CIS Controls Framework (Center for Internet Security)

A nonprofit organization and trusted resource for public and private sector security

What is a cybersecurity framework?

A cybersecurity framework is a structured set of guidelines, best practices, standards, and methodologies designed to help organizations manage and mitigate cybersecurity risks effectively. These frameworks serve as a blueprint for organizations to establish, implement, and improve their security posture and overall cybersecurity readiness, and to keep improving that posture over time. This structure provides measurable threat prevention by forcing organizations to tackle the highest-frequency attack patterns first.

There are several cybersecurity frameworks available, developed by various organizations and governments, widely adopted by government entities, enterprises, and the nonprofit sector alike, each with its own focus, approach, and target audience. Unlike many standalone cybersecurity standards, the CIS Controls prescribe exactly how to implement each requirement, not just what to do. These frameworks are not mutually exclusive, and organizations often choose to adopt elements from multiple frameworks based on their specific needs, industry regulations, and compliance requirements. The adoption of a cybersecurity framework helps organizations establish a systematic approach to identifying, protecting against, detecting, responding to, and recovering from cybersecurity threats and incidents. When executed well, it transforms abstract guidance into day‑to‑day cyber threat prevention actions that block adversaries early.

What is the CIS Controls Framework?

The CIS Controls Framework is a model for codifying and promoting cybersecurity best practices, offering prescriptive benchmark profiles and prioritized controls for defending against the modern threat landscape. The Center for Internet Security, Inc. (CIS) created the framework and maintains it. The CIS Controls Framework is the result of input from global subject matter experts. The framework includes CIS Benchmarks and best practices based on those experts' experience defending their organizations against a broad set of cyber threats. Many teams operationalize those best practices by launching cloud workloads from CIS Hardened Images and by following detailed configuration policy benchmarks for every OS and service layer. Together, these artifacts establish a defensible security baseline that auditors can measure for drift.

The CIS Framework helps organizations better anticipate shifts in the threat landscape, assess threats, and rapidly adapt to new advanced threats. By prioritizing Safeguards in order of risk, the Controls shrink an organization's overall attack surface in measurable increments. As a result, your security operations center can share information more effectively and ultimately select and implement the best defensive mitigations faster. It is also essential that cyber defenders can share their tools.

The SANS Institute released the framework in 2008 in response to cyberattacks targeting the U.S. Department of Defense and military contractors. The SANS Institute is a private U.S.-based company specializing in information security, cybersecurity training, and certification. SANS training topics include penetration testing, cyber and network defenses, digital forensics, incident response, and auditing. In 2013 SANS approved transferring the framework to the Council on Cybersecurity. It was then moved again to the Center for Internet Security in 2015. Today, thousands of government entities and critical-infrastructure providers rely on CIS guidance. Those who adopt the Benchmarks can advertise that their assets run in a verified CIS secure state.

It might surprise you that in 2008 the very first version of the framework was known as the Consensus Audit Guidelines. Many other names and acronyms describe the framework. You may have heard of it as the CIS Critical Security Controls (CSC), the SANS Top 20, and more. More importantly, the CIS CSC is used by over 30 percent of organizations today.

The CIS CSC Framework defines five critical areas to build a robust cybersecurity defensive posture. The first area is based upon the experience of using information from actual attacks. By better understanding how cyberattacks compromised the targeted systems, cyber defenders benefit from these critical lessons and are better able to design and deploy a comprehensive and highly effective defense. The second area is about prioritizing the critical security controls necessary to provide the best risk reduction against the threats likely in your environment. The third area is about metrics. Standard metrics allow the entire cyber defense team to understand how security measures should perform. The fourth area is continuous measurement and mitigation: you need to understand the relative performance of your security controls and then adjust your plans accordingly. Finally, the rapid speed of response and future growth and scale won't be achievable without automation.

All in all, the CIS CSC includes 20 critical security controls. You will find that each of these security controls, in turn, consists of various sub-controls. All of these together support the five crucial areas defined above. The broad set of capabilities offered by the CIS CSC provides your cyber defense team with one of the best practices available to identify, meet, and defeat dangerous cyber attackers and their tools.

How does CIS CSC Work?

The first step in utilizing CIS CSC is to decide on the specific selection and use of the controls based upon the cybersecurity attributes of the organization that will use them. CIS CSC uses the concept of Implementation Groups (IGs), which let your organization match its critical characteristics to a group and then prioritize how it implements controls to fit its risk profile.

The criteria for the self-classification include how the data used by the organization must be managed, the relative sensitivity and privacy required by that data, and the available services that must be offered and delivered by that organization. Further, the specific technical capabilities of the organization’s cybersecurity team may limit the ability of any organization to implement certain types of controls and the complex automation and integration that they require. Funding and available personnel are also critical limiting factors to be considered carefully. Finally, the CIS Controls Framework requires that organizations perform a risk assessment – it is preferred that organizations use the risk model provided by CIS. The CIS calls its model the CIS Risk Assessment Model (RAM).

CIS Control user organizations must self-select their implementation group. There are three implementation groups as follows:

  • IG1 Implementation Group. The IG1 implementation group is typically a small business with fewer than ten employees.
  • IG2 Implementation Group. A larger organization providing services and products across a more distributed geography might classify as an IG2. Organizations of this size might include several dozen to hundreds of employees.
  • IG3 Implementation Group. The largest enterprise with thousands of employees would likely be self-classified as IG3.

