CIS Critical Security Controls Version 8

A prioritized set of actions to protect organizations and data from known cyber attack vectors, developed by a global community of IT experts. The tables below map each NIST SP 800-53 control (grouped by control family, e.g. AC, AU, SC) to the CIS Controls v8 it corresponds to; a reference such as "CIS 6" names a whole Control, while "CIS 6.1" names an individual Safeguard within it.

AC Access Control

Control | Name | CIS Controls v8 References
AC-01 | Access Control Policies and Procedures | CIS 6
AC-02 | Account Management | CIS 4.7, CIS 5, CIS 5.1, CIS 5.3, CIS 5.5, CIS 5.6, CIS 6, CIS 6.1, CIS 6.2, CIS 6.6, CIS 6.7, CIS 6.8, CIS 12.5
AC-03 | Access Enforcement | CIS 3.3, CIS 6, CIS 6.7, CIS 6.8, CIS 13.9
AC-04 | Information Flow Enforcement | CIS 3, CIS 3.8, CIS 3.12, CIS 3.13, CIS 9.3, CIS 12, CIS 13.4, CIS 13.10
AC-05 | Separation Of Duties | CIS 5
AC-06 | Least Privilege | CIS 3.3, CIS 3.14, CIS 5, CIS 5.4, CIS 6, CIS 6.1, CIS 6.8, CIS 12.8
AC-07 | Unsuccessful Login Attempts | CIS 4.10
AC-11 | Session Lock | CIS 4.3, CIS 4.10
AC-17 | Remote Access | CIS 4.6, CIS 6, CIS 6.4, CIS 12.3, CIS 12.6, CIS 12.7, CIS 13.5, CIS 14.8
AC-19 | Access Control For Portable And Mobile Devices | CIS 4.11, CIS 4.12
AC-20 | Use Of External Information Systems | CIS 13.5
AC-24 | Access Control Decisions | CIS 6, CIS 6.7

AT Awareness and Training

Control | Name | CIS Controls v8 References
AT-01 | Security Awareness And Training Policy And Procedures | CIS 14, CIS 14.1
AT-02 | Security Awareness | CIS 14, CIS 14.1, CIS 14.2, CIS 14.3, CIS 14.4, CIS 14.5, CIS 14.6, CIS 14.7, CIS 14.8
AT-03 | Security Training | CIS 14, CIS 14.3, CIS 14.4, CIS 14.5, CIS 14.7, CIS 14.8, CIS 14.9, CIS 16.9
AT-04 | Security Training Records | CIS 14
AT-06 | Training Feedback | CIS 14, CIS 14.6, CIS 14.9

AU Audit and Accountability

Control | Name | CIS Controls v8 References
AU-01 | Audit And Accountability Policy And Procedures | CIS 8, CIS 8.1
AU-02 | Auditable Events | CIS 3.14, CIS 8, CIS 8.1, CIS 8.2, CIS 8.6, CIS 8.7, CIS 8.8, CIS 8.12
AU-03 | Content Of Audit Records | CIS 1.3, CIS 1.4, CIS 3.14, CIS 8, CIS 8.2, CIS 8.5, CIS 8.6, CIS 8.7, CIS 8.8, CIS 13.6
AU-04 | Audit Storage Capacity | CIS 8, CIS 8.3
AU-05 | Response To Audit Processing Failures | CIS 8
AU-06 | Audit Monitoring, Analysis, And Reporting | CIS 8, CIS 8.9, CIS 8.11, CIS 12.5, CIS 13, CIS 13.1, CIS 13.11
AU-07 | Audit Reduction And Report Generation | CIS 8
AU-08 | Time Stamps | CIS 8, CIS 8.4
AU-09 | Protection Of Audit Information | CIS 8
AU-10 | Non-Repudiation | CIS 8
AU-11 | Audit Record Retention | CIS 3.4, CIS 8, CIS 8.3, CIS 8.10
AU-12 | Audit Record Generation | CIS 3.14, CIS 8, CIS 8.2
AU-14 | Session Audit | CIS 8.8
AU-16 | Cross-Organizational Audit Logging | CIS 8.12

