CIS Controls v8 Mappings | Open Security Architecture

Clause	Title	SP 800-53 Controls
CIS 1	Inventory and Control of Enterprise Assets	CM-08 CM-12 PM-05
CIS 1.1	Establish and Maintain Detailed Enterprise Asset Inventory	CM-08 CM-12
CIS 1.2	Address Unauthorized Assets	CM-08
CIS 1.3	Utilize DHCP Logging to Update Enterprise Asset Inventory	AU-03 CM-08 CM-12
CIS 1.4	Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory	AU-03 SI-04 CM-12
CIS 1.5	Use a Passive Asset Discovery Tool	CM-08 CM-12
CIS 2	Inventory and Control of Software Assets	CM-07 CM-08 CM-10 CM-11 CM-12 CM-14 SA-22
CIS 2.1	Establish and Maintain a Software Inventory	CM-08 CM-10 CM-12
CIS 2.2	Ensure Authorized Software is Currently Supported	SA-22
CIS 2.3	Address Unauthorized Software	CM-07 CM-11
CIS 2.4	Utilize Automated Software Inventory Tools	CM-08 CM-10 CM-12
CIS 2.5	Allowlist Authorized Software	CM-07
CIS 2.6	Allowlist Authorized Libraries	CM-07 CM-14 SA-10
CIS 2.7	Allowlist Authorized Scripts	CM-07
CIS 3	Data Protection	SC-28 SC-08 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 AC-04 RA-02 SI-12 CM-12 CM-13 PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08
CIS 3.1	Establish and Maintain a Data Management Process	SI-12 PM-01 CM-13
CIS 3.2	Establish and Maintain a Data Inventory	RA-02 CM-08 CM-12 CM-13 PM-05
CIS 3.3	Configure Data Access Control Lists	AC-03 AC-06
CIS 3.4	Enforce Data Retention	SI-12 AU-11
CIS 3.5	Securely Dispose of Data	MP-06 SI-12 SR-12
CIS 3.6	Encrypt Data on End-User Devices	SC-28
CIS 3.7	Establish and Maintain a Data Classification Scheme	RA-02
CIS 3.8	Document Data Flows	AC-04 CM-12 CM-13 PL-08
CIS 3.9	Encrypt Data on Removable Media	MP-04 MP-05 SC-28
CIS 3.10	Encrypt Sensitive Data in Transit	SC-08
CIS 3.11	Encrypt Sensitive Data at Rest	SC-28
CIS 3.12	Segment Data Processing and Storage Based on Sensitivity	SC-32 AC-04 SC-07
CIS 3.13	Deploy a Data Loss Prevention Solution	AC-04 PE-19 SC-07 SI-04
CIS 3.14	Log Sensitive Data Access	AC-06 AU-02 AU-03 AU-12
CIS 4	Secure Configuration of Enterprise Assets and Software	CM-02 CM-06 CM-07 CM-03 SC-07 SC-28
CIS 4.1	Establish and Maintain a Secure Configuration Process	CM-01 CM-02 CM-06
CIS 4.2	Establish and Maintain a Secure Configuration Process for Network Infrastructure	CM-06 SC-07
CIS 4.3	Configure Automatic Session Locking on Enterprise Assets	AC-11
CIS 4.4	Implement and Manage a Firewall on Servers	SC-07
CIS 4.5	Implement and Manage a Firewall on End-User Devices	SC-07
CIS 4.6	Securely Manage Enterprise Assets and Software	CM-05 CM-06 AC-17
CIS 4.7	Manage Default Accounts on Enterprise Assets and Software	AC-02 CM-06 IA-05
CIS 4.8	Uninstall or Disable Unnecessary Services on Enterprise Assets and Software	CM-07
CIS 4.9	Configure Trusted DNS Servers on Enterprise Assets	SC-20 SC-21 SC-22
CIS 4.10	Enforce Automatic Device Lockout on Portable End-User Devices	AC-07 AC-11
CIS 4.11	Enforce Remote Wipe Capability on Portable End-User Devices	AC-19 MP-06
