This document contains mappings of the CIS Critical Security Controls (CIS Controls) and CIS Safeguards t

Cloud Controls Matrix (CCM) v4

Last updated January 2023

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
[email protected]

Editors
Thomas Sager

Contributors
The Cloud Security Alliance team and volunteers
License for Use

This work is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Publi
https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy a
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit
you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing th
subject to the prior approval of CIS® (Center for Internet Security, Inc.).
atives 4.0 International Public License (the link can be found at

you are authorized to copy and redistribute the content as a framework for use by you, within your
ed that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if
materials. Users of the CIS Controls framework are also required to refer to
e that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is
Mapping Methodology
Mapping Methodology

This page describes the methodology used to map the CIS Critical Security Controls to the Cloud Security
Reference link for : CSA CCM v4
https://cloudsecurityalliance.org/research/cloud-controls-matrix/

The methodology used to create the mapping can be useful to anyone attempting to understand the relatio
Mappings are available from a variety of sources online, and different individuals will make their own decis
The overall goal for CIS mappings is to be as specific as possible, leaning towards under-mapping versus
It is not enough for two Controls to be related, it must be clear that implementing one Control will contribute
The general strategy used is to identify all of the aspects within a Control and attempt to discern if both item

CIS Control 10.1

Ensure that all system data is automatically backed up on a regular basis.

For a defensive mitigation to map to this CIS Sub-Control it must have the following features:
• Be able to back up information.
• The backed up information must be system data.
• Automated tools must be used to perform the back up.
• The back ups must occur on a regular basis, meaning a time component must be involved.

If the two concepts are effectively equal, they are mapped with the relationship "equivalent". If they are not
The relationships can be further analyzed to understand how similar or different the two defensive mitigatio
The relationship column will contain one of four possible values:
• Equivalent: The defensive mitigation contains the exact same security concept as the CIS Control.
• Superset: The CIS Control is partially or mostly related to the defensive mitigation in question, but the CIS
• Subset: The CIS Safeguard is partially or mostly related, yet is still subsumed within the defensive mitigat
• No relationship: This will be represented by a blank cell.

The relationships should be read from left to right, like a sentence. CIS Sub-Control X is Equal to this < > .
Examples:
CIS Safeguard 16.8 "Separate Production and Non-Production Systems" is EQUIVALENT to NIST CSF PR
CIS Safeguard 3.5 "Securely Dispose of Data" is a SUBSET of NIST CSF PR.DS-3 "Assets are formally m

Many of the < > contain what could be considered multiple CIS Sub-Controls within the same line item, me
Finally, these relationships can also be read in a machine readable manner, for instance to graph relations

If you have comments, questions, or would like to report an error, please join the CIS Controls Mappings c
https://workbench.cisecurity.org/communities/94
 CIS CIS Security
Asset Type Title
Control Safeguard Function
1 Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct)
network devices; non-computing/Internet of Th
virtually, remotely, and those within cloud envi
monitored and protected within the enterprise.
remove or remediate.

Establish and Maintain Detailed

1 1.1 Devices Identify
Enterprise Asset Inventory

1 1.2 Devices Respond Address Unauthorized Assets

1 1.3 Devices Detect Utilize an Active Discovery Tool

Use Dynamic Host Configuration

1 1.4 Devices Identify Protocol (DHCP) Logging to
Update Enterprise Asset Inventory

Use a Passive Asset Discovery

1 1.5 Devices Detect
Tool

2 Inventory and Control of Software Assets

Actively manage (inventory, track, and correct)

only authorized software is installed and can ex
prevented from installation or execution.

Establish and Maintain a Software

2 2.1 Applications Identify
Inventory
 Ensure Authorized Software is
2 2.2 Applications Identify
Currently Supported

2 2.3 Applications Respond Address Unauthorized Software

Utilize Automated Software

2 2.4 Applications Detect
Inventory Tools

2 2.5 Applications Protect Allowlist Authorized Software

2 2.6 Applications Protect Allowlist Authorized Libraries

2 2.7 Applications Protect Allowlist Authorized Scripts

3 Data Protection

Develop processes and technical controls to id

Establish and Maintain a Data

3 3.1 Data Identify
Management Process

Establish and Maintain a Data

3 3.2 Data Identify
Inventory

Configure Data Access Control

3 3.3 Data Protect
Lists

3 3.4 Data Protect Enforce Data Retention

3 3.5 Data Protect Securely Dispose of Data

3 3.6 Devices Protect Encrypt Data on End-User Devices

Establish and Maintain a Data

3 3.7 Data Identify
Classification Scheme

3 3.8 Data Identify Document Data Flows

3 3.9 Data Protect Encrypt Data on Removable Media

3 3.10 Data Protect Encrypt Sensitive Data in Transit

3 3.11 Data Protect Encrypt Sensitive Data At Rest

Segment Data Processing and

3 3.12 Network Protect
Storage Based on Sensitivity

Deploy a Data Loss Prevention

3 3.13 Data Protect
Solution

3 3.14 Data Detect Log Sensitive Data Access

4 Secure Configuration of Enterprise Assets and

Establish and maintain the secure configuratio

network devices; non-computing/IoT devices; a

Establish and Maintain a Secure

4 4.1 Applications Protect
Configuration Process
 Establish and Maintain a Secure
4 4.2 Network Protect Configuration Process for Network
Infrastructure

Configure Automatic Session

4 4.3 Users Protect
Locking on Enterprise Assets

Implement and Manage a Firewall

4 4.4 Devices Protect
on Servers

Implement and Manage a Firewall

4 4.5 Devices Protect
on End-User Devices

Securely Manage Enterprise

4 4.6 Network Protect
Assets and Software

Manage Default Accounts on

4 4.7 Users Protect
Enterprise Assets and Software

Uninstall or Disable Unnecessary

4 4.8 Devices Protect Services on Enterprise Assets and
Software

Configure Trusted DNS Servers on

4 4.9 Devices Protect
Enterprise Assets

Enforce Automatic Device Lockout

4 4.10 Devices Respond
on Portable End-User Devices

Enforce Remote Wipe Capability

4 4.11 Devices Protect
on Portable End-User Devices

Separate Enterprise Workspaces

4 4.12 Devices Protect
on Mobile End-User Devices

5 Account Management

Use processes and tools to assign and manage

accounts, as well as service accounts, to enter

Establish and Maintain an

5 5.1 Users Identify
 Establish and Maintain an
5 5.1 Users Identify
Inventory of Accounts

5 5.2 Users Protect Use Unique Passwords

5 5.3 Users Respond Disable Dormant Accounts

Restrict Administrator Privileges to

5 5.4 Users Protect
Dedicated Administrator Accounts

Establish and Maintain an

5 5.5 Users Identify
Inventory of Service Accounts

5 5.6 Users Protect Centralize Account Management

6 Access Control Management

The processes and tools used to create, assign

administrator, and service accounts for enterpr

Establish an Access Granting

6 6.1 Users Protect
Process

Establish an Access Revoking

6 6.2 Users Protect
Process
 Establish an Access Revoking
6 6.2 Users Protect
Process

Require MFA for Externally-

6 6.3 Users Protect
Exposed Applications

Require MFA for Remote Network

6 6.4 Users Protect
Access

Require MFA for Administrative

6 6.5 Users Protect
Access

Establish and Maintain an

6 6.6 Users Identify Inventory of Authentication and
Authorization Systems

6 6.7 Users Protect Centralize Access Control

Define and Maintain Role-Based

6 6.8 Data Protect
Access Control

7 Continuous Vulnerability Management

Develop a plan to continuously assess and trac
infrastructure, in order to remediate, and minim
industry sources for new threat and vulnerabili
 Establish and Maintain a
7 7.1 Applications Protect
Vulnerability Management Process

Establish and Maintain a

7 7.2 Applications Respond
Remediation Process

Perform Automated Operating

7 7.3 Applications Protect
System Patch Management

Perform Automated Application

7 7.4 Applications Protect
Patch Management

Perform Automated Vulnerability

7 7.5 Applications Identify Scans of Internal Enterprise
Assets
Perform Automated Vulnerability
7 7.6 Applications Identify Scans of Externally-Exposed
Enterprise Assets

7 7.7 Applications Respond Remediate Detected Vulnerabilities

8 Audit Log Management

Collect, alert, review, and retain audit logs of ev

Establish and Maintain an Audit

8 8.1 Network Protect
Log Management Process
 Establish and Maintain an Audit
8 8.1 Network Protect
Log Management Process

8 8.2 Network Detect Collect Audit Logs

Ensure Adequate Audit Log

8 8.3 Network Protect
Storage

8 8.4 Network Protect Standardize Time Synchronization

8 8.5 Network Detect Collect Detailed Audit Logs

8 8.6 Network Detect Collect DNS Query Audit Logs

8 8.7 Network Detect Collect URL Request Audit Logs

8 8.8 Devices Detect Collect Command-Line Audit Logs

8 8.9 Network Detect Centralize Audit Logs

8 8.10 Network Protect Retain Audit Logs

8 8.11 Network Detect Conduct Audit Log Reviews

8 8.12 Data Detect Collect Service Provider Logs

9 Email and Web Browser Protections

 Improve protections and detections of threats f
manipulate human behavior through direct eng

Ensure Use of Only Fully

9 9.1 Applications Protect Supported Browsers and Email
Clients

9 9.2 Network Protect Use DNS Filtering Services

Maintain and Enforce Network-

9 9.3 Network Protect
Based URL Filters

Restrict Unnecessary or
9 9.4 Applications Protect Unauthorized Browser and Email
Client Extensions

9 9.5 Network Protect Implement DMARC

9 9.6 Network Protect Block Unnecessary File Types

Deploy and Maintain Email Server

9 9.7 Network Protect
Anti-Malware Protections

10 Malware Defenses

Prevent or control the installation, spread, and

Deploy and Maintain Anti-Malware

10 10.1 Devices Protect
Software

Configure Automatic Anti-Malware

10 10.2 Devices Protect
Signature Updates

Disable Autorun and Autoplay for

10 10.3 Devices Protect
Removable Media

Configure Automatic Anti-Malware

10 10.4 Devices Detect
Scanning of Removable Media

10 10.5 Devices Protect Enable Anti-Exploitation Features

Centrally Manage Anti-Malware

10 10.6 Devices Protect
Software
 Use Behavior-Based Anti-Malware
10 10.7 Devices Detect
Software
11 Data Recovery
Establish and maintain data recovery practices
trusted state.

