In mid-2024, the Center for Internet Security (CIS) released the latest version of its well-respected Critical Security Controls (CSC). The new version, 8.1, refines version 8 rather than replacing it, adding asset classes, a new security function, and updated mappings that make the Controls more comprehensive and timely in today's challenging cybersecurity environment.
The CIS CSC has been a valued source of guidance for many organizations since its initial release in 2008. However, its detail and depth make it somewhat intimidating for some organizations: the latest version contains 153 safeguards. In a recent webinar, I reviewed the new version and highlighted the alignment with NIST CSF 2.0. Here are some observations about the new version and, most importantly, how organizations can get started with the Controls.
The CSC is organized into eighteen Controls, each made up of Safeguards, and every Safeguard is assigned to one of three Implementation Groups. Implementation Groups were introduced in version 7.1 to help organizations prioritize which Safeguards to implement first. The most basic level, Implementation Group 1 (IG1), can be viewed as essential security hygiene. The groups are cumulative: IG2 consists of everything in IG1 plus additional Safeguards, and IG3 includes every Safeguard in IG1 and IG2 plus the remainder. In practice this means an organization targeting IG2 must first cover all of IG1, and an IG3 organization is expected to implement all 153 Safeguards.
What Changed in Version 8.1?
Version 8.1 is built around three design principles, Context, Coexistence, and Consistency, which the document explains alongside the updated Security Function mapping (to match NIST CSF 2.0) and the new mappings for individual Safeguards. To quote version 8.1 directly:
Context
We’ve updated the CIS Controls with new asset classes to better match the specific parts of an enterprise’s infrastructure to which each Safeguard applies. New classes require new definitions, so we’ve also enhanced the descriptions of several Safeguards for greater detail, practicality, and clarity.
Coexistence
The CIS Controls has always maintained alignment with evolving industry standards and frameworks and will continue to do so. This assists all users of the Controls and is a core principle of how the Controls operate. The release of NIST’s CSF 2.0 necessitated updated mappings and updated security functions.
Consistency
Traditionally, any iterative update to the CIS Controls should minimize disruption to Controls users. This means that no Implementation Groups were modified in this update, and the spirit of any given Safeguard remains the same. Additionally, the new asset classes and definitions needed to be consistently applied throughout the Controls, and in doing so, some minor updates were added.
A major addition in version 8.1 is the "Govern" security function, which joins the existing Identify, Protect, Detect, Respond, and Recover functions and mirrors the Govern function added in NIST CSF 2.0. It was added to help organizations identify the authoritative pieces of their cybersecurity program (policies, processes, and documented decisions) and to point them toward the evidence auditors will ask for when proving compliance.
We can go beyond the explanation of the theoretical aspects of the CIS CSC by demonstrating the application of Controls 1 and 4 and showing how to use Fortra’s Tripwire Enterprise to incorporate the safeguards into an organization’s environment.
Control 1
Control 1, Inventory and Control of Enterprise Assets, emphasizes starting with the basics: an accurate, actively maintained asset inventory, a tool that can discover assets on the network, and the reuse of that inventory by every other Control that needs to know what exists. These are the foundation of enterprise security, because you cannot configure, patch, or monitor a device you do not know you have. The asset class that applies to the Control 1 Safeguards is devices.
Control 4
Control 4, Secure Configuration of Enterprise Assets and Software, focuses on secure configurations. The key takeaways are the importance of changing the default configurations of devices and software, since vendor defaults favor ease of deployment over security and leave unnecessary services, accounts, and settings enabled, and the need to document and maintain a configuration process rather than hardening once and forgetting it. Layered security is also introduced in this control.
Control 4 is also the first of the two Controls demonstrated in the webinar where the new security function, Govern, appears: Safeguard 4.1, establishing and maintaining a secure configuration process, is a Govern safeguard. The CSC glossary page defines the Govern function as:
Governance activities are critical for incorporating cybersecurity into an organization's broader enterprise risk management (ERM) strategy. GOVERN addresses an understanding of organizational context; the establishment of cybersecurity strategy and cybersecurity supply chain risk management; roles, responsibilities, and authorities; policy; and the oversight of cybersecurity strategy.
Governance is the work of defining the processes of the enterprise security program. In most of the Controls this takes the form of documentation: the written process, policy, or standard that the technical Safeguards then implement and that an assessor can check. User-facing Safeguards fill out the other aspect of the Govern function.
Fortra's Tripwire Enterprise can be used to assess an environment against the Control 4 Safeguards and report a compliance score, by comparing each asset's actual configuration with the expected secure baseline and flagging drift. Tune into the webinar here to see this firsthand.
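To make the Control 4 idea concrete, here is an added example, written for this article and not Tripwire Enterprise or CIS code, of what a configuration-baseline check does: it parses a configuration file, decides the effective value of each directive (including the daemon default when the line is absent, which is the "defaults are not secure" problem the control warns about), compares it with a baseline, and produces a compliance score. The baseline rules, the default values listed in them, and the two sample sshd_config texts are constructed for the example; verify the defaults against your own OpenSSH version before reusing the table.

```python
"""
Added illustration of a CIS Control 4 style configuration-baseline check.
Example code for this article, not Tripwire Enterprise or CIS code.
The baseline, its assumed daemon defaults, and both sample configs are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    directive: str
    passes: Callable[[str], bool]   # predicate on the effective value
    default: str                    # assumed value when the directive is absent
    wanted: str                     # human-readable expectation for the report


@dataclass(frozen=True)
class Finding:
    directive: str
    effective: str
    source: str      # "configured" or "default"
    passed: bool
    wanted: str


# Constructed baseline. 'default' is what the daemon is assumed to use when
# the line is missing, which is why an absent directive is still evaluated.
BASELINE: List[Rule] = [
    Rule("PermitRootLogin", lambda v: v == "no", "prohibit-password", "no"),
    Rule("PasswordAuthentication", lambda v: v == "no", "yes", "no"),
    Rule("PermitEmptyPasswords", lambda v: v == "no", "no", "no"),
    Rule("X11Forwarding", lambda v: v == "no", "no", "no"),
    Rule("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "6", "<= 4"),
]


def parse_global_config(text: str) -> Dict[str, str]:
    """Return the global 'Directive value' lines of an sshd_config-style file.

    Names are case-insensitive and the first occurrence wins, as in sshd.
    Everything after the first 'Match' line is conditional, so it is not a
    global setting and parsing stops there. Only the 'Key value' form is
    handled, not 'Key=value'.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def evaluate(text: str, baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Compare the effective value of every baseline directive with the rule."""
    cfg = parse_global_config(text)
    findings: List[Finding] = []
    for rule in baseline:
        key = rule.directive.lower()
        if key in cfg:
            effective, source = cfg[key], "configured"
        else:
            effective, source = rule.default, "default"   # unset = default applies
        findings.append(Finding(rule.directive, effective, source,
                                rule.passes(effective), rule.wanted))
    return findings


def compliance_score(findings: List[Finding]) -> float:
    """Percentage of baseline rules passed, the figure a scanner reports."""
    if not findings:
        return 0.0
    return round(100.0 * sum(f.passed for f in findings) / len(findings), 1)


def report(findings: List[Finding]) -> str:
    return "\n".join(
        f"{'PASS' if f.passed else 'FAIL'} {f.directive}={f.effective!r} "
        f"({f.source}); expected {f.wanted}"
        for f in findings
    )


# Constructed sample: several directives left at their defaults.
DEFAULT_HEAVY_CONFIG = """\
# constructed sample sshd_config
Port 22
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 4
Match User backup
    PasswordAuthentication no   # conditional; does not change the global value
"""

# Constructed sample: the same host after remediation.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
"""

if __name__ == "__main__":
    for name, text in (("default-heavy", DEFAULT_HEAVY_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = evaluate(text)
        print(f"== {name}: {compliance_score(found)}% ==")
        print(report(found))
```

Running it scores the first config at 60% (PermitRootLogin fails on its assumed default and PasswordAuthentication fails on the explicit "yes") and the hardened one at 100%. The point worth noticing is that the Match block's `PasswordAuthentication no` does not rescue the global setting, and that a missing line is a finding, not a pass; a real scanner such as the one in the webinar applies the same logic across many asset types and many more rules.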
The CIS Critical Security Controls were founded on the principle of simplifying security. Even so, implementing the basics well is easier with a trusted partner who has the experience to help you succeed. Fortra has a solid history and catalogue of solutions for organizations of all types. If you would like to find out more about how Fortra can help with your enterprise security, contact us here.