| CIS Control | CIS Safeguard | Asset Type | Security Function | Title | Description | IG1 | IG2 | IG3 |
|---|---|---|---|---|---|---|---|---|
| 1 | | | | Inventory and Control of Enterprise Assets | Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate. | | | |
| 1 | 1.1 | Devices | Identify | Establish and Maintain Detailed Enterprise Asset Inventory | Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. | x | x | x |
| 1 | 1.2 | Devices | Respond | Address Unauthorized Assets | Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset. | x | x | x |
| 1 | 1.3 | Devices | Detect | Utilize an Active Discovery Tool | Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently. | | x | x |
| 1 | 1.4 | Devices | Identify | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset inventory weekly, or more frequently. | | x | x |
| 1 | 1.5 | Devices | Detect | Use a Passive Asset Discovery Tool | Use a passive discovery tool to identify assets connected to the enterprise’s network. Review and use scans to update the enterprise’s asset inventory at least weekly, or more frequently. | | | x |
| 2 | | | | Inventory and Control of Software Assets | Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution. | | | |
| 2 | 2.1 | Applications | Identify | Establish and Maintain a Software Inventory | Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. | x | x | x |
| 2 | 2.2 | Applications | Identify | Ensure Authorized Software is Currently Supported | Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise’s mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently. | x | x | x |
| 2 | 2.3 | Applications | Respond | Address Unauthorized Software | Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently. | x | x | x |
| 2 | 2.4 | Applications | Detect | Utilize Automated Software Inventory Tools | Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software. | | x | x |
| 2 | 2.5 | Applications | Protect | Allowlist Authorized Software | Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. | | x | x |
| 2 | 2.6 | Applications | Protect | Allowlist Authorized Libraries | Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. Reassess bi-annually, or more frequently. | | x | x |
| 2 | 2.7 | Applications | Protect | Allowlist Authorized Scripts | Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, .py, etc., files, are allowed to execute. Block unauthorized scripts from executing. Reassess bi-annually, or more frequently. | | | x |
| 3 | | | | Data Protection | Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. | | | |
| 3 | 3.1 | Data | Identify | Establish and Maintain a Data Management Process | Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 3 | 3.2 | Data | Identify | Establish and Maintain a Data Inventory | Establish and maintain a data inventory, based on the enterprise’s data management process. Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, with a priority on sensitive data. | x | x | x |
| 3 | 3.3 | Data | Protect | Configure Data Access Control Lists | Configure data access control lists based on a user’s need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications. | x | x | x |
| 3 | 3.4 | Data | Protect | Enforce Data Retention | Retain data according to the enterprise’s data management process. Data retention must include both minimum and maximum timelines. | x | x | x |
| 3 | 3.5 | Data | Protect | Securely Dispose of Data | Securely dispose of data as outlined in the enterprise’s data management process. Ensure the disposal process and method are commensurate with the data sensitivity. | x | x | x |
| 3 | 3.6 | Devices | Protect | Encrypt Data on End-User Devices | Encrypt data on end-user devices containing sensitive data. Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. | x | x | x |
| 3 | 3.7 | Data | Identify | Establish and Maintain a Data Classification Scheme | Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as “Sensitive,” “Confidential,” and “Public,” and classify their data according to those labels. Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard. | | x | x |
| 3 | 3.8 | Data | Identify | Document Data Flows | Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise’s data management process. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | | x | x |
| 3 | 3.9 | Data | Protect | Encrypt Data on Removable Media | Encrypt data on removable media. | | x | x |
| 3 | 3.10 | Data | Protect | Encrypt Sensitive Data in Transit | Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | | x | x |
| 3 | 3.11 | Data | Protect | Encrypt Sensitive Data at Rest | Encrypt sensitive data at rest on servers, applications, and databases containing sensitive data. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data. | | x | x |
| 3 | 3.12 | Network | Protect | Segment Data Processing and Storage Based on Sensitivity | Segment data processing and storage based on the sensitivity of the data. Do not process sensitive data on enterprise assets intended for lower sensitivity data. | | x | x |
| 3 | 3.13 | Data | Protect | Deploy a Data Loss Prevention Solution | Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's sensitive data inventory. | | | x |
