The CIS Critical Security Controls (CIS Controls) are a set of best practices designed to help organizations protect themselves from the most common cyber attacks. First developed in 2008, the controls define the minimum level of cybersecurity any organization that collects or maintains personal information should meet.
CIS released version 8.1 of the CIS Critical Security Controls on June 25th, 2024. While the changes between v8 and v8.1 are relatively minimal—especially compared to previous updates, such as the move from v7.1 to v8—it’s worth briefly exploring the update.
How Do CIS Controls Work?
Each Control in the CIS Controls document contains the following elements:
- Overview: A brief description of the intent of the Control and its utility as a defensive action.
- Why is this Control critical?: A description of the importance of this Control in blocking, mitigating, or identifying attacks, and an explanation of how attackers actively exploit the absence of this Control.
- Procedures and tools: A more technical description of the processes and technologies that enable implementation and automation of this Control.
- Safeguard descriptions: A table of the specific actions that enterprises should take to implement the Control.
The Governance Security Function
The most significant update to CIS Controls v8.1 is the addition of the “Governance” security function to align with NIST Cybersecurity Framework 2.0 (NIST CSF 2.0). The Controls now specifically identify governance topics as recommendations that organizations can implement to improve the governance of their cybersecurity program, identify the governance pieces of their program, and equip themselves with the evidence needed to demonstrate compliance.
New and Expanded Glossary Definitions
The update also includes new and expanded glossary definitions for reserved words, such as plan, process, and sensitive data, used throughout the CIS Controls. Please see the full definitions below:
- Plan: A plan implements policies and may include groups of policies, processes, and procedures.
- Process: A set of general tasks and activities to achieve a series of security-related goals.
- Sensitive Data: Physical or digital data stored, processed, or managed by the enterprise that must be kept private, accurate, reliable, and available. If released or destroyed in an unauthorized manner, it would cause harm to the enterprise or its customers. These impacts may be due to a data breach or a violation of a policy, contract, or regulation.
Added Clarification to Some Safeguard Descriptions
In the CIS Controls, Safeguard descriptions are a table of specific actions enterprises should take to implement the Control. CIS Controls v8.1 updates some of these descriptions to provide further clarity to organizations.
Revised Asset Classes and New Mappings to Safeguards
In the CIS Controls, each Safeguard is associated with an Asset Type, a Security Function, and one or more Implementation Groups. The six Security Functions are Identify, Protect, Detect, Respond, Recover, and Govern.
CIS Controls v8.1 introduces new asset classifications and improved descriptions of CIS safeguards to help organizations categorize their assets and implement specific security measures. The asset types are now Devices, Users, Applications, Data, Networks, Software, and—the newest addition—Documentation. This asset type includes Plans, Policies, and Procedures.
Minor Typo Corrections in Safeguard Descriptions
CIS Controls v8.1 corrects minor typos in the CIS Safeguard descriptions so that Safeguards can be referenced more accurately than in the previous iteration.
Conclusion
These are relatively minor updates made by CIS to enhance the scope and practical applicability of Safeguards, align with other major security frameworks (namely, NIST CSF 2.0), and ensure continuity for existing CIS Controls users.
Tripwire is currently working on updating our blog series that examines each of the 18 security measures contained within CIS Controls to align with v8.1. Until then, find out more about how Tripwire’s solutions align with CIS Controls and how you can take advantage of them by checking out our CIS Controls Monitoring Solution here.
Editor's Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.