CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
CIS Controls v8.1 Mapping To NIST CSF v2.0 6-24-2024 Final 1
Editors
Thomas Sager
To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Con
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing t
the prior approval of CIS® (Center for Internet Security, Inc.).
are authorized to copy and redistribute the content as a framework for use by you, within your
hat (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
ls. Users of the CIS Controls framework are also required to refer to
at users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to
This page describes the methodology used to map the CIS Critical Security Controls to NIST Cybersecurit
Reference link for NIST CSF v2.0
https://www.nist.gov/cyberframework
The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
The general strategy used is to identify all of the aspects within a control and attempt to discern if both item
For a defensive mitigation to map to this CIS Safeguard it must have at least one of the following:
• A clearly documented process, covering both new employees and changes in access.
• All relevant enteprise access control must be covered under this process, there can be no seperation whe
• Automated tools are ideally used, such as a SSO provider or routing access control through a directory s
• The same process is followed every time a user's rights change, so a user never amasses greater rights
If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.
The relationships should be read from left to right, like a sentence. CIS Safeguard X is Equivalent to this <
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m
The CIS Controls are written with certain principles in mind, such as only having one ask per Safeguard. T
can often be "Subset."
Mappings are available from a variety of sources online, and different individuals may make their own deci
other mapping.
If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
A free tool with a dynamic list of the CIS Safeguards that can be filtered by Implemtation Groups and
mappings to multiple frameworks.
https://www.cisecurity.org/controls/cis-controls-navigator
Join our community where you can discuss the CIS Controls with our global army of experts and
voluneers!
https://workbench.cisecurity.org/dashboard
Uninstall or Disable
4 4.8 Devices Protect Unnecessary Services on
Enterprise Assets and Software
Separate Enterprise
4 4.12 Data Protect Workspaces on Mobile End-
User Devices
Centralize Account
5 5.6 Users Protect
Management
Documentati Establish an Access Granting
6 6.1 Govern
on Process
Perform Automated
7 7.5 Software Identify Vulnerability Scans of Internal
Enterprise Assets
Perform Automated
Vulnerability Scans of
7 7.6 Software Identify
Externally-Exposed Enterprise
Assets
Remediate Detected
7 7.7 Software Respond
Vulnerabilities
Restrict Unnecessary or
9 9.4 Software Protect Unauthorized Browser and
Email Client Extensions
Enable Anti-Exploitation
10 10.5 Devices Protect
Features
Centralize Network
12 12.5 Network Protect Authentication, Authorization,
and Auditing (AAA)
Use of Secure Network
12 12.6 Network Protect Management and
Communication Protocols
Ensure Remote Devices Utilize
a VPN and are Connecting to
12 12.7 Devices Protect
an Enterprise’s AAA
Infrastructure
Establish and Maintain
Dedicated Computing
12 12.8 Devices Protect
Resources for All Administrative
Work
Securely Decommission
15 15.7 Data Protect
Service Providers
Conduct Application
16 16.13 Software Govern
Penetration Testing
Designate Personnel to
17 17.1 Users Respond
Manage Incident Handling
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise
assets with the potential to store or process data, to include: end-user devices
(including portable and mobile), network devices, non-computing/IoT devices, and
servers. Ensure the inventory records the network address (if static), hardware
address, machine name, enterprise asset owner, department for each asset, and
whether the asset has been approved to connect to the network. For mobile end-user
X
devices, MDM type tools can support this process, where appropriate. This inventory
includes assets connected to the infrastructure physically, virtually, remotely, and
those within cloud environments. Additionally, it includes assets that are regularly
connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually,
or more frequently.
Ensure that a process exists to address unauthorized assets on a weekly basis. The
enterprise may choose to remove the asset from the network, deny the asset from X
connecting remotely to the network, or quarantine the asset.
Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management
tools to update the enterprise’s asset inventory. Review and use logs to update the
enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network.
Review and use scans to update the enterprise’s asset inventory at least weekly, or
more frequently.
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher, initial
install/use date, and business purpose for each entry; where appropriate, include the
X
Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism,
and decommission date. Review and update the software inventory bi-annually, or
more frequently.
Use technical controls, such as application allowlisting, to ensure that only authorized
software can execute or be accessed. Reassess bi-annually, or more frequently.
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, and .so files, are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
Use technical controls, such as digital signatures and version control, to ensure that
only authorized scripts, such as specific .ps1, and .py files are allowed to execute.
Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer
supports the enterprise.
Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal
applications and data.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory mustmust at a minimum include user, administrator accounts, and service
accounts. The inventory, at a minimum, should contain the person’s name, username, X
start/stop dates, and department. Validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
Establish and maintain an inventory of all accounts managed in the enterprise. The
inventory mustmust at a minimum include user, administrator accounts, and service
accounts. The inventory, at a minimum, should contain the person’s name, username, X
start/stop dates, and department. Validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
Use unique passwords for all enterprise assets. Best practice implementation includes,
at a minimum, an 8-character password for accounts using Multi-Factor Authentication X
(MFA) and a 14-character password for accounts not using MFA.
