This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (“SP 8
Last Updated January 2023

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
subject to the prior approval of CIS® (Center for Internet Security, Inc.).
atives 4.0 International Public License (the link can be found at

you are authorized to copy and redistribute the content as a framework for use by you, within your
ed that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if
materials. Users of the CIS Controls framework are also required to refer to
e that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to NIST Special Publi
Reference link for NIST SP 800-171 R2 DRAFT: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/d

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item

CIS Control 6.1 - Establish an Acess Granting Process

Establish and follow a process, preferably automated, for granting access to enterprise assets upon new h

For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• Intersects: Although the CIS Control and the defensive mitigation have many similarities, neither is contai
awareness program and another requiring an information governance program.
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
Remember to download the CIS Controls Version 8 Guide where you can learn more about:

- This Version of the CIS Controls

- The CIS Controls Ecosystem ("It's not about the list')
- How to Get Started
- Using or Transitioning from Prior Versions of the CIS Controls
- Structure of the CIS Controls
- Implementation Groups
- Why is this Controls critical
- Procedures and tools
https://www.cisecurity.org/controls/v8/

A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/v8/

Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
 CIS CIS Sub- Security
Asset Type Title
Control Control Function

1 Inventory and Control of Hardware Assets

Actively manage (inventory, track, and correct)

network devices; non-computing/Internet of Th
virtually, remotely, and those within cloud envi
monitored and protected within the enterprise.
remove or remediate.

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory
1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host Configuration

1 1.4 Devices Identify Protocol (DHCP) Logging to
Update Enterprise Asset Inventory
Use a Passive Asset Discovery
1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets

Actively manage (inventory, track, and correct)

only authorized software is installed and can e
prevented from installation or execution.

Establish and Maintain a Software

2 2.1 Applications Protect
Inventory

Ensure Authorized Software is

2 2.2 Applications Identify
Currently Supported

2 2.3 Applications Respond Address Unauthorized Software

Utilize Automated Software

2 2.4 Applications Identify
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection

Develop processes and technical controls to id

Establish and Maintain a Data

3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.2 Data Protect
Inventory

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

Configure Data Access Control

3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Identify Securely Dispose of Data

3 3.6 Devices Protect Encrypt Data on End-User Devices

3 3.6 Devices Protect Encrypt Data on End-User Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.11 Data Protect Encrypt Sensitive Data at Rest

3 3.11 Data Protect Encrypt Sensitive Data at Rest

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets and

Establish and maintain the secure configuratio

network devices; non-computing/IoT devices; a

Establish and Maintain a Secure

4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure

4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure

4 4.1 Applications Protect
Configuration Process

Establish and Maintain a Secure

4 4.2 Network Protect Configuration Process for Network
Infrastructure
 Configure Automatic Session
4 4.3 Users Protect
Locking on Enterprise Assets

Implement and Manage a Firewall

4 4.4 Devices Protect
on Servers
Implement and Manage a Firewall
4 4.5 Devices Protect
on End-User Devices

Securely Manage Enterprise

4 4.6 Network Protect
Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable Unnecessary

4 4.8 Devices Protect Services on Enterprise Assets and
Software

Configure Trusted DNS Servers on

4 4.9 Devices Protect
Enterprise Assets

Enforce Automatic Device Lockout

4 4.10 Devices Respond
on Portable End-User Devices

Enforce Remote Wipe Capability

4 4.11 Devices Protect
on Portable End-User Devices

Separate Enterprise Workspaces

4 4.12 Devices Protect
on Mobile End-User Devices

5 Account Management

Use processes and tools to assign and manage

accounts, as well as service accounts, to enter

Establish and Maintain an

5 5.1 Users Identify
Inventory of Accounts
5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges to

5 5.4 Users Protect
Dedicated Administrator Accounts

Restrict Administrator Privileges to

5 5.4 Users Protect
Dedicated Administrator Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

5 5.6 Users Protect Centralize Account Management

6 Access Control Management

Use processes and tools to create, assign, man

and service accounts for enterprise assets and

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Revoking

6 6.2 Users Protect
Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications

Require MFA for Remote Network

6 6.4 Users Protect
Access
Require MFA for Remote Network
6 6.4 Users Protect
Access

Require MFA for Remote Network

6 6.4 Users Protect
Access

Require MFA for Administrative

6 6.5 Users Protect
Access

Establish and Maintain an

6 6.6 Users Identify Inventory of Authentication and
Authorization Systems
6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based

6 6.8 Data Protect
Access Control

Define and Maintain Role-Based

6 6.8 Data Protect
Access Control

7 Continuous Vulnerability Management

Develop a plan to continuously assess and trac

infrastructure, in order to remediate, and minim
industry sources for new threat and vulnerabili

Establish and Maintain a

7 7.1 Applications Protect
Vulnerability Management Process

Establish and Maintain a

7 7.1 Applications Protect
Vulnerability Management Process

Establish and Maintain a

7 7.2 Applications Respond
Remediation Process
Perform Automated Operating
7 7.3 Applications Protect
System Patch Management
Perform Automated Application
7 7.4 Applications Protect
Patch Management

Perform Automated Vulnerability

7 7.5 Applications Identify
Scans of Internal Enterprise Assets

Perform Automated Vulnerability

7 7.6 Applications Identify Scans of Externally-Exposed
Enterprise Assets

7 7.7 Applications Respond Remediate Detected Vulnerabilities

7 7.7 Applications Respond Remediate Detected Vulnerabilities

8 Audit Log Management

 Collect, alert, review, and retain audit logs of e

Establish and Maintain an Audit

8 8.1 Network Protect
Log Management Process

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log

8 8.3 Network Protect
Storage

8 8.4 Network Protect Standardize Time Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.7 Network Detect Collect URL Request Audit Logs

