CIS Controls v8.1 Implementation Groups

The CIS Critical Security Controls® (CIS Controls®) are internationally
recognized for bringing together expert insight about threats, business
technology, and defensive options into an effective, coherent, and simpler
way to manage an organization’s security improvement program. But in our
experience, organizations of every size and complexity still need more help to
get started and to focus their attention and resources.

To that end, we developed Implementation Groups (IGs). IGs are the
recommended guidance to prioritize implementation of the CIS Controls. In
an effort to assist enterprises of every size, IGs are divided into three groups.
They are based on the risk profile and resources an enterprise has available
to them to implement the CIS Controls. Each IG identifies a set of Safeguards
(previously referred to as CIS Sub-Controls), that they need to implement.
There are 153 Safeguards in CIS Controls v8.1.

Every enterprise should start with IG1. IG1 provides effective security value with
technology and processes that are generally already available while providing
a basis for more tailored and sophisticated action if that is warranted. Building
upon IG1, we then identified an additional set of Safeguards for organizations
with more resources and expertise, but also greater risk exposure. This is IG2.
Finally, the rest of the Safeguards make up IG3.

These IGs provide a simple and accessible way to help organizations of
different classes focus their scarce security resources, and still leverage the
value of the CIS Controls program, community, and complementary tools and
working aids.

Essential Cyber Hygiene

CIS Controls v8.1 defines Implementation Group 1 (IG1) as essential cyber
hygiene and represents an emerging minimum standard of information security
for all enterprises. IG1 is the on-ramp to the CIS Controls and consists of a
foundational set of 56 cyber defense Safeguards. The Safeguards included in
IG1 are what every enterprise should apply to defend against the most common
attacks.

For more information, visit www.cisecurity.org/controls.

IG1 (56 cyber defense Safeguards)
IG1 is the definition of essential cyber hygiene and
represents a minimum standard of information security for all
enterprises. IG1 assists enterprises with limited cybersecurity
expertise thwart general, non-targeted attacks.

IG2 (74 additional cyber defense Safeguards)
IG2 assists enterprises managing IT infrastructure
of multiple departments with differing risk profiles.
IG2 aims to help enterprises cope with increased
operational complexity.

IG3 (23 additional cyber defense Safeguards)
IG3 assists enterprises with IT security experts secure
sensitive and confidential data. IG3 aims to prevent and/or
lessen the impact of sophisticated attacks.

Total Safeguards: 153

01 Inventory and Control of Enterprise Assets

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 1.1 | Establish and Maintain Detailed Enterprise Asset Inventory | • | • | • |
| 1.2 | Address Unauthorized Assets | • | • | • |
| 1.3 | Utilize an Active Discovery Tool | | • | • |
| 1.4 | Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory | | • | • |
| 1.5 | Use a Passive Asset Discovery Tool | | | • |

02 Inventory and Control of Software Assets

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 2.1 | Establish and Maintain a Software Inventory | • | • | • |
| 2.2 | Ensure Authorized Software is Currently Supported | • | • | • |
| 2.3 | Address Unauthorized Software | • | • | • |
| 2.4 | Utilize Automated Software Inventory Tools | | • | • |
| 2.5 | Allowlist Authorized Software | | • | • |
| 2.6 | Allowlist Authorized Libraries | | • | • |
| 2.7 | Allowlist Authorized Scripts | | | • |

03 Data Protection

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 3.1 | Establish and Maintain a Data Management Process | • | • | • |
| 3.2 | Establish and Maintain a Data Inventory | • | • | • |
| 3.3 | Configure Data Access Control Lists | • | • | • |
| 3.4 | Enforce Data Retention | • | • | • |
| 3.5 | Securely Dispose of Data | • | • | • |
| 3.6 | Encrypt Data on End-User Devices | • | • | • |
| 3.7 | Establish and Maintain a Data Classification Scheme | | • | • |
| 3.8 | Document Data Flows | | • | • |
| 3.9 | Encrypt Data on Removable Media | | • | • |
| 3.10 | Encrypt Sensitive Data in Transit | | • | • |
| 3.11 | Encrypt Sensitive Data at Rest | | • | • |
| 3.12 | Segment Data Processing and Storage Based on Sensitivity | | • | • |
| 3.13 | Deploy a Data Loss Prevention Solution | | | • |
| 3.14 | Log Sensitive Data Access | | | • |