CIS 4.12	Separate Enterprise Workspaces on Mobile End-User Devices	AC-19 SC-32
CIS 5	Account Management	AC-02 AC-05 AC-06 IA-04 IA-05 IA-02
CIS 5.1	Establish and Maintain an Inventory of Accounts	AC-02
CIS 5.2	Use Unique Passwords	IA-05
CIS 5.3	Disable Dormant Accounts	AC-02
CIS 5.4	Restrict Administrator Privileges to Dedicated Administrator Accounts	AC-06
CIS 5.5	Establish and Maintain an Inventory of Service Accounts	AC-02 IA-04
CIS 5.6	Centralize Account Management	AC-02 IA-02
CIS 6	Access Control Management	AC-01 AC-02 AC-03 AC-06 AC-17 AC-24
CIS 6.1	Establish an Access Granting Process	AC-02 AC-06
CIS 6.2	Establish an Access Revoking Process	AC-02 PS-04 PS-05
CIS 6.3	Require MFA for Externally-Exposed Applications	IA-02
CIS 6.4	Require MFA for Remote Network Access	AC-17 IA-02
CIS 6.5	Require MFA for Administrative Access	IA-02
CIS 6.6	Establish and Maintain an Inventory of Authentication and Authorization Systems	AC-02 IA-04 PM-05
CIS 6.7	Centralize Access Control	AC-02 AC-03 AC-24
CIS 6.8	Define and Maintain Role-Based Access Control	AC-02 AC-03 AC-06
CIS 7	Continuous Vulnerability Management	RA-05 SI-02 SI-05 CA-07
CIS 7.1	Establish and Maintain a Vulnerability Management Process	RA-05 SI-02
CIS 7.2	Establish and Maintain a Remediation Process	SI-02 CA-05
CIS 7.3	Perform Automated Operating System Patch Management	SI-02
CIS 7.4	Perform Automated Application Patch Management	SI-02
CIS 7.5	Perform Automated Vulnerability Scans of Internal Enterprise Assets	RA-05
CIS 7.6	Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets	RA-05
CIS 7.7	Remediate Detected Vulnerabilities	SI-02 CA-05 RA-05
CIS 8	Audit Log Management	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 SC-45
CIS 8.1	Establish and Maintain an Audit Log Management Process	AU-01 AU-02
CIS 8.2	Collect Audit Logs	AU-02 AU-03 AU-12
CIS 8.3	Ensure Adequate Audit Log Storage	AU-04 AU-11
CIS 8.4	Standardize Time Synchronization	AU-08 SC-45
CIS 8.5	Collect Detailed Audit Logs	AU-03
CIS 8.6	Collect DNS Query Audit Logs	AU-02 AU-03 SC-20
CIS 8.7	Collect URL Request Audit Logs	AU-02 AU-03 SI-04
CIS 8.8	Collect Command-Line Audit Logs	AU-02 AU-03 AU-14
CIS 8.9	Centralize Audit Logs	AU-06 SI-04
CIS 8.10	Retain Audit Logs	AU-11
CIS 8.11	Conduct Audit Log Reviews	AU-06
CIS 8.12	Collect Service Provider Logs	AU-02 SA-09 AU-16
CIS 9	Email and Web Browser Protections	SC-07 SI-03 SI-08 SC-18
CIS 9.1	Ensure Use of Only Fully Supported Browsers and Email Clients	SA-22 CM-07
CIS 9.2	Use DNS Filtering Services	SC-07 SC-20 SC-21
CIS 9.3	Maintain and Enforce Network-Based URL Filters	SC-07 SI-03 AC-04
CIS 9.4	Restrict Unnecessary or Unauthorized Browser and Email Client Extensions	CM-07 CM-11
CIS 9.5	Implement DMARC	SI-08
CIS 9.6	Block Unnecessary File Types	SC-07 SI-03 SC-18
CIS 9.7	Deploy and Maintain Email Server Anti-Malware Protections	SI-03 SI-08
CIS 10	Malware Defenses	SC-44 SI-03 SI-04 SI-08 SI-16
CIS 10.1	Deploy and Maintain Anti-Malware Software	SI-03
CIS 10.2	Configure Automatic Anti-Malware Signature Updates	SI-03