| 3 | 3.14 | Data | Detect | Log Sensitive Data Access | Log sensitive data access, including modification and disposal. | | | x |
| 4 | | | | Secure Configuration of Enterprise Assets and Software | Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications). | | | |
| 4 | 4.1 | Applications | Protect | Establish and Maintain a Secure Configuration Process | Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 4 | 4.2 | Network | Protect | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Establish and maintain a secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 4 | 4.3 | Users | Protect | Configure Automatic Session Locking on Enterprise Assets | Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. | x | x | x |
| 4 | 4.4 | Devices | Protect | Implement and Manage a Firewall on Servers | Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent. | x | x | x |
| 4 | 4.5 | Devices | Protect | Implement and Manage a Firewall on End-User Devices | Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | x | x | x |
| 4 | 4.6 | Network | Protect | Securely Manage Enterprise Assets and Software | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled-infrastructure-as-code and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. | x | x | x |
| 4 | 4.7 | Users | Protect | Manage Default Accounts on Enterprise Assets and Software | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. | x | x | x |
| 4 | 4.8 | Devices | Protect | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function. | | x | x |
| 4 | 4.9 | Devices | Protect | Configure Trusted DNS Servers on Enterprise Assets | Configure trusted DNS servers on enterprise assets. Example implementations include: configuring assets to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers. | | x | x |
| 4 | 4.10 | Devices | Respond | Enforce Automatic Device Lockout on Portable End-User Devices | Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts. | | x | x |
| 4 | 4.11 | Devices | Protect | Enforce Remote Wipe Capability on Portable End-User Devices | Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the enterprise. | | x | x |
| 4 | 4.12 | Devices | Protect | Separate Enterprise Workspaces on Mobile End-User Devices | Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data. | | | x |
| 5 | | | | Account Management | Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software. | | | |
| 5 | 5.1 | Users | Identify | Establish and Maintain an Inventory of Accounts | Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | x | x | x |
| 5 | 5.2 | Users | Protect | Use Unique Passwords | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using MFA and a 14-character password for accounts not using MFA. | x | x | x |
| 5 | 5.3 | Users | Respond | Disable Dormant Accounts | Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported. | x | x | x |
| 5 | 5.4 | Users | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. | x | x | x |
| 5 | 5.5 | Users | Identify | Establish and Maintain an Inventory of Service Accounts | Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. | | x | x |
| 5 | 5.6 | Users | Protect | Centralize Account Management | Centralize account management through a directory or identity service. | | x | x |
| 6 | | | | Access Control Management | Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. | | | |
| 6 | 6.1 | Users | Protect | Establish an Access Granting Process | Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. | x | x | x |
| 6 | 6.2 | Users | Protect | Establish an Access Revoking Process | Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. | x | x | x |
| 6 | 6.3 | Users | Protect | Require MFA for Externally-Exposed Applications | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. | x | x | x |
| 6 | 6.4 | Users | Protect | Require MFA for Remote Network Access | Require MFA for remote network access. | x | x | x |
| 6 | 6.5 | Users | Protect | Require MFA for Administrative Access | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider. | x | x | x |
| 6 | 6.6 | Users | Identify | Establish and Maintain an Inventory of Authentication and Authorization Systems | Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently. | | x | x |
| 6 | 6.7 | Users | Protect | Centralize Access Control | Centralize access control for all enterprise assets through a directory service or SSO provider, where supported. | | x | x |
| 6 | 6.8 | Data | Protect | Define and Maintain Role-Based Access Control | Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently. | | | x |
| 7 | | | | Continuous Vulnerability Management | Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information. | | | |
| 7 | 7.1 | Applications | Protect | Establish and Maintain a Vulnerability Management Process | Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 7 | 7.2 | Applications | Respond | Establish and Maintain a Remediation Process | Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. | x | x | x |
| 7 | 7.3 | Applications | Protect | Perform Automated Operating System Patch Management | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | x | x | x |
| 7 | 7.4 | Applications | Protect | Perform Automated Application Patch Management | Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. | x | x | x |