04 Secure Configuration of Enterprise Assets and Software

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 4.1 | Establish and Maintain a Secure Configuration Process | • | • | • |
| 4.2 | Establish and Maintain a Secure Configuration Process for Network Infrastructure | • | • | • |
| 4.3 | Configure Automatic Session Locking on Enterprise Assets | • | • | • |
| 4.4 | Implement and Manage a Firewall on Servers | • | • | • |
| 4.5 | Implement and Manage a Firewall on End-User Devices | • | • | • |
| 4.6 | Securely Manage Enterprise Assets and Software | • | • | • |
| 4.7 | Manage Default Accounts on Enterprise Assets and Software | • | • | • |
| 4.8 | Uninstall or Disable Unnecessary Services on Enterprise Assets and Software | | • | • |
| 4.9 | Configure Trusted DNS Servers on Enterprise Assets | | • | • |
| 4.10 | Enforce Automatic Device Lockout on Portable End-User Devices | | • | • |
| 4.11 | Enforce Remote Wipe Capability on Portable End-User Devices | | • | • |
| 4.12 | Separate Enterprise Workspaces on Mobile End-User Devices | | | • |

05 Account Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 5.1 | Establish and Maintain an Inventory of Accounts | • | • | • |
| 5.2 | Use Unique Passwords | • | • | • |
| 5.3 | Disable Dormant Accounts | • | • | • |
| 5.4 | Restrict Administrator Privileges to Dedicated Administrator Accounts | • | • | • |
| 5.5 | Establish and Maintain an Inventory of Service Accounts | | • | • |
| 5.6 | Centralize Account Management | | • | • |

06 Access Control Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 6.1 | Establish an Access Granting Process | • | • | • |
| 6.2 | Establish an Access Revoking Process | • | • | • |
| 6.3 | Require MFA for Externally-Exposed Applications | • | • | • |
| 6.4 | Require MFA for Remote Network Access | • | • | • |
| 6.5 | Require MFA for Administrative Access | • | • | • |
| 6.6 | Establish and Maintain an Inventory of Authentication and Authorization Systems | | • | • |
| 6.7 | Centralize Access Control | | • | • |
| 6.8 | Define and Maintain Role-Based Access Control | | | • |

07 Continuous Vulnerability Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 7.1 | Establish and Maintain a Vulnerability Management Process | • | • | • |
| 7.2 | Establish and Maintain a Remediation Process | • | • | • |
| 7.3 | Perform Automated Operating System Patch Management | • | • | • |
| 7.4 | Perform Automated Application Patch Management | • | • | • |
| 7.5 | Perform Automated Vulnerability Scans of Internal Enterprise Assets | | • | • |
| 7.6 | Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets | | • | • |
| 7.7 | Remediate Detected Vulnerabilities | | • | • |

08 Audit Log Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 8.1 | Establish and Maintain an Audit Log Management Process | • | • | • |
| 8.2 | Collect Audit Logs | • | • | • |
| 8.3 | Ensure Adequate Audit Log Storage | • | • | • |
| 8.4 | Standardize Time Synchronization | | • | • |
| 8.5 | Collect Detailed Audit Logs | | • | • |
| 8.6 | Collect DNS Query Audit Logs | | • | • |
| 8.7 | Collect URL Request Audit Logs | | • | • |
| 8.8 | Collect Command-Line Audit Logs | | • | • |
| 8.9 | Centralize Audit Logs | | • | • |
| 8.10 | Retain Audit Logs | | • | • |
| 8.11 | Conduct Audit Log Reviews | | • | • |
| 8.12 | Collect Service Provider Logs | | | • |

09 Email and Web Browser Protections

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | • | • | • |
| 9.2 | Use DNS Filtering Services | • | • | • |
| 9.3 | Maintain and Enforce Network-Based URL Filters | | • | • |
| 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | | • | • |
| 9.5 | Implement DMARC | | • | • |
| 9.6 | Block Unnecessary File Types | | • | • |
| 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | | | • |

10 Malware Defenses

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 10.1 | Deploy and Maintain Anti-Malware Software | • | • | • |
| 10.2 | Configure Automatic Anti-Malware Signature Updates | • | • | • |
| 10.3 | Disable Autorun and Autoplay for Removable Media | • | • | • |
| 10.4 | Configure Automatic Anti-Malware Scanning of Removable Media | | • | • |
| 10.5 | Enable Anti-Exploitation Features | | • | • |
| 10.6 | Centrally Manage Anti-Malware Software | | • | • |
| 10.7 | Use Behavior-Based Anti-Malware Software | | • | • |

11 Data Recovery

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 11.1 | Establish and Maintain a Data Recovery Process | • | • | • |
| 11.2 | Perform Automated Backups | • | • | • |
| 11.3 | Protect Recovery Data | • | • | • |
| 11.4 | Establish and Maintain an Isolated Instance of Recovery Data | • | • | • |
| 11.5 | Test Data Recovery | | • | • |