CA Security Assessment and Authorization

Control | Name | CIS Controls v8 References
CA-02 | Security Assessments | CIS 15.5, CIS 18.4
CA-05 | Plan Of Action And Milestones | CIS 7.2, CIS 7.7, CIS 16.3, CIS 18.3
CA-07 | Continuous Monitoring | CIS 7, CIS 13, CIS 15.6
CA-08 | Penetration Testing | CIS 16.13, CIS 18, CIS 18.1, CIS 18.2, CIS 18.4, CIS 18.5

CM Configuration Management

Control | Name | CIS Controls v8 References
CM-01 | Configuration Management Policy And Procedures | CIS 4.1
CM-02 | Baseline Configuration | CIS 4, CIS 4.1, CIS 12, CIS 16.7
CM-03 | Configuration Change Control | CIS 4, CIS 16.7
CM-04 | Monitoring Configuration Changes | CIS 16.8
CM-05 | Access Restrictions For Change | CIS 4.6, CIS 12.3
CM-06 | Configuration Settings | CIS 4, CIS 4.1, CIS 4.2, CIS 4.6, CIS 4.7, CIS 10.5, CIS 12, CIS 12.1, CIS 12.3, CIS 16.7
CM-07 | Least Functionality | CIS 2, CIS 2.3, CIS 2.5, CIS 2.6, CIS 2.7, CIS 4, CIS 4.8, CIS 9.1, CIS 9.4, CIS 10.3, CIS 12
CM-08 | Information System Component Inventory | CIS 1, CIS 1.1, CIS 1.2, CIS 1.3, CIS 1.5, CIS 2, CIS 2.1, CIS 2.4, CIS 3.2, CIS 16.4
CM-10 | Software Usage Restrictions | CIS 2, CIS 2.1, CIS 2.4
CM-11 | User-Installed Software | CIS 2, CIS 2.3, CIS 9.4
CM-12 | Information Location | CIS 1, CIS 1.1, CIS 1.3, CIS 1.4, CIS 1.5, CIS 2, CIS 2.1, CIS 2.4, CIS 3, CIS 3.2, CIS 3.8
CM-13 | Data Action Mapping | CIS 3, CIS 3.1, CIS 3.2, CIS 3.8
CM-14 | Signed Components | CIS 2, CIS 2.6

CP Contingency Planning

Control | Name | CIS Controls v8 References
CP-02 | Contingency Plan | CIS 11.1
CP-04 | Contingency Plan Testing And Exercises | CIS 11.5
CP-06 | Alternate Storage Site | CIS 11, CIS 11.3, CIS 11.4
CP-09 | Information System Backup | CIS 11, CIS 11.1, CIS 11.2, CIS 11.3, CIS 11.4, CIS 11.5
CP-10 | Information System Recovery And Reconstitution | CIS 11

IA Identification and Authentication

Control | Name | CIS Controls v8 References
IA-02 | User Identification And Authentication | CIS 5, CIS 5.6, CIS 6.3, CIS 6.4, CIS 6.5, CIS 12.5, CIS 12.7
IA-03 | Device Identification And Authentication | CIS 13.9
IA-04 | Identifier Management | CIS 5, CIS 5.5, CIS 6.6
IA-05 | Authenticator Management | CIS 4.7, CIS 5, CIS 5.2, CIS 14.3

IR Incident Response

Control | Name | CIS Controls v8 References
IR-01 | Incident Response Policy And Procedures | CIS 17, CIS 17.1, CIS 17.4, CIS 17.5
IR-02 | Incident Response Training | CIS 14.6, CIS 17, CIS 17.1, CIS 17.5
IR-03 | Incident Response Testing And Exercises | CIS 16.3, CIS 17, CIS 17.7, CIS 17.8
IR-04 | Incident Handling | CIS 13, CIS 17, CIS 17.6, CIS 17.8, CIS 17.9
IR-05 | Incident Monitoring | CIS 17, CIS 17.9
IR-06 | Incident Reporting | CIS 17, CIS 17.2, CIS 17.3, CIS 17.6
IR-07 | Incident Response Assistance | CIS 17, CIS 17.2, CIS 17.6
IR-08 | Incident Response Plan | CIS 17, CIS 17.3, CIS 17.4, CIS 17.9
IR-09 | Information Spillage Response | CIS 17

