The Center for Internet Security (CIS) released version 8.1 of its popular CIS Critical Controls on June 25, 2024.

Building on version 8.0, CIS Controls v8.1 provides even clearer guidance for improving organizations’ cybersecurity programs. It offers a practical set of prioritized recommendations, making it easier to implement effective cyber defenses.

Download the complete CIS Critical Controls v8.1  


Asset Types

Version 8.1 introduces new asset classes that align with the individual components of an enterprise’s infrastructure, so that each CIS Safeguard can be applied effectively. In CIS Controls v8, the Safeguards were associated with five asset types: Devices, Users, Applications, Data, and Network. Version 8.1 adds a sixth, Documentation, which covers Plans, Policies, Processes and Procedures.

For context, each Safeguard is associated with an Asset Type, a Security Function and one or more Implementation Groups.

The six Security Functions are Identify, Protect, Detect, Respond, Recover and Govern.


Implementation Groups

There are three Implementation Groups (IGs) defined in the CIS Controls document – IG1, IG2 and IG3. The Implementation Groups were created to make adoption easier for organizations of different sizes, with different security needs and risk appetites.

Implementation Group 1 (IG1)

IG1 covers small and medium-sized enterprises (SMEs) with limited security expertise, a low tolerance for downtime, and sensitive data that is primarily employee and financial information. The Safeguards in this group should “thwart general, non-targeted attacks.”

Implementation Group 2 (IG2)

IG2 covers larger enterprises with dedicated security personnel, multiple departments, some regulatory compliance requirements, and sensitive data that may include sensitive client information. Loss of public trust is a major concern, and the Safeguards in IG2, in addition to those included in IG1, should “help security teams cope with increased operational complexity.”

Implementation Group 3 (IG3)

IG3 covers enterprises with security experts in specialised areas, a need to address data confidentiality, data integrity and service availability, and significant regulatory oversight. Attacks on these organizations can impact public welfare. The Safeguards in this group should “abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.”


The Governance Security Function

The addition of the “Govern” security function helps users identify the essential policies, procedures, and processes needed to safeguard their assets, and gives them the evidence required to demonstrate compliance with industry standards.

“Effective cybersecurity governance establishes a robust framework to guide an organization’s cybersecurity program towards achieving its business objectives,” explains Curtis Dukes, CIS Executive Vice President. “The new governance activities within CIS Controls v8.1 provide a clear roadmap for building comprehensive cybersecurity programs.”


What’s New in CIS Critical Controls Version 8.1?

  • Enhanced Clarity: The update clarifies key terms used throughout the Controls (like “plan” and “sensitive data”) with improved glossary definitions.
  • Streamlined Implementation: Asset classifications have been revised, along with updated mappings to the CIS Safeguards, making it easier to put the Controls into action.
  • Improved Accuracy: Minor typos in the Safeguard descriptions have been corrected, ensuring a more accurate reference.
  • Expanded Guidance: Certain Safeguard descriptions have been clarified for better understanding.
  • Alignment with NIST CSF 2.0: The security function mappings have been updated to reflect the latest version of the NIST Cybersecurity Framework (NIST CSF 2.0).


CIS Controls v8.1 Governance Safeguards

Strong governance provides a framework for directing an organization’s cybersecurity program towards achieving its goals. Version 8.1 explicitly identifies governance-related recommendations to further strengthen the security program’s overall management.

Here’s a breakdown of the 25 new Govern function safeguards in CIS Controls v8.1, focusing on what they aim to achieve:

Data Management:

  • Safeguard 3.1: Creates a documented process for managing data, including classification, ownership, handling procedures, and retention/disposal guidelines.

Secure Configuration:

  • Safeguards 4.1 & 4.2: Establish documented processes for securely configuring devices, software, and network infrastructure.

Access Management:

  • Safeguard 5.6: Centralizes user account management for efficient control.
  • Safeguards 6.1 & 6.2: Define automated processes for granting and revoking access to resources based on user roles and needs.
  • Safeguard 6.8: Implements role-based access control, ensuring users only have the access required for their duties. Reviews are conducted regularly to verify access privileges.

Vulnerability Management:

  • Safeguards 7.1 & 7.2: Establish documented processes for identifying, prioritizing, and remediating vulnerabilities in enterprise assets.

Audit Log Management:

  • Safeguard 8.1: Defines a documented process for managing audit logs, including collection, review, and retention procedures.

Data Recovery:

  • Safeguard 11.1: Establishes a documented process for data recovery, outlining the scope, prioritization, and security of backups.

Documentation:

  • Safeguard 12.4: Requires maintaining up-to-date network system documentation, including architecture diagrams.

Security Awareness:

  • Safeguard 14.1: Establishes a program to educate employees on cybersecurity best practices for using company assets and data. Training is mandatory for new hires and repeated annually.

Service Provider Management:

  • Safeguards 15.2 – 15.6: Implement a policy for managing service providers, including classification, assessment, monitoring, and termination procedures. Contracts with service providers must include security requirements aligned with this policy.

Secure Application Development:

  • Safeguard 16.1: Establishes a secure development process for applications, addressing areas like secure design, coding practices, vulnerability management, and security testing.

Software Vulnerability Management:

  • Safeguards 16.2 & 16.6: Define a process for handling software vulnerability reports, including a public reporting mechanism. A vulnerability rating system prioritizes fixing the most critical issues.

Security Incident Response:

  • Safeguards 17.2 – 17.4: Establish procedures for reporting security incidents, including contact information, reporting process, and a documented incident response plan.

Penetration Testing:

  • Safeguard 18.1: Implements a penetration testing program tailored to the organization’s size and needs. This program defines the scope, frequency, limitations, communication plan, and remediation procedures for these security assessments.


In essence, CIS Controls v8.1 builds upon the core strengths of the previous version while offering improved clarity, more streamlined implementation, and a stronger focus on effective governance.