CIS Controls v8 Mapping To ASD Essential Eight - 2-2023
CIS Controls v8 Mapping To ASD Essential Eight - 2-2023
"Essential Eight"
Last updated January 2023
Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]
Editors
Thomas Sager
Contributors
License for Use
This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
nc-nd/4.0/legalcode
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
to the prior approval of CIS® (Center for Internet Security, Inc.).
es 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-
u are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
als. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject
Mapping Methodology
Mapping Methodology
This page describes the methodology used to map the CIS Critical Security Controls to the Australian Sign
Reference link for ASD Essential Eight: https://www.cyber.gov.au/acsc/view-all-content/essential-eight
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
CIS Controls Navigator
Remember to download the CIS Controls Version 8 Guide where you can learn more about:
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
CIS Security
CIS Safeguard Asset Type
Control Function
1
10
12
12 12.1 Network Protect
13
16
17
18
Use processes and tools to assign and manage authorization to credentials for user accounts, inclu
accounts, as well as service accounts, to enterprise assets and software.
Centralize Account
Management
Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges f
and service accounts for enterprise assets and software.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover
Implement DMARC
Enable Anti-Exploitation
Features
Establish, implement, and actively manage (track, report, correct) network devices, in order to prev
exploiting vulnerable network services and access points.
Ensure Network Infrastructure is
Up-to-Date
Centralize Network
Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
an Enterprise’s AAA
Infrastructure
Network Monitoring and
Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and d
security threats across the enterprise’s network infrastructure and user base.
Establish and maintain a security awareness program to influence behavior among the workforce t
conscious and properly skilled to reduce cybersecurity risks to the enterprise.
Develop a process to evaluate service providers who hold sensitive data, or are responsible for an
platforms or processes, to ensure these providers are protecting those platforms and data appropr
Securely Decommission
Service Providers
Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, dete
security weaknesses before they can impact the enterprise.
Penetration Testing
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weakn
(people, processes, and technology), and simulating the objectives and actions of an attacker.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records
the network address (if static), hardware address, machine name, enterprise asset owner,
department for each asset, and whether the asset has been approved to connect to the network.
For mobile end-user devices, MDM type tools can support this process, where appropriate. This
inventory includes assets connected to the infrastructure physically, virtually, remotely, and those
within cloud environments. Additionally, it includes assets that are regularly connected to the
enterprise’s network infrastructure, even if they are not under control of the enterprise. Review
and update the inventory of all enterprise assets bi-annually, or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure
the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and
use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
l of Software Assets
entory, track, and correct) all software (operating systems and applications) on the network so that
ware is installed and can execute, and that unauthorized and unmanaged software is found and
Ensure that only currently supported software is designated as authorized in the software
lation or execution.
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the
enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
Ensure that unauthorized software is either removed from use on enterprise assets or receives a
frequently.
documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.
nd technical controls to identify, classify, securely handle, retain, and dispose of data.
Establish and maintain a data management process. In the process, address data sensitivity, data
owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and
retention standards for the enterprise. Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must include
both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.
Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
Establish and maintain an overall data classification scheme for the enterprise. Enterprises may
use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to
those labels. Review and update the classification scheme annually, or when significant
enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
ools to assign and manage authorization to credentials for user accounts, including administrator
service accounts, to enterprise assets and software.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should contain
the person’s name, username, start/stop dates, and department. Validate that all active accounts
are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
ools to create, assign, manage, and revoke access credentials and privileges for user, administrator,
for enterprise assets and software.
Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems,
including those hosted on-site or at a remote service provider. Review and update the inventory,
at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider,
where supported.
ility Management
ntinuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
er to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
new threat and vulnerability information.
Establish and maintain a risk-based remediation strategy documented in a remediation process,
with monthly, or more frequent, reviews.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or
more frequent, basis, based on the remediation process.
and retain audit logs of events that could help detect, understand, or recover from an attack.
Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit
log management process.
Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.
Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other useful
elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user
management events.
ser Protections
and detections of threats from email and web vectors, as these are opportunities for attackers to
ehavior through direct engagement.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-based
filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise
assets.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy
and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or
sandboxing.
e installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.
in data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and
Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.
, and actively manage (track, report, correct) network devices, in order to prevent attackers from
network services and access points.
Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.
Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.
Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).
nd tooling to establish and maintain comprehensive network monitoring and defense against
ss the enterprise’s network infrastructure and user base.
Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts also
satisfies this Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or
supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example
implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent
cloud service provider (CSP) service.
Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software installed,
configuration compliance with the enterprise’s secure configuration process, and ensuring the
operating system and applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or
supported. Example implementations include use of an Endpoint Detection and Response (EDR)
client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations
include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application
layer firewall, or gateway.
Tune security event alerting thresholds monthly, or more frequently.
and Skills Training
Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset, erasing
physical and virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics
include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to
unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such
an incident.
Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.
Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.
evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
es, to ensure these providers are protecting those platforms and data appropriately.
Establish and maintain an inventory of service providers. The inventory is to list all known service
providers, include classification(s), and designate an enterprise contact for each service provider.
Review and update the inventory annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.
Classify service providers. Classification consideration may include one or more characteristics,
such as data sensitivity, data volume, availability requirements, applicable regulations, inherent
risk, and mitigated risk. Update and review classifications annually, or when significant enterprise
changes occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach notification
and response, data encryption requirements, and data disposal commitments. These security
requirements must be consistent with the enterprise’s service provider management policy.
Review service provider contracts annually to ensure contracts are not missing security
requirements.
Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of standardized
assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry
(PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous
processes. Reassess service providers annually, at a minimum, or with new and renewed
contracts.
Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring service
provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service
account deactivation, termination of data flows, and secure disposal of enterprise data within
service provider systems.
Security
ife cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
before they can impact the enterprise.
Establish and maintain a secure application development process. In the process, address such
items as: secure application design standards, secure coding practices, developer training,
vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise changes
occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for handling
vulnerability reports, and a process for intake, assignment, remediation, and remediation
testing. As part of the process, use a vulnerability tracking system that includes severity ratings,
and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause
analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows
development teams to move beyond just fixing individual vulnerabilities as they arise.
Establish and manage an updated inventory of third-party components used in development,
often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established
and proven frameworks and libraries that provide adequate security. Acquire these components
from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes
setting a minimum level of security acceptability for releasing code or applications. Severity
ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps
ensure the most severe bugs are fixed first. Review and update the system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.
Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of security
among the developers.
Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that explicit
error checking is performed and documented for all input, including for size, data type, and
acceptable ranges or formats. Secure design also means minimizing the application infrastructure
attack surface, such as turning off unprotected ports and services, removing unnecessary
programs and files, and renaming or removing default accounts.
Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for identification,
authentication, and authorization and make those mechanisms available to applications. Use only
standardized, currently accepted, and extensively reviewed encryption algorithms. Operating
systems also provide mechanisms to create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding
practices are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration testing
is better suited to finding business logic vulnerabilities than code scanning and automated
security testing. Penetration testing relies on the skill of the tester to manually manipulate an
application as an authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application
security design flaws within a design, before code is created. It is conducted through specially
trained individuals who evaluate the application design and gauge security risks for each entry
point and access level. The goal is to map out the application, architecture, and infrastructure in a
structured way to understand its weaknesses.
anagement
o develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
ommunications) to prepare, detect, and quickly respond to an attack.
Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal to
the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate
at least one person internal to the enterprise to oversee any third-party work. Review annually, or
when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-
to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that could
impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind
that certain mechanisms, such as emails, can be affected during a security incident. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in
the incident response process to prepare for responding to real-world incidents. Exercises need
to test communication channels, decision making, and workflows. Conduct testing on an annual
basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
Establish and maintain security incident thresholds, including, at a minimum, differentiating
between an incident and an event. Examples can include: abnormal activity, security vulnerability,
security weakness, data breach, privacy incident, etc. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.
s and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
nd technology), and simulating the objectives and actions of an attacker.
Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and physical
premise controls; frequency; limitations, such as acceptable hours, and excluded attack types;
point of contact information; remediation, such as how findings will be routed internally; and
retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than
annually. External penetration testing must include enterprise and environmental reconnaissance
to detect exploitable information. Penetration testing requires specialized skills and experience
and must be conducted through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and
capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than
annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Security Control
X X X
X X X
X X
X X
X X X
X X
X X X
X X X
X X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X X
X X X
X X
X X
X X
X X X
X X
X X X
X X X
X X
X X
X X X
X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X X X
X X
X X
X X
X X X
X X X
X X
X X
X X
X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X
X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X X
X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X X
X X X
X X X
X X
X X
X X
X X
X X
X X
X X
X X
X
Description
1.1
1.2
1.3
1.4
1.5
2.3
2.4
3.1
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
4.2
4.3
4.4
4.5
4.6
4.9
4.10
4.11
4.12
5.1
5.6
6.1
6.2
6.6
6.7
7.2
7.7
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
8.11
8.12
9.2
9.3
9.5
9.6
9.7
10.1
10.3
10.4
10.5
10.6
10.7
11.3
12.1
12.2
12.3
12.4
12.5
12.6
12.7
13.1
13.2
13.3
13.4
13.5
13.6
13.7
13.8
13.9
13.10
13.11
14.1
14.2
14.3
14.4
14.5
14.6
14.7
14.8
14.9
15.1
15.2
15.3
15.4
15.5
15.6
15.7
16.1
16.2
16.3
16.4
16.5
16.6
16.7
16.8
16.9
16.10
16.11
16.12
16.13
16.14
17.1
17.2
17.3
17.4
17.5
17.6
17.7
17.8
17.9
18.1
18.2
18.3
18.4
18.5
The following CIS Safeguards are NOT mapped to one of the ASD Essential Eight
Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory
Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections
Deploy and Maintain Anti-Malware Software
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media
Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates
Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities
Securely manage enterprise assets and software. Example implementations include managing configuration through
code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hype
(HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operat
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
and/or reputable externally accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no m
attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxF
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
individual no longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applicatio
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate th
on a recurring schedule at a minimum quarterly, or more frequently.