Establish and Maintain a Data

11 11.1 Data Recover
Recovery Process

11 11.2 Data Recover Perform Automated Backups

11 11.3 Data Protect Protect Recovery Data

Establish and Maintain an Isolated

11 11.4 Data Recover
Instance of Recovery Data

11 11.5 Data Recover Test Data Recovery

Network Infrastructure
12
Management

Establish, implement, and actively manage (tra

exploiting vulnerable network services and acc

Ensure Network Infrastructure is

12 12.1 Network Protect
Up-to-Date

Establish and Maintain a Secure

12 12.2 Network Protect
Network Architecture

Securely Manage Network

12 12.3 Network Protect
Infrastructure

Establish and Maintain

12 12.4 Network Identify
Architecture Diagram(s)
 Centralize Network Authentication,
12 12.5 Network Protect
Authorization, and Auditing (AAA)

Use of Secure Network

12 12.6 Network Protect Management and Communication
Protocols

Ensure Remote Devices Utilize a

12 12.7 Devices Protect VPN and are Connecting to an
Enterprise’s AAA Infrastructure

Establish and Maintain Dedicated

12 12.8 Devices Protect Computing Resources for All
Administrative Work

Network Monitoring and

13
Defense

Operate processes and tooling to establish and

security threats across the enterprise’s networ

13 13.1 Network Detect Centralize Security Event Alerting

Deploy a Host-Based Intrusion

13 13.2 Devices Detect
Detection Solution

Deploy a Network Intrusion

13 13.3 Network Detect
Detection Solution
 Perform Traffic Filtering Between
13 13.4 Network Protect
Network Segments

Manage Access Control for

13 13.5 Devices Protect
Remote Assets

13 13.6 Network Detect Collect Network Traffic Flow Logs

Deploy a Host-Based Intrusion

13 13.7 Devices Protect
Prevention Solution

Deploy a Network Intrusion

13 13.8 Network Protect
Prevention Solution

13 13.9 Devices Protect Deploy Port-Level Access Control

13 13.10 Network Protect Perform Application Layer Filtering

Tune Security Event Alerting

13 13.11 Network Detect
Thresholds
14 Security Awareness and Skills Training
Establish and maintain a security awareness pr
conscious and properly skilled to reduce cyber

Establish and Maintain a Security

14 14.1 N/A Protect
Awareness Program

Train Workforce Members to

14 14.2 N/A Protect Recognize Social Engineering
Attacks
 Train Workforce Members on
14 14.3 N/A Protect
Authentication Best Practices

Train Workforce on Data Handling

14 14.4 N/A Protect
Best Practices

Train Workforce Members on

14 14.5 N/A Protect Causes of Unintentional Data
Exposure

Train Workforce Members on

14 14.6 N/A Protect Recognizing and Reporting
Security Incidents

Train Workforce on How to Identify

and Report if Their Enterprise
14 14.7 N/A Protect
Assets are Missing Security
Updates

Train Workforce on the Dangers of

Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks
 Train Workforce on the Dangers of
Connecting to and Transmitting
14 14.8 N/A Protect
Enterprise Data Over Insecure
Networks

Conduct Role-Specific Security

14 14.9 N/A Protect
Awareness and Skills Training

15 Service Provider Management

Develop a process to evaluate service provider

platforms or processes, to ensure these provid

Establish and Maintain an

15 15.1 N/A Identify
Inventory of Service Providers

Establish and Maintain a Service

15 15.2 N/A Identify
Provider Management Policy

15 15.3 N/A Identify Classify Service Providers

Ensure Service Provider Contracts

15 15.4 N/A Protect
Include Security Requirements
 Ensure Service Provider Contracts
15 15.4 N/A Protect
Include Security Requirements

15 15.5 N/A Identify Assess Service Providers

15 15.6 Data Detect Monitor Service Providers

Securely Decommission Service

15 15.7 Data Protect
Providers

16 Application Software Security

Manage the security life cycle of in-house deve
security weaknesses before they can impact th

Establish and Maintain a Secure

16 16.1 Applications Protect
Application Development Process

Establish and Maintain a Process

16 16.2 Applications Protect to Accept and Address Software
Vulnerabilities

Perform Root Cause Analysis on

16 16.3 Applications Protect
Security Vulnerabilities
 Establish and Manage an
16 16.4 Applications Protect Inventory of Third-Party Software
Components

Use Up-to-Date and Trusted Third-

16 16.5 Applications Protect
Party Software Components

Establish and Maintain a Severity

16 16.6 Applications Protect Rating System and Process for
Application Vulnerabilities

Use Standard Hardening

16 16.7 Applications Protect Configuration Templates for
Application Infrastructure

Separate Production and Non-

16 16.8 Applications Protect
Production Systems

Train Developers in Application

16 16.9 Applications Protect Security Concepts and Secure
Coding

Apply Secure Design Principles in

16 16.10 Applications Protect
Application Architectures

Leverage Vetted Modules or

16 16.11 Applications Protect Services for Application Security
Components
 Implement Code-Level Security
16 16.12 Applications Protect
Checks

Conduct Application Penetration

16 16.13 Applications Protect
Testing

16 16.14 Applications Protect Conduct Threat Modeling

17 Incident Response Management

Establish a program to develop and maintain a
roles, training, and communications) to prepare

Designate Personnel to Manage

17 17.1 N/A Respond
Incident Handling
 Establish and Maintain Contact
17 17.2 N/A Respond Information for Reporting Security
Incidents

Establish and Maintain an

17 17.3 N/A Respond Enterprise Process for Reporting
Incidents

Establish and Maintain an Incident

17 17.4 N/A Respond
Response Process

Assign Key Roles and

17 17.5 N/A Respond
Responsibilities

Define Mechanisms for

17 17.6 N/A Respond Communicating During Incident
Response
 Conduct Routine Incident
17 17.7 N/A Recover
Response Exercises

17 17.8 N/A Recover Conduct Post-Incident Reviews

Establish and Maintain Security

17 17.9 N/A Recover
Incident Thresholds

18 Penetration Testing
Test the effectiveness and resiliency of enterpr
(people, processes, and technology), and simu

Establish and Maintain a

18 18.1 N/A Identify
Penetration Testing Program

Perform Periodic External

18 18.2 Network Identify
Penetration Tests

Remediate Penetration Test

18 18.3 Network Protect
Findings

18 18.4 Network Protect Validate Security Measures

Perform Periodic Internal

18 18.5 N/A Identify
Penetration Tests
 Description

of Hardware Assets
tory, track, and correct) all enterprise assets (end-user devices, including portable and mobile;
omputing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically,
those within cloud environments, to accurately know the totality of assets that need to be
ed within the enterprise. This will also support identifying unauthorized and unmanaged assets to

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets
with the potential to store or process data, to include: end-user devices (including portable and
mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory
records the network address (if static), hardware address, machine name, data asset owner,
department for each asset, and whether the asset has been approved to connect to the
network. For mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure physically, virtually,
remotely, and those within cloud environments. Additionally, it includes assets that are
regularly connected to the enterprise’s network infrastructure, even if they are not under control
of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more
frequently.

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise
may choose to remove the asset from the network, deny the asset from connecting remotely to
the network, or quarantine the asset.

Utilize an active discovery tool to identify assets connected to the enterprise’s network.
Configure the active discovery tool to execute daily, or more frequently.

Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to
update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset
inventory weekly, or more frequently.

Use a passive discovery tool to identify assets connected to the enterprise’s network. Review
and use scans to update the enterprise’s asset inventory at least weekly, or more frequently.

of Software Assets

tory, track, and correct) all software (operating systems and applications) on the network so that
re is installed and can execute, and that unauthorized and unmanaged software is found and
tion or execution.

Establish and maintain a detailed inventory of all licensed software installed on enterprise
assets. The software inventory must document the title, publisher, initial install/use date, and
business purpose for each entry; where appropriate, include the Uniform Resource Locator
(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and
update the software inventory bi-annually, or more frequently.
 Ensure that only currently supported software is designated as authorized in the software
inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of
the enterprise’s mission, document an exception detailing mitigating controls and residual risk
acceptance. For any unsupported software without an exception documentation, designate as
unauthorized. Review the software list to verify software support at least monthly, or more
frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives
a documented exception. Review monthly, or more frequently.
Utilize software inventory tools, when possible, throughout the enterprise to automate the
discovery and documentation of installed software.
Use technical controls, such as application allowlisting, to ensure that only authorized software
can execute or be accessed. Reassess bi-annually, or more frequently.

Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized
libraries from loading into a system process. Reassess bi-annually, or more frequently.

Use technical controls, such as digital signatures and version control, to ensure that only
authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block
unauthorized scripts from executing. Reassess bi-annually, or more frequently.

d technical controls to identify, classify, securely handle, retain, and dispose of data.

Establish and maintain a data management process. In the process, address data sensitivity,
data owner, handling of data, data retention limits, and disposal requirements, based on
sensitivity and retention standards for the enterprise. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Establish and maintain a data inventory, based on the enterprise’s data management process.
Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,
with a priority on sensitive data.

Configure data access control lists based on a user’s need to know. Apply data access control
lists, also known as access permissions, to local and remote file systems, databases, and
applications.

Retain data according to the enterprise’s data management process. Data retention must
include both minimum and maximum timelines.
Securely dispose of data as outlined in the enterprise’s data management process. Ensure the
disposal process and method are commensurate with the data sensitivity.

Encrypt data on end-user devices containing sensitive data. Example implementations can
include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt.

Establish and maintain an overall data classification scheme for the enterprise. Enterprises
may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data
according to those labels. Review and update the classification scheme annually, or when
significant enterprise changes occur that could impact this Safeguard.

Document data flows. Data flow documentation includes service provider data flows and should
be based on the enterprise’s data management process. Review and update documentation
annually, or when significant enterprise changes occur that could impact this Safeguard.

Encrypt data on removable media.

Encrypt sensitive data in transit. Example implementations can include: Transport Layer
Security (TLS) and Open Secure Shell (OpenSSH).
 Encrypt sensitive data at rest on servers, applications, and databases containing sensitive
data. Storage-layer encryption, also known as server-side encryption, meets the minimum
requirement of this Safeguard. Additional encryption methods may include application-layer
encryption, also known as client-side encryption, where access to the data storage device(s)
does not permit access to the plain-text data.

Segment data processing and storage based on the sensitivity of the data. Do not process
sensitive data on enterprise assets intended for lower sensitivity data.

Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to
identify all sensitive data stored, processed, or transmitted through enterprise assets, including
those located onsite or at a remote service provider, and update the enterprise's sensitive data
inventory.

Log sensitive data access, including modification and disposal.

f Enterprise Assets and Software

the secure configuration of enterprise assets (end-user devices, including portable and mobile;
omputing/IoT devices; and servers) and software (operating systems and applications).

Establish and maintain a secure configuration process for enterprise assets (end-user devices,
including portable and mobile, non-computing/IoT devices, and servers) and software
(operating systems and applications). Review and update documentation annually, or when
significant enterprise changes occur that could impact this Safeguard.
 Establish and maintain a secure configuration process for network devices. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.

Configure automatic session locking on enterprise assets after a defined period of inactivity.
For general purpose operating systems, the period must not exceed 15 minutes. For mobile
end-user devices, the period must not exceed 2 minutes.

Implement and manage a firewall on servers, where supported. Example implementations

include a virtual firewall, operating system firewall, or a third-party firewall agent.

Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a
default-deny rule that drops all traffic except those services and ports that are explicitly
allowed.

Securely manage enterprise assets and software. Example implementations include managing
configuration through version-controlled-infrastructure-as-code and accessing administrative
interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet
(Teletype Network) and HTTP, unless operationally essential.

Manage default accounts on enterprise assets and software, such as root, administrator, and
other pre-configured vendor accounts. Example implementations can include: disabling default
accounts or making them unusable.

Uninstall or disable unnecessary services on enterprise assets and software, such as an

unused file sharing service, web application module, or service function.

Configure trusted DNS servers on enterprise assets. Example implementations include:

configuring assets to use enterprise-controlled DNS servers and/or reputable externally
accessible DNS servers.
Enforce automatic device lockout following a predetermined threshold of local failed
authentication attempts on portable end-user devices, where supported. For laptops, do not
allow more than 20 failed authentication attempts; for tablets and smartphones, no more than
10 failed authentication attempts. Example implementations include Microsoft® InTune Device
Lock and Apple® Configuration Profile maxFailedAttempts.
Remotely wipe enterprise data from enterprise-owned portable end-user devices when
deemed appropriate such as lost or stolen devices, or when an individual no longer supports
the enterprise.