CIS 10.3	Disable Autorun and Autoplay for Removable Media	CM-07 MP-07
CIS 10.4	Configure Automatic Anti-Malware Scanning of Removable Media	MP-07 SI-03
CIS 10.5	Enable Anti-Exploitation Features	SI-16 CM-06
CIS 10.6	Centrally Manage Anti-Malware Software	SI-03
CIS 10.7	Use Behavior-Based Anti-Malware Software	SC-44 SI-03 SI-04
CIS 11	Data Recovery	CP-09 CP-06 CP-10
CIS 11.1	Establish and Maintain a Data Recovery Process	CP-09 CP-02
CIS 11.2	Perform Automated Backups	CP-09
CIS 11.3	Protect Recovery Data	CP-09 CP-06 SC-28
CIS 11.4	Establish and Maintain an Isolated Instance of Recovery Data	CP-06 CP-09
CIS 11.5	Test Data Recovery	CP-04 CP-09
CIS 12	Network Infrastructure Management	SC-07 CM-02 CM-06 CM-07 AC-04
CIS 12.1	Ensure Network Infrastructure is Up-to-Date	SA-22 SI-02 CM-06
CIS 12.2	Establish and Maintain a Secure Network Architecture	PL-08 SC-07 SC-32
CIS 12.3	Securely Manage Network Infrastructure	AC-17 CM-05 CM-06 SC-08
CIS 12.4	Establish and Maintain Architecture Diagram(s)	PL-02 PL-08
CIS 12.5	Centralize Network Authentication, Authorization, and Auditing (AAA)	AC-02 AU-06 IA-02
CIS 12.6	Use of Secure Network Management and Communication Protocols	AC-17 SC-08
CIS 12.7	Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure	AC-17 IA-02
CIS 12.8	Establish and Maintain Dedicated Computing Resources for All Administrative Work	AC-06 SC-07 SC-32
CIS 13	Network Monitoring and Defense	SI-04 AU-06 SC-07 IR-04 CA-07 SC-48
CIS 13.1	Centralize Security Event Alerting	AU-06 SI-04
CIS 13.2	Deploy a Host-Based Intrusion Detection Solution	SI-04 SI-07
CIS 13.3	Deploy a Network Intrusion Detection Solution	SI-04 SC-07
CIS 13.4	Perform Traffic Filtering Between Network Segments	AC-04 SC-07
CIS 13.5	Manage Access Control for Remote Assets	AC-17 AC-20
CIS 13.6	Collect Network Traffic Flow Logs	AU-03 SI-04
CIS 13.7	Deploy a Host-Based Intrusion Prevention Solution	SI-04 SI-07 SI-16
CIS 13.8	Deploy a Network Intrusion Prevention Solution	SC-07 SI-04
CIS 13.9	Deploy Port-Level Access Control	AC-03 SC-07 IA-03
CIS 13.10	Perform Application Layer Filtering	AC-04 SC-07 SI-04
CIS 13.11	Tune Security Event Alerting Thresholds	AU-06 SI-04
CIS 14	Security Awareness and Skills Training	AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14
CIS 14.1	Establish and Maintain a Security Awareness Program	AT-01 AT-02 PM-13
CIS 14.2	Train Workforce Members to Recognize Social Engineering Attacks	AT-02
CIS 14.3	Train Workforce Members on Authentication Best Practices	AT-02 AT-03 IA-05
CIS 14.4	Train Workforce on Data Handling Best Practices	AT-02 AT-03 MP-01
CIS 14.5	Train Workforce Members on Causes of Unintentional Data Exposure	AT-02 AT-03 MP-01
CIS 14.6	Train Workforce Members on Recognizing and Reporting Security Incidents	AT-02 IR-02 AT-06
CIS 14.7	Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates	AT-02 AT-03 SI-02
CIS 14.8	Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks	AT-02 AT-03 AC-17
