CIS Controls Version 8.1: What you need to know

The latest version of the CIS Controls was released in June 2024. The new version, 8.1, introduces some minor updates via design principles.

• Context
  • New asset classes are updated to better match the specific parts of an enterprise’s infrastructure that each Safeguard applies to. New classes require new definitions, so CIS has also enhanced the descriptions of several Safeguards for greater detail, practicality, and clarity.
• Coexistence
  • CIS Controls has always maintained alignment with evolving industry standards and frameworks and will continue to do so. This assists all users of the Controls and is a core principle of how the Controls operate. The release of NIST’s CSF 2.0 necessitated updated mappings and updated security functions
• Consistency
  • Traditionally, any iterative update to the CIS Controls should minimize disruption to Controls users. This means that no Implementation Groups were modified in this update, and the spirit of any given Safeguard remains the same. Additionally, the new asset classes and definitions needed to be consistently applied throughout the Controls, and in doing so, some minor updates were added.

With these changes in design principles, CIS Controls v8.1 has made updates to the following:

• Added clarification to a few anemic Safeguard descriptions.
• Revised asset classes alongside new mappings to Safeguards.
• Realigned NIST CSF security function mappings to match NIST CSF 2.0.
• Fixed minor typos in Safeguard descriptions.
• Included new and expanded glossary definitions for reserved words used throughout the Controls.

The most notable improvement for the CIS Controls v8.1 is the addition of “Governance” as a security function. CIS states, “Effective governance provides the structure needed to steer a cybersecurity program toward achieving their enterprise goals.”

With the addition of Governance, topics will now be easier to identify and implement, improving the governance of a cyber security program. This will help adopters better identify the governing pieces of the program as well as equip them with the evidence needed to demonstrate compliance.

18 CIS Controls for Version 8.1

CIS Control 18: Penetration Testing

Proactive security evaluation through penetration testing is vital to uncover vulnerabilities before attackers do. CIS Control 18 distinguishes penetration testing from vulnerability scanning, advocating for both external and internal tests annually.

These tests simulate real-world attacks, allowing organizations to remediate weaknesses and validate security measures. By integrating findings into continuous improvement processes, businesses can maintain a fortified security posture​.

CIS Control 17: Incident Response Management

Incident response readiness is non-negotiable in today’s threat landscape. CIS Control 17 outlines the necessity of designated response teams, clear communication plans, and routine incident simulations.

Establishing thresholds for incidents and conducting post-incident reviews ensures organizations learn and improve from each event. This control focuses on limiting intrusion duration and ensuring coordinated, effective responses to breaches​.

CIS Control 16: Application Software Security

With attackers increasingly targeting applications, secure development practices are critical. CIS Control 16 emphasizes adopting frameworks like NIST SP 800-218 to integrate security into every phase of the software development lifecycle.

From using trusted third-party components to conducting root cause analyses and penetration testing, this control ensures robust application defenses. Training developers on secure coding and applying principles like least privilege further enhance application resilience​.

CIS Control 15: Service Provider Management

Modern enterprises increasingly depend on service providers to handle critical operations and data. CIS Control 15 focuses on ensuring the secure and effective management of these relationships. The control emphasizes maintaining an updated inventory of service providers, classifying them based on factors like data sensitivity and inherent risk, and ensuring contracts include robust security requirements.

Regular assessments and monitoring ensure compliance with enterprise policies while secure decommissioning procedures prevent data exposure when terminating partnerships. By implementing these safeguards, organizations can mitigate risks and maintain control over their extended supply chain​.

CIS Control 14: Security Awareness and Skills Training

Human error remains a significant security risk, making user education crucial. CIS Control 14 advocates for comprehensive security awareness programs, covering phishing recognition, data handling best practices, and social engineering defenses.

Regularly updated, role-specific training ensures employees are prepared for evolving threats. Simulated phishing tests and secure authentication training build a culture of vigilance, minimizing the chances of inadvertent breaches​

CIS Control 13: Network Monitoring and Defense

Continuous monitoring and defense are essential, as no system is immune to cyberattacks. CIS Control 13 highlights the importance of centralized alerting, intrusion detection systems, traffic filtering, and port-level access control. By leveraging real-time and historical data, organizations can analyze attacker behavior and refine their defense strategies.

This proactive approach ensures rapid detection and response to network threats, reducing the potential damage from automated or sophisticated attacks.

CIS Control 12: Network Infrastructure Management

Network infrastructure is the backbone of modern enterprises, but default configurations and overlooked vulnerabilities can weaken security. CIS Control 12 provides a roadmap for maintaining secure networks by updating devices, implementing segmentation, centralizing authentication, and requiring VPNs for remote access.

Regularly updated architecture diagrams and adherence to secure protocols, such as WPA2, further strengthen defenses. These measures promote a resilient, secure, and manageable network environment.