| 7 | 7.5 | Applications | Identify | Perform Automated Vulnerability Scans of Internal Enterprise Assets | Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool. | | x | x |
| 7 | 7.6 | Applications | Identify | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis. | | x | x |
| 7 | 7.7 | Applications | Respond | Remediate Detected Vulnerabilities | Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process. | | x | x |
| 8 | | | | Audit Log Management | Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. | | | |
| 8 | 8.1 | Network | Protect | Establish and Maintain an Audit Log Management Process | Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 8 | 8.2 | Network | Detect | Collect Audit Logs | Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets. | x | x | x |
| 8 | 8.3 | Network | Protect | Ensure Adequate Audit Log Storage | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. | x | x | x |
| 8 | 8.4 | Network | Protect | Standardize Time Synchronization | Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported. | | x | x |
| 8 | 8.5 | Network | Detect | Collect Detailed Audit Logs | Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation. | | x | x |
| 8 | 8.6 | Network | Detect | Collect DNS Query Audit Logs | Collect DNS query audit logs on enterprise assets, where appropriate and supported. | | x | x |
| 8 | 8.7 | Network | Detect | Collect URL Request Audit Logs | Collect URL request audit logs on enterprise assets, where appropriate and supported. | | x | x |
| 8 | 8.8 | Devices | Detect | Collect Command-Line Audit Logs | Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH, and remote administrative terminals. | | x | x |
| 8 | 8.9 | Network | Detect | Centralize Audit Logs | Centralize, to the extent possible, audit log collection and retention across enterprise assets. | | x | x |
| 8 | 8.10 | Network | Protect | Retain Audit Logs | Retain audit logs across enterprise assets for a minimum of 90 days. | | x | x |
| 8 | 8.11 | Network | Detect | Conduct Audit Log Reviews | Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. | | x | x |
| 8 | 8.12 | Data | Detect | Collect Service Provider Logs | Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events. | | | x |
| 9 | | | | Email and Web Browser Protections | Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement. | | | |
| 9 | 9.1 | Applications | Protect | Ensure Use of Only Fully Supported Browsers and Email Clients | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. | x | x | x |
| 9 | 9.2 | Network | Protect | Use DNS Filtering Services | Use DNS filtering services on all enterprise assets to block access to known malicious domains. | x | x | x |
| 9 | 9.3 | Network | Protect | Maintain and Enforce Network-Based URL Filters | Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets. | | x | x |
| 9 | 9.4 | Applications | Protect | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications. | | x | x |
| 9 | 9.5 | Network | Protect | Implement DMARC | To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards. | | x | x |
| 9 | 9.6 | Network | Protect | Block Unnecessary File Types | Block unnecessary file types attempting to enter the enterprise’s email gateway. | | x | x |
| 9 | 9.7 | Network | Protect | Deploy and Maintain Email Server Anti-Malware Protections | Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing. | | | x |
| 10 | | | | Malware Defenses | Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. | | | |
| 10 | 10.1 | Devices | Protect | Deploy and Maintain Anti-Malware Software | Deploy and maintain anti-malware software on all enterprise assets. | x | x | x |
| 10 | 10.2 | Devices | Protect | Configure Automatic Anti-Malware Signature Updates | Configure automatic updates for anti-malware signature files on all enterprise assets. | x | x | x |
| 10 | 10.3 | Devices | Protect | Disable Autorun and Autoplay for Removable Media | Disable autorun and autoplay auto-execute functionality for removable media. | x | x | x |
| 10 | 10.4 | Devices | Detect | Configure Automatic Anti-Malware Scanning of Removable Media | Configure anti-malware software to automatically scan removable media. | | x | x |
| 10 | 10.5 | Devices | Protect | Enable Anti-Exploitation Features | Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™. | | x | x |
| 10 | 10.6 | Devices | Protect | Centrally Manage Anti-Malware Software | Centrally manage anti-malware software. | | x | x |
| 10 | 10.7 | Devices | Detect | Use Behavior-Based Anti-Malware Software | Use behavior-based anti-malware software. | | x | x |
| 11 | | | | Data Recovery | Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. | | | |
| 11 | 11.1 | Data | Recover | Establish and Maintain a Data Recovery Process | Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. | x | x | x |
| 11 | 11.2 | Data | Recover | Perform Automated Backups | Perform automated backups of in-scope enterprise assets. Run backups weekly, or more frequently, based on the sensitivity of the data. | x | x | x |
| 11 | 11.3 | Data | Protect | Protect Recovery Data | Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. | x | x | x |