diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9f11b75 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea/ diff --git a/.gitmodules b/.gitmodules index 05731c2..a5ff78f 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ [submodule "OSCAL"] path = OSCAL url = https://github.com/usnistgov/OSCAL.git +[submodule "OSCAL-CLI"] + path = OSCAL-CLI + url = https://github.com/usnistgov/oscal-cli.git diff --git a/.sdkmanrc b/.sdkmanrc new file mode 100644 index 0000000..7fa392b --- /dev/null +++ b/.sdkmanrc @@ -0,0 +1 @@ +java=19-open diff --git a/OSCAL b/OSCAL index aad9038..fee6dd1 160000 --- a/OSCAL +++ b/OSCAL @@ -1 +1 @@ -Subproject commit aad90386bd4bc63d2c2525378c27b5acf5ef6440 +Subproject commit fee6dd14ca534213c8aa6da540ef5c0c1958f428 diff --git a/OSCAL-CLI b/OSCAL-CLI new file mode 160000 index 0000000..b204ede --- /dev/null +++ b/OSCAL-CLI @@ -0,0 +1 @@ +Subproject commit b204ede4fa6b5898617a4e295c5364b89ee89251 diff --git a/Taskfile.yaml b/Taskfile.yaml new file mode 100644 index 0000000..650bb5d --- /dev/null +++ b/Taskfile.yaml @@ -0,0 +1,46 @@ +version: "3" + +vars: + PROJECT_ROOT: + sh: echo $PWD + +env: + PROJECT_ROOT: "{{.PROJECT_ROOT}}" + OSCAL_CLI_BIN: "{{.PROJECT_ROOT}}/OSCAL-CLI/cli-core/target/cli-core-0.3.1-oscal-cli/bin" + CATALOGS_DIR: "{{.PROJECT_ROOT}}/src/catalogs" + MAPPINGS_DIR: "{{.PROJECT_ROOT}}/src/mappings" + OSCAL_XML_SCHEMA_DIR: "{{.PROJECT_ROOT}}/OSCAL/xml/schema" + +tasks: + sub-init: + cmds: + - git submodule update --init --recursive + build-oscal-cli: + dir: OSCAL-CLI + cmds: + - mvn clean install + oscal-cli: + cmds: + - $OSCAL_CLI_BIN/oscal-cli {{.CLI_ARGS}} + convert-catalogs: + cmds: + - task oscal-cli -- catalog convert --overwrite --to json "$CATALOGS_DIR/xml/cis-controls-v8_OSCAL-1.0.xml" "$CATALOGS_DIR/json/cis-controls-v8_OSCAL-1.0.json" + - task oscal-cli -- catalog convert --overwrite --to yaml "$CATALOGS_DIR/xml/cis-controls-v8_OSCAL-1.0.xml" "$CATALOGS_DIR/yaml/cis-controls-v8_OSCAL-1.0.yaml" + convert-mappings: + cmds: + - task oscal-cli -- mapping-collection convert --overwrite --to json "$MAPPINGS_DIR/xml/CCM_CISControlsv8_Mapping.xml" "$MAPPINGS_DIR/json/CCM_CISControlsv8_Mapping.json" + - task oscal-cli -- mapping-collection convert --overwrite --to yaml "$MAPPINGS_DIR/xml/CCM_CISControlsv8_Mapping.xml" "$MAPPINGS_DIR/yaml/CCM_CISControlsv8_Mapping.yaml" + - task oscal-cli -- mapping-collection convert --overwrite --to json "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.xml" "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.json" + - task oscal-cli -- mapping-collection convert --overwrite --to yaml "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.xml" "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.yaml" + validate-catalogs: + cmds: + - xmllint --noout --schema "$OSCAL_XML_SCHEMA_DIR/oscal_catalog_schema.xsd" "$CATALOGS_DIR/xml/cis-controls-v8_OSCAL-1.0.xml" +# - task oscal-cli -- catalog validate --as xml "$CATALOGS_DIR/xml/cis-controls-v8_OSCAL-1.0.xml" + - task oscal-cli -- catalog validate --as json "$CATALOGS_DIR/json/cis-controls-v8_OSCAL-1.0.json" + - task oscal-cli -- catalog validate --as yaml "$CATALOGS_DIR/yaml/cis-controls-v8_OSCAL-1.0.yaml" + validate-mappings: + cmds: + - xmllint --noout --schema "$OSCAL_XML_SCHEMA_DIR/oscal_mapping_schema.xsd" "$MAPPINGS_DIR/xml/CCM_CISControlsv8_Mapping.xml" + - xmllint --noout --schema "$OSCAL_XML_SCHEMA_DIR/oscal_mapping_schema.xsd" "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.xml" +# - task oscal-cli -- mapping-collection validate --as xml "$MAPPINGS_DIR/xml/CCM_CISControlsv8_Mapping.xml" +# - task oscal-cli -- mapping-collection validate --as xml "$MAPPINGS_DIR/SP_800_53MOD_CISControlsv8_Mapping.xml" diff --git a/src/catalogs/json/cis-controls-v8_OSCAL-1.0.json b/src/catalogs/json/cis-controls-v8_OSCAL-1.0.json new file mode 100644 index 0000000..d023994 --- /dev/null +++ b/src/catalogs/json/cis-controls-v8_OSCAL-1.0.json @@ -0,0 +1,6061 @@ +{ + "catalog" : { + "uuid" : "e95fb23c-57d2-495f-8ab5-2c6b3152bcee", + "metadata" : { + "title" : "CIS Controls", + "last-modified" : "2020-09-20T12:10:00.001-04:00", + "version" : "8.0", + "oscal-version" : "1.0.4", + "props" : [ { + "name" : "keywords", + "value" : "control, assessment" + } ], + "links" : [ { + "href" : "https://controls-assessment-specification.readthedocs.io/en/stable/index.html", + "rel" : "alternate", + "media-type" : "text/html" + } ] + }, + "controls" : [ { + "id" : "cisc-1", + "title" : "Inventory and Control of Enterprise Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Control 1" + }, { + "name" : "sort-id", + "value" : "cisc-01" + } ], + "parts" : [ { + "id" : "cisc-1_stmt", + "name" : "statement", + "prose" : "Actively manage (inventory, track, and correct) all enterprise assets (end-user devices,\nincluding portable and mobile; network devices; non-computing/Internet of Things (IoT) devices;\nand servers) connected to the infrastructure, physically, virtually, remotely, and those within\ncloud environments, to accurately know the totality of assets that need to be monitored and\nprotected within the enterprise. This will also support identifying unauthorized and unmanaged\nassets to remove or remediate." + }, { + "id" : "cisc-1_gdn", + "name" : "guidance", + "prose" : "Enterprises cannot defend what they do not know they have. Managed control of all enterprise\nassets also plays a critical role in security monitoring, incident response, system backup, and\nrecovery. Enterprises should know what data is critical to them, and proper asset management\nwill help identify those enterprise assets that hold or manage this critical data, so\nappropriate security controls can be applied.\n\nExternal attackers are continuously scanning the internet address space of target enterprises,\npremise-based or in the cloud, identifying possibly unprotected assets attached to enterprises’\nnetworks. Attackers can take advantage of new assets that are installed, yet not securely\nconfigured and patched. Internally, unidentified assets can also have weak security\nconfigurations that can make them vulnerable to web or email-based malware; and adversaries can\nleverage weak security configurations for traversing the network, once they are inside.\n\nAdditional assets that connect to the enterprise’s network (e.g., demonstration systems,\ntemporary test systems, guest networks, etc.) should be identified and/or isolated, in order to\nprevent adversarial access from affecting the security of enterprise operations.\n\nLarge, complex, dynamic enterprises understandably struggle with the challenge of managing\nintricate, fast-changing environments. However, attackers have shown the ability, patience, and\nwillingness to \"inventory and control\" our enterprise assets at very large scale in order to\nsupport their opportunities.\n\nAnother challenge is that portable end-user devices will periodically join a network and then\ndisappear, making the inventory of currently available assets very dynamic. Likewise, cloud\nenvironments and virtual machines can be difficult to track in asset inventories when they are\nshut down or paused. Another benefit of complete enterprise asset management is supporting\nincident response. Both when investigating the origination of network traffic from an asset on\nthe network, and to be able to identify all potentially vulnerable, or impacted, assets of\nsimilar type or location during an incident." + } ], + "controls" : [ { + "id" : "cisc-1.1", + "title" : "Establish and Maintain Detailed Enterprise Asset Inventory", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 1.1" + }, { + "name" : "sort-id", + "value" : "cisc-01.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-1.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise\nassets with the potential to store or process data, to include: end-user devices (including\nportable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the\ninventory records the network address (if static), hardware address, machine name, data asset\nowner, department for each asset, and whether the asset has been approved to connect to the\nnetwork. For mobile end-user devices, MDM type tools can support this process, where\nappropriate. This inventory includes assets connected to the infrastructure physically,\nvirtually, remotely, and those within cloud environments. Additionally, it includes assets that\nare regularly connected to the enterprise’s network infrastructure, even if they are not under\ncontrol of the enterprise. Review and update the inventory of all enterprise assets\nbi-annually, or more frequently." + } ] + }, { + "id" : "cisc-1.2", + "title" : "Address Unauthorized Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 1.2" + }, { + "name" : "sort-id", + "value" : "cisc-01.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-1.2_stmt", + "name" : "statement", + "prose" : "Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise\nmay choose to remove the asset from the network, deny the asset from connecting remotely to the\nnetwork, or quarantine the asset." + } ] + }, { + "id" : "cisc-1.3", + "title" : "Utilize an Active Discovery Tool", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 1.3" + }, { + "name" : "sort-id", + "value" : "cisc-01.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-1.3_stmt", + "name" : "statement", + "prose" : "Utilize an active discovery tool to identify assets connected to the enterprise’s network.\nConfigure the active discovery tool to execute daily, or more frequently." + } ] + }, { + "id" : "cisc-1.4", + "title" : "Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 1.4" + }, { + "name" : "sort-id", + "value" : "cisc-01.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-1.4_stmt", + "name" : "statement", + "prose" : "Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to\nupdate the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset\ninventory weekly, or more frequently." + } ] + }, { + "id" : "cisc-1.5", + "title" : "Use a Passive Asset Discovery Tool", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 1.5" + }, { + "name" : "sort-id", + "value" : "cisc-01.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.2", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-1.5_stmt", + "name" : "statement", + "prose" : "Use a passive discovery tool to identify assets connected to the enterprise’s network. Review\nand use scans to update the enterprise’s asset inventory at least weekly, or more\nfrequently." + } ] + } ] + }, { + "id" : "cisc-2", + "title" : "Inventory and Control of Software Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Control 2" + }, { + "name" : "sort-id", + "value" : "cisc-02" + } ], + "parts" : [ { + "id" : "cisc-2_stmt", + "name" : "statement", + "prose" : "Actively manage (inventory, track, and correct) all software (operating systems and\napplications) on the network so that only authorized software is installed and can execute, and\nthat unauthorized and unmanaged software is found and prevented from installation or\nexecution." + }, { + "id" : "cisc-2_gdn", + "name" : "guidance", + "prose" : "A complete software inventory is a critical foundation for preventing attacks. Attackers\ncontinuously scan target enterprises looking for vulnerable versions of software that can be\nremotely exploited. For example, if a user opens a malicious website or attachment with a\nvulnerable browser, an attacker can often install backdoor programs and bots that give the\nattacker long-term control of the system. Attackers can also use this access to move laterally\nthrough the network. One of the key defenses against these attacks is updating and patching\nsoftware. However, without a complete inventory of software assets, an enterprise cannot\ndetermine if they have vulnerable software, or if there are potential licensing violations.\n\nEven if a patch is not yet available, a complete software inventory list allows an enterprise\nto guard against known attacks until the patch is released. Some sophisticated attackers use\n\"zero-day exploits\", which take advantage of previously unknown vulnerabilities that have yet to\nhave a patch released by the software vendor. Depending on the severity of the exploit, an\nenterprise can implement temporary mitigation measures to guard against attacks until the patch\nis released.\n\nManagement of software assets is also important to identify unnecessary security risks. An\nenterprise should review their software inventory to identify any enterprise assets running\nsoftware that is not needed for business purposes. For example, an enterprise asset may come\ninstalled with default software that creates a potential security risk and provides no benefit\nto the enterprise. It is critical to inventory, understand, assess, and manage all software\nconnected to an enterprise’s infrastructure." + } ], + "controls" : [ { + "id" : "cisc-2.1", + "title" : "Establish and Maintain a Software Inventory", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.1" + }, { + "name" : "sort-id", + "value" : "cisc-02.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-2.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a detailed inventory of all licensed software installed on enterprise\nassets. The software inventory must document the title, publisher, initial install/use date,\nand business purpose for each entry; where appropriate, include the Uniform Resource Locator\n(URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update\nthe software inventory bi-annually, or more frequently." + } ] + }, { + "id" : "cisc-2.2", + "title" : "Ensure Authorized Software is Currently Supported", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.2" + }, { + "name" : "sort-id", + "value" : "cisc-02.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-1.2_stmt", + "name" : "statement", + "prose" : "Ensure that only currently supported software is designated as authorized in the software\ninventory for enterprise assets. If software is unsupported yet necessary for the fulfillment\nof the enterprise’s mission, document an exception detailing mitigating controls and residual\nrisk acceptance. For any unsupported software without an exception documentation, designate as\nunauthorized. Review the software list to verify software support at least monthly, or more\nfrequently." + } ] + }, { + "id" : "cisc-2.3", + "title" : "Address Unauthorized Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.3" + }, { + "name" : "sort-id", + "value" : "cisc-02.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-2.3_stmt", + "name" : "statement", + "prose" : "Ensure that unauthorized software is either removed from use on enterprise assets or receives\na documented exception. Review monthly, or more frequently." + } ] + }, { + "id" : "cisc-2.4", + "title" : "Utilize Automated Software Inventory Tools", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.4" + }, { + "name" : "sort-id", + "value" : "cisc-02.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.3", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-2.4_stmt", + "name" : "statement", + "prose" : "Utilize software inventory tools, when possible, throughout the enterprise to automate the\ndiscovery and documentation of installed software." + } ] + }, { + "id" : "cisc-2.5", + "title" : "Allowlist Authorized Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.5" + }, { + "name" : "sort-id", + "value" : "cisc-02.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.3", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-2.5_stmt", + "name" : "statement", + "prose" : "Use technical controls, such as application allowlisting, to ensure that only authorized\nsoftware can execute or be accessed. Reassess bi-annually, or more frequently." + } ] + }, { + "id" : "cisc-2.6", + "title" : "Allowlist Authorized Libraries", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.6" + }, { + "name" : "sort-id", + "value" : "cisc-02.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.5", + "rel" : "dependency" + }, { + "href" : "cisc-4.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-2.6_stmt", + "name" : "statement", + "prose" : "Use technical controls to ensure that only authorized software libraries, such as specific\n.dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized\nlibraries from loading into a system process. Reassess bi-annually, or more frequently." + } ] + }, { + "id" : "cisc-2.7", + "title" : "Allowlist Authorized Scripts", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 2.7" + }, { + "name" : "sort-id", + "value" : "cisc-02.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-2.7_stmt", + "name" : "statement", + "prose" : "Use technical controls, such as digital signatures and version control, to ensure that only\nauthorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block\nunauthorized scripts from executing. Reassess bi-annually, or more frequently." + } ] + } ] + }, { + "id" : "cisc-3", + "title" : "Data Protection", + "props" : [ { + "name" : "label", + "value" : "CIS Control 3" + }, { + "name" : "sort-id", + "value" : "cisc-03" + } ], + "parts" : [ { + "id" : "cisc-3_stmt", + "name" : "statement", + "prose" : "Develop processes and technical controls to identify, classify, securely handle, retain, and\ndispose of data." + }, { + "id" : "cisc-3_gdn", + "name" : "guidance", + "prose" : "Data is no longer only contained within an enterprise’s border, it is in the cloud, on\nportable end-user devices where users work from home, and is often shared with partners or\nonline services who might have it anywhere in the world. In addition to sensitive data an\nenterprise holds related to finances, intellectual property, and customer data, there also might\nbe numerous international regulations for protection of personal data. Data privacy has become\nincreasingly important, and enterprises are learning that privacy is about the appropriate use\nand management of data, not just encryption. Data must be appropriately managed through its\nentire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any\nsize, however there are fundamentals that can apply to all.\n\nOnce attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to\nfind and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their\nenvironment because they are not monitoring data outflows.\n\nWhile many attacks occur on the network, others involve physical theft of portable end-user\ndevices, attacks on service providers or other partners holding sensitive data. Other sensitive\nenterprise assets may also include non-computing devices that provide management and control of\nphysical systems, such as Supervisory Control and Data Acquisition (SCADA) systems.\n\nThe enterprise’s loss of control over protected or sensitive data is a serious and often\nreportable business impact. While some data is compromised or lost as a result of theft or\nespionage, the vast majority are a result of poorly understood data management rules, and user\nerror. The adoption of data encryption, both in transit and at rest, can provide mitigation\nagainst data compromise, and more importantly, is a regulatory requirement for most controlled\ndata." + } ], + "controls" : [ { + "id" : "cisc-3.1", + "title" : "Establish and Maintain a Data Management Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.1" + }, { + "name" : "sort-id", + "value" : "cisc-03.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-3.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a data management process. In the process, address data sensitivity,\ndata owner, handling of data, data retention limits, and disposal requirements, based on\nsensitivity and retention standards for the enterprise. Review and update documentation\nannually, or when significant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-3.2", + "title" : "Establish and Maintain a Data Inventory", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.2" + }, { + "name" : "sort-id", + "value" : "cisc-03.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a data inventory, based on the enterprise’s data management process.\nInventory sensitive data, at a minimum. Review and update inventory annually, at a minimum,\nwith a priority on sensitive data." + } ] + }, { + "id" : "cisc-3.3", + "title" : "Configure Data Access Control Lists", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.3" + }, { + "name" : "sort-id", + "value" : "cisc-03.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.2", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.3_stmt", + "name" : "statement", + "prose" : "Configure data access control lists based on a user’s need to know. Apply data access control\nlists, also known as access permissions, to local and remote file systems, databases, and\napplications." + } ] + }, { + "id" : "cisc-3.4", + "title" : "Enforce Data Retention", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.4" + }, { + "name" : "sort-id", + "value" : "cisc-03.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.1", + "rel" : "dependency" + }, { + "href" : "cisc-3.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.4_stmt", + "name" : "statement", + "prose" : "Retain data according to the enterprise’s data management process. Data retention must\ninclude both minimum and maximum timelines." + } ] + }, { + "id" : "cisc-3.5", + "title" : "Securely Dispose of Data", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.5" + }, { + "name" : "sort-id", + "value" : "cisc-03.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.1", + "rel" : "dependency" + }, { + "href" : "cisc-3.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.5_stmt", + "name" : "statement", + "prose" : "Securely dispose of data as outlined in the enterprise’s data management process. Ensure the\ndisposal process and method are commensurate with the data sensitivity." + } ] + }, { + "id" : "cisc-3.6", + "title" : "Encrypt Data on End-User Devices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.6" + }, { + "name" : "sort-id", + "value" : "cisc-03.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.6_stmt", + "name" : "statement", + "prose" : "Encrypt data on end-user devices containing sensitive data. Example implementations can\ninclude, Windows BitLocker®, Apple FileVault®, Linux® dm-crypt." + } ] + }, { + "id" : "cisc-3.7", + "title" : "Establish and Maintain a Data Classification Scheme", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.7" + }, { + "name" : "sort-id", + "value" : "cisc-03.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.1", + "rel" : "dependency" + }, { + "href" : "cisc-3.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.7_stmt", + "name" : "statement", + "prose" : "Establish and maintain an overall data classification scheme for the enterprise. Enterprises\nmay use labels, such as \"Sensitive\", \"Confidential\" and \"Public\", and classify their data\naccording to those labels. Review and update the classification scheme annually, or when\nsignificant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-3.8", + "title" : "Document Data Flows", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.8" + }, { + "name" : "sort-id", + "value" : "cisc-03.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.1", + "rel" : "dependency" + }, { + "href" : "cisc-3.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.8_stmt", + "name" : "statement", + "prose" : "Document data flows. Data flow documentation includes service provider data flows and should\nbe based on the enterprise?s data management process. Review and update documentation annually,\nor when significant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-3.9", + "title" : "Encrypt Data on Removable Media", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.9" + }, { + "name" : "sort-id", + "value" : "cisc-03.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.9_stmt", + "name" : "statement", + "prose" : "Encrypt data on removable media." + } ] + }, { + "id" : "cisc-3.10", + "title" : "Encrypt Sensitive Data in Transit", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.10" + }, { + "name" : "sort-id", + "value" : "cisc-03.10" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.2", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.10_stmt", + "name" : "statement", + "prose" : "Encrypt sensitive data in transit. Example implementations can include, Transport Layer\nSecurity (TLS) and Open Secure Shell (OpenSSH)." + } ] + }, { + "id" : "cisc-3.11", + "title" : "Encrypt Sensitive Data At Rest", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.11" + }, { + "name" : "sort-id", + "value" : "cisc-03.11" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.11_stmt", + "name" : "statement", + "prose" : "Encrypt sensitive data at rest on servers, applications, and databases containing sensitive\ndata. Storage-layer encryption, also known as server-side encryption, meets the minimum\nrequirement of this Safeguard. Additional encryption methods may include application-layer\nencryption, also known as client-side encryption, where access to the data storage device(s)\ndoes not permit access to the plain-text data." + } ] + }, { + "id" : "cisc-3.12", + "title" : "Segment Data Processing and Storage Based on Sensitivity", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.12" + }, { + "name" : "sort-id", + "value" : "cisc-03.12" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "nhttps://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-3.2", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.12_stmt", + "name" : "statement", + "prose" : "Segment data processing and storage, based on the sensitivity of the data. Do not process\nsensitive data on enterprise assets intended for lower sensitivity data." + } ] + }, { + "id" : "cisc-3.13", + "title" : "Segment Data Processing and Storage Based on Sensitivity", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.13" + }, { + "name" : "sort-id", + "value" : "cisc-03.13" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "nhttps://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-3.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.13_stmt", + "name" : "statement", + "prose" : "Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify\nall sensitive data stored, processed, or transmitted through enterprise assets, including those\nlocated onsite or at a remote service provider, and update the enterprise’s sensitive data\ninventory." + } ] + }, { + "id" : "cisc-3.14", + "title" : "Log Sensitive Data Access", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 3.14" + }, { + "name" : "sort-id", + "value" : "cisc-03.14" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "nhttps://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-3.14_stmt", + "name" : "statement", + "prose" : "Log sensitive data access, including modification and disposal." + } ] + } ] + }, { + "id" : "cisc-4", + "title" : "Secure Configuration of Enterprise Assets and Software", + "props" : [ { + "name" : "label", + "value" : "CIS Control 4" + }, { + "name" : "sort-id", + "value" : "cisc-04" + } ], + "parts" : [ { + "id" : "cisc-4_stmt", + "name" : "statement", + "prose" : "Establish and maintain the secure configuration of enterprise assets (end-user devices,\nincluding portable and mobile; network devices; non-computing/IoT devices; and servers) and\nsoftware (operating systems and applications)." + }, { + "id" : "cisc-4_gdn", + "name" : "guidance", + "prose" : "As delivered from manufacturers and resellers, the default configurations for enterprise\nassets and software are normally geared towards ease-of-deployment and ease-of-use rather than\nsecurity. Basic controls, open services and ports, default accounts or passwords, pre-configured\nDomain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of\nunnecessary software can all be exploitable if left in their default state. Further, these\nsecurity configuration updates need to be managed and maintained over the life cycle of\nenterprise assets and software. Configuration updates need to be tracked and approved through\nconfiguration management workflow process to maintain a record that can be reviewed for\ncompliance, leveraged for incident response, and to support audits. This CIS Control is\nimportant to on-premises devices, as well as remote devices, network devices, and cloud\nenvironments.