CIS Controls

CIS Controls are grouped into several categories. Because every Control is cross-mapped to frameworks such as ISO 27001, they give teams a head start on wider cybersecurity compliance efforts. Categories include the basic controls (1-6), foundational controls (7-16), and organizational controls (17-20). Basic controls are those that should be implemented in every organization; they are defined as necessary for essential cyber defense readiness. Foundational controls sharpen your technical defenses: they provide technical best practices, deliver more security benefits, and are highly recommended by CIS. Finally, organizational controls are often used by larger enterprises. They focus on the people and processes that support, deliver, and maintain security controls. Together, these controls act as a comprehensive cybersecurity readiness checklist for any organization, from startups to large nonprofit organizations.

The 18 controls are:

  • Inventory and control of enterprise assets
  • Inventory and control of software assets
  • Data protection
  • Secure configuration of enterprise assets and software
  • Account management
  • Access control management
  • Continuous vulnerability management
  • Audit log management
  • Email and web browser protections
  • Malware defenses
  • Data recovery
  • Network infrastructure management
  • Network monitoring and defense
  • Security awareness and skills training
  • Service provider management
  • Application software security
  • Incident response management
  • Penetration testing

Each Safeguard aligns to one or more MITRE ATT&CK techniques, helping blue‑teamers validate real‑world defensive coverage.

The CIS CSC Controls are Compelling

The growth brought by the digital transformation makes it almost impossible for organizations to secure these devices with legacy architectures. Integrating live cyber threat intelligence feeds ensures those protections evolve as attacker tradecraft shifts. The challenge is that too many tools exist in separate and incomplete security stacks. In addition, security policies are often misaligned between these varying security stacks. As a result, while the digital transformation has been significant for enterprises, it has also introduced many new network vulnerabilities for threat actors to exploit.

CISOs are struggling to protect their organizations. The CIS Controls Framework provides the guidance and scale they need to build more effective protection. For many boards, it also demonstrates tangible progress toward mandated cybersecurity compliance benchmarks. In addition, CISOs need to move quickly to protect their enterprise's brand and reputation. As a result, CIS compliance will bring compelling value to most commercial and government organizations. Practitioners pursuing GIAC certification reference the Controls as a hands-on study framework.

Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.

FAQs on CIS Controls Framework

What is the Center for Internet Security (CIS)?

The Center for Internet Security is a nonprofit organization focused on improving cybersecurity globally through collaboration and innovation. It provides a suite of best practice solutions, tools, and services to secure organizations against cyber threats.

What are the CIS Controls?

The CIS Controls are a set of best practices and actions for cyber defense that help organizations prevent and respond to cybersecurity threats. These controls prioritize actions in a way that provides clear guidance to improve an organization’s security posture.

Who can benefit from CIS resources?

CIS resources are beneficial to a wide range of audiences, including small to medium-sized businesses, large enterprises, government agencies, and educational institutions looking to enhance their cybersecurity strategies.

Impact on cybersecurity

How do CIS Controls contribute to cybersecurity today?

By providing a prioritized set of actions and practices, CIS Controls help organizations to systematically protect themselves against cyber threats, ensuring a more secure environment for data management and network usage.

What are the CIS Benchmarks?

The CIS Benchmarks are consensus-based, globally recognized standards for securing IT systems and data against cyber attacks. They are developed through a process involving cybersecurity professionals and practitioners from various industries.

Why are CIS Benchmarks important?

CIS Benchmarks provide detailed configuration guidelines for securely setting up IT systems, which help organizations mitigate the risk of security breaches and ensure compliance with industry and regulatory standards.

How does CIS help in developing cybersecurity policies?

CIS offers frameworks and guidelines that organizations can reference when developing internal cybersecurity policies, ensuring these policies are comprehensive, robust, and up to standard with current cyber threats.

Specific programs and initiatives

What is the Multi-State Information Sharing and Analysis Center (MS-ISAC)?

MS-ISAC is a division of CIS offering support to state, local, tribal, and territorial (SLTT) governments in the United States. It provides threat intelligence, incident response, and cybersecurity best practices.

How does the CIS SecureSuite Membership work?

The CIS SecureSuite Membership provides organizations with access to advanced resources and tools, including automated configuration assessment tools, CIS Controls Pro, and other valuable cybersecurity materials.

What is the role of CIS in election security?

CIS plays a crucial role in election security by working with election officials to ensure the integrity, availability, and confidentiality of election systems. They offer resources, guidelines, and technical support to secure the electoral process.

Adoption and implementation

How can organizations implement CIS Controls and Benchmarks?

Organizations can start by reviewing CIS Controls and Benchmarks to understand their requirements. Using tools and resources from CIS, they can then tailor the implementation process according to their specific risk management needs and cybersecurity goals.

What are the challenges in adopting CIS Controls?

Some of the challenges include resource constraints, lack of expertise, and the complexity of integrating new practices into existing IT environments. However, CIS provides guidance and assistance to help overcome these barriers.

Is CIS alignment recognized in compliance standards?

Many regulatory and compliance standards recognize CIS Controls and Benchmarks as effective frameworks for enhancing security and achieving compliance, including standards like NIST, ISO, and PCI DSS.

What role does community play in developing CIS resources?

CIS resources are developed through an open IT Community process led by volunteer CIS Communities, ensuring recommendations keep pace with emerging threats.

By using the recommended CIS resources, best practices, and community support, organizations strengthen their cybersecurity infrastructure, making it more resilient against current and future cyber threats.

Threat actors aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.

Get started with Bugcrowd