Ensure separate enterprise workspaces are used on mobile end-user devices, where
supported. Example implementations include using an Apple® Configuration Profile or
Android™ Work Profile to separate enterprise applications and data from personal applications
and data.

ls to assign and manage authorization to credentials for user accounts, including administrator
rvice accounts, to enterprise assets and software.

Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should
 Establish and maintain an inventory of all accounts managed in the enterprise. The inventory
must include both user and administrator accounts. The inventory, at a minimum, should
contain the person’s name, username, start/stop dates, and department. Validate that all active
accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.

Use unique passwords for all enterprise assets. Best practice implementation includes, at a
minimum, an 8-character password for accounts using MFA and a 14-character password for
accounts not using MFA.

Delete or disable any dormant accounts after a period of 45 days of inactivity, where
supported.

Restrict administrator privileges to dedicated administrator accounts on enterprise assets.

Conduct general computing activities, such as internet browsing, email, and productivity suite
use, from the user’s primary, non-privileged account.

Establish and maintain an inventory of service accounts. The inventory, at a minimum, must
contain department owner, review date, and purpose. Perform service account reviews to
validate that all active accounts are authorized, on a recurring schedule at a minimum
quarterly, or more frequently.

Centralize account management through a directory or identity service.

ls used to create, assign, manage, and revoke access credentials and privileges for user,
ice accounts for enterprise assets and software.

Establish and follow a process, preferably automated, for granting access to enterprise assets
upon new hire, rights grant, or role change of a user.

Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit
trails.
 Establish and follow a process, preferably automated, for revoking access to enterprise assets,
through disabling accounts immediately upon termination, rights revocation, or role change of a
user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit
trails.

Require all externally-exposed enterprise or third-party applications to enforce MFA, where

supported. Enforcing MFA through a directory service or SSO provider is a satisfactory
implementation of this Safeguard.

Require MFA for remote network access.

Require MFA for all administrative access accounts, where supported, on all enterprise assets,
whether managed on-site or through a third-party provider.

Establish and maintain an inventory of the enterprise’s authentication and authorization

systems, including those hosted on-site or at a remote service provider. Review and update the
inventory, at a minimum, annually, or more frequently.

Centralize access control for all enterprise assets through a directory service or SSO provider,
where supported.

Define and maintain role-based access control, through determining and documenting the
access rights necessary for each role within the enterprise to successfully carry out its
assigned duties. Perform access control reviews of enterprise assets to validate that all
privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.

ty Management
nuously assess and track vulnerabilities on all enterprise assets within the enterprise’s
to remediate, and minimize, the window of opportunity for attackers. Monitor public and private
w threat and vulnerability information.
 Establish and maintain a documented vulnerability management process for enterprise assets.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.

Establish and maintain a risk-based remediation strategy documented in a remediation

process, with monthly, or more frequent, reviews.

Perform operating system updates on enterprise assets through automated patch management
on a monthly, or more frequent, basis.

Perform application updates on enterprise assets through automated patch management on a

monthly, or more frequent, basis.

Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more

frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-
compliant vulnerability scanning tool.

Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-

compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.

Remediate detected vulnerabilities in software through processes and tooling on a monthly, or

more frequent, basis, based on the remediation process.

nd retain audit logs of events that could help detect, understand, or recover from an attack.

Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
 Establish and maintain an audit log management process that defines the enterprise’s logging
requirements. At a minimum, address the collection, review, and retention of audit logs for
enterprise assets. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has
been enabled across enterprise assets.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s
audit log management process.

Standardize time synchronization. Configure at least two synchronized time sources across
enterprise assets, where supported.

Configure detailed audit logging for enterprise assets containing sensitive data. Include event
source, date, username, timestamp, source addresses, destination addresses, and other
useful elements that could assist in a forensic investigation.

Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.

Collect command-line audit logs. Example implementations include collecting audit logs from
PowerShell®, BASH™, and remote administrative terminals.

Centralize, to the extent possible, audit log collection and retention across enterprise assets.

Retain audit logs across enterprise assets for a minimum of 90 days.

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a
potential threat. Conduct reviews on a weekly, or more frequent, basis.

Collect service provider logs, where supported. Example implementations include collecting
authentication and authorization events, data creation and disposal events, and user
management events.
r Protections
d detections of threats from email and web vectors, as these are opportunities for attackers to
avior through direct engagement.

Ensure only fully supported browsers and email clients are allowed to execute in the
enterprise, only using the latest version of browsers and email clients provided through the
vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious
domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to
potentially malicious or unapproved websites. Example implementations include category-
based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all
enterprise assets.

Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or

email client plugins, extensions, and add-on applications.

To lower the chance of spoofed or modified emails from valid domains, implement DMARC
policy and verification, starting with implementing the Sender Policy Framework (SPF) and the
DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.

Deploy and maintain email server anti-malware protections, such as attachment scanning
and/or sandboxing.

nstallation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Deploy and maintain anti-malware software on all enterprise assets.

Configure automatic updates for anti-malware signature files on all enterprise assets.

Disable autorun and autoplay auto-execute functionality for removable media.

Configure anti-malware software to automatically scan removable media.

Enable anti-exploitation features on enterprise assets and software, where possible, such as
Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or
Apple® System Integrity Protection (SIP) and Gatekeeper™.

Centrally manage anti-malware software.

 Use behavior-based anti-malware software.

data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and

Establish and maintain a data recovery process. In the process, address the scope of data
recovery activities, recovery prioritization, and the security of backup data. Review and update
documentation annually, or when significant enterprise changes occur that could impact this
Safeguard.
Perform automated backups of in-scope enterprise assets. Run backups weekly, or more
frequently, based on the sensitivity of the data.
Protect recovery data with equivalent controls to the original data. Reference encryption or
data separation, based on requirements.
Establish and maintain an isolated instance of recovery data. Example implementations
include, version controlling backup destinations through offline, cloud, or off-site systems or
services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise
assets.

and actively manage (track, report, correct) network devices, in order to prevent attackers from
etwork services and access points.

Ensure network infrastructure is kept up-to-date. Example implementations include running the
latest stable release of software and/or using currently supported network-as-a-service (NaaS)
offerings. Review software versions monthly, or more frequently, to verify software support.

Establish and maintain a secure network architecture. A secure network architecture must
address segmentation, least privilege, and availability, at a minimum.

Securely manage network infrastructure. Example implementations include version-controlled-

infrastructure-as-code, and the use of secure network protocols, such as SSH and HTTPS.

Establish and maintain architecture diagram(s) and/or other network system documentation.
Review and update documentation annually, or when significant enterprise changes occur that
could impact this Safeguard.
 Centralize network AAA.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected
Access 2 (WPA2) Enterprise or greater).

Require users to authenticate to enterprise-managed VPN and authentication services prior to

accessing enterprise resources on end-user devices.

Establish and maintain dedicated computing resources, either physically or logically separated,
for all administrative tasks or tasks requiring administrative access. The computing resources
should be segmented from the enterprise's primary network and not be allowed internet
access.

tooling to establish and maintain comprehensive network monitoring and defense against
the enterprise’s network infrastructure and user base.

Centralize security event alerting across enterprise assets for log correlation and analysis. Best
practice implementation requires the use of a SIEM, which includes vendor-defined event
correlation alerts. A log analytics platform configured with security-relevant correlation alerts
also satisfies this Safeguard.

Deploy a host-based intrusion detection solution on enterprise assets, where appropriate

and/or supported.
Deploy a network intrusion detection solution on enterprise assets, where appropriate.
Example implementations include the use of a Network Intrusion Detection System (NIDS) or
equivalent cloud service provider (CSP) service.
 Perform traffic filtering between network segments, where appropriate.

Manage access control for assets remotely connecting to enterprise resources. Determine
amount of access to enterprise resources based on: up-to-date anti-malware software
installed, configuration compliance with the enterprise’s secure configuration process, and
ensuring the operating system and applications are up-to-date.

Collect network traffic flow logs and/or network traffic to review and alert upon from network
devices.

Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate

and/or supported. Example implementations include use of an Endpoint Detection and
Response (EDR) client or host-based IPS agent.

Deploy a network intrusion prevention solution, where appropriate. Example implementations

include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.

Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network
access control protocols, such as certificates, and may incorporate user and/or device
authentication.

Perform application layer filtering. Example implementations include a filtering proxy,

application layer firewall, or gateway.

Tune security event alerting thresholds monthly, or more frequently.

d Skills Training
a security awareness program to influence behavior among the workforce to be security
y skilled to reduce cybersecurity risks to the enterprise.

Establish and maintain a security awareness program. The purpose of a security awareness
program is to educate the enterprise’s workforce on how to interact with enterprise assets and
data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and
update content annually, or when significant enterprise changes occur that could impact this
Safeguard.

Train workforce members to recognize social engineering attacks, such as phishing, pre-
texting, and tailgating.
Train workforce members on authentication best practices. Example topics include MFA,
password composition, and credential management.

Train workforce members on how to identify and properly store, transfer, archive, and destroy
sensitive data. This also includes training workforce members on clear screen and desk best
practices, such as locking their screen when they step away from their enterprise asset,
erasing physical and virtual whiteboards at the end of meetings, and storing data and assets
securely.

Train workforce members to be aware of causes for unintentional data exposure. Example
topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing
data to unintended audiences.

Train workforce members to be able to recognize a potential incident and be able to report
such an incident.

Train workforce to understand how to verify and report out-of-date software patches or any
failures in automated processes and tools. Part of this training should include notifying IT
personnel of any failures in automated processes and tools.

Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.
 Train workforce members on the dangers of connecting to, and transmitting data over, insecure
networks for enterprise activities. If the enterprise has remote workers, training must include
guidance to ensure that all users securely configure their home network infrastructure.

Conduct role-specific security awareness and skills training. Example implementations include
secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability
awareness and prevention training for web application developers, and advanced social
engineering awareness training for high-profile roles.

valuate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT
, to ensure these providers are protecting those platforms and data appropriately.

Establish and maintain an inventory of service providers. The inventory is to list all known
service providers, include classification(s), and designate an enterprise contact for each
service provider. Review and update the inventory annually, or when significant enterprise
changes occur that could impact this Safeguard.
Establish and maintain a service provider management policy. Ensure the policy addresses the
classification, inventory, assessment, monitoring, and decommissioning of service providers.
Review and update the policy annually, or when significant enterprise changes occur that could
impact this Safeguard.

Classify service providers. Classification consideration may include one or more

characteristics, such as data sensitivity, data volume, availability requirements, applicable
regulations, inherent risk, and mitigated risk. Update and review classifications annually, or
when significant enterprise changes occur that could impact this Safeguard.

Ensure service provider contracts include security requirements. Example requirements may
include minimum security program requirements, security incident and/or data breach
notification and response, data encryption requirements, and data disposal commitments.
These security requirements must be consistent with the enterprise’s service provider
management policy. Review service provider contracts annually to ensure contracts are not
missing security requirements.
 notification and response, data encryption requirements, and data disposal commitments.
These security requirements must be consistent with the enterprise’s service provider
management policy. Review service provider contracts annually to ensure contracts are not
missing security requirements.

Assess service providers consistent with the enterprise’s service provider management policy.
Assessment scope may vary based on classification(s), and may include review of
standardized assessment reports, such as Service Organization Control 2 (SOC 2) and
Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or
other appropriately rigorous processes. Reassess service providers annually, at a minimum, or
with new and renewed contracts.