\n\nService providers play a key role in modern infrastructures, especially for smaller\nenterprises. They often are not set up by default in the most secure configuration to provide\nflexibility for their customers to apply their own security policies. Therefore, the presence of\ndefault accounts or passwords, excessive access, or unnecessary services are common in default\nconfigurations. These could introduce weaknesses that are under the responsibility of the\nenterprise that is using the software, rather than the service provider. This extends to ongoing\nmanagement and updates, as some Platform as a Service (PaaS) only extend to the operating\nsystem, so patching and updating hosted applications are under the responsibility of the\nenterprise.\n\nEven after a strong initial configuration is developed and applied, it must be continually\nmanaged to avoid degrading security as software is updated or patched, new security\nvulnerabilities are reported, and configurations are \"tweaked,\" to allow the installation of new\nsoftware or to support new operational requirements." + } ], + "controls" : [ { + "id" : "cisc-4.1", + "title" : "Establish and Maintain a Secure Configuration Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.1" + }, { + "name" : "sort-id", + "value" : "cisc-04.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a secure configuration process for enterprise assets (end-user\ndevices, including portable and mobile, non-computing/IoT devices, and servers) and software\n(operating systems and applications). Review and update documentation annually, or when\nsignificant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-4.2", + "title" : "Establish and Maintain a Secure Configuration Process for Network Infrastructure", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.2" + }, { + "name" : "sort-id", + "value" : "cisc-04.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a secure configuration process for network devices. Review and update\ndocumentation annually, or when significant enterprise changes occur that could impact this\nSafeguard." + } ] + }, { + "id" : "cisc-4.3", + "title" : "Configure Automatic Session Locking on Enterprise Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.3" + }, { + "name" : "sort-id", + "value" : "cisc-04.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.3_stmt", + "name" : "statement", + "prose" : "Configure automatic session locking on enterprise assets after a defined period of\ninactivity. For general purpose operating systems, the period must not exceed 15 minutes. For\nmobile end-user devices, the period must not exceed 2 minutes." + } ] + }, { + "id" : "cisc-4.4", + "title" : "Implement and Manage a Firewall on Servers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.4" + }, { + "name" : "sort-id", + "value" : "cisc-04.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.4_stmt", + "name" : "statement", + "prose" : "Implement and manage a firewall on servers, where supported. Example implementations include\na virtual firewall, operating system firewall, or a third-party firewall agent." + } ] + }, { + "id" : "cisc-4.5", + "title" : "Implement and Manage a Firewall on End-User Devices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.5" + }, { + "name" : "sort-id", + "value" : "cisc-04.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.5_stmt", + "name" : "statement", + "prose" : "Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a\ndefault-deny rule that drops all traffic except those services and ports that are explicitly\nallowed." + } ] + }, { + "id" : "cisc-4.6", + "title" : "Securely Manage Enterprise Assets and Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.6" + }, { + "name" : "sort-id", + "value" : "cisc-04.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.6_stmt", + "name" : "statement", + "prose" : "Securely manage enterprise assets and software. Example implementations include managing\nconfiguration through version-controlled-infrastructure-as-code and accessing administrative\ninterfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer\nProtocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype\nNetwork) and HTTP, unless operationally essential." + } ] + }, { + "id" : "cisc-4.7", + "title" : "Manage Default Accounts on Enterprise Assets and Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.7" + }, { + "name" : "sort-id", + "value" : "cisc-04.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "potect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-5.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.7_stmt", + "name" : "statement", + "prose" : "Manage default accounts on enterprise assets and software, such as root, administrator, and\nother pre-configured vendor accounts. Example implementations can include: disabling default\naccounts or making them unusable." + } ] + }, { + "id" : "cisc-4.8", + "title" : "Uninstall or Disable Unnecessary Services on Enterprise Assets and Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.8" + }, { + "name" : "sort-id", + "value" : "cisc-04.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.8_stmt", + "name" : "statement", + "prose" : "Uninstall or disable unnecessary services on enterprise assets and software, such as an\nunused file sharing service, web application module, or service function." + } ] + }, { + "id" : "cisc-4.9", + "title" : "Configure Trusted DNS Servers on Enterprise Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.9" + }, { + "name" : "sort-id", + "value" : "cisc-04.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.9_stmt", + "name" : "statement", + "prose" : "Configure trusted DNS servers on enterprise assets. Example implementations include:\nconfiguring assets to use enterprise-controlled DNS servers and/or reputable externally\naccessible DNS servers." + } ] + }, { + "id" : "cisc-4.10", + "title" : "Enforce Automatic Device Lockout on Portable End-User Devices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.10" + }, { + "name" : "sort-id", + "value" : "cisc-04.10" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.10_stmt", + "name" : "statement", + "prose" : "Enforce automatic device lockout following a predetermined threshold of local failed\nauthentication attempts on portable end-user devices, where supported. For laptops, do not\nallow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10\nfailed authentication attempts. Example implementations include Microsoft? InTune Device Lock\nand Apple? Configuration Profile maxFailedAttempts." + } ] + }, { + "id" : "cisc-4.11", + "title" : "Enforce Remote Wipe Capability on Portable End-User Devices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.11" + }, { + "name" : "sort-id", + "value" : "cisc-04.11" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.11_stmt", + "name" : "statement", + "prose" : "Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed\nappropriate such as lost or stolen devices, or when an individual no longer supports the\nenterprise." + } ] + }, { + "id" : "cisc-4.12", + "title" : "Separate Enterprise Workspaces on Mobile End-User Devices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 4.12" + }, { + "name" : "sort-id", + "value" : "cisc-04.12" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "nhttps://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-4.12_stmt", + "name" : "statement", + "prose" : "Ensure separate enterprise workspaces are used on mobile end-user devices, where supported.\nExample implementations include using an Apple? Configuration Profile or Android? Work Profile\nto separate enterprise applications and data from personal applications and data." + } ] + } ] + }, { + "id" : "cisc-5", + "title" : "Account Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 5" + }, { + "name" : "sort-id", + "value" : "cisc-05" + } ], + "parts" : [ { + "id" : "cisc-5_stmt", + "name" : "statement", + "prose" : "Use processes and tools to assign and manage authorization to credentials for user accounts,\nincluding administrator accounts, as well as service accounts, to enterprise assets and\nsoftware." + }, { + "id" : "cisc-5_gdn", + "name" : "guidance", + "prose" : "It is easier for an external or internal threat actor to gain unauthorized access to\nenterprise assets or data through using valid user credentials than through \"hacking\" the\nenvironment. There are many ways to covertly obtain access to user accounts, including: weak\npasswords, accounts still valid after a user leaves the enterprise, dormant or lingering test\naccounts, shared accounts that have not been changed in months or years, service accounts\nembedded in applications for scripts, a user having the same password as one they use for an\nonline account that has been compromised (in a public password dump), social engineering a user\nto give their password, or using malware to capture passwords or tokens in memory or over the\nnetwork.\n\nAdministrative, or highly privileged, accounts are a particular target, because they allow\nattackers to add other accounts, or make changes to assets that could make them more vulnerable\nto other attacks. Service accounts are also sensitive, as they are often shared among teams,\ninternal and external to the enterprise, and sometimes not known about, only to be revealed in\nstandard account management audits.\n\nFinally, account logging and monitoring is a critical component of security operations. While\naccount logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is\nimportant in the development of a comprehensive Identity and Access Management (IAM)\nprogram." + } ], + "controls" : [ { + "id" : "cisc-5.1", + "title" : "Establish and Maintain an Inventory of Accounts", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.1" + }, { + "name" : "sort-id", + "value" : "cisc-05.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-5.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain an inventory of all accounts managed in the enterprise. The inventory\nmust include both user and administrator accounts. The inventory, at a minimum, should contain\nthe person’s name, username, start/stop dates, and department. Validate that all active\naccounts are authorized, on a recurring schedule at a minimum quarterly, or more\nfrequently." + } ] + }, { + "id" : "cisc-5.2", + "title" : "Use Unique Passwords", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.2" + }, { + "name" : "sort-id", + "value" : "cisc-05.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-5.2_stmt", + "name" : "statement", + "prose" : "Use unique passwords for all enterprise assets. Best practice implementation includes, at a\nminimum, an 8-character password for accounts using MFA and a 14-character password for\naccounts not using MFA." + } ] + }, { + "id" : "cisc-5.3", + "title" : "Disable Dormant Accounts", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.3" + }, { + "name" : "sort-id", + "value" : "cisc-05.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-5.3_stmt", + "name" : "statement", + "prose" : "Delete or disable any dormant accounts after a period of 45 days of inactivity, where\nsupported" + } ] + }, { + "id" : "cisc-5.4", + "title" : "Restrict Administrator Privileges to Dedicated Administrator Accounts", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.4" + }, { + "name" : "sort-id", + "value" : "cisc-05.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-5.4_stmt", + "name" : "statement", + "prose" : "Restrict administrator privileges to dedicated administrator accounts on enterprise assets.\nConduct general computing activities, such as internet browsing, email, and productivity suite\nuse, from the user’s primary, non-privileged account." + } ] + }, { + "id" : "cisc-5.5", + "title" : "Establish and Maintain an Inventory of Service Accounts", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.5" + }, { + "name" : "sort-id", + "value" : "cisc-05.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-6.6", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-5.5_stmt", + "name" : "statement", + "prose" : "Establish and maintain an inventory of service accounts. The inventory, at a minimum, must\ncontain department owner, review date, and purpose. Perform service account reviews to validate\nthat all active accounts are authorized, on a recurring schedule at a minimum quarterly, or\nmore frequently." + } ] + }, { + "id" : "cisc-5.6", + "title" : "Centralize Account Management", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 5.6" + }, { + "name" : "sort-id", + "value" : "cisc-05.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-5.6_stmt", + "name" : "statement", + "prose" : "Centralize account management through a directory or identity service." + } ] + } ] + }, { + "id" : "cisc-6", + "title" : "Access Control Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 6" + }, { + "name" : "sort-id", + "value" : "cisc-06" + } ], + "parts" : [ { + "id" : "cisc-6_stmt", + "name" : "statement", + "prose" : "Use processes and tools to create, assign, manage, and revoke access credentials and\nprivileges for user, administrator, and service accounts for enterprise assets and software." + }, { + "id" : "cisc-6_gdn", + "name" : "guidance", + "prose" : "Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on\nmanaging what access these accounts have, ensuring users only have access to the data or\nenterprise assets appropriate for their role, and ensuring that there is strong authentication\nfor critical or sensitive enterprise data or functions. Accounts should only have the minimal\nauthorization needed for the role. Developing consistent access rights for each role and\nassigning roles to users is a best practice. Developing a program for complete provision and\nde-provisioning access is also important. Centralizing this function is ideal.\n\nThere are some user activities that pose greater risk to an enterprise, either because they\nare accessed from untrusted networks, or performing administrator functions that allow the\nability to add, change, or remove other accounts, or make configuration changes to operating\nsystems or applications to make them less secure. This also enforces the importance of using MFA\nand Privileged Access Management (PAM) tools.\n\nSome users have access to enterprise assets or data they do not need for their role; this\nmight be due to an immature process that gives all users all access, or lingering access as\nusers change roles within the enterprise over time. Local administrator privileges to users’\nlaptops is also an issue, as any malicious code installed or downloaded by the user can have\ngreater impact on the enterprise asset running as administrator. User, administrator, and\nservice account access should be based on enterprise role and need." + } ], + "controls" : [ { + "id" : "cisc-6.1", + "title" : "Establish an Access Granting Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.1" + }, { + "name" : "sort-id", + "value" : "cisc-06.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-6.1_stmt", + "name" : "statement", + "prose" : "Establish and follow a process, preferably automated, for granting access to enterprise\nassets upon new hire, rights grant, or role change of a user." + } ] + }, { + "id" : "cisc-6.2", + "title" : "Establish an Access Revoking Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.2" + }, { + "name" : "sort-id", + "value" : "cisc-06.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-6.2_stmt", + "name" : "statement", + "prose" : "Establish and follow a process, preferably automated, for revoking access to enterprise\nassets, through disabling accounts immediately upon termination, rights revocation, or role\nchange of a user. Disabling accounts, instead of deleting accounts, may be necessary to\npreserve audit trails." + } ] + }, { + "id" : "cisc-6.3", + "title" : "Require MFA for Externally-Exposed Applications", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.3" + }, { + "name" : "sort-id", + "value" : "cisc-06.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.3_stmt", + "name" : "statement", + "prose" : "Require all externally-exposed enterprise or third-party applications to enforce MFA, where\nsupported. Enforcing MFA through a directory service or SSO provider is a satisfactory\nimplementation of this Safeguard." + } ] + }, { + "id" : "cisc-6.4", + "title" : "Require MFA for Remote Network Access", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.4" + }, { + "name" : "sort-id", + "value" : "cisc-06.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.4_stmt", + "name" : "statement", + "prose" : "Require MFA for remote network access." + } ] + }, { + "id" : "cisc-6.5", + "title" : "Require MFA for Administrative Access", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.5" + }, { + "name" : "sort-id", + "value" : "cisc-06.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.5_stmt", + "name" : "statement", + "prose" : "Require MFA for all administrative access accounts, where supported, on all enterprise\nassets, whether managed on-site or through a third-party provider." + } ] + }, { + "id" : "cisc-6.6", + "title" : "Establish and Maintain an Inventory of Authentication and Authorization Systems", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.6" + }, { + "name" : "sort-id", + "value" : "cisc-06.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.6_stmt", + "name" : "statement", + "prose" : "Establish and maintain an inventory of the enterprise’s authentication and authorization\nsystems, including those hosted on-site or at a remote service provider. Review and update the\ninventory, at a minimum, annually, or more frequently." + } ] + }, { + "id" : "cisc-6.7", + "title" : "Centralize Access Control", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.7" + }, { + "name" : "sort-id", + "value" : "cisc-06.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "users" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.7_stmt", + "name" : "statement", + "prose" : "Centralize access control for all enterprise assets through a directory service or SSO\nprovider, where supported." + } ] + }, { + "id" : "cisc-6.8", + "title" : "Centralize Access Control", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 6.8" + }, { + "name" : "sort-id", + "value" : "cisc-06.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-5.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-6.8_stmt", + "name" : "statement", + "prose" : "Define and maintain role-based access control, through determining and documenting the access\nrights necessary for each role within the enterprise to successfully carry out its assigned\nduties. Perform access control reviews of enterprise assets to validate that all privileges are\nauthorized, on a recurring schedule at a minimum annually, or more frequently." + } ] + } ] + }, { + "id" : "cisc-7", + "title" : "Continuous Vulnerability Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 7" + }, { + "name" : "sort-id", + "value" : "cisc-07" + } ], + "parts" : [ { + "id" : "cisc-7_stmt", + "name" : "statement", + "prose" : "Develop a plan to continuously assess and track vulnerabilities on all enterprise assets\nwithin the enterprise’s infrastructure, in order to remediate, and minimize, the window of\nopportunity for attackers. Monitor public and private industry sources for new threat and\nvulnerability information." + }, { + "id" : "cisc-7_gdn", + "name" : "guidance", + "prose" : "Cyber defenders are constantly being challenged from attackers who are looking for\nvulnerabilities within their infrastructure to exploit and gain access. Defenders must have\ntimely threat information available to them about: software updates, patches, security\nadvisories, threat bulletins, etc., and they should regularly review their environment to\nidentify these vulnerabilities before the attackers do. Understanding and managing\nvulnerabilities is a continuous activity, requiring focus of time, attention, and resources.\n\nAttackers have access to the same information and can often take advantage of vulnerabilities\nmore quickly than an enterprise can remediate. While there is a gap in time from a vulnerability\nbeing known to when it is patched, defenders can prioritize which vulnerabilities are most\nimpactful to the enterprise, or likely to be exploited first due to ease of use. For example,\nwhen researchers or the community report new vulnerabilities, vendors have to develop and deploy\npatches, indicators of compromise (IOCs), and updates. Defenders need to assess the risk of the\nnew vulnerability to the enterprise, regression-test patches , and install the patch.\n\nThere is never perfection in this process. Attackers might be using an exploit to a\nvulnerability that is not known within the security community. They might have developed an\nexploit to this vulnerability referred to as a \"zero-day\" exploit. Once the vulnerability is\nknown in the community, the process mentioned above starts. Therefore, defenders must keep in\nmind that an exploit might already exist when the vulnerability is widely socialized. Sometimes\nvulnerabilities might be known within a closed community (e.g., vendor still developing a fix)\nfor weeks, months, or years before it is disclosed publicly. Defenders have to be aware that\nthere might always be vulnerabilities they cannot remediate, and therefore need to use other\ncontrols to mitigate.\n\nEnterprises that do not assess their infrastructure for vulnerabilities and proactively\naddress discovered flaws face a significant likelihood of having their enterprise assets\ncompromised. Defenders face particular challenges in scaling remediation across an entire\nenterprise, and prioritizing actions with conflicting priorities, while not impacting the\nenterprise’s business or mission." + } ], + "controls" : [ { + "id" : "cisc-7.1", + "title" : "Establish and Maintain a Vulnerability Management Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.1" + }, { + "name" : "sort-id", + "value" : "cisc-07.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-7.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a documented vulnerability management process for enterprise assets.\nReview and update documentation annually, or when significant enterprise changes occur that\ncould impact this Safeguard." + } ] + }, { + "id" : "cisc-7.2", + "title" : "Establish and Maintain a Remediation Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.2" + }, { + "name" : "sort-id", + "value" : "cisc-07.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-7.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a risk-based remediation strategy documented in a remediation process,\nwith monthly, or more frequent, reviews." + } ] + }, { + "id" : "cisc-7.3", + "title" : "Perform Automated Operating System Patch Management", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.3" + }, { + "name" : "sort-id", + "value" : "cisc-07.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-7.3_stmt", + "name" : "statement", + "prose" : "Perform operating system updates on enterprise assets through automated patch management on a\nmonthly, or more frequent, basis." + } ] + }, { + "id" : "cisc-7.4", + "title" : "Perform Automated Application Patch Management", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.4" + }, { + "name" : "sort-id", + "value" : "cisc-07.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-7.4_stmt", + "name" : "statement", + "prose" : "Perform application updates on enterprise assets through automated patch management on a\nmonthly, or more frequent, basis." + } ] + }, { + "id" : "cisc-7.5", + "title" : "Perform Automated Vulnerability Scans of Internal Enterprise Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.5" + }, { + "name" : "sort-id", + "value" : "cisc-07.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-7.5_stmt", + "name" : "statement", + "prose" : "Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more\nfrequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant\nvulnerability scanning tool." + } ] + }, { + "id" : "cisc-7.6", + "title" : "Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.6" + }, { + "name" : "sort-id", + "value" : "cisc-07.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-7.6_stmt", + "name" : "statement", + "prose" : "Perform automated vulnerability scans of externally-exposed enterprise assets using a\nSCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent,\nbasis." + } ] + }, { + "id" : "cisc-7.7", + "title" : "Remediate Detected Vulnerabilities", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 7.7" + }, { + "name" : "sort-id", + "value" : "cisc-07.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-7.7_stmt", + "name" : "statement", + "prose" : "Remediate detected vulnerabilities in software through processes and tooling on a monthly, or\nmore frequent, basis, based on the remediation process." + } ] + } ] + }, { + "id" : "cisc-8", + "title" : "Audit Log Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 8" + }, { + "name" : "sort-id", + "value" : "cisc-08" + } ], + "parts" : [ { + "id" : "cisc-8_stmt", + "name" : "statement", + "prose" : "Collect, alert, review, and retain audit logs of events that could help detect, understand, or\nrecover from an attack." + }, { + "id" : "cisc-8_gdn", + "name" : "guidance", + "prose" : "Log collection and analysis is critical for an enterprise’s ability to detect malicious\nactivity quickly. Sometimes audit records are the only evidence of a successful attack.\nAttackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze\nthem. Attackers use this knowledge to hide their location, malicious software, and activities on\nvictim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control\nvictim machines for months or years without anyone in the target enterprise knowing.\n\nThere are two types of logs that are generally treated and often configured independently:\nsystem logs and audit logs. System logs typically provide system-level events that show various\nsystem process start/end times, crashes, etc. These are native to systems, and take less\nconfiguration to turn on. Audit logs typically include user-level events – when a user logged\nin, accessed a file, etc. – and take more planning and effort to set up.\n\nLogging records are also critical for incident response. After an attack has been detected,\nlog analysis can help enterprises understand the extent of an attack. Complete logging records\ncan show, for example, when and how the attack occurred, what information was accessed, and if\ndata was exfiltrated. Retention of logs is also critical in case a follow-up investigation is\nrequired or if an attack remained undetected for a long period of time." + } ], + "controls" : [ { + "id" : "cisc-8.1", + "title" : "Establish and Maintain an Audit Log Management Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.1" + }, { + "name" : "sort-id", + "value" : "cisc-08.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-8.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain an audit log management process that defines the enterprise’s logging\nrequirements. At a minimum, address the collection, review, and retention of audit logs for\nenterprise assets. Review and update documentation annually, or when significant enterprise\nchanges occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-8.2", + "title" : "Collect Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.2" + }, { + "name" : "sort-id", + "value" : "cisc-08.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-8.