CIS 14.9	Conduct Role-Specific Security Awareness and Skills Training	AT-03 AT-06 PM-13
CIS 15	Service Provider Management	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06
CIS 15.1	Establish and Maintain an Inventory of Service Providers	SA-09 PM-05
CIS 15.2	Establish and Maintain a Service Provider Management Policy	SA-04 SA-09 SR-01
CIS 15.3	Classify Service Providers	RA-02 SA-09 SR-02
CIS 15.4	Ensure Service Provider Contracts Include Security Requirements	SA-04 SA-09 SR-03
CIS 15.5	Assess Service Providers	SR-06 SA-09 CA-02
CIS 15.6	Monitor Service Providers	SA-09 SR-06 CA-07
CIS 15.7	Securely Decommission Service Providers	SA-09 PS-04 MP-06
CIS 16	Application Software Security	SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17
CIS 16.1	Establish and Maintain a Secure Application Development Process	SA-03 SA-15
CIS 16.2	Establish and Maintain a Process to Accept and Address Software Vulnerabilities	SI-02 RA-05 SA-11
CIS 16.3	Perform Root Cause Analysis on Security Vulnerabilities	SA-11 IR-03 CA-05
CIS 16.4	Establish and Manage an Inventory of Third-Party Software Components	CM-08 SA-10 SR-04
CIS 16.5	Use Up-to-Date and Trusted Third-Party Software Components	SA-22 SR-04 SR-11
CIS 16.6	Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities	RA-05 RA-03
CIS 16.7	Use Standard Hardening Configuration Templates for Application Infrastructure	CM-02 CM-03 CM-06
CIS 16.8	Separate Production and Non-Production Systems	CM-04 SA-11 SC-32
CIS 16.9	Train Developers in Application Security Concepts and Secure Coding	AT-03 SA-16
CIS 16.10	Apply Secure Design Principles in Application Architectures	SA-08 SA-17
CIS 16.11	Leverage Vetted Modules or Services for Application Security Components	SA-08 SC-13 SR-04
CIS 16.12	Implement Code-Level Security Checks	SA-11
CIS 16.13	Conduct Application Penetration Testing	CA-08 SA-11
CIS 16.14	Conduct Threat Modeling	SA-08 SA-17 RA-03
CIS 17	Incident Response Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09
CIS 17.1	Designate Personnel to Manage Incident Handling	IR-01 IR-02 PM-02
CIS 17.2	Establish and Maintain Contact Information for Reporting Security Incidents	IR-06 IR-07 PM-15
CIS 17.3	Establish and Maintain an Enterprise Process for Reporting Incidents	IR-06 IR-08
CIS 17.4	Establish and Maintain an Incident Response Process	IR-08 IR-01
CIS 17.5	Assign Key Roles and Responsibilities	IR-01 IR-02 PM-02
CIS 17.6	Define Mechanisms for Communicating During Incident Response	IR-04 IR-06 IR-07 SC-47
CIS 17.7	Conduct Routine Incident Response Exercises	IR-03 PM-14
CIS 17.8	Conduct Post-Incident Reviews	IR-03 IR-04
CIS 17.9	Establish and Maintain Security Incident Thresholds	IR-04 IR-05 IR-08
CIS 18	Penetration Testing	CA-08 RA-05
CIS 18.1	Establish and Maintain a Penetration Testing Program	CA-08
CIS 18.2	Perform Periodic External Penetration Tests	CA-08
CIS 18.3	Remediate Penetration Test Findings	CA-05 SI-02
CIS 18.4	Validate Security Measures	CA-02 CA-08 RA-05
CIS 18.5	Perform Periodic Internal Penetration Tests	CA-08