8 8.8 Devices Detect Collect Command-Line Audit Logs

8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections

Improve protections and detections of threats

manipulate human behavior through direct eng

Ensure Use of Only Fully

9 9.1 Applications Protect Supported Browsers and Email
Clients
9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email Server

9 9.7 Network Protect
Anti-Malware Protections

10 Malware Defenses

Prevent or control the installation, spread, and

Deploy and Maintain Anti-Malware

10 10.1 Devices Protect
Software
Configure Automatic Anti-Malware
10 10.2 Devices Protect
Signature Updates
Disable Autorun and Autoplay for
10 10.3 Devices Protect
Removable Media
Configure Automatic Anti-Malware
10 10.4 Devices Detect
Scanning of Removable Media

Configure Automatic Anti-Malware

10 10.4 Devices Detect
Scanning of Removable Media

10 10.5 Devices Protect Enable Anti-Exploitation Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software
Use Behavior-Based Anti-Malware
10 10.7 Devices Detect
Software

11 Data Recovery
 Establish and maintain data recovery practices
trusted state.

Establish and Maintain a Data

11 11.1 Data Recover
Recovery Process 

11 11.2 Data Recover Perform Automated Backups 

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an Isolated

11 11.4 Data Recover
Instance of Recovery Data 

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management

Establish, implement, and actively manage (tra

exploiting vulnerable network services and acc

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture
 Securely Manage Network
12 12.3 Network Protect
Infrastructure

Establish and Maintain

12 12.4 Network Identify
Architecture Diagram(s)

Centralize Network Authentication,

12 12.5 Network Protect
Authorization, and Auditing (AAA)
Use of Secure Network
12 12.6 Network Protect Management and Communication
Protocols 
Use of Secure Network
12 12.6 Network Protect Management and Communication
Protocols 
Use of Secure Network
12 12.6 Network Protect Management and Communication
Protocols 
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Ensure Remote Devices Utilize a
12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure
Establish and Maintain Dedicated
12 12.8 Devices Protect Computing Resources for All
Administrative Work
Establish and Maintain Dedicated
12 12.8 Devices Protect Computing Resources for All
Administrative Work

13 Network Monitoring and Defense

Operate processes and tooling to establish and

security threats across the enterprise’s networ

13 13.1 Network Detect Centralize Security Event Alerting

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution
 Deploy a Network Intrusion
13 13.3 Network Detect
Detection Solution

Perform Traffic Filtering Between

13 13.4 Network Protect
Network Segments

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

13 13.6 Network Detect Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting

13 13.11 Network Detect
Thresholds

14 Security Awareness and Skills Training

Establish and maintain a security awareness p

conscious and properly skilled to reduce cyber

Establish and Maintain a Security

14 14.1 N/A Protect
Awareness Program

Train Workforce Members to

14 14.2 N/A Protect Recognize Social Engineering
Attacks
Train Workforce Members on
14 14.3 N/A Protect
Authentication Best Practices
 Train Workforce on Data Handling
14 14.4 N/A Protect
Best Practices

Train Workforce Members on

14 14.5 N/A Protect Causes of Unintentional Data
Exposure
Train Workforce Members on
14 14.6 N/A Protect Recognizing and Reporting
Security Incidents
Train Workforce on How to Identify
and Report if Their Enterprise
14 14.7 N/A Protect
Assets are Missing Security
Updates

Train Workforce on the Dangers of

Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks

Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service provider

platforms or processes, to ensure these provid

Establish and Maintain an

15 15.1 N/A Identify
Inventory of Service Providers

Establish and Maintain a Service

15 15.2 N/A Identify
Provider Management Policy

15 15.3 N/A Identify Classify Service Providers

 Ensure Service Provider Contracts
15 15.4 N/A Protect
Include Security Requirements

15 15.5 N/A Identify Assess Service Providers

15 15.6 Data Detect Monitor Service Providers

Securely Decommission Service

15 15.7 Data Protect
Providers

16 Application Software Security

Manage the security life cycle of in-house deve

security weaknesses before they can impact th

Establish and Maintain a Secure

16 16.1 Applications Protect
Application Development Process

Establish and Maintain a Process

16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Perform Root Cause Analysis on

16 16.3 Applications Protect
Security Vulnerabilities
 Establish and Manage an
16 16.4 Applications Protect Inventory of Third-Party Software
Components

Use Up-to-Date and Trusted Third-

16 16.5 Applications Protect
Party Software Components

Establish and Maintain a Severity

16 16.6 Applications Protect Rating System and Process for
Application Vulnerabilities

Use Standard Hardening

16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-

16 16.8 Applications Protect
Production Systems

Train Developers in Application

16 16.9 Applications Protect Security Concepts and Secure
Coding

Apply Secure Design Principles in

16 16.10 Applications Protect
Application Architectures

Leverage Vetted Modules or

16 16.11 Applications Protect Services for Application Security
Components

Implement Code-Level Security

16 16.12 Applications Protect
Checks

Conduct Application Penetration

16 16.13 Applications Protect
Testing
16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintain a

roles, training, and communications) to prepar

Designate Personnel to Manage

17 17.1 N/A Respond
Incident Handling

Establish and Maintain Contact

17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain an

17 17.3 N/A Respond Enterprise Process for Reporting
Incidents

Establish and Maintain an Incident

17 17.4 N/A Respond
Response Process

Assign Key Roles and

17 17.5 N/A Respond
Responsibilities

Define Mechanisms for

17 17.6 N/A Respond Communicating During Incident
Response

Conduct Routine Incident

17 17.7 N/A Recover
Response Exercises

17 17.8 N/A Recover Conduct Post-Incident Reviews

 Establish and Maintain Security
17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing

Test the effectiveness and resiliency of enterpr

(people, processes, and technology), and simu

Establish and Maintain a

18 18.1 N/A Identify
Penetration Testing Program

Perform Periodic External

18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal

18 18.5 N/A Identify
Penetration Tests
 Description

of Hardware Assets

tory, track, and correct) all enterprise assets (end-user devices, including portable and mobile;
omputing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically,
those within cloud environments, to accurately know the totality of assets that need to be
ed within the enterprise. This will also support identifying unauthorized and unmanaged assets to

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address, machine name, enterprise asset
owner, department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address, machine name, data asset owner,
department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address, machine name, data asset owner,
department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.
 Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.

Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review
and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.

of Software Assets

tory, track, and correct) all software (operating systems and applications) on the network so that
re is installed and can execute, and that unauthorized and unmanaged software is found and
tion or execution.

Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of
the enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives
a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.

Use technical controls, such as application allowlisting, to ensure that only authorized software
can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls, such as application allowlisting, to ensure that only authorized software
can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized
libraries from loading into a system process. Reassess bi-annually, or more frequently.

Use technical controls, such as digital signatures and version control, to ensure that only
authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block
unauthorized scripts from executing. Reassess bi-annually, or more frequently.
technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.
Retain data according to the enterprise’s data management process. Data retention must
include both minimum and maximum timelines.

Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Establish and maintain an overall data classification scheme for the enterprise. Enterprises
may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data
according to those labels. Review and update the classification scheme annually, or when
significant enterprise changes occur that could impact this Safeguard.
Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.
Encrypt data on removable media.
Encrypt sensitive data in transit. Example implementations can include: Transport Layer
Security (TLS) and Open Secure Shell (OpenSSH).
 Encrypt sensitive data in transit. Example implementations can include: Transport Layer
Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data in transit. Example implementations can include: Transport Layer
Security (TLS) and Open Secure Shell (OpenSSH).

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive
data. Storage-layer encryption, also known as server-side encryption, meets the minimum
requirement of this Safeguard. Additional encryption methods may include application-layer
encryption, also known as client-side encryption, where access to the data storage device(s)
does not permit access to the plain-text data.

Encrypt sensitive data at rest on servers, applications, and databases containing sensitive
data. Storage-layer encryption, also known as server-side encryption, meets the minimum
requirement of this Safeguard. Additional encryption methods may include application-layer
encryption, also known as client-side encryption, where access to the data storage device(s)
does not permit access to the plain-text data.
Segment data processing and storage based on the sensitivity of the data. Do not process
sensitive data on enterprise assets intended for lower sensitivity data.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to
identify all sensitive data stored, processed, or transmitted through enterprise assets, including
those located onsite or at a remote service provider, and update the enterprise's sensitive data
inventory.
Log sensitive data access, including modification and disposal.

f Enterprise Assets and Software

the secure configuration of enterprise assets (end-user devices, including portable and mobile;
omputing/IoT devices; and servers) and software (operating systems and applications).

Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software
(operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software
(operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software
(operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
 Configure automatic session locking on enterprise assets after a defined period of inactivity.
For general purpose operating systems, the period must not exceed 15 minutes. For mobile
end-user devices, the period must not exceed 2 minutes.
Implement and manage a firewall on servers, where supported. Example implementations
include a virtual firewall, operating system firewall, or a third-party firewall agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly
allowed.
Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet
(Teletype Network) and HTTP, unless operationally essential.

Manage default accounts on enterprise assets and software, such as root, administrator, and
other pre-configured vendor accounts. Example implementations can include: disabling default
accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as an

unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations include:

configuring assets to use enterprise-controlled DNS servers and/or reputable externally
accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed

authentication attempts on portable end-user devices, where supported. For laptops, do not
allow more than 20 failed authentication attempts; for tablets and smartphones, no more than
10 failed authentication attempts. Example implementations include Microsoft® InTune Device
Lock and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed
appropriate such as lost or stolen devices, or when an individual no longer supports the
enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal applications
and data.

ls to assign and manage authorization to credentials for user accounts, including administrator
rvice accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should
contain the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
 Use unique passwords for all enterprise assets. Best practice implementation includes, at a
minimum, an 8-character password for accounts using MFA and a 14-character password for
accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets.
Conduct general computing activities, such as internet browsing, email, and productivity suite
use, from the user’s primary, non-privileged account.
Restrict administrator privileges to dedicated administrator accounts on enterprise assets.
Conduct general computing activities, such as internet browsing, email, and productivity suite
use, from the user’s primary, non-privileged account.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must
contain department owner, review date, and purpose. Perform service account reviews to
validate that all active accounts are authorized, on a recurring schedule at a minimum
quarterly, or more frequently.
Centralize account management through a directory or identity service.

ls to create, assign, manage, and revoke access credentials and privileges for user, administrator,
or enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit
trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where
supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for remote network access.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets,
whether managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and authorization

systems, including those hosted on-site or at a remote service provider. Review and update the
inventory, at a minimum, annually, or more frequently.
 Centralize access control for all enterprise assets through a directory service or SSO provider,
where supported.
Define and maintain role-based access control, through determining and documenting the
access rights necessary for each role within the enterprise to successfully carry out its
assigned duties. Perform access control reviews of enterprise assets to validate that all
privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

Define and maintain role-based access control, through determining and documenting the
access rights necessary for each role within the enterprise to successfully carry out its
assigned duties. Perform access control reviews of enterprise assets to validate that all
privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

ty Management

nuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
w threat and vulnerability information.

Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
process, with monthly, or more frequent, reviews.
Perform operating system updates on enterprise assets through automated patch management
on a monthly, or more frequent, basis.
Perform application updates on enterprise assets through automated patch management on a
monthly, or more frequent, basis.
Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more
frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-
compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-

compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or

more frequent, basis, based on the remediation process.
Remediate detected vulnerabilities in software through processes and tooling on a monthly, or
more frequent, basis, based on the remediation process.
nd retain audit logs of events that could help detect, understand, or recover from an attack.

Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s
audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other
useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.

Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user
management events.

r Protections

d detections of threats from email and web vectors, as these are opportunities for attackers to
avior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the enterprise,
only using the latest version of browsers and email clients provided through the vendor.
 Use DNS filtering services on all enterprise assets to block access to known malicious
domains.

Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-
based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all
enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or

email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC
policy and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.

Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment scanning
and/or sandboxing.

nstallation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

Use behavior-based anti-malware software.

data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and

Establish and maintain a data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more
frequently, based on the sensitivity of the data.

Protect recovery data with equivalent controls to the original data. Reference encryption or data
separation, based on requirements.

Establish and maintain an isolated instance of recovery data. Example implementations

include, version controlling backup destinations through offline, cloud, or off-site systems or
services.

Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise
assets.

nd actively manage (track, report, correct) network devices, in order to prevent attackers from
etwork services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.
 Securely manage network infrastructure. Example implementations include version-controlled-
infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to

accessing enterprise resources on end-user devices.

Require users to authenticate to enterprise-managed VPN and authentication services prior to

accessing enterprise resources on end-user devices.
Establish and maintain dedicated computing resources, either physically or logically separated,
for all administrative tasks or tasks requiring administrative access. The computing resources
should be segmented from the enterprise's primary network and not be allowed internet
access.
Establish and maintain dedicated computing resources, either physically or logically separated,
for all administrative tasks or tasks requiring administrative access. The computing resources
should be segmented from the enterprise's primary network and not be allowed internet
access.

tooling to establish and maintain comprehensive network monitoring and defense against
the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts
also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate

and/or supported.
 Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System (NIDS) or
equivalent cloud service provider (CSP) service.

Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software
installed, configuration compliance with the enterprise’s secure configuration process, and
ensuring the operating system and applications are up-to-date.

Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate

and/or supported. Example implementations include use of an Endpoint Detection and
Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations
include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.
Perform application layer filtering. Example implementations include a filtering proxy,
application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

d Skills Training

a security awareness program to influence behavior among the workforce to be security

y skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, pre-
texting, and tailgating. 

Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.
 Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset,
erasing physical and virtual whiteboards at the end of meetings, and storing data and assets
securely.
Train workforce members to be aware of causes for unintentional data exposure. Example
topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing
data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report
such an incident. 

Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.

valuate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
, to ensure these providers are protecting those platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each
service provider. Review and update the inventory annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.

Classify service providers. Classification consideration may include one or more

characteristics, such as data sensitivity, data volume, availability requirements, applicable
regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
when significant enterprise changes occur that could impact this Safeguard.
 Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach
notification and response, data encryption requirements, and data disposal commitments.
These security requirements must be consistent with the enterprise’s service provider
management policy. Review service provider contracts annually to ensure contracts are not
missing security requirements.

Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of
standardized assessment reports, such as Service Organization Control 2 (SOC 2) and
Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or
other appropriately rigorous processes. Reassess service providers annually, at a minimum, or
with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring
service provider release notes, and dark web monitoring.

Securely decommission service providers. Example considerations include user and service
account deactivation, termination of data flows, and secure disposal of enterprise data within
service provider systems.

ecurity

e cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
efore they can impact the enterprise.

Establish and maintain a secure application development process. In the process, address
such items as: secure application design standards, secure coding practices, developer
training, vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Establish and maintain a process to accept and address reports of software vulnerabilities,
including providing a means for external entities to report. The process is to include such items
as: a vulnerability handling policy that identifies reporting process, responsible party for
handling vulnerability reports, and a process for intake, assignment, remediation, and
remediation testing. As part of the process, use a vulnerability tracking system that includes
severity ratings, and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to
set expectations for outside stakeholders.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root
cause analysis is the task of evaluating underlying issues that create vulnerabilities in code,
and allows development teams to move beyond just fixing individual vulnerabilities as they
arise.
Establish and manage an updated inventory of third-party components used in development,
often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported. 

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate security. Acquire these
components from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process
includes setting a minimum level of security acceptability for releasing code or applications.
Severity ratings bring a systematic way of triaging vulnerabilities that improves risk
management and helps ensure the most severe bugs are fixed first. Review and update the
system and process annually.
Use standard, industry-recommended hardening configuration templates for application
infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of
security among the developers.

Apply secure design principles in application architectures. Secure design principles include the
concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that
explicit error checking is performed and documented for all input, including for size, data type,
and acceptable ranges or formats. Secure design also means minimizing the application
infrastructure attack surface, such as turning off unprotected ports and services, removing
unnecessary programs and files, and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for
identification, authentication, and authorization and make those mechanisms available to
applications. Use only standardized, currently accepted, and extensively reviewed encryption
algorithms. Operating systems also provide mechanisms to create and maintain secure audit
logs.
Apply static and dynamic analysis tools within the application life cycle to verify that secure
coding practices are being followed.
Conduct application penetration testing. For critical applications, authenticated penetration
testing is better suited to finding business logic vulnerabilities than code scanning and
automated security testing. Penetration testing relies on the skill of the tester to manually
manipulate an application as an authenticated and unauthenticated user. 
 Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is conducted
through specially trained individuals who evaluate the application design and gauge security
risks for each entry point and access level. The goal is to map out the application, architecture,
and infrastructure in a structured way to understand its weaknesses.

develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
mmunications) to prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is
up-to-date.
Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact
this Safeguard.
Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in
mind that certain mechanisms, such as emails, can be affected during a security incident.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
Plan and conduct routine incident response exercises and scenarios for key personnel involved
in the incident response process to prepare for responding to real-world incidents. Exercises
need to test communication channels, decision making, and workflows. Conduct testing on an
annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.
 Establish and maintain security incident thresholds, including, at a minimum, differentiating
between an incident and an event. Examples can include: abnormal activity, security
vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
d technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and
physical premise controls; frequency; limitations, such as acceptable hours, and excluded
attack types; point of contact information; remediation, such as how findings will be routed
internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less than
annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires specialized skills
and experience and must be conducted through a qualified party. The testing may be clear box
or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets
and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than
annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship ID

x x x Superset 3.1.20

x x x Superset 3.1.18

x x x Subset 3.12.4
x x x

x x

x x

x x x

x x x

x x x

x x Subset 3.4.9

x x Equivalent 3.4.8

x x Subset 3.13.6

x x

x
x x x

x x x

x x x Subset 3.1.1

x x x Subset 3.1.2

x x x Superset 3.8.2

x x x

x x x Equivalent 3.8.3

x x x Subset 3.1.13

x x x Subset 3.8.1

x x

x x Superset 3.1.3

x x Subset 3.8.7

x x Subset 3.1.13
 x x Superset 3.5.10

x x Equivalent 3.13.8

x x Subset 3.8.1

x x Equivalent 3.13.16

x x Superset 3.1.22

x x x Superset 3.1.18

x x x Superset 3.4.1

x x x Equivalent 3.4.2

x x x Superset 3.4.4
x x x Subset 3.1.10

x x x

x x x

x x x

x x x

x x Subset 3.4.7

x x

x x Subset 3.1.8

x x

x x x
x x x Equivalent 3.5.7

x x x

x x x Superset 3.1.6

x x x Superset 3.1.7

x x

x x

x x x Subset 3.5.2

x x x

x x x

x x x Subset 3.1.12

x x x Subset 3.1.18

x x x Subset 3.5.3

x x x Subset 3.5.3

x x
 x x

x Superset 3.1.4

x Superset 3.1.5

x x x Subset 3.12.2

x x x Subset 3.14.1

x x x

x x x

x x x

x x Subset 3.11.2

x x Subset 3.11.2

x x Equivalent 3.11.3

x x Subset 3.14.1
x x x Equivalent 3.3.1

x x x

x x x

x x Equivalent 3.3.7

x x

x x

x x

x x

x x
x x

x x Subset 3.3.3

x x Subset 3.3.5

x x x
x x x

x x

x x

x x

x x

x x x Subset 3.14.2

x x x Equivalent 3.14.4

x x x Subset 3.8.7

x x Subset 3.8.7

x x Subset 3.14.5

x x

x x

x x
x x x

x x x

x x x Superset 3.8.9

x x x

x x

x x x

x x Superset 3.1.5

x x Superset 3.4.6

x x Subset 3.13.2

x x Superset 3.13.5
x x

x x

x x

x x Subset 3.1.17

x x Subset 3.13.1

x x Superset 3.13.15

x x Subset 3.1.12

x x Subset 3.1.14

x Subset 3.13.3

x Subset 3.13.4

x x Subset 3.14.3

x x Subset 3.14.6
 x x Subset 3.14.6

x x Subset 3.13.1

x x Superset 3.1.12

x x Subset 3.13.1

x Subset 3.1.1

x Subset 3.13.6

x x x Superset 3.2.1

x x x

x x x
x x x

x x x

x x x

x x x

x x x

x x Superset 3.2.2

x x x

x x

x x
x x

x x Subset 3.13.2

x x

x x
x x

x x

x x

x x

x x

x x

x x

x x

x
 x

x x x

x x x Subset 3.6.2

x x x Subset 3.6.2

x x Equivalent 3.6.1

x x

x x

x x Equivalent 3.6.3

x x
 x

x x

x x

x x

x
 Security Requirement

Verify and control/limit connections to and use of external

systems.

Control connection of mobile devices.

Develop, document, and periodically update system security

plans that describe system boundaries, system environments of
operation, how security requirements are implemented, and the
relationships with or connections to other systems.
Control and monitor user-installed software.

Apply deny-by-exception (blacklisting) policy to prevent the use

of unauthorized software or deny-all, permit-by-exception
(whitelisting) policy to allow the execution of authorized
software.

Deny network communications traffic by default and allow

network communications traffic by exception (i.e., deny all,
permit by exception).
Limit system access to authorized users, processes acting on
behalf of authorized users, and devices (including other
systems).

Limit system access to the types of transactions and functions

that authorized users are permitted to execute.

Limit access to CUI on system media to authorized users.

Sanitize or destroy system media containing CUI before

disposal or release for reuse.

Employ cryptographic mechanisms to protect the confidentiality

of remote access sessions.

Protect (i.e., physically control and securely store) system

media containing CUI, both paper and digital.

Control the flow of CUI in accordance with approved

authorizations.

Control the use of removable media on system components.

Employ cryptographic mechanisms to protect the confidentiality
of remote access sessions.
Store and transmit only cryptographically-protected passwords.

Implement cryptographic mechanisms to prevent unauthorized

disclosure of CUI during transmission unless otherwise
protected by alternative physical safeguards.

Protect (i.e., physically control and securely store) system

media containing CUI, both paper and digital.

Protect the confidentiality of CUI at rest.

Control CUI posted or processed on publicly accessible

systems.

Control connection of mobile devices.

Establish and maintain baseline configurations and inventories

of organizational systems (including hardware, software,
firmware, and documentation) throughout the respective system
development life cycles.

Establish and enforce security configuration settings for

information technology products employed in organizational
systems.

Analyze the security impact of changes prior to implementation.

Use session lock with pattern-hiding displays to prevent access
and viewing of data after period of inactivity.

Restrict, disable, or prevent the use of nonessential programs,

functions, ports, protocols, and services.

Limit unsuccessful logon attempts.

Enforce a minimum password complexity and change of
characters when new passwords are created.

Use non-privileged accounts or roles when accessing

nonsecurity functions.