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.2_stmt", + "name" : "statement", + "prose" : "Collect audit logs. Ensure that logging, per the enterprise’s audit log management process,\nhas been enabled across enterprise assets." + } ] + }, { + "id" : "cisc-8.3", + "title" : "Ensure Adequate Audit Log Storage", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.3" + }, { + "name" : "sort-id", + "value" : "cisc-08.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.3_stmt", + "name" : "statement", + "prose" : "Ensure that logging destinations maintain adequate storage to comply with the enterprise’s\naudit log management process." + } ] + }, { + "id" : "cisc-8.4", + "title" : "Standardize Time Synchronization", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.4" + }, { + "name" : "sort-id", + "value" : "cisc-08.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.4_stmt", + "name" : "statement", + "prose" : "Standardize time synchronization. Configure at least two synchronized time sources across\nenterprise assets, where supported." + } ] + }, { + "id" : "cisc-8.5", + "title" : "Collect Detailed Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.5" + }, { + "name" : "sort-id", + "value" : "cisc-08.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.5_stmt", + "name" : "statement", + "prose" : "Configure detailed audit logging for enterprise assets containing sensitive data. Include\nevent source, date, username, timestamp, source addresses, destination addresses, and other\nuseful elements that could assist in a forensic investigation." + } ] + }, { + "id" : "cisc-8.6", + "title" : "Collect DNS Query Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.6" + }, { + "name" : "sort-id", + "value" : "cisc-08.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.6_stmt", + "name" : "statement", + "prose" : "Collect DNS query audit logs on enterprise assets, where appropriate and supported." + } ] + }, { + "id" : "cisc-8.7", + "title" : "Collect URL Request Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.7" + }, { + "name" : "sort-id", + "value" : "cisc-08.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.7_stmt", + "name" : "statement", + "prose" : "Collect URL request audit logs on enterprise assets, where appropriate and supported." + } ] + }, { + "id" : "cisc-8.8", + "title" : "Collect Command-Line Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.8" + }, { + "name" : "sort-id", + "value" : "cisc-08.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.8_stmt", + "name" : "statement", + "prose" : "Collect command-line audit logs. Example implementations include collecting audit logs from\nPowerShell®, BASH™, and remote administrative terminals." + } ] + }, { + "id" : "cisc-8.9", + "title" : "Centralize Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.9" + }, { + "name" : "sort-id", + "value" : "cisc-08.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.9_stmt", + "name" : "statement", + "prose" : "Centralize, to the extent possible, audit log collection and retention across enterprise\nassets." + } ] + }, { + "id" : "cisc-8.10", + "title" : "Retain Audit Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.10" + }, { + "name" : "sort-id", + "value" : "cisc-08.10" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-8.9", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.10_stmt", + "name" : "statement", + "prose" : "Retain audit logs across enterprise assets for a minimum of 90 days." + } ] + }, { + "id" : "cisc-8.11", + "title" : "Conduct Audit Log Reviews", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.11" + }, { + "name" : "sort-id", + "value" : "cisc-08.11" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-8.11_stmt", + "name" : "statement", + "prose" : "Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a\npotential threat. Conduct reviews on a weekly, or more frequent, basis." + } ] + }, { + "id" : "cisc-8.12", + "title" : "Collect Service Provider Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 8.12" + }, { + "name" : "sort-id", + "value" : "cisc-08.12" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-8.12_stmt", + "name" : "statement", + "prose" : "Collect service provider logs, where supported. Example implementations include collecting\nauthentication and authorization events, data creation and disposal events, and user management\nevents." + } ] + } ] + }, { + "id" : "cisc-9", + "title" : "Email and Web Browser Protections", + "props" : [ { + "name" : "label", + "value" : "CIS Control 9" + }, { + "name" : "sort-id", + "value" : "cisc-09" + } ], + "parts" : [ { + "id" : "cisc-9_stmt", + "name" : "statement", + "prose" : "Improve protections and detections of threats from email and web vectors, as these are\nopportunities for attackers to manipulate human behavior through direct engagement." + }, { + "id" : "cisc-9_gdn", + "name" : "guidance", + "prose" : "Web browsers and email clients are very common points of entry for attackers because of their\ndirect interaction with users inside an enterprise. Content can be crafted to entice or spoof\nusers into disclosing credentials, providing sensitive data, or providing an open channel to\nallow attackers to gain access, thus increasing risk to the enterprise. Since email and web are\nthe main means that users interact with external and untrusted users and environments, these are\nprime targets for both malicious code and social engineering. Additionally, as enterprises move\nto web-based email, or mobile email access, users no longer use traditional full-featured email\nclients, which provide embedded security controls like connection encryption, strong\nauthentication, and phishing reporting buttons." + } ], + "controls" : [ { + "id" : "cisc-9.1", + "title" : "Ensure Use of Only Fully Supported Browsers and Email Clients", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.1" + }, { + "name" : "sort-id", + "value" : "cisc-09.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.1_stmt", + "name" : "statement", + "prose" : "Ensure only fully supported browsers and email clients are allowed to execute in the\nenterprise, only using the latest version of browsers and email clients provided through the\nvendor." + } ] + }, { + "id" : "cisc-9.2", + "title" : "Use DNS Filtering Services", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.2" + }, { + "name" : "sort-id", + "value" : "cisc-09.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.2_stmt", + "name" : "statement", + "prose" : "Use DNS filtering services on all enterprise assets to block access to known malicious\ndomains." + } ] + }, { + "id" : "cisc-9.3", + "title" : "Maintain and Enforce Network-Based URL Filters", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.3" + }, { + "name" : "sort-id", + "value" : "cisc-09.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.3_stmt", + "name" : "statement", + "prose" : "Enforce and update network-based URL filters to limit an enterprise asset from connecting to\npotentially malicious or unapproved websites. Example implementations include category-based\nfiltering, reputation-based filtering, or through the use of block lists. Enforce filters for\nall enterprise assets." + } ] + }, { + "id" : "cisc-9.4", + "title" : "Restrict Unnecessary or Unauthorized Browser and Email Client Extensions", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.4" + }, { + "name" : "sort-id", + "value" : "cisc-09.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.4_stmt", + "name" : "statement", + "prose" : "Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser\nor email client plugins, extensions, and add-on applications." + } ] + }, { + "id" : "cisc-9.5", + "title" : "Implement DMARC", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.5" + }, { + "name" : "sort-id", + "value" : "cisc-09.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.5_stmt", + "name" : "statement", + "prose" : "To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy\nand verification, starting with implementing the Sender Policy Framework (SPF) and the\nDomainKeys Identified Mail (DKIM) standards." + } ] + }, { + "id" : "cisc-9.6", + "title" : "Block Unnecessary File Types", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.6" + }, { + "name" : "sort-id", + "value" : "cisc-09.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.6_stmt", + "name" : "statement", + "prose" : "Block unnecessary file types attempting to enter the enterprise's email gateway." + } ] + }, { + "id" : "cisc-9.7", + "title" : "Deploy and Maintain Email Server Anti-Malware Protections", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 9.7" + }, { + "name" : "sort-id", + "value" : "cisc-09.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-9.7_stmt", + "name" : "statement", + "prose" : "Deploy and maintain email server anti-malware protections, such as attachment scanning and/or\nsandboxing." + } ] + } ] + }, { + "id" : "cisc-10", + "title" : "Malware Defenses", + "props" : [ { + "name" : "label", + "value" : "CIS Control 10" + }, { + "name" : "sort-id", + "value" : "cisc-10" + } ], + "parts" : [ { + "id" : "cisc-10_stmt", + "name" : "statement", + "prose" : "Prevent or control the installation, spread, and execution of malicious applications, code, or\nscripts on enterprise assets." + }, { + "id" : "cisc-10_gdn", + "name" : "guidance", + "prose" : "Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous\naspect of internet threats. They can have many purposes, from capturing credentials, stealing\ndata, identifying other targets within the network, and encrypting or destroying data. Malware\nis ever-evolving and adaptive, as modern variants leverage machine learning techniques.\n\nMalware enters an enterprise through vulnerabilities within the enterprise on end-user\ndevices, email attachments, webpages, cloud services, mobile devices, and removable media.\nMalware often relies on insecure end-user behavior, such as clicking links, opening attachments,\ninstalling software or profiles, or inserting Universal Serial Bus (USB) flash drives. Modern\nmalware is designed to avoid, deceive, or disable defenses.\n\nMalware defenses must be able to operate in this dynamic environment through automation,\ntimely and rapid updating, and integration with other processes like vulnerability management\nand incident response. They must be deployed at all possible entry points and enterprise assets\nto detect, prevent spread, or control the execution of malicious software or code." + } ], + "controls" : [ { + "id" : "cisc-10.1", + "title" : "Deploy and Maintain Anti-Malware Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.1" + }, { + "name" : "sort-id", + "value" : "cisc-10.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.1_stmt", + "name" : "statement", + "prose" : "Deploy and maintain anti-malware software on all enterprise assets." + } ] + }, { + "id" : "cisc-10.2", + "title" : "Configure Automatic Anti-Malware Signature Updates", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.2" + }, { + "name" : "sort-id", + "value" : "cisc-10.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-10.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.2_stmt", + "name" : "statement", + "prose" : "Configure automatic updates for anti-malware signature files on all enterprise assets." + } ] + }, { + "id" : "cisc-10.3", + "title" : "Disable Autorun and Autoplay for Removable Media", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.3" + }, { + "name" : "sort-id", + "value" : "cisc-10.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.3_stmt", + "name" : "statement", + "prose" : "Disable autorun and autoplay auto-execute functionality for removable media." + } ] + }, { + "id" : "cisc-10.4", + "title" : "Configure Automatic Anti-Malware Scanning of Removable Media", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.4" + }, { + "name" : "sort-id", + "value" : "cisc-10.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-10.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.4_stmt", + "name" : "statement", + "prose" : "Configure anti-malware software to automatically scan removable media." + } ] + }, { + "id" : "cisc-10.5", + "title" : "Enable Anti-Exploitation Features", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.5" + }, { + "name" : "sort-id", + "value" : "cisc-10.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.5_stmt", + "name" : "statement", + "prose" : "Enable anti-exploitation features on enterprise assets and software, where possible, such as\nMicrosoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple®\nSystem Integrity Protection (SIP) and Gatekeeper™." + } ] + }, { + "id" : "cisc-10.6", + "title" : "Centrally Manage Anti-Malware Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.6" + }, { + "name" : "sort-id", + "value" : "cisc-10.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-10.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.6_stmt", + "name" : "statement", + "prose" : "Centrally manage anti-malware software." + } ] + }, { + "id" : "cisc-10.7", + "title" : "Use Behavior-Based Anti-Malware Software", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 10.7" + }, { + "name" : "sort-id", + "value" : "cisc-10.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-10.7_stmt", + "name" : "statement", + "prose" : "Use behavior-based anti-malware software." + } ] + } ] + }, { + "id" : "cisc-11", + "title" : "Data Recovery", + "props" : [ { + "name" : "label", + "value" : "CIS Control 11" + }, { + "name" : "sort-id", + "value" : "cisc-11" + } ], + "parts" : [ { + "id" : "cisc-11_stmt", + "name" : "statement", + "prose" : "Establish and maintain data recovery practices sufficient to restore in-scope enterprise\nassets to a pre-incident and trusted state." + }, { + "id" : "cisc-11_gdn", + "name" : "guidance", + "prose" : "In the cybersecurity triad – Confidentiality, Integrity, and Availability (CIA) – the\navailability of data is, in some cases, more critical than its confidentiality. Enterprises need\nmany types of data to make business decisions, and when that data is not available or is\nuntrusted, then it could impact the enterprise. An easy example is weather information to a\ntransportation enterprise.\n\nWhen attackers compromise assets, they make changes to configurations, add accounts, and often\nadd software or scripts. These changes are not always easy to identify, as attackers might have\ncorrupted or replaced trusted applications with malicious versions, or the changes might appear\nto be standard-looking account names. Configuration changes can include adding or changing\nregistry entries, opening ports, turning off security services, deleting logs, or other\nmalicious actions that make a system insecure. These actions do not have to be malicious; human\nerror can cause each of these as well. Therefore, it is important to have an ability to have\nrecent backups or mirrors to recover enterprise assets and data back to a known trusted\nstate.\n\nThere has been an exponential rise in ransomware over the last few years. It is not a new\nthreat, though it has become more commercialized and organized as a reliable method for\nattackers to make money. If an attacker encrypts an enterprise’s data and demands ransom for its\nrestoration, having a recent backup to recover to a known, trusted state can be helpful.\nHowever, as ransomware has evolved, it has also become an extortion technique, where data is\nexfiltrated before being encrypted, and the attacker asks for payment to restore the\nenterprise’s data, as well as to keep it from being sold or publicized. In this case,\nrestoration would only solve the issue of restoring systems to a trusted state and continuing\noperations. Leveraging the guidance within the CIS Controls will help reduce the risk of\nransomware through improved cyber hygiene, as attackers usually use older or basic exploits on\ninsecure systems." + } ], + "controls" : [ { + "id" : "cisc-11.1", + "title" : "Establish and Maintain a Data Recovery Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 11.1" + }, { + "name" : "sort-id", + "value" : "cisc-11.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recovery" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-11.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a data recovery process. In the process, address the scope of data\nrecovery activities, recovery prioritization, and the security of backup data. Review and\nupdate documentation annually, or when significant enterprise changes occur that could impact\nthis Safeguard." + } ] + }, { + "id" : "cisc-11.2", + "title" : "Perform Automated Backups", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 11.2" + }, { + "name" : "sort-id", + "value" : "cisc-11.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recovery" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-11.2_stmt", + "name" : "statement", + "prose" : "Perform automated backups of in-scope enterprise assets. Run backups weekly, or more\nfrequently, based on the sensitivity of the data." + } ] + }, { + "id" : "cisc-11.3", + "title" : "Protect Recovery Data", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 11.3" + }, { + "name" : "sort-id", + "value" : "cisc-11.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-11.3_stmt", + "name" : "statement", + "prose" : "Protect recovery data with equivalent controls to the original data. Reference encryption or\ndata separation, based on requirements." + } ] + }, { + "id" : "cisc-11.4", + "title" : "Establish and Maintain an Isolated Instance of Recovery Data", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 11.4" + }, { + "name" : "sort-id", + "value" : "cisc-11.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recovery" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-11.4_stmt", + "name" : "statement", + "prose" : "Establish and maintain an isolated instance of recovery data. Example implementations\ninclude, version controlling backup destinations through offline, cloud, or off-site systems or\nservices." + } ] + }, { + "id" : "cisc-11.5", + "title" : "Test Data Recovery", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 11.5" + }, { + "name" : "sort-id", + "value" : "cisc-11.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recover" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-11.5_stmt", + "name" : "statement", + "prose" : "Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise\nassets." + } ] + } ] + }, { + "id" : "cisc-12", + "title" : "Network Infrastructure Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 12" + }, { + "name" : "sort-id", + "value" : "cisc-12" + } ], + "parts" : [ { + "id" : "cisc-12_stmt", + "name" : "statement", + "prose" : "Establish, implement, and actively manage (track, report, correct) network devices, in order\nto prevent attackers from exploiting vulnerable network services and access points." + }, { + "id" : "cisc-12_gdn", + "name" : "guidance", + "prose" : "Secure network infrastructure is an essential defense against attacks. This includes an\nappropriate security architecture, addressing vulnerabilities that are, often times, introduced\nwith default settings, monitoring for changes, and reassessment of current configurations.\nNetwork infrastructure includes devices such as physical and virtualized gateways, firewalls,\nwireless access points, routers, and switches.\n\nDefault configurations for network devices are geared for ease-of-deployment and ease-of-use –\nnot security. Potential default vulnerabilities include open services and ports, default\naccounts and passwords (including service accounts), support for older vulnerable protocols, and\npre-installation of unneeded software. Attackers search for vulnerable default settings, gaps or\ninconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate\ndefenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a\nnetwork, and intercept data while in transmission.\n\nNetwork security is a constantly changing environment that necessitates regular re-evaluation\nof architecture diagrams, configurations, access controls, and allowed traffic flows. Attackers\ntake advantage of network device configurations becoming less secure over time as users demand\nexceptions for specific business needs. Sometimes the exceptions are deployed, but not removed\nwhen they are no longer applicable to the business’s needs. In some cases, the security risk of\nan exception is neither properly analyzed nor measured against the associated business need and\ncan change over time." + } ], + "controls" : [ { + "id" : "cisc-12.1", + "title" : "Ensure Network Infrastructure is Up-to-Date", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.1" + }, { + "name" : "sort-id", + "value" : "cisc-12.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.1_stmt", + "name" : "statement", + "prose" : "Ensure network infrastructure is kept up-to-date. Example implementations include running the\nlatest stable release of software and/or using currently supported network-as-a-service (NaaS)\nofferings. Review software versions monthly, or more frequently, to verify software\nsupport." + } ] + }, { + "id" : "cisc-12.2", + "title" : "Establish and Maintain a Secure Network Architecture", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.2" + }, { + "name" : "sort-id", + "value" : "cisc-12.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a secure network architecture. A secure network architecture must\naddress segmentation, least privilege, and availability, at a minimum." + } ] + }, { + "id" : "cisc-12.3", + "title" : "Securely Manage Network Infrastructure", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.3" + }, { + "name" : "sort-id", + "value" : "cisc-12.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.2", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.3_stmt", + "name" : "statement", + "prose" : "Securely manage network infrastructure. Example implementations include\nversion-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH\nand HTTPS." + } ] + }, { + "id" : "cisc-12.4", + "title" : "Establish and Maintain Architecture Diagram(s)", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.4" + }, { + "name" : "sort-id", + "value" : "cisc-12.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-12.4_stmt", + "name" : "statement", + "prose" : "Establish and maintain architecture diagram(s) and/or other network system documentation.\nReview and update documentation annually, or when significant enterprise changes occur that\ncould impact this Safeguard." + } ] + }, { + "id" : "cisc-12.5", + "title" : "Centralize Network Authentication, Authorization, and Auditing (AAA)", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.5" + }, { + "name" : "sort-id", + "value" : "cisc-12.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.5_stmt", + "name" : "statement", + "prose" : "Centralize network AAA" + } ] + }, { + "id" : "cisc-12.6", + "title" : "Use of Secure Network Management and Communication Protocols", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.6" + }, { + "name" : "sort-id", + "value" : "cisc-12.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.2", + "rel" : "dependency" + }, { + "href" : "cisc-12.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.6_stmt", + "name" : "statement", + "prose" : "Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected\nAccess 2 (WPA2) Enterprise or greater)." + } ] + }, { + "id" : "cisc-12.7", + "title" : "Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.7" + }, { + "name" : "sort-id", + "value" : "cisc-12.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + }, { + "href" : "cisc-12.5", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.7_stmt", + "name" : "statement", + "prose" : "Require users to authenticate to enterprise-managed VPN and authentication services prior to\naccessing enterprise resources on end-user devices." + } ] + }, { + "id" : "cisc-12.8", + "title" : "Establish and Maintain Dedicated Computing Resources for All Administrative Work", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 12.8" + }, { + "name" : "sort-id", + "value" : "cisc-12.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-12.8_stmt", + "name" : "statement", + "prose" : "Establish and maintain dedicated computing resources, either physically or logically\nseparated, for all administrative tasks or tasks requiring administrative access. The computing\nresources should be segmented from the enterprise’s primary network and not be allowed internet\naccess." + } ] + } ] + }, { + "id" : "cisc-13", + "title" : "Network Monitoring and Defense", + "props" : [ { + "name" : "label", + "value" : "CIS Control 13" + }, { + "name" : "sort-id", + "value" : "cisc-13" + } ], + "parts" : [ { + "id" : "cisc-13_stmt", + "name" : "statement", + "prose" : "Operate processes and tooling to establish and maintain comprehensive network monitoring and\ndefense against security threats across the enterprise’s network infrastructure and user\nbase." + }, { + "id" : "cisc-13_gdn", + "name" : "guidance", + "prose" : "We cannot rely on network defenses to be perfect. Adversaries continue to evolve and mature,\nas they share, or sell, information among their community on exploits and bypasses to security\ncontrols. Even if security tools work \"as advertised,\" it takes an understanding of the\nenterprise risk posture to configure, tune, and log them to be effective. Often,\nmisconfigurations due to human error or lack of knowledge of tool capabilities give enterprises\na false sense of security.\n\nSecurity tools can only be effective if they are supporting a process of continuous monitoring\nthat allows staff the ability to be alerted and respond to security incidents quickly.\nEnterprises that adopt a purely technology-driven approach will also experience more false\npositives, due to their over-reliance on alerts from tools. Identifying and responding to these\nthreats requires visibility into all threat vectors of the infrastructure and leveraging humans\nin the process of detection, analysis, and response. It is critical for large or heavily\ntargeted enterprises to have a security operations capability to prevent, detect, and quickly\nrespond to cyber threats before they can impact the enterprise. This process will generate\nactivity reports and metrics that will help enhance security policies, and support regulatory\ncompliance for many enterprises.\n\nAs we have seen many times in the press, enterprises have been compromised for weeks, months,\nor years before discovery. The primary benefit of having comprehensive situational awareness is\nto increase the speed of detection and response. This is critical to respond quickly when\nmalware is discovered, credentials are stolen, or when sensitive data is compromised to reduce\nimpact to the enterprise.\n\nThrough good situational awareness (i.e., security operations), enterprises will identify and\ncatalog Tactics, Techniques, and Procedures (TTPs) of attackers, including their IOCs that will\nhelp the enterprise become more proactive in identifying future threats or incidents. Recovery\ncan be achieved faster when the response has access to complete information about the\nenvironment and enterprise structure to develop efficient response strategies." + } ], + "controls" : [ { + "id" : "cisc-13.1", + "title" : "Centralize Security Event Alerting", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.1" + }, { + "name" : "sort-id", + "value" : "cisc-13.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.1_stmt", + "name" : "statement", + "prose" : "Centralize security event alerting across enterprise assets for log correlation and analysis.\nBest practice implementation requires the use of a SIEM, which includes vendor-defined event\ncorrelation alerts. A log analytics platform configured with security-relevant correlation\nalerts also satisfies this Safeguard." + } ] + }, { + "id" : "cisc-13.2", + "title" : "Deploy a Host-Based Intrusion Detection Solution", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.2" + }, { + "name" : "sort-id", + "value" : "cisc-13.