Monitor service providers consistent with the enterprise’s service provider management policy.
Monitoring may include periodic reassessment of service provider compliance, monitoring
service provider release notes, and dark web monitoring.
Securely decommission service providers. Example considerations include user and service
account deactivation, termination of data flows, and secure disposal of enterprise data within
service provider systems.
ecurity
e cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate
efore they can impact the enterprise.

Establish and maintain a secure application development process. In the process, address
such items as: secure application design standards, secure coding practices, developer
training, vulnerability management, security of third-party code, and application security testing
procedures. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

as: a vulnerability handling policy that identifies reporting process, responsible party for
handling vulnerability reports, and a process for intake, assignment, remediation, and
remediation testing. As part of the process, use a vulnerability tracking system that includes
severity ratings, and metrics for measuring timing for identification, analysis, and remediation of
vulnerabilities. Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root
cause analysis is the task of evaluating underlying issues that create vulnerabilities in code,
and allows development teams to move beyond just fixing individual vulnerabilities as they
arise.
Establish and manage an updated inventory of third-party components used in development,
often referred to as a “bill of materials,” as well as components slated for future use. This
inventory is to include any risks that each third-party component could pose. Evaluate the list at
least monthly to identify any changes or updates to these components, and validate that the
component is still supported.

Use up-to-date and trusted third-party software components. When possible, choose
established and proven frameworks and libraries that provide adequate security. Acquire these
components from trusted sources or evaluate the software for vulnerabilities before use.

Establish and maintain a severity rating system and process for application vulnerabilities that
facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process
includes setting a minimum level of security acceptability for releasing code or applications.
Severity ratings bring a systematic way of triaging vulnerabilities that improves risk
management and helps ensure the most severe bugs are fixed first. Review and update the
system and process annually.

Use standard, industry-recommended hardening configuration templates for application

infrastructure components. This includes underlying servers, databases, and web servers, and
applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components.
Do not allow in-house developed software to weaken configuration hardening.

Maintain separate environments for production and non-production systems.

Ensure that all software development personnel receive training in writing secure code for their
specific development environment and responsibilities. Training can include general security
principles and application security standard practices. Conduct training at least annually and
design in a way to promote security within the development team, and build a culture of
security among the developers.

Apply secure design principles in application architectures. Secure design principles include
the concept of least privilege and enforcing mediation to validate every operation that the user
makes, promoting the concept of "never trust user input." Examples include ensuring that
explicit error checking is performed and documented for all input, including for size, data type,
and acceptable ranges or formats. Secure design also means minimizing the application
infrastructure attack surface, such as turning off unprotected ports and services, removing
unnecessary programs and files, and renaming or removing default accounts.

Leverage vetted modules or services for application security components, such as identity
management, encryption, and auditing and logging. Using platform features in critical security
functions will reduce developers’ workload and minimize the likelihood of design or
implementation errors. Modern operating systems provide effective mechanisms for
identification, authentication, and authorization and make those mechanisms available to
applications. Use only standardized, currently accepted, and extensively reviewed encryption
algorithms. Operating systems also provide mechanisms to create and maintain secure audit
logs.
 Apply static and dynamic analysis tools within the application life cycle to verify that secure
coding practices are being followed.

Conduct application penetration testing. For critical applications, authenticated penetration

testing is better suited to finding business logic vulnerabilities than code scanning and
automated security testing. Penetration testing relies on the skill of the tester to manually
manipulate an application as an authenticated and unauthenticated user.

Conduct threat modeling. Threat modeling is the process of identifying and addressing
application security design flaws within a design, before code is created. It is conducted
through specially trained individuals who evaluate the application design and gauge security
risks for each entry point and access level. The goal is to map out the application, architecture,
and infrastructure in a structured way to understand its weaknesses.

develop and maintain an incident response capability (e.g., policies, plans, procedures, defined
mmunications) to prepare, detect, and quickly respond to an attack.

Designate one key person, and at least one backup, who will manage the enterprise’s incident
handling process. Management personnel are responsible for the coordination and
documentation of incident response and recovery efforts and can consist of employees internal
to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor,
designate at least one person internal to the enterprise to oversee any third-party work. Review
annually, or when significant enterprise changes occur that could impact this Safeguard.
Establish and maintain contact information for parties that need to be informed of security
incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber
insurance providers, relevant government agencies, Information Sharing and Analysis Center
(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is
up-to-date.

Establish and maintain an enterprise process for the workforce to report security incidents. The
process includes reporting timeframe, personnel to report to, mechanism for reporting, and the
minimum information to be reported. Ensure the process is publicly available to all of the
workforce. Review annually, or when significant enterprise changes occur that could impact
this Safeguard.

Establish and maintain an incident response process that addresses roles and responsibilities,
compliance requirements, and a communication plan. Review annually, or when significant
enterprise changes occur that could impact this Safeguard.

Assign key roles and responsibilities for incident response, including staff from legal, IT,
information security, facilities, public relations, human resources, incident responders, and
analysts, as applicable. Review annually, or when significant enterprise changes occur that
could impact this Safeguard.

Determine which primary and secondary mechanisms will be used to communicate and report
during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in
mind that certain mechanisms, such as emails, can be affected during a security incident.
Review annually, or when significant enterprise changes occur that could impact this
Safeguard.
 Plan and conduct routine incident response exercises and scenarios for key personnel involved
in the incident response process to prepare for responding to real-world incidents. Exercises
need to test communication channels, decision making, and workflows. Conduct testing on an
annual basis, at a minimum.
Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through
identifying lessons learned and follow-up action.

Establish and maintain security incident thresholds, including, at a minimum, differentiating

between an incident and an event. Examples can include: abnormal activity, security
vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when
significant enterprise changes occur that could impact this Safeguard.

and resiliency of enterprise assets through identifying and exploiting weaknesses in controls
d technology), and simulating the objectives and actions of an attacker.

Establish and maintain a penetration testing program appropriate to the size, complexity, and
maturity of the enterprise. Penetration testing program characteristics include scope, such as
network, web application, Application Programming Interface (API), hosted services, and
physical premise controls; frequency; limitations, such as acceptable hours, and excluded
attack types; point of contact information; remediation, such as how findings will be routed
internally; and retrospective requirements.

Perform periodic external penetration tests based on program requirements, no less than
annually. External penetration testing must include enterprise and environmental
reconnaissance to detect exploitable information. Penetration testing requires specialized skills
and experience and must be conducted through a qualified party. The testing may be clear box
or opaque box.

Remediate penetration test findings based on the enterprise’s policy for remediation scope and
prioritization.

Validate security measures after each penetration test. If deemed necessary, modify rulesets
and capabilities to detect the techniques used during testing.
Perform periodic internal penetration tests based on program requirements, no less than
annually. The testing may be clear box or opaque box.
IG1 IG2 IG3 Relationship Control Title CCM V4 Control ID

Endpoint
X X X Equivalent UEM-04
Inventory

X X X

Endpoint
X X Subset UEM-05
Management

X X

Application and
X X X Superset UEM-02
Service Approval
X X X

X X X

X X

X X

X X

Security and
Equivalent Privacy Policy DSP-01
and Procedures

x x x
Data Ownership
Superset DSP-06
and Stewardship

Organizational
Superset GRC-03
Policy Reviews

x x x Superset Data Inventory DSP-03

Sensitive Data
Subset DSP-17
Protection
x x x
Equivalent Least Privilege IAM-05

Data Retention
x x x Subset DSP-16
and Deletion
 Equivalent Secure Disposal DSP-02
x x x
Data Retention
Subset DSP-16
and Deletion

Subset Data Encryption CEK-03

x x x
Storage
Equivalent UEM-08
Encryption

Security and
Subset Privacy Policy DSP-01
x x and Procedures

Data
Equivalent DSP-04
Classification

Data Flow
Equivalent DSP-05
Documentation

x x

Subset Network Security IVS-03

x x

Subset Data Encryption CEK-03

Sensitive Data
Subset DSP-10
Transfer
x x

Subset Network Security IVS-03

 x x Subset Data Encryption CEK-03

Sensitive Data
x x Subset DSP-17
Protection

Sensitive Data
Superset DSP-10
Transfer
x

Data Loss
Equivalent UEM-11
Prevention

Sensitive Data
Subset DSP-17
Protection

Safeguard Logs
x Subset IAM-12
Integrity

Audit Logs
Superset Access and LOG-04
Accountability

Change
Management
Superset CCC-01
Policy and
Procedures

x x x

Organizational
Superset GRC-03
Policy Reviews

OS Hardening
Superset and Base IVS-04
Controls
 OS Hardening
x x x Superset and Base IVS-04
Controls

Automatic Lock
x x x Equivalent UEM-06
Screen

x x x

x x x Equivalent Software Firewall UEM-10

x x x

x x x

x x

x x

x x

x x Equivalent Remote Wipe UEM-13

Remote and
Home Working
x Subset HRS-04
Policy and
Procedures

Equivalent Identity Inventory IAM-03

x x x
 User Access
Superset IAM-08
Review

x x x Management of
Superset Privileged IAM-10
Access Roles

Authorization
Subset IAM-16
Mechanisms

Strong Password
x x x Equivalent Policy and IAM-02
Procedures

x x x

Segregation of
x x x Subset Privileged IAM-09
Access Roles

x x Subset Identity Inventory IAM-03

x x

Identity and
Access
Subset Management IAM-01
Policy and
Procedures

x x x User Access
Subset IAM-06
Provisioning

User Access
Subset Changes and IAM-07
Revocation

Employment
Subset HRS-06
Termination

x x x
 Identity and
Access
Subset Management IAM-01
x x x Policy and
Procedures

User Access
Equivalent Changes and IAM-07
Revocation

X x x

Remote and
Home Working
x x x Subset HRS-04
Policy and
Procedures

Management of
Subset Privileged IAM-10
Access Roles

x x x

Strong
Subset IAM-14
Authentication

Identity and
Access
x x Subset Management IAM-01
Policy and
Procedures

x x

Separation of
Equivalent IAM-04
Duties

Equivalent Least Privilege IAM-05

x

Authorization
Superset IAM-16
Mechanisms
 Threat and
Vulnerability
Equivalent Management TVM-01
Policy and
Procedures
x x x
Vulnerability
Equivalent TVM-07
Identification

Vulnerability
Superset Management TVM-09
Reporting
Risk Based
Subset Planning A&A-03
Assessment

Vulnerability
x x x Superset TVM-08
Prioritization

Vulnerability
Superset Management TVM-10
Metrics

Operating
x x x Superset UEM-07
Systems

x x x Superset Compatibility UEM-03

Vulnerability
x x Subset TVM-07
Identification

Vulnerability
x x Subset TVM-07
Identification

Vulnerability
x x Equivalent Remediation TVM-03
Schedule

Audit and
Subset Assurance Policy A&A-01
and Procedures

x x x
 Logging and
x x x Equivalent Monitoring Policy LOG-01
and Procedures

Superset Logging Scope LOG-07

x x x Equivalent Log Records LOG-08

x x x

Clock
x x Equivalent LOG-06
Synchronization

Sensitive Data
Subset DSP-17
Protection

x x
Security
Subset Monitoring and LOG-03
Alerting

x x
x x

x x

x x

Audit Logs
x x Subset LOG-02
Protection

Audit Logs
Equivalent Monitoring and LOG-05
Response
x x
Failures and
Superset Anomalies LOG-13
Reporting

x
x x x

x x x

x x

x x

x x

x x

Malware
x Subset Protection Policy TVM-02
and Procedures

Malware
Subset Protection Policy TVM-02
and Procedures
x x x
Anti-Malware
Superset Detection and UEM-09
Prevention

