Earlier this year, the Center for Internet Security (CIS) released the newest edition of its Critical Security Controls, CIS Controls v7.1. For many organizations, implementing the new controls means reconciling them with other frameworks and compliance obligations, such as mapping them onto the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Both frameworks are substantial pieces of work in their own right, but this post aims to make mapping one onto the other straightforward by breaking each down into its component parts.
How to Map CIS Controls v7.1 to NIST CSF
At their core, the CIS Controls and NIST CSF are similar: robust, flexible frameworks that give direction to your organization’s overall approach to cybersecurity. CIS tends to be more prescriptive, whereas NIST is more flexible. Ultimately, they’re more similar than different.
As such, mapping CIS Controls v7.1 to the NIST CSF comes down to two steps:
- Learning the CIS Controls inside and out
- Learning the NIST CSF and how they relate
By cultivating a deep understanding of what each framework requires, you’ll be able to see where one corresponds to the other. For example, what CIS calls “controls” and “subcontrols” map more or less directly onto what NIST calls “categories” and “subcategories.”
Let’s take a deep dive into each, beginning with CIS.
Understanding the CIS v7.1 Controls
The CIS Controls consist of 20 controls, each a category of cybersecurity practice, arranged in three groups (basic, foundational, and organizational). Each control breaks down into subcontrols (171 in total) that specify particular practices and technologies. Which subcontrols an organization must implement depends on its implementation group (IG); the groups are cumulative:
- Implementation group (IG) 1 – Organizations with limited resources and cybersecurity expertise. IG1 comprises 43 subcontrols, most of them relatively simple.
- Implementation group (IG) 2 – Organizations with moderate resources and dedicated IT and security staff. IG2 adds 97 more demanding subcontrols to IG1’s, for 140 in total.
- Implementation group (IG) 3 – Organizations with the most resources and the greatest risk exposure. IG3 adds the 31 most demanding subcontrols, for all 171.
The subsections that immediately follow will break down each control in detail and link to its individual page, accessible via the controls and resources list. We’ll also provide a synopsis of the subcontrols for each control, including at least one example per control level.
CIS Controls 1-6: Basic
The first tier of controls comprises the most fundamental practices required for baseline cybersecurity. Across 47 subcontrols, 11 apply to IG1, IG2 must follow 38, and IG3 must abide by all 47.
The basic controls break down as follows (IG2 counts include IG1’s; IG3 always covers every subcontrol):
- 1: Inventory and Control of Hardware Assets – Actively track all hardware on the network, using discovery tools, so that only authorized devices are given access. 8 subcontrols (2 for IG1, 6 for IG2).
- 2: Inventory and Control of Software Assets – Actively track all installed software, including whether it is still vendor-supported. 10 subcontrols (3 for IG1, 5 for IG2).
- 3: Continuous Vulnerability Management – Continuously scan for vulnerabilities and remediate them, including automated OS and application patching. 7 subcontrols (2 for IG1, all 7 for IG2).
- 4: Controlled Use of Administrative Privileges – Limit who holds administrative privileges and how they are used. 9 subcontrols (2 for IG1, 8 for IG2).
- 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers – Establish, enforce, and monitor security settings on all hardware and software. 5 subcontrols (1 for IG1, all 5 for IG2).
- 6: Maintenance, Monitoring and Analysis of Audit Logs – Collect, manage, and review audit logs so that attacks can be detected and understood. 8 subcontrols (1 for IG1, 7 for IG2).
A representative subcontrol for the basic level is 2.1, “Maintain Inventory of Authorized Software,” which applies to all 3 IGs. It requires that the organization keep detailed records pertaining to all software authorized for use. For a taste of how complex and robust basic controls get, consider 2.7, “Utilize Application Whitelisting,” which applies only to IG3.
CIS Controls 7-16: Foundational
Foundational controls involve more complication than the basic ones, but they’re still fundamental. Of the 88 total subcontrols, just 22 are required for IG1, but IG2 must follow 70, and IG3 all 88.
Here’s a breakdown of the foundational controls:
- 7: Email and Web Browser Protections – Minimize the attack surface exposed through email clients and web browsers, the two applications attackers most often use to reach users. 10 subcontrols (2 for IG1, 9 for IG2).
- 8: Malware Defenses – Deploy and maintain anti-malware tooling across all systems, with centralized management and logging. 8 subcontrols (3 for IG1, all 8 for IG2).
- 9: Limitation and Control of Network Ports, Protocols, and Services – Track, control, and correct the use of network ports, protocols, and services on networked devices. 5 subcontrols (1 for IG1, 4 for IG2).
- 10: Data Recovery Capabilities – Back up critical data on a schedule and verify that it can be restored after an incident. 5 subcontrols (4 for IG1, all 5 for IG2).
- 11: Secure Configuration for Network Devices, such as Firewalls, Routers and Switches – Establish, enforce, and monitor secure configurations for all network devices. 7 subcontrols (1 for IG1, all 7 for IG2).
- 12: Boundary Defense – Detect, prevent, and correct the flow of information across network boundaries between trust levels. 12 subcontrols (2 for IG1, 8 for IG2).
- 13: Data Protection – Identify and classify sensitive data, and prevent its exfiltration or exposure. 9 subcontrols (3 for IG1, 5 for IG2).
- 14: Controlled Access Based on the Need to Know – Limit access to sensitive data to the people and systems with a business need for it. 9 subcontrols (1 for IG1, 5 for IG2).
- 15: Wireless Access Control – Track, control, and secure the use of wireless LANs, access points, and wireless client devices. 10 subcontrols (2 for IG1, 7 for IG2).
- 16: Account Monitoring and Control – Manage the lifecycle of system and application accounts (creation, use, dormancy, deletion) so that attackers cannot abuse them. 13 subcontrols (3 for IG1, 12 for IG2).
Foundational subcontrols typically look like 9.4: “Apply Host-Based Firewalls or Port-Filtering,” which applies across all 3 IGs. At their most complex, they require intense attention to detail, with practices like encrypting all data stored on USB devices (13.9) or disabling wireless access on devices for which it’s not required (15.4), both of which apply to IG3 only.
CIS Controls 17-20: Organizational
Finally, the third group covers controls that mainly concern governance and organization-wide programs. There are 36 subcontrols; 10 apply to IG1, 32 to IG2, and all 36 to IG3.
- 17: Implement a Security Awareness and Training Program – Identify the skills and behaviors the workforce needs and train for them. 9 subcontrols (6 for IG1, all 9 for IG2).
- 18: Application Software Security – Manage the security lifecycle of in-house developed, hosted, and acquired software. 11 subcontrols (0 for IG1, 10 for IG2).
- 19: Incident Response and Management – Establish an incident response program (plans, roles, training, communications, oversight) for systematic response and recovery. 8 subcontrols (4 for IG1, 7 for IG2).
- 20: Penetration Tests and Red Team Exercises – Test the organization’s defenses by simulating an attacker’s objectives and actions. 8 subcontrols (0 for IG1, 7 for IG2).
Notably, this group contains the only two controls with no IG1 subcontrols at all: 18 and 20. A typical organizational subcontrol is 17.5, “Train Workforce on Secure Authentication,” which applies to all 3 IGs. The most demanding subcontrols, applying only to IG3, include “Create Incident Scoring and Prioritization Schema” (19.8).
Understanding the NIST CSF v1.1
The most recent update to the NIST CSF, version 1.1 (v1.1), was published in April 2018. Like its predecessor, it provides a set of general, outcome-based guidelines that complement an organization’s existing cybersecurity program.
This means that, unlike the CIS Controls, it doesn’t prescribe particular practices or technologies; it describes outcomes and leaves the how to you. That looseness is exactly what makes it easy to map the CIS Controls (or any other framework) onto it.
The NIST CSF is made up of a few key components:
- Core functions (analogous to CIS Control levels)
- Implementation tiers (analogous to CIS implementation groups)
- Institutional profiles, for customizing a company’s implementation plan
As with the CIS Controls above, the subsections below will first describe the NIST’s codified scheme, then briefly touch on how CIS’s maps onto it.
NIST Cybersecurity Framework: Core Functions
The largest component of the CSF is its Core: 5 functions, broken into 23 categories of security outcomes, onto which an organization maps its existing practices or identifies ones to implement.
Understanding these functions is key to mapping the CIS Controls, or any other set of controls, onto the CSF. They break down as follows:
- Identify – Develop an organizational understanding of your systems, people, assets, data, and capabilities, and of the risks to them, so that protections can be planned and prioritized. Outcome categories:
- ID.AM: Asset Management
- ID.BE: Business Environment
- ID.GV: Governance
- ID.RA: Risk Assessment
- ID.RM: Risk Management Strategy
- ID.SC: Supply Chain Risk Management
- Protect – Develop and implement the safeguards that ensure delivery of critical services and limit the impact of a potential event; arguably the most important function of all. Outcome categories:
- PR.AC: Identity Management, Authentication and Access Control
- PR.AT: Awareness and Training
- PR.DS: Data Security
- PR.IP: Information Protection Processes and Procedures (the policies and processes that maintain protections: configuration baselines, change control, backups, the development lifecycle)
- PR.MA: Maintenance
- PR.PT: Protective Technology
- Detect – Develop and implement the monitoring and analysis needed to identify cybersecurity events in a timely manner, so that they can be responded to and recovered from. Outcome categories:
- DE.AE: Anomalies and Events
- DE.CM: Security Continuous Monitoring
- DE.DP: Detection Processes
- Respond – Take action on a detected incident: contain it, limit the attacker’s access to systems and resources, and communicate with stakeholders, setting the stage for recovery. Outcome categories:
- RS.RP: Response Planning
- RS.CO: Communications
- RS.AN: Analysis
- RS.MI: Mitigation
- RS.IM: Improvements
- Recover – Restore capabilities and services impaired by an incident and incorporate lessons learned. Outcome categories:
- RC.RP: Recovery Planning
- RC.IM: Improvements
- RC.CO: Communications
Beneath the functions and categories there is one further level: subcategories, 108 in total, each a specific outcome statement. For example, ID.BE-3 states that priorities for the organization’s mission, objectives, and activities are established and communicated.
In the most basic mapping, NIST functions correspond to the levels of CIS Controls, outcome categories to the controls themselves, and subcategories to subcontrols.
In practice, that correspondence makes mapping as simple as tracing the particular practices you have in place to meet a CIS subcontrol and finding a corresponding subcategory in the NIST scheme. For example, subcontrols within CIS control 17 (Security Awareness and Training) map more or less directly onto subcategories within PR.AT, detailed above.
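To make the tracing described above concrete, here is a small added example (not code from the original post, and not an artifact published by CIS or NIST) that models the subcontrol-to-subcategory crosswalk as data, scopes it by implementation group, and reports which CSF functions a given IG leaves untouched. The sample crosswalk is constructed from the subcontrols named in this post (plus 1.1, assumed here as an IG2 entry so that each IG differs); the CSF subcategory pairings are illustrative approximations, apart from control 17 to PR.AT, which the post itself states. For a real gap analysis, load the CIS-published mapping spreadsheet into the same structure.

```python
"""Illustrative CIS Controls v7.1 -> NIST CSF v1.1 crosswalk with an
implementation-group (IG) scoped coverage and gap check.

Added example: the CIS->CSF pairings below are illustrative approximations
(only "control 17 -> PR.AT" is stated in the post). Use the CIS-published
mapping spreadsheet for an authoritative crosswalk.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# The 23 CSF v1.1 categories, keyed by their official identifiers.
CSF_CATEGORIES = {
    "ID.AM": "Asset Management", "ID.BE": "Business Environment",
    "ID.GV": "Governance", "ID.RA": "Risk Assessment",
    "ID.RM": "Risk Management Strategy", "ID.SC": "Supply Chain Risk Management",
    "PR.AC": "Identity Management, Authentication and Access Control",
    "PR.AT": "Awareness and Training", "PR.DS": "Data Security",
    "PR.IP": "Information Protection Processes and Procedures",
    "PR.MA": "Maintenance", "PR.PT": "Protective Technology",
    "DE.AE": "Anomalies and Events", "DE.CM": "Security Continuous Monitoring",
    "DE.DP": "Detection Processes",
    "RS.RP": "Response Planning", "RS.CO": "Communications", "RS.AN": "Analysis",
    "RS.MI": "Mitigation", "RS.IM": "Improvements",
    "RC.RP": "Recovery Planning", "RC.IM": "Improvements", "RC.CO": "Communications",
}
CSF_FUNCTIONS = ("ID", "PR", "DE", "RS", "RC")
SUBCATEGORY_RE = re.compile(r"^(ID|PR|DE|RS|RC)\.[A-Z]{2}-\d+$")


@dataclass(frozen=True)
class SubControl:
    cis_id: str
    title: str
    min_ig: int   # lowest IG that must implement it; IGs are cumulative
    csf: tuple    # CSF v1.1 subcategory IDs this subcontrol supports


# Constructed sample: the subcontrols named in the post, plus 1.1 as an
# assumed IG2-only entry. Subcategory pairings are illustrative, not official.
CROSSWALK = (
    SubControl("1.1", "Utilize an Active Discovery Tool", 2, ("ID.AM-1",)),
    SubControl("2.1", "Maintain Inventory of Authorized Software", 1, ("ID.AM-2",)),
    SubControl("2.7", "Utilize Application Whitelisting", 3, ("PR.PT-3",)),
    SubControl("9.4", "Apply Host-Based Firewalls or Port-Filtering", 1, ("PR.AC-5",)),
    SubControl("13.9", "Encrypt Data on USB Storage Devices", 3, ("PR.DS-1",)),
    SubControl("15.4", "Disable Wireless Access on Devices if Not Required", 3, ("PR.PT-3",)),
    SubControl("17.5", "Train Workforce on Secure Authentication", 1, ("PR.AT-1",)),
    SubControl("19.8", "Create Incident Scoring and Prioritization Schema", 3, ("RS.AN-4",)),
)


def validate_crosswalk(crosswalk):
    """Return a list of problems: bad IG numbers, or subcategory IDs that are
    malformed or name none of the 23 CSF categories. Empty list means clean."""
    problems = []
    for s in crosswalk:
        if s.min_ig not in (1, 2, 3):
            problems.append(f"{s.cis_id}: IG must be 1, 2 or 3, got {s.min_ig}")
        for sub in s.csf:
            if not SUBCATEGORY_RE.match(sub) or sub.rsplit("-", 1)[0] not in CSF_CATEGORIES:
                problems.append(f"{s.cis_id}: unknown CSF subcategory {sub!r}")
    return problems


def subcontrols_for_ig(ig, crosswalk=CROSSWALK):
    """Subcontrols an organization in IG `ig` must implement (IG1 within IG2 within IG3)."""
    if ig not in (1, 2, 3):
        raise ValueError(f"IG must be 1, 2 or 3, got {ig}")
    return [s for s in crosswalk if s.min_ig <= ig]


def csf_coverage(ig, crosswalk=CROSSWALK):
    """{function: {subcategory: [cis_ids]}} covered by the IG's subcontrols."""
    coverage = defaultdict(lambda: defaultdict(list))
    for s in subcontrols_for_ig(ig, crosswalk):
        for sub in s.csf:
            coverage[sub[:2]][sub].append(s.cis_id)   # "PR.AT-1"[:2] -> "PR"
    return {func: dict(subs) for func, subs in coverage.items()}


def uncovered_functions(ig, crosswalk=CROSSWALK):
    """CSF functions that none of the IG's mapped subcontrols touch: the gaps."""
    covered = csf_coverage(ig, crosswalk)
    return [f for f in CSF_FUNCTIONS if f not in covered]


if __name__ == "__main__":
    assert not validate_crosswalk(CROSSWALK)
    for ig in (1, 2, 3):
        print(f"IG{ig}: {len(subcontrols_for_ig(ig))} subcontrols, "
              f"uncovered CSF functions: {uncovered_functions(ig)}")
```

Run stand-alone, the script shows what a gap report looks like: with this sample, an IG1 organization touches only Identify and Protect, and even IG3 leaves Detect and Recover uncovered, because none of the post’s named subcontrols sits under those functions. The validation step matters when the crosswalk is loaded from a spreadsheet, where a typo such as “PR.XX-1” would otherwise silently create a phantom category.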
NIST Cybersecurity Framework: Implementation Tiers
One complication is that both frameworks scale their expectations to the organization. Like the CIS implementation groups above, the NIST CSF defines tiers, but they work differently: CIS assigns each subcontrol to an IG, whereas NIST does not tag subcategories by tier at all.
Instead, the implementation tiers describe how rigorous and how well integrated an organization’s risk management practices are across all functions:
- Tier 1, Partial – Featuring informal cybersecurity practices, including ad-hoc and reactive (rather than proactive) risk management, as well as limited integration of cybersecurity practices company-wide and poor understanding of the environment.
- Tier 2, Risk informed – Featuring more uniform and formal risk management procedures, as well as a greater, company-wide understanding of and commitment to cybersecurity, both internally and in the greater digital ecosystem.
- Tier 3, Repeatable – Formalized risk management and general cyberdefense practices are commonplace across the entire organization, and there is a sense of responsibility and willingness to contribute to the broader cybersecurity environment.
- Tier 4, Adaptive – Robust and proactive risk assessment and management practices that adjust to upcoming threats as they happen; the company’s cyberdefense is fully integrated into business practices, and it contributes greatly to the security ecosystem.
Importantly, NIST states that the tiers are not maturity levels. Organizations are encouraged to progress toward Tier 4 only where doing so is cost-effective and reduces risk; an organization may legitimately remain at a lower tier if its risk management needs are met there.
Loosely, CIS’s implementation groups line up with NIST’s tiers: IG1 is a baseline, so it corresponds roughly to Tiers 1 and 2, and as organizations move into IG2 and IG3 their practices approach Tiers 3 and 4. Keep in mind that the two measure different things (which safeguards you implement versus how rigorously you manage risk), so treat this correspondence as a heuristic and map to the tiers as fits your organization.
Professional Cybersecurity You Can Trust
Here at RSI Security, we have in-depth knowledge of every element of cybersecurity: not just compliance with CIS and NIST, but every step of planning, building, and implementing your cyberdefense architecture. Our experts have over a decade of experience keeping companies of all shapes and sizes safe from cybercrime.
We’re happy to help you with things like:
- Threat and vulnerability management
- Managed detection and response
- Cybersecurity technical writing
- Incident management
For all that and more, we’re your first and best option. Contact RSI Security today for help mapping CIS Controls v7.1 to the NIST CSF v1.1, as well as all other cybersecurity solutions.