MP Media Protection

Control | Name | CIS Controls v8 References
MP-01 | Media Protection Policy And Procedures | CIS 3, CIS 14.4, CIS 14.5
MP-02 | Media Access | CIS 3
MP-03 | Media Labeling | CIS 3
MP-04 | Media Storage | CIS 3, CIS 3.9
MP-05 | Media Transport | CIS 3, CIS 3.9
MP-06 | Media Sanitization And Disposal | CIS 3, CIS 3.5, CIS 4.11, CIS 15.7
MP-07 | Media Use | CIS 3, CIS 10.3, CIS 10.4

PE Physical and Environmental Protection

Control | Name | CIS Controls v8 References
PE-19 | Information Leakage | CIS 3.13

PL Planning

Control | Name | CIS Controls v8 References
PL-02 | System Security Plan | CIS 12.4
PL-08 | Security and Privacy Architectures | CIS 3.8, CIS 12.2, CIS 12.4

PM Program Management

Control | Name | CIS Controls v8 References
PM-01 | Information Security Program Plan | CIS 3.1
PM-02 | Information Security Program Leadership Role | CIS 17.1, CIS 17.5
PM-05 | System Inventory | CIS 1, CIS 3.2, CIS 6.6, CIS 15.1
PM-13 | Security and Privacy Workforce | CIS 14, CIS 14.1, CIS 14.9
PM-14 | Testing, Training, and Monitoring | CIS 14, CIS 17.7
PM-15 | Security and Privacy Groups and Associations | CIS 17.2

PS Personnel Security

Control | Name | CIS Controls v8 References
PS-04 | Personnel Termination | CIS 6.2, CIS 15.7
PS-05 | Personnel Transfer | CIS 6.2

PT Personally Identifiable Information Processing and Transparency

Control | Name | CIS Controls v8 References
PT-01 | Policy and Procedures | CIS 3
PT-02 | Authority to Process Personally Identifiable Information | CIS 3
PT-03 | Personally Identifiable Information Processing Purposes | CIS 3
PT-04 | Consent | CIS 3
PT-05 | Privacy Notice | CIS 3
PT-06 | System of Records Notice | CIS 3
PT-07 | Specific Categories of Personally Identifiable Information | CIS 3
PT-08 | Computer Matching Requirements | CIS 3

RA Risk Assessment

Control | Name | CIS Controls v8 References
RA-02 | Security Categorization | CIS 3, CIS 3.2, CIS 3.7, CIS 15.3
RA-03 | Risk Assessment | CIS 16.6, CIS 16.14
RA-05 | Vulnerability Scanning | CIS 7, CIS 7.1, CIS 7.5, CIS 7.6, CIS 7.7, CIS 16.2, CIS 16.6, CIS 18, CIS 18.4

SA System and Services Acquisition

Control | Name | CIS Controls v8 References
SA-03 | Life Cycle Support | CIS 16, CIS 16.1
SA-04 | Acquisitions | CIS 15, CIS 15.2, CIS 15.4, CIS 16
SA-08 | Security Engineering Principles | CIS 16, CIS 16.10, CIS 16.11, CIS 16.14
SA-09 | External Information System Services | CIS 8.12, CIS 15, CIS 15.1, CIS 15.2, CIS 15.3, CIS 15.4, CIS 15.5, CIS 15.6, CIS 15.7
SA-10 | Developer Configuration Management | CIS 2.6, CIS 16, CIS 16.4
SA-11 | Developer Security Testing | CIS 16, CIS 16.2, CIS 16.3, CIS 16.8, CIS 16.12, CIS 16.13
SA-15 | Development Process, Standards, and Tools | CIS 16, CIS 16.1
SA-16 | Developer-Provided Training | CIS 16.9
SA-17 | Developer Security and Privacy Architecture and Design | CIS 16, CIS 16.10, CIS 16.14
SA-22 | Unsupported System Components | CIS 2, CIS 2.2, CIS 9.1, CIS 12.1, CIS 16.5