Delete or disable any dormant accounts after a period of 45 days of inactivity, where
X
supported.
Establish and follow a documented process, preferably automated, for granting access
X
to enterprise assets upon new hire or role change of a user.
Establish and follow a process, preferably automated, for revoking access to enterprise
assets, through disabling accounts immediately upon termination, rights revocation, or
X
role change of a user. Disabling accounts, instead of deleting accounts, may be
necessary to preserve audit trails.
Require all externally-exposed enterprise or third-party applications to enforce MFA,
where supported. Enforcing MFA through a directory service or SSO provider is a X
satisfactory implementation of this Safeguard.
Require MFA for all administrative access accounts, where supported, on all enterprise
X
assets, whether managed on-site or through a service provider.
Centralize access control for all enterprise assets through a directory service or SSO
provider, where supported.
Define and maintain role-based access control, through determining and documenting
the access rights necessary for each role within the enterprise to successfully carry out
its assigned duties. Perform access control reviews of enterprise assets to validate that
all privileges are authorized, on a recurring schedule at a minimum annually, or more
frequently.
Establish and maintain a documented vulnerability management process for enterprise
assets. Review and update documentation annually, or when significant enterprise X
changes occur that could impact this Safeguard.
Establish and maintain a risk-based remediation strategy documented in a remediation
X
process, with monthly, or more frequent, reviews.
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Centralize, to the extent possible, audit log collection and retention across enterprise
assets in accordance with the documented audit log management process. Example
implementations include leveraging a SIEM tool to centralize multiple log sources.
Retain audit logs across enterprise assets for a minimum of 90 days.
Conduct reviews of audit logs to detect anomalies or abnormal events that could
indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Collect service provider logs, where supported. Example implementations include
collecting authentication and authorization events, data creation and disposal events,
and user management events.
To lower the chance of spoofed or modified emails from valid domains, implement
DMARC policy and verification, starting with implementing the Sender Policy
Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Configure automatic updates for anti-malware signature files on all enterprise assets. X
Establish and maintain a documented data recovery process. In the process, address
the scope of data recovery activities, recovery prioritization, and the security of backup
X
data. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or
X
more frequently, based on the sensitivity of the data.
Design and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum. Example
implementations will not solely include documentation, but also policy and design components.
Securely manage network infrastructure. Example implementations include version-
controlled Infrastructure-as-Code (IaC), and the use of secure network protocols, such
as SSH and HTTPS.
Establish and maintain architecture diagram(s) and/or other network system
documentation. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi
Protected Access 2 (WPA2) Enterprise or greater).
Train workforce to understand how to verify and report out-of-date software patches or
any failures in automated processes and tools. Part of this training should include X
notifying IT personnel of any failures in automated processes and tools.
Train workforce members on the dangers of connecting to, and transmitting data over,
insecure networks for enterprise activities. If the enterprise has remote workers,
X
training must include guidance to ensure that all users securely configure their home
network infrastructure.
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain an inventory of service providers. The inventory is to list all
known service providers, include classification(s), and designate an enterprise contact
X
for each service provider. Review and update the inventory annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy
addresses the classification, inventory, assessment, monitoring, and decommissioning
of service providers. Review and update the policy annually, or when significant
enterprise changes occur that could impact this Safeguard.
Assess service providers consistent with the enterprise’s service provider management
policy. Assessment scope may vary based on classification(s), and may include review
of standardized assessment reports, such as Service Organization Control 2 (SOC 2)
and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized
questionnaires, or other appropriately rigorous processes. Reassess service providers
annually, at a minimum, or with new and renewed contracts.
Ensure that all software development personnel receive training in writing secure code
for their specific development environment and responsibilities. Training can include
general security principles and application security standard practices. Conduct
training at least annually and design in a way to promote security within the
development team, and build a culture of security among the developers.
Designate one key person, and at least one backup, who will manage the enterprise’s
incident handling process. Management personnel are responsible for the coordination
and documentation of incident response and recovery efforts and can consist of
employees internal to the enterprise, service providers, or a hybrid approach. If using a X
service provider, designate at least one person internal to the enterprise to oversee
any third-party work. Review annually, or when significant enterprise changes occur
that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain contact information for parties that need to be informed of
security incidents. Contacts may include internal staff, service vendors, law
enforcement, cyber insurance providers, relevant government agencies, Information X
Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts
annually to ensure that information is up-to-date.
Establish and maintain an documented enterprise process for the workforce to report
security incidents. The process includes reporting timeframe, personnel to report to,
mechanism for reporting, and the minimum information to be reported. Ensure the X
process is publicly available to all of the workforce. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.
Establish and maintain a documented incident response process that addresses roles
and responsibilities, compliance requirements, and a communication plan. Review
annually, or when significant enterprise changes occur that could impact this
Safeguard.
Assign key roles and responsibilities for incident response, including staff from legal,
IT, information security, facilities, public relations, human resources, incident
responders, and analysts. Review annually, or when significant enterprise changes
occur that could impact this Safeguard.