Prevent non-privileged users from executing privileged

functions and audit the execution of such functions.

Authenticate (or verify) the identities of users, processes, or

devices, as a prerequisite to allowing access to organizational
systems.

Monitor and control remote access sessions.

Control connection of mobile devices.

Use multifactor authentication for local and network access to

privileged accounts and for network access to non-privileged
accounts.
Use multifactor authentication for local and network access to
privileged accounts and for network access to non-privileged
accounts.
Separate the duties of individuals to reduce the risk of
malevolent activity without collusion.

Employ the principle of least privilege, including for specific

security functions and privileged accounts.

Develop and implement plans of action designed to correct

deficiencies and reduce or eliminate vulnerabilities in
organizational systems.

Identify, report, and correct system flaws in a timely manner.

Scan for vulnerabilities in organizational systems and

applications periodically and when new vulnerabilities affecting
those systems and applications are identified.
Scan for vulnerabilities in organizational systems and
applications periodically and when new vulnerabilities affecting
those systems and applications are identified.

Remediate vulnerabilities in accordance with risk assessments.

Identify, report, and correct system flaws in a timely manner.

Create and retain system audit logs and records to the extent
needed to enable the monitoring, analysis, investigation, and
reporting of unlawful or unauthorized system activity.

Provide a system capability that compares and synchronizes

internal system clocks with an authoritative source to generate
time stamps for audit records.

Review and update logged events.

Correlate audit record review, analysis, and reporting processes

for investigation and response to indications of unlawful,
unauthorized, suspicious, or unusual activity.
Provide protection from malicious code at designated locations
within organizational systems.
Update malicious code protection mechanisms when new
releases are available.

Control the use of removable media on system components.

Control the use of removable media on system components.

Perform periodic scans of organizational systems and real-time

scans of files from external sources as files are downloaded,
opened, or executed.
Protect the confidentiality of backup CUI at storage locations.

Employ the principle of least privilege, including for specific

security functions and privileged accounts.

Employ the principle of least functionality by configuring

organizational systems to provide only essential capabilities.

Employ architectural designs, software development

techniques, and systems engineering principles that promote
effective information security within organizational systems.

Implement subnetworks for publicly accessible system

components that are physically or logically separated from
internal networks.
Protect wireless access using authentication and encryption.

Monitor, control, and protect communications (i.e., information

transmitted or received by organizational systems) at the
external boundaries and key internal boundaries of
organizational systems.

Protect the authenticity of communications sessions.

Monitor and control remote access sessions.

Route remote access via managed access control points.

Separate user functionality from system management

functionality.

Prevent unauthorized and unintended information transfer via

shared system resources.

Monitor system security alerts and advisories and take action in

response.

Monitor organizational systems, including inbound and

outbound communications traffic, to detect attacks and
indicators of potential attacks.
Monitor organizational systems, including inbound and
outbound communications traffic, to detect attacks and
indicators of potential attacks.
Monitor, control, and protect communications (i.e., information
transmitted or received by organizational systems) at the
external boundaries and key internal boundaries of
organizational systems.

Monitor and control remote access sessions.

Monitor, control, and protect communications (i.e., information

transmitted or received by organizational systems) at the
external boundaries and key internal boundaries of
organizational systems.

Limit system access to authorized users, processes acting on

behalf of authorized users, and devices (including other
systems).
Deny network communications traffic by default and allow
network communications traffic by exception (i.e., deny all,
permit by exception).

Ensure that managers, systems administrators, and users of

organizational systems are made aware of the security risks
associated with their activities and of the applicable policies,
standards, and procedures related to the security of those
systems.
Ensure that personnel are trained to carry out their assigned
information security-related duties and responsibilities.
Employ architectural designs, software development
techniques, and systems engineering principles that promote
effective information security within organizational systems.
Track, document, and report incidents to designated officials
and/or authorities both internal and external to the organization.

Track, document, and report incidents to designated officials

and/or authorities both internal and external to the organization.

Establish an operational incident-handling capability for

organizational systems that includes preparation, detection,
analysis, containment, recovery, and user response activities.

Test the organizational incident response capability.

ID
3.1
3.1.9
3.1.11
3.1.15
3.1.16
3.1.21
3.2
3.2.3
3.3

3.3.2
3.3.4
3.3.6
3.3.8
3.3.9
3.4
3.4.3
3.4.5
3.5
3.5.1
3.5.5
3.5.6
3.5.8
3.5.9
3.5.11
3.7
3.7.1
3.7.2
3.7.3
3.7.4

