The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. They are developed, refined, validated, and supported by a large volunteer community of security experts under the stewardship of the Center for Internet Security (www.cisecurity.org). Contributors, adopters, and supporters are found around the world and come from all types of roles, backgrounds, missions, and businesses. State and local governments, power distributors, transportation agencies, academic institutions, financial services, federal government, and defense contractors are among the hundreds of organizations that have adopted the Controls. They have all implemented the Controls to address the key question: “What needs to be done right now to protect my organization from advanced and targeted attacks?”
The Controls do not attempt to replace comprehensive frameworks such as NIST SP 800-53, ISO 27001, and the NIST Cybersecurity Framework. In fact, the Controls are specifically mentioned in the Cybersecurity Framework, and they align with many other compliance approaches. A key benefit of the Controls is that they prioritize and focus on a smaller number of actions with a high pay-off, aiming for a “must do first” philosophy. Further, the Controls are derived from the most common attack patterns highlighted in the leading threat reports and vetted across a broad community of government and industry practitioners. As a result of the strong consensus upon which they are based, the Controls serve as the basis for immediate high-value action. Enterprises can use the Controls to rapidly define the starting point to assess and improve their defenses, direct their scarce resources toward actions with an immediate and high-value pay-off, and then focus their attention and resources on additional risk issues that are unique to their mission or business. An underlying theme of the Controls is support for large-scale, standards-based security automation for the management of cyber defenses.
The Controls illustrate the kind of large-scale, public-private voluntary cooperation needed to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the “bad guys” collaborate more closely and are better organized than the “good guys.” The Controls provide a means to turn that around.