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.2_stmt", + "name" : "statement", + "prose" : "Deploy a host-based intrusion detection solution on enterprise assets, where appropriate\nand/or supported." + } ] + }, { + "id" : "cisc-13.3", + "title" : "Deploy a Network Intrusion Detection Solution", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.3" + }, { + "name" : "sort-id", + "value" : "cisc-13.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.3_stmt", + "name" : "statement", + "prose" : "Deploy a network intrusion detection solution on enterprise assets, where appropriate.\nExample implementations include the use of a Network Intrusion Detection System (NIDS) or\nequivalent cloud service provider (CSP) service." + } ] + }, { + "id" : "cisc-13.4", + "title" : "Perform Traffic Filtering Between Network Segments", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.4" + }, { + "name" : "sort-id", + "value" : "cisc-13.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-13.4_stmt", + "name" : "statement", + "prose" : "Perform traffic filtering between network segments, where appropriate." + } ] + }, { + "id" : "cisc-13.5", + "title" : "Manage Access Control for Remote Assets", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.5" + }, { + "name" : "sort-id", + "value" : "cisc-13.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-6.6", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.5_stmt", + "name" : "statement", + "prose" : "Manage access control for assets remotely connecting to enterprise resources. Determine\namount of access to enterprise resources based on: up-to-date anti-malware software installed,\nconfiguration compliance with the enterprise’s secure configuration process, and ensuring the\noperating system and applications are up-to-date." + } ] + }, { + "id" : "cisc-13.6", + "title" : "Collect Network Traffic Flow Logs", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.6" + }, { + "name" : "sort-id", + "value" : "cisc-13.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.2", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.6_stmt", + "name" : "statement", + "prose" : "Collect network traffic flow logs and/or network traffic to review and alert upon from\nnetwork devices." + } ] + }, { + "id" : "cisc-13.7", + "title" : "Deploy a Host-Based Intrusion Prevention Solution", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.7" + }, { + "name" : "sort-id", + "value" : "cisc-13.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.7_stmt", + "name" : "statement", + "prose" : "Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate\nand/or supported. Example implementations include use of an Endpoint Detection and Response\n(EDR) client or host-based IPS agent." + } ] + }, { + "id" : "cisc-13.8", + "title" : "Deploy a Network Intrusion Prevention Solutions", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.8" + }, { + "name" : "sort-id", + "value" : "cisc-13.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-12.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.8_stmt", + "name" : "statement", + "prose" : "Deploy a network intrusion prevention solution, where appropriate. Example implementations\ninclude the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service." + } ] + }, { + "id" : "cisc-13.9", + "title" : "Deploy Port-Level Access Control", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.9" + }, { + "name" : "sort-id", + "value" : "cisc-13.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "devices" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.9_stmt", + "name" : "statement", + "prose" : "Deploy port-level access control. Port-level access control utilizes 802.1x, or similar\nnetwork access control protocols, such as certificates, and may incorporate user and/or device\nauthentication." + } ] + }, { + "id" : "cisc-13.10", + "title" : "Perform Application Layer Filtering", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.10" + }, { + "name" : "sort-id", + "value" : "cisc-13.10" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-1.1", + "rel" : "dependency" + }, { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.10_stmt", + "name" : "statement", + "prose" : "Perform application layer filtering. Example implementations include a filtering proxy,\napplication layer firewall, or gateway." + } ] + }, { + "id" : "cisc-13.11", + "title" : "Tune Security Event Alerting Thresholds", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.11" + }, { + "name" : "sort-id", + "value" : "cisc-13.11" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-13.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-13.11_stmt", + "name" : "statement", + "prose" : "Tune security event alerting thresholds monthly, or more frequently." + } ] + } ] + }, { + "id" : "cisc-14", + "title" : "Security Awareness and Skills Training", + "props" : [ { + "name" : "label", + "value" : "CIS Control 14" + }, { + "name" : "sort-id", + "value" : "cisc-14" + } ], + "parts" : [ { + "id" : "cisc-14_stmt", + "name" : "statement", + "prose" : "Establish and maintain a security awareness program to influence behavior among the workforce\nto be security conscious and properly skilled to reduce cybersecurity risks to the\nenterprise." + }, { + "id" : "cisc-14_gdn", + "name" : "guidance", + "prose" : "The actions of people play a critical part in the success or failure of an enterprise’s\nsecurity program. It is easier for an attacker to entice a user to click a link or open an email\nattachment to install malware in order to get into an enterprise, than to find a network exploit\nto do it directly.\n\nUsers themselves, both intentionally and unintentionally, can cause incidents as a result of\nmishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing\na portable end-user device, using weak passwords, or using the same password they use on public\nsites.\n\nNo security program can effectively address cyber risk without a means to address this\nfundamental human vulnerability. Users at every level of the enterprise have different risks.\nFor example: executives manage more sensitive data; system administrators have the ability to\ncontrol access to systems and applications; and users in finance, human resources, and contracts\nall have access to different types of sensitive data that can make them targets.\n\nThe training should be updated regularly. This will increase the culture of security and\ndiscourage risky workarounds." + } ], + "controls" : [ { + "id" : "cisc-14.1", + "title" : "Establish and Maintain a Security Awareness Program", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.1" + }, { + "name" : "sort-id", + "value" : "cisc-14.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a security awareness program. The purpose of a security awareness\nprogram is to educate the enterprise’s workforce on how to interact with enterprise assets and\ndata in a secure manner. Conduct training at hire and, at a minimum, annually. Review and\nupdate content annually, or when significant enterprise changes occur that could impact this\nSafeguard." + } ] + }, { + "id" : "cisc-14.2", + "title" : "Train Workforce Members to Recognize Social Engineering Attacks", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.2" + }, { + "name" : "sort-id", + "value" : "cisc-14.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.2_stmt", + "name" : "statement", + "prose" : "Train workforce members to recognize social engineering attacks, such as phishing,\npre-texting, and tailgating." + } ] + }, { + "id" : "cisc-14.3", + "title" : "Train Workforce Members on Authentication Best Practices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.3" + }, { + "name" : "sort-id", + "value" : "cisc-14.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.3_stmt", + "name" : "statement", + "prose" : "Train workforce members on authentication best practices. Example topics include MFA,\npassword composition, and credential management." + } ] + }, { + "id" : "cisc-14.4", + "title" : "Train Workforce on Data Handling Best Practices", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.4" + }, { + "name" : "sort-id", + "value" : "cisc-14.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.4_stmt", + "name" : "statement", + "prose" : "Train workforce members on how to identify and properly store, transfer, archive, and destroy\nsensitive data. This also includes training workforce members on clear screen and desk best\npractices, such as locking their screen when they step away from their enterprise asset,\nerasing physical and virtual whiteboards at the end of meetings, and storing data and assets\nsecurely." + } ] + }, { + "id" : "cisc-14.5", + "title" : "Train Workforce Members on Causes of Unintentional Data Exposure", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.5" + }, { + "name" : "sort-id", + "value" : "cisc-14.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.5_stmt", + "name" : "statement", + "prose" : "Train workforce members to be aware of causes for unintentional data exposure. Example topics\ninclude mis-delivery of sensitive data, losing a portable end-user device, or publishing data\nto unintended audiences." + } ] + }, { + "id" : "cisc-14.6", + "title" : "Train Workforce Members on Recognizing and Reporting Security Incidents", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.6" + }, { + "name" : "sort-id", + "value" : "cisc-14.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.6_stmt", + "name" : "statement", + "prose" : "Train workforce members to be able to recognize a potential incident and be able to report\nsuch an incident." + } ] + }, { + "id" : "cisc-14.7", + "title" : "Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.7" + }, { + "name" : "sort-id", + "value" : "cisc-14.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.7_stmt", + "name" : "statement", + "prose" : "Train workforce to understand how to verify and report out-of-date software patches or any\nfailures in automated processes and tools. Part of this training should include notifying IT\npersonnel of any failures in automated processes and tools." + } ] + }, { + "id" : "cisc-14.8", + "title" : "Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.8" + }, { + "name" : "sort-id", + "value" : "cisc-14.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.8_stmt", + "name" : "statement", + "prose" : "Train workforce members on the dangers of connecting to, and transmitting data over, insecure\nnetworks for enterprise activities. If the enterprise has remote workers, training must include\nguidance to ensure that all users securely configure their home network infrastructure." + } ] + }, { + "id" : "cisc-14.9", + "title" : "Conduct Role-Specific Security Awareness and Skills Training", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 14.9" + }, { + "name" : "sort-id", + "value" : "cisc-14.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-14.9_stmt", + "name" : "statement", + "prose" : "Conduct role-specific security awareness and skills training. Example implementations include\nsecure system administration courses for IT professionals, (OWASP® Top 10 vulnerability\nawareness and prevention training for web application developers, and advanced social\nengineering awareness training for high-profile roles." + } ] + } ] + }, { + "id" : "cisc-15", + "title" : "Service Provider Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 15" + }, { + "name" : "sort-id", + "value" : "cisc-15" + } ], + "parts" : [ { + "id" : "cisc-15_stmt", + "name" : "statement", + "prose" : "Develop a process to evaluate service providers who hold sensitive data, or are responsible\nfor an enterprise’s critical IT platforms or processes, to ensure these providers are protecting\nthose platforms and data appropriately." + }, { + "id" : "cisc-15_gdn", + "name" : "guidance", + "prose" : "In our modern, connected world, enterprises rely on vendors and partners to help manage their\ndata or rely on third-party infrastructure for core applications or functions.\n\nThere have been numerous examples where third-party breaches have significantly impacted an\nenterprise; for example, as early as the late 2000s, payment cards were compromised after\nattackers infiltrated smaller third-party vendors in the retail industry. More recent examples\ninclude ransomware attacks that impact an enterprise indirectly, due to one of their service\nproviders being locked down, causing disruption to business. Or worse, if directly connected, a\nransomware attack could encrypt data on the main enterprise.\n\nMost data security and privacy regulations require their protection extend to third-party\nservice providers, such as with Health Insurance Portability and Accountability Act (HIPAA)\nBusiness Associate agreements in healthcare, Federal Financial Institutions Examination Council\n(FFIEC) requirements for the financial industry, and the United Kingdom (U.K.) Cyber Essentials.\nThird-party trust is a core Governance Risk and Compliance (GRC) function, as risks that are not\nmanaged within the enterprise are transferred to entities outside the enterprise.\n\nWhile reviewing the security of third-parties has been a task performed for decades, there is\nnot a universal standard for assessing security; and, many service providers are being audited\nby their customers multiple times a month, causing impacts to their own productivity. This is\nbecause every enterprise has a different \"checklist\" or set of standards to grade the service\nprovider. There are only a few industry standards, such as in finance, with the Shared\nAssessments program, or in higher education, with their Higher Education Community Vendor\nAssessment Toolkit (HECVAT). Insurance companies selling cybersecurity policies also have their\nown measurements.\n\nWhile an enterprise might put a lot of scrutiny into large cloud or application hosting\ncompanies because they are hosting their email or critical business applications, smaller firms\nare often a greater risk. Often times, a third-party service provider contracts with additional\nparties to provide other plugins or services, such as when a third-party uses a fourth-party\nplatform or product to support the main enterprise." + } ], + "controls" : [ { + "id" : "cisc-15.1", + "title" : "Establish and Maintain an Inventory of Service Providers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.1" + }, { + "name" : "sort-id", + "value" : "cisc-15.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-15.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain an inventory of service providers. The inventory is to list all known\nservice providers, include classification(s), and designate an enterprise contact for each\nservice provider. Review and update the inventory annually, or when significant enterprise\nchanges occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-15.2", + "title" : "Establish and Maintain a Service Provider Management Policy", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.2" + }, { + "name" : "sort-id", + "value" : "cisc-15.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-15.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a service provider management policy. Ensure the policy addresses the\nclassification, inventory, assessment, monitoring, and decommissioning of service providers.\nReview and update the policy annually, or when significant enterprise changes occur that could\nimpact this Safeguard." + } ] + }, { + "id" : "cisc-15.3", + "title" : "Classify Service Providers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.3" + }, { + "name" : "sort-id", + "value" : "cisc-15.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-15.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-15.3_stmt", + "name" : "statement", + "prose" : "Classify service providers. Classification consideration may include one or more\ncharacteristics, such as data sensitivity, data volume, availability requirements, applicable\nregulations, inherent risk, and mitigated risk. Update and review classifications annually, or\nwhen significant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-15.4", + "title" : "Ensure Service Provider Contracts Include Security Requirements", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.4" + }, { + "name" : "sort-id", + "value" : "cisc-15.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-15.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-15.4_stmt", + "name" : "statement", + "prose" : "Ensure service provider contracts include security requirements. Example requirements may\ninclude minimum security program requirements, security incident and/or data breach\nnotification and response, data encryption requirements, and data disposal commitments. These\nsecurity requirements must be consistent with the enterprise’s service provider management\npolicy. Review service provider contracts annually to ensure contracts are not missing security\nrequirements." + } ] + }, { + "id" : "cisc-15.5", + "title" : "Assess Service Providers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 13.5" + }, { + "name" : "sort-id", + "value" : "cisc-13.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-15.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-15.5_stmt", + "name" : "statement", + "prose" : "Assess service providers consistent with the enterprise’s service provider management policy.\nAssessment scope may vary based on classification(s), and may include review of standardized\nassessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry\n(PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately\nrigorous processes. Reassess service providers annually, at a minimum, or with new and renewed\ncontracts." + } ] + }, { + "id" : "cisc-15.6", + "title" : "Monitor Service Providers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.6" + }, { + "name" : "sort-id", + "value" : "cisc-15.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "detect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-15.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-15.6_stmt", + "name" : "statement", + "prose" : "Monitor service providers consistent with the enterprise’s service provider management\npolicy. Monitoring may include periodic reassessment of service provider compliance, monitoring\nservice provider release notes, and dark web monitoring." + } ] + }, { + "id" : "cisc-15.7", + "title" : "Securely Decommission Service Providers", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 15.7" + }, { + "name" : "sort-id", + "value" : "cisc-15.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "data" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-15.1", + "rel" : "dependency" + }, { + "href" : "cisc-15.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-15.7_stmt", + "name" : "statement", + "prose" : "Securely decommission service providers. Example considerations include user and service\naccount deactivation, termination of data flows, and secure disposal of enterprise data within\nservice provider systems" + } ] + } ] + }, { + "id" : "cisc-16", + "title" : "Application Software Security", + "props" : [ { + "name" : "label", + "value" : "CIS Control 16" + }, { + "name" : "sort-id", + "value" : "cisc-16" + } ], + "parts" : [ { + "id" : "cisc-16_stmt", + "name" : "statement", + "prose" : "Manage the security life cycle of in-house developed, hosted, or acquired software to prevent,\ndetect, and remediate security weaknesses before they can impact the enterprise." + }, { + "id" : "cisc-16_gdn", + "name" : "guidance", + "prose" : "Applications provide a human-friendly interface to allow users to access and manage data in a\nway that is aligned to business functions. They also minimize the need for users to deal\ndirectly with complex (and potentially error-prone) system functions, like logging into a\ndatabase to insert or modify files. Enterprises use applications to manage their most sensitive\ndata and control access to system resources, and so an attacker can use the application itself\nto compromise the data, instead of an elaborate network and system hacking sequence, attempting\nto bypass network security controls and sensors. This is why protecting user credentials\n(specifically application credentials), defined in CIS Control 6, is so important.Applications\nprovide a human-friendly interface to allow users to access and manage data in a way that is\naligned to business functions. They also minimize the need for users to deal directly with\ncomplex (and potentially error-prone) system functions, like logging into a database to insert\nor modify files. Enterprises use applications to manage their most sensitive data and control\naccess to system resources, and so an attacker can use the application itself to compromise the\ndata, instead of an elaborate network and system hacking sequence, attempting to bypass network\nsecurity controls and sensors. This is why protecting user credentials (specifically application\ncredentials), defined in CIS Control 6, is so important.\n\nLacking credentials, application flaws are the attack vector of choice. However, today’s\napplications are developed, operated, and maintained in a highly complex, diverse, and dynamic\nenvironment. Applications run on multiple platforms; web, mobile, cloud, etc., with application\narchitectures that are more complex than legacy client-server or database-web server structures.\nDevelopment life cycles have become shorter, transitioning from months or years in long\nwaterfall methodologies, to DevOps cycles with frequent code updates. Also, applications are\nrarely created from scratch, and are often \"assembled\" from a complex mix of development\nframeworks, libraries, existing code, and new code. There are also modern and evolving data\nprotection regulations dealing with user privacy. These may require compliance to regional or\nsector-specific data protection requirements.\n\nThese factors make traditional approaches to security, like control (of processes, code\nsources, run-time environment, etc.), inspection, and testing, much more challenging. Also, the\nrisk that an application vulnerability introduces might not be understood, except in a specific\noperational setting or context.\n\nApplication vulnerabilities can be present for many reasons; insecure design, insecure\ninfrastructure, coding mistakes, weak authentication, and failure to test for unusual or\nunexpected conditions. Attackers can exploit specific vulnerabilities, including buffer\noverflows, exposure to Structured Query Language (SQL) injection, cross-site scripting,\ncross-site request forgery, and click-jacking of code to gain access to sensitive data, or take\ncontrol over vulnerable assets within the infrastructure as a launching point for further\nattacks.\n\nApplications and websites can also be used to harvest credentials, data, or attempt to install\nmalware onto the users who access them.\n\nFinally, it is now more common to acquire Software as a Service (SaaS) platforms, where\nsoftware is developed and managed entirely through a third-party. These might be hosted anywhere\nin the world. This brings challenges to enterprises who need to know what risks they are\naccepting with using these platforms; and they often do not have visibility into the development\nand application security practices of these platforms. Some of these SaaS platforms allow for\ncustomizing of their interfaces and databases. Enterprises who extend these applications should\nfollow this CIS Control, similar to if they were doing ground-up customer development." + } ], + "controls" : [ { + "id" : "cisc-16.1", + "title" : "Establish and Maintain a Secure Application Development Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.1" + }, { + "name" : "sort-id", + "value" : "cisc-16.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-16.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a secure application development process. In the process, address such\nitems as: secure application design standards, secure coding practices, developer training,\nvulnerability management, security of third-party code, and application security testing\nprocedures. Review and update documentation annually, or when significant enterprise changes\noccur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-16.2", + "title" : "Establish and Maintain a Process to Accept and Address Software Vulnerabilities", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.2" + }, { + "name" : "sort-id", + "value" : "cisc-16.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-16.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain a process to accept and address reports of software vulnerabilities,\nincluding providing a means for external entities to report. The process is to include such\nitems as: a vulnerability handling policy that identifies reporting process, responsible party\nfor handling vulnerability reports, and a process for intake, assignment, remediation, and\nremediation testing. As part of the process, use a vulnerability tracking system that includes\nseverity ratings, and metrics for measuring timing for identification, analysis, and\nremediation of vulnerabilities. Review and update documentation annually, or when significant\nenterprise changes occur that could impact this Safeguard.\n\nThird-party application developers need to consider this an externally-facing policy that\nhelps to set expectations for outside stakeholders." + } ] + }, { + "id" : "cisc-16.3", + "title" : "Perform Root Cause Analysis on Security Vulnerabilities", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.3" + }, { + "name" : "sort-id", + "value" : "cisc-16.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-16.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.3_stmt", + "name" : "statement", + "prose" : "Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root\ncause analysis is the task of evaluating underlying issues that create vulnerabilities in code,\nand allows development teams to move beyond just fixing individual vulnerabilities as they\narise." + } ] + }, { + "id" : "cisc-16.4", + "title" : "Establish and Manage an Inventory of Third-Party Software Components", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.4" + }, { + "name" : "sort-id", + "value" : "cisc-16.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.4_stmt", + "name" : "statement", + "prose" : "Establish and manage an updated inventory of third-party components used in development,\noften referred to as a \"bill of materials,\" as well as components slated for future use. This\ninventory is to include any risks that each third-party component could pose. Evaluate the list\nat least monthly to identify any changes or updates to these components, and validate that the\ncomponent is still supported." + } ] + }, { + "id" : "cisc-16.5", + "title" : "Use Up-to-Date and Trusted Third-Party Software Components", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.5" + }, { + "name" : "sort-id", + "value" : "cisc-16.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-16.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.5_stmt", + "name" : "statement", + "prose" : "Use up-to-date and trusted third-party software components. When possible, choose established\nand proven frameworks and libraries that provide adequate security. Acquire these components\nfrom trusted sources or evaluate the software for vulnerabilities before use." + } ] + }, { + "id" : "cisc-16.6", + "title" : "Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.6" + }, { + "name" : "sort-id", + "value" : "cisc-16.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-16.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.6_stmt", + "name" : "statement", + "prose" : "Establish and maintain a severity rating system and process for application vulnerabilities\nthat facilitates prioritizing the order in which discovered vulnerabilities are fixed. This\nprocess includes setting a minimum level of security acceptability for releasing code or\napplications. Severity ratings bring a systematic way of triaging vulnerabilities that improves\nrisk management and helps ensure the most severe bugs are fixed first. Review and update the\nsystem and process annually." + } ] + }, { + "id" : "cisc-16.7", + "title" : "Use Standard Hardening Configuration Templates for Application Infrastructure", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.7" + }, { + "name" : "sort-id", + "value" : "cisc-16.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-4.1", + "rel" : "dependency" + }, { + "href" : "cisc-4.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.7_stmt", + "name" : "statement", + "prose" : "Use standard, industry-recommended hardening configuration templates for application\ninfrastructure components. This includes underlying servers, databases, and web servers, and\napplies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do\nnot allow in-house developed software to weaken configuration hardening." + } ] + }, { + "id" : "cisc-16.8", + "title" : "Separate Production and Non-Production Systems", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.8" + }, { + "name" : "sort-id", + "value" : "cisc-16.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-16.8_stmt", + "name" : "statement", + "prose" : "
