Tenable Security Center CAS Dashboard

To help bring all of the CAS controls together under one view, Tenable has created the Implementing the CIS Control Assessment Specification (CAS) dashboard and report for Tenable Security Center. In this dashboard and report, all the controls are brought together with corresponding audit files. A single matrix component exists for each control capturing the defined measures. For each measure there is a corresponding cell that has the vulnerability count and/or host count for each sub-control. Setting the focus allows the security team to use these numbers or queries to generate the needed information for each of the metric calculations.

To install the CAS Implementation Group 1 (IG1) dashboard:

  1. Navigate to the Dashboard page.
  2. Select Add Dashboard under options.
  3. Search for “Implementing the CIS Control Assessment Specification (CAS)”.

     Note: Use quotes when searching for the dashboard.

  4. After selecting the Dashboard, select Add at the bottom of the page.

After installing the dashboard from the feed, take a minute to review the contents of each matrix. This dashboard is specifically designed to work with this guide. For each control where data can be displayed, there is a corresponding matrix. The cells provide the queries for a specific metric or input. The column or row headers indicate the sub-control or the focus related to the sub-control. The first component, in the upper-left corner, is designed to make full use of the questionnaire file CAS Implementation Group 1 Audit File.

With active scanning and passive monitoring activities working, the dashboard initially populates with valuable information that assists with understanding the IG1 requirements. As mentioned throughout the document, the data collected is often beneficial for all IG levels, and for completeness we show the data in IG1, even though the requirement is IG2. For example, focusing on Control 1, the requirement is to maintain an inventory. In the CAS IG1 - Control 1 matrix, the counts provide data that helps to populate the inventory, but they are not themselves the organization's inventory.

Note: For information about scanning and collecting data, see the Tenable Security Center Large Enterprise Deployment Guide and the Tenable Professional Services Scan Strategy Guide.

The results from the CAS Implementation Group 1 Audit File help drive focus on more administrative controls, such as the existence of a policy and where it is located. Risk managers are frequently asked to provide a single report to auditors, and to provide all the data related to the audit. The audit file feature allows risk managers and the security team to provide answers to the audit questions. The first cells provide an indicator of the data collection process. If the answers are any value other than the default of “None” or “No”, the “Data Collected” indicator will be enabled. For any of the questions that are still the default, the “Data Missing” indicator will be enabled. For each of the controls with questions that are present in the audit file, there is a separate question.

The Implementing the CIS Control Assessment Specification (CAS) report provides all the queries listed in the dashboard in a more expanded format. For example, all the indicators list detailed tables with the content presented in an easy-to-understand format. The dashboard and report facilitate cybersecurity success by guiding the organization through the CIS CAS IG1. Risk managers and CISOs are able to review the IG1 steps in CAS, and then focus the operations team on implementing the required controls.

Tenable provides organizations with the means to effectively address a number of the security challenges with implementing the CIS Controls v7 and assists with navigating the CAS. Tenable Security Center Continuous View is the most strategic source to start cyber hygiene for both public and private sector organizations, making foundational cybersecurity more affordable, accessible, and actionable. By providing this guide, dashboard, and report, Tenable is the first and only vendor to automate both the implementation and auditing of an organization’s adherence to IG1, maximizing limited budgets and resource-constrained teams. Tenable Security Center and CAS together help organizations transform the Controls into actionable cybersecurity recommendations and integrate basic cyber hygiene across their operations.