12 Network Infrastructure Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 12.1 | Ensure Network Infrastructure is Up-to-Date | • | • | • |
| 12.2 | Establish and Maintain a Secure Network Architecture | | • | • |
| 12.3 | Securely Manage Network Infrastructure | | • | • |
| 12.4 | Establish and Maintain Architecture Diagram(s) | | • | • |
| 12.5 | Centralize Network Authentication, Authorization, and Auditing (AAA) | | • | • |
| 12.6 | Use of Secure Network Management and Communication Protocols | | • | • |
| 12.7 | Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure | | • | • |
| 12.8 | Establish and Maintain Dedicated Computing Resources for All Administrative Work | | | • |

13 Network Monitoring and Defense

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 13.1 | Centralize Security Event Alerting | | • | • |
| 13.2 | Deploy a Host-Based Intrusion Detection Solution | | • | • |
| 13.3 | Deploy a Network Intrusion Detection Solution | | • | • |
| 13.4 | Perform Traffic Filtering Between Network Segments | | • | • |
| 13.5 | Manage Access Control for Remote Assets | | • | • |
| 13.6 | Collect Network Traffic Flow Logs | | • | • |
| 13.7 | Deploy a Host-Based Intrusion Prevention Solution | | | • |
| 13.8 | Deploy a Network Intrusion Prevention Solution | | | • |
| 13.9 | Deploy Port-Level Access Control | | | • |
| 13.10 | Perform Application Layer Filtering | | | • |
| 13.11 | Tune Security Event Alerting Thresholds | | | • |

14 Security Awareness and Skills Training

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 14.1 | Establish and Maintain a Security Awareness Program | • | • | • |
| 14.2 | Train Workforce Members to Recognize Social Engineering Attacks | • | • | • |
| 14.3 | Train Workforce Members on Authentication Best Practices | • | • | • |
| 14.4 | Train Workforce on Data Handling Best Practices | • | • | • |
| 14.5 | Train Workforce Members on Causes of Unintentional Data Exposure | • | • | • |
| 14.6 | Train Workforce Members on Recognizing and Reporting Security Incidents | • | • | • |
| 14.7 | Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates | • | • | • |
| 14.8 | Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks | • | • | • |
| 14.9 | Conduct Role-Specific Security Awareness and Skills Training | | • | • |

15 Service Provider Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 15.1 | Establish and Maintain an Inventory of Service Providers | • | • | • |
| 15.2 | Establish and Maintain a Service Provider Management Policy | | • | • |
| 15.3 | Classify Service Providers | | • | • |
| 15.4 | Ensure Service Provider Contracts Include Security Requirements | | • | • |
| 15.5 | Assess Service Providers | | | • |
| 15.6 | Monitor Service Providers | | | • |
| 15.7 | Securely Decommission Service Providers | | | • |

16 Application Software Security

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 16.1 | Establish and Maintain a Secure Application Development Process | | • | • |
| 16.2 | Establish and Maintain a Process to Accept and Address Software Vulnerabilities | | • | • |
| 16.3 | Perform Root Cause Analysis on Security Vulnerabilities | | • | • |
| 16.4 | Establish and Manage an Inventory of Third-Party Software Components | | • | • |
| 16.5 | Use Up-to-Date and Trusted Third-Party Software Components | | • | • |
| 16.6 | Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities | | • | • |
| 16.7 | Use Standard Hardening Configuration Templates for Application Infrastructure | | • | • |
| 16.8 | Separate Production and Non-Production Systems | | • | • |
| 16.9 | Train Developers in Application Security Concepts and Secure Coding | | • | • |
| 16.10 | Apply Secure Design Principles in Application Architectures | | • | • |
| 16.11 | Leverage Vetted Modules or Services for Application Security Components | | • | • |
| 16.12 | Implement Code-Level Security Checks | | | • |
| 16.13 | Conduct Application Penetration Testing | | | • |
| 16.14 | Conduct Threat Modeling | | | • |

17 Incident Response Management

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 17.1 | Designate Personnel to Manage Incident Handling | • | • | • |
| 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | • | • | • |
| 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | • | • | • |
| 17.4 | Establish and Maintain an Incident Response Process | | • | • |
| 17.5 | Assign Key Roles and Responsibilities | | • | • |
| 17.6 | Define Mechanisms for Communicating During Incident Response | | • | • |
| 17.7 | Conduct Routine Incident Response Exercises | | • | • |
| 17.8 | Conduct Post-Incident Reviews | | • | • |
| 17.9 | Establish and Maintain Security Incident Thresholds | | | • |

18 Penetration Testing

| Number | Control/Safeguard | IG1 | IG2 | IG3 |
|---|---|---|---|---|
| 18.1 | Establish and Maintain a Penetration Testing Program | | • | • |
| 18.2 | Perform Periodic External Penetration Tests | | • | • |
| 18.3 | Remediate Penetration Test Findings | | • | • |
| 18.4 | Validate Security Measures | | | • |
| 18.5 | Perform Periodic Internal Penetration Tests | | | • |