Mapping & Analysis: CIS Critical Security Controls - NIST Risk Management Framework 800-53 Security Controls

Sources:

• Organizations:
• National Institute of Technology (NIST)
• Center for Internet Security (CIS)

• Data Sources:
• SP 800-53 (r5) Security and Privacy Controls for information Systems and Organzations
• CIS Critical Security Controls (v8)

The Center for Internet Security recently released the latest version of the CIS Critical Security Controls (v8). Although the NIST Risk Management Framework (RMF) is still the most comprehensive library of security controls, I've always appreciated the CIS controls as an overlay for the NIST controls. The CIS controls provide a method to prioritize the sequential implementation of system-level security controls.

The CIS Critical Security Controls are comprised of the following 18 controls:

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

The bar chart below provides the number of NIST security controls to implement each of the 18 CIS Critical Security Controls. Here's some summary baseline count info:

• LOW = 85 NIST security controls
• MODERATE = 159 NIST security controls
• HIGH = 161 NIST security controls

Link to corresponding table chart - here.