18 is the New 20

If you are already aware that the Center for Internet Security (CIS) has release a new version of their recommendations, then you will know the headline for this article is taken from their own announcement. The previous version 7 of their so-called “CIS 20” recommendations comprised 20 controls, with various sub controls underneath. The new version 8 has been reduced to only 18 main controls, plus sub controls.

Along with this reduction, some of the major controls and sub controls have been moved around in the list. Conveniently, CIS has created a useful Excel sheet with the differences between v7 and the new v8 listed in a very intuitive manner, which you can download along with the new recommendations.

The CIS has changed the controls to better align with the current threats that we see on the Internet and changes to the regulations and other governance and threat frameworks. To hear CIS tell it, the principles that have governed the creation of the CIS controls v8 include the following (this is a direct quote from the controls document that provides further details):

Our design principles include:

• Offense Informs Defense

– CIS Controls are selected, dropped, and prioritized based on data, and on specific knowledge of attacker behavior and how to stop it

• Focus

– Help defenders identify the most critical things they need to do to stop the most important attacks

– Avoid being tempted to solve every security problem—avoid adding “good things to do” or “things you could do”

• Feasible

– All individual recommendations (Safeguards) must be specific and practical to implement

• Measurable

– All CIS Controls, especially for Implementation Group 1, must be measurable

– Simplify or remove ambiguous language to avoid inconsistent interpretation

– Some Safeguards may have a threshold

• Align

– Create and demonstrate “peaceful co-existence” with other governance, regulatory, process management schemes, framework, and structures

– Cooperate with and point to existing, independent standards and security recommendations where they exist, e.g., National Institute of Standards and Technology® (NIST®), Cloud Security Alliance (CSA), Software Assurance Forum for Excellence in Code (SAFECode), ATT&CK, Open Web Application Security Project® (OWASP®)

What is new?

Last time CIS released a new version of the controls was three years ago. Since then, much has happened in the threat landscape and how businesses operate. Cloud has become, almost, the default choice for new development efforts. Virtualization, mobility, and work from home have all been given a stronger focus in v8 of the CIS controls.

The format of the individual controls has also changed slightly, describing the actions that should be performed by businesses to protect themselves, without specifying who should be the responsible team or individuals. The reason behind this change is essentially borderless networks that are now the norm in most businesses and are mandating a new approach to securing users applications and data.

The streamlining that the new v8 of the controls brings to the table also extends to the naming scheme. In v7 there were sub-controls, which are now termed safeguards, and v8 of the CIS controls includes 153 of them overall. Like before, there are three implementation groups called IG1, IG2, and IG3. However, the designations, such as “basic” and “foundational” are no longer mentioned, although this does not change the way these groups relate to each other. Just as in the previous version, if you want to implement IG2, you first must implement IG1 and be compliant with the CIS controls within the respective groups.

If you are already using CIS in your operational approach to security in your organization, then migrating to v8 should not be that big of an effort on your part. If you are new to the CIS controls, then I highly recommend that you take a look at the updated recommendations, since CIS is much more hands-on than, for instance, ISO 27001.