CIS Controls v8 provides 18 prioritized cybersecurity safeguards in three implementation groups, widely used as a practical security baseline.
The Center for Internet Security (CIS) Controls version 8, released in 2021, is a prioritized set of 18 cybersecurity safeguards designed to mitigate the most prevalent cyber threats. Developed through a community consensus process involving practitioners, government agencies, and industry experts, the CIS Controls distill a large body of security guidance into actionable, prioritized steps. Unlike comprehensive control catalogs such as NIST SP 800-53, the CIS Controls put the most impactful defensive actions first. Version 8 reorganized the controls around activities rather than around who owns or manages a device, reflecting cloud, hybrid and work-from-anywhere environments in which the enterprise no longer controls every endpoint. The controls are organized into three Implementation Groups (IGs) based on an organization's risk profile and the resources it has available.
The 18 CIS Controls are:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

Each control contains specific safeguards, 153 in total across all controls. The Implementation Groups are cumulative: each higher group includes everything in the groups below it. IG1 defines essential cyber hygiene, 56 safeguards that every organization should implement, including small organizations with limited IT and security expertise. IG2 adds 74 safeguards (130 in total) for organizations with dedicated IT staff that manage sensitive data or support multiple departments with differing risk profiles. IG3 adds the remaining 23 safeguards (153 in total) for organizations with security specialists that face sophisticated, targeted attacks. CIS provides free mapping tools connecting the controls to NIST CSF, NIST SP 800-53, PCI DSS, HIPAA, and other frameworks.
CIS Controls are widely referenced in cyber insurance underwriting, regulatory safe harbor provisions, and contractual security requirements. Several states reference the CIS Controls as a reasonable security standard in their data protection laws; Ohio's Data Protection Act, for example, offers an affirmative defense to data breach claims for organizations whose security program conforms to a recognized framework such as the CIS Controls. The prioritized approach makes them particularly valuable for resource-constrained organizations that cannot implement a comprehensive framework all at once: start with IG1, then extend coverage as resources and risk warrant. Mapping CIS Controls to compliance frameworks helps organizations demonstrate that a single set of security investments satisfies multiple regulatory requirements simultaneously.
Written by CDA Editorial