What are CIS Critical Controls?
The CIS Critical Security Controls are a recommended set of cyber defense actions that provide specific, actionable ways to stop today's attacks. The Controls were created by NSA Red and Blue teams, the US Department of Energy, and some of the top forensics and incident response organizations. The primary goal of the resulting Controls is to identify what needs to be done to stop any known attacks.
The Controls take best-in-class threat data and turn it into actionable guidance for improving security in cyberspace. Too often in cybersecurity, the "attackers" are more organized than the "good guys." These Controls attempt to provide a means to change that outcome and to provide maximum security for an organization.
The list of twenty controls is as follows, and each has its subset of guidance.
As of April 2019, the version of the guidance then introduced divides the Controls into three "Implementation Groups," splitting the Controls into three sections:
With the advent of Implementation Groups, smaller companies do not need to comply with all CIS Controls; however, maximum coverage is most easily achieved by implementing as many as possible.