Detection
x x x Subset TVM-04
Updates

x x x

x x

x x

x x
 x x

x x x

x x x

x x x

x x x

x x

x x x

Data Protection
Superset by Design and DSP-07
Default

x x
Subset Network Security IVS-03

x x

Network
x x Equivalent Architecture IVS-08
Documentation
 Strong
x x Subset IAM-14
Authentication

x x

Remote and
Home Working
Subset HRS-04
Policy and
Procedures

x x

Strong
Subset IAM-14
Authentication

Security
Superset Monitoring and LOG-03
Alerting

x x
Security Incident
Management
Subset SEF-01
Policy and
Procedures

x x

x x Subset Network Defense IVS-09

 x x

Remote and
Home Working
x x Subset HRS-04
Policy and
Procedures

x x Subset Network Security IVS-03

x Subset Network Defense IVS-09

x Subset Network Security IVS-03

Information
Equivalent GRC-05
Security Program

Security
x x x Equivalent Awareness HRS-11
Training

Organizational
Superset GRC-03
Policy Reviews

Security
x x x Subset Awareness HRS-11
Training
 Information
Subset GRC-05
Security Program

x x x
Security
Subset Awareness HRS-11
Training

Sensitive Data
Subset DSP-17
Protection

Governance
Subset Program Policy GRC-01
and Procedures

x x x
Clean Desk
Superset Policy and HRS-03
Procedures

Personal and
Sensitive Data
Equivalent HRS-12
Awareness and
Training

Governance
Subset Program Policy GRC-01
and Procedures
x x x

Security
Subset Awareness HRS-11
Training

Security
x x x Subset Awareness HRS-11
Training

Security
x x x Subset Awareness HRS-11
Training

Governance
Subset Program Policy GRC-01
and Procedures

x x x
x x x
Remote and
Home Working
Subset HRS-04
Policy and
Procedures

Personnel Roles
Equivalent and HRS-09
Responsibilities

x x Personal and
Sensitive Data
Subset HRS-12
Awareness and
Training

Supply Chain
x x x Equivalent STA-07
Inventory

x x

Risk
Subset Management GRC-02
Program
x x

Supply Chain
Subset Risk STA-08
Management

Primary Service
Subset and Contractual STA-09
Agreement

x x
x x

Supply Chain
Superset Agreement STA-10
Review

Third-Party
Superset Endpoint UEM-14
Security Posture

Supply Chain
Service
Equivalent STA-12
Agreement
x Compliance
Supply Chain
Superset Governance STA-13
Review
Supply Chain
x Equivalent Data Security STA-14
Assessment

Application and
Interface Security
Superset AIS-01
Policy and
Procedures
x x

Secure
Application
Equivalent AIS-04
Design and
Development
Application
Superset Vulnerability AIS-07
Remediation
X X
Application
Superset AIS-03
Security Metrics

x x
 Risk
x x Subset Management GRC-02
Program

x x

Application
Superset Vulnerability AIS-07
Remediation
x x
Vulnerability
Subset TVM-08
Prioritization

Application
x x Equivalent Security Baseline AIS-02
Requirements

Production and
x x Equivalent Non-Production IVS-05
Environments

x x

Data Protection
x x Subset by Design and DSP-07
Default

x x
 Automated
x Subset Application AIS-05
Security Testing

Automated
x Superset Application AIS-05
Security Testing

Business
Continuity
Management &
Operational
Subset BCR-01
Resilience
Business
Continuity
x x x Planning

Incident
Subset SEF-03
Response Plans
 Points of Contact
Equivalent SEF-08
Maintenance

x x x
Security Breach
Subset SEF-07
Notification

x x x

Security Incident
Management
Superset SEF-01
Policy and
Procedures

Service
Management
Superset SEF-02
Policy and
Procedures

Organizational
x x Superset GRC-03
Policy Reviews

Incident
Equivalent SEF-03
Response Plans

Event Triage
Superset SEF-06
Processes

Incident
x x Subset SEF-03
Response Plans

x x
 Incident
x x Equivalent Response SEF-04
Testing

x x

Incident
x Equivalent Response SEF-05
Metrics

Penetration
x x Equivalent TVM-06
Testing

x x

Vulnerability
x x Subset TVM-08
Prioritization

x
 Control Specification

Maintain an inventory of all endpoints used to store and access

company data.

Define, implement and evaluate processes, procedures and

technical measures to enforce policies and controls for all
endpoints permitted to access systems and/or store, transmit,
or process organizational data.

Define, document, apply and evaluate a list of approved

services, applications and sources of applications (stores)
acceptable for use by endpoints when accessing or storing
organization-managed data.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures for the classification,
protection and handling of data throughout its lifecycle, and
according to all applicable laws and regulations, standards, and
risk level. Review and update the policies and procedures at
least annually.
Document ownership and stewardship of all relevant
documented personal and sensitive data. Perform review at
least annually.
Review all relevant organizational policies and associated
procedures at least annually or when a substantial change
occurs within the organization.

Create and maintain a data inventory, at least for any sensitive

data and personal data.

Define and implement, processes, procedures and technical

measures to protect sensitive data throughout it's lifecycle.

Employ the least privilege principle when implementing

information system access.
Data retention, archiving and deletion is managed in
accordance with business requirements, applicable laws and
regulations.
Apply industry accepted methods for the secure disposal of
data from storage media such that data is not recoverable by
any forensic means.
Data retention, archiving and deletion is managed in
accordance with business requirements, applicable laws and
regulations.

Provide cryptographic protection to data at-rest and in-transit,

using cryptographic libraries certified to approved standards.

Protect information from unauthorized disclosure on managed

endpoint devices with storage encryption.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures for the classification,
protection and handling of data throughout its lifecycle, and
according to all applicable laws and regulations, standards, and
risk level. Review and update the policies and procedures at
least annually.

Classify data according to its type and sensitivity level.

Create data flow documentation to identify what data is

processed, stored or transmitted where. Review data flow
documentation at defined intervals, at least annually, and after
any change.

Monitor, encrypt and restrict communications between

environments to only authenticated and authorized
connections, as justified by the business. Review these
configurations at least annually, and support them by a
documented justification of all allowed services, protocols,
ports, and compensating controls.

Provide cryptographic protection to data at-rest and in-transit,

using cryptographic libraries certified to approved standards.

Define, implement and evaluate processes, procedures and

technical measures that ensure any transfer of personal or
sensitive data is protected from unauthorized access and only
processed within scope as permitted by the respective laws and
regulations.

Monitor, encrypt and restrict communications between

environments to only authenticated and authorized
connections, as justified by the business. Review these
configurations at least annually, and support them by a
documented justification of all allowed services, protocols,
ports, and compensating controls.
Provide cryptographic protection to data at-rest and in-transit,
using cryptographic libraries certified to approved standards.

Define and implement, processes, procedures and technical

measures to protect sensitive data throughout it's lifecycle.

Define, implement and evaluate processes, procedures and

technical measures that ensure any transfer of personal or
sensitive data is protected from unauthorized access and only
processed within scope as permitted by the respective laws and
regulations.

Configure managed endpoints with Data Loss Prevention (DLP)

technologies and rules in accordance with a risk assessment.

Define and implement, processes, procedures and technical

measures to protect sensitive data throughout it's lifecycle.

Define, implement and evaluate processes, procedures and

technical measures to ensure the logging infrastructure is read-
only for all with write access, including privileged access roles,
and that the ability to disable it is controlled through a
procedure that ensures the segregation of duties and break
glass procedures.

Restrict audit logs access to authorized personnel and maintain

records that provide unique access accountability.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for managing the risks
associated with applying changes to organization assets,
including application, systems, infrastructure, configuration,
etc., regardless of whether the assets are managed internally or
externally (i.e., outsourced). Review and update the policies
and procedures at least annually.

Review all relevant organizational policies and associated

procedures at least annually or when a substantial change
occurs within the organization.

Harden host and guest OS, hypervisor or infrastructure control

plane according to their respective best practices, and
supported by technical controls, as part of a security baseline.
Harden host and guest OS, hypervisor or infrastructure control
plane according to their respective best practices, and
supported by technical controls, as part of a security baseline.

Configure all relevant interactive-use endpoints to require an

automatic lock screen.

Configure managed endpoints with properly configured

software firewalls.

Define, implement and evaluate processes, procedures and

technical measures to enable the deletion of company data
remotely on managed endpoint devices.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures to protect information
accessed, processed or stored at remote sites and locations.
Review and update the policies and procedures at least
annually.

Manage, store, and review the information of system identities,

and level of access.
Review and revalidate user access for least privilege and
separation of duties with a frequency that is commensurate with
organizational risk tolerance.
Define and implement an access process to ensure privileged
access roles and rights are granted for a time limited period,
and implement procedures to prevent the culmination of
segregated privileged access.
Define, implement and evaluate processes, procedures and
technical measures to verify access to data and system
functions is authorized.
Establish, document, approve, communicate, implement, apply,
evaluate and maintain strong password policies and
procedures. Review and update the policies and procedures at
least annually.

Define, implement and evaluate processes, procedures and

technical measures for the segregation of privileged access
roles such that administrative access to data, encryption and
key management capabilities and logging capabilities are
distinct and separated.

Manage, store, and review the information of system identities,

and level of access.

Establish, document, approve, communicate, implement, apply,

evaluate and maintain policies and procedures for identity and
access management. Review and update the policies and
procedures at least annually.

Define and implement a user access provisioning process

which authorizes, records, and communicates access changes
to data and assets.
De-provision or respectively modify access of movers / leavers
or system identity changes in a timely manner in order to
effectively adopt and communicate identity and access
management policies.
Establish, document, and communicate to all personnel the
procedures outlining the roles and responsibilities concerning
changes in employment.
Establish, document, approve, communicate, implement, apply,
evaluate and maintain policies and procedures for identity and
access management. Review and update the policies and
procedures at least annually.

De-provision or respectively modify access of movers / leavers

or system identity changes in a timely manner in order to
effectively adopt and communicate identity and access
management policies.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures to protect information
accessed, processed or stored at remote sites and locations.
Review and update the policies and procedures at least
annually.
Define and implement an access process to ensure privileged
access roles and rights are granted for a time limited period,
and implement procedures to prevent the culmination of
segregated privileged access.

Define, implement and evaluate processes, procedures and

technical measures for authenticating access to systems,
application and data assets, including multifactor authentication
for at least privileged user and sensitive data access. Adopt
digital certificates or alternatives which achieve an equivalent
level of security for system identities.

Establish, document, approve, communicate, implement, apply,

evaluate and maintain policies and procedures for identity and
access management. Review and update the policies and
procedures at least annually.

Employ the separation of duties principle when implementing

information system access.
Employ the least privilege principle when implementing
information system access.
Define, implement and evaluate processes, procedures and
technical measures to verify access to data and system
functions is authorized.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures to identify, report and
prioritize the remediation of vulnerabilities, in order to protect
systems against vulnerability exploitation. Review and update
the policies and procedures at least annually.

Define, implement and evaluate processes, procedures and

technical measures for the detection of vulnerabilities on
organizationally managed assets at least monthly.
Define and implement a process for tracking and reporting
vulnerability identification and remediation activities that
includes stakeholder notification.

Perform independent audit and assurance assessments

according to risk-based plans and policies.

Use a risk-based model for effective prioritization of

vulnerability remediation using an industry recognized
framework.

Establish, monitor and report metrics for vulnerability

identification and remediation at defined intervals.

