Mapping & Analysis: CIS Critical Security Controls - NIST Risk Management Framework 800-53 Security Controls

  • Organizations:
    • National Institute of Standards and Technology (NIST)
    • Center for Internet Security (CIS)
The Center for Internet Security recently released the latest version of the CIS Critical Security Controls (v8). Although the NIST Risk Management Framework (RMF) is still the most comprehensive library of security controls, I've always appreciated the CIS controls as an overlay for the NIST controls. The CIS controls provide a method to prioritize the sequential implementation of system-level security controls.

The CIS Critical Security Controls comprise the following 18 controls:

  1. Inventory and Control of Enterprise Assets
  2. Inventory and Control of Software Assets
  3. Data Protection
  4. Secure Configuration of Enterprise Assets and Software
  5. Account Management
  6. Access Control Management
  7. Continuous Vulnerability Management
  8. Audit Log Management
  9. Email and Web Browser Protections
  10. Malware Defenses
  11. Data Recovery
  12. Network Infrastructure Management
  13. Network Monitoring and Defense
  14. Security Awareness and Skills Training
  15. Service Provider Management
  16. Application Software Security
  17. Incident Response Management
  18. Penetration Testing

The bar chart below shows the number of NIST security controls used to implement each of the 18 CIS Critical Security Controls. Summary counts by baseline:
  • LOW = 85 NIST security controls
  • MODERATE = 159 NIST security controls
  • HIGH = 161 NIST security controls
Link to corresponding table chart - here.