Under active development — Content is continuously updated and improved

Home / Frameworks / CIS Controls / IG2

CIS Controls v8.1

Critical Security Controls for Effective Cyber Defense

153 All 56 IG1 130 IG2 153 IG3

Showing 130 safeguards in IG2

For organizations with greater risk exposure or more resources

1 — Inventory and Control of Enterprise Assets (4 safeguards)

1.1Establish and Maintain Detailed Enterprise Asset Inventory

1.2Address Unauthorized Assets

1.3Utilize an Active Discovery Tool

1.4Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory

2 — Inventory and Control of Software Assets (6 safeguards)

2.1Establish and Maintain a Software Inventory

2.2Ensure Authorized Software is Currently Supported

2.3Address Unauthorized Software

2.4Utilize Automated Software Inventory Tools

2.5Allowlist Authorized Software

2.6Allowlist Authorized Libraries

3 — Data Protection (12 safeguards)

3.1Establish and Maintain a Data Management Process

3.2Establish and Maintain a Data Inventory

3.3Configure Data Access Control Lists

3.4Enforce Data Retention

3.5Securely Dispose of Data

3.6Encrypt Data on End-User Devices

3.7Establish and Maintain a Data Classification Scheme

3.8Document Data Flows

3.9Encrypt Data on Removable Media

3.10Encrypt Sensitive Data in Transit

3.11Encrypt Sensitive Data at Rest

3.12Segment Data Processing and Storage Based on Sensitivity

4 — Secure Configuration of Enterprise Assets and Software (11 safeguards)

4.1Establish and Maintain a Secure Configuration Process

4.2Establish and Maintain a Secure Configuration Process for Network Infrastructure

4.3Configure Automatic Session Locking on Enterprise Assets

4.4Implement and Manage a Firewall on Servers

4.5Implement and Manage a Firewall on End-User Devices

4.6Securely Manage Enterprise Assets and Software

4.7Manage Default Accounts on Enterprise Assets and Software

4.8Uninstall or Disable Unnecessary Services on Enterprise Assets and Software

4.9Configure Trusted DNS Servers on Enterprise Assets

4.10Enforce Automatic Device Lockout on Portable End-User Devices

4.11Enforce Remote Wipe Capability on Portable End-User Devices

5 — Account Management (6 safeguards)

5.1Establish and Maintain an Inventory of Accounts

5.2Use Unique Passwords

5.3Disable Dormant Accounts

5.4Restrict Administrator Privileges to Dedicated Administrator Accounts

5.5Establish and Maintain an Inventory of Service Accounts

5.6Centralize Account Management

6 — Access Control Management (7 safeguards)

6.1Establish an Access Granting Process

6.2Establish an Access Revoking Process

6.3Require MFA for Externally-Exposed Applications

6.4Require MFA for Remote Network Access

6.5Require MFA for Administrative Access

6.6Establish and Maintain an Inventory of Authentication and Authorization Systems

6.7Centralize Access Control

7 — Continuous Vulnerability Management (7 safeguards)

7.1Establish and Maintain a Vulnerability Management Process

7.2Establish and Maintain a Remediation Process

7.3Perform Automated Operating System Patch Management

7.4Perform Automated Application Patch Management

7.5Perform Automated Vulnerability Scans of Internal Enterprise Assets

7.6Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

7.7Remediate Detected Vulnerabilities

8 — Audit Log Management (11 safeguards)

8.1Establish and Maintain an Audit Log Management Process

8.2Collect Audit Logs

8.3Ensure Adequate Audit Log Storage

8.4Standardize Time Synchronization

8.5Collect Detailed Audit Logs

8.6Collect DNS Query Audit Logs

8.7Collect URL Request Audit Logs

8.8Collect Command-Line Audit Logs

8.9Centralize Audit Logs

8.10Retain Audit Logs

8.11Conduct Audit Log Reviews

9 — Email and Web Browser Protections (6 safeguards)