X X Equivalent ID.AM-01
X X Subset ID.AM-08
X X Subset PR.PS-03
X X
X X
X X Subset ID.AM-02
X X Subset PR.PS-02
X X
X X Equivalent PR.PS-05
X X
X X
X X Equivalent ID.AM-07
X X
X X
X X Subset ID.AM-08
X X
X X Subset ID.AM-03
X X
X X Subset PR.DS-02
X X Subset PR.DS-01
X X Subset PR.IR-01
X X Subset PR.PS-01
X X Subset PR.PS-01
X X
X X
X X
X X
X X
X X
X X
X X
X X Subset PR.AA-01
X X Subset PR.AA-05
X X
X X
X X
X X Subset PR.AA-01
X X Subset GV.RR-04
X X Subset GV.RR-04
X X
X X
X X
X X
X X
X Equivalent PR.AA-05
X X Superset ID.RA-01
X X Superset ID.RA-08
X X Superset ID.IM-02
X X
X X
X X
X X
X X
X X Equivalent PR.PS-04
X X
X X
X X
X X
X X
X X
X X
X X
X X Superset DE.AE-02
X X
X X
X X
X X
X X
X X Subset DE.CM-09
X X
X X
X X
X X
X X
X X Subset DE.CM-03
X X
X X Subset PR.DS-11
X X
X X Subset PR.DS-11
X X Superset RC.RP-03
X X
X X Subset PR.IR-01
X X
X X
X X
X X
X X
X X Subset DE.CM-01
X X
X X
X X
X X
X X Subset GV.RR-01
X X Equivalent PR.AT-01
X X
X X
X X
X X
X X
X X
X X Subset GV.RR-02
X X Equivalent PR.AT-02
X X Subset GV.SC-04
X X Subset ID.AM-04
X X Subset GV.SC-01
X X Subset GV.SC-04
X X Subset GV.SC-02
X X Equivalent GV.SC-05
X X Superset GV.SC-08
X Equivalent GV.SC-06
X Superset GV.SC-07
X Subset DE.CM-06
X Subset GV.SC-10
X X Superset PR.PS-06
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X
X X Subset RS.CO-02
X X Subset RS.CO-03
X X Subset RC.CO-04
X X
X X Superset RS.MA-01
X X
X X
X X Equivalent RS.AN-03
X Equivalent RS.MA-05
X X
X X
X X
k management processes
communicated
, including risks from suppliers and other third parties
ersecurity risks is established and communicated
izational cybersecurity risk discussions
es and responsibilities, and policies
cybersecurity strategy, and priorities and is communicated and enforced
orced to reflect changes in requirements, threats, technology, and organizational mission
strategy and direction
age of organizational requirements and risks
d for adjustments needed
rprise risk management, risk assessment, and improvement processes
d, and improved
rse situations
DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a re
riod of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period
mplementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
s include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure ne
administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making the
, such as an unused file sharing service, web application module, or service function.
ons include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
ocal failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authenti
evices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
es, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterp
on includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
ty, where supported.
terprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary
a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accoun
orce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
supported.
ng audit logs from PowerShell®, BASH™, and remote administrative terminals.
enterprise assets.
possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Pro
scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or
ementations include, version controlling backup destinations through offline, cloud, or off-site systems or services.
s include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review soft
e version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.
m documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeg
ces. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance
upon from network devices.
here appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-bas
le implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
r similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.
ring proxy, application layer firewall, or gateway.
secure code for their specific development environment and responsibilities. Training can include general security principles and applicatio
rinciples include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the co
those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
ative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use inse
efault accounts or making them unusable.
le DNS servers.
w more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example imp
e enterprise.
ork Profile to separate enterprise applications and data from personal applications and data.
r accounts not using MFA.
or enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safe
-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
e documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
e (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
urces should be segmented from the enterprise's primary network and not be allowed internet access.
ed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are u
est practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the
data to unintended audiences.
and allows development teams to move beyond just fixing individual vulnerabilities as they arise.
inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or
omponents from trusted sources or evaluate the software for vulnerabilities before use.
includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of tria
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to
curity principles and application security standard practices. Conduct training at least annually and design in a way to promote security wit
user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and do
mated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and
specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is
mentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hyb
and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when si
ysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard.
ises need to test communication channels, decision making, and workflows. Conduct testing on an annual basis, at a minimum.
h as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitati
ance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qu
cure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
cation attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
and virtual whiteboards at the end of meetings, and storing data and assets securely.
hly to identify any changes or updates to these components, and validate that the component is still supported.
bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Re
-house developed software to weaken configuration hardening.
a way to promote security within the development team, and build a culture of security among the developers.
checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also me
asis, at a minimum.
se controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such a
st be conducted through a qualified party. The testing may be clear box or opaque box.
Profile maxFailedAttempts.
ormats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and servic
rmation; remediation, such as how findings will be routed internally; and retrospective requirements.