Manage changes to endpoint operating systems, patch levels,

and/or applications through the company's change
management processes.
Define and implement a process for the validation of the
endpoint device's compatibility with operating systems and
applications.
Define, implement and evaluate processes, procedures and
technical measures for the detection of vulnerabilities on
organizationally managed assets at least monthly.
Define, implement and evaluate processes, procedures and
technical measures for the detection of vulnerabilities on
organizationally managed assets at least monthly.
Define, implement and evaluate processes, procedures and
technical measures to enable both scheduled and emergency
responses to vulnerability identifications, based on the identified
risk.

Establish, document, approve, communicate, apply, evaluate

and maintain audit and assurance policies and procedures and
standards. Review and update the policies and procedures at
least annually.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures for logging and
monitoring. Review and update the policies and procedures at
least annually.
Establish, document and implement which information
meta/data system events should be logged. Review and update
the scope at least annually or whenever there is a change in
the threat environment.

Generate audit records containing relevant security information.

Use a reliable time source across all relevant information

processing systems.

Define and implement, processes, procedures and technical

measures to protect sensitive data throughout it's lifecycle.

Identify and monitor security-related events within applications

and the underlying infrastructure. Define and implement a
system to generate alerts to responsible stakeholders based on
such events and corresponding metrics.

Define, implement and evaluate processes, procedures and

technical measures to ensure the security and retention of audit
logs.
Monitor security audit logs to detect activity outside of typical or
expected patterns. Establish and follow a defined process to
review and take appropriate and timely actions on detected
anomalies.
Define, implement and evaluate processes, procedures and
technical measures for the reporting of anomalies and failures
of the monitoring system and provide immediate notification to
the accountable party.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures to protect against
malware on managed assets. Review and update the policies
and procedures at least annually.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures to protect against
malware on managed assets. Review and update the policies
and procedures at least annually.

Configure managed endpoints with anti-malware detection and

prevention technology and services.

Define, implement and evaluate processes, procedures and

technical measures to update detection tools, threat signatures,
and indicators of compromise on a weekly, or more frequent
basis.
Develop systems, products, and business practices based upon
a principle of security by design and industry best practices.

Monitor, encrypt and restrict communications between

environments to only authenticated and authorized
connections, as justified by the business. Review these
configurations at least annually, and support them by a
documented justification of all allowed services, protocols,
ports, and compensating controls.

Identify and document high-risk environments.

Define, implement and evaluate processes, procedures and
technical measures for authenticating access to systems,
application and data assets, including multifactor authentication
for at least privileged user and sensitive data access. Adopt
digital certificates or alternatives which achieve an equivalent
level of security for system identities.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures to protect information
accessed, processed or stored at remote sites and locations.
Review and update the policies and procedures at least
annually.

Define, implement and evaluate processes, procedures and

technical measures for authenticating access to systems,
application and data assets, including multifactor authentication
for at least privileged user and sensitive data access. Adopt
digital certificates or alternatives which achieve an equivalent
level of security for system identities.

Identify and monitor security-related events within applications

and the underlying infrastructure. Define and implement a
system to generate alerts to responsible stakeholders based on
such events and corresponding metrics.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for Security Incident
Management, E-Discovery, and Cloud Forensics. Review and
update the policies and procedures at least annually.

Define, implement and evaluate processes, procedures and

defense-in-depth techniques for protection, detection, and
timely response to network-based attacks.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures to protect information
accessed, processed or stored at remote sites and locations.
Review and update the policies and procedures at least
annually.

Monitor, encrypt and restrict communications between

environments to only authenticated and authorized
connections, as justified by the business. Review these
configurations at least annually, and support them by a
documented justification of all allowed services, protocols,
ports, and compensating controls.

Define, implement and evaluate processes, procedures and

defense-in-depth techniques for protection, detection, and
timely response to network-based attacks.
Monitor, encrypt and restrict communications between
environments to only authenticated and authorized
connections, as justified by the business. Review these
configurations at least annually, and support them by a
documented justification of all allowed services, protocols,
ports, and compensating controls.

Develop and implement an Information Security Program,

which includes programs for all the relevant domains of the
CCM.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.
Review all relevant organizational policies and associated
procedures at least annually or when a substantial change
occurs within the organization.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.
Develop and implement an Information Security Program,
which includes programs for all the relevant domains of the
CCM.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.

Define and implement, processes, procedures and technical

measures to protect sensitive data throughout it's lifecycle.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for an information
governance program, which is sponsored by the leadership of
the organization. Review and update the policies and
procedures at least annually.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures that require unattended
workspaces to not have openly visible confidential data. Review
and update the policies and procedures at least annually.

Provide all employees with access to sensitive organizational

and personal data with appropriate security awareness training
and regular updates in organizational procedures, processes,
and policies relating to their professional function relative to the
organization.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for an information
governance program, which is sponsored by the leadership of
the organization. Review and update the policies and
procedures at least annually.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.
Establish, document, approve, communicate, apply, evaluate
and maintain a security awareness training program for all
employees of the organization and provide regular training
updates.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures for an information
governance program, which is sponsored by the leadership of
the organization. Review and update the policies and
procedures at least annually.
Establish, document, approve, communicate, apply, evaluate
and maintain policies and procedures to protect information
accessed, processed or stored at remote sites and locations.
Review and update the policies and procedures at least
annually.

Document and communicate roles and responsibilities of

employees, as they relate to information assets and security.

Provide all employees with access to sensitive organizational

and personal data with appropriate security awareness training
and regular updates in organizational procedures, processes,
and policies relating to their professional function relative to the
organization.

Develop and maintain an inventory of all supply chain

relationships.

Establish a formal, documented, and leadership-sponsored

Enterprise Risk Management (ERM) program that includes
policies and procedures for identification, evaluation,
ownership, treatment, and acceptance of cloud security and
privacy risks.

CSPs periodically review risk factors associated with all

organizations within their supply chain.

Service agreements between CSPs and CSCs (tenants) must

incorporate at least the following mutually-agreed upon
provisions and/or terms:
• Scope, characteristics and location of business relationship
and services offered
• Information security requirements (including SSRM)
• Change management process
• Logging and monitoring capability
• Incident management and communication procedures
• Right to audit and third party assessment
• Service termination
• Interoperability and portability requirements
• Data privacy
Review supply chain agreements between CSPs and CSCs at
least annually.

Define, implement and evaluate processes, procedures and

technical and/or contractual measures to maintain proper
security of third-party endpoints with access to organizational
assets.
Implement policies requiring all CSPs throughout the supply
chain to comply with information security, confidentiality, access
control, privacy, audit, personnel policy and service level
requirements and standards.

Periodically review the organization's supply chain partners' IT

governance policies and procedures.

Define and implement a process for conducting security

assessments periodically for all organizations within the supply
chain.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for application security to
provide guidance to the appropriate planning, delivery and
support of the organization's application security capabilities.
Review and update the policies and procedures at least
annually.

Define and implement a SDLC process for application design,

development, deployment, and operation in accordance with
security requirements defined by the organization.

Define and implement a process to remediate application

security vulnerabilities, automating remediation when possible.

Define and implement technical and operational metrics in

alignment with business objectives, security requirements, and
compliance obligations.
Establish a formal, documented, and leadership-sponsored
Enterprise Risk Management (ERM) program that includes
policies and procedures for identification, evaluation,
ownership, treatment, and acceptance of cloud security and
privacy risks.

Define and implement a process to remediate application

security vulnerabilities, automating remediation when possible.

Use a risk-based model for effective prioritization of

vulnerability remediation using an industry recognized
framework.

Establish, document and maintain baseline requirements for

securing different applications.

Separate production and non-production environments.

Develop systems, products, and business practices based upon

a principle of security by design and industry best practices.
Implement a testing strategy, including criteria for acceptance
of new information systems, upgrades and new versions, which
provides application security assurance and maintains
compliance while enabling organizational speed of delivery
goals. Automate when applicable and possible.

Implement a testing strategy, including criteria for acceptance

of new information systems, upgrades and new versions, which
provides application security assurance and maintains
compliance while enabling organizational speed of delivery
goals. Automate when applicable and possible.

A consistent unified framework for business continuity planning

and plan development shall be established, documented, and
adopted to ensure all business continuity plans are consistent in
addressing priorities for testing, maintenance, and information
security requirements.
Requirements for business continuity plans include the
following:
• Defined purpose and scope, aligned with relevant
dependencies
• Accessible to and understood by those who will use them
• Owned by a named person(s) who is responsible for their
review, update, and approval
• Defined lines of communication, roles, and responsibilities
• Detailed recovery procedures, manual work-around, and
reference information
• Method for plan invocation

Establish, document, approve, communicate, apply, evaluate

and maintain a security incident response plan, which includes
but is not limited to: relevant internal departments, impacted
CSCs, and other business critical relationships (such as supply-
chain) that may be impacted.
Maintain points of contact for applicable regulation authorities,
national and local law enforcement, and other legal
jurisdictional authorities.
Define and implement, processes, procedures and technical
measures for security breach notifications. Report security
breaches and assumed security breaches including any
relevant supply chain breaches, as per applicable SLAs, laws
and regulations.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for Security Incident
Management, E-Discovery, and Cloud Forensics. Review and
update the policies and procedures at least annually.

Establish, document, approve, communicate, apply, evaluate

and maintain policies and procedures for the timely
management of security incidents. Review and update the
policies and procedures at least annually.
Review all relevant organizational policies and associated
procedures at least annually or when a substantial change
occurs within the organization.

Establish, document, approve, communicate, apply, evaluate

and maintain a security incident response plan, which includes
but is not limited to: relevant internal departments, impacted
CSCs, and other business critical relationships (such as supply-
chain) that may be impacted.

Define, implement and evaluate processes, procedures and

technical measures supporting business processes to triage
security-related events.

Establish, document, approve, communicate, apply, evaluate

and maintain a security incident response plan, which includes
but is not limited to: relevant internal departments, impacted
CSCs, and other business critical relationships (such as supply-
chain) that may be impacted.
Test and update as necessary incident response plans at
planned intervals or upon significant organizational or
environmental changes for effectiveness.

Establish and monitor information security incident metrics.

Define, implement and evaluate processes, procedures and

technical measures for the periodic performance of penetration
testing by independent third parties.