CIS 1

Inventory and Control of Enterprise Assets

CM-08 CM-12 PM-05

CIS 1.1

Establish and Maintain Detailed Enterprise Asset Inventory

CM-08 CM-12

CIS 1.2

Address Unauthorized Assets

CM-08

CIS 1.3

Utilize DHCP Logging to Update Enterprise Asset Inventory

AU-03 CM-08 CM-12

CIS 1.4

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

AU-03 SI-04 CM-12

CIS 1.5

Use a Passive Asset Discovery Tool

CM-08 CM-12

CIS 2

Inventory and Control of Software Assets

CM-07 CM-08 CM-10 CM-11 CM-12 CM-14 SA-22

CIS 2.1

Establish and Maintain a Software Inventory

CM-08 CM-10 CM-12

CIS 2.2

Ensure Authorized Software is Currently Supported

SA-22

CIS 2.3

Address Unauthorized Software

CM-07 CM-11

CIS 2.4

Utilize Automated Software Inventory Tools

CM-08 CM-10 CM-12

CIS 2.5

Allowlist Authorized Software

CM-07

CIS 2.6

Allowlist Authorized Libraries

CM-07 CM-14 SA-10

CIS 2.7

Allowlist Authorized Scripts

CM-07

CIS 3

Data Protection

SC-28 SC-08 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 MP-07 AC-04 RA-02 SI-12 CM-12 CM-13 PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 PT-08

