# SANS Critical Security Controls
The SANS Critical Security Controls, now maintained by the Center for Internet Security as the CIS Controls, are among the most widely adopted prioritized frameworks for defensive cybersecurity action. They were built from a foundational premise: defenders should focus first on the attacks that are actually happening, not on theoretical threats. By distilling real-world attack data from government agencies, commercial incident responders, and intelligence sources, the controls identify the smallest set of actions that produce the greatest reduction in risk. For organizations that need a concrete starting point rather than a philosophical framework, the CIS Controls provide exactly that: a numbered, ordered, actionable list of what to do, in what sequence, and at what scale depending on organizational maturity.
---
Definition
The CIS Controls (formerly the SANS Critical Security Controls, informally the "SANS Top 20", and stewarded by the Council on CyberSecurity before moving to CIS in 2015) are a set of 18 prioritized defensive actions, each composed of individual safeguards, that guide organizations in building a defensible security posture. Version 8, released in May 2021, consolidated the prior 20 controls into 18 (153 safeguards in total), restructured the safeguards around activities rather than around who manages a device or where it sits, and made the Implementation Groups, first introduced in version 7.1, the primary mechanism for prioritizing safeguards.
The controls are explicitly not a compliance framework in the traditional sense. They are not a checklist for satisfying a regulator. They are not a risk management methodology, an audit standard, or a governance model. They do not map one-to-one to NIST CSF functions, ISO 27001 clauses, or HIPAA requirements, though crosswalks between those frameworks and CIS Controls exist and are maintained by CIS. Understanding what the controls are not is critical: they are not sufficient on their own to constitute a full information security management system. They do not address policy governance, vendor risk management, or executive accountability in the depth that frameworks like ISO 27001 or NIST CSF do.
The controls exist in three Implementation Groups. IG1 contains 56 safeguards representing essential cyber hygiene that every organization, regardless of size or sector, should implement. IG2 adds 74 safeguards (130 cumulative) appropriate for organizations with dedicated IT and security staff handling sensitive data. IG3 adds the final 23 (153 total), designed for organizations facing targeted, sophisticated adversaries, often in critical infrastructure or high-value commercial environments. The groups are cumulative: an IG3 organization is expected to have every IG1 and IG2 safeguard in place as well. The Implementation Group structure means a 12-person nonprofit and a 50,000-employee financial institution can both use the same framework without the smaller organization drowning in irrelevant controls.
What distinguishes the CIS Controls is their empirical foundation. Rather than starting from abstract security principles, the controls are derived from attack data contributed by the participating community, and since version 8 CIS has published the Community Defense Model (CDM), which maps each safeguard to the MITRE ATT&CK techniques used in the most common attack patterns (malware, ransomware, web application hacking, insider and privilege misuse, and targeted intrusions) and scores how much of that activity the safeguards in each Implementation Group defend against. This data-driven approach explains why the controls prioritize basic asset inventory before advanced threat hunting, and why vulnerability management ranks higher than intrusion detection systems.
---
How It Works
The 18 CIS Controls are ordered by defensive priority, not alphabetically or arbitrarily. In version 7 the first six were labeled the "Basic" controls (7 through 16 were "Foundational" and 17 through 20 "Organizational"); version 8 dropped those labels in favor of Implementation Groups, but the first six still address the most fundamental visibility and control problems: knowing what assets exist, knowing what software is running, protecting data, configuring systems securely, managing accounts, and controlling access. An organization that cannot answer "what devices are on my network" or "what software is authorized to run" cannot effectively implement any of the higher controls. The ordering reflects that dependency.
Each control contains named safeguards with explicit Implementation Group assignments, asset types (devices, software, data, users, network), and security function labels drawn from the NIST CSF (Identify, Protect, Detect, Respond, Recover). This structure allows a practitioner to filter safeguards by IG level and by the security function they need to build out.
Control 1: Inventory and Control of Enterprise Assets requires organizations to maintain an accurate, actively managed inventory of all hardware connected to the network (safeguard 1.1) and to address unauthorized assets on at least a weekly basis (1.2); both are IG1. This is not a one-time spreadsheet exercise. From IG2 the control requires an active discovery tool that scans the network regularly (1.3) and the use of DHCP logging to update the inventory (1.4); IG3 adds passive discovery (1.5). In practice this means deploying a tool such as runZero (formerly Rumble Network Discovery), Lansweeper, or the discovery component of an asset management or SIEM platform that continuously identifies connected endpoints, then reconciling its output against the register. Devices that appear in the scan but not in the register are handled through a defined workflow: remove, deny remote connection, or quarantine, and investigate how they got there.
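The reconciliation step is where Control 1 either works or quietly fails, so here is an added example of it in Python. This is not CIS tooling and not code from any discovery product named above; the register export, the scan export, the MAC formats and the 90-day staleness threshold are all constructed assumptions. It normalizes the mixed MAC formats that real exports contain, flags devices on the wire that the register does not know about (safeguard 1.2), separates out devices that could not be identified rather than silently dropping them, and flags register entries that nobody has seen for a long time, which are either retired hardware or a gap in coverage.

```python
"""Reconcile an active-discovery scan against the authorized asset register.

Added example for Control 1 (safeguards 1.1, 1.2 and 1.3). It is not CIS
tooling and not code from any named discovery product. REGISTER and SCAN are
constructed inputs standing in for a register export and a scan export.
"""
import re
from datetime import date, timedelta
from typing import Optional

# Constructed authorized asset register (safeguard 1.1). Note the mixed MAC formats
# that real exports contain.
REGISTER = [
    {"mac": "AA:BB:CC:00:00:01", "hostname": "ws-finance-01", "owner": "finance", "last_seen": "2024-03-01"},
    {"mac": "aa-bb-cc-00-00-02", "hostname": "srv-file-01", "owner": "it-ops", "last_seen": "2024-03-01"},
    {"mac": "AABB.CC00.0003", "hostname": "printer-2f", "owner": "facilities", "last_seen": "2023-11-15"},
]

# Constructed discovery-scan output: two known hosts, one unknown device, and one
# host discovered across a router so its MAC was not observed.
SCAN = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.10.1.21", "hostname": "ws-finance-01"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.10.1.5", "hostname": "srv-file-01"},
    {"mac": "aa:bb:cc:00:00:99", "ip": "10.10.1.77", "hostname": "infusion-pump-3"},
    {"mac": "", "ip": "10.10.1.78", "hostname": ""},
]

STALE_AFTER = timedelta(days=90)  # assumed threshold for a register entry nobody has seen


def normalize_mac(mac: str) -> Optional[str]:
    """Collapse colon, dash and Cisco dotted formats to lowercase colon-separated form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def reconcile(register, scan, today: date):
    """Return devices on the wire but not in the register, devices that could not be
    identified, and register entries neither seen in this scan nor seen recently."""
    by_mac = {normalize_mac(r["mac"]): r for r in register}
    seen = set()
    unauthorized, unidentified = [], []
    for dev in scan:
        mac = normalize_mac(dev["mac"])
        if mac is None:
            unidentified.append(dev)  # cannot be matched; needs manual follow-up, not silence
            continue
        if mac in by_mac:
            seen.add(mac)
        else:
            unauthorized.append({**dev, "mac": mac})  # safeguard 1.2: remove, deny or quarantine
    stale = [
        r for mac, r in by_mac.items()
        if mac not in seen and today - date.fromisoformat(r["last_seen"]) > STALE_AFTER
    ]
    return {"unauthorized": unauthorized, "unidentified": unidentified, "stale": stale}


if __name__ == "__main__":
    for bucket, items in reconcile(REGISTER, SCAN, date(2024, 3, 2)).items():
        print(bucket, [d.get("hostname") or d.get("ip") for d in items])
```

Matching on MAC rather than hostname or IP is deliberate: hostnames are self-reported and IPs change under DHCP, while a MAC is stable for the life of the interface. The trade-off is that MACs are only visible on the local segment, which is why the example keeps a separate "unidentified" bucket instead of treating MAC-less hosts as authorized.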
Control 2: Inventory and Control of Software Assets mirrors Control 1 for software. At IG1 organizations must maintain an inventory of authorized software (2.1), ensure that software is currently supported by its vendor (2.2), and address unauthorized software (2.3); at IG2 they must use automated software inventory tools (2.4) and allowlist authorized software and libraries (2.5, 2.6); IG3 adds allowlisting of scripts (2.7). This is typically implemented through endpoint detection and response (EDR) platforms, application allowlisting tools such as Microsoft AppLocker, Windows Defender Application Control, or Carbon Black App Control, and mobile device management (MDM) platforms for mobile endpoints.
Control 3: Data Protection requires classification of sensitive data and protections appropriate to that classification. At IG1 this means a documented data management process, a data inventory, access control lists on data, enforced retention, secure disposal, and encryption of data on end-user devices (safeguards 3.1 through 3.6). At IG2 and IG3 this expands to a formal classification scheme, logging of sensitive data access, data loss prevention (DLP), database activity monitoring, and cloud access security brokers (CASB) for cloud-stored data.
Control 4: Secure Configuration of Enterprise Assets and Software addresses the reality that default configurations are optimized for functionality, not security. The safeguards require hardened configuration baselines for operating systems, applications, network devices, and cloud services, and require that drift from those baselines be detected and corrected. This is where the CIS Benchmarks become operationally critical. Organizations download the CIS Benchmark for, say, Windows Server 2022 or Ubuntu 20.04 LTS, tailor it to their environment (documenting each deviation and the reason for it), deploy it through Group Policy or configuration management tools like Ansible or Puppet, and measure hosts against it with a benchmark assessment tool such as CIS-CAT Pro or a vulnerability scanner that ships the benchmark as a compliance policy.
Control 5: Account Management requires tracking all accounts, including service accounts and administrator accounts, and removing or disabling accounts that are no longer needed. The practical implementation involves integration with Active Directory or an identity governance platform, scheduled access reviews (often quarterly for privileged accounts), and automated deprovisioning tied to HR system offboarding workflows.
Control 6: Access Control Management builds on Control 5 by requiring that access rights match job functions and that privileged access is strictly controlled. At IG1 this already includes multi-factor authentication for externally exposed applications, for remote network access, and for all administrative access (safeguards 6.3 through 6.5). At IG2 and IG3 it typically requires privileged access management (PAM) platforms like CyberArk or BeyondTrust, just-in-time access provisioning, and a defined role-based access control model.
Control 7: Continuous Vulnerability Management is one of the most operationally demanding controls. Safeguard 7.1 requires a documented vulnerability management process and 7.2 a documented remediation process with risk-based prioritization; 7.3 and 7.4 require automated operating system and application patch management; all four are IG1. At IG2, 7.5 and 7.6 require automated, authenticated vulnerability scans of internal and externally exposed assets, and 7.7 requires that detected vulnerabilities actually be remediated. Implementation involves deploying a vulnerability scanner (Tenable Nessus, Qualys, Rapid7 InsightVM) with scan credentials for all endpoints so that results reflect installed software rather than a network-only guess, integrating scanner output into a ticketing system such as ServiceNow or Jira, and enforcing remediation SLAs by severity. Critical vulnerabilities might carry a 15-day remediation SLA; high-severity vulnerabilities might carry a 30-day SLA. Measuring against those SLAs requires recording when each finding was first seen, not when it was most recently reported.
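The SLA arithmetic sounds trivial but is where most programs go wrong: clocks started from the last scan instead of the first observation, and compliance numbers flattered by recently discovered items that have not had time to breach. The following is an added example in Python, not CIS or scanner-vendor code, showing one way to compute it. The 15-day critical and 30-day high allowances come from the text above; the medium and low allowances, the finding rows, owners and finding identifiers are constructed assumptions. The compliance rate it returns is the kind of metric a remediation process (safeguard 7.2) reports on.

```python
"""Remediation deadlines and SLA compliance from vulnerability scan findings.

Added example for Control 7 (safeguards 7.2 and 7.7); not CIS or scanner-vendor
code. The 15-day critical and 30-day high SLAs mirror the text; the medium and
low values are assumptions. FINDINGS is constructed scanner output.
"""
from collections import Counter
from datetime import date, timedelta

# Remediation SLA in calendar days by severity. Critical/high follow the text; medium/low are assumed.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed findings: one row per (asset, finding). first_seen is the date the scanner
# first reported it, which is what the SLA clock runs from; fixed is the verified-closed date.
FINDINGS = [
    {"asset": "srv-file-01", "finding_id": "F-101", "severity": "critical", "owner": "it-ops",
     "first_seen": "2024-02-01", "fixed": "2024-02-10"},
    {"asset": "ws-finance-01", "finding_id": "F-102", "severity": "high", "owner": "desktop",
     "first_seen": "2024-01-15", "fixed": "2024-02-20"},
    {"asset": "pacs-gw-01", "finding_id": "F-103", "severity": "critical", "owner": "clinical-eng",
     "first_seen": "2024-02-10", "fixed": None},
    {"asset": "ws-hr-04", "finding_id": "F-104", "severity": "medium", "owner": "desktop",
     "first_seen": "2024-02-25", "fixed": None},
    {"asset": "srv-db-02", "finding_id": "F-105", "severity": "high", "owner": "dba",
     "first_seen": "2024-02-20", "fixed": None},
]


def deadline(finding) -> date:
    """SLA due date: first observation plus the severity's allowance."""
    return date.fromisoformat(finding["first_seen"]) + timedelta(days=SLA_DAYS[finding["severity"]])


def evaluate(findings, today: date):
    """Attach due date, status and days past due to each finding.

    Statuses: fixed_in_sla, fixed_late, open_in_sla (still inside its window), overdue.
    """
    rows = []
    for f in findings:
        due = deadline(f)
        closed = date.fromisoformat(f["fixed"]) if f["fixed"] else None
        if closed is not None:
            status = "fixed_in_sla" if closed <= due else "fixed_late"
        else:
            status = "overdue" if today > due else "open_in_sla"
        days_over = max(0, ((closed or today) - due).days)
        rows.append({**f, "due": due, "status": status, "days_over": days_over})
    return rows


def compliance_rate(rows, severity=None):
    """Share of decided findings that met SLA. Findings still inside their window are
    excluded, so the number is not flattered by recently discovered items. Returns None
    if no finding of that severity has reached a verdict yet."""
    decided = [r for r in rows
               if (severity is None or r["severity"] == severity) and r["status"] != "open_in_sla"]
    if not decided:
        return None
    return sum(r["status"] == "fixed_in_sla" for r in decided) / len(decided)


def overdue_by_owner(rows):
    """Ticket-queue view for the remediation process: overdue count per owning team, worst first."""
    return Counter(r["owner"] for r in rows if r["status"] == "overdue").most_common()


if __name__ == "__main__":
    rows = evaluate(FINDINGS, date(2024, 3, 2))
    for r in rows:
        print(r["finding_id"], r["severity"], r["status"], f"{r['days_over']}d over")
    print("overall SLA compliance:", compliance_rate(rows))
    print("critical SLA compliance:", compliance_rate(rows, "critical"))
    print("overdue by owner:", overdue_by_owner(rows))
```

Excluding open-but-not-yet-due findings from the denominator is a design choice worth stating in your own metric definitions: it makes the rate a statement about what happened to findings once their window closed, rather than a snapshot that improves every time a scan discovers something new.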
Control 8: Audit Log Management requires that logs are collected, protected from modification, and reviewed. IG1 covers the logging process, collection, and adequate storage (safeguards 8.1 through 8.3); IG2 adds time synchronization, detailed logging, centralization, a minimum 90-day retention (8.10), and regular review. Implementation requires a centralized logging platform (a SIEM or a dedicated log management system), defined retention periods (often 90 days hot, one year cold), and alerts for specific log events such as privilege escalation, failed authentication spikes, and firewall rule changes. Alerting is only as good as coverage: a host that is not forwarding logs is a host whose compromise will not be noticed, so the percentage of assets actually forwarding logs should itself be tracked.
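"Failed authentication spike" is the alert every log program names and few define precisely. The following added example in Python, which is not CIS or SIEM-vendor code, shows one concrete definition: a sliding window of failures per source address, one alert when a source crosses the threshold, and a higher-severity alert if that same source then authenticates successfully while its burst is still live, which is the signature of credential guessing or password spraying that worked. The key=value log format, the threshold of five failures, the 60-second window and the sample lines are all constructed assumptions; the regex is the part you would adapt to your own platform.

```python
"""Detect failed-authentication spikes in centralized audit logs (Control 8).

Added example, not CIS or SIEM-vendor code. The key=value log format, the
threshold and the window are assumptions; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Constructed sample: six failures against five accounts from one source inside a minute,
# then a success from that source (a spray that landed), plus normal activity from another.
SAMPLE_LOG = """\
2024-03-02T08:00:01 host=srv-file-01 event=auth_failure user=alice src=10.10.1.77
2024-03-02T08:00:02 host=srv-file-01 event=auth_failure user=frank src=10.10.2.5
2024-03-02T08:00:03 host=srv-file-01 event=auth_failure user=bob src=10.10.1.77
2024-03-02T08:00:05 host=srv-file-01 event=auth_failure user=carol src=10.10.1.77
2024-03-02T08:00:07 host=srv-file-01 event=auth_failure user=dave src=10.10.1.77
2024-03-02T08:00:09 host=srv-file-01 event=auth_failure user=erin src=10.10.1.77
2024-03-02T08:00:11 host=srv-file-01 event=auth_failure user=alice src=10.10.1.77
2024-03-02T08:00:14 host=srv-file-01 event=auth_success user=erin src=10.10.1.77
2024-03-02T08:03:30 host=srv-file-01 event=auth_failure user=frank src=10.10.2.5
2024-03-02T08:04:00 host=srv-file-01 event=auth_success user=frank src=10.10.2.5
"""

THRESHOLD = 5                    # assumed: this many failures from one source ...
WINDOW = timedelta(seconds=60)   # ... within this sliding window raises an alert


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            yield event


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding window of failures per source address.

    Emits one medium alert when a source crosses the threshold (not one per extra failure),
    and a high alert if that source then authenticates successfully while its burst is live.
    """
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) for failures in window
    alerted = set()              # sources already alerted for the current burst
    alerts = []
    for e in parse(lines):
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()          # drop failures that have aged out of the window
        if not q:
            alerted.discard(e["src"])  # burst expired; a fresh burst may alert again
        if e["event"] == "auth_failure":
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({
                    "severity": "medium", "type": "auth_failure_spike", "src": e["src"],
                    "host": e["host"], "count": len(q), "users": sorted({u for _, u in q}),
                    "ts": e["ts"],
                })
        elif e["event"] == "auth_success" and len(q) >= threshold:
            alerts.append({
                "severity": "high", "type": "success_after_spike", "src": e["src"],
                "host": e["host"], "user": e["user"], "ts": e["ts"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["type"], a["src"], a.get("users") or a.get("user"))
```

Keying the window on the source address rather than the account is what lets this catch spraying, where each account sees only one or two failures; a per-account lockout threshold would never fire. The "users" list on the alert is there so the analyst can see at a glance whether it was one account hammered or many accounts tried once.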
Higher-numbered controls address more sophisticated defensive capabilities. Control 11: Data Recovery covers backup and recovery systems. Control 12: Network Infrastructure Management addresses network segmentation and boundary defense. Control 13: Network Monitoring and Defense covers intrusion detection and network behavior analysis. Control 16: Application Software Security addresses secure development and testing practices.
Concrete scenario: A mid-size healthcare organization with 800 endpoints begins implementing CIS Controls at IG1. In the first 30 days, they deploy a network discovery scan and discover 47 devices that are not in their asset register, including two unmanaged medical devices running end-of-life operating systems. They also run their first credentialed vulnerability scan and identify 312 vulnerabilities rated critical or high, concentrated on systems that had not been patched in over 90 days. Without Control 1 and Control 7 implemented, neither of those discoveries would have surfaced through routine operations. The unmanaged medical devices represented direct risk of lateral movement from a compromised workstation. The vulnerability backlog represented exploitable paths to protected health information (PHI). Both findings are now tracked, owned, and assigned remediation timelines. That is the controls working as designed.
Implementation of the full 18 controls at IG2 or IG3 requires coordination across IT operations, security operations, application development, and HR. The controls do not implement themselves and they do not stay implemented without continuous monitoring and re-assessment.
---
Why It Matters
Organizations that do not implement foundational security controls suffer breaches that are, in most cases, entirely preventable. The CIS Controls are grounded in the recognition that the majority of successful attacks exploit known vulnerabilities, misconfigured systems, unmanaged accounts, and insufficient visibility, not zero-day exploits or nation-state tradecraft. The Verizon Data Breach Investigations Report has consistently found, across multiple years, that the overwhelming majority of breaches involve stolen credentials, phishing, exploitation of known vulnerabilities, and misconfigurations. The CIS Controls directly address every one of those attack vectors.
The business impact is measurable in the aggregate, even though no major study isolates CIS Controls adoption as the variable. Organizations with strong cyber hygiene programs report lower average breach costs, faster incident detection, and fewer audit findings. IBM's Cost of a Data Breach Report 2023 found that organizations with extensive use of security AI and automation had average breach costs on the order of $1.8 million lower than organizations with no such use, and identified and contained breaches roughly 100 days sooner. That metric measures security automation maturity rather than framework adoption, so it is supporting rather than direct evidence, but the capabilities it rewards (asset visibility, centralized logging, automated detection and response) are exactly what Controls 1, 2, 8 and 13 build.
Real-world consequence: The 2020 SolarWinds supply chain compromise delivered a backdoored, vendor-signed Orion update to fewer than 18,000 customers, a small fraction of whom were then selected for hands-on intrusion. Responding to it exercised several controls at once. Knowing where Orion was installed (Controls 1 and 2) determined whether an organization could answer "are we affected" in hours or in weeks. Retained DNS, proxy and authentication logs (Control 8) were the only way to establish whether the implant had beaconed and whether the attacker had moved beyond the Orion server; organizations without centralized logging had no forensic record of attacker activity at all. Segmentation that limited what a monitoring server could reach (Control 12) and network monitoring that could see its egress (Control 13) bounded the blast radius. The controls do not prevent every attack; a signed update from a trusted vendor passes allowlisting by design. They reduce dwell time, limit blast radius, and improve detection speed, all of which reduce the total cost and impact of an incident.
Cyber insurance carriers increasingly ask about specific controls in their application questionnaires and use the answers in pricing and eligibility decisions. Questions about multi-factor authentication for remote and administrative access, offline or immutable backups, endpoint detection and response, and patch cadence map directly onto IG1 safeguards in Controls 6, 11, 10 and 7. Organizations that cannot demonstrate consistent implementation of those safeguards face higher premiums, ransomware sub-limits or exclusions, or outright declination.
Common misconception: Many organizations treat CIS Controls as a one-time project with a completion date. Teams complete a controls assessment, score themselves, remediate gaps, and consider the work done. This is incorrect. Controls degrade. Assets are added to the network without being inventoried. Accounts are created and never deprovisioned. Patches are applied inconsistently as IT staff turn over. Vulnerabilities are discovered continuously. The controls require continuous operation, not one-time implementation.
A second misconception is that IG1 is too basic to matter for organizations with mature security programs. IG1 is the minimum floor. Organizations that have not consistently met all 56 IG1 safeguards have foundational gaps regardless of how advanced their security tooling appears. A Fortune 500 company running a $10 million security operations center still needs accurate asset inventory and timely vulnerability patching.
The compliance value extends beyond cybersecurity. CIS publishes mappings between the Controls and PCI DSS, the HIPAA Security Rule, NIST CSF, NIST SP 800-53 and NIST SP 800-171 (and through the latter, CMMC 2.0), and the 2021 HITECH amendment directs HHS to consider an organization's "recognized security practices" when assessing HIPAA penalties. None of these frameworks accepts CIS Controls implementation in place of its own requirements, but an organization that implements the Controls systematically can reuse the same evidence across multiple audits, reducing assessment burden and demonstrating consistent security practice across regulatory domains.
---
CDA Perspective
CDA approaches the CIS Controls through the Planetary Defense Model (PDM) under the RGA (Risk Governance and Assurance) domain, with secondary relevance to SPH (Security Posture and Hygiene), VSD (Vulnerability and Surface Defense), and TID (Threat Intelligence and Detection). The foundational CDA methodology here is Perpetual Compliance Assurance (PCA), built on the principle that "Compliance is not an event. It is a state."
The conventional approach to CIS Controls implementation treats the framework as a project: scope the controls, assess current state, remediate gaps, document findings, close the project. CDA rejects this model as structurally inadequate. Security posture is dynamic. Assets change. Configurations drift. Staff turn over. New vulnerabilities emerge daily. A point-in-time assessment produces a point-in-time result that is out of date before the report is printed.
CDA operationalizes the CIS Controls through continuous automated measurement. Every safeguard with a measurable technical state (asset inventory completeness, vulnerability remediation SLA compliance, log coverage percentage, patch compliance rate, account review cadence) is instrumented with a metric that feeds into the organization's ongoing compliance posture dashboard. The dashboard does not show a pass or fail from the last assessment. It shows the current state, updated continuously.
For the RGA domain specifically, CDA maps each CIS safeguard to a governance accountability owner, a technical control owner, and a measurement frequency. A safeguard without an owner is a safeguard that will degrade. A safeguard without a measurement frequency is a safeguard that cannot be assured. This tripartite ownership model ensures that readiness is maintained, governance accountability is clear, and assurance is continuous rather than periodic.
When CDA conducts a CIS Controls engagement for a client, the deliverable is not a gap report. It is a living control baseline: a set of continuously monitored metrics, mapped to the 18 controls and their safeguards, with defined thresholds, owners, escalation paths, and remediation workflows. The client does not leave with a list of findings. They leave with an operational compliance system that measures control effectiveness in real time and alerts stakeholders when controls drift out of acceptable ranges.
This approach transforms the CIS Controls from a compliance checklist into an operational security management system. Organizations implement the controls not to satisfy an auditor but to maintain defensible security posture under continuous measurement and improvement.
---
Key Takeaways
- Start at IG1 before claiming any higher maturity: all 56 IG1 safeguards must be consistently met before IG2 or IG3 implementation has a defensible foundation beneath it.
- Assign each safeguard an explicit owner: a safeguard without a named accountability owner drifts out of compliance as soon as the people who set it up move on.
- Treat vulnerability management as a continuous operational process, not a quarterly scan event: critical and high vulnerabilities require tracked remediation SLAs enforced through your ticketing system.
- Instrument your controls with metrics before declaring them implemented: if you cannot measure the current state of a control automatically, you cannot maintain it.
- Cross-map CIS Controls to your compliance obligations (PCI DSS, HIPAA, CMMC) using the CIS official mapping documents to eliminate redundant assessment work and demonstrate controls coverage to auditors.
---
Sources
- Center for Internet Security. CIS Controls Version 8. CIS, May 2021. https://www.cisecurity.org/controls/v8
- Verizon. 2023 Data Breach Investigations Report. Verizon Business, 2023. https://www.verizon.com/business/resources/reports/dbir/
- IBM Security. Cost of a Data Breach Report 2023. IBM, 2023. https://www.ibm.com/reports/data-breach
- National Institute of Standards and Technology. Framework for Improving Critical Infrastructure Cybersecurity Version 1.1. NIST, April 2018. https://doi.org/10.6028/NIST.CSWP.04162018
- Center for Internet Security. CIS Controls v8 Implementation Groups. https://www.cisecurity.org/controls/implementation-groups