\n\nMaintain separate environments for production and non-production systems." + } ] + }, { + "id" : "cisc-16.9", + "title" : "Train Developers in Application Security Concepts and Secure Coding", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.9" + }, { + "name" : "sort-id", + "value" : "cisc-16.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-16.9_stmt", + "name" : "statement", + "prose" : "Ensure that all software development personnel receive training in writing secure code for\ntheir specific development environment and responsibilities. Training can include general\nsecurity principles and application security standard practices. Conduct training at least\nannually and design in a way to promote security within the development team, and build a\nculture of security among the developers." + } ] + }, { + "id" : "cisc-16.10", + "title" : "Apply Secure Design Principles in Application Architectures", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.10" + }, { + "name" : "sort-id", + "value" : "cisc-16.10" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-16.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.10_stmt", + "name" : "statement", + "prose" : "Apply secure design principles in application architectures. Secure design principles include\nthe concept of least privilege and enforcing mediation to validate every operation that the\nuser makes, promoting the concept of \"never trust user input.\" Examples include ensuring that\nexplicit error checking is performed and documented for all input, including for size, data\ntype, and acceptable ranges or formats. Secure design also means minimizing the application\ninfrastructure attack surface, such as turning off unprotected ports and services, removing\nunnecessary programs and files, and renaming or removing default accounts." + } ] + }, { + "id" : "cisc-16.11", + "title" : "Leverage Vetted Modules or Services for Application Security Components", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.11" + }, { + "name" : "sort-id", + "value" : "cisc-16.11" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.11_stmt", + "name" : "statement", + "prose" : "Leverage vetted modules or services for application security components, such as identity\nmanagement, encryption, and auditing and logging. Using platform features in critical security\nfunctions will reduce developers’ workload and minimize the likelihood of design or\nimplementation errors. Modern operating systems provide effective mechanisms for\nidentification, authentication, and authorization and make those mechanisms available to\napplications. Use only standardized, currently accepted, and extensively reviewed encryption\nalgorithms. Operating systems also provide mechanisms to create and maintain secure audit\nlogs." + } ] + }, { + "id" : "cisc-16.12", + "title" : "Implement Code-Level Security Checks", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.12" + }, { + "name" : "sort-id", + "value" : "cisc-16.12" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.12_stmt", + "name" : "statement", + "prose" : "Apply static and dynamic analysis tools within the application life cycle to verify that\nsecure coding practices are being followed." + } ] + }, { + "id" : "cisc-16.13", + "title" : "Conduct Application Penetration Testing", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.13" + }, { + "name" : "sort-id", + "value" : "cisc-16.13" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.13_stmt", + "name" : "statement", + "prose" : "Conduct application penetration testing. For critical applications, authenticated penetration\ntesting is better suited to finding business logic vulnerabilities than code scanning and\nautomated security testing. Penetration testing relies on the skill of the tester to manually\nmanipulate an application as an authenticated and unauthenticated user." + } ] + }, { + "id" : "cisc-16.14", + "title" : "Conduct Threat Modeling", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 16.14" + }, { + "name" : "sort-id", + "value" : "cisc-16.14" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "applications" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-2.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-16.14_stmt", + "name" : "statement", + "prose" : "Conduct threat modeling. Threat modeling is the process of identifying and addressing\napplication security design flaws within a design, before code is created. It is conducted\nthrough specially trained individuals who evaluate the application design and gauge security\nrisks for each entry point and access level. The goal is to map out the application,\narchitecture, and infrastructure in a structured way to understand its weaknesses." + } ] + } ] + }, { + "id" : "cisc-17", + "title" : "Incident Response Management", + "props" : [ { + "name" : "label", + "value" : "CIS Control 17" + }, { + "name" : "sort-id", + "value" : "cisc-17" + } ], + "parts" : [ { + "id" : "cisc-17_stmt", + "name" : "statement", + "prose" : "Establish a program to develop and maintain an incident response capability (e.g., policies,\nplans, procedures, defined roles, training, and communications) to prepare, detect, and quickly\nrespond to an attack." + }, { + "id" : "cisc-17_gdn", + "name" : "guidance", + "prose" : "A comprehensive cybersecurity program includes protections, detections, response, and recovery\ncapabilities. Often, the final two get overlooked in immature enterprises, or the response\ntechnique to compromised systems is just to re-image them to original state, and move on. The\nprimary goal of incident response is to identify threats on the enterprise, respond to them\nbefore they can spread, and remediate them before they can cause harm. Without understanding the\nfull scope of an incident, how it happened, and what can be done to prevent it from happening\nagain, defenders will just be in a perpetual \"whack-a-mole\" pattern.\n\nWe cannot expect our protections to be effective 100% of the time. When an incident occurs, if\nan enterprise does not have a documented plan – even with good people – it is almost impossible\nto know the right investigative procedures, reporting, data collection, management\nresponsibility, legal protocols, and communications strategy that will allow the enterprise to\nsuccessfully understand, manage, and recover.\n\nAlong with detection, containment, and eradication, communication to stakeholders is key. If\nwe are to reduce the probability of material impact due to a cyber event, the enterprise’s\nleadership must know what potential impact there could be, so that they can help prioritize\nremediation or restoration decisions that best support the enterprise. These business decisions\ncould be based on regulatory compliance, disclosure rules, service-level agreements with\npartners or customers, revenue, or mission impacts.\n\nDwell time from when an attack happens to when it is identified can be days, weeks, or months.\nThe longer the attacker is in the enterprise’s infrastructure, the more embedded they become and\nthey will develop more ways to maintain persistent access for when they are eventually\ndiscovered. With the rise of ransomware, which is a stable moneymaker for attackers, this dwell\ntime is critical, especially with modern tactics of stealing data before encrypting it for\nransom." + } ], + "controls" : [ { + "id" : "cisc-17.1", + "title" : "Designate Personnel to Manage Incident Handling", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.1" + }, { + "name" : "sort-id", + "value" : "cisc-17.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-17.1_stmt", + "name" : "statement", + "prose" : "Designate one key person, and at least one backup, who will manage the enterprise’s incident\nhandling process. Management personnel are responsible for the coordination and documentation\nof incident response and recovery efforts and can consist of employees internal to the\nenterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate\nat least one person internal to the enterprise to oversee any third-party work. Review\nannually, or when significant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-17.2", + "title" : "Establish and Maintain Contact Information for Reporting Security Incidents", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.2" + }, { + "name" : "sort-id", + "value" : "cisc-17.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-17.2_stmt", + "name" : "statement", + "prose" : "Establish and maintain contact information for parties that need to be informed of security\nincidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber\ninsurance providers, relevant government agencies, Information Sharing and Analysis Center\n(ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is\nup-to-date." + } ] + }, { + "id" : "cisc-17.3", + "title" : "Establish and Maintain an Enterprise Process for Reporting Incidents", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.3" + }, { + "name" : "sort-id", + "value" : "cisc-17.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "1" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-17.3_stmt", + "name" : "statement", + "prose" : "Establish and maintain an enterprise process for the workforce to report security incidents.\nThe process includes reporting timeframe, personnel to report to, mechanism for reporting, and\nthe minimum information to be reported. Ensure the process is publicly available to all of the\nworkforce. Review annually, or when significant enterprise changes occur that could impact this\nSafeguard." + } ] + }, { + "id" : "cisc-17.4", + "title" : "Establish and Maintain an Incident Response Process", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.4" + }, { + "name" : "sort-id", + "value" : "cisc-17.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-17.4_stmt", + "name" : "statement", + "prose" : "Establish and maintain an incident response process that addresses roles and\nresponsibilities, compliance requirements, and a communication plan. Review annually, or when\nsignificant enterprise changes occur that could impact this Safeguard." + } ] + }, { + "id" : "cisc-17.5", + "title" : "Assign Key Roles and Responsibilities", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.5" + }, { + "name" : "sort-id", + "value" : "cisc-17.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-17.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-17.5_stmt", + "name" : "statement", + "prose" : "Assign key roles and responsibilities for incident response, including staff from legal, IT,\ninformation security, facilities, public relations, human resources, incident responders, and\nanalysts, as applicable. Review annually, or when significant enterprise changes occur that\ncould impact this Safeguard." + } ] + }, { + "id" : "cisc-17.6", + "title" : "Define Mechanisms for Communicating During Incident Response", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.6" + }, { + "name" : "sort-id", + "value" : "cisc-17.06" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "respond" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-17.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-17.6_stmt", + "name" : "statement", + "prose" : "Determine which primary and secondary mechanisms will be used to communicate and report\nduring a security incident. Mechanisms can include phone calls, emails, or letters. Keep in\nmind that certain mechanisms, such as emails, can be affected during a security incident.\nReview annually, or when significant enterprise changes occur that could impact this\nSafeguard." + } ] + }, { + "id" : "cisc-17.7", + "title" : "Conduct Routine Incident Response Exercises", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.7" + }, { + "name" : "sort-id", + "value" : "cisc-17.07" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recover" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-17.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-17.7_stmt", + "name" : "statement", + "prose" : "Plan and conduct routine incident response exercises and scenarios for key personnel involved\nin the incident response process to prepare for responding to real-world incidents. Exercises\nneed to test communication channels, decision making, and workflows. Conduct testing on an\nannual basis, at a minimum." + } ] + }, { + "id" : "cisc-17.8", + "title" : "Conduct Post-Incident Reviews", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.8" + }, { + "name" : "sort-id", + "value" : "cisc-17.08" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "recover" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-17.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-17.8_stmt", + "name" : "statement", + "prose" : "Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through\nidentifying lessons learned and follow-up action." + } ] + }, { + "id" : "cisc-17.9", + "title" : "Establish and Maintain Security Incident Thresholds", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 17.9" + }, { + "name" : "sort-id", + "value" : "cisc-17.09" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-17.4", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-17.9_stmt", + "name" : "statement", + "prose" : "Establish and maintain security incident thresholds, including, at a minimum, differentiating\nbetween an incident and an event. Examples can include: abnormal activity, security\nvulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when\nsignificant enterprise changes occur that could impact this Safeguard." + } ] + } ] + }, { + "id" : "cisc-18", + "title" : "Penetration Testing", + "props" : [ { + "name" : "label", + "value" : "CIS Control 18" + }, { + "name" : "sort-id", + "value" : "cisc-18" + } ], + "parts" : [ { + "id" : "cisc-18_stmt", + "name" : "statement", + "prose" : "Test the effectiveness and resiliency of enterprise assets through identifying and exploiting\nweaknesses in controls (people, processes, and technology), and simulating the objectives and\nactions of an attacker." + }, { + "id" : "cisc-18_gdn", + "name" : "guidance", + "prose" : "A successful defensive posture requires a comprehensive program of effective policies and\ngovernance, strong technical defenses, combined with appropriate action from people. However, it\nis rarely perfect. In a complex environment where technology is constantly evolving and new\nattacker tradecraft appears regularly, enterprises should periodically test their controls to\nidentify gaps and to assess their resiliency. This test may be from external network, internal\nnetwork, application, system, or device perspective. It may include social engineering of users,\nor physical access control bypasses.\n\nOften, penetration tests are performed for specific purposes: • As a \"dramatic\" demonstration\nof an attack, usually to convince decision-makers of their enterprise’s weaknesses • As a means\nto test the correct operation of enterprise defenses (\"verification\") • To test that the\nenterprise has built the right defenses in the first place (\"validation\")\n\nIndependent penetration testing can provide valuable and objective insights about the\nexistence of vulnerabilities in enterprise assets and humans, and the efficacy of defenses and\nmitigating controls to protect against adverse impacts to the enterprise. They are part of a\ncomprehensive, ongoing program of security management and improvement. They can also reveal\nprocess weaknesses, such as incomplete or inconsistent configuration management, or end-user\ntraining.\n\nPenetration testing differs from vulnerability testing, described in CIS Control 7.\nVulnerability testing just checks for presence of known, insecure enterprise assets, and stops\nthere. Penetration testing goes further to exploit those weaknesses to see how far an attacker\ncould get, and what business process or data might be impacted through exploitation of that\nvulnerability. This is an important detail, and often penetration testing and vulnerability\ntesting are incorrectly used interchangeably. Vulnerability testing is exclusively automated\nscanning with sometimes manual validation of false positives, whereas penetration testing\nrequires more human involvement and analysis, sometimes supported through the use of custom\ntools or scripts. However, vulnerability testing is often a starting point for a penetration\ntest.\n\nAnother common term is \"Red Team\" exercises. These are similar to penetration tests in that\nvulnerabilities are exploited; however, the difference is the focus. Red Teams simulate specific\nattacker TTPs to evaluate how an enterprise’s environment would withstand an attack from a\nspecific adversary, or category of adversaries." + } ], + "controls" : [ { + "id" : "cisc-18.1", + "title" : "Establish and Maintain a Penetration Testing Program", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 18.1" + }, { + "name" : "sort-id", + "value" : "cisc-18.01" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "parts" : [ { + "id" : "cisc-18.1_stmt", + "name" : "statement", + "prose" : "Establish and maintain a penetration testing program appropriate to the size, complexity, and\nmaturity of the enterprise. Penetration testing program characteristics include scope, such as\nnetwork, web application, Application Programming Interface (API), hosted services, and\nphysical premise controls; frequency; limitations, such as acceptable hours, and excluded\nattack types; point of contact information; remediation, such as how findings will be routed\ninternally; and retrospective requirements." + } ] + }, { + "id" : "cisc-18.2", + "title" : "Perform Periodic External Penetration Tests", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 18.2" + }, { + "name" : "sort-id", + "value" : "cisc-18.02" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-18.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-18.2_stmt", + "name" : "statement", + "prose" : "Perform periodic external penetration tests based on program requirements, no less than\nannually. External penetration testing must include enterprise and environmental reconnaissance\nto detect exploitable information. Penetration testing requires specialized skills and\nexperience and must be conducted through a qualified party. The testing may be clear box or\nopaque box." + } ] + }, { + "id" : "cisc-18.3", + "title" : "Remediate Penetration Test Findings", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 18.3" + }, { + "name" : "sort-id", + "value" : "cisc-18.03" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "2" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-18.2", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-18.3_stmt", + "name" : "statement", + "prose" : "Remediate penetration test findings based on the enterprise’s policy for remediation scope\nand prioritization." + } ] + }, { + "id" : "cisc-18.4", + "title" : "Validate Security Measures", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 18.4" + }, { + "name" : "sort-id", + "value" : "cisc-18.04" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "network" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "protect" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-18.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-18.4_stmt", + "name" : "statement", + "prose" : "Validate security measures after each penetration test. If deemed necessary, modify rulesets\nand capabilities to detect the techniques used during testing." + } ] + }, { + "id" : "cisc-18.5", + "title" : "Perform Periodic Internal Penetration Tests", + "props" : [ { + "name" : "label", + "value" : "CIS Safeguard 18.5" + }, { + "name" : "sort-id", + "value" : "cisc-18.05" + }, { + "name" : "asset-type", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "N/A" + }, { + "name" : "security-function", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "identify" + }, { + "name" : "implementation-group", + "ns" : "https://cisecurity.org/ns/oscal", + "value" : "3" + } ], + "links" : [ { + "href" : "cisc-18.1", + "rel" : "dependency" + } ], + "parts" : [ { + "id" : "cisc-18.5_stmt", + "name" : "statement", + "prose" : "Perform periodic internal penetration tests based on program requirements, no less than\nannually. The testing may be clear box or opaque box." + } ] + } ] + } ] + } +} \ No newline at end of file diff --git a/src/catalogs/xml/cis-controls-v8_OSCAL-1.0.xml b/src/catalogs/xml/cis-controls-v8_OSCAL-1.0.xml index fb53946..672c2fa 100644 --- a/src/catalogs/xml/cis-controls-v8_OSCAL-1.0.xml +++ b/src/catalogs/xml/cis-controls-v8_OSCAL-1.0.xml @@ -9,7 +9,7 @@ 2020-09-20T12:10:00.001-04:00 8.0 1.0.4 - + diff --git a/src/catalogs/yaml/cis-controls-v8_OSCAL-1.0.yaml b/src/catalogs/yaml/cis-controls-v8_OSCAL-1.0.yaml new file mode 100644 index 0000000..52c13f2 --- /dev/null +++ b/src/catalogs/yaml/cis-controls-v8_OSCAL-1.0.yaml @@ -0,0 +1,5444 @@ +--- +catalog: + uuid: e95fb23c-57d2-495f-8ab5-2c6b3152bcee + metadata: + title: CIS Controls + last-modified: 2020-09-20T12:10:00.001-04:00 + version: "8.0" + oscal-version: 1.0.4 + props: + - name: keywords + value: "control, assessment" + links: + - href: https://controls-assessment-specification.readthedocs.io/en/stable/index.html + rel: alternate + media-type: text/html + controls: + - id: cisc-1 + title: Inventory and Control of Enterprise Assets + props: + - name: label + value: CIS Control 1 + - name: sort-id + value: cisc-01 + parts: + - id: cisc-1_stmt + name: statement + prose: |- + Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, + including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; + and servers) connected to the infrastructure, physically, virtually, remotely, and those within + cloud environments, to accurately know the totality of assets that need to be monitored and + protected within the enterprise. This will also support identifying unauthorized and unmanaged + assets to remove or remediate. + - id: cisc-1_gdn + name: guidance + prose: |- + Enterprises cannot defend what they do not know they have. Managed control of all enterprise + assets also plays a critical role in security monitoring, incident response, system backup, and + recovery. Enterprises should know what data is critical to them, and proper asset management + will help identify those enterprise assets that hold or manage this critical data, so + appropriate security controls can be applied. + + External attackers are continuously scanning the internet address space of target enterprises, + premise-based or in the cloud, identifying possibly unprotected assets attached to enterprises’ + networks. Attackers can take advantage of new assets that are installed, yet not securely + configured and patched. Internally, unidentified assets can also have weak security + configurations that can make them vulnerable to web or email-based malware; and adversaries can + leverage weak security configurations for traversing the network, once they are inside. + + Additional assets that connect to the enterprise’s network (e.g., demonstration systems, + temporary test systems, guest networks, etc.) should be identified and/or isolated, in order to + prevent adversarial access from affecting the security of enterprise operations. + + Large, complex, dynamic enterprises understandably struggle with the challenge of managing + intricate, fast-changing environments. However, attackers have shown the ability, patience, and + willingness to "inventory and control" our enterprise assets at very large scale in order to + support their opportunities. + + Another challenge is that portable end-user devices will periodically join a network and then + disappear, making the inventory of currently available assets very dynamic. Likewise, cloud + environments and virtual machines can be difficult to track in asset inventories when they are + shut down or paused. Another benefit of complete enterprise asset management is supporting + incident response. Both when investigating the origination of network traffic from an asset on + the network, and to be able to identify all potentially vulnerable, or impacted, assets of + similar type or location during an incident. + controls: + - id: cisc-1.1 + title: Establish and Maintain Detailed Enterprise Asset Inventory + props: + - name: label + value: CIS Safeguard 1.1 + - name: sort-id + value: cisc-01.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-1.1_stmt + name: statement + prose: |- + Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise + assets with the potential to store or process data, to include: end-user devices (including + portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the + inventory records the network address (if static), hardware address, machine name, data asset + owner, department for each asset, and whether the asset has been approved to connect to the + network. For mobile end-user devices, MDM type tools can support this process, where + appropriate. This inventory includes assets connected to the infrastructure physically, + virtually, remotely, and those within cloud environments. Additionally, it includes assets that + are regularly connected to the enterprise’s network infrastructure, even if they are not under + control of the enterprise. Review and update the inventory of all enterprise assets + bi-annually, or more frequently. + - id: cisc-1.2 + title: Address Unauthorized Assets + props: + - name: label + value: CIS Safeguard 1.2 + - name: sort-id + value: cisc-01.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-1.2_stmt + name: statement + prose: |- + Ensure that a process exists to address unauthorized assets on a weekly basis. The enterprise + may choose to remove the asset from the network, deny the asset from connecting remotely to the + network, or quarantine the asset. + - id: cisc-1.3 + title: Utilize an Active Discovery Tool + props: + - name: label + value: CIS Safeguard 1.3 + - name: sort-id + value: cisc-01.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-1.3_stmt + name: statement + prose: |- + Utilize an active discovery tool to identify assets connected to the enterprise’s network. + Configure the active discovery tool to execute daily, or more frequently. + - id: cisc-1.4 + title: Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory + props: + - name: label + value: CIS Safeguard 1.4 + - name: sort-id + value: cisc-01.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-1.4_stmt + name: statement + prose: |- + Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to + update the enterprise’s asset inventory. Review and use logs to update the enterprise’s asset + inventory weekly, or more frequently. + - id: cisc-1.5 + title: Use a Passive Asset Discovery Tool + props: + - name: label + value: CIS Safeguard 1.5 + - name: sort-id + value: cisc-01.