CIS 3.1

Establish and Maintain a Data Management Process

SI-12 PM-01 CM-13

CIS 3.2

Establish and Maintain a Data Inventory

RA-02 CM-08 CM-12 CM-13 PM-05

CIS 3.3

Configure Data Access Control Lists

AC-03 AC-06

CIS 3.4

Enforce Data Retention

SI-12 AU-11

CIS 3.5

Securely Dispose of Data

MP-06 SI-12 SR-12

CIS 3.6

Encrypt Data on End-User Devices

SC-28

CIS 3.7

Establish and Maintain a Data Classification Scheme

RA-02

CIS 3.8

Document Data Flows

AC-04 CM-12 CM-13 PL-08

CIS 3.9

Encrypt Data on Removable Media

MP-04 MP-05 SC-28

CIS 3.10

Encrypt Sensitive Data in Transit

SC-08

CIS 3.11

Encrypt Sensitive Data at Rest

SC-28

CIS 3.12

Segment Data Processing and Storage Based on Sensitivity

SC-32 AC-04 SC-07

CIS 3.13

Deploy a Data Loss Prevention Solution

AC-04 PE-19 SC-07 SI-04

CIS 3.14

Log Sensitive Data Access

AC-06 AU-02 AU-03 AU-12

CIS 4

Secure Configuration of Enterprise Assets and Software

CM-02 CM-06 CM-07 CM-03 SC-07 SC-28

CIS 4.1

Establish and Maintain a Secure Configuration Process

CM-01 CM-02 CM-06

CIS 4.2

Establish and Maintain a Secure Configuration Process for Network Infrastructure

CM-06 SC-07

CIS 4.3

Configure Automatic Session Locking on Enterprise Assets

AC-11

CIS 4.4

Implement and Manage a Firewall on Servers

SC-07

CIS 4.5

Implement and Manage a Firewall on End-User Devices

SC-07

CIS 4.6

Securely Manage Enterprise Assets and Software

CM-05 CM-06 AC-17

CIS 4.7

Manage Default Accounts on Enterprise Assets and Software

AC-02 CM-06 IA-05

CIS 4.8

Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

CM-07

CIS 4.9

Configure Trusted DNS Servers on Enterprise Assets

SC-20 SC-21 SC-22

CIS 4.10

Enforce Automatic Device Lockout on Portable End-User Devices

AC-07 AC-11

CIS 4.11

Enforce Remote Wipe Capability on Portable End-User Devices

AC-19 MP-06

CIS 4.12

Separate Enterprise Workspaces on Mobile End-User Devices

AC-19 SC-32

CIS 5

Account Management

AC-02 AC-05 AC-06 IA-04 IA-05 IA-02

CIS 5.1

Establish and Maintain an Inventory of Accounts

AC-02

CIS 5.2

Use Unique Passwords

IA-05

CIS 5.3

Disable Dormant Accounts

AC-02

CIS 5.4

Restrict Administrator Privileges to Dedicated Administrator Accounts

AC-06

CIS 5.5

Establish and Maintain an Inventory of Service Accounts

AC-02 IA-04

CIS 5.6

Centralize Account Management

AC-02 IA-02

CIS 6

Access Control Management

AC-01 AC-02 AC-03 AC-06 AC-17 AC-24

CIS 6.1

Establish an Access Granting Process

AC-02 AC-06

CIS 6.2

Establish an Access Revoking Process

AC-02 PS-04 PS-05

CIS 6.3

Require MFA for Externally-Exposed Applications

IA-02

CIS 6.4

Require MFA for Remote Network Access

AC-17 IA-02

CIS 6.5

Require MFA for Administrative Access

IA-02

CIS 6.6

Establish and Maintain an Inventory of Authentication and Authorization Systems

AC-02 IA-04 PM-05

CIS 6.7

Centralize Access Control

AC-02 AC-03 AC-24

CIS 6.8

Define and Maintain Role-Based Access Control

AC-02 AC-03 AC-06

CIS 7

Continuous Vulnerability Management

RA-05 SI-02 SI-05 CA-07

CIS 7.1

