The Center for Internet Security (CIS) Controls version 8, released in 2021, is a prioritized set of 18 cybersecurity safeguards designed to mitigate the most prevalent cyber threats. Developed through a community consensus process involving practitioners, government agencies, and industry experts, the CIS Controls distill complex cybersecurity guidance into actionable, prioritized steps. Unlike comprehensive frameworks such as NIST SP 800-53, the CIS Controls focus on the most impactful defensive actions first. Version 8 reorganized the controls around activities rather than device ownership, reflecting modern cloud and hybrid environments. The controls are organized into three Implementation Groups (IGs) based on organizational size and risk.
The 18 CIS Controls cover: Inventory and Control of Enterprise Assets, Inventory and Control of Software Assets, Data Protection, Secure Configuration of Enterprise Assets and Software, Account Management, Access Control Management, Continuous Vulnerability Management, Audit Log Management, Email and Web Browser Protections, Malware Defenses, Data Recovery, Network Infrastructure Management, Network Monitoring and Defense, Security Awareness and Skills Training, Service Provider Management, Application Software Security, Incident Response Management, and Penetration Testing. Each control contains specific safeguards, totaling 153 across all controls. Implementation Group 1 (IG1) defines essential cyber hygiene with 56 safeguards for all organizations. IG2 adds 74 safeguards for organizations with dedicated IT staff managing sensitive data. IG3 adds 23 safeguards for organizations facing sophisticated threats. CIS provides free mapping tools connecting controls to NIST CSF, NIST SP 800-53, PCI DSS, HIPAA, and other frameworks.
CIS Controls are widely referenced in insurance underwriting, regulatory safe harbor provisions, and contractual security requirements. Several states reference CIS Controls as a reasonable security standard in their data protection laws. The prioritized approach makes them particularly valuable for resource-constrained organizations that cannot implement a comprehensive framework all at once. Mapping CIS Controls to compliance frameworks helps organizations demonstrate that their security investments satisfy multiple regulatory requirements simultaneously.