3.7.5
3.7.6
3.8
3.8.4
3.8.5

3.8.6
3.8.8
3.9
3.9.1
3.9.2
3.10
3.10.1
3.10.2
3.10.3
3.10.4
3.10.5
3.10.6
3.11

3.11.1
3.12
3.12.1
3.12.3
3.13

3.13.7
3.13.9
3.13.10
3.13.11
3.13.12
3.13.13
3.13.14
Security Requirement
Access Control
Provide privacy and security notices consistent with applicable CUI rules.
Terminate (automatically) a user session after a defined condition.
Authorize remote execution of privileged commands and remote access to security-relevant information.
Authorize wireless access prior to allowing such connections.
Limit use of portable storage devices on external systems.
Awareness and Training
Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Audit and Accountability
Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accou
actions.
Alert in the event of an audit logging process failure.
Provide audit record reduction and report generation to support on-demand analysis and reporting.
Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Limit management of audit logging functionality to a subset of privileged users.
Configuration Management
Track, review, approve or disapprove, and log changes to organizational systems.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organiz
Identification and Authentication
Identify system users, processes acting on behalf of users, and devices.
Prevent reuse of identifiers for a defined period.
Disable identifiers after a defined period of inactivity.
Prohibit password reuse for a specified number of generations.
Allow temporary password use for system logons with an immediate change to a permanent password.
Obscure feedback of authentication information.
Maintenance
Perform maintenance on organizational systems.
Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Check media containing diagnostic and test programs for malicious code before the media are used in organizationa
Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and
connections when nonlocal maintenance is complete.
Supervise the maintenance activities of maintenance personnel without required access authorization.
Media Protection
Mark media with necessary CUI markings and distribution limitations.
Control access to media containing CUI and maintain accountability for media during transport outside of controlled
Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport un
protected by alternative physical safeguards.
Prohibit the use of portable storage devices when such devices have no identifiable owner.
Personnel Security
Screen that
Ensure individuals prior to authorizing
organizational access toCUI
systems containing organizational systems
are protected during containing CUI.
and after personnel actions such as termina
transfers.
Physical Protection
Limit physical access to organizational systems, equipment, and the respective operating environments to authorize
Protect and monitor the physical facility and support infrastructure for organizational systems.
Escort visitors and monitor visitor activity.
Maintain audit logs of physical access.
Control and manage physical access devices.
Enforce safeguarding measures for CUI at alternate work sites.
Risk Assessment
Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organiza
and individuals, resulting from the operation of organizational systems and the associated processing, storage, or tra
CUI.
Security Assessment
Periodically assess the security controls in organizational systems to determine if the controls are effective in their a
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
System and Communications Protection
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and c
via some other
Terminate connection
network to resources
connections in external
associated networks (i.e.,sessions
with communications split tunneling).
at the end of the sessions or after a defin
inactivity.
Establish and manage cryptographic keys for cryptography employed in organizational systems.
Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users prese
Control and monitor the use of mobile code.
Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
The following CIS Control Safeguards are NOT mapped to 800-171

1.2
1.3

1.4

1.5

2.1

2.2
2.3

2.6

2.7

3.1

3.2
3.4

3.7

3.13
3.14
4.4

4.5

4.6

4.7

4.9

4.11

4.12
 5.1
5.3

5.5
5.6

6.2

6.3

6.6
6.7
7.2
7.3
7.4
8.2
8.3

8.5
8.6
8.7
8.8
8.9
8.10

8.12

9.1
9.2

9.3
9.4

9.5
9.6
9.7

10.5
10.6
10.7

11.1
11.2
 11.4
11.5

12.1

12.3

12.4
12.5

13.7

13.8
13.10
13.11
14.2
14.3

14.4

14.5
14.6

14.7

14.8

15.1

15.2

15.3

15.4

15.5

15.6

15.7
 16.2

16.3

16.4

16.5

16.6

16.7
16.8

16.9

16.10

16.11
16.12

16.13

16.14

17.1

17.5
17.6
17.8

17.9

18.1

18.2
18.3
18.4
18.5
The following CIS Control Safeguards are NOT mapped to 800-171

Address Unauthorized Assets

Utilize an Active Discovery Tool

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Use a Passive Asset Discovery Tool

Establish and Maintain a Software Inventory

Ensure Authorized Software is Currently Supported

Address Unauthorized Software

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Establish and Maintain a Data Management Process

Establish and Maintain a Data Inventory

Enforce Data Retention

Establish and Maintain a Data Classification Scheme

Deploy a Data Loss Prevention Solution

Log Sensitive Data Access
Implement and Manage a Firewall on Servers

Implement and Manage a Firewall on End-User Devices

Securely Manage Enterprise Assets and Software

Manage Default Accounts on Enterprise Assets and Software

Configure Trusted DNS Servers on Enterprise Assets

Enforce Remote Wipe Capability on Portable End-User Devices

Separate Enterprise Workspaces on Mobile End-User Devices

Establish and Maintain an Inventory of Accounts
Disable Dormant Accounts

Establish and Maintain an Inventory of Service Accounts

Centralize Account Management

Establish an Access Revoking Process

Require MFA for Externally-Exposed Applications

Establish and Maintain an Inventory of Authentication and Authorization Systems

Centralize Access Control
Establish and Maintain a Remediation Process
Perform Automated Operating System Patch Management
Perform Automated Application Patch Management
Collect Audit Logs
Ensure Adequate Audit Log Storage

Collect Detailed Audit Logs

Collect DNS Query Audit Logs
Collect URL Request Audit Logs
Collect Command-Line Audit Logs
Centralize Audit Logs
Retain Audit Logs

Collect Service Provider Logs

Ensure Use of Only Fully Supported Browsers and Email Clients

Use DNS Filtering Services

Maintain and Enforce Network-Based URL Filters

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Implement DMARC
Block Unnecessary File Types
Deploy and Maintain Email Server Anti-Malware Protections

Enable Anti-Exploitation Features

Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software

Establish and Maintain a Data Recovery Process 

Perform Automated Backups 
Establish and Maintain an Isolated Instance of Recovery Data 
Test Data Recovery

Ensure Network Infrastructure is Up-to-Date

Securely Manage Network Infrastructure

Establish and Maintain Architecture Diagram(s)

Centralize Network Authentication, Authorization, and Auditing (AAA)

Deploy a Host-Based Intrusion Prevention Solution

Deploy a Network Intrusion Prevention Solution

Perform Application Layer Filtering
Tune Security Event Alerting Thresholds
Train Workforce Members to Recognize Social Engineering Attacks
Train Workforce Members on Authentication Best Practices