Establish and Maintain a Vulnerability Management Process

RA-05 SI-02

CIS 7.2

Establish and Maintain a Remediation Process

SI-02 CA-05

CIS 7.3

Perform Automated Operating System Patch Management

SI-02

CIS 7.4

Perform Automated Application Patch Management

SI-02

CIS 7.5

Perform Automated Vulnerability Scans of Internal Enterprise Assets

RA-05

CIS 7.6

Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

RA-05

CIS 7.7

Remediate Detected Vulnerabilities

SI-02 CA-05 RA-05

CIS 8

Audit Log Management

AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 AU-12 SC-45

CIS 8.1

Establish and Maintain an Audit Log Management Process

AU-01 AU-02

CIS 8.2

Collect Audit Logs

AU-02 AU-03 AU-12

CIS 8.3

Ensure Adequate Audit Log Storage

AU-04 AU-11

CIS 8.4

Standardize Time Synchronization

AU-08 SC-45

CIS 8.5

Collect Detailed Audit Logs

AU-03

CIS 8.6

Collect DNS Query Audit Logs

AU-02 AU-03 SC-20

CIS 8.7

Collect URL Request Audit Logs

AU-02 AU-03 SI-04

CIS 8.8

Collect Command-Line Audit Logs

AU-02 AU-03 AU-14

CIS 8.9

Centralize Audit Logs

AU-06 SI-04

CIS 8.10

Retain Audit Logs

AU-11

CIS 8.11

Conduct Audit Log Reviews

AU-06

CIS 8.12

Collect Service Provider Logs

AU-02 SA-09 AU-16

CIS 9

Email and Web Browser Protections

SC-07 SI-03 SI-08 SC-18

CIS 9.1

Ensure Use of Only Fully Supported Browsers and Email Clients

SA-22 CM-07

CIS 9.2

Use DNS Filtering Services

SC-07 SC-20 SC-21

CIS 9.3

Maintain and Enforce Network-Based URL Filters

SC-07 SI-03 AC-04

CIS 9.4

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

CM-07 CM-11

CIS 9.5

Implement DMARC

SI-08

CIS 9.6

Block Unnecessary File Types

SC-07 SI-03 SC-18

CIS 9.7

Deploy and Maintain Email Server Anti-Malware Protections

SI-03 SI-08

CIS 10

Malware Defenses

SC-44 SI-03 SI-04 SI-08 SI-16

CIS 10.1

Deploy and Maintain Anti-Malware Software

SI-03

CIS 10.2

Configure Automatic Anti-Malware Signature Updates

SI-03

CIS 10.3

Disable Autorun and Autoplay for Removable Media

CM-07 MP-07

CIS 10.4

Configure Automatic Anti-Malware Scanning of Removable Media

MP-07 SI-03

CIS 10.5

Enable Anti-Exploitation Features

SI-16 CM-06

CIS 10.6

Centrally Manage Anti-Malware Software

SI-03

CIS 10.7

Use Behavior-Based Anti-Malware Software

SC-44 SI-03 SI-04

CIS 11

Data Recovery

CP-09 CP-06 CP-10

CIS 11.1

Establish and Maintain a Data Recovery Process

CP-09 CP-02

CIS 11.2

Perform Automated Backups

CP-09

CIS 11.3

Protect Recovery Data

CP-09 CP-06 SC-28

CIS 11.4

Establish and Maintain an Isolated Instance of Recovery Data

CP-06 CP-09

CIS 11.5

Test Data Recovery

CP-04 CP-09

CIS 12

Network Infrastructure Management

SC-07 CM-02 CM-06 CM-07 AC-04

CIS 12.1

Ensure Network Infrastructure is Up-to-Date

SA-22 SI-02 CM-06

CIS 12.2

Establish and Maintain a Secure Network Architecture

PL-08 SC-07 SC-32

CIS 12.3

Securely Manage Network Infrastructure

AC-17 CM-05 CM-06 SC-08

CIS 12.4

Establish and Maintain Architecture Diagram(s)

PL-02 PL-08

CIS 12.5

Centralize Network Authentication, Authorization, and Auditing (AAA)