Use a risk-based model for effective prioritization of

vulnerability remediation using an industry recognized
framework.
The following CCM Controls are NOT mapped to the CIS Controls

Independent Assessments A&A-02

Requirements Compliance A&A-04

Audit Management
Process A&A-05

Automated Secure
Application Deployment AIS-06

Business Continuity
Management Policy and
Procedures BCR-01

Risk Assessment and

Impact Analysis BCR-02

Business Continuity
Strategy BCR-03

Business Continuity
Planning BCR-04

Documentation BCR-05

Business Continuity
Exercises BCR-06

Communication BCR-07

Backup BCR-08
Disaster Response Plan BCR-09

Response Plan Exercise BCR-10

Equipment Redundancy BCR-11

Quality Testing CCC-02

Change Management
Technology CCC-03

Unauthorized Change
Protection CCC-04

Change Agreements CCC-05

Change Management
Baseline CCC-06

Detection of Baseline
Deviation CCC-07

Exception Management CCC-08

Change Restoration CCC-09

Encryption and Key

Management Policy and
Procedures CEK-01

CEK Roles and

Responsibilities CEK-02
Encryption Algorithm CEK-04

Encryption Change
Management CEK-05

Encryption Change Cost

Benefit Analysis CEK-06

Encryption Risk
Management CEK-07

CSC Key Management

Capabiility CEK-08

Encryption and Key

Management Audit CEK-09

Key Generation CEK-10

Key Purpose CEK-11

Key Rotation CEK-12

Key Revocation CEK-13

Key Destruction CEK-14

Key Activation CEK-15

Key Suspension CEK-16

Key Deactivation CEK-17

Key Archival CEK-18

Key Compromise CEK-19

Key Recovery CEK-20

Key Inventory
Management CEK-21

Off-Site Equipment
Disposal Policy and
Procedures DCS-01

Off-Site Transfer
Authorization Policy and
Procedures DCS-02

Secure Area Policy and

Procedures DCS-03

Secure Media
Transportation Policy and
Procedures DCS-04

Assets Classification DCS-05

Assets Cataloguing and

Tracking DCS-06

Controlled Access Points DCS-07

Equipment Identification DCS-08

Secure Area Authorization DCS-09

Surveillance System DCS-10

Unauthorized Access
Response Training DCS-11

Cabling Security DCS-12

Environmental Systems DCS-13

Secure Utilities DCS-14

Equipment Location DCS-15

Data Privacy by Design

and Default DSP-08

Data Protection Impact

Assessment DSP-09

Personal Data Access,

Reversal, Rectification and
Deletion DSP-11

Limitation of Purpose in
Personal Data Processing DSP-12

Personal Data Sub-

processing DSP-13

Disclosure of Data Sub-

processors DSP-14
Limitation of Production
Data Use DSP-15

Disclosure Notification DSP-18

Data Location DSP-19

Policy Exception Process GRC-04

Governance Responsibility
Model GRC-06

Information System
Regulatory Mapping GRC-07

Special Interest Groups GRC-08

Background Screening
Policy and Procedures HRS-01

Acceptable Use of
Technology Policy and
Procedures HRS-02

Asset returns HRS-05

Employment Agreement
Process HRS-07

Employment Agreement
Content HRS-08

Non-Disclosure
Agreements HRS-10
Compliance User
Responsibility HRS-13

CSCs Approval for Agreed

Privileged Access Roles IAM-11

Uniquely Identifiable Users IAM-13

Passwords Management IAM-15

Interoperability and
Portability Policy and
Procedures IPY-01

Application Interface
Availability IPY-02

Secure Interoperability
and Portability
Management IPY-03

Data Portability
Contractual Obligations IPY-04

Infrastructure and
Virtualization Security
Policy and Procedures IVS-01

Capacity and Resource

Planning IVS-02

Segmentation and
Segregation IVS-06

Migration to Cloud
Environments IVS-07

Log Protection LOG-09

Encryption Monitoring and
Reporting LOG-10

Transaction/Activity
Logging LOG-11

Access Control Logs LOG-12

SSRM Policy and

Procedures STA-01

SSRM Supply Chain STA-02

SSRM Guidance STA-03

SSRM Control Ownership STA-04

SSRM Documentation
Review STA-05

SSRM Control
Implementation STA-06

Internal Compliance
Testing STA-11

External Library
Vulnerabilities TVM-05

Endpoint Devices Policy

and Procedures UEM-01

Remote Locate UEM-12

e NOT mapped to the CIS Controls

Conduct independent audit and assurance assessments according to relevant standards at least annually.

Verify compliance with all relevant standards, regulations, legal/contractual, and statutory requirements
applicable to the audit.

Define and implement an Audit Management process to support audit planning, risk analysis, security control
assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting
evidence.

Establish and implement strategies and capabilities for secure, standardized, and compliant application
deployment. Automate where possible.

Establish, document, approve, communicate, apply, evaluate and maintain business continuity management and
operational resilience policies and procedures. Review and update the policies and procedures at least annually.

Determine the impact of business disruptions and risks to establish criteria for developing business continuity and
operational resilience strategies and capabilities.

Establish strategies to reduce the impact of, withstand, and recover from business disruptions within risk appetite.

Establish, document, approve, communicate, apply, evaluate and maintain a business continuity plan based on
the results of the operational resilience strategies and capabilities.

Develop, identify, and acquire documentation that is relevant to support the business continuity and operational
resilience programs. Make the documentation available to authorized stakeholders and review periodically.

Exercise and test business continuity and operational resilience plans at least annually or upon significant
changes.

Establish communication with stakeholders and participants in the course of business continuity and resilience
procedures.

Periodically backup data stored in the cloud. Ensure the confidentiality, integrity and availability of the backup,
and verify data restoration from backup for resiliency.
Establish, document, approve, communicate, apply, evaluate and maintain a disaster response plan to recover
from natural and man-made disasters. Update the plan at least annually or upon significant changes.

Exercise the disaster response plan annually or upon significant changes, including if possible local emergency
authorities.

Supplement business-critical equipment with redundant equipment independently located at a reasonable

minimum distance in accordance with applicable industry standards.

Follow a defined quality change control, approval and testing process with established baselines, testing, and
release standards.

Manage the risks associated with applying changes to organization assets, including application, systems,
infrastructure, configuration, etc., regardless of whether the assets are managed internally or externally (i.e.,
outsourced).

Restrict the unauthorized addition, removal, update, and management of organization assets.

Include provisions limiting changes directly impacting CSCs owned environments/tenants to explicitly authorized
requests within service level agreements between CSPs and CSCs.

Establish change management baselines for all relevant authorized changes on organization assets.

Implement detection measures with proactive notification in case of changes deviating from the established
baseline.

Implement a procedure for the management of exceptions, including emergencies, in the change and
configuration process. Align the procedure with the requirements of GRC-04: Policy Exception Process.

Define and implement a process to proactively roll back changes to a previous known good state in case of errors
or security concerns.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for
Cryptography, Encryption and Key Management. Review and update the policies and procedures at least
annually.

Define and implement cryptographic, encryption and key management roles and responsibilities.
Use encryption algorithms that are appropriate for data protection, considering the classification of data,
associated risks, and usability of the encryption technology.

Establish a standard change management procedure, to accommodate changes from internal and external
sources, for review, approval, implementation and communication of cryptographic, encryption and key
management technology changes.

Manage and adopt changes to cryptography-, encryption-, and key management-related systems (including
policies and procedures) that fully account for downstream effects of proposed changes, including residual risk,
cost, and benefits analysis.

Establish and maintain an encryption and key management risk program that includes provisions for risk
assessment, risk treatment, risk context, monitoring, and feedback.

CSPs must provide the capability for CSCs to manage their own data encryption keys.

Audit encryption and key management systems, policies, and processes with a frequency that is proportional to
the risk exposure of the system with audit occurring preferably continuously but at least annually and after any
security event(s).

Generate Cryptographic keys using industry accepted cryptographic libraries specifying the algorithm strength
and the random number generator used.

Manage cryptographic secret and private keys that are provisioned for a unique purpose.

Rotate cryptographic keys in accordance with the calculated cryptoperiod, which includes provisions for
considering the risk of information disclosure and legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to revoke and remove
cryptographic keys prior to the end of its established cryptoperiod, when a key is compromised, or an entity is no
longer part of the organization, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to destroy keys stored outside a
secure environment and revoke keys stored in Hardware Security Modules (HSMs) when they are no longer
needed, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to create keys in a pre-activated
state when they have been generated but not authorized for use, which include provisions for legal and
regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to monitor, review and approve
key transitions from any state to/from suspension, which include provisions for legal and regulatory requirements.
Define, implement and evaluate processes, procedures and technical measures to deactivate keys at the time of
their expiration date, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to manage archived keys in a
secure repository requiring least privilege access, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to use compromised keys to
encrypt information only in controlled circumstance, and thereafter exclusively for decrypting data and never for
encrypting data, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures to assess the risk to operational
continuity versus the risk of the keying material and the information it protects being exposed if control of the
keying material is lost, which include provisions for legal and regulatory requirements.

Define, implement and evaluate processes, procedures and technical measures in order for the key management
system to track and report all cryptographic materials and changes in status, which include provisions for legal
and regulatory requirements.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the
secure disposal of equipment used outside the organization's premises. If the equipment is not physically
destroyed a data destruction procedure that renders recovery of information impossible must be applied. Review
and update the policies and procedures at least annually.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the
relocation or transfer of hardware, software, or data/information to an offsite or alternate location. The relocation
or transfer request requires the written or cryptographically verifiable authorization. Review and update the
policies and procedures at least annually.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for
maintaining a safe and secure working environment in offices, rooms, and facilities. Review and update the
policies and procedures at least annually.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the
secure transportation of physical media. Review and update the policies and procedures at least annually.

Classify and document the physical, and logical assets (e.g., applications) based on the organizational business
risk.

Catalogue and track all relevant physical and logical assets located at all of the CSP's sites within a secured
system.

Implement physical security perimeters to safeguard personnel, data, and information systems. Establish
physical security perimeters between the administrative and business areas and the data storage and processing
facilities areas.

Use equipment identification as a method for connection authentication.

Allow only authorized personnel access to secure areas, with all ingress and egress points restricted,
documented, and monitored by physical access control mechanisms. Retain access control records on a periodic
basis as deemed appropriate by the organization.

Implement, maintain, and operate datacenter surveillance systems at the external perimeter and at all the ingress
and egress points to detect unauthorized ingress and egress attempts.

Train datacenter personnel to respond to unauthorized ingress or egress attempts.

Define, implement and evaluate processes, procedures and technical measures that ensure a risk-based
protection of power and telecommunication cables from a threat of interception, interference or damage at all
facilities, offices and rooms.

Implement and maintain data center environmental control systems that monitor, maintain and test for continual
effectiveness the temperature and humidity conditions within accepted industry standards.

Secure, monitor, maintain, and test utilities services for continual effectiveness at planned intervals.

Keep business-critical equipment away from locations subject to high probability for environmental risk events.

Develop systems, products, and business practices based upon a principle of privacy by design and industry best
practices. Ensure that systems' privacy settings are configured by default, according to all applicable laws and
regulations.

Conduct a Data Protection Impact Assessment (DPIA) to evaluate the origin, nature, particularity and severity of
the risks upon the processing of personal data, according to any applicable laws, regulations and industry best
practices.

Define and implement, processes, procedures and technical measures to enable data subjects to request access
to, modification, or deletion of their personal data, according to any applicable laws and regulations.

Define, implement and evaluate processes, procedures and technical measures to ensure that personal data is
processed according to any applicable laws and regulations and for the purposes declared to the data subject.

Define, implement and evaluate processes, procedures and technical measures for the transfer and sub-
processing of personal data within the service supply chain, according to any applicable laws and regulations.

Define, implement and evaluate processes, procedures and technical measures to disclose the details of any
personal or sensitive data access by sub-processors to the data owner prior to initiation of that processing.
Obtain authorization from data owners, and manage associated risk before replicating or using production data in
non-production environments.
The CSP must have in place, and describe to CSCs the procedure to manage and respond to requests for
disclosure of Personal Data by Law Enforcement Authorities according to applicable laws and regulations. The
CSP must give special attention to the notification procedure to interested CSCs, unless otherwise prohibited,
such as a prohibition under criminal law to preserve confidentiality of a law enforcement investigation.

Define and implement, processes, procedures and technical measures to specify and document the physical
locations of data, including any locations in which data is processed or backed up.

Establish and follow an approved exception process as mandated by the governance program whenever a
deviation from an established policy occurs.

Define and document roles and responsibilities for planning, implementing, operating, assessing, and improving
governance programs.

Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which
are applicable to your organization.

Establish and maintain contact with cloud-related special interest groups and other relevant entities in line with
business context.
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for
background verification of all new employees (including but not limited to remote employees, contractors, and
third parties) according to local laws, regulations, ethics, and contractual constraints and proportional to the data
classification to be accessed, the business requirements, and acceptable risk. Review and update the policies
and procedures at least annually.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for defining
allowances and conditions for the acceptable use of organizationally-owned or managed assets. Review and
update the policies and procedures at least annually.