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.2 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-1.5_stmt + name: statement + prose: |- + Use a passive discovery tool to identify assets connected to the enterprise’s network. Review + and use scans to update the enterprise’s asset inventory at least weekly, or more + frequently. + - id: cisc-2 + title: Inventory and Control of Software Assets + props: + - name: label + value: CIS Control 2 + - name: sort-id + value: cisc-02 + parts: + - id: cisc-2_stmt + name: statement + prose: |- + Actively manage (inventory, track, and correct) all software (operating systems and + applications) on the network so that only authorized software is installed and can execute, and + that unauthorized and unmanaged software is found and prevented from installation or + execution. + - id: cisc-2_gdn + name: guidance + prose: |- + A complete software inventory is a critical foundation for preventing attacks. Attackers + continuously scan target enterprises looking for vulnerable versions of software that can be + remotely exploited. For example, if a user opens a malicious website or attachment with a + vulnerable browser, an attacker can often install backdoor programs and bots that give the + attacker long-term control of the system. Attackers can also use this access to move laterally + through the network. One of the key defenses against these attacks is updating and patching + software. However, without a complete inventory of software assets, an enterprise cannot + determine if they have vulnerable software, or if there are potential licensing violations. + + Even if a patch is not yet available, a complete software inventory list allows an enterprise + to guard against known attacks until the patch is released. Some sophisticated attackers use + "zero-day exploits", which take advantage of previously unknown vulnerabilities that have yet to + have a patch released by the software vendor. Depending on the severity of the exploit, an + enterprise can implement temporary mitigation measures to guard against attacks until the patch + is released. + + Management of software assets is also important to identify unnecessary security risks. An + enterprise should review their software inventory to identify any enterprise assets running + software that is not needed for business purposes. For example, an enterprise asset may come + installed with default software that creates a potential security risk and provides no benefit + to the enterprise. It is critical to inventory, understand, assess, and manage all software + connected to an enterprise’s infrastructure. + controls: + - id: cisc-2.1 + title: Establish and Maintain a Software Inventory + props: + - name: label + value: CIS Safeguard 2.1 + - name: sort-id + value: cisc-02.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-2.1_stmt + name: statement + prose: |- + Establish and maintain a detailed inventory of all licensed software installed on enterprise + assets. The software inventory must document the title, publisher, initial install/use date, + and business purpose for each entry; where appropriate, include the Uniform Resource Locator + (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update + the software inventory bi-annually, or more frequently. + - id: cisc-2.2 + title: Ensure Authorized Software is Currently Supported + props: + - name: label + value: CIS Safeguard 2.2 + - name: sort-id + value: cisc-02.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-1.2_stmt + name: statement + prose: |- + Ensure that only currently supported software is designated as authorized in the software + inventory for enterprise assets. If software is unsupported yet necessary for the fulfillment + of the enterprise’s mission, document an exception detailing mitigating controls and residual + risk acceptance. For any unsupported software without an exception documentation, designate as + unauthorized. Review the software list to verify software support at least monthly, or more + frequently. + - id: cisc-2.3 + title: Address Unauthorized Software + props: + - name: label + value: CIS Safeguard 2.3 + - name: sort-id + value: cisc-02.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-2.3_stmt + name: statement + prose: |- + Ensure that unauthorized software is either removed from use on enterprise assets or receives + a documented exception. Review monthly, or more frequently. + - id: cisc-2.4 + title: Utilize Automated Software Inventory Tools + props: + - name: label + value: CIS Safeguard 2.4 + - name: sort-id + value: cisc-02.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.3 + rel: dependency + parts: + - id: cisc-2.4_stmt + name: statement + prose: |- + Utilize software inventory tools, when possible, throughout the enterprise to automate the + discovery and documentation of installed software. + - id: cisc-2.5 + title: Allowlist Authorized Software + props: + - name: label + value: CIS Safeguard 2.5 + - name: sort-id + value: cisc-02.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-2.3 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-2.5_stmt + name: statement + prose: |- + Use technical controls, such as application allowlisting, to ensure that only authorized + software can execute or be accessed. Reassess bi-annually, or more frequently. + - id: cisc-2.6 + title: Allowlist Authorized Libraries + props: + - name: label + value: CIS Safeguard 2.6 + - name: sort-id + value: cisc-02.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + - href: cisc-2.5 + rel: dependency + - href: cisc-4.2 + rel: dependency + parts: + - id: cisc-2.6_stmt + name: statement + prose: |- + Use technical controls to ensure that only authorized software libraries, such as specific + .dll, .ocx, .so, etc. files, are allowed to load into a system process. Block unauthorized + libraries from loading into a system process. Reassess bi-annually, or more frequently. + - id: cisc-2.7 + title: Allowlist Authorized Scripts + props: + - name: label + value: CIS Safeguard 2.7 + - name: sort-id + value: cisc-02.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-2.7_stmt + name: statement + prose: |- + Use technical controls, such as digital signatures and version control, to ensure that only + authorized scripts, such as specific .ps1, .py, etc. files, are allowed to execute. Block + unauthorized scripts from executing. Reassess bi-annually, or more frequently. + - id: cisc-3 + title: Data Protection + props: + - name: label + value: CIS Control 3 + - name: sort-id + value: cisc-03 + parts: + - id: cisc-3_stmt + name: statement + prose: |- + Develop processes and technical controls to identify, classify, securely handle, retain, and + dispose of data. + - id: cisc-3_gdn + name: guidance + prose: |- + Data is no longer only contained within an enterprise’s border, it is in the cloud, on + portable end-user devices where users work from home, and is often shared with partners or + online services who might have it anywhere in the world. In addition to sensitive data an + enterprise holds related to finances, intellectual property, and customer data, there also might + be numerous international regulations for protection of personal data. Data privacy has become + increasingly important, and enterprises are learning that privacy is about the appropriate use + and management of data, not just encryption. Data must be appropriately managed through its + entire lifecycle. These privacy rules can be complicated for multi-national enterprises, of any + size, however there are fundamentals that can apply to all. + + Once attackers have penetrated an enterprise’s infrastructure, one of their first tasks is to + find and exfiltrate data. Enterprises might not be aware that sensitive data is leaving their + environment because they are not monitoring data outflows. + + While many attacks occur on the network, others involve physical theft of portable end-user + devices, attacks on service providers or other partners holding sensitive data. Other sensitive + enterprise assets may also include non-computing devices that provide management and control of + physical systems, such as Supervisory Control and Data Acquisition (SCADA) systems. + + The enterprise’s loss of control over protected or sensitive data is a serious and often + reportable business impact. While some data is compromised or lost as a result of theft or + espionage, the vast majority are a result of poorly understood data management rules, and user + error. The adoption of data encryption, both in transit and at rest, can provide mitigation + against data compromise, and more importantly, is a regulatory requirement for most controlled + data. + controls: + - id: cisc-3.1 + title: Establish and Maintain a Data Management Process + props: + - name: label + value: CIS Safeguard 3.1 + - name: sort-id + value: cisc-03.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-3.1_stmt + name: statement + prose: |- + Establish and maintain a data management process. In the process, address data sensitivity, + data owner, handling of data, data retention limits, and disposal requirements, based on + sensitivity and retention standards for the enterprise. Review and update documentation + annually, or when significant enterprise changes occur that could impact this Safeguard. + - id: cisc-3.2 + title: Establish and Maintain a Data Inventory + props: + - name: label + value: CIS Safeguard 3.2 + - name: sort-id + value: cisc-03.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-3.2_stmt + name: statement + prose: |- + Establish and maintain a data inventory, based on the enterprise’s data management process. + Inventory sensitive data, at a minimum. Review and update inventory annually, at a minimum, + with a priority on sensitive data. + - id: cisc-3.3 + title: Configure Data Access Control Lists + props: + - name: label + value: CIS Safeguard 3.3 + - name: sort-id + value: cisc-03.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.2 + rel: dependency + - href: cisc-4.1 + rel: dependency + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-3.3_stmt + name: statement + prose: |- + Configure data access control lists based on a user’s need to know. Apply data access control + lists, also known as access permissions, to local and remote file systems, databases, and + applications. + - id: cisc-3.4 + title: Enforce Data Retention + props: + - name: label + value: CIS Safeguard 3.4 + - name: sort-id + value: cisc-03.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.1 + rel: dependency + - href: cisc-3.2 + rel: dependency + parts: + - id: cisc-3.4_stmt + name: statement + prose: |- + Retain data according to the enterprise’s data management process. Data retention must + include both minimum and maximum timelines. + - id: cisc-3.5 + title: Securely Dispose of Data + props: + - name: label + value: CIS Safeguard 3.5 + - name: sort-id + value: cisc-03.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.1 + rel: dependency + - href: cisc-3.2 + rel: dependency + parts: + - id: cisc-3.5_stmt + name: statement + prose: |- + Securely dispose of data as outlined in the enterprise’s data management process. Ensure the + disposal process and method are commensurate with the data sensitivity. + - id: cisc-3.6 + title: Encrypt Data on End-User Devices + props: + - name: label + value: CIS Safeguard 3.6 + - name: sort-id + value: cisc-03.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-3.6_stmt + name: statement + prose: |- + Encrypt data on end-user devices containing sensitive data. Example implementations can + include, Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. + - id: cisc-3.7 + title: Establish and Maintain a Data Classification Scheme + props: + - name: label + value: CIS Safeguard 3.7 + - name: sort-id + value: cisc-03.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.1 + rel: dependency + - href: cisc-3.2 + rel: dependency + parts: + - id: cisc-3.7_stmt + name: statement + prose: |- + Establish and maintain an overall data classification scheme for the enterprise. Enterprises + may use labels, such as "Sensitive", "Confidential" and "Public", and classify their data + according to those labels. Review and update the classification scheme annually, or when + significant enterprise changes occur that could impact this Safeguard. + - id: cisc-3.8 + title: Document Data Flows + props: + - name: label + value: CIS Safeguard 3.8 + - name: sort-id + value: cisc-03.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.1 + rel: dependency + - href: cisc-3.2 + rel: dependency + parts: + - id: cisc-3.8_stmt + name: statement + prose: |- + Document data flows. Data flow documentation includes service provider data flows and should + be based on the enterprise?s data management process. Review and update documentation annually, + or when significant enterprise changes occur that could impact this Safeguard. + - id: cisc-3.9 + title: Encrypt Data on Removable Media + props: + - name: label + value: CIS Safeguard 3.9 + - name: sort-id + value: cisc-03.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-3.9_stmt + name: statement + prose: Encrypt data on removable media. + - id: cisc-3.10 + title: Encrypt Sensitive Data in Transit + props: + - name: label + value: CIS Safeguard 3.10 + - name: sort-id + value: cisc-03.10 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.2 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-3.10_stmt + name: statement + prose: |- + Encrypt sensitive data in transit. Example implementations can include, Transport Layer + Security (TLS) and Open Secure Shell (OpenSSH). + - id: cisc-3.11 + title: Encrypt Sensitive Data At Rest + props: + - name: label + value: CIS Safeguard 3.11 + - name: sort-id + value: cisc-03.11 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-3.11_stmt + name: statement + prose: |- + Encrypt sensitive data at rest on servers, applications, and databases containing sensitive + data. Storage-layer encryption, also known as server-side encryption, meets the minimum + requirement of this Safeguard. Additional encryption methods may include application-layer + encryption, also known as client-side encryption, where access to the data storage device(s) + does not permit access to the plain-text data. + - id: cisc-3.12 + title: Segment Data Processing and Storage Based on Sensitivity + props: + - name: label + value: CIS Safeguard 3.12 + - name: sort-id + value: cisc-03.12 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: nhttps://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-3.2 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-3.12_stmt + name: statement + prose: |- + Segment data processing and storage, based on the sensitivity of the data. Do not process + sensitive data on enterprise assets intended for lower sensitivity data. + - id: cisc-3.13 + title: Segment Data Processing and Storage Based on Sensitivity + props: + - name: label + value: CIS Safeguard 3.13 + - name: sort-id + value: cisc-03.13 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: nhttps://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + - href: cisc-3.2 + rel: dependency + parts: + - id: cisc-3.13_stmt + name: statement + prose: |- + Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify + all sensitive data stored, processed, or transmitted through enterprise assets, including those + located onsite or at a remote service provider, and update the enterprise’s sensitive data + inventory. + - id: cisc-3.14 + title: Log Sensitive Data Access + props: + - name: label + value: CIS Safeguard 3.14 + - name: sort-id + value: cisc-03.14 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: nhttps://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-3.14_stmt + name: statement + prose: "Log sensitive data access, including modification and disposal." + - id: cisc-4 + title: Secure Configuration of Enterprise Assets and Software + props: + - name: label + value: CIS Control 4 + - name: sort-id + value: cisc-04 + parts: + - id: cisc-4_stmt + name: statement + prose: |- + Establish and maintain the secure configuration of enterprise assets (end-user devices, + including portable and mobile; network devices; non-computing/IoT devices; and servers) and + software (operating systems and applications). + - id: cisc-4_gdn + name: guidance + prose: |- + As delivered from manufacturers and resellers, the default configurations for enterprise + assets and software are normally geared towards ease-of-deployment and ease-of-use rather than + security. Basic controls, open services and ports, default accounts or passwords, pre-configured + Domain Name System (DNS) settings, older (vulnerable) protocols, and pre-installation of + unnecessary software can all be exploitable if left in their default state. Further, these + security configuration updates need to be managed and maintained over the life cycle of + enterprise assets and software. Configuration updates need to be tracked and approved through + configuration management workflow process to maintain a record that can be reviewed for + compliance, leveraged for incident response, and to support audits. This CIS Control is + important to on-premises devices, as well as remote devices, network devices, and cloud + environments. + + Service providers play a key role in modern infrastructures, especially for smaller + enterprises. They often are not set up by default in the most secure configuration to provide + flexibility for their customers to apply their own security policies. Therefore, the presence of + default accounts or passwords, excessive access, or unnecessary services are common in default + configurations. These could introduce weaknesses that are under the responsibility of the + enterprise that is using the software, rather than the service provider. This extends to ongoing + management and updates, as some Platform as a Service (PaaS) only extend to the operating + system, so patching and updating hosted applications are under the responsibility of the + enterprise. + + Even after a strong initial configuration is developed and applied, it must be continually + managed to avoid degrading security as software is updated or patched, new security + vulnerabilities are reported, and configurations are "tweaked," to allow the installation of new + software or to support new operational requirements. + controls: + - id: cisc-4.1 + title: Establish and Maintain a Secure Configuration Process + props: + - name: label + value: CIS Safeguard 4.1 + - name: sort-id + value: cisc-04.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-4.1_stmt + name: statement + prose: |- + Establish and maintain a secure configuration process for enterprise assets (end-user + devices, including portable and mobile, non-computing/IoT devices, and servers) and software + (operating systems and applications). Review and update documentation annually, or when + significant enterprise changes occur that could impact this Safeguard. + - id: cisc-4.2 + title: Establish and Maintain a Secure Configuration Process for Network Infrastructure + props: + - name: label + value: CIS Safeguard 4.2 + - name: sort-id + value: cisc-04.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-4.2_stmt + name: statement + prose: |- + Establish and maintain a secure configuration process for network devices. Review and update + documentation annually, or when significant enterprise changes occur that could impact this + Safeguard. + - id: cisc-4.3 + title: Configure Automatic Session Locking on Enterprise Assets + props: + - name: label + value: CIS Safeguard 4.3 + - name: sort-id + value: cisc-04.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-4.3_stmt + name: statement + prose: |- + Configure automatic session locking on enterprise assets after a defined period of + inactivity. For general purpose operating systems, the period must not exceed 15 minutes. For + mobile end-user devices, the period must not exceed 2 minutes. + - id: cisc-4.4 + title: Implement and Manage a Firewall on Servers + props: + - name: label + value: CIS Safeguard 4.4 + - name: sort-id + value: cisc-04.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.4_stmt + name: statement + prose: |- + Implement and manage a firewall on servers, where supported. Example implementations include + a virtual firewall, operating system firewall, or a third-party firewall agent. + - id: cisc-4.5 + title: Implement and Manage a Firewall on End-User Devices + props: + - name: label + value: CIS Safeguard 4.5 + - name: sort-id + value: cisc-04.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.5_stmt + name: statement + prose: |- + Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a + default-deny rule that drops all traffic except those services and ports that are explicitly + allowed. + - id: cisc-4.6 + title: Securely Manage Enterprise Assets and Software + props: + - name: label + value: CIS Safeguard 4.6 + - name: sort-id + value: cisc-04.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.6_stmt + name: statement + prose: |- + Securely manage enterprise assets and software. Example implementations include managing + configuration through version-controlled-infrastructure-as-code and accessing administrative + interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer + Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype + Network) and HTTP, unless operationally essential. + - id: cisc-4.7 + title: Manage Default Accounts on Enterprise Assets and Software + props: + - name: label + value: CIS Safeguard 4.7 + - name: sort-id + value: cisc-04.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: potect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-5.2 + rel: dependency + parts: + - id: cisc-4.7_stmt + name: statement + prose: |- + Manage default accounts on enterprise assets and software, such as root, administrator, and + other pre-configured vendor accounts. Example implementations can include: disabling default + accounts or making them unusable. + - id: cisc-4.8 + title: Uninstall or Disable Unnecessary Services on Enterprise Assets and Software + props: + - name: label + value: CIS Safeguard 4.8 + - name: sort-id + value: cisc-04.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-4.8_stmt + name: statement + prose: |- + Uninstall or disable unnecessary services on enterprise assets and software, such as an + unused file sharing service, web application module, or service function. + - id: cisc-4.9 + title: Configure Trusted DNS Servers on Enterprise Assets + props: + - name: label + value: CIS Safeguard 4.9 + - name: sort-id + value: cisc-04.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.9_stmt + name: statement + prose: |- + Configure trusted DNS servers on enterprise assets. Example implementations include: + configuring assets to use enterprise-controlled DNS servers and/or reputable externally + accessible DNS servers. + - id: cisc-4.10 + title: Enforce Automatic Device Lockout on Portable End-User Devices + props: + - name: label + value: CIS Safeguard 4.10 + - name: sort-id + value: cisc-04.10 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.10_stmt + name: statement + prose: |- + Enforce automatic device lockout following a predetermined threshold of local failed + authentication attempts on portable end-user devices, where supported. For laptops, do not + allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 + failed authentication attempts. Example implementations include Microsoft? InTune Device Lock + and Apple? Configuration Profile maxFailedAttempts. + - id: cisc-4.11 + title: Enforce Remote Wipe Capability on Portable End-User Devices + props: + - name: label + value: CIS Safeguard 4.11 + - name: sort-id + value: cisc-04.11 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.11_stmt + name: statement + prose: |- + Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed + appropriate such as lost or stolen devices, or when an individual no longer supports the + enterprise. + - id: cisc-4.12 + title: Separate Enterprise Workspaces on Mobile End-User Devices + props: + - name: label + value: CIS Safeguard 4.12 + - name: sort-id + value: cisc-04.12 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: nhttps://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-4.12_stmt + name: statement + prose: |- + Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. + Example implementations include using an Apple? Configuration Profile or Android? Work Profile + to separate enterprise applications and data from personal applications and data. + - id: cisc-5 + title: Account Management + props: + - name: label + value: CIS Control 5 + - name: sort-id + value: cisc-05 + parts: + - id: cisc-5_stmt + name: statement + prose: |- + Use processes and tools to assign and manage authorization to credentials for user accounts, + including administrator accounts, as well as service accounts, to enterprise assets and + software. + - id: cisc-5_gdn + name: guidance + prose: |- + It is easier for an external or internal threat actor to gain unauthorized access to + enterprise assets or data through using valid user credentials than through "hacking" the + environment. There are many ways to covertly obtain access to user accounts, including: weak + passwords, accounts still valid after a user leaves the enterprise, dormant or lingering test + accounts, shared accounts that have not been changed in months or years, service accounts + embedded in applications for scripts, a user having the same password as one they use for an + online account that has been compromised (in a public password dump), social engineering a user + to give their password, or using malware to capture passwords or tokens in memory or over the + network. + + Administrative, or highly privileged, accounts are a particular target, because they allow + attackers to add other accounts, or make changes to assets that could make them more vulnerable + to other attacks. Service accounts are also sensitive, as they are often shared among teams, + internal and external to the enterprise, and sometimes not known about, only to be revealed in + standard account management audits. + + Finally, account logging and monitoring is a critical component of security operations. While + account logging and monitoring are covered in CIS Control 8 (Audit Log Management), it is + important in the development of a comprehensive Identity and Access Management (IAM) + program. + controls: + - id: cisc-5.1 + title: Establish and Maintain an Inventory of Accounts + props: + - name: label + value: CIS Safeguard 5.1 + - name: sort-id + value: cisc-05.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-5.1_stmt + name: statement + prose: |- + Establish and maintain an inventory of all accounts managed in the enterprise. The inventory + must include both user and administrator accounts. The inventory, at a minimum, should contain + the person’s name, username, start/stop dates, and department. Validate that all active + accounts are authorized, on a recurring schedule at a minimum quarterly, or more + frequently. + - id: cisc-5.2 + title: Use Unique Passwords + props: + - name: label + value: CIS Safeguard 5.2 + - name: sort-id + value: cisc-05.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-5.2_stmt + name: statement + prose: |- + Use unique passwords for all enterprise assets. Best practice implementation includes, at a + minimum, an 8-character password for accounts using MFA and a 14-character password for + accounts not using MFA. + - id: cisc-5.3 + title: Disable Dormant Accounts + props: + - name: label + value: CIS Safeguard 5.3 + - name: sort-id + value: cisc-05.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-5.3_stmt + name: statement + prose: |- + Delete or disable any dormant accounts after a period of 45 days of inactivity, where + supported + - id: cisc-5.4 + title: Restrict Administrator Privileges to Dedicated Administrator Accounts + props: + - name: label + value: CIS Safeguard 5.4 + - name: sort-id + value: cisc-05.