CIS Controls Assessment Specification

The Center for Internet Security (CIS) and Tenable partnered to create a guide to help customers understand how to implement the CIS Controls. Starting with the SANS Top 20 Controls published several years ago, Tenable has continuously helped our customers leverage Tenable.sc (previously SecurityCenter) to understand their security posture using these controls. CIS Controls version 7.1 introduced the concept of Implementation Groups (IGs), which are self-assessed categories for organizations based on specific cybersecurity attributes. The security community has assessed the Controls and identified these 20 controls to be reasonable for an organization to implement. Other standards such as Cybersecurity Maturity Model Certification (CMMC) and Cyber Security Framework (CSF) also have a tiered approach to deployment. By grouping the controls into three categories, the implementation is easier to understand and integrate into security operations.

This guide is focused on Implementation Group 1 (IG1); however, many of the controls have requirements for input that come from active or passive network scanning. As Tenable is a Cyber Exposure and Vulnerability Management company, any guidance provided will best serve the organization with Tenable.sc Continuous View deployed using active and passive scanning. For controls that Tenable is not able to directly assist with, suggestions on how to use Tenable products will be provided to aid in the successful completion of the control.

The 20 CIS Controls are broken down into three categories: Basic, Foundational, and Organizational. The Basic Controls (first six controls) are commonly referred to as the “cyber hygiene” controls. These controls focus on basic security guidelines; for example, Configuration Management, Vulnerability Assessment, and Continuous Monitoring. The next group, Foundational Controls (7 - 16), enables an organization to build a framework for a good security program. The last category, Organizational Controls (final four controls), provides more guidance with respect to people and process.

Tenable assists organizations in taking charge of their cybersecurity program with five steps to successful cybersecurity. These five steps are Discover, Assess, Analyze, Fix, and Measure. For IG1 organizations, these five steps align closely with efforts across the Basic and Foundational categories. With Cyber Hygiene being the focus of the first six controls, these actions align closely with the Discover step. Starting with controls 1 & 2, organizations begin to discover hardware and software assets. The remaining steps (Assess, Analyze, Fix, and Measure) are seen throughout the remaining controls. Controls 3, 4, 5, 8, and 11 are all key aspects of Tenable’s core ability to help assess risk. For the other categories, Tenable can often aid in the understanding of configuration problems or situational context based on discovered vulnerabilities.

By combining Tenable's Five Steps To Cybersecurity Success and the CIS Controls into a unified process, an organization can more easily secure its network. Using the CIS Control Assessment Specification (CAS) as a detailed guide, the security team can easily align their efforts in vulnerability management to meet the CIS Control requirements. Using the inputs and measures found in the CAS, the security team can operationalize the controls and use Tenable.sc as the source of truth for many controls; for other controls, the data within Tenable.sc will add value.

This guide provides a section for each CIS Control, and sub-sections for each Sub-Control. Examples of queries and dashboard use cases are provided. The security team can follow the CAS and this guide for a more successful deployment of the CIS Controls.