9.1Ensure Use of Only Fully Supported Browsers and Email Clients

9.2Use DNS Filtering Services

9.3Maintain and Enforce Network-Based URL Filters

9.4Restrict Unnecessary or Unauthorized Browser and Email Client Extensions

9.5Implement DMARC

9.6Block Unnecessary File Types

10 — Malware Defenses (7 safeguards)

10.1Deploy and Maintain Anti-Malware Software

10.2Configure Automatic Anti-Malware Signature Updates

10.3Disable Autorun and Autoplay for Removable Media

10.4Configure Automatic Anti-Malware Scanning of Removable Media

10.5Enable Anti-Exploitation Features

10.6Centrally Manage Anti-Malware Software

10.7Use Behavior-Based Anti-Malware Software

11 — Data Recovery (5 safeguards)

11.1Establish and Maintain a Data Recovery Process

11.2Perform Automated Backups

11.3Protect Recovery Data

11.4Establish and Maintain an Isolated Instance of Recovery Data

11.5Test Data Recovery

12 — Network Infrastructure Management (7 safeguards)

12.1Ensure Network Infrastructure is Up-to-Date

12.2Establish and Maintain a Secure Network Architecture

12.3Securely Manage Network Infrastructure

12.4Establish and Maintain Architecture Diagram(s)

12.5Centralize Network Authentication, Authorization, and Auditing (AAA)

12.6Use of Secure Network Management and Communication Protocols

12.7Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

13 — Network Monitoring and Defense (6 safeguards)

13.1Centralize Security Event Alerting

13.2Deploy a Host-Based Intrusion Detection Solution

13.3Deploy a Network Intrusion Detection Solution

13.4Perform Traffic Filtering Between Network Segments

13.5Manage Access Control for Remote Assets

13.6Collect Network Traffic Flow Logs

14 — Security Awareness and Skills Training (9 safeguards)

14.1Establish and Maintain a Security Awareness Program

14.2Train Workforce Members to Recognize Social Engineering Attacks

14.3Train Workforce Members on Authentication Best Practices

14.4Train Workforce on Data Handling Best Practices

14.5Train Workforce Members on Causes of Unintentional Data Exposure

14.6Train Workforce Members on Recognizing and Reporting Security Incidents

14.7Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates

14.8Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks

14.9Conduct Role-Specific Security Awareness and Skills Training

15 — Service Provider Management (4 safeguards)

15.1Establish and Maintain an Inventory of Service Providers

15.2Establish and Maintain a Service Provider Management Policy

15.3Classify Service Providers

15.4Ensure Service Provider Contracts Include Security Requirements

16 — Application Software Security (11 safeguards)

16.1Establish and Maintain a Secure Application Development Process

16.2Establish and Maintain a Process to Accept and Address Software Vulnerabilities

16.3Perform Root Cause Analysis on Security Vulnerabilities

16.4Establish and Manage an Inventory of Third-Party Software Components

16.5Use Up-to-Date and Trusted Third-Party Software Components

16.6Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities

16.7Use Standard Hardening Configuration Templates for Application Infrastructure

16.8Separate Production and Non-Production Systems

16.9Train Developers in Application Security Concepts and Secure Coding

16.10Apply Secure Design Principles in Application Architectures

16.11Leverage Vetted Modules or Services for Application Security Components

17 — Incident Response Management (8 safeguards)

17.1Designate Personnel to Manage Incident Handling

17.2Establish and Maintain Contact Information for Reporting Security Incidents

17.3Establish and Maintain an Enterprise Process for Reporting Incidents

17.4Establish and Maintain an Incident Response Process

17.5Assign Key Roles and Responsibilities

17.6Define Mechanisms for Communicating During Incident Response

17.7Conduct Routine Incident Response Exercises

17.8Conduct Post-Incident Reviews

18 — Penetration Testing (3 safeguards)

18.1Establish and Maintain a Penetration Testing Program

18.2Perform Periodic External Penetration Tests

18.3Remediate Penetration Test Findings