Train Workforce on Data Handling Best Practices

Train Workforce Members on Causes of Unintentional Data Exposure

Train Workforce Members on Recognizing and Reporting Security Incidents

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

Establish and Maintain an Inventory of Service Providers

Establish and Maintain a Service Provider Management Policy

Classify Service Providers

Ensure Service Provider Contracts Include Security Requirements

Assess Service Providers

Monitor Service Providers

Securely Decommission Service Providers

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

Perform Root Cause Analysis on Security Vulnerabilities

Establish and Manage an Inventory of Third-Party Software Components

Use Up-to-Date and Trusted Third-Party Software Components

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

Use Standard Hardening Configuration Templates for Application Infrastructure

Separate Production and Non-Production Systems

Train Developers in Application Security Concepts and Secure Coding

Apply Secure Design Principles in Application Architectures

Leverage Vetted Modules or Services for Application Security Components

Implement Code-Level Security Checks

Conduct Application Penetration Testing

Conduct Threat Modeling

Designate Personnel to Manage Incident Handling

Assign Key Roles and Responsibilities

Define Mechanisms for Communicating During Incident Response
Conduct Post-Incident Reviews

Establish and Maintain Security Incident Thresholds

Establish and Maintain a Penetration Testing Program

Perform Periodic External Penetration Tests

Remediate Penetration Test Findings
Validate Security Measures
Perform Periodic Internal Penetration Tests
Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remo
from connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discove
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
weekly, or more frequently.
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inve
install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (UR
mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise as
for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk ac
without an exception documentation, designate as unauthorized. Review the software list to verify software support
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented excep
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are
unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling o
requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation an
occur that could impact this Safeguard.
Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive d
inventory annually, at a minimum, with a priority on sensitive data.
Retain data
Establish according
and maintaintoanthe enterprise’s
overall data management
data classification schemeprocess. Data retention
for the enterprise. must include
Enterprises both
may use minimum
labels, suchand
as
classify their data according to those labels. Review and update the classification scheme annually, or when signific
this Safeguard.
Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data sto
enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitiv
Log sensitive
Implement anddata access,
manage including
a firewall on modification andsupported.
servers, where disposal. Example implementations include a virtual firewall, o
agent.
Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that
that are explicitly allowed.
Securely manage enterprise assets and software. Example implementations include managing configuration through
accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Trans
insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured v
include: disabling default accounts or making them unusable.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
reputable externally accessible DNS servers.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as
longer supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implemen
Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user
a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active a
schedule at a minimum quarterly, or more frequently.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department own
account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly,
Centralize account management through a directory or identity service.
Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling ac
revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserv
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
is a satisfactory implementation of this Safeguard.
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those ho
Review and update the inventory, at a minimum, annually, or more frequently.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or mo
Perform operating system updates on enterprise assets through automated patch management on a monthly, or mo
Perform application updates on enterprise assets through automated patch management on a monthly, or more freq
Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled acros
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, usernam
addresses, and other useful elements that could assist in a forensic investigation.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Retain audit logs across enterprise assets for a minimum of 90 days.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, s
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recov
data. Review and update documentation annually, or when significant enterprise changes occur that could impact th
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software sup
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update doc
enterprise changes occur that could impact this Safeguard.
Centralize network AAA.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Exam
Detection and Response (EDR) client or host-based IPS agent.
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a N
equivalent CSP service.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating. 
Train workforce members on authentication best practices. Example topics include MFA, password composition, and
Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This al
clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset,
end of meetings, and storing data and assets securely.
Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-deliver
device, or publishing data to unintended audiences.
Train workforce members to be able to recognize a potential incident and be able to report such an incident. 
Train workforce to understand how to verify and report out-of-date software patches or any failures in automated pro
include notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterpr
workers, training must include guidance to ensure that all users securely configure their home network infrastructure
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include
contact for each service provider. Review and update the inventory annually, or when significant enterprise changes
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, invent
decommissioning of serviceClassification
Classify service providers. providers. Review and update
consideration maythe policyone
include annually,
or moreorcharacteristics,
when significant enterprise
such as datachange
sensit
applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significa
this Safeguard.
Ensure service provider contracts include security requirements. Example requirements may include minimum secu
and/or data breach notification and response, data encryption requirements, and data disposal commitments. These
the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts
Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope m
include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment C
(AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually,
contracts.
Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may inclu
compliance, monitoring service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service account deactivation, te
enterprise data within service provider systems.
Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a me
is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for hand
intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system
measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation a
occur that could impact this Safeguard.

Third-party application developers need to consider this an externally-facing policy that helps to set expectations for
Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they ar
Establish and manage an updated inventory of third-party components used in development, often referred to as a “
for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at
updates to these components, and validate that the component is still supported. 
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use.
Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing t
fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Seve
vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and up
Use standard, industry-recommended hardening configuration templates for application infrastructure components.
and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS component
weaken configuration hardening.
Maintain separate environments for production and non-production systems.
Ensure that all software development personnel receive training in writing secure code for their specific developmen
include general security principles and application security standard practices. Conduct training at least annually and
development team, and build a culture of security among the developers.

Apply secure design principles in application architectures. Secure design principles include the concept of least priv
operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that ex
documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means
surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renamin

Leverage vetted modules or services for application security components, such as identity management, encryption
features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implem
provide effective mechanisms for identification, authentication, and authorization and make those mechanisms avail
currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to
Apply static
Conduct and dynamic
application analysis
penetration tools within
testing. the application
For critical life authenticated
applications, cycle to verify penetration
that secure testing
coding is
practices are bein
better suited to
scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate a
unauthenticated user. 
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
conducted through specially trained individuals who evaluate the application design and gauge security risks for eac
map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.

Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Ma
coordination and documentation of incident response and recovery efforts and can consist of employees internal to
approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-
enterprise changes occur that could impact this Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilitie
responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could im
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident.
changes occur that could impact this Safeguard.
Conduct
Establishpost-incident
and maintainreviews.
security Post-incident reviewsincluding,
incident thresholds, help prevent
at a incident
minimum, recurrence through
differentiating identifying
between lessons
an incident le
and
activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when signif
impact this Safeguard.
Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterpr
include scope, such as network, web application, Application Programming Interface (API), hosted services, and phy
such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how finding
requirements.
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and e
qualified party. The testing may be clear box or opaque box.
Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to det
Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may