
CIS Critical Security Controls: Unpacking the Significant Changes in the Latest Version

“May you live in interesting times.”

Cybersecurity professionals live this phrase every day. From supply-chain attacks and pervasive exposure to zero-day vulnerabilities to the dramatic rise in ransomware, we undoubtedly live—and work—in interesting times.

That’s why non-profit organizations like the Center for Internet Security (CIS) provide cyber safety tips, guidelines, instructional videos, and advice for cybersecurity policy development at both national and international levels.

The CIS Critical Security Controls are a prioritized set of actions to protect organizations and their data from cyber attacks. These controls recently underwent a significant update (from v7 to v8) to better address recent changes in the overall cybersecurity ecosystem, including the widespread adoption of cloud-first principles, the prevalence of remote work during a global pandemic, and the variety and velocity of modern cyber attacks.

Here is a quick look at the major changes in version 8.

  • The controls are now grouped by activity rather than by who manages the devices, which has reduced the number of controls from 20 to 18. The change was made to simplify how organizations adopt and incorporate the controls.
  • The CIS Controls are now task-focused.
  • They contain 153 “safeguards”—formerly known as “sub-controls”.
  • The latest version includes a section on Cloud and Mobile Technologies.
  • The version reflects the mind shift of data being the new perimeter, and the increased importance of Identity and Access Management.

Additionally, the latest version of the CIS Critical Security Controls includes the following additions and revisions:

  • New control
    • Control 15, Service Provider Management, provides guidance on how organizations can manage their cloud services
  • Control re-order
    • Data Protection has been moved from Control 13 to Control 3
    • Account Monitoring and Control has been moved from Control 16 to Control 5 and renamed Account Management
  • Control removal
    • Control 9, Limitation of Ports and Protocols
    • Control 12, Boundary Defense
    • Control 15, Wireless Access Control
  • Control merge
    • Control 4, Control of Admin Privileges, and Control 14, Controlled Access Based on Need to Know, have become Control 6, Access Control Management
    • Control 5, Secure Configuration, and Control 11, Security Configuration of Network Devices, have become Control 4, Secure Configuration of Enterprise Assets and Software

The latest update to the CIS Critical Security Controls also recognizes that many of the security concerns that exist within an enterprise data center are shared with cloud environments, stating that “the main challenge in applying best practices is tied to the fact that these systems typically operate software and hardware under different assumed security responsibilities.”

Therefore, CIS has included a Cloud Companion Guide. This guide aims to help security professionals understand the cybersecurity implications of the cloud, as well as how the CIS Controls are applied to the different deployment models of IaaS, PaaS, SaaS, and FaaS. In other words, it hopes to answer this common question: “In the cloud, who is responsible for what?”

For each of the CIS Controls, it provides the following information:

  • Cloud Applicability — assesses the degree to which a CIS Control functions within the cloud space and which service model to consider
  • Cloud Service and Deployment Considerations — further defines who is responsible for the Control within the service model to which it applies, and outlines the CSP consumer’s responsibilities
  • Cloud Additional Considerations — offers additional guidance on the relevant tools, products, or threat information to consider

Whether you are a large enterprise with a mature security program or a small business on a limited budget, the CIS Controls and Cloud Companion Guide add structure, consistency, and efficacy to your overall security posture.

To see how Arctic Wolf can help you meet many of the CIS Controls, visit our compliance solutions page.

About the Author

Tyler Desjardins is a seasoned Cyber Security and IT Professional with 19 years of experience. In those years, he has seen the industry evolve from the days of his first cyber security experience dealing with the Mydoom and Sobig virus outbreaks. With deep and broad expertise in the cybersecurity field, Tyler has held a variety of roles across pre-sales, telecommunications, network operations, security architecture, and security operations. For the last two years, Tyler has been the Senior Manager of Concierge Services at Arctic Wolf, where he is responsible for the delivery of their Concierge Security® Model. Tyler has also been a contributor to the CIS Controls and various Companion Guides for over 5 years.