AC-02 AU-06 IA-02

CIS 12.6

Use of Secure Network Management and Communication Protocols

AC-17 SC-08

CIS 12.7

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure

AC-17 IA-02

CIS 12.8

Establish and Maintain Dedicated Computing Resources for All Administrative Work

AC-06 SC-07 SC-32

CIS 13

Network Monitoring and Defense

SI-04 AU-06 SC-07 IR-04 CA-07 SC-48

CIS 13.1

Centralize Security Event Alerting

AU-06 SI-04

CIS 13.2

Deploy a Host-Based Intrusion Detection Solution

SI-04 SI-07

CIS 13.3

Deploy a Network Intrusion Detection Solution

SI-04 SC-07

CIS 13.4

Perform Traffic Filtering Between Network Segments

AC-04 SC-07

CIS 13.5

Manage Access Control for Remote Assets

AC-17 AC-20

CIS 13.6

Collect Network Traffic Flow Logs

AU-03 SI-04

CIS 13.7

Deploy a Host-Based Intrusion Prevention Solution

SI-04 SI-07 SI-16

CIS 13.8

Deploy a Network Intrusion Prevention Solution

SC-07 SI-04

CIS 13.9

Deploy Port-Level Access Control

AC-03 SC-07 IA-03

CIS 13.10

Perform Application Layer Filtering

AC-04 SC-07 SI-04

CIS 13.11

Tune Security Event Alerting Thresholds

AU-06 SI-04

CIS 14

Security Awareness and Skills Training

AT-01 AT-02 AT-03 AT-04 AT-06 PM-13 PM-14

CIS 14.1

Establish and Maintain a Security Awareness Program

AT-01 AT-02 PM-13

CIS 14.2

Train Workforce Members to Recognize Social Engineering Attacks

AT-02

CIS 14.3

Train Workforce Members on Authentication Best Practices

AT-02 AT-03 IA-05

CIS 14.4

Train Workforce on Data Handling Best Practices

AT-02 AT-03 MP-01

CIS 14.5

Train Workforce Members on Causes of Unintentional Data Exposure

AT-02 AT-03 MP-01

CIS 14.6

Train Workforce Members on Recognizing and Reporting Security Incidents

AT-02 IR-02 AT-06

CIS 14.7

Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

AT-02 AT-03 SI-02

CIS 14.8

Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

AT-02 AT-03 AC-17

CIS 14.9

Conduct Role-Specific Security Awareness and Skills Training

AT-03 AT-06 PM-13

CIS 15

Service Provider Management

SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06

CIS 15.1

Establish and Maintain an Inventory of Service Providers

SA-09 PM-05

CIS 15.2

Establish and Maintain a Service Provider Management Policy

SA-04 SA-09 SR-01

CIS 15.3

Classify Service Providers

RA-02 SA-09 SR-02

CIS 15.4

Ensure Service Provider Contracts Include Security Requirements

SA-04 SA-09 SR-03

CIS 15.5

Assess Service Providers

SR-06 SA-09 CA-02

CIS 15.6

Monitor Service Providers

SA-09 SR-06 CA-07

CIS 15.7

Securely Decommission Service Providers

SA-09 PS-04 MP-06

CIS 16

Application Software Security

SA-03 SA-04 SA-08 SA-10 SA-11 SA-15 SA-17

CIS 16.1

Establish and Maintain a Secure Application Development Process

SA-03 SA-15

CIS 16.2

Establish and Maintain a Process to Accept and Address Software Vulnerabilities

SI-02 RA-05 SA-11

CIS 16.3

Perform Root Cause Analysis on Security Vulnerabilities

SA-11 IR-03 CA-05

CIS 16.4

Establish and Manage an Inventory of Third-Party Software Components

CM-08 SA-10 SR-04

CIS 16.5

Use Up-to-Date and Trusted Third-Party Software Components

SA-22 SR-04 SR-11

CIS 16.6

Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

RA-05 RA-03

CIS 16.7

Use Standard Hardening Configuration Templates for Application Infrastructure

CM-02 CM-03 CM-06

CIS 16.8

Separate Production and Non-Production Systems

CM-04 SA-11 SC-32

CIS 16.9

Train Developers in Application Security Concepts and Secure Coding

AT-03 SA-16

CIS 16.10

Apply Secure Design Principles in Application Architectures

SA-08 SA-17

CIS 16.11

Leverage Vetted Modules or Services for Application Security Components

SA-08 SC-13 SR-04

CIS 16.12

Implement Code-Level Security Checks

SA-11

CIS 16.13

Conduct Application Penetration Testing

CA-08 SA-11

CIS 16.14

Conduct Threat Modeling

SA-08 SA-17 RA-03

CIS 17

Incident Response Management

IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 IR-09

CIS 17.1

Designate Personnel to Manage Incident Handling

IR-01 IR-02 PM-02

CIS 17.2

Establish and Maintain Contact Information for Reporting Security Incidents

IR-06 IR-07 PM-15

CIS 17.3

Establish and Maintain an Enterprise Process for Reporting Incidents

IR-06 IR-08

CIS 17.4

Establish and Maintain an Incident Response Process

IR-08 IR-01

CIS 17.5

Assign Key Roles and Responsibilities

IR-01 IR-02 PM-02

CIS 17.6

Define Mechanisms for Communicating During Incident Response

IR-04 IR-06 IR-07 SC-47

CIS 17.7

Conduct Routine Incident Response Exercises

IR-03 PM-14

CIS 17.8

Conduct Post-Incident Reviews

IR-03 IR-04

CIS 17.9

Establish and Maintain Security Incident Thresholds

IR-04 IR-05 IR-08

CIS 18

Penetration Testing

CA-08 RA-05

CIS 18.1

Establish and Maintain a Penetration Testing Program

CA-08

CIS 18.2

Perform Periodic External Penetration Tests

CA-08

CIS 18.3

Remediate Penetration Test Findings

CA-05 SI-02

CIS 18.4

Validate Security Measures

CA-02 CA-08 RA-05

CIS 18.5

Perform Periodic Internal Penetration Tests

CA-08

CIS Critical Security Controls Version 8