CIS Critical Controls

What are CIS Critical Controls?

The CIS Critical Security Controls are a recommended set of cyber defense actions that provide specific and actionable ways to stop today's attacks. The Critical Controls were created by NSA Red and Blue teams, the US Department of Energy, and some of the top forensics and incident response organizations. The primary goal of the resulting controls is to identify what needs to be done to stop known attacks.

The Controls take best-in-class threat data and turn it into actionable guidance for improving security in cyberspace. Too often in cybersecurity, the "attackers" are better organized than the "good guys." These controls attempt to change that outcome and provide maximum security for an organization.

The twenty controls are listed below; each has its own subset of guidance.

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Assessment and Remediation
  • Controlled Use of Administrative Privileges
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defenses
  • Limitation and Control of Network Ports, Protocols, and Services
  • Data Recovery Capabilities
  • Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • Boundary Defense
  • Data Protection
  • Controlled Access Based on the Need to Know
  • Wireless Access Control
  • Account Monitoring and Control
  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

As of April 2019, the guidance divides these Controls into three "Implementation Groups":

  • Implementation Group 1: Applicable to all companies (small to large)
  • Implementation Group 2: Additional Controls for organizations storing sensitive information
  • Implementation Group 3: Additional Controls for organizations storing very sensitive information

With the advent of implementation groups, smaller companies do not need to comply with all CIS Controls; however, the maximum coverage is more easily achieved by implementing as many as possible.

Get a Customized Proposal

Use our Scoping Questionnaire to provide us with the necessary information to put together a proposal for you. Please be as thorough as possible with your responses, as it helps us ensure an accurate and complete proposal.

If you're interested in application penetration testing, you may find this article helpful when formulating your responses: Understanding Application Complexity For Penetration Testing.

If you have any questions, contact us at (952) 836-2770 or schedule a meeting. We will follow up promptly once we receive your responses. We look forward to speaking with you soon.

Having trouble viewing the Scoping Questionnaire? Check to see if an ad-blocker is keeping the page from loading properly.

Dedicated Client Portal

Interact in real-time with your RedTeam security professionals on our user-friendly client portal and see firsthand as the team closes in on your company data.

Certified Security Experts

Our trusted security professionals hold certifications from the leading industry organizations, including OSCP, CASS, CPT, CISSP and more.

Research-Focused Approach

We hold industry-leading certifications and dedicate part of every day to researching the latest exploit techniques, to ensure our clients remain protected from evolving online attacks.

Free Remediation Testing

Once your team addresses remediation recommendations, RedTeam will schedule your retest at no additional charge.