regardless of the service model used.
• IaaS — The administrator (cloud consumer) is responsible for all accounts utilized on the
virtual networks, virtual machines, applications, etc. The CSP is not responsible for this
access at the cloud consumer account level.
• PaaS — The administrator (cloud consumer) manages the accounts for the applications and
in some cases the host operating systems.
• SaaS — The administrator (cloud consumer) is responsible for the application accounts.
• FaaS — The administrator (cloud consumer) is responsible for the accounts that have the
ability to build the code execution based on the cloud functions.

CLOUD ADDITIONAL CONSIDERATIONS

• For consumers operating in the cloud, it is even more important to understand and maintain
account control. The consumer is responsible for all the accounts and what level of access
those accounts have to their cloud environment.
• When possible, MFA should be required.
• The use of shared service accounts should be limited.
• Permissions should be granted through group membership, as that is easier to manage.
• Role-based access control (RBAC) has become the primary methodology and is a critical
capability for managing access to cloud-based resources.
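Controls 05 and 06 together describe a recurring account review: an inventory with start/stop dates (Safeguard 5.1), dormant accounts disabled after 45 days (5.3), access revoked by disabling rather than deleting (6.2), and MFA on every administrative account (6.5). The following added example (written for this guide, not CIS's code and not the API of any identity service) runs those checks over a constructed inventory with a fixed review date so the outcome is reproducible; in practice the inventory would be pulled from the directory or identity service the enterprise centralizes on.

```python
"""Recurring account review: dormant accounts (Safeguard 5.3, 45 days), accounts
still enabled past their stop date (5.1 / 6.2), and administrator accounts
without MFA (6.5).

Added example for this guide, not CIS's code and not any IdP's API. The
inventory below is constructed; the review date is fixed so the results are
reproducible.
"""
from datetime import date

DORMANT_DAYS = 45
REVIEW_DATE = date(2022, 3, 15)   # constructed "as of" date for the review

# Constructed inventory with the fields Safeguard 5.1 asks for (name, username,
# start/stop dates, department) plus the attributes the checks need.
ACCOUNTS = [
    {"username": "alice", "name": "Alice Example", "department": "Finance",
     "start": date(2020, 1, 6), "stop": None, "enabled": True,
     "admin": False, "mfa": True, "last_login": date(2022, 3, 14)},
    {"username": "bob-adm", "name": "Bob Example", "department": "IT",
     "start": date(2019, 5, 20), "stop": None, "enabled": True,
     "admin": True, "mfa": False, "last_login": date(2022, 3, 10)},
    {"username": "carol", "name": "Carol Example", "department": "Sales",
     "start": date(2021, 2, 1), "stop": date(2022, 1, 31), "enabled": True,
     "admin": False, "mfa": True, "last_login": date(2022, 1, 28)},
    {"username": "svc-backup", "name": "backup service account", "department": "IT",
     "start": date(2021, 6, 1), "stop": None, "enabled": True,
     "admin": False, "mfa": False, "last_login": date(2021, 12, 1)},
]


def review_accounts(accounts, as_of=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return sorted (username, finding) pairs; an empty list means the review is clean."""
    findings = []
    for acct in accounts:
        idle_days = (as_of - acct["last_login"]).days
        if acct["enabled"] and idle_days > dormant_days:
            findings.append((acct["username"], "dormant"))
        if acct["enabled"] and acct["stop"] is not None and acct["stop"] < as_of:
            findings.append((acct["username"], "enabled-past-stop-date"))
        if acct["admin"] and not acct["mfa"]:
            findings.append((acct["username"], "admin-without-mfa"))
    return sorted(findings)


def accounts_to_disable(findings):
    """Usernames the review says to disable (disable, not delete, to preserve audit trails)."""
    return sorted({u for u, f in findings if f in ("dormant", "enabled-past-stop-date")})


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS)
    for username, finding in results:
        print(f"{username:12s} {finding}")
    print("disable:", accounts_to_disable(results))
```

On the constructed data, carol is both 46 days idle and past her stop date, the backup service account is dormant, and bob-adm is an administrator without MFA; alice is clean. The "admin without MFA" finding deliberately does not go onto the disable list, since the remediation there is to enforce MFA, not to remove the account.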

CIS CONTROL 07: Continuous Vulnerability Management

Overview
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets
within the enterprise’s infrastructure, in order to remediate, and minimize, the window of
opportunity for attackers. Monitor public and private industry sources for new threat and
vulnerability information.

Cloud Applicability
This CIS Control addresses the need for continuous vulnerability management, which can be
a significant task in most enterprises. Understanding and managing vulnerabilities in a cloud
environment can be more challenging than in traditional IT systems. A cloud environment
is dynamic, allowing you to scale your environment at an ever-changing pace. With the
increasing use of DevSecOps, the internal landscape is ever-changing. As enterprises migrate
to the cloud, they are in a difficult position because of the risks and vulnerabilities associated
with the use of cloud services. Depending on the deployment model in use, control of some
assets is handed to a third party, and verifying the security and vulnerability status of those
assets is not always the responsibility of the cloud consumer. Cloud environments also host
cloud-specific vulnerabilities that have to be monitored and managed.

CIS Control 07: Continuous Vulnerability Management
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

7.1 Applications Protect Establish and Maintain a Vulnerability Management Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a documented vulnerability management process for enterprise assets. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

7.2 Applications Respond Establish and Maintain a Remediation Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more
frequent, reviews.

7.3 Applications Protect Perform Automated Operating System Patch Management 1 2 3 ✓ ✓

Perform operating system updates on enterprise assets through automated patch management on a monthly, or more
frequent, basis.

7.4 Applications Protect Perform Automated Application Patch Management 1 2 3 ✓ ✓ ✓

Perform application updates on enterprise assets through automated patch management on a monthly, or more
frequent, basis.

7.5 Applications Identify Perform Automated Vulnerability Scans of Internal Enterprise Assets 2 3 ✓ ✓

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct
both authenticated and unauthenticated scans, using a security content automation protocol (SCAP)-compliant
vulnerability scanning tool.

7.6 Applications Identify Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets 2 3 ✓ ✓

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability
scanning tool. Perform scans on a monthly, or more frequent, basis.


7.7 Applications Respond Remediate Detected Vulnerabilities 2 3 ✓ ✓

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
based on the remediation process.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for continuous
vulnerability management of the hardware and software, both physical and virtual servers,
networking, middleware, and applications utilized.
• IaaS — The administrator (cloud consumer) is responsible for continuous vulnerability
management of the software, virtual servers, virtual networking, middleware, and
applications utilized. The CSP is responsible for continuous vulnerability management with
the infrastructure and technology that they provide.
• PaaS — The administrator (cloud consumer) is responsible for continuous vulnerability
management of the applications and development tools utilized. The CSP is responsible
for continuous vulnerability management of the hardware infrastructure and software
technology that they provide.
• SaaS — This is not applicable for the cloud consumer. The CSP is responsible for everything
but the data.
• FaaS — This is not applicable for the cloud consumer. The CSP is responsible for everything
but the code and the data utilized within the functions.

CLOUD ADDITIONAL CONSIDERATIONS

• It is always the cloud consumer’s responsibility to request documentation from the
CSP detailing how the CSP is securing the infrastructure and the technology they are
responsible for.
• The consumer should continuously acquire, assess, and take action on new information
in order to identify vulnerabilities, remediate, and minimize the window of opportunity
for attackers.
• When considering PaaS environments, some will have images or stem cells which, by
default, do not allow for interactive users such as scanner accounts. The consumer should
consider a solution that identifies vulnerabilities without introducing new vulnerabilities and
which does not require a dedicated scanner account.
• Some agents have download dependencies that may require opening up proxies or firewalls,
which can introduce other risk elements that the consumer has to be aware of.

CIS CONTROL 08: Audit Log Management

Overview
Collect, alert, review, and retain audit logs of events that could help detect, understand,
or recover from an attack.

Cloud Applicability
This CIS Control offers guidance for the maintenance and monitoring of audit logs. Without
protected and complete logging records, an attack may go unnoticed indefinitely and the
particular damages done may be irreversible. The CSP helps a consumer meet this Control by
providing the ability to generate and monitor audit logs.

CIS Control 08: Audit Log Management
Columns: Safeguard; Asset Type; Security Function; Control Title/Description; Implementation Groups (IG1 IG2 IG3); Applicability of Service Model (IaaS PaaS SaaS FaaS)

8.1 Network Protect Establish and Maintain an Audit Log Management Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At
a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

8.2 Network Detect Collect Audit Logs 1 2 3 ✓ ✓ ✓ ✓

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across
enterprise assets.

8.3 Network Protect Ensure Adequate Audit Log Storage 1 2 3 ✓ ✓ ✓

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management
process.

8.4 Network Protect Standardize Time Synchronization 2 3 ✓

Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where
supported.

8.5 Network Detect Collect Detailed Audit Logs 2 3 ✓ ✓ ✓ ✓

Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username,
timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic
investigation.

8.6 Network Detect Collect DNS Query Audit Logs 2 3 ✓ ✓

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

8.7 Network Detect Collect URL Request Audit Logs 2 3 ✓ ✓

Collect URL request audit logs on enterprise assets, where appropriate and supported.

8.8 Devices Detect Collect Command-Line Audit Logs 2 3 ✓ ✓

Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH, and
remote administrative terminals.


8.9 Network Detect Centralize Audit Logs 2 3 ✓ ✓ ✓ ✓

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

8.10 Network Protect Retain Audit Logs 2 3 ✓ ✓ ✓ ✓

Retain audit logs across enterprise assets for a minimum of 90 days.

8.11 Network Detect Conduct Audit Log Reviews 2 3 ✓ ✓ ✓ ✓

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct
reviews on a weekly, or more frequent, basis.

8.12 Data Detect Collect Service Provider Logs 3 ✓ ✓ ✓ ✓

Collect service provider logs, where supported. Example implementations include collecting authentication and
authorization events; data creation and disposal events; and user management events.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for the setup,
maintenance, monitoring, and processing of the audit logs for all systems.
• IaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and process analysis of the audit logs for the software, virtual servers, virtual
networking, middleware, and applications when applicable in the cloud environment.
• PaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and process analysis of the audit logs for the applications, operating systems,
and development tools utilized when applicable in the cloud environment.
• SaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and process analysis of the audit logs once they are made available by the CSP.
Time sources and the ability to enable logging are dependent on the CSP.
• FaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and process analysis of the audit logs once they are made available by the CSP.
Time sources and the ability to enable logging are dependent on the CSP.

CLOUD ADDITIONAL CONSIDERATIONS

• For SaaS and FaaS solutions, it is often required that the CSP provides the required audit
logs and allows for the consumer to access, review, and maintain logs based on the Controls
as defined.
• In some cases, the service solution might not support the level of logging recommended by
this Control and its Safeguards.
• It is the responsibility of cloud consumers to request the logs from the CSP. The consumer
might want to consider creating a secure channel to download logs from the CSP.
• Ensuring adequate audit log storage applies chiefly to IaaS, as that is typically where log
storage occurs; make sure you have allotted enough storage for logging of all the services.
• Retain audit logs across enterprise assets for a minimum of 90 days, or in accordance with
local regulatory demands.
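The following Python check is added here as an illustration and is not code from the CIS guide. It applies Safeguards 8.5 and 8.10 to a constructed batch of JSON-lines audit records: it flags records that lack the fields 8.5 names or carry a timestamp that is not RFC 3339 UTC (so events from different sources can be compared, per 8.4), and it computes how far retrievable log coverage falls short of the 90-day minimum. The field names and all sample records are assumptions.

```python
"""Added example, not from the CIS guide: check a batch of audit log records
against Safeguard 8.5 (required fields) and Safeguard 8.10 (90-day retention).
The JSON-lines record format and all sample data are constructed here."""
import json
from datetime import datetime, timezone

# Fields Safeguard 8.5 calls out for assets holding sensitive data. "date" is
# folded into the RFC 3339 timestamp; event source and username are separate keys.
REQUIRED_FIELDS = ("event_source", "username", "timestamp", "src_addr", "dst_addr")
RETENTION_DAYS = 90  # Safeguard 8.10 minimum

# Constructed sample: one JSON record per line, as a log shipper might emit.
# Line 1 is compliant; 2 lacks a username; 3 has a non-RFC 3339 local-time stamp
# (Safeguard 8.4 wants synchronized, comparable time); 4 is not parseable at all.
SAMPLE_LOG = """\
{"event_source": "api-gw", "username": "alice", "timestamp": "2022-03-01T10:00:00Z", "src_addr": "10.0.1.5", "dst_addr": "10.0.2.9", "action": "GetObject"}
{"event_source": "api-gw", "timestamp": "2022-03-01T10:00:05Z", "src_addr": "10.0.1.5", "dst_addr": "10.0.2.9", "action": "PutObject"}
{"event_source": "vm-07", "username": "svc-backup", "timestamp": "2022-03-01 10:00", "src_addr": "10.0.3.2", "dst_addr": "10.0.2.9", "action": "Login"}
not json at all
"""


def parse_timestamp(value):
    """Return an aware UTC datetime for an RFC 3339 'Z' timestamp, else None."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def check_record(line):
    """List the Safeguard 8.5 problems with one record (empty list = compliant)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["unparseable record"]
    problems = []
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if "timestamp" in rec and parse_timestamp(rec["timestamp"]) is None:
        problems.append("timestamp not RFC 3339 UTC")
    return problems


def check_log(text):
    """Map 1-based line number -> problems, for the lines that have any."""
    findings = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            problems = check_record(line)
            if problems:
                findings[n] = problems
    return findings


def retention_shortfall(oldest_record, now, days=RETENTION_DAYS):
    """Days by which retrievable log coverage falls short of Safeguard 8.10 (0 if met).

    Coverage is measured from the oldest record still queryable, which is what an
    incident responder can actually use; a store younger than `days` shows a
    shortfall until it has aged in, which is the honest answer for an audit."""
    covered = (now - oldest_record).days
    return max(0, days - covered)


if __name__ == "__main__":
    for n, problems in check_log(SAMPLE_LOG).items():
        print("line %d: %s" % (n, "; ".join(problems)))
    oldest = parse_timestamp("2022-01-01T00:00:00Z")
    now = parse_timestamp("2022-03-01T00:00:00Z")
    print("retention shortfall: %d days" % retention_shortfall(oldest, now))
```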

CIS CONTROL 09: Email and Web Browser Protections

Overview
Improve protections and detections of threats from email and web vectors, as these are
opportunities for attackers to manipulate human behavior through direct engagement.

Cloud Applicability
This CIS Control focuses on the security of web browsers and email clients, which are very
vulnerable attack vectors. Quite often, cloud environments require internet web access.
Depending on the cloud model, there might not be a requirement for email clients, and if email
is utilized, it is typically only in an outgoing manner. It is common to have alerts and other
message systems in place that monitor critical processes and send out reports via email.
These emails are typically accessed from business or corporate assets that are on separate
networks. Most web-based applications are now operating in the cloud.

CIS Control 09: Email and Web Browser Protections
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

9.1 Applications Protect Ensure Use of Only Fully Supported Browsers and Email Clients 1 2 3 ✓ ✓ ✓ ✓

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
version of browsers and email clients provided through the vendor.

9.2 Network Protect Use DNS Filtering Services 1 2 3 ✓ ✓

Use DNS filtering services on all enterprise assets to block access to known malicious domains.

9.3 Network Protect Maintain and Enforce Network-Based URL Filters 2 3 ✓ ✓

Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or
unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through
the use of block lists. Enforce filters for all enterprise assets.

9.4 Applications Protect Restrict Unnecessary or Unauthorized Browser and Email Client Extensions 2 3 ✓ ✓ ✓ ✓

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins,
extensions, and add-on applications.

9.5 Network Protect Implement DMARC 2 3 ✓ ✓ ✓

To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification,
starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.

9.6 Network Protect Block Unnecessary File Types 2 3 ✓ ✓ ✓

Block unnecessary file types attempting to enter the enterprise’s email gateway.

9.7 Network Protect Deploy and Maintain Email Server Anti-Malware Protections 3 ✓ ✓ ✓

Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
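As an added illustration of Safeguard 9.5 (not code from the CIS guide), the Python below grades the SPF and DMARC TXT records a domain publishes, showing a monitoring-only configuration beside an enforcing one. The domain example.test and its records are constructed, and DKIM selector records are left out because the selector names depend on the sending setup and are not on this page.

```python
"""Added example, not from the CIS guide: grade a domain's published SPF and
DMARC TXT records against Safeguard 9.5 (DMARC policy built on SPF and DKIM).
DNS answers are constructed inline for a hypothetical domain instead of queried,
so the check runs offline."""
import re

# Constructed TXT answers, keyed by the name that would be queried. Not real DNS data.
WEAK_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailer.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
}
HARDENED_RECORDS = {
    "example.test": ["v=spf1 include:_spf.mailer.test -all"],
    "_dmarc.example.test": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"
    ],
}

# An SPF 'all' mechanism with its optional qualifier (+ pass, - fail, ~ softfail, ? neutral).
_ALL_TERM = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)


def parse_tags(record):
    """Split DMARC 'tag=value; tag=value' syntax into a dict with lower-case tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_spf(txt_records):
    """Findings for the SPF record(s) at the domain apex; empty list = acceptable."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records; receivers treat this as a permanent error")
    all_terms = [t for t in spf[0].split() if _ALL_TERM.match(t)]
    if not all_terms:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorizes every sender; SPF is ineffective")
        elif qualifier in "~?":
            findings.append("'%s' is not a hard fail; move to -all once DMARC is enforcing" % term)
    return findings


def evaluate_dmarc(txt_records):
    """Findings for the record at _dmarc.<domain>; empty list = enforcing and reporting."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no DMARC record; receivers cannot apply a policy for the domain"]
    tags = parse_tags(dmarc[0])
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag; record is invalid")
    elif policy.lower() == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate failure reports will not be received")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append("pct=%s applies the policy to only part of the mail" % pct)
    return findings


def is_enforcing(records, domain="example.test"):
    """True when both SPF and DMARC pass with no findings (the Safeguard 9.5 target state)."""
    spf_ok = evaluate_spf(records.get(domain, [])) == []
    dmarc_ok = evaluate_dmarc(records.get("_dmarc." + domain, [])) == []
    return spf_ok and dmarc_ok


if __name__ == "__main__":
    for name, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, "SPF:", evaluate_spf(records["example.test"]) or ["ok"])
        print(name, "DMARC:", evaluate_dmarc(records["_dmarc.example.test"]) or ["ok"])
```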

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for the setup,
maintenance, monitoring, and analysis of the email and web browser security.
• IaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and analysis of the email and web browser for the software, virtual servers,
virtual networking, middleware, and applications when applicable in the cloud environment.
• PaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and analysis of the email and web browser capabilities for the applications,
operating systems, and development tools utilized when applicable.
• SaaS — The administrator (cloud consumer) is responsible for email and web
browser security.
• FaaS — The administrator (cloud consumer) is responsible for email and web
browser security.

CLOUD ADDITIONAL CONSIDERATIONS

• The remaining Safeguards related to using authorized browsers, scripting filters, and
logging are applicable if you use any browser access from the servers or systems that you
are running.
• Since SaaS and possibly FaaS may be using a web browser to interact with the application,
the web browser should be up-to-date. Additionally, any third-party extensions such as
Adobe Flash or Java should be kept updated, and the highest possible security policies should
be applied according to your enterprise requirements.
• Ensure that no email clients are installed or present on any systems. Where a device or
system has the capability to send email-based alerts or reports, make sure that it is limited
to outbound only.

CIS CONTROL 10: Malware Defenses

Overview
Prevent or control the installation, spread, and execution of malicious applications, code,
or scripts on enterprise assets.

Cloud Applicability
This CIS Control addresses the steps needed to ensure a strong defense against malware
intrusions. Malicious code is a very real threat to all environments and the cloud is no
exception. While proper network segmentation and defense-in-depth strategies help
to mitigate this risk by making it difficult for threat actors to deliver malware to their
intended locations, malware defense still needs tools and processes in place to thwart and
detect incidents.

CIS Control 10: Malware Defenses
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

10.1 Devices Protect Deploy and Maintain Anti-Malware Software 1 2 3 ✓ ✓

Deploy and maintain anti-malware software on all enterprise assets.

10.2 Devices Protect Configure Automatic Anti-Malware Signature Updates 1 2 3 ✓ ✓

Configure automatic updates for anti-malware signature files on all enterprise assets.

10.3 Devices Protect Disable Autorun and Autoplay for Removable Media 1 2 3 ✓

Disable autorun and autoplay auto-execute functionality for removable media.

10.4 Devices Detect Configure Automatic Anti-Malware Scanning of Removable Media 2 3 ✓

Configure anti-malware software to automatically scan removable media.

10.5 Devices Protect Enable Anti-Exploitation Features 2 3 ✓ ✓

Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data
Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and
Gatekeeper™.

10.6 Devices Protect Centrally Manage Anti-Malware Software 2 3 ✓ ✓

Centrally manage anti-malware software.

10.7 Devices Detect Use Behavior-Based Anti-Malware Software 2 3 ✓ ✓

Use behavior-based anti-malware software.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for the setup,
maintenance, monitoring, and analysis of the anti-malware software and other security
settings for all physical and virtual devices in place to prevent any intrusions.
• IaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and analysis of the anti-malware software and other security settings for the
software, virtual servers, virtual networking, middleware, and applications when applicable
in the cloud environment.
• PaaS — The administrator (cloud consumer) is responsible for the setup, maintenance,
monitoring, and analysis of the anti-malware software and other security settings for the
applications, operating systems, and development tools utilized when applicable.
• SaaS — This Control and all of its Safeguards are not applicable for the cloud consumer.
• FaaS — This Control and all of its Safeguards are not applicable for the cloud consumer.

CLOUD ADDITIONAL CONSIDERATIONS

• In a cloud environment, there are some instances where the virtual devices do not support
the required endpoint software, thus making on-device malware monitoring difficult.
• In the instances where malware defense is not the responsibility of the cloud consumer, it
then becomes the responsibility of the CSP.

CIS CONTROL 11: Data Recovery

Overview
Establish and maintain data recovery practices sufficient to restore in-scope enterprise
assets to a pre-incident and trusted state.

Cloud Applicability
This CIS Control references the need for performing system backups for data recovery
capability. Backing up system data to include user data in the cloud environment is important
in all four service models. The ability to protect and recover a system or user data in a
timely manner is critical to cloud consumers. The challenge is often for the cloud consumer
to remember that the protection and integrity of the user and system data can be their
responsibility where the only thing the CSP is guaranteeing is the availability of the data.

CIS Control 11: Data Recovery
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

11.1 Data Recover Establish and Maintain a Data Recovery Process 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery
prioritization, and the security of backup data. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.

11.2 Data Recover Perform Automated Backups 1 2 3 ✓ ✓ ✓ ✓

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the
sensitivity of the data.

11.3 Data Protect Protect Recovery Data 1 2 3 ✓ ✓ ✓ ✓

Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on
requirements.

11.4 Data Recover Establish and Maintain an Isolated Instance of Recovery Data 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain an isolated instance of recovery data. Example implementations include version controlling
backup destinations through offline, cloud, or off-site systems or services.

11.5 Data Recover Test Data Recovery 2 3 ✓ ✓ ✓ ✓

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all data recovery
capabilities in the environment.
• IaaS — The administrator (cloud consumer) is responsible for data recovery capabilities
for all software, virtual servers, virtual networking, middleware, and applications, where
applicable, in the cloud environment.
• PaaS — The administrator (cloud consumer) is responsible for data recovery capabilities
for all applications, the hosting environment’s operating system settings, and the development
tools utilized.
• SaaS — The administrator (cloud consumer) is responsible for data recovery capabilities for
the application/software that is running as a service in the cloud environment.
• FaaS — The administrator (cloud consumer) is responsible for data recovery capabilities for
the code and functions that are running as a service in the cloud environment.

CLOUD ADDITIONAL CONSIDERATIONS

• Data can be utilized and affected by all the Service models.
• When referencing system data, be sure to include user data in that context. This inclusion
is what makes this CIS Control and the majority of the CIS Safeguards applicable to a SaaS
and FaaS service model.
• The cloud consumer is always responsible for “their” data regardless of the service model.
It is imperative that they have backup and/or redundancy in place so that there is no
loss of data.

CIS CONTROL 12: Network Infrastructure Management

Overview
Establish, implement, and actively manage (track, report, correct) network devices, in
order to prevent attackers from exploiting vulnerable network services and access points.

Cloud Applicability
This CIS Control addresses the need to manage the configuration of the network using
architecture diagrams along with authentication, authorization, and auditing. The network
infrastructure of a cloud environment should require the same rigorous configuration
management and change control process as a physical environment. Attack vectors, although
virtual, remain the same: insecure services, poor firewall and network configurations, and
default or legacy credentials.

CIS Control 12: Network Infrastructure Management
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

12.1 Network Protect Ensure Network Infrastructure is Up-to-Date 1 2 3 ✓

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of
software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or
more frequently, to verify software support.

12.2 Network Protect Establish and Maintain a Secure Network Architecture 2 3 ✓ ✓ ✓ ✓

Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least
privilege, and availability, at a minimum.

12.3 Network Protect Securely Manage Network Infrastructure 2 3 ✓ ✓ ✓ ✓

Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code,
and the use of secure network protocols, such as SSH and HTTPS.

12.4 Network Identify Establish and Maintain Architecture Diagram(s) 2 3 ✓ ✓ ✓ ✓

Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update
documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

12.5 Network Protect Centralize Network Authentication, Authorization, and Auditing (AAA) 2 3 ✓

Centralize network AAA.

12.6 Network Protect Use of Secure Network Management and Communication Protocols 2 3 ✓

Use secure network management and communication protocols (e.g. 802.1X, Wi-Fi Protected Access 2 (WPA2)
Enterprise or greater).


12.7 Devices Protect Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure 2 3 ✓

Require users to authenticate using MFA to enterprise-managed VPN and authentication services prior to accessing
enterprise resources on end-user devices.

12.8 Devices Protect Establish and Maintain Dedicated Computing Resources For All Administrative Work 3 ✓

Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise’s
primary network and not be allowed internet access.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The local administrator (cloud consumer) is responsible for the secure
configuration of all network devices.
• IaaS — The administrator (cloud consumer) deploys, operates, and maintains the virtual
networks and web application firewalls within this service model but does not manage
the underlying cloud infrastructure like the physical servers, physical network, storage,
hypervisor, etc., as that is the responsibility of the CSP.
• PaaS — The administrator (cloud consumer) manages the application, the host environment
network settings, and the development tools network settings. The CSP is responsible for
the physical servers, physical network, storage, hypervisor, and operating systems.
• SaaS — This is not applicable for the cloud consumer. The CSP is responsible for all physical
and virtual network device configuration.
• FaaS — This is not applicable for the cloud consumer. The CSP is responsible for all physical
and virtual network device configuration.

CLOUD ADDITIONAL CONSIDERATIONS

• Ensure all virtual firewalls are configured to deny by default.
• Apply multi-factor authentication, which will help maintain accountability and
configuration management.
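To make the deny-by-default check concrete (an added example, not code from the CIS guide), the Python below audits a vendor-neutral rule list of the kind a virtual firewall or cloud security group exposes: it reports whether the effective catch-all action is deny, lists allow rules open to any source (the least-privilege point of Safeguard 12.2), and lists rules shadowed behind the catch-all that can never match. The rule schema, first-match semantics and all sample rules are assumptions.

```python
"""Added example, not from the CIS guide: audit a vendor-neutral virtual firewall
rule list for the deny-by-default posture Control 12 calls for, for any-source
allows that cut against Safeguard 12.2 least privilege, and for rules shadowed
behind the catch-all. The rule schema and all sample rules are constructed."""
from ipaddress import ip_network

ANY = ip_network("0.0.0.0/0")

# Constructed rule sets. Rules are evaluated in ascending priority order and the
# first match wins, which is how most cloud firewalls and security groups behave.
RULES_WEAK = [
    {"priority": 100, "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "port": 443, "action": "allow"},
    {"priority": 200, "src": "0.0.0.0/0", "dst": "10.0.2.0/24", "port": 22, "action": "allow"},
    {"priority": 65000, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "allow"},
]
RULES_HARDENED = [
    {"priority": 100, "src": "10.0.1.0/24", "dst": "10.0.2.0/24", "port": 443, "action": "allow"},
    # Administrative access only from a dedicated admin subnet (Safeguard 12.8).
    {"priority": 200, "src": "10.0.9.0/28", "dst": "10.0.2.0/24", "port": 22, "action": "allow"},
    {"priority": 65000, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": "any", "action": "deny"},
]


def _net(cidr):
    return ip_network(cidr, strict=False)


def is_catch_all(rule):
    """True for a rule that matches every packet: any source, any destination, any port."""
    return _net(rule["src"]) == ANY and _net(rule["dst"]) == ANY and rule["port"] == "any"


def default_action(rules):
    """Action applied to traffic no specific rule matched.

    With first-match semantics that is the catch-all with the lowest priority number.
    None means there is no explicit catch-all and the platform's implicit behaviour
    decides, which a deny-by-default audit should treat as unasserted."""
    catch_alls = [r for r in rules if is_catch_all(r)]
    if not catch_alls:
        return None
    return min(catch_alls, key=lambda r: r["priority"])["action"]


def broad_allows(rules):
    """Allow rules reachable from any source, excluding the catch-all itself."""
    return [r for r in rules
            if r["action"] == "allow" and _net(r["src"]) == ANY and not is_catch_all(r)]


def shadowed(rules):
    """Rules ordered after the first catch-all; they can never match."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    for i, rule in enumerate(ordered):
        if is_catch_all(rule):
            return ordered[i + 1:]
    return []


def audit(rules):
    """Human-readable findings; an empty list means the rule set passes."""
    findings = []
    action = default_action(rules)
    if action is None:
        findings.append("no explicit catch-all rule; deny-by-default is not asserted")
    elif action != "deny":
        findings.append("catch-all rule action is '%s'; it must be deny" % action)
    for r in broad_allows(rules):
        findings.append("rule %d allows any source to %s port %s; restrict to known sources"
                        % (r["priority"], r["dst"], r["port"]))
    for r in shadowed(rules):
        findings.append("rule %d is shadowed by an earlier catch-all and never matches"
                        % r["priority"])
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", RULES_WEAK), ("hardened", RULES_HARDENED)):
        print(name, "->", audit(rules) or ["pass"])
```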

CIS CONTROL 13: Network Monitoring and Defense

Overview
Operate processes and tooling to establish and maintain comprehensive network
monitoring and defense against security threats across the enterprise’s network
infrastructure and user base.

Cloud Applicability
This CIS Control focuses on the importance of managing the flow of information between
networks of different trust levels. To control the flow of traffic through network borders and
police content by looking for attacks and evidence of compromised machines, boundary
defenses should be multi-layered, relying on firewalls, proxies, demilitarized zone (DMZ)
perimeter networks, network-based intrusion prevention systems (IPS), and intrusion detection
systems (IDS). It is also critical to filter both inbound and outbound traffic. This can be
challenging in a cloud environment, as you do not always have the ability to set up multiple
layers to the same extent you can in a physical setup. The boundary itself therefore changes,
along with where you set up that defense. Nonetheless, you still have to set up some defense.

CIS Control 13: Network Monitoring and Defense
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

13.1 Network Detect Centralize Security Event Alerting 2 3 ✓ ✓ ✓ ✓

Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation
requires the use of a security information and event management (SIEM), which includes vendor-defined event correlation
alerts; a log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.

13.2 Devices Detect Deploy a Host-Based Intrusion Detection Solution 2 3 ✓

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

13.3 Network Detect Deploy a Network Intrusion Detection Solution 2 3 ✓

Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations
include the use of a Network Intrusion Detection System (NIDS) or equivalent Cloud Service Provider (CSP) service.

13.4 Network Protect Perform Traffic Filtering Between Network Segments 2 3 ✓

Perform traffic filtering between network segments, where appropriate.

13.5 Devices Protect Manage Access Control for Remote Assets 2 3 ✓

Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to
enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the
enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date.

13.6 Network Detect Collect Network Traffic Flow Logs 2 3 ✓

Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.

13.7 Devices Protect Deploy a Host-Based Intrusion Prevention Solution 3 ✓

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example
implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.


13.8 Network Protect Deploy a Network Intrusion Prevention Solution 3 ✓

Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a
Network Intrusion Prevention System (NIPS) or equivalent CSP service.

13.9 Devices Protect Deploy Port-Level Access Control 3 ✓

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols,
such as certificates, and may incorporate user and/or device authentication.

13.10 Network Protect Perform Application Layer Filtering 3 ✓

Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or
gateway.

13.11 Network Detect Tune Security Event Alerting Thresholds 3 ✓ ✓ ✓ ✓

Tune security event alerting thresholds monthly, or more frequently.

Cloud Service and Deployment Considerations
When considering deployment models, you will find that this CIS Control and Safeguards
are applicable for Private (on-prem). For Private (third-party hosted), Public, and Hybrid
deployment models, you will need to defer to the service/deployment model(s) your
enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for the network
boundary monitoring and defense.
• IaaS — The administrator (cloud consumer) deploys, operates, and maintains the virtual
networks and virtual infrastructure so they are responsible for boundary defense from the
cloud perspective. The CSP is responsible for the underlying cloud infrastructure boundary
defense for the physical network.
• PaaS — The administrator (cloud consumer) might have some network port control
options within the application or the host environment settings and operating systems
and the development tools utilized to apply some deny communications, as outlined in
Safeguard 13.4.
• SaaS — The majority of these Safeguards are not applicable to the cloud consumer. The CSP
would be responsible for the boundary defense.
• FaaS — The majority of these Safeguards are not applicable to the cloud consumer. The CSP
would be responsible for the boundary defense.

CLOUD ADDITIONAL CONSIDERATIONS

• Maintain and enforce a minimum-security standard for all devices remotely logging into the
cloud network for on-prem and IaaS.
• Maintain logging of all activities and traffic that pass through the cloud environment when
looking at IaaS service models.
• Recognize that not all traffic, ingress or egress, will necessarily pass through one virtual
device or network. For this reason, it is crucial to identify all known and potential means for
accessing your cloud environment and the virtual systems and networking.
• Implement a zero-trust policy, requiring authentication and trust for internal network
communication.

CIS CONTROL 14: Security Awareness and Skills Training

Overview
Establish and maintain a security awareness program to influence behavior among the
workforce to be security conscious and properly skilled to reduce cybersecurity risks to
the enterprise.

Cloud Applicability
This CIS Control focuses on educating and training the enterprise workforce in a range
of security practices that span from “basic to advanced skills” to “security awareness and
vigilance.” Human error, oversights, and negligence are leading causes of security weakness,
and the consequences of untrained or infrequently trained personnel in a cloud environment
can have a range of damaging effects. Regardless of the service model or deployment,
security awareness and training are the responsibility of the enterprise operating in the cloud.

CIS Control 14: Security Awareness and Skills Training
Columns: SAFEGUARD, ASSET TYPE, SECURITY FUNCTION, CONTROL TITLE/DESCRIPTION, IMPLEMENTATION GROUPS (IG1 IG2 IG3), APPLICABILITY OF SERVICE MODEL (IaaS PaaS SaaS FaaS)

14.1 Protect Establish and Maintain a Security Awareness Program 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the
enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire
and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that
could impact this Safeguard.

14.2 Protect Train Workforce Members to Recognize Social Engineering Attacks 1 2 3 ✓ ✓ ✓ ✓

Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

14.3 Protect Train Workforce Members on Authentication Best Practices 1 2 3 ✓ ✓ ✓ ✓

Train workforce members on authentication best practices. Example topics include MFA, password composition, and
credential management.

14.4 Protect Train Workforce on Data Handling Best Practices 1 2 3 ✓ ✓ ✓ ✓

Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also
includes training workforce members on clear screen and desk best practices, such as locking their screen when they
step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data
and assets securely.

14.5 Protect Train Workforce Members on Causes of Unintentional Data Exposure 1 2 3 ✓ ✓ ✓ ✓

Train workforce members to be aware of causes for unintentional data exposure. Example topics include misdelivery of
sensitive data, losing a portable end-user device, or publishing data to unintended audiences.

14.6 Protect Train Workforce Members on Recognizing and Reporting Security Incidents 1 2 3 ✓ ✓ ✓ ✓

Train workforce members to be able to recognize a potential incident and be able to report such an incident.


14.7 Protect Train Workforce on How to Identify and Report if their Enterprise Assets are Missing Security Updates 1 2 3 ✓ ✓ ✓ ✓

Train workforce to understand how to verify and report out-of-date software patches or any failures in automated
processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes
and tools.

14.8 Protect Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks 1 2 3 ✓ ✓ ✓ ✓

Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise
activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely
configure their home network infrastructure.

14.9 Protect Conduct Role-Specific Security Awareness and Skills Training 2 3 ✓ ✓ ✓ ✓

Conduct role-specific security awareness and skills training. Example implementations include secure system
administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web
application developers, and advanced social engineering awareness training for high-profile roles.

Cloud Service and Deployment Considerations

When considering deployment models, this CIS Control and its Safeguards apply directly to Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models, defer to the service/deployment model(s) your enterprise is using.

Private Cloud (on-prem) does not operate under a shared responsibility model the way public cloud does: the organization alone provides, and must meet, every security standard, including the training program this Control describes.

Be aware that Private Cloud deployments are not inherently more secure than any other deployment model. They require the same diligence and attention to:

• Breach Exposure
• Physical Security Risk
• Compliance Issues
• Responsiveness, Capacity, Performance, and Uptime

CLOUD CONSIDERATIONS
• The security awareness and training program is solely the cloud consumer's responsibility. The CSP should run its own program for its staff, but that does not satisfy this Control for the consumer: every Safeguard here applies to the consumer's own workforce regardless of service model.

CIS CONTROL 15: Service Provider Management

Overview Develop a process to evaluate service providers who hold sensitive data, or are
responsible for an enterprise’s critical IT platforms or processes, to ensure these
providers are protecting those platforms and data appropriately.

Cloud Applicability This CIS Control focuses on evaluating and maintaining the many different service providers an enterprise can use. Service providers can be classified as internal, external, or shared, and span many types: application, cloud, internet, managed service, and others. Often the service provider handles and holds the enterprise's sensitive data. When working in the cloud you are routinely storing and transferring sensitive data through such providers, and under the shared responsibility model the enterprise remains accountable for that data; keeping track of which provider holds what is therefore critical.

CIS Control 15: Service Provider Management
Safeguard | Asset Type | Security Function | Title | Implementation Groups (IG1 IG2 IG3) | Applicability of Service Model (IaaS PaaS SaaS FaaS)

15.1 Identify Establish and Maintain an Inventory of Service Providers 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
classification(s), and designate an enterprise contact for each service provider. Review and update the inventory
annually, or when significant enterprise changes occur that could impact this Safeguard.

15.2 Identify Establish and Maintain a Service Provider Management Policy 2 3 ✓ ✓ ✓ ✓

Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory,
assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when
significant enterprise changes occur that could impact this Safeguard.

15.3 Identify Classify Service Providers 2 3 ✓ ✓ ✓ ✓

Classify service providers. Classification consideration may include one or more characteristics, such as data
sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and
review classifications annually, or when significant enterprise changes occur that could impact this Safeguard.

15.4 Protect Ensure Service Provider Contracts Include Security Requirements 2 3 ✓ ✓ ✓ ✓

Ensure service provider contracts include security requirements. Example requirements may include minimum security
program requirements, security incident and/or data breach notification and response, data encryption requirements,
and data disposal commitments, and must be consistent with the enterprise’s service provider management policy.
Review service provider contracts annually to ensure contracts are not missing security requirements.

15.5 Identify Assess Service Providers 3 ✓ ✓ ✓ ✓

Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope
may vary based on classification(s), and may include review of standardized assessment reports, such as Service
Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous process. Reassess service providers annually, at a minimum, or with new
and renewed contracts.


15.6 Data Detect Monitor Service Providers 3 ✓ ✓ ✓ ✓

Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include
periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web
monitoring.

15.7 Data Protect Securely Decommission Service Providers 3 ✓ ✓ ✓ ✓

Securely decommission service providers. Example considerations include user and service account deactivation,
termination of data flows, and secure disposal of enterprise data within service provider systems.

Cloud Service and Deployment Considerations

When considering deployment models, this CIS Control and its Safeguards apply directly to Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models, defer to the service/deployment model(s) your enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all service
provider information. Typically, this will encompass application, network, internet, storage,
telecommunications, etc.
• IaaS — The administrator (cloud consumer) is responsible for the cloud service provider
information. Application, network, managed, and storage services among others will all
fall to the administrator for information gathering if applicable. The CSP will provide the
information to the administrator if requested.
• PaaS — The administrator (cloud consumer) is responsible for the cloud service provider
information. Application, managed and storage services among others will all fall to the
administrator for information gathering if applicable. The CSP will provide the information to
the administrator if requested.
• SaaS — The administrator (cloud consumer) is responsible for the cloud service provider
information and the software service provider if outside of the CSP. Application, network,
managed and storage services among others will all fall to the administrator for information
gathering if applicable. The CSP will provide the information to the administrator
if requested.
• FaaS — The administrator (cloud consumer) is responsible for the cloud service provider
information. The CSP will provide the information to the Administrator if requested.

CLOUD ADDITIONAL CONSIDERATIONS

• The key to gathering the information this Control and its Safeguards require is to recognize that the cloud service provider itself spans all of the cloud service models (IaaS, PaaS, SaaS, FaaS), while other service providers may fall into only some of them depending on what is being consumed. Documenting the CSP alone is therefore not enough: inventory every provider that sits behind each service model in use (for example, a SaaS vendor that itself runs on a public IaaS, or a managed security provider with access to your accounts) and classify each one under Safeguard 15.3.

CIS CONTROL 16: Application Software Security

Overview Manage the security life cycle of in-house developed, hosted, or acquired software
to prevent, detect, and remediate security weaknesses before they can impact
the enterprise.

Cloud Applicability This CIS Control focuses on the security of applications, whether developed in-house, acquired off the shelf, or built by external developers. This is a complex activity requiring a complete program that spans enterprise-wide policy, technology, and people, and every cloud service model and deployment model in use should be covered by it. All software should be tested regularly for vulnerabilities where applicable. The operational practice of scanning for application vulnerabilities is consolidated within CIS Control 7: Continuous Vulnerability Management. The most effective approach, however, is a full supply chain security program for externally acquired software together with a Secure Software Development Life Cycle for internally developed software.

CIS Control 16: Application Software Security
Safeguard | Asset Type | Security Function | Title | Implementation Groups (IG1 IG2 IG3) | Applicability of Service Model (IaaS PaaS SaaS FaaS)

16.1 Applications Protect Establish and Maintain a Secure Application Development Process 2 3 ✓ ✓ ✓ ✓

Establish and maintain a secure application development process. In the process, address such items as: secure
application design standards, secure coding practices, developer training, vulnerability management, security of
third-party code, and application security testing procedures. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

16.2 Applications Protect Establish and Maintain a Process to Accept and Address Software 2 3 ✓ ✓ ✓ ✓
Vulnerabilities

Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a
means for external entities to report. The process is to include such items as: a vulnerability handling policy that
identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment,
remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity
ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
outside stakeholders.

16.3 Applications Protect Perform Root Cause Analysis on Security Vulnerabilities 2 3 ✓ ✓ ✓ ✓

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task
of evaluating underlying issues that creates vulnerabilities in code, and allows development teams to move beyond just
fixing individual vulnerabilities as they arise.

16.4 Applications Protect Establish and Manage an Inventory of Third-Party Software Components 2 3 ✓ ✓ ✓

Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill
of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party
component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and
validate the component is still supported.


16.5 Applications Protect Use Up-to-Date and Trusted Third-Party Software Components 2 3 ✓ ✓ ✓

Use up-to-date and trusted third-party software components. When possible, choose established and proven
frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate
the software for vulnerabilities before use.

16.6 Applications Protect Establish and Maintain a Severity Rating System and Process for 2 3 ✓ ✓ ✓ ✓
Application Vulnerabilities

Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing
the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security
acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that
improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and
process annually.

16.7 Applications Protect Use Standard Hardening Configuration Templates for Application 2 3 ✓ ✓ ✓ ✓
Infrastructure

Use standard, industry-recommended hardening configuration templates for application infrastructure components.
This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service
(PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration
hardening.

16.8 Applications Protect Separate Production and Non-Production Systems 2 3 ✓ ✓ ✓ ✓

Maintain separate environments for production and non-production systems.

16.9 Applications Protect Train Developers in Application Security Concepts and Secure Coding 2 3 ✓ ✓ ✓ ✓

Ensure that all software development personnel receive training in writing secure code for their specific development
environment and responsibilities. Training can include general security principles and application security standard
practices. Conduct training at least annually and design in a way to promote security within the development team, and
build a culture of security among the developers.

16.10 Applications Protect Apply Secure Design Principles in Application Architectures 2 3 ✓ ✓ ✓ ✓

Apply secure design principles in application architectures including the security of APIs involved. Secure design
principles include the concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of “never trust user input.” Examples include ensuring that explicit error checking is
performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design
also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services,
removing unnecessary programs and files, and renaming or removing default accounts.

16.11 Applications Protect Leverage Vetted Modules or Services for Application Security 2 3 ✓ ✓ ✓ ✓
Components

Leverage vetted modules or services for application security components, such as identity management, encryption,
and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and
minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms
for identification, authentication, and authorization and make those mechanisms available to applications. Use only
standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide
mechanisms to create and maintain secure audit logs.

16.12 Applications Protect Implement Code-Level Security Checks 3 ✓ ✓ ✓ ✓

Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being
followed.

16.13 Applications Protect Conduct Application Penetration Testing 3 ✓ ✓ ✓

Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on
the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.


16.14 Applications Protect Conduct Threat Modeling 3 ✓ ✓ ✓ ✓

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design
flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the
application design and gauge security risks for each entry point and access level. The goal is to map out the application,
architecture, and infrastructure in a structured way to understand its weaknesses.
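The monthly review that Safeguards 16.4 and 16.5 call for is mechanical once the bill of materials is machine-readable: diff this build's component list against last month's and flag anything new, changed, or no longer supported. The script below is an added example, not code from the CIS guide. It works on two constructed CycloneDX-style JSON documents with fictional package names; the end-of-life table is likewise constructed, since in practice that data comes from vendor lifecycle pages or a lifecycle service rather than a hard-coded dictionary.

```python
"""Monthly third-party component review (CIS Safeguards 16.4 / 16.5).

Added example, not code from the CIS guide. Diffs two constructed
CycloneDX-style component lists and flags what a reviewer must look at.
"""
import json

# Constructed sample: last month's SBOM and the one produced by this month's build.
# Package names are fictional.
PREVIOUS_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.28.1",
         "purl": "pkg:pypi/acme-http@2.28.1"},
        {"type": "library", "name": "log-shim", "version": "2.17.1",
         "purl": "pkg:maven/org.example.logging/log-shim@2.17.1"},
        {"type": "library", "name": "pad-left", "version": "1.3.0",
         "purl": "pkg:npm/pad-left@1.3.0"},
    ],
})

CURRENT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-http", "version": "2.31.0",
         "purl": "pkg:pypi/acme-http@2.31.0"},
        {"type": "library", "name": "log-shim", "version": "2.17.1",
         "purl": "pkg:maven/org.example.logging/log-shim@2.17.1"},
        {"type": "library", "name": "oldcrypto", "version": "0.9.8",
         "purl": "pkg:pypi/oldcrypto@0.9.8"},
    ],
})

# Constructed end-of-life data keyed by version-less purl (hypothetical entries).
END_OF_LIFE = {"pkg:pypi/oldcrypto": "0.x line unsupported (hypothetical)"}


def component_key(purl: str) -> str:
    """Identity of a component independent of its version: the purl without '@version'."""
    return purl.rsplit("@", 1)[0] if "@" in purl else purl


def parse_components(sbom_json: str) -> dict:
    """Return {version-less purl: version} for every component in a CycloneDX JSON BOM."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX BOM")
    out = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # A component without a purl cannot be matched to advisories; fail loudly
            # rather than silently dropping it from the inventory.
            raise ValueError(f"component {comp.get('name')!r} has no purl")
        out[component_key(purl)] = comp.get("version", "")
    return out


def diff_inventory(previous: dict, current: dict) -> dict:
    """Added, removed and version-changed components between two inventories."""
    prev_keys, cur_keys = set(previous), set(current)
    return {
        "added": sorted(cur_keys - prev_keys),
        "removed": sorted(prev_keys - cur_keys),
        "changed": sorted(k for k in prev_keys & cur_keys if previous[k] != current[k]),
    }


def unsupported(current: dict, eol: dict) -> list:
    """Components in the current inventory that appear in the end-of-life table."""
    return sorted(k for k in current if k in eol)


def monthly_review(previous_json: str, current_json: str, eol: dict) -> dict:
    """Build the review report; needs_review is True when a human has to look at something."""
    previous, current = parse_components(previous_json), parse_components(current_json)
    report = diff_inventory(previous, current)
    report["unsupported"] = unsupported(current, eol)
    report["needs_review"] = bool(report["added"] or report["changed"] or report["unsupported"])
    return report


if __name__ == "__main__":
    print(json.dumps(monthly_review(PREVIOUS_SBOM, CURRENT_SBOM, END_OF_LIFE), indent=2))
```

Keying on the version-less purl rather than the display name matters: two ecosystems can ship packages with the same name, and the purl is what vulnerability databases key on. Removed components are reported too, because a dependency that silently disappears from a build is as worth a second look as one that appears.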

Cloud Service and Deployment Considerations

When considering deployment models, this CIS Control and its Safeguards apply directly to Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models, defer to the service/deployment model(s) your enterprise is using.

• Private (on-prem) — The administrator (cloud consumer) is responsible for all application
software security regardless of the service model used.
• IaaS — The administrator (cloud consumer) is responsible for all application software
security. The CSP grants permission and access for scanning the cloud consumer's software
under its testing policy.
• PaaS — The administrator (cloud consumer) manages application software security for the
applications and, in some cases, host environment settings and operating systems; the platform
layer below that is the CSP's. The CSP will provide permission and access for scanning the cloud
consumer software.
• SaaS — The CSP is responsible for the security of the application code it operates. The
administrator (cloud consumer) is responsible for secure configuration of the service, for the
identities and data placed in it, for any integration or custom code written against its APIs, and
for verifying the CSP's own application security practices through the assessments in CIS Control
15 (vulnerability assessment reports, SOC 2, etc.). Scanning the SaaS application itself is
normally possible only with the CSP's explicit permission.
• FaaS — The administrator (cloud consumer) is responsible for the function code and its
application software security; the CSP is responsible for the runtime and execution environment.

CLOUD ADDITIONAL CONSIDERATIONS

• Depending on the deployment model, scanning applications for vulnerabilities will sometimes
require the cloud consumer to request permission from the CSP. As part of that request, the
consumer will often have to provide detailed information, including the IP addresses involved,
the timeframe, and the tools to be used.
• If the consumer is using a SaaS service model, the conversation shifts to the CSP's ability to
provide application vulnerability management for the product and to share its vulnerability
assessment reports where applicable.
• IaaS, PaaS, and SaaS offerings commonly expose vendor-provided APIs for integration. Any
vendor-provided or custom-built API should be scanned and reviewed like any other application
surface, including authentication, authorization, and input handling on every operation.
• DevOps teams need tools that help them build security in from the start.
• If continuous integration/continuous delivery pipelines are used, scan development artifacts
(source, dependencies, container images, IaC templates) in the pipeline so that vulnerable
workloads are blocked before release to production, and use the results to build runtime
protection profiles.
• Securely manage the configuration files that build the infrastructure your applications run on
(Infrastructure as Code, IaC) with change management, testing, and controlled deployment for
Dockerfiles, Kubernetes manifests, Helm charts, and similar artifacts. If using IaC, keep the
secrets that applications and systems need out of the templates and in a secrets store, since
secrets exposed in repositories or images put your systems at risk.
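Safeguard 16.7 (hardening templates for application infrastructure) and the pipeline and IaC points above come together in a pre-deployment gate: before a manifest or image definition is allowed through, check it against the hardening baseline and refuse anything carrying a literal secret. The script below is an added example, not code from the CIS guide and not any particular CI product's policy engine. Its inputs are constructed: a weak and a hardened Deployment written as JSON (which kubectl accepts as readily as YAML, and which keeps the example free of third-party parsers), a Dockerfile fragment, and a hypothetical registry name. The token and access-key strings are made up and match only the documented formats, not any real credential.

```python
"""Pipeline gate for IaC artifacts: hardening checks on a Kubernetes workload
plus hard-coded secret detection in Dockerfiles and manifests.

Added example for Safeguard 16.7 and the CI/CD and IaC considerations;
not code from the CIS guide. All inputs are constructed.
"""
import json
import re

WEAK_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "api",
        "image": "registry.example.internal/billing-api:latest",   # hypothetical registry, mutable tag
        "env": [
            {"name": "DB_PASSWORD", "value": "Sup3rSecret!"},        # literal secret in the manifest
            {"name": "AWS_ACCESS_KEY_ID", "value": "AKIAEXAMPLEEXAMPLE12"},  # constructed, not a real key
        ],
        "securityContext": {"privileged": True},
    }]}}},
})

HARDENED_DEPLOYMENT = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "billing-api"},
    "spec": {"template": {"spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "api",
            "image": "registry.example.internal/billing-api@sha256:" + "a" * 64,  # placeholder digest
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "billing-db", "key": "password"}}}],
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True, "capabilities": {"drop": ["ALL"]}},
        }],
    }}},
})

# Constructed Dockerfile with a token baked into the image (the value is made up).
DOCKERFILE = "FROM python:3.11-slim\nENV API_TOKEN=ghp_" + "x" * 36 + "\nRUN pip install -r requirements.txt\n"

SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_?KEY|ACCESS_KEY)", re.I)
SECRET_PATTERNS = [  # first match wins per line; formats only, no real values
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("assignment", re.compile(r"\b(password|secret|token|api_?key)\s*[:=]\s*['\"]?[^\s'\"]{6,}", re.I)),
]


def audit_workload(manifest_json: str) -> list:
    """Hardening findings for a Deployment (or bare Pod) manifest; empty list means compliant."""
    obj = json.loads(manifest_json)
    pod = obj["spec"] if obj.get("kind") == "Pod" else obj["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext", {})
    findings = []
    for c in pod.get("containers", []):
        name, sc = c.get("name", "?"), c.get("securityContext", {})
        if not (pod_sc.get("runAsNonRoot") or sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot is not true")
        if "@sha256:" not in c.get("image", ""):
            findings.append(f"{name}: image not pinned by digest ({c.get('image')})")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append(f"{name}: allowPrivilegeEscalation not set to false")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: readOnlyRootFilesystem not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        for env in c.get("env", []):
            if SECRET_NAME.search(env.get("name", "")) and "value" in env:
                findings.append(f"{name}: env {env['name']} carries a literal secret; use secretKeyRef")
    return findings


def scan_text(text: str, source: str) -> list:
    """Line-oriented secret scan for Dockerfiles, env files and raw manifests."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                findings.append(f"{source}:{lineno}: possible hard-coded secret ({label})")
                break
    return findings


def ci_gate(manifests: dict, text_files: dict) -> tuple:
    """(passed, findings): the pipeline stage fails on any finding."""
    findings = []
    for name, body in manifests.items():
        findings += [f"{name}: {f}" for f in audit_workload(body)]
        findings += scan_text(body, name)
    for name, body in text_files.items():
        findings += scan_text(body, name)
    return (not findings, findings)


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, ci_gate({f"{label}.json": manifest}, {"Dockerfile": DOCKERFILE}))
```

The two manifests are the "weak setting beside the corrected one" for a Kubernetes workload: digest-pinned image, non-root, no privilege escalation, read-only root filesystem, all capabilities dropped, and the password delivered through a Secret reference rather than a literal. A real gate would feed the same checks from the organization's CIS Benchmark-derived baseline and run a dedicated secret scanner, but the shape of the control is the same: fail closed in the pipeline, not after deployment.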

CIS CONTROL 17: Incident Response Management

Overview Establish a program to develop and maintain an incident response capability (e.g.,
policies, plans, procedures, defined roles, training, and communications) to prepare,
detect, and quickly respond to an attack.

Cloud Applicability This CIS Control focuses on how to manage and respond to a successful cyber-attack against
an enterprise. The question of a successful cyber-attack against an enterprise is not “if” but
“when.” Cyber incidents are now just part of our way of life. Even large, well-funded, and
technically sophisticated enterprises struggle to keep up with the frequency and complexity
of attacks. When an incident occurs, it is too late to develop the right procedures, reporting,
data collection, management responsibility, legal protocols, and communications strategy that
will allow the enterprise to successfully manage and recover. Without an incident response
plan, an enterprise may not discover an attack in the first place, or, if the attack is detected,
the enterprise may not follow good procedures to contain damage, eradicate the attacker’s
presence, and recover in a secure fashion.

CIS Control 17: Incident Response Management
Safeguard | Asset Type | Security Function | Title | Implementation Groups (IG1 IG2 IG3) | Applicability of Service Model (IaaS PaaS SaaS FaaS)

17.1 Respond Designate Personnel to Manage Incident Handling 1 2 3 ✓ ✓ ✓ ✓

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process.
Management personnel are responsible for the coordination and documentation of incident response and recovery
efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a
third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.

17.2 Respond Establish and Maintain Contact Information for Reporting Security 1 2 3 ✓ ✓ ✓ ✓
Incidents

Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may
include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies,
Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that
information is up-to-date.

17.3 Respond Establish and Maintain an Enterprise Process for Reporting Incidents 1 2 3 ✓ ✓ ✓ ✓

Establish and maintain an enterprise process for the workforce to report security incidents. The process includes
reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported.
Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes
occur that could impact this Safeguard.

17.4 Respond Establish and Maintain an Incident Response Process 2 3 ✓ ✓ ✓ ✓

Establish and maintain an incident response process that addresses roles and responsibilities, compliance
requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could
impact this Safeguard.


17.5 Respond Assign Key Roles and Responsibilities 2 3 ✓ ✓ ✓ ✓

Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities,
public relations, human resources, incident responders and analysts, as applicable. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

17.6 Respond Define Mechanisms for Communicating During Incident Response 2 3 ✓ ✓ ✓ ✓

Determine which primary and secondary mechanisms will be used to communicate and report during a security
incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as email,
may be unavailable or read by the attacker during a security incident, so the secondary channel should be out of band
from the affected environment. Review annually, or when significant enterprise changes occur that could impact
this Safeguard.

17.7 Recover Conduct Routine Incident Response Exercises 2 3 ✓ ✓ ✓ ✓

Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response
process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-
making, and workflows. Conduct testing on an annual basis, at a minimum.

17.8 Recover Conduct Post-Incident Reviews 2 3 ✓ ✓ ✓ ✓

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons
learned and follow-up action.

17.9 Recover Establish and Maintain Security Incident Thresholds 3 ✓ ✓ ✓ ✓

Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
an event. Examples can include, abnormal activity, security vulnerability, security weakness, data breach, privacy
incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard.

Cloud Service and Deployment Considerations

When considering deployment models, this CIS Control and its Safeguards apply directly to Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models, defer to the service/deployment model(s) your enterprise is using.

The incident response process itself is the same in the cloud: if you have processes and procedures in place organizationally, they can be used for any cloud service or deployment model. What changes is where security management lies and the conversations you will have with the CSP about the incident: which party detects and contains what, how the CSP notifies you of incidents on its side, and how you obtain evidence (API audit logs, storage and disk snapshots, provider support cases) from infrastructure you do not physically control.

CLOUD ADDITIONAL CONSIDERATIONS

• Throughout the development and documentation of the incident response plan and recovery efforts, take the CSP's shared responsibility model into account to identify the areas to focus on and those that fall primarily within the customer's realm of responsibility. Record the CSP's incident notification channel and security contact in the contact list kept under Safeguard 17.2, and confirm that the logs you would need for an investigation are enabled and retained long enough to cover a realistic detection lag.

CIS CONTROL 18: Penetration Testing

Overview Test the effectiveness and resiliency of enterprise assets through identifying and
exploiting weaknesses in controls (people, processes, and technology), and simulating
the objectives and actions of an attacker.

Cloud Applicability This CIS Control is focused on designing and conducting controlled penetration testing in an
operational technology environment, including connected devices and systems regardless
of their location and nature (physical, virtual, cloud). Attackers often exploit the gap between
good defensive designs and intentions and implementation or maintenance. Examples
include: the time window between announcement of a vulnerability, the availability of a vendor
patch, and actual installation on every machine. Other examples include: failure to apply good
configurations to machines that come on and off of the network, and failure to understand
the interaction among multiple defensive tools, or with normal system operations that have
security implications.

As outlined in the Controls, penetration tests can provide significant value and improvement,
but only when basic defensive measures are already in place and when these tests are
performed as part of a comprehensive, ongoing security management program. Each
enterprise should define a clear scope and rules of engagement for penetration testing and
Red Team analyses. The scope of such projects should include, at a minimum, systems with
the enterprise’s highest value information and production processing functionality.

CIS Control 18: Penetration Testing
Safeguard | Asset Type | Security Function | Title | Implementation Groups (IG1 IG2 IG3) | Applicability of Service Model (IaaS PaaS SaaS FaaS)

18.1 Identify Establish and Maintain a Penetration Testing Program 2 3 ✓ ✓ ✓ ✓

Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the
enterprise. Penetration testing program characteristics include: scope (network, web application, Application
Programming Interface (API), hosted services, and physical premise controls); frequency; limitations (acceptable
hours and excluded attack types); point of contact information; remediation (how findings will be routed
internally); and retrospective requirements.

18.2 Network Identify Perform Periodic External Penetration Tests 2 3 ✓ ✓ ✓ ✓

Perform periodic external penetration tests based on program requirements, no less than annually. External penetration
testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration
testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be
clear box or opaque box.

18.3 Network Protect Remediate Penetration Test Findings 2 3 ✓ ✓ ✓ ✓

Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.

18.4 Network Protect Validate Security Measures 3 ✓ ✓ ✓ ✓

Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect
the techniques used during testing.


18.5 Identify Perform Periodic Internal Penetration Tests 3 ✓ ✓ ✓ ✓

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be
clear box or opaque box.

Cloud Service and Deployment Considerations

When considering deployment models, this CIS Control and its Safeguards apply directly to Private (on-prem). For Private (third-party hosted), Public, and Hybrid deployment models, defer to the service/deployment model(s) your enterprise is using.

Pen testing follows the same process in the cloud: if you have processes and procedures in place organizationally, they can be used for any cloud service or deployment model. The major considerations are where security management lies, what the CSP's penetration testing policy permits, and the conversations you will have with the CSP if an exception is needed.

CLOUD CONSIDERATIONS
• Running pen tests may require the cloud consumer to request permission from the CSP, and always requires following the CSP's published testing policy; many providers permit testing of the customer's own resources without prior approval but prohibit certain activities, such as denial-of-service, outright. Where a request is needed, the consumer will often have to provide detailed information, including the IPs to be scanned, the source IPs, and the timeframe. A penetration tester might also need credentials to any third-party tools that complement the cloud provider's own security tooling in order to obtain a complete picture of the client's security operations. For a cloud configuration review the tester will need, at minimum, read-only access to the environment and its security console; on Azure, for example, the built-in Reader and Security Reader roles, the latter of which grants read access to Microsoft Defender for Cloud (formerly Azure Security Center).
• While you may need permission to test from the FaaS service provider, regular testing against the application interface should be part of this process. The penetration testing program should document exceptions where testing FaaS is not practical or is explicitly prohibited by the FaaS service provider; in those cases, perform source code review in addition to security-related unit testing.
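Because the CSP request described above is built from exactly the things a rules-of-engagement document already records (authorized targets, declared source addresses, a time window, excluded systems and prohibited techniques), the same data can be used to check a proposed test before a single packet is sent. The script below is an added example, not code from the CIS guide or from any CSP's testing policy. All CIDRs, addresses, dates and the exclusion list are constructed (documentation and test-net ranges), and the list of prohibited techniques is a placeholder that must be replaced with what the relevant CSP's policy actually forbids.

```python
"""Rules-of-engagement check for a cloud penetration test (CIS Control 18).

Added example, not code from the CIS guide. Validates a proposed test against
the authorized scope, declared source IPs, time window and prohibited
techniques. All data below is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress


@dataclass
class RulesOfEngagement:
    authorized_targets: list      # CIDRs the enterprise owns and has cleared for testing
    authorized_sources: list      # tester egress addresses declared to the CSP
    window_start: datetime
    window_end: datetime
    excluded_targets: list = field(default_factory=list)   # e.g. shared endpoints, other tenants
    # Placeholder: replace with the techniques the CSP's published policy forbids.
    prohibited_techniques: tuple = ("dos", "ddos")


@dataclass
class TestRequest:
    targets: list
    sources: list
    start: datetime
    end: datetime
    techniques: list


def _parse_ip(addr: str):
    """Return an ip_address object, or None for anything that is not a literal IP."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _within(ip, cidrs: list) -> bool:
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def validate_request(req: TestRequest, roe: RulesOfEngagement) -> list:
    """List every reason the request must not proceed; empty list means approved."""
    problems = []
    for t in req.targets:
        ip = _parse_ip(t)
        if ip is None:
            # Hostnames resolve to whatever DNS says at test time; authorize addresses, not names.
            problems.append(f"target {t!r} is not an IP address; resolve it and authorize the address, not the name")
        elif not _within(ip, roe.authorized_targets):
            problems.append(f"target {t} is outside authorized scope")
        elif _within(ip, roe.excluded_targets):
            problems.append(f"target {t} is explicitly excluded")
    for s in req.sources:
        ip = _parse_ip(s)
        if ip is None or not _within(ip, roe.authorized_sources):
            problems.append(f"source {s} was not declared to the CSP")
    if req.start >= req.end or req.start < roe.window_start or req.end > roe.window_end:
        problems.append("test window not inside the authorized window")
    for tech in req.techniques:
        if tech.lower() in roe.prohibited_techniques:
            problems.append(f"technique {tech!r} is prohibited")
    return problems


def approved(req: TestRequest, roe: RulesOfEngagement) -> bool:
    return not validate_request(req, roe)


# Constructed rules of engagement: TEST-NET-3, an IPv6 documentation prefix, one tester egress IP.
ROE = RulesOfEngagement(
    authorized_targets=["203.0.113.0/24", "2001:db8:10::/48"],
    authorized_sources=["198.51.100.7/32"],
    window_start=datetime(2022, 3, 14, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2022, 3, 15, 4, 0, tzinfo=timezone.utc),
    excluded_targets=["203.0.113.250/32"],
)

GOOD_REQUEST = TestRequest(
    targets=["203.0.113.10", "2001:db8:10::1"], sources=["198.51.100.7"],
    start=datetime(2022, 3, 14, 23, 0, tzinfo=timezone.utc),
    end=datetime(2022, 3, 15, 2, 0, tzinfo=timezone.utc),
    techniques=["port-scan", "authenticated-web-app"],
)

BAD_REQUEST = TestRequest(
    targets=["203.0.113.250", "192.0.2.5"], sources=["198.51.100.9"],
    start=datetime(2022, 3, 15, 3, 0, tzinfo=timezone.utc),
    end=datetime(2022, 3, 15, 6, 0, tzinfo=timezone.utc),
    techniques=["port-scan", "DoS"],
)

if __name__ == "__main__":
    print("good:", validate_request(GOOD_REQUEST, ROE))
    print("bad:", validate_request(BAD_REQUEST, ROE))
```

The check deliberately refuses hostnames: in a cloud environment a name can resolve to a CSP-managed shared service or to another tenant's address, and the authorization the CSP granted covers addresses the consumer owns. Everything the validator reports is also exactly what goes into the CSP notification, so the same record serves both the approval step and the request.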

Appendix



Abbreviations and Acronyms

AAA: Authentication, Authorization, and Auditing
AoC: Attestation of Compliance
API: Application Programming Interface
CASB: Cloud Access Security Broker
CIS: Center for Internet Security
CSP: Cloud Service Provider
CWPP: Cloud Workload Protection Platform
DEP: Data Execution Prevention
DevSecOps: Development, Security, and Operations (automating the integration of security into development and operations)
DHCP: Dynamic Host Configuration Protocol
DKIM: DomainKeys Identified Mail
DLP: Data Loss Prevention
DMARC: Domain-based Message Authentication, Reporting, and Conformance
DMZ: Demilitarized Zone
DNS: Domain Name System
EDR: Endpoint Detection and Response
FaaS: Function as a Service
GDPR: General Data Protection Regulation
HSM: Hardware Security Module
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
IaaS: Infrastructure as a Service
IaC: Infrastructure as Code
IDS: Intrusion Detection System
IG: Implementation Group
IoT: Internet of Things
IP: Internet Protocol
IPS: Intrusion Prevention System
ISAC: Information Sharing and Analysis Center
IT: Information Technology
MDM: Mobile Device Management
MFA: Multifactor Authentication
NaaS: Network-as-a-Service
NIDS: Network Intrusion Detection System
NIPS: Network Intrusion Prevention System
NIS: National Intelligence Service
OpenSSH: Open Secure Shell
OT: Operational Technology
PaaS: Platform as a Service
PCI: Payment Card Industry
RBAC: Role-Based Access Control
SaaS: Software as a Service
SCAP: Security Content Automation Protocol
SIEM: Security Information and Event Management
SIP: System Integrity Protection
SLA: Service-Level Agreement
SOC 2: Service Organization Control 2
SPF: Sender Policy Framework
SSH: Secure Shell
SSO: Single Sign-On
TLS: Transport Layer Security
URL: Uniform Resource Locator
VPN: Virtual Private Network
WDEG: Windows Defender Exploit Guard
WPA2: Wi-Fi Protected Access 2





Information

CONTACT
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

In this document, we provide guidance on how to apply the security best practices found in
CIS Controls Version 8 to cloud environments. You can find the newest version of the CIS
Controls and other complementary documents at www.cisecurity.org.

As a nonprofit organization driven by its volunteers, we are always in the process of looking
for new topics and for assistance in creating cybersecurity guidance. If you are interested
in volunteering or if you have questions, comments, or have identified ways to improve this
guide, please contact us at [email protected].

All references to tools or other products in this document are provided for informational
purposes only, and do not represent the endorsement by CIS of any particular company,
product, or technology.

Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.

Microsoft, PowerShell, and Windows are registered trademarks of Microsoft Corporation.

Android is a trademark of Google LLC.

© 2022 Center for Internet Security, Inc.



The Center for Internet Security, Inc. (CIS®) makes the connected
world a safer place for people, businesses, and governments through
our core competencies of collaboration and innovation. We are a
community-driven nonprofit, responsible for the CIS Critical Security
Controls® and CIS Benchmarks™, globally recognized best practices
for securing IT systems and data. We lead a global community of IT
professionals to continuously evolve these standards and provide
products and services to proactively safeguard against emerging
threats. Our CIS Hardened Images® provide secure, on-demand,
scalable computing environments in the cloud.

CIS is home to the Multi-State Information Sharing and Analysis
Center® (MS-ISAC®), the trusted resource for cyber threat prevention,
protection, response, and recovery for U.S. State, Local, Tribal, and
Territorial government entities, and the Elections Infrastructure
Information Sharing and Analysis Center® (EI-ISAC®), which supports
the rapidly changing cybersecurity needs of U.S. election offices. To
learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.

cisecurity.org
[email protected]
518-266-3460
Center for Internet Security
@CISecurity
TheCISecurity
cisecurity