CIS Control 11: Data Recovery

Data loss is inevitable, but recovery preparedness can make all the difference. CIS Control 11 emphasizes a systematic approach to data recovery, starting with prioritizing critical data, automating backups, and safeguarding stored recovery data.

Isolated backup instances and routine recovery tests are vital for resilience against hardware failures, ransomware, or natural disasters. This control aligns with the cybersecurity triad of Confidentiality, Integrity, and Availability, ensuring organizations can restore both data and system integrity post-incident.

CIS Control 10: Malware Defenses

Ransomware and malware continue to challenge enterprises, making robust malware defenses indispensable. CIS Control 10 underscores the criticality of anti-malware solutions and outlines essential steps for effective implementation.

Core measures include deploying centrally managed anti-malware software, ensuring automatic updates, disabling autorun for removable media, and leveraging behavior-based detection systems. These safeguards act as the last line of defense against malware infiltration, reinforcing basic security hygiene while integrating advanced protective measures like anti-exploitation tools. By prioritizing proactive management and maintenance, organizations can significantly mitigate malware risk.

CIS Control 9: Email and Web Browser Protections

Control 9 targets web browsers and email clients as critical entry points for attacks. Organizations should use updated software, enable DNS filtering, and manage extensions. Email security is bolstered by spam filtering, DMARC policies, file-type blocking, and malware scanning. These measures protect users from phishing and other malicious activities​.

CIS Control 8: Audit Log Management

Audit logs are essential for detecting and analyzing security incidents. This control stresses centralized logging, time synchronization, and routine reviews. Logs should detail events, sources, and users. Safeguards include retaining logs for at least 90 days, capturing DNS and command-line activity, and protecting logs from tampering.

Implement centralized logging tools like SIEM systems to automate anomaly detection and support compliance-driven retention requirements​. These practices ensure efficient detection and forensic analysis​.

CIS Control 7: Continuous Vulnerability Management

Vulnerability management involves continuous discovery, prioritization, and remediation of risks. Control 7 emphasizes automated patching for systems and applications, regular vulnerability scans, and robust remediation strategies.

Adopting a cyclical approach ensures known vulnerabilities are addressed promptly, minimizing the attack surface​.

CIS Control 6: Access Control Management

Access control is key to safeguarding assets. Control 6 recommends systematic granting and revocation of access, multi-factor authentication for privileged accounts, and centralized role-based access management.

Maintaining an inventory of authorization systems and enforcing automated processes enhances consistency. Organizations handling sensitive data or subject to regulations benefit greatly from this control.

CIS Control 5: Account Management

Account management underpins security by enforcing strict control over user and service accounts. Enterprises should maintain a centralized inventory, use unique passwords, disable dormant accounts, and restrict administrative privileges.

Multi-factor authentication and regular reviews ensure accounts remain secure and compliant. These measures mitigate the risk of persistent access by attackers.

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Control 4 stresses secure configuration for enterprise devices, software, and networks. Organizations should maintain secure baselines, manage firewalls, enforce automatic session locking, and remove unnecessary services.

Emphasizing layered security, this control also highlights the importance of trusted DNS configurations and remote device management. Regular updates and leveraging frameworks like CIS Benchmarks strengthen overall security​.

CIS Control 3: Data Protection

CIS Control 3 highlights safeguarding sensitive data by answering the “Five Ws” of data management. Enterprises should classify data based on sensitivity, enforce data retention policies, and apply encryption for data at rest and in transit. Other safeguards include securely disposing of data, logging sensitive data access, and deploying data loss prevention tools.

Proper segmentation of data storage ensures robust protection against unauthorized access. Enterprises should also ensure that data flow documentation reflects real-time changes, enhancing segmentation and mitigating exposure risks​.

CIS Control 2: Inventory and Control of Software Assets

Control 2 focuses on tracking and securing software used across enterprise assets. Organizations should maintain a detailed software inventory, ensure authorized software is supported, and address unauthorized software promptly.

Application allowlisting ensures only approved software executes, while automated tools simplify inventory management. This control supports regulatory compliance, reduces risk, and establishes secure baselines for managing software vulnerabilities​.

CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 1 emphasizes maintaining a comprehensive inventory of all enterprise assets, including devices, network components, and servers. Regular updates and active/passive discovery tools ensure accuracy. Addressing unauthorized assets promptly minimizes security risks. Leveraging DHCP logging and configuration tools supports efficient management.

This foundational control is crucial for understanding an organization’s asset landscape and serves as a stepping stone for subsequent controls. Open-source tools can support smaller enterprises, while larger organizations may benefit from advanced commercial solutions.

If you’d like to learn more about how Tripwire can help you with CIS controls, click here!