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-5.4_stmt + name: statement + prose: |- + Restrict administrator privileges to dedicated administrator accounts on enterprise assets. + Conduct general computing activities, such as internet browsing, email, and productivity suite + use, from the user’s primary, non-privileged account. + - id: cisc-5.5 + title: Establish and Maintain an Inventory of Service Accounts + props: + - name: label + value: CIS Safeguard 5.5 + - name: sort-id + value: cisc-05.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-6.6 + rel: dependency + parts: + - id: cisc-5.5_stmt + name: statement + prose: |- + Establish and maintain an inventory of service accounts. The inventory, at a minimum, must + contain department owner, review date, and purpose. Perform service account reviews to validate + that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or + more frequently. + - id: cisc-5.6 + title: Centralize Account Management + props: + - name: label + value: CIS Safeguard 5.6 + - name: sort-id + value: cisc-05.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-5.6_stmt + name: statement + prose: Centralize account management through a directory or identity service. + - id: cisc-6 + title: Access Control Management + props: + - name: label + value: CIS Control 6 + - name: sort-id + value: cisc-06 + parts: + - id: cisc-6_stmt + name: statement + prose: |- + Use processes and tools to create, assign, manage, and revoke access credentials and + privileges for user, administrator, and service accounts for enterprise assets and software. + - id: cisc-6_gdn + name: guidance + prose: |- + Where CIS Control 5 deals specifically with account management, CIS Control 6 focuses on + managing what access these accounts have, ensuring users only have access to the data or + enterprise assets appropriate for their role, and ensuring that there is strong authentication + for critical or sensitive enterprise data or functions. Accounts should only have the minimal + authorization needed for the role. Developing consistent access rights for each role and + assigning roles to users is a best practice. Developing a program for complete provision and + de-provisioning access is also important. Centralizing this function is ideal. + + There are some user activities that pose greater risk to an enterprise, either because they + are accessed from untrusted networks, or performing administrator functions that allow the + ability to add, change, or remove other accounts, or make configuration changes to operating + systems or applications to make them less secure. This also enforces the importance of using MFA + and Privileged Access Management (PAM) tools. + + Some users have access to enterprise assets or data they do not need for their role; this + might be due to an immature process that gives all users all access, or lingering access as + users change roles within the enterprise over time. Local administrator privileges to users’ + laptops is also an issue, as any malicious code installed or downloaded by the user can have + greater impact on the enterprise asset running as administrator. User, administrator, and + service account access should be based on enterprise role and need. + controls: + - id: cisc-6.1 + title: Establish an Access Granting Process + props: + - name: label + value: CIS Safeguard 6.1 + - name: sort-id + value: cisc-06.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-6.1_stmt + name: statement + prose: |- + Establish and follow a process, preferably automated, for granting access to enterprise + assets upon new hire, rights grant, or role change of a user. + - id: cisc-6.2 + title: Establish an Access Revoking Process + props: + - name: label + value: CIS Safeguard 6.2 + - name: sort-id + value: cisc-06.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-6.2_stmt + name: statement + prose: |- + Establish and follow a process, preferably automated, for revoking access to enterprise + assets, through disabling accounts immediately upon termination, rights revocation, or role + change of a user. Disabling accounts, instead of deleting accounts, may be necessary to + preserve audit trails. + - id: cisc-6.3 + title: Require MFA for Externally-Exposed Applications + props: + - name: label + value: CIS Safeguard 6.3 + - name: sort-id + value: cisc-06.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-6.3_stmt + name: statement + prose: |- + Require all externally-exposed enterprise or third-party applications to enforce MFA, where + supported. Enforcing MFA through a directory service or SSO provider is a satisfactory + implementation of this Safeguard. + - id: cisc-6.4 + title: Require MFA for Remote Network Access + props: + - name: label + value: CIS Safeguard 6.4 + - name: sort-id + value: cisc-06.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-6.4_stmt + name: statement + prose: Require MFA for remote network access. + - id: cisc-6.5 + title: Require MFA for Administrative Access + props: + - name: label + value: CIS Safeguard 6.5 + - name: sort-id + value: cisc-06.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-6.5_stmt + name: statement + prose: |- + Require MFA for all administrative access accounts, where supported, on all enterprise + assets, whether managed on-site or through a third-party provider. + - id: cisc-6.6 + title: Establish and Maintain an Inventory of Authentication and Authorization Systems + props: + - name: label + value: CIS Safeguard 6.6 + - name: sort-id + value: cisc-06.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-6.6_stmt + name: statement + prose: |- + Establish and maintain an inventory of the enterprise’s authentication and authorization + systems, including those hosted on-site or at a remote service provider. Review and update the + inventory, at a minimum, annually, or more frequently. + - id: cisc-6.7 + title: Centralize Access Control + props: + - name: label + value: CIS Safeguard 6.7 + - name: sort-id + value: cisc-06.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: users + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-6.7_stmt + name: statement + prose: |- + Centralize access control for all enterprise assets through a directory service or SSO + provider, where supported. + - id: cisc-6.8 + title: Centralize Access Control + props: + - name: label + value: CIS Safeguard 6.8 + - name: sort-id + value: cisc-06.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-5.1 + rel: dependency + parts: + - id: cisc-6.8_stmt + name: statement + prose: |- + Define and maintain role-based access control, through determining and documenting the access + rights necessary for each role within the enterprise to successfully carry out its assigned + duties. Perform access control reviews of enterprise assets to validate that all privileges are + authorized, on a recurring schedule at a minimum annually, or more frequently. + - id: cisc-7 + title: Continuous Vulnerability Management + props: + - name: label + value: CIS Control 7 + - name: sort-id + value: cisc-07 + parts: + - id: cisc-7_stmt + name: statement + prose: |- + Develop a plan to continuously assess and track vulnerabilities on all enterprise assets + within the enterprise’s infrastructure, in order to remediate, and minimize, the window of + opportunity for attackers. Monitor public and private industry sources for new threat and + vulnerability information. + - id: cisc-7_gdn + name: guidance + prose: |- + Cyber defenders are constantly being challenged from attackers who are looking for + vulnerabilities within their infrastructure to exploit and gain access. Defenders must have + timely threat information available to them about: software updates, patches, security + advisories, threat bulletins, etc., and they should regularly review their environment to + identify these vulnerabilities before the attackers do. Understanding and managing + vulnerabilities is a continuous activity, requiring focus of time, attention, and resources. + + Attackers have access to the same information and can often take advantage of vulnerabilities + more quickly than an enterprise can remediate. While there is a gap in time from a vulnerability + being known to when it is patched, defenders can prioritize which vulnerabilities are most + impactful to the enterprise, or likely to be exploited first due to ease of use. For example, + when researchers or the community report new vulnerabilities, vendors have to develop and deploy + patches, indicators of compromise (IOCs), and updates. Defenders need to assess the risk of the + new vulnerability to the enterprise, regression-test patches , and install the patch. + + There is never perfection in this process. Attackers might be using an exploit to a + vulnerability that is not known within the security community. They might have developed an + exploit to this vulnerability referred to as a "zero-day" exploit. Once the vulnerability is + known in the community, the process mentioned above starts. Therefore, defenders must keep in + mind that an exploit might already exist when the vulnerability is widely socialized. Sometimes + vulnerabilities might be known within a closed community (e.g., vendor still developing a fix) + for weeks, months, or years before it is disclosed publicly. Defenders have to be aware that + there might always be vulnerabilities they cannot remediate, and therefore need to use other + controls to mitigate. + + Enterprises that do not assess their infrastructure for vulnerabilities and proactively + address discovered flaws face a significant likelihood of having their enterprise assets + compromised. Defenders face particular challenges in scaling remediation across an entire + enterprise, and prioritizing actions with conflicting priorities, while not impacting the + enterprise’s business or mission. + controls: + - id: cisc-7.1 + title: Establish and Maintain a Vulnerability Management Process + props: + - name: label + value: CIS Safeguard 7.1 + - name: sort-id + value: cisc-07.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-7.1_stmt + name: statement + prose: |- + Establish and maintain a documented vulnerability management process for enterprise assets. + Review and update documentation annually, or when significant enterprise changes occur that + could impact this Safeguard. + - id: cisc-7.2 + title: Establish and Maintain a Remediation Process + props: + - name: label + value: CIS Safeguard 7.2 + - name: sort-id + value: cisc-07.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-7.2_stmt + name: statement + prose: |- + Establish and maintain a risk-based remediation strategy documented in a remediation process, + with monthly, or more frequent, reviews. + - id: cisc-7.3 + title: Perform Automated Operating System Patch Management + props: + - name: label + value: CIS Safeguard 7.3 + - name: sort-id + value: cisc-07.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-7.3_stmt + name: statement + prose: |- + Perform operating system updates on enterprise assets through automated patch management on a + monthly, or more frequent, basis. + - id: cisc-7.4 + title: Perform Automated Application Patch Management + props: + - name: label + value: CIS Safeguard 7.4 + - name: sort-id + value: cisc-07.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-7.4_stmt + name: statement + prose: |- + Perform application updates on enterprise assets through automated patch management on a + monthly, or more frequent, basis. + - id: cisc-7.5 + title: Perform Automated Vulnerability Scans of Internal Enterprise Assets + props: + - name: label + value: CIS Safeguard 7.5 + - name: sort-id + value: cisc-07.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-7.5_stmt + name: statement + prose: |- + Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more + frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant + vulnerability scanning tool. + - id: cisc-7.6 + title: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets + props: + - name: label + value: CIS Safeguard 7.6 + - name: sort-id + value: cisc-07.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-7.6_stmt + name: statement + prose: |- + Perform automated vulnerability scans of externally-exposed enterprise assets using a + SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, + basis. + - id: cisc-7.7 + title: Remediate Detected Vulnerabilities + props: + - name: label + value: CIS Safeguard 7.7 + - name: sort-id + value: cisc-07.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-7.7_stmt + name: statement + prose: |- + Remediate detected vulnerabilities in software through processes and tooling on a monthly, or + more frequent, basis, based on the remediation process. + - id: cisc-8 + title: Audit Log Management + props: + - name: label + value: CIS Control 8 + - name: sort-id + value: cisc-08 + parts: + - id: cisc-8_stmt + name: statement + prose: |- + Collect, alert, review, and retain audit logs of events that could help detect, understand, or + recover from an attack. + - id: cisc-8_gdn + name: guidance + prose: |- + Log collection and analysis is critical for an enterprise’s ability to detect malicious + activity quickly. Sometimes audit records are the only evidence of a successful attack. + Attackers know that many enterprises keep audit logs for compliance purposes, but rarely analyze + them. Attackers use this knowledge to hide their location, malicious software, and activities on + victim machines. Due to poor or nonexistent log analysis processes, attackers sometimes control + victim machines for months or years without anyone in the target enterprise knowing. + + There are two types of logs that are generally treated and often configured independently: + system logs and audit logs. System logs typically provide system-level events that show various + system process start/end times, crashes, etc. These are native to systems, and take less + configuration to turn on. Audit logs typically include user-level events – when a user logged + in, accessed a file, etc. – and take more planning and effort to set up. + + Logging records are also critical for incident response. After an attack has been detected, + log analysis can help enterprises understand the extent of an attack. Complete logging records + can show, for example, when and how the attack occurred, what information was accessed, and if + data was exfiltrated. Retention of logs is also critical in case a follow-up investigation is + required or if an attack remained undetected for a long period of time. + controls: + - id: cisc-8.1 + title: Establish and Maintain an Audit Log Management Process + props: + - name: label + value: CIS Safeguard 8.1 + - name: sort-id + value: cisc-08.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-8.1_stmt + name: statement + prose: |- + Establish and maintain an audit log management process that defines the enterprise’s logging + requirements. At a minimum, address the collection, review, and retention of audit logs for + enterprise assets. Review and update documentation annually, or when significant enterprise + changes occur that could impact this Safeguard. + - id: cisc-8.2 + title: Collect Audit Logs + props: + - name: label + value: CIS Safeguard 8.2 + - name: sort-id + value: cisc-08.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + - href: cisc-8.1 + rel: dependency + parts: + - id: cisc-8.2_stmt + name: statement + prose: |- + Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, + has been enabled across enterprise assets. + - id: cisc-8.3 + title: Ensure Adequate Audit Log Storage + props: + - name: label + value: CIS Safeguard 8.3 + - name: sort-id + value: cisc-08.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-8.3_stmt + name: statement + prose: |- + Ensure that logging destinations maintain adequate storage to comply with the enterprise’s + audit log management process. + - id: cisc-8.4 + title: Standardize Time Synchronization + props: + - name: label + value: CIS Safeguard 8.4 + - name: sort-id + value: cisc-08.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-8.4_stmt + name: statement + prose: |- + Standardize time synchronization. Configure at least two synchronized time sources across + enterprise assets, where supported. + - id: cisc-8.5 + title: Collect Detailed Audit Logs + props: + - name: label + value: CIS Safeguard 8.5 + - name: sort-id + value: cisc-08.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-8.5_stmt + name: statement + prose: |- + Configure detailed audit logging for enterprise assets containing sensitive data. Include + event source, date, username, timestamp, source addresses, destination addresses, and other + useful elements that could assist in a forensic investigation. + - id: cisc-8.6 + title: Collect DNS Query Audit Logs + props: + - name: label + value: CIS Safeguard 8.6 + - name: sort-id + value: cisc-08.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-8.6_stmt + name: statement + prose: "Collect DNS query audit logs on enterprise assets, where appropriate and supported." + - id: cisc-8.7 + title: Collect URL Request Audit Logs + props: + - name: label + value: CIS Safeguard 8.7 + - name: sort-id + value: cisc-08.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-8.7_stmt + name: statement + prose: "Collect URL request audit logs on enterprise assets, where appropriate and supported." + - id: cisc-8.8 + title: Collect Command-Line Audit Logs + props: + - name: label + value: CIS Safeguard 8.8 + - name: sort-id + value: cisc-08.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-8.8_stmt + name: statement + prose: |- + Collect command-line audit logs. Example implementations include collecting audit logs from + PowerShell®, BASH™, and remote administrative terminals. + - id: cisc-8.9 + title: Centralize Audit Logs + props: + - name: label + value: CIS Safeguard 8.9 + - name: sort-id + value: cisc-08.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-8.9_stmt + name: statement + prose: |- + Centralize, to the extent possible, audit log collection and retention across enterprise + assets. + - id: cisc-8.10 + title: Retain Audit Logs + props: + - name: label + value: CIS Safeguard 8.10 + - name: sort-id + value: cisc-08.10 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + - href: cisc-8.9 + rel: dependency + parts: + - id: cisc-8.10_stmt + name: statement + prose: Retain audit logs across enterprise assets for a minimum of 90 days. + - id: cisc-8.11 + title: Conduct Audit Log Reviews + props: + - name: label + value: CIS Safeguard 8.11 + - name: sort-id + value: cisc-08.11 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-8.11_stmt + name: statement + prose: |- + Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a + potential threat. Conduct reviews on a weekly, or more frequent, basis. + - id: cisc-8.12 + title: Collect Service Provider Logs + props: + - name: label + value: CIS Safeguard 8.12 + - name: sort-id + value: cisc-08.12 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + - href: cisc-15.1 + rel: dependency + parts: + - id: cisc-8.12_stmt + name: statement + prose: |- + Collect service provider logs, where supported. Example implementations include collecting + authentication and authorization events, data creation and disposal events, and user management + events. + - id: cisc-9 + title: Email and Web Browser Protections + props: + - name: label + value: CIS Control 9 + - name: sort-id + value: cisc-09 + parts: + - id: cisc-9_stmt + name: statement + prose: |- + Improve protections and detections of threats from email and web vectors, as these are + opportunities for attackers to manipulate human behavior through direct engagement. + - id: cisc-9_gdn + name: guidance + prose: |- + Web browsers and email clients are very common points of entry for attackers because of their + direct interaction with users inside an enterprise. Content can be crafted to entice or spoof + users into disclosing credentials, providing sensitive data, or providing an open channel to + allow attackers to gain access, thus increasing risk to the enterprise. Since email and web are + the main means that users interact with external and untrusted users and environments, these are + prime targets for both malicious code and social engineering. Additionally, as enterprises move + to web-based email, or mobile email access, users no longer use traditional full-featured email + clients, which provide embedded security controls like connection encryption, strong + authentication, and phishing reporting buttons. + controls: + - id: cisc-9.1 + title: Ensure Use of Only Fully Supported Browsers and Email Clients + props: + - name: label + value: CIS Safeguard 9.1 + - name: sort-id + value: cisc-09.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-9.1_stmt + name: statement + prose: |- + Ensure only fully supported browsers and email clients are allowed to execute in the + enterprise, only using the latest version of browsers and email clients provided through the + vendor. + - id: cisc-9.2 + title: Use DNS Filtering Services + props: + - name: label + value: CIS Safeguard 9.2 + - name: sort-id + value: cisc-09.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-9.2_stmt + name: statement + prose: |- + Use DNS filtering services on all enterprise assets to block access to known malicious + domains. + - id: cisc-9.3 + title: Maintain and Enforce Network-Based URL Filters + props: + - name: label + value: CIS Safeguard 9.3 + - name: sort-id + value: cisc-09.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-9.3_stmt + name: statement + prose: |- + Enforce and update network-based URL filters to limit an enterprise asset from connecting to + potentially malicious or unapproved websites. Example implementations include category-based + filtering, reputation-based filtering, or through the use of block lists. Enforce filters for + all enterprise assets. + - id: cisc-9.4 + title: Restrict Unnecessary or Unauthorized Browser and Email Client Extensions + props: + - name: label + value: CIS Safeguard 9.4 + - name: sort-id + value: cisc-09.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-9.4_stmt + name: statement + prose: |- + Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser + or email client plugins, extensions, and add-on applications. + - id: cisc-9.5 + title: Implement DMARC + props: + - name: label + value: CIS Safeguard 9.5 + - name: sort-id + value: cisc-09.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-9.5_stmt + name: statement + prose: |- + To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy + and verification, starting with implementing the Sender Policy Framework (SPF) and the + DomainKeys Identified Mail (DKIM) standards. + - id: cisc-9.6 + title: Block Unnecessary File Types + props: + - name: label + value: CIS Safeguard 9.6 + - name: sort-id + value: cisc-09.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-9.6_stmt + name: statement + prose: Block unnecessary file types attempting to enter the enterprise's email gateway. + - id: cisc-9.7 + title: Deploy and Maintain Email Server Anti-Malware Protections + props: + - name: label + value: CIS Safeguard 9.7 + - name: sort-id + value: cisc-09.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-9.7_stmt + name: statement + prose: |- + Deploy and maintain email server anti-malware protections, such as attachment scanning and/or + sandboxing. + - id: cisc-10 + title: Malware Defenses + props: + - name: label + value: CIS Control 10 + - name: sort-id + value: cisc-10 + parts: + - id: cisc-10_stmt + name: statement + prose: |- + Prevent or control the installation, spread, and execution of malicious applications, code, or + scripts on enterprise assets. + - id: cisc-10_gdn + name: guidance + prose: |- + Malicious software (sometimes categorized as viruses or Trojans) is an integral and dangerous + aspect of internet threats. They can have many purposes, from capturing credentials, stealing + data, identifying other targets within the network, and encrypting or destroying data. Malware + is ever-evolving and adaptive, as modern variants leverage machine learning techniques. + + Malware enters an enterprise through vulnerabilities within the enterprise on end-user + devices, email attachments, webpages, cloud services, mobile devices, and removable media. + Malware often relies on insecure end-user behavior, such as clicking links, opening attachments, + installing software or profiles, or inserting Universal Serial Bus (USB) flash drives. Modern + malware is designed to avoid, deceive, or disable defenses. + + Malware defenses must be able to operate in this dynamic environment through automation, + timely and rapid updating, and integration with other processes like vulnerability management + and incident response. They must be deployed at all possible entry points and enterprise assets + to detect, prevent spread, or control the execution of malicious software or code. + controls: + - id: cisc-10.1 + title: Deploy and Maintain Anti-Malware Software + props: + - name: label + value: CIS Safeguard 10.1 + - name: sort-id + value: cisc-10.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-10.1_stmt + name: statement + prose: Deploy and maintain anti-malware software on all enterprise assets. + - id: cisc-10.2 + title: Configure Automatic Anti-Malware Signature Updates + props: + - name: label + value: CIS Safeguard 10.2 + - name: sort-id + value: cisc-10.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-10.1 + rel: dependency + parts: + - id: cisc-10.2_stmt + name: statement + prose: Configure automatic updates for anti-malware signature files on all enterprise assets. + - id: cisc-10.3 + title: Disable Autorun and Autoplay for Removable Media + props: + - name: label + value: CIS Safeguard 10.3 + - name: sort-id + value: cisc-10.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-10.3_stmt + name: statement + prose: Disable autorun and autoplay auto-execute functionality for removable media. + - id: cisc-10.4 + title: Configure Automatic Anti-Malware Scanning of Removable Media + props: + - name: label + value: CIS Safeguard 10.4 + - name: sort-id + value: cisc-10.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + - href: cisc-10.1 + rel: dependency + parts: + - id: cisc-10.4_stmt + name: statement + prose: Configure anti-malware software to automatically scan removable media. + - id: cisc-10.5 + title: Enable Anti-Exploitation Features + props: + - name: label + value: CIS Safeguard 10.5 + - name: sort-id + value: cisc-10.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-10.5_stmt + name: statement + prose: |- + Enable anti-exploitation features on enterprise assets and software, where possible, such as + Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® + System Integrity Protection (SIP) and Gatekeeper™. + - id: cisc-10.6 + title: Centrally Manage Anti-Malware Software + props: + - name: label + value: CIS Safeguard 10.6 + - name: sort-id + value: cisc-10.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-10.1 + rel: dependency + parts: + - id: cisc-10.6_stmt + name: statement + prose: Centrally manage anti-malware software. + - id: cisc-10.7 + title: Use Behavior-Based Anti-Malware Software + props: + - name: label + value: CIS Safeguard 10.7 + - name: sort-id + value: cisc-10.