Establish and document procedures for the return of organization-owned assets by terminated employees.
Employees sign the employee agreement prior to being granted access to organizational information systems,
resources and assets.

The organization includes within the employment agreements provisions and/or terms for adherence to
established information governance and security policies.

Identify, document, and review, at planned intervals, requirements for non-disclosure/confidentiality agreements
reflecting the organization's needs for the protection of data and operational details.
Make employees aware of their roles and responsibilities for maintaining awareness and compliance with
established policies and procedures and applicable legal, statutory, or regulatory compliance obligations.

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the
granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access
roles.

Define, implement and evaluate processes, procedures and technical measures that ensure users are identifiable
through unique IDs or which can associate individuals to the usage of user IDs.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for
Define, implement
interoperability andand evaluate
portability processes,
including procedures
requirements for:and technical measures for the secure management of
passwords.
a. Communications between application interfaces
b. Information processing interoperability
c. Application development portability
d. Information/Data exchange, usage, portability, integrity, and persistence
Review and update the policies and procedures at least annually.

Provide application interface(s) to CSCs so that they programmatically retrieve their data to enable
interoperability and portability.

Implement cryptographically secure and standardized network protocols for the management, import and export
of data.
Agreements must include provisions specifying CSCs access to data upon contract termination and will include:
a. Data format
b. Length of time the data will be stored
c. Scope of the data retained and made available to the CSCs
d. Data deletion policy

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for
infrastructure and virtualization security. Review and update the policies and procedures at least annually.

Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required
system performance as determined by the business.

Design, develop, deploy and configure applications and infrastructures such that CSP and CSC (tenant) user
access and intra-tenant access is appropriately segmented and segregated, monitored and restricted from other
tenants.

Use secure and encrypted communication channels when migrating servers, services, applications, or data to
cloud environments. Such channels must include only up-to-date and approved protocols.

The information system protects audit records from unauthorized access, modification, and deletion.
Establish and maintain a monitoring and internal reporting capability over the operations of cryptographic,
encryption and key management policies, processes, procedures, and controls.

Log and monitor key lifecycle management events to enable auditing and reporting on usage of cryptographic
keys.

Monitor and log physical access using an auditable access control system.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for the
application of the Shared Security Responsibility Model (SSRM) within the organization. Review and update the
policies and procedures at least annually.

Apply, document, implement and manage the SSRM throughout the supply chain for the cloud service offering.

Provide SSRM Guidance to the CSC detailing information about the SSRM applicability throughout the supply
chain.

Delineate the shared ownership and applicability of all CSA CCM controls according to the SSRM for the cloud
service offering.

Review and validate SSRM documentation for all cloud services offerings the organization uses.

Implement, operate, and audit or assess the portions of the SSRM which the organization is responsible for.

Define and implement a process for conducting internal assessments to confirm conformance and effectiveness
of standards, policies, procedures, and service level agreement activities at least annually.

Define, implement and evaluate processes, procedures and technical measures to identify updates for
applications which use third party or open source libraries according to the organization's vulnerability
management policy.

Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for all
endpoints. Review and update the policies and procedures at least annually.

Enable remote geo-location capabilities for all managed mobile endpoints.

3 Audit & Assurance Unmapped

1 Application & Interface Security

Unmapped
Business Continuity Domain unmapped

8 Change Control and Configuration

Management Unmapped
20 Cryptography, Encryption & Key
Management Unmapped
Datacenter Security domain unmapped
9 Data Security & Privacy Lifecycle
Management Unmapped

4 Governance, Risk Management &

Compliance Unmapped
7 Human Resources Unmapped

3 Identity & Access Management

Unmapped

Interoperability & Portability domain

Unmapped

4 Infrastructure & Virtualization Security

Unmapped
4 Logging and Monitoring Unmapped

7 Supply Chain Management,

Transparency, and Accountability
Unmapped

1 Threat & Vulnerability Management

Unmapped

2 Universal Endpoint Management

Unmapped
The following CIS Safeguards are NOT mapped to CSA CCM v4

1.2

1.4

1.5

2.2

2.3

2.4

2.5

2.6

2.7
3.9

4.4

4.6

4.7

4.8

4.9

4.10
5.3
5.6

6.3
6.7
8.3
8.6
8.7
 8.8
8.9

8.12

9.1
9.2

9.3

9.4

9.5
9.6
10.3
10.4

10.5
10.6
10.7

11.1

11.2
11.3

11.4
11.5

12.1

12.3

12.6

12.8
13.2
13.4

13.7
13.10
13.11
 15.2

15.7

16.3

16.5

16.9

16.11

16.14

17.3

17.6

17.8

18.2

18.4

18.5
The following CIS Safeguards are NOT mapped to CSA CCM v4

Address Unauthorized Assets

Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

Use a Passive Asset Discovery Tool

Ensure Authorized Software is Currently Supported

Address Unauthorized Software

Utilize Automated Software Inventory Tools

Allowlist Authorized Software

Allowlist Authorized Libraries

Allowlist Authorized Scripts

Encrypt Data on Removable Media

Implement and Manage a Firewall on Servers

Securely Manage Enterprise Assets and Software

Manage Default Accounts on Enterprise Assets and Software

Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

Configure Trusted DNS Servers on Enterprise Assets

Enforce Automatic Device Lockout on Portable End-User Devices

Disable Dormant Accounts
Centralize Account Management

Require MFA for Externally-Exposed Applications

Centralize Access Control
Ensure Adequate Audit Log Storage
Collect DNS Query Audit Logs
Collect URL Request Audit Logs
Collect Command-Line Audit Logs
Centralize Audit Logs

Collect Service Provider Logs

Ensure Use of Only Fully Supported Browsers and Email Clients

Use DNS Filtering Services

Maintain and Enforce Network-Based URL Filters

Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

Implement DMARC
Block Unnecessary File Types
Disable Autorun and Autoplay for Removable Media
Configure Automatic Anti-Malware Scanning of Removable Media

Enable Anti-Exploitation Features

Centrally Manage Anti-Malware Software
Use Behavior-Based Anti-Malware Software

Establish and Maintain a Data Recovery Process

Perform Automated Backups

Protect Recovery Data

Establish and Maintain an Isolated Instance of Recovery Data

Test Data Recovery

Ensure Network Infrastructure is Up-to-Date

Securely Manage Network Infrastructure

Use of Secure Network Management and Communication Protocols

Establish and Maintain Dedicated Computing Resources for All Administrative Work
Deploy a Host-Based Intrusion Detection Solution
Perform Traffic Filtering Between Network Segments

Deploy a Host-Based Intrusion Prevention Solution

Perform Application Layer Filtering
Tune Security Event Alerting Thresholds
Establish and Maintain a Service Provider Management Policy

Securely Decommission Service Providers

Perform Root Cause Analysis on Security Vulnerabilities

Use Up-to-Date and Trusted Third-Party Software Components

Train Developers in Application Security Concepts and Secure Coding

Leverage Vetted Modules or Services for Application Security Components

Conduct Threat Modeling

Establish and Maintain an Enterprise Process for Reporting Incidents

Define Mechanisms for Communicating During Incident Response

Conduct Post-Incident Reviews

Perform Periodic External Penetration Tests

Validate Security Measures

Perform Periodic Internal Penetration Tests

Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remo
deny the asset from connecting remotely to the network, or quarantine the asset.
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterpris
and use logs to update the enterprise’s asset inventory weekly, or more frequently.
Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to upda
inventory at least weekly, or more frequently.
Ensure that only currently supported software is designated as authorized in the software inventory for enterprise as
unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating
acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review
software support at least monthly, or more frequently.
Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented excep
frequently.

Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documenta
Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be ac
or more frequently.
Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are
process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently.
Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as
are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently.
Encrypt data on removable media.
Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, o
third-party firewall agent.
Securely manage enterprise assets and software. Example implementations include managing configuration through
infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell
Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTT
essential.
Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured v
implementations can include: disabling default accounts or making them unusable.
Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service
service function.
Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use en
servers and/or reputable externally accessible DNS servers.

Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on porta
supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no m
authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuratio
Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
Centralize account management through a directory or identity service.
Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MF
or SSO provider is a satisfactory implementation of this Safeguard.
Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management p
Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Collect URL request audit logs on enterprise assets, where appropriate and supported.
Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™
terminals.
Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Collect service provider logs, where supported. Example implementations include collecting authentication and auth
and disposal events, and user management events.
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest
clients provided through the vendor.
Use DNS filtering services on all enterprise assets to block access to known malicious domains.
Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious o
Example implementations include category-based filtering, reputation-based filtering, or through the use of block list
enterprise assets.
Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, ex
applications.
To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, st
Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
Block unnecessary file types attempting to enter the enterprise’s email gateway.
Disable autorun and autoplay auto-execute functionality for removable media.
Configure anti-malware software to automatically scan removable media.
Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execu
Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
Centrally manage anti-malware software.
Use behavior-based anti-malware software.
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recov
security of backup data. Review and update documentation annually, or when significant enterprise changes occur t
Safeguard.

Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the s
Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based o
Establish and maintain an isolated instance of recovery data. Example implementations include, version controlling b
offline, cloud, or off-site systems or services.
Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets.

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release
currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to
Securely manage network infrastructure. Example implementations include version-controlled-infrastructure-as-code
network protocols, such as SSH and HTTPS.

Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected Access 2 (WPA2) En

Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative
administrative access. The computing resources should be segmented from the enterprise's primary network and no
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Perform traffic filtering between network segments, where appropriate.
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Examp
of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or ga
Tune security event alerting thresholds monthly, or more frequently.
Establish and maintain a service provider management policy. Ensure the policy addresses the classification, invent
and decommissioning of service providers. Review and update the policy annually, or when significant enterprise ch
this Safeguard.
Securely decommission service providers. Example considerations include user and service account deactivation, te
secure disposal of enterprise data within service provider systems.

Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the tas
issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulner
Use up-to-date and trusted third-party software components. When possible, choose established and proven framew
adequate security. Acquire these components from trusted sources or evaluate the software for vulnerabilities before
Ensure that all software development personnel receive training in writing secure code for their specific developmen
responsibilities. Training can include general security principles and application security standard practices. Conduc
design in a way to promote security within the development team, and build a culture of security among the develop

Leverage vetted modules or services for application security components, such as identity management, encryption
Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of d
errors. Modern operating systems provide effective mechanisms for identification, authentication, and authorization a
available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms
provide mechanisms to create and maintain secure audit logs.

Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design fla
code is created. It is conducted through specially trained individuals who evaluate the application design and gauge
point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to
Establish and maintain an enterprise process for the workforce to report security incidents. The process includes rep
report to, mechanism for reporting, and the minimum information to be reported. Ensure the process is publicly avail
Review annually, or when significant enterprise changes occur that could impact this Safeguard.
Determine which primary and secondary mechanisms will be used to communicate and report during a security incid
phone calls, emails, or letters. Keep in mind that certain mechanisms, such as emails, can be affected during a secu
or when significant enterprise changes occur that could impact this Safeguard.

Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through identifying lessons le
Perform periodic external penetration tests based on program requirements, no less than annually. External penetra
enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specializ
must be conducted through a qualified party. The testing may be clear box or opaque box.
Validate security measures after each penetration test. If deemed necessary, modify rulesets and capabilities to dete
testing.

Perform periodic internal penetration tests based on program requirements, no less than annually. The testing may