CIS Controls Initial Assessment Tool (V8.0a) : Instructions - Read Me First

This document provides instructions for using a tool to perform an initial assessment of an organization's information security maturity based on the CIS Controls. The tool allows assessors to answer dropdown questions about each control and subcontrol to generate overall maturity scores and levels.

Uploaded by

amazzi

CIS Controls Initial Assessment Tool (v8.0a)

Instructions - Read me first.

The purpose of this tool is to give organizations a simple way to perform an initial assessment of their information assurance maturity level based on the controls defined by the CIS Controls. Any questions about how this tool works, or suggestions, can be directed to [email protected]. To use the tool, the assessor only needs to complete the answers to the drop-down menu questions listed on the pages labeled CSC #1 - CSC #18. Once a drop-down choice has been made for each critical control, the assessment tool automatically generates scores and a maturity level from the answers to each question. The dashboard worksheet then populates with the overall maturity level scores for the organization as a whole. These scores can be used to measure the organization's progress and what percentage of the CIS Controls it is currently following. Ideally, in the long term, organizations would deploy tools that automate the collection of this information; in the meanwhile, this tool can be used to start the process of manually assessing the organization's maturity level.

Field Definitions
ID: The ID number of the specific CIS Control sub-control reference, as included in the CIS Controls documentation.
CIS Control Detail: The detail behind each specific sub-control, as defined by the CIS Controls documentation.
NIST CSF: This stands for the NIST Cybersecurity Framework function. These functions were defined by NIST in the CSF and act as control characteristics.
Implementation Groups: The implementation groups that relate to each individual sub-control. Sub-controls often apply at multiple implementation group levels.
Sensor or Baseline: The type of technical system or baseline that we believe is necessary in order to implement the specific sub-control.
Policy Approved: This question determines whether the organization currently has a policy defined that indicates it should be implementing the defined sub-control.
Control Implemented: This question determines whether or not the organization has currently implemented this sub-control, and to what degree the control has been implemented.
Control Automated: This question determines whether or not the organization has currently automated the implementation of this sub-control, and to what degree the control has been automated.
Control Reported to Business: This question determines whether or not the organization is reporting this sub-control to business representatives, and to what degree the control has been reported.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
CIS Controls Initial Assessment Tool (v8.0a)

ATT&CK Activity | Preventive Capability | Detective Capability
Initial Access | Low | Low
Execution | Low | Low
Persistence | Low | Low
Privilege Escalation | Low | Low
Defense Evasion | Low | Low
Credential Access | Low | Low
Discovery | Low | Low
Lateral Movement | Low | Low
Collection | Low | Low
Command and Control | Low | Low
Exfiltration | Low | Low

Implementation Group Scores
Group #1: 0%
Group #2: 0%
Group #3: 0%
[Chart: Implementation Group Scores, 0% to 100%, one bar each for Group #1, Group #2 and Group #3]

Maturity level | Description | Score
Level One | Policies Complete | 0.00
Level Two | Controls 1-5 Implemented | 0.00
Level Three | All Controls Implemented | 0.00
Level Four | All Controls Automated | 0.00
Level Five | All Controls Reported | 0.00
Maturity Rating*: 0.00
*Rating is on a 0-5 scale.
[Chart: Maturity Level Aggregate Scores, 0.00 to 1.00, one bar each for Policies Complete, Controls 1-5 Implemented, All Controls Implemented, All Controls Automated and All Controls Reported]

Implementation Percentage by Control
CSC #1: 0%
CSC #2: 0%
CSC #3: 0%
CSC #4: 0%
CSC #5: 0%
CSC #6: 0%
CSC #7: 0%
CSC #8: 0%
CSC #9: 0%
CSC #10: 0%
CSC #11: 0%
CSC #12: 0%
CSC #13: 0%
CSC #14: 0%
CSC #15: 0%
CSC #16: 0%
CSC #17: 0%
CSC #18: 0%
[Chart: Implementation Percentage by Control, 0% to 100%, one bar each for CSC #1 through CSC #18]
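The dashboard figures above are produced by the workbook's own formulas, which the page does not show. As an added example (not the workbook's code), the following Python computes the same figures from per-safeguard drop-down answers, using the five CSC #1 safeguards of this workbook with constructed answers. The positive drop-down names ("Policy Defined", "Partially Implemented", "Implemented", "Automated", "Reported"), the 0.5 credit for partial implementation, and the 0-5 rating as the sum of the five maturity level scores are assumptions.

```python
"""Scores the dashboard figures from per-safeguard dropdown answers (added example; the
workbook's own formulas are not on the page, so the weights and rating rule are assumed)."""
from dataclasses import dataclass
from statistics import fmean

# Dropdown values that appear on the page's unassessed sheets.
NO_POLICY, NOT_IMPLEMENTED = "No Policy", "Not Implemented"
NOT_AUTOMATED, NOT_REPORTED, NOT_APPLICABLE = "Not Automated", "Not Reported", "Not Applicable"
# Credit per answer (assumed weights). The positive names "Policy Defined", "Partially
# Implemented", "Implemented", "Automated" and "Reported" are assumed as well.
POLICY_CREDIT = {NO_POLICY: 0.0, "Policy Defined": 1.0}
IMPLEMENTED_CREDIT = {NOT_IMPLEMENTED: 0.0, "Partially Implemented": 0.5, "Implemented": 1.0}
AUTOMATED_CREDIT = {NOT_AUTOMATED: 0.0, "Automated": 1.0}
REPORTED_CREDIT = {NOT_REPORTED: 0.0, "Reported": 1.0}


@dataclass(frozen=True)
class Safeguard:
    """One row of a CSC sheet: ID, implementation groups and the four dropdown answers."""
    id: str
    groups: frozenset
    policy: str
    implemented: str
    automated: str
    reported: str

    @property
    def control(self) -> int:
        return int(self.id.split(".")[0])  # "1.3" belongs to CSC #1


def _credit(value, table):
    """Map a dropdown answer to its credit; None marks a Not Applicable cell."""
    if value == NOT_APPLICABLE:
        return None
    if value not in table:
        raise ValueError(f"unknown dropdown value: {value!r}")
    return table[value]


def _mean(values):
    """Average the applicable cells; an empty selection scores 0 instead of dividing by zero."""
    applicable = [v for v in values if v is not None]
    return fmean(applicable) if applicable else 0.0


def control_implementation(rows, control):
    """'Total Implementation of CSC #n' as 0.0-1.0; Risk Accepted is its complement."""
    return _mean(_credit(s.implemented, IMPLEMENTED_CREDIT) for s in rows if s.control == control)


def group_score(rows, group):
    """'Implementation Group Scores': implementation over the safeguards in that IG."""
    return _mean(_credit(s.implemented, IMPLEMENTED_CREDIT) for s in rows if group in s.groups)


def maturity_levels(rows):
    """The five levels named on the dashboard, each scored 0.0-1.0."""
    def implemented(subset):
        return _mean(_credit(s.implemented, IMPLEMENTED_CREDIT) for s in subset)
    return {
        "Level One (Policies Complete)": _mean(_credit(s.policy, POLICY_CREDIT) for s in rows),
        "Level Two (Controls 1-5 Implemented)": implemented(s for s in rows if s.control <= 5),
        "Level Three (All Controls Implemented)": implemented(rows),
        "Level Four (All Controls Automated)": _mean(_credit(s.automated, AUTOMATED_CREDIT) for s in rows),
        "Level Five (All Controls Reported)": _mean(_credit(s.reported, REPORTED_CREDIT) for s in rows),
    }


def maturity_rating(rows):
    """0-5 'Maturity Rating', assumed here to be the sum of the five level scores."""
    return sum(maturity_levels(rows).values())


def dashboard(rows):
    """Everything the dashboard sheet displays, as fractions (0.5 == 50%)."""
    by_control = {c: control_implementation(rows, c) for c in sorted({s.control for s in rows})}
    return {
        "implementation_by_control": by_control,
        "risk_accepted_by_control": {c: 1.0 - v for c, v in by_control.items()},
        "group_scores": {g: group_score(rows, g) for g in (1, 2, 3)},
        "maturity_levels": maturity_levels(rows),
        "maturity_rating": maturity_rating(rows),
    }


# Constructed sample: the five CSC #1 safeguards of this workbook (IDs, groups and the
# Not Applicable cells are the page's; the answers are made up for illustration).
SAMPLE = [
    Safeguard("1.1", frozenset({1, 2, 3}), "Policy Defined", "Implemented", "Automated", NOT_REPORTED),
    Safeguard("1.2", frozenset({1, 2, 3}), "Policy Defined", "Implemented", NOT_APPLICABLE, NOT_APPLICABLE),
    Safeguard("1.3", frozenset({2, 3}), NO_POLICY, "Partially Implemented", NOT_AUTOMATED, NOT_REPORTED),
    Safeguard("1.4", frozenset({2, 3}), NO_POLICY, NOT_IMPLEMENTED, NOT_AUTOMATED, NOT_REPORTED),
    Safeguard("1.5", frozenset({3}), NO_POLICY, NOT_IMPLEMENTED, NOT_AUTOMATED, NOT_REPORTED),
]


def unassessed(rows):
    """Reset every answer to the page's defaults, keeping the Not Applicable cells."""
    return [Safeguard(s.id, s.groups, NO_POLICY, NOT_IMPLEMENTED,
                      NOT_APPLICABLE if s.automated == NOT_APPLICABLE else NOT_AUTOMATED,
                      NOT_APPLICABLE if s.reported == NOT_APPLICABLE else NOT_REPORTED) for s in rows]


if __name__ == "__main__":
    for label, rows in (("unassessed", unassessed(SAMPLE)), ("sample", SAMPLE)):
        d = dashboard(rows)
        print(f"{label}: CSC #1 {d['implementation_by_control'][1]:.0%}, "
              f"IG {d['group_scores']}, rating {d['maturity_rating']:.2f}")
```

With the constructed answers, CSC #1 scores 50% implemented (Risk Accepted 50%), IG1/IG2/IG3 score 100%/62.5%/50% because the IG1 subset contains only the two fully implemented safeguards, and the unassessed sheet reproduces the 0% and 0.00 values shown on the page.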

CIS Control #1: Inventory and Control of Enterprise Assets

Total Implementation of CSC #1
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

1.1 Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently.
    Identify | 1,2,3 | Asset Inventory and Discovery System | No Policy | Not Implemented | Not Automated | Not Reported

1.2 Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset.
    Respond | 1,2,3 | Asset Inventory and Discovery System | No Policy | Not Implemented | Not Applicable | Not Applicable

1.3 Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.
    Detect | 2,3 | Asset Inventory and Discovery System | No Policy | Not Implemented | Not Automated | Not Reported

1.4 Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently.
    Identify | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

1.5 Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.
    Detect | 3 | Asset Inventory and Discovery System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #2: Inventory and Control of Software Assets

Total Implementation of CSC #2
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

2.1 Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently.
    Identify | 1,2,3 | Software Inventory and Discovery System | No Policy | Not Implemented | Not Applicable | Not Applicable

2.2 Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review software list to verify software support at least monthly, or more frequently.
    Identify | 1,2,3 | Software Inventory and Discovery System | No Policy | Not Implemented | Not Applicable | Not Applicable

2.3 Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently.
    Respond | 1,2,3 | Software Inventory and Discovery System | No Policy | Not Implemented | Not Applicable | Not Applicable

2.4 Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software.
    Detect | 2,3 | Software Inventory and Discovery System | No Policy | Not Implemented | Not Automated | Not Reported

2.5 Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.
    Protect | 2,3 | Application Control System | No Policy | Not Implemented | Not Automated | Not Reported

2.6 Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
    Protect | 2,3 | Application Control System | No Policy | Not Implemented | Not Automated | Not Reported

2.7 Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
    Protect | 3 | Application Control System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #3: Data Protection

Total Implementation of CSC #3
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

3.1 Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Identify | 1,2,3 | Data Inventory System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.2 Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data.
    Identify | 1,2,3 | Data Inventory System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.3 Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.
    Protect | 1,2,3 | Access Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.4 Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines.
    Protect | 1,2,3 | Access Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.5 Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity.
    Protect | 1,2,3 | Physical Security Program | No Policy | Not Implemented | Not Applicable | Not Applicable

3.6 Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.
    Protect | 1,2,3 | Removable Media Protection System | No Policy | Not Implemented | Not Automated | Not Reported

3.7 Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard.
    Identify | 2,3 | Data Inventory System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.8 Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Identify | 2,3 | Data Inventory System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.9 Encrypt data on removable media.
    Protect | 2,3 | Removable Media Protection System | No Policy | Not Implemented | Not Automated | Not Reported

3.10 Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH).
    Protect | 2,3 | Configuration Management System | No Policy | Not Implemented | Not Automated | Not Reported

3.11 Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data.
    Protect | 2,3 | Access Management System | No Policy | Not Implemented | Not Automated | Not Reported

3.12 Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data.
    Protect | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Applicable | Not Applicable

3.13 Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory.
    Protect | 3 | Boundary Filtering System | No Policy | Not Implemented | Not Automated | Not Reported

3.14 Log sensitive data access, including modification and disposal.
    Detect | 3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #4: Secure Configuration of Enterprise Assets and Software

Total Implementation of CSC #4
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

4.1 Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Protect | 1,2,3 | Configuration Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

4.2 Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Protect | 1,2,3 | Network Device Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

4.3 Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes.
    Protect | 1,2,3 | Configuration Management System | No Policy | Not Implemented | Not Automated | Not Reported

4.4 Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent.
    Protect | 1,2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported

4.5 Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
    Protect | 1,2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported

4.6 Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential.
    Protect | 1,2,3 | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported

4.7 Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    Protect | 1,2,3 | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported

4.8 Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function.
    Protect | 2,3 | Configuration Management System | No Policy | Not Implemented | Not Automated | Not Reported

4.9 Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers.
    Protect | 2,3 | Web Filtering System | No Policy | Not Implemented | Not Automated | Not Reported

4.10 Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts.
    Respond | 2,3 | Configuration Management System | No Policy | Not Implemented | Not Automated | Not Reported

4.11 Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise.
    Protect | 2,3 | Physical Security Program | No Policy | Not Implemented | Not Applicable | Not Applicable

4.12 Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data.
    Protect | 3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #5: Account Management

Total Implementation of CSC #5
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

5.1 Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
    Identify | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

5.2 Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA.
    Protect | 1,2,3 | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported

5.3 Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
    Respond | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

5.4 Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
    Protect | 1,2,3 | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported

5.5 Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
    Identify | 2,3 | Privileged Account Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

5.6 Centralize account management through a directory or identity service.
    Protect | 2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #6: Access Control Management

Total Implementation of CSC #6
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

6.1 Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
    Protect | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.2 Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
    Protect | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.3 Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.
    Protect | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.4 Require MFA for remote network access.
    Protect | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.5 Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.
    Protect | 1,2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.6 Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
    Identify | 2,3 | Identity Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

6.7 Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
    Protect | 2,3 | Identity Management System | No Policy | Not Implemented | Not Automated | Not Reported

6.8 Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
    Protect | 3 | Access Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #7: Continuous Vulnerability Management

Total Implementation of CSC #7
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

7.1 Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Protect | 1,2,3 | Vulnerability Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

7.2 Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    Respond | 1,2,3 | Vulnerability Management System | No Policy | Not Implemented | Not Applicable | Not Applicable

7.3 Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    Protect | 1,2,3 | Patch Management System | No Policy | Not Implemented | Not Automated | Not Reported

7.4 Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    Protect | 1,2,3 | Patch Management System | No Policy | Not Implemented | Not Automated | Not Reported

7.5 Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    Identify | 2,3 | Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported

7.6 Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
    Identify | 2,3 | Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported

7.7 Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    Respond | 2,3 | Vulnerability Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #8: Audit Log Management

Total Implementation of CSC #8
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail
    NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business

8.1 Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    Protect | 1,2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.2 Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.
    Detect | 1,2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.3 Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
    Protect | 1,2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.4 Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
    Protect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.5 Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.6 Collect DNS query audit logs on enterprise assets, where appropriate and supported.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.7 Collect URL request audit logs on enterprise assets, where appropriate and supported.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.8 Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.9 Centralize, to the extent possible, audit log collection and retention across enterprise assets.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.10 Retain audit logs across enterprise assets for a minimum of 90 days.
    Protect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.11 Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
    Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

8.12 Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
    Detect | 3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #9: Email and Web Browser Protections

Total Implementation of CSC #9


Risk Addressed: 0%

Risk Accepted: 100%

Implementation Control Automated or


ID CIS Control Detail NIST CSF Groups Sensor or Baseline Policy Defined Control Implemented Technically Enforced Control Reported to Business

9.1 | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. | Protect | 1,2,3 | Application Control System | No Policy | Not Implemented | Not Automated | Not Reported
9.2 | Use DNS filtering services on all enterprise assets to block access to known malicious domains. | Protect | 1,2,3 | Web Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
9.3 | Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | Protect | 2,3 | Web Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
9.4 | Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. | Protect | 2,3 | Application Control System | No Policy | Not Implemented | Not Automated | Not Reported
9.5 | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | Protect | 2,3 | Email Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
9.6 | Block unnecessary file types attempting to enter the enterprise’s email gateway. | Protect | 2,3 | Email Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
9.7 | Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. | Protect | 3 | Email Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
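Safeguard 9.5 names three DNS-published mechanisms, but what actually stops spoofing is the policy each record carries, and a record can be present yet toothless (an SPF record ending in +all, a DMARC record with p=none). The checker below is an added example written for this page, not part of the CIS tool or of any vendor product. It takes already-fetched TXT records for three hypothetical domains (the domain names, records and selector lists are constructed) and grades them the way an assessor would when deciding whether this Safeguard is really implemented rather than merely present.

```python
import re

# Constructed TXT records for hypothetical domains. No DNS lookups are made;
# an assessor would fetch the real records (e.g. dig TXT _dmarc.example.com).
SAMPLE_RECORDS = {
    "example.invalid": {
        "spf": "v=spf1 include:_spf.mail.invalid ip4:203.0.113.0/24 ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid; pct=100",
        "dkim_selectors": ["s1"]},
    "hardened.invalid": {
        "spf": "v=spf1 include:_spf.mail.invalid -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@hardened.invalid; pct=100",
        "dkim_selectors": ["s1", "s2"]},
    "weak.invalid": {"spf": "v=spf1 a mx +all", "dmarc": None, "dkim_selectors": []},
}

# SPF terms that cost a DNS query; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the terms after the version tag, or None if this is not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def parse_dmarc(record):
    """Turn 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    terms = parse_spf(record) if record else None
    if terms is None:
        return [("fail", "SPF: no v=spf1 record published")]
    findings, lookups, terminal = [], 0, None
    for term in terms:
        # drop the qualifier (+ - ~ ?) and the argument to get the mechanism name
        name = re.sub(r"^[+\-~?]", "", term).split(":", 1)[0].split("=", 1)[0].lower()
        lookups += name in SPF_LOOKUP_TERMS
        if name == "ptr":
            findings.append(("warn", "SPF: 'ptr' mechanism is deprecated by RFC 7208"))
        if name == "all":
            terminal = term
    if lookups > 10:
        findings.append(("fail", f"SPF: {lookups} DNS-querying terms; over 10 receivers return permerror"))
    if terminal is None or terminal in ("all", "+all", "?all"):
        findings.append(("fail", f"SPF: terminal mechanism {terminal!r} lets any sender pass"))
    elif terminal == "~all":
        findings.append(("warn", "SPF: '~all' soft-fails; receivers may still deliver spoofed mail"))
    return findings


def check_dmarc(record, dkim_selectors):
    findings = []
    if not dkim_selectors:
        findings.append(("fail", "DKIM: no selector published; DMARC can only align on SPF"))
    if not record:
        return findings + [("fail", "DMARC: no _dmarc TXT record")]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return findings + [("fail", "DMARC: record does not start with v=DMARC1")]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("warn", "DMARC: p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("fail", f"DMARC: missing or invalid policy p={policy!r}"))
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append(("warn", "DMARC: sp=none leaves subdomains unprotected"))
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(("warn", f"DMARC: pct={pct} enforces the policy on only part of the mail"))
    if "rua" not in tags:
        findings.append(("warn", "DMARC: no rua= address, so aggregate reports never arrive"))
    return findings


def assess_domain(domain, rec):
    """All findings for one domain as (severity, message) pairs."""
    findings = check_spf(rec.get("spf")) + check_dmarc(rec.get("dmarc"), rec.get("dkim_selectors", []))
    return [(sev, f"{domain}: {msg}") for sev, msg in findings]


def overall(findings):
    """Worst severity wins: fail > warn > pass."""
    severities = {sev for sev, _ in findings}
    return "fail" if "fail" in severities else "warn" if "warn" in severities else "pass"


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        findings = assess_domain(domain, rec)
        print(domain, overall(findings), *[f"\n  [{s}] {m}" for s, m in findings])
```

With these records hardened.invalid passes, example.invalid warns (soft-fail SPF and a monitor-only DMARC policy), and weak.invalid fails on all three mechanisms. The 10-lookup check matters in practice: an SPF record that includes too many third-party senders evaluates to permerror, which DMARC treats as an SPF failure.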

CIS Control #10: Malware Defenses

Total Implementation of CSC #10
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
10.1 | Deploy and maintain anti-malware software on all enterprise assets. | Protect | 1,2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
10.2 | Configure automatic updates for anti-malware signature files on all enterprise assets. | Protect | 1,2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
10.3 | Disable autorun and autoplay auto-execute functionality for removable media. | Protect | 1,2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
10.4 | Configure anti-malware software to automatically scan removable media. | Detect | 2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
10.5 | Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. | Protect | 2,3 | Configuration Management System | No Policy | Not Implemented | Not Automated | Not Reported
10.6 | Centrally manage anti-malware software. | Protect | 2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
10.7 | Use behavior-based anti-malware software. | Detect | 2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #11: Data Recovery

Total Implementation of CSC #11
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
11.1 | Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Recover | 1,2,3 | Backup and Recovery System | No Policy | Not Implemented | Not Applicable | Not Applicable
11.2 | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. | Recover | 1,2,3 | Backup and Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
11.3 | Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. | Protect | 1,2,3 | Backup and Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
11.4 | Establish and maintain an isolated instance of recovery data. Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services. | Recover | 1,2,3 | Backup and Recovery System | No Policy | Not Implemented | Not Automated | Not Reported
11.5 | Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets. | Recover | 2,3 | Backup and Recovery System | No Policy | Not Implemented | Not Automated | Not Reported

CIS Control #12: Network Infrastructure Management

Total Implementation of CSC #12
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
12.1 | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. | Protect | 1,2,3 | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
12.2 | Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. | Protect | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Applicable | Not Applicable
12.3 | Securely manage network infrastructure. Example implementations include version-controlled infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS. | Protect | 2,3 | Network Device Management System | No Policy | Not Implemented | Not Automated | Not Reported
12.4 | Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Identify | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Applicable | Not Applicable
12.5 | Centralize network AAA. | Protect | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.6 | Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or greater). | Protect | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Automated | Not Reported
12.7 | Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices. | Protect | 2,3 | Remote Access System | No Policy | Not Implemented | Not Automated | Not Reported
12.8 | Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access. | Protect | 3 | Privileged Account Management System | No Policy | Not Implemented | Not Automated | Not Reported
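Safeguards 12.3, 12.5 and 12.6 are the ones an assessor can verify directly from a device configuration rather than from a policy document. Below is an added example, written for this page and not part of the CIS tool, that audits a constructed Cisco IOS-style configuration for the clear-text management paths those Safeguards rule out: HTTP management, telnet on the VTY lines, SNMPv1/v2c community strings and reversible enable passwords, plus the absence of centralized AAA. The hostname, secrets and community strings are invented; the command syntax is the standard IOS form, and the patterns would need adapting for other vendors. A weak and a hardened configuration are included side by side so the difference in findings is visible.

```python
# Constructed Cisco IOS-style configurations for a hypothetical device; the
# hostname, secrets and community strings are invented. The command syntax is
# standard IOS; other vendors need their own patterns.
WEAK_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
no service password-encryption
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

HARDENED_CONFIG = """\
hostname edge-rtr-1
enable secret 9 $9$examplehashvalue
service password-encryption
no ip http server
ip http secure-server
ip ssh version 2
aaa new-model
aaa authentication login default group tacacs+ local
snmp-server group admins v3 priv
line vty 0 4
 transport input ssh
 login authentication default
"""

CLEAR_TEXT_TRANSPORTS = {"telnet", "rlogin", "all"}


def parse_config(text):
    """Yield (line_no, section, line); `section` is the enclosing unindented
    command (e.g. 'line vty 0 4') so rules can tell which block a line is in."""
    section = ""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):
            section = line.strip()
        yield no, section, line.strip()


def audit_config(text):
    """Return (severity, line_no, message) findings; line_no 0 means 'missing'."""
    findings, seen = [], set()
    for no, section, line in parse_config(text):
        seen.add(line)
        if line == "ip http server":
            findings.append(("fail", no, "clear-text HTTP management enabled; keep only 'ip http secure-server'"))
        elif line.startswith("snmp-server community"):
            findings.append(("fail", no, "SNMPv1/v2c community string; authenticates with a clear-text secret"))
        elif line.startswith("enable password"):
            findings.append(("fail", no, "'enable password' is reversible; use 'enable secret'"))
        elif line == "no service password-encryption":
            findings.append(("warn", no, "line and local passwords are stored in clear text"))
        elif line.startswith("transport input") and section.startswith("line"):
            methods = set(line.split()[2:])
            if methods & CLEAR_TEXT_TRANSPORTS:
                findings.append(("fail", no, f"{section}: clear-text remote management allowed ({' '.join(sorted(methods))})"))
    if "aaa new-model" not in seen:
        findings.append(("warn", 0, "AAA not enabled, so authentication is not centralized (Safeguard 12.5)"))
    ssh_allowed = any("ssh" in l.split() for l in seen if l.startswith("transport input"))
    if ssh_allowed and "ip ssh version 2" not in seen:
        findings.append(("warn", 0, "SSH allowed but protocol version not pinned with 'ip ssh version 2'"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_config(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for sev, no, msg in findings:
            print(f"  [{sev}] line {no}: {msg}")
```

The weak configuration yields five failures and three warnings; the hardened one yields none. Running a check like this against every exported configuration in version control is what turns 12.3 from a policy statement into something technically enforced.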

CIS Control #13: Network Monitoring and Defense

Total Implementation of CSC #13
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
13.1 | Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. | Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported
13.2 | Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported. | Detect | 2,3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
13.3 | Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service. | Detect | 2,3 | Boundary Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
13.4 | Perform traffic filtering between network segments, where appropriate. | Protect | 2,3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Automated | Not Reported
13.5 | Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise’s secure configuration process, and ensuring the operating system and applications are up-to-date. | Protect | 2,3 | Remote Access System | No Policy | Not Implemented | Not Automated | Not Reported
13.6 | Collect network traffic flow logs and/or network traffic to review and alert upon from network devices. | Detect | 2,3 | Log Management System | No Policy | Not Implemented | Not Automated | Not Reported
13.7 | Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent. | Protect | 3 | Endpoint Protection System | No Policy | Not Implemented | Not Automated | Not Reported
13.8 | Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. | Protect | 3 | Boundary Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
13.9 | Deploy port-level access control. Port-level access control utilizes 802.1X, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication. | Protect | 3 | Network Segmentation and Control System | No Policy | Not Implemented | Not Automated | Not Reported
13.10 | Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway. | Protect | 3 | Boundary Filtering System | No Policy | Not Implemented | Not Automated | Not Reported
13.11 | Tune security event alerting thresholds monthly, or more frequently. | Detect | 3 | Log Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
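Safeguard 13.1 is satisfied by a SIEM, but the value comes from correlation rules that join events from more than one source, and 13.11 says those rules need periodic tuning. The Python below is an added example for this page, not a vendor rule and not CIS content. It normalizes constructed VPN and Windows logon events (usernames, addresses and timestamps are made up) into one outcome vocabulary, then flags a source address and user that accumulate failures within a window and then succeed. The threshold and window arguments are the knobs 13.11 is about, and the usage note shows how moving them changes what fires.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events from two sources with different vocabularies: a VPN
# concentrator and Windows logon auditing. Usernames and addresses are made up.
# Format: <timestamp> <source> <event> <user> <source_ip>
SAMPLE_EVENTS = """\
2024-01-10T08:00:01Z vpn LOGIN_FAIL alice 198.51.100.7
2024-01-10T08:00:05Z vpn LOGIN_FAIL alice 198.51.100.7
2024-01-10T08:00:09Z vpn LOGIN_FAIL alice 198.51.100.7
2024-01-10T08:00:14Z vpn LOGIN_OK   alice 198.51.100.7
2024-01-10T09:12:00Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:02Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:04Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:06Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:08Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:10Z win LOGON_FAIL admin 203.0.113.9
2024-01-10T09:12:20Z win LOGON_OK   admin 203.0.113.9
2024-01-10T10:00:00Z vpn LOGIN_FAIL bob   192.0.2.5
2024-01-10T11:30:00Z vpn LOGIN_OK   bob   192.0.2.5
"""

# Normalisation: each source's event names map onto one shared outcome
# vocabulary, which is what makes cross-source correlation possible.
OUTCOME = {"LOGIN_FAIL": "fail", "LOGON_FAIL": "fail",
           "LOGIN_OK": "success", "LOGON_OK": "success"}


def parse_events(text):
    """Parse the constructed format into dicts carrying a real datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event, user, ip = line.split()
        yield {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               "source": source, "outcome": OUTCOME[event], "user": user, "ip": ip}


def correlate_auth_events(text, threshold=5, window=timedelta(minutes=10)):
    """Alert when a (source_ip, user) pair accumulates at least `threshold`
    failures inside `window` and then logs on successfully. `threshold` and
    `window` are the tuning parameters Safeguard 13.11 refers to."""
    recent_failures = defaultdict(deque)
    alerts = []
    for ev in sorted(parse_events(text), key=lambda e: e["ts"]):
        queue = recent_failures[(ev["ip"], ev["user"])]
        while queue and ev["ts"] - queue[0] > window:   # forget failures outside the window
            queue.popleft()
        if ev["outcome"] == "fail":
            queue.append(ev["ts"])
            continue
        if len(queue) >= threshold:
            alerts.append({"user": ev["user"], "ip": ev["ip"], "source": ev["source"],
                           "failures": len(queue), "success_at": ev["ts"].isoformat()})
        queue.clear()   # a success ends the sequence either way
    return alerts


if __name__ == "__main__":
    for threshold in (5, 3):
        print(f"threshold={threshold}:")
        for a in correlate_auth_events(SAMPLE_EVENTS, threshold=threshold):
            print(f"  {a['user']}@{a['ip']} via {a['source']}: "
                  f"{a['failures']} failures then success at {a['success_at']}")
```

At threshold 5 only the admin sequence fires; at 3, alice's three VPN failures fire as well; bob's single failure never does with the default window, because his success arrives 90 minutes later, and only fires if the window is widened to cover it. That is exactly the trade-off a monthly tuning review weighs: lower thresholds and wider windows catch slower attacks at the cost of more noise.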

CIS Control #14: Security Awareness and Skills Training

Total Implementation of CSC #14
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
14.1 | Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.2 | Train workforce members to recognize social engineering attacks, such as phishing, pretexting, and tailgating. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.3 | Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.4 | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.5 | Train workforce members to be aware of causes for unintentional data exposure. Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.6 | Train workforce members to be able to recognize a potential incident and be able to report such an incident. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.7 | Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.8 | Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure. | Protect | 1,2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
14.9 | Conduct role-specific security awareness and skills training. Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles. | Protect | 2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #15: Service Provider Management

Total Implementation of CSC #15
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
15.1 | Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. | Identify | 1,2,3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.2 | Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard. | Identify | 2,3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.3 | Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard. | Identify | 2,3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.4 | Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise’s service provider management policy. Review service provider contracts annually to ensure contracts are not missing security requirements. | Protect | 2,3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.5 | Assess service providers consistent with the enterprise’s service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed contracts. | Identify | 3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.6 | Monitor service providers consistent with the enterprise’s service provider management policy. Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring. | Detect | 3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
15.7 | Securely decommission service providers. Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems. | Protect | 3 | Third Party Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #16: Application Software Security

Total Implementation of CSC #16
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
16.1 | Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.2 | Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. As part of the process, use a vulnerability tracking system that includes severity ratings, and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.3 | Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.4 | Establish and manage an updated inventory of third-party components used in development, often referred to as a “bill of materials,” as well as components slated for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.5 | Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before use. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.6 | Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. Review and update the system and process annually. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.7 | Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do not allow in-house developed software to weaken configuration hardening. | Protect | 2,3 | Configuration Management System | No Policy | Not Implemented | Not Applicable | Not Applicable
16.8 | Maintain separate environments for production and non-production systems. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.9 | Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers. | Protect | 2,3 | Education and Awareness Program | No Policy | Not Implemented | Not Applicable | Not Applicable
16.10 | Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of "never trust user input." Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.11 | Leverage vetted modules or services for application security components, such as identity management, encryption, and auditing and logging. Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs. | Protect | 2,3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
16.12 | Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed. | Protect | 3 | Static Code Analysis System | No Policy | Not Implemented | Not Automated | Not Reported
16.13 | Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. | Protect | 3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
16.14 | Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses. | Protect | 3 | Software Development Standards | No Policy | Not Implemented | Not Applicable | Not Applicable
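Safeguard 16.10 is concrete enough to show in code: explicit checks for size, data type and acceptable ranges or formats on every input. The example below is added for this page and is not CIS material. It is a hypothetical "transfer" request handler written twice, once trusting its input and once validating every field before use and refusing fields the schema does not know. The identifier format, amount ceiling and memo length are assumptions chosen for the example.

```python
import re
from decimal import Decimal

# Validation policy for a hypothetical "transfer" endpoint. The identifier
# format, amount ceiling and memo length are assumptions made for the example.
ACCOUNT_RE = re.compile(r"[A-Z]{2}\d{10}")
AMOUNT_RE = re.compile(r"\d{1,7}(?:\.\d{2})?")      # no sign, no exponent, two decimals
MAX_AMOUNT = Decimal("10000.00")
MAX_MEMO_LEN = 140
ALLOWED_FIELDS = {"from_account", "to_account", "amount", "memo"}


def transfer_unchecked(req):
    """'Before': the handler trusts its input. A negative or non-numeric amount,
    a malformed account id, an oversized memo or an extra privilege flag all
    flow straight into business logic."""
    return {"from": req["from_account"], "to": req["to_account"],
            "amount": req["amount"], "memo": req.get("memo", "")}


def validation_errors(req):
    """'After': check every field for type, size, format and range before use,
    reject fields the schema does not know, and report all problems at once."""
    if not isinstance(req, dict):
        return ["request body must be a JSON object"]
    errors = []
    unknown = sorted(set(req) - ALLOWED_FIELDS)
    if unknown:
        errors.append(f"unexpected fields: {unknown}")
    for field in ("from_account", "to_account"):
        value = req.get(field)
        if not isinstance(value, str) or not ACCOUNT_RE.fullmatch(value):
            errors.append(f"{field}: must be two letters followed by ten digits")
    if req.get("from_account") is not None and req.get("from_account") == req.get("to_account"):
        errors.append("to_account: must differ from from_account")
    amount = req.get("amount")
    if not isinstance(amount, str) or not AMOUNT_RE.fullmatch(amount):
        errors.append("amount: must be a decimal string such as '12.50'")
    elif not Decimal("0.01") <= Decimal(amount) <= MAX_AMOUNT:
        errors.append(f"amount: must be between 0.01 and {MAX_AMOUNT}")
    memo = req.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: must be a string")
    elif len(memo) > MAX_MEMO_LEN:
        errors.append(f"memo: longer than {MAX_MEMO_LEN} characters")
    elif not memo.isprintable():
        errors.append("memo: control characters are not allowed")
    return errors


def validate_transfer(req):
    """Return a normalised transfer, or raise ValueError carrying every finding."""
    errors = validation_errors(req)
    if errors:
        raise ValueError(errors)
    return {"from": req["from_account"], "to": req["to_account"],
            "amount": Decimal(req["amount"]), "memo": req.get("memo", "")}


if __name__ == "__main__":
    bad = {"from_account": "GB1234567890", "to_account": "GB1234567890",
           "amount": "-5.00", "memo": "x" * 200, "is_admin": True}
    print("unchecked:", transfer_unchecked(bad))
    print("validated:", validation_errors(bad))
```

Two design points are worth noting: the amount is accepted only as a decimal string and converted with Decimal, so float rounding never enters a money path, and every check is a positive allow-list (what a valid value looks like) rather than a deny-list of known-bad inputs, which is what "never trust user input" means in practice.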

CIS Control #17: Incident Response Management

Total Implementation of CSC #17
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
17.1 | Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Respond | 1,2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.2 | Establish and maintain contact information for parties that need to be informed of security incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date. | Respond | 1,2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.3 | Establish and maintain an enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Respond | 1,2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.4 | Establish and maintain an incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Respond | 2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.5 | Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Respond | 2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.6 | Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Respond | 2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.7 | Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision-making, and workflows. Conduct testing on an annual basis, at a minimum. | Recover | 2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.8 | Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action. | Recover | 2,3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
17.9 | Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when significant enterprise changes occur that could impact this Safeguard. | Recover | 3 | Incident Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable

CIS Control #18: Penetration Testing

Total Implementation of CSC #18
Risk Addressed: 0%
Risk Accepted: 100%

ID | CIS Control Detail | NIST CSF | Implementation Groups | Sensor or Baseline | Policy Defined | Control Implemented | Control Automated or Technically Enforced | Control Reported to Business
18.1 | Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. | Identify | 2,3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
18.2 | Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box. | Identify | 2,3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
18.3 | Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. | Protect | 2,3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
18.4 | Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing. | Protect | 3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable
18.5 | Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may be clear box or opaque box. | Identify | 3 | Audit Management Program | No Policy | Not Implemented | Not Applicable | Not Applicable

DO NOT CHANGE THESE VALUES

Policy Status
No Policy
Informal Policy
Partial Written Policy
Written Policy
Approved Written Policy

Implementation Status
Not Implemented
Parts of Policy Implemented
Implemented on Some Systems
Implemented on Most Systems
Implemented on All Systems

Automation Status
Not Automated
Parts of Policy Automated
Automated on Some Systems
Automated on Most Systems
Automated on All Systems

Reporting Status
Not Reported
Parts of Policy Reported
Reported on Some Systems
Reported on Most Systems
Reported on All Systems