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-10.7_stmt + name: statement + prose: Use behavior-based anti-malware software. + - id: cisc-11 + title: Data Recovery + props: + - name: label + value: CIS Control 11 + - name: sort-id + value: cisc-11 + parts: + - id: cisc-11_stmt + name: statement + prose: |- + Establish and maintain data recovery practices sufficient to restore in-scope enterprise + assets to a pre-incident and trusted state. + - id: cisc-11_gdn + name: guidance + prose: |- + In the cybersecurity triad – Confidentiality, Integrity, and Availability (CIA) – the + availability of data is, in some cases, more critical than its confidentiality. Enterprises need + many types of data to make business decisions, and when that data is not available or is + untrusted, then it could impact the enterprise. An easy example is weather information to a + transportation enterprise. + + When attackers compromise assets, they make changes to configurations, add accounts, and often + add software or scripts. These changes are not always easy to identify, as attackers might have + corrupted or replaced trusted applications with malicious versions, or the changes might appear + to be standard-looking account names. Configuration changes can include adding or changing + registry entries, opening ports, turning off security services, deleting logs, or other + malicious actions that make a system insecure. These actions do not have to be malicious; human + error can cause each of these as well. Therefore, it is important to have an ability to have + recent backups or mirrors to recover enterprise assets and data back to a known trusted + state. + + There has been an exponential rise in ransomware over the last few years. It is not a new + threat, though it has become more commercialized and organized as a reliable method for + attackers to make money. If an attacker encrypts an enterprise’s data and demands ransom for its + restoration, having a recent backup to recover to a known, trusted state can be helpful. + However, as ransomware has evolved, it has also become an extortion technique, where data is + exfiltrated before being encrypted, and the attacker asks for payment to restore the + enterprise’s data, as well as to keep it from being sold or publicized. In this case, + restoration would only solve the issue of restoring systems to a trusted state and continuing + operations. Leveraging the guidance within the CIS Controls will help reduce the risk of + ransomware through improved cyber hygiene, as attackers usually use older or basic exploits on + insecure systems. + controls: + - id: cisc-11.1 + title: Establish and Maintain a Data Recovery Process + props: + - name: label + value: CIS Safeguard 11.1 + - name: sort-id + value: cisc-11.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recovery + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-11.1_stmt + name: statement + prose: |- + Establish and maintain a data recovery process. In the process, address the scope of data + recovery activities, recovery prioritization, and the security of backup data. Review and + update documentation annually, or when significant enterprise changes occur that could impact + this Safeguard. + - id: cisc-11.2 + title: Perform Automated Backups + props: + - name: label + value: CIS Safeguard 11.2 + - name: sort-id + value: cisc-11.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recovery + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-11.2_stmt + name: statement + prose: |- + Perform automated backups of in-scope enterprise assets. Run backups weekly, or more + frequently, based on the sensitivity of the data. + - id: cisc-11.3 + title: Protect Recovery Data + props: + - name: label + value: CIS Safeguard 11.3 + - name: sort-id + value: cisc-11.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-11.3_stmt + name: statement + prose: |- + Protect recovery data with equivalent controls to the original data. Reference encryption or + data separation, based on requirements. + - id: cisc-11.4 + title: Establish and Maintain an Isolated Instance of Recovery Data + props: + - name: label + value: CIS Safeguard 11.4 + - name: sort-id + value: cisc-11.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recovery + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + parts: + - id: cisc-11.4_stmt + name: statement + prose: |- + Establish and maintain an isolated instance of recovery data. Example implementations + include, version controlling backup destinations through offline, cloud, or off-site systems or + services. + - id: cisc-11.5 + title: Test Data Recovery + props: + - name: label + value: CIS Safeguard 11.5 + - name: sort-id + value: cisc-11.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recover + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-11.5_stmt + name: statement + prose: |- + Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise + assets. + - id: cisc-12 + title: Network Infrastructure Management + props: + - name: label + value: CIS Control 12 + - name: sort-id + value: cisc-12 + parts: + - id: cisc-12_stmt + name: statement + prose: |- + Establish, implement, and actively manage (track, report, correct) network devices, in order + to prevent attackers from exploiting vulnerable network services and access points. + - id: cisc-12_gdn + name: guidance + prose: |- + Secure network infrastructure is an essential defense against attacks. This includes an + appropriate security architecture, addressing vulnerabilities that are, often times, introduced + with default settings, monitoring for changes, and reassessment of current configurations. + Network infrastructure includes devices such as physical and virtualized gateways, firewalls, + wireless access points, routers, and switches. + + Default configurations for network devices are geared for ease-of-deployment and ease-of-use – + not security. Potential default vulnerabilities include open services and ports, default + accounts and passwords (including service accounts), support for older vulnerable protocols, and + pre-installation of unneeded software. Attackers search for vulnerable default settings, gaps or + inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate + defenses. They exploit flaws in these devices to gain access to networks, redirect traffic on a + network, and intercept data while in transmission. + + Network security is a constantly changing environment that necessitates regular re-evaluation + of architecture diagrams, configurations, access controls, and allowed traffic flows. Attackers + take advantage of network device configurations becoming less secure over time as users demand + exceptions for specific business needs. Sometimes the exceptions are deployed, but not removed + when they are no longer applicable to the business’s needs. In some cases, the security risk of + an exception is neither properly analyzed nor measured against the associated business need and + can change over time. + controls: + - id: cisc-12.1 + title: Ensure Network Infrastructure is Up-to-Date + props: + - name: label + value: CIS Safeguard 12.1 + - name: sort-id + value: cisc-12.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-12.1_stmt + name: statement + prose: |- + Ensure network infrastructure is kept up-to-date. Example implementations include running the + latest stable release of software and/or using currently supported network-as-a-service (NaaS) + offerings. Review software versions monthly, or more frequently, to verify software + support. + - id: cisc-12.2 + title: Establish and Maintain a Secure Network Architecture + props: + - name: label + value: CIS Safeguard 12.2 + - name: sort-id + value: cisc-12.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-12.2_stmt + name: statement + prose: |- + Establish and maintain a secure network architecture. A secure network architecture must + address segmentation, least privilege, and availability, at a minimum. + - id: cisc-12.3 + title: Securely Manage Network Infrastructure + props: + - name: label + value: CIS Safeguard 12.3 + - name: sort-id + value: cisc-12.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.2 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-12.3_stmt + name: statement + prose: |- + Securely manage network infrastructure. Example implementations include + version-controlled-infrastructure-as-code, and the use of secure network protocols, such as SSH + and HTTPS. + - id: cisc-12.4 + title: Establish and Maintain Architecture Diagram(s) + props: + - name: label + value: CIS Safeguard 12.4 + - name: sort-id + value: cisc-12.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-12.4_stmt + name: statement + prose: |- + Establish and maintain architecture diagram(s) and/or other network system documentation. + Review and update documentation annually, or when significant enterprise changes occur that + could impact this Safeguard. + - id: cisc-12.5 + title: "Centralize Network Authentication, Authorization, and Auditing (AAA)" + props: + - name: label + value: CIS Safeguard 12.5 + - name: sort-id + value: cisc-12.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-12.5_stmt + name: statement + prose: Centralize network AAA + - id: cisc-12.6 + title: Use of Secure Network Management and Communication Protocols + props: + - name: label + value: CIS Safeguard 12.6 + - name: sort-id + value: cisc-12.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.2 + rel: dependency + - href: cisc-12.2 + rel: dependency + parts: + - id: cisc-12.6_stmt + name: statement + prose: |- + Use secure network management and communication protocols (e.g., 802.1X, Wi-Fi Protected + Access 2 (WPA2) Enterprise or greater). + - id: cisc-12.7 + title: Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure + props: + - name: label + value: CIS Safeguard 12.7 + - name: sort-id + value: cisc-12.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + - href: cisc-12.5 + rel: dependency + parts: + - id: cisc-12.7_stmt + name: statement + prose: |- + Require users to authenticate to enterprise-managed VPN and authentication services prior to + accessing enterprise resources on end-user devices. + - id: cisc-12.8 + title: Establish and Maintain Dedicated Computing Resources for All Administrative Work + props: + - name: label + value: CIS Safeguard 12.8 + - name: sort-id + value: cisc-12.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.2 + rel: dependency + parts: + - id: cisc-12.8_stmt + name: statement + prose: |- + Establish and maintain dedicated computing resources, either physically or logically + separated, for all administrative tasks or tasks requiring administrative access. The computing + resources should be segmented from the enterprise’s primary network and not be allowed internet + access. + - id: cisc-13 + title: Network Monitoring and Defense + props: + - name: label + value: CIS Control 13 + - name: sort-id + value: cisc-13 + parts: + - id: cisc-13_stmt + name: statement + prose: |- + Operate processes and tooling to establish and maintain comprehensive network monitoring and + defense against security threats across the enterprise’s network infrastructure and user + base. + - id: cisc-13_gdn + name: guidance + prose: |- + We cannot rely on network defenses to be perfect. Adversaries continue to evolve and mature, + as they share, or sell, information among their community on exploits and bypasses to security + controls. Even if security tools work "as advertised," it takes an understanding of the + enterprise risk posture to configure, tune, and log them to be effective. Often, + misconfigurations due to human error or lack of knowledge of tool capabilities give enterprises + a false sense of security. + + Security tools can only be effective if they are supporting a process of continuous monitoring + that allows staff the ability to be alerted and respond to security incidents quickly. + Enterprises that adopt a purely technology-driven approach will also experience more false + positives, due to their over-reliance on alerts from tools. Identifying and responding to these + threats requires visibility into all threat vectors of the infrastructure and leveraging humans + in the process of detection, analysis, and response. It is critical for large or heavily + targeted enterprises to have a security operations capability to prevent, detect, and quickly + respond to cyber threats before they can impact the enterprise. This process will generate + activity reports and metrics that will help enhance security policies, and support regulatory + compliance for many enterprises. + + As we have seen many times in the press, enterprises have been compromised for weeks, months, + or years before discovery. The primary benefit of having comprehensive situational awareness is + to increase the speed of detection and response. This is critical to respond quickly when + malware is discovered, credentials are stolen, or when sensitive data is compromised to reduce + impact to the enterprise. + + Through good situational awareness (i.e., security operations), enterprises will identify and + catalog Tactics, Techniques, and Procedures (TTPs) of attackers, including their IOCs that will + help the enterprise become more proactive in identifying future threats or incidents. Recovery + can be achieved faster when the response has access to complete information about the + environment and enterprise structure to develop efficient response strategies. + controls: + - id: cisc-13.1 + title: Centralize Security Event Alerting + props: + - name: label + value: CIS Safeguard 13.1 + - name: sort-id + value: cisc-13.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-13.1_stmt + name: statement + prose: |- + Centralize security event alerting across enterprise assets for log correlation and analysis. + Best practice implementation requires the use of a SIEM, which includes vendor-defined event + correlation alerts. A log analytics platform configured with security-relevant correlation + alerts also satisfies this Safeguard. + - id: cisc-13.2 + title: Deploy a Host-Based Intrusion Detection Solution + props: + - name: label + value: CIS Safeguard 13.2 + - name: sort-id + value: cisc-13.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-13.2_stmt + name: statement + prose: |- + Deploy a host-based intrusion detection solution on enterprise assets, where appropriate + and/or supported. + - id: cisc-13.3 + title: Deploy a Network Intrusion Detection Solution + props: + - name: label + value: CIS Safeguard 13.3 + - name: sort-id + value: cisc-13.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-13.3_stmt + name: statement + prose: |- + Deploy a network intrusion detection solution on enterprise assets, where appropriate. + Example implementations include the use of a Network Intrusion Detection System (NIDS) or + equivalent cloud service provider (CSP) service. + - id: cisc-13.4 + title: Perform Traffic Filtering Between Network Segments + props: + - name: label + value: CIS Safeguard 13.4 + - name: sort-id + value: cisc-13.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-13.4_stmt + name: statement + prose: "Perform traffic filtering between network segments, where appropriate." + - id: cisc-13.5 + title: Manage Access Control for Remote Assets + props: + - name: label + value: CIS Safeguard 13.5 + - name: sort-id + value: cisc-13.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.1 + rel: dependency + - href: cisc-6.6 + rel: dependency + parts: + - id: cisc-13.5_stmt + name: statement + prose: |- + Manage access control for assets remotely connecting to enterprise resources. Determine + amount of access to enterprise resources based on: up-to-date anti-malware software installed, + configuration compliance with the enterprise’s secure configuration process, and ensuring the + operating system and applications are up-to-date. + - id: cisc-13.6 + title: Collect Network Traffic Flow Logs + props: + - name: label + value: CIS Safeguard 13.6 + - name: sort-id + value: cisc-13.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-4.2 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-13.6_stmt + name: statement + prose: |- + Collect network traffic flow logs and/or network traffic to review and alert upon from + network devices. + - id: cisc-13.7 + title: Deploy a Host-Based Intrusion Prevention Solution + props: + - name: label + value: CIS Safeguard 13.7 + - name: sort-id + value: cisc-13.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-13.7_stmt + name: statement + prose: |- + Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate + and/or supported. Example implementations include use of an Endpoint Detection and Response + (EDR) client or host-based IPS agent. + - id: cisc-13.8 + title: Deploy a Network Intrusion Prevention Solutions + props: + - name: label + value: CIS Safeguard 13.8 + - name: sort-id + value: cisc-13.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-12.4 + rel: dependency + parts: + - id: cisc-13.8_stmt + name: statement + prose: |- + Deploy a network intrusion prevention solution, where appropriate. Example implementations + include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service. + - id: cisc-13.9 + title: Deploy Port-Level Access Control + props: + - name: label + value: CIS Safeguard 13.9 + - name: sort-id + value: cisc-13.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: devices + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + parts: + - id: cisc-13.9_stmt + name: statement + prose: |- + Deploy port-level access control. Port-level access control utilizes 802.1x, or similar + network access control protocols, such as certificates, and may incorporate user and/or device + authentication. + - id: cisc-13.10 + title: Perform Application Layer Filtering + props: + - name: label + value: CIS Safeguard 13.10 + - name: sort-id + value: cisc-13.10 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-1.1 + rel: dependency + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-13.10_stmt + name: statement + prose: |- + Perform application layer filtering. Example implementations include a filtering proxy, + application layer firewall, or gateway. + - id: cisc-13.11 + title: Tune Security Event Alerting Thresholds + props: + - name: label + value: CIS Safeguard 13.11 + - name: sort-id + value: cisc-13.11 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-13.1 + rel: dependency + parts: + - id: cisc-13.11_stmt + name: statement + prose: "Tune security event alerting thresholds monthly, or more frequently." + - id: cisc-14 + title: Security Awareness and Skills Training + props: + - name: label + value: CIS Control 14 + - name: sort-id + value: cisc-14 + parts: + - id: cisc-14_stmt + name: statement + prose: |- + Establish and maintain a security awareness program to influence behavior among the workforce + to be security conscious and properly skilled to reduce cybersecurity risks to the + enterprise. + - id: cisc-14_gdn + name: guidance + prose: |- + The actions of people play a critical part in the success or failure of an enterprise’s + security program. It is easier for an attacker to entice a user to click a link or open an email + attachment to install malware in order to get into an enterprise, than to find a network exploit + to do it directly. + + Users themselves, both intentionally and unintentionally, can cause incidents as a result of + mishandling sensitive data, sending an email with sensitive data to the wrong recipient, losing + a portable end-user device, using weak passwords, or using the same password they use on public + sites. + + No security program can effectively address cyber risk without a means to address this + fundamental human vulnerability. Users at every level of the enterprise have different risks. + For example: executives manage more sensitive data; system administrators have the ability to + control access to systems and applications; and users in finance, human resources, and contracts + all have access to different types of sensitive data that can make them targets. + + The training should be updated regularly. This will increase the culture of security and + discourage risky workarounds. + controls: + - id: cisc-14.1 + title: Establish and Maintain a Security Awareness Program + props: + - name: label + value: CIS Safeguard 14.1 + - name: sort-id + value: cisc-14.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.1_stmt + name: statement + prose: |- + Establish and maintain a security awareness program. The purpose of a security awareness + program is to educate the enterprise’s workforce on how to interact with enterprise assets and + data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and + update content annually, or when significant enterprise changes occur that could impact this + Safeguard. + - id: cisc-14.2 + title: Train Workforce Members to Recognize Social Engineering Attacks + props: + - name: label + value: CIS Safeguard 14.2 + - name: sort-id + value: cisc-14.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.2_stmt + name: statement + prose: |- + Train workforce members to recognize social engineering attacks, such as phishing, + pre-texting, and tailgating. + - id: cisc-14.3 + title: Train Workforce Members on Authentication Best Practices + props: + - name: label + value: CIS Safeguard 14.3 + - name: sort-id + value: cisc-14.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.3_stmt + name: statement + prose: |- + Train workforce members on authentication best practices. Example topics include MFA, + password composition, and credential management. + - id: cisc-14.4 + title: Train Workforce on Data Handling Best Practices + props: + - name: label + value: CIS Safeguard 14.4 + - name: sort-id + value: cisc-14.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.4_stmt + name: statement + prose: |- + Train workforce members on how to identify and properly store, transfer, archive, and destroy + sensitive data. This also includes training workforce members on clear screen and desk best + practices, such as locking their screen when they step away from their enterprise asset, + erasing physical and virtual whiteboards at the end of meetings, and storing data and assets + securely. + - id: cisc-14.5 + title: Train Workforce Members on Causes of Unintentional Data Exposure + props: + - name: label + value: CIS Safeguard 14.5 + - name: sort-id + value: cisc-14.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.5_stmt + name: statement + prose: |- + Train workforce members to be aware of causes for unintentional data exposure. Example topics + include mis-delivery of sensitive data, losing a portable end-user device, or publishing data + to unintended audiences. + - id: cisc-14.6 + title: Train Workforce Members on Recognizing and Reporting Security Incidents + props: + - name: label + value: CIS Safeguard 14.6 + - name: sort-id + value: cisc-14.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.6_stmt + name: statement + prose: |- + Train workforce members to be able to recognize a potential incident and be able to report + such an incident. + - id: cisc-14.7 + title: Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates + props: + - name: label + value: CIS Safeguard 14.7 + - name: sort-id + value: cisc-14.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.7_stmt + name: statement + prose: |- + Train workforce to understand how to verify and report out-of-date software patches or any + failures in automated processes and tools. Part of this training should include notifying IT + personnel of any failures in automated processes and tools. + - id: cisc-14.8 + title: Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks + props: + - name: label + value: CIS Safeguard 14.8 + - name: sort-id + value: cisc-14.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.8_stmt + name: statement + prose: |- + Train workforce members on the dangers of connecting to, and transmitting data over, insecure + networks for enterprise activities. If the enterprise has remote workers, training must include + guidance to ensure that all users securely configure their home network infrastructure. + - id: cisc-14.9 + title: Conduct Role-Specific Security Awareness and Skills Training + props: + - name: label + value: CIS Safeguard 14.9 + - name: sort-id + value: cisc-14.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-14.9_stmt + name: statement + prose: |- + Conduct role-specific security awareness and skills training. Example implementations include + secure system administration courses for IT professionals, (OWASP® Top 10 vulnerability + awareness and prevention training for web application developers, and advanced social + engineering awareness training for high-profile roles. + - id: cisc-15 + title: Service Provider Management + props: + - name: label + value: CIS Control 15 + - name: sort-id + value: cisc-15 + parts: + - id: cisc-15_stmt + name: statement + prose: |- + Develop a process to evaluate service providers who hold sensitive data, or are responsible + for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting + those platforms and data appropriately. + - id: cisc-15_gdn + name: guidance + prose: |- + In our modern, connected world, enterprises rely on vendors and partners to help manage their + data or rely on third-party infrastructure for core applications or functions. + + There have been numerous examples where third-party breaches have significantly impacted an + enterprise; for example, as early as the late 2000s, payment cards were compromised after + attackers infiltrated smaller third-party vendors in the retail industry. More recent examples + include ransomware attacks that impact an enterprise indirectly, due to one of their service + providers being locked down, causing disruption to business. Or worse, if directly connected, a + ransomware attack could encrypt data on the main enterprise. + + Most data security and privacy regulations require their protection extend to third-party + service providers, such as with Health Insurance Portability and Accountability Act (HIPAA) + Business Associate agreements in healthcare, Federal Financial Institutions Examination Council + (FFIEC) requirements for the financial industry, and the United Kingdom (U.K.) Cyber Essentials. + Third-party trust is a core Governance Risk and Compliance (GRC) function, as risks that are not + managed within the enterprise are transferred to entities outside the enterprise. + + While reviewing the security of third-parties has been a task performed for decades, there is + not a universal standard for assessing security; and, many service providers are being audited + by their customers multiple times a month, causing impacts to their own productivity. This is + because every enterprise has a different "checklist" or set of standards to grade the service + provider. There are only a few industry standards, such as in finance, with the Shared + Assessments program, or in higher education, with their Higher Education Community Vendor + Assessment Toolkit (HECVAT). Insurance companies selling cybersecurity policies also have their + own measurements. + + While an enterprise might put a lot of scrutiny into large cloud or application hosting + companies because they are hosting their email or critical business applications, smaller firms + are often a greater risk. Often times, a third-party service provider contracts with additional + parties to provide other plugins or services, such as when a third-party uses a fourth-party + platform or product to support the main enterprise. + controls: + - id: cisc-15.1 + title: Establish and Maintain an Inventory of Service Providers + props: + - name: label + value: CIS Safeguard 15.1 + - name: sort-id + value: cisc-15.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-15.1_stmt + name: statement + prose: |- + Establish and maintain an inventory of service providers. The inventory is to list all known + service providers, include classification(s), and designate an enterprise contact for each + service provider. Review and update the inventory annually, or when significant enterprise + changes occur that could impact this Safeguard. + - id: cisc-15.2 + title: Establish and Maintain a Service Provider Management Policy + props: + - name: label + value: CIS Safeguard 15.2 + - name: sort-id + value: cisc-15.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-15.2_stmt + name: statement + prose: |- + Establish and maintain a service provider management policy. Ensure the policy addresses the + classification, inventory, assessment, monitoring, and decommissioning of service providers. + Review and update the policy annually, or when significant enterprise changes occur that could + impact this Safeguard. + - id: cisc-15.3 + title: Classify