SC System and Communications Protection

Control | Name | CIS Controls v8 References
SC-07 | Boundary Protection | CIS 3.12, CIS 3.13, CIS 4, CIS 4.2, CIS 4.4, CIS 4.5, CIS 9, CIS 9.2, CIS 9.3, CIS 9.6, CIS 12, CIS 12.2, CIS 12.8, CIS 13, CIS 13.3, CIS 13.4, CIS 13.8, CIS 13.9, CIS 13.10
SC-08 | Transmission Integrity | CIS 3, CIS 3.10, CIS 12.3, CIS 12.6
SC-13 | Use Of Cryptography | CIS 16.11
SC-18 | Mobile Code | CIS 9, CIS 9.6
SC-20 | Secure Name / Address Resolution Service (Authoritative Source) | CIS 4.9, CIS 8.6, CIS 9.2
SC-21 | Secure Name / Address Resolution Service (Recursive Or Caching Resolver) | CIS 4.9, CIS 9.2
SC-22 | Architecture And Provisioning For Name / Address Resolution Service | CIS 4.9
SC-28 | Protection of Information at Rest | CIS 3, CIS 3.6, CIS 3.9, CIS 3.11, CIS 4, CIS 11.3
SC-32 | System Partitioning | CIS 3.12, CIS 4.12, CIS 12.2, CIS 12.8, CIS 16.8
SC-44 | Detonation Chambers | CIS 10, CIS 10.7
SC-45 | System Time Synchronization | CIS 8, CIS 8.4
SC-47 | Alternate Communications Paths | CIS 17.6
SC-48 | Sensor Relocation | CIS 13

SI System and Information Integrity

Control | Name | CIS Controls v8 References
SI-02 | Flaw Remediation | CIS 7, CIS 7.1, CIS 7.2, CIS 7.3, CIS 7.4, CIS 7.7, CIS 12.1, CIS 14.7, CIS 16.2, CIS 18.3
SI-03 | Malicious Code Protection | CIS 9, CIS 9.3, CIS 9.6, CIS 9.7, CIS 10, CIS 10.1, CIS 10.2, CIS 10.4, CIS 10.6, CIS 10.7
SI-04 | Information System Monitoring Tools And Techniques | CIS 1.4, CIS 3.13, CIS 8.7, CIS 8.9, CIS 10, CIS 10.7, CIS 13, CIS 13.1, CIS 13.2, CIS 13.3, CIS 13.6, CIS 13.7, CIS 13.8, CIS 13.10, CIS 13.11
SI-05 | Security Alerts And Advisories | CIS 7
SI-07 | Software And Information Integrity | CIS 13.2, CIS 13.7
SI-08 | Spam Protection | CIS 9, CIS 9.5, CIS 9.7, CIS 10
SI-12 | Information Output Handling And Retention | CIS 3, CIS 3.1, CIS 3.4, CIS 3.5
SI-16 | Memory Protection | CIS 10, CIS 10.5, CIS 13.7

SR Supply Chain Risk Management

Control | Name | CIS Controls v8 References
SR-01 | Policy and Procedures | CIS 15, CIS 15.2
SR-02 | Supply Chain Risk Management Plan | CIS 15, CIS 15.3
SR-03 | Supply Chain Controls and Processes | CIS 15, CIS 15.4
SR-04 | Provenance | CIS 16.4, CIS 16.5, CIS 16.11
SR-05 | Acquisition Strategies, Tools, and Methods | CIS 15
SR-06 | Supplier Assessments and Reviews | CIS 15, CIS 15.5, CIS 15.6
SR-11 | Component Authenticity | CIS 16.5
SR-12 | Component Disposal | CIS 3.5