Centralize account management through a directory or identity service.
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling ac
rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to p
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
provider. Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or mo
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis,
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a m
review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when signifi
could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled acros
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, usernam
destination addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct
frequent, basis.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
disposal events, and user management events.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, s
Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Deploy and maintain anti-malware software on all enterprise assets.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify so
Establish and maintain a secure network architecture. A secure network architecture must address segmentation, le
minimum.
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
protocols, such as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update doc
significant enterprise changes occur that could impact this Safeguard.
Centralize network AAA.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En
Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementa
which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant cor
Safeguard.
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations inc
Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Perform traffic filtering between network segments, where appropriate.
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to ente
date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, an
applications are up-to-date.
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
Endpoint Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a N
(NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocol
incorporate user and/or device authentication.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate t
interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. R
or when significant enterprise changes occur that could impact this Safeguard.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
members on clear screen and desk best practices, such as locking their screen when they step away from their ente
virtual whiteboards at the end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
end-user device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident.
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
should include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
remote workers, training must include guidance to ensure that all users securely configure their home network infras
Conduct role-specific security awareness and skills training. Example implementations include secure system admin
(OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced so
for high-profile roles.
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
enterprise contact for each service provider. Review and update the inventory annually, or when significant enterpris
this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, invent
decommissioning of service providers. Review and update the policy annually, or when significant enterprise change
Safeguard.
Classify service providers. Classification consideration may include one or more characteristics, such as data sensit
requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
occur that could impact this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minimum secu
incident and/or data breach notification and response, data encryption requirements, and data disposal commitment
be consistent with the enterprise’s service provider management policy. Review service provider contracts annually
security requirements.
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and P
Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess s
minimum, or with new and renewed contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
provider compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
disposal of enterprise data within service provider systems.
Establish and maintain a secure application development process. In the process, address such items as: secure ap
coding practices, developer training, vulnerability management, security of third-party code, and application security
update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party
and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerabili
severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Revi
annually, or when significant enterprise changes occur that could impact this Safeguard.
Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
components slated for future use. This inventory is to include any risks that each third-party component could pose.
identify any changes or updates to these components, and validate that the component is still supported.
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities befor
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or
systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are
system and process annually.
Use standard, industry-recommended hardening configuration templates for application infrastructure components.
databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS
developed software to weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
Training can include general security principles and application security standard practices. Conduct training at leas
promote security within the development team, and build a culture of security among the developers.
Apply secure design principles in application architectures. Secure design principles include the concept of least priv
validate every operation that the user makes, promoting the concept of "never trust user input." Examples include en
performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure des
application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary
removing default accounts.
Leverage vetted modules or services for application security components, such as identity management, encryption
platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design
operating systems provide effective mechanisms for identification, authentication, and authorization and make those
applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating
create and maintain secure audit logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are bein
Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to
than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually m
authenticated and unauthenticated user.
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
created. It is conducted through specially trained individuals who evaluate the application design and gauge security
level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its we
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
for the coordination and documentation of incident response and recovery efforts and can consist of employees inte
vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise
Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may in
vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analy
stakeholders. Verify contacts annually to ensure that information is up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirem
Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur tha
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security inc
significant enterprise changes occur that could impact this Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident respo
responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows
at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and
abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or w
occur that could impact this Safeguard.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
characteristics include scope, such as network, web application, Application Programming Interface (API), hosted se
controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; re
be routed internally; and retrospective requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills a
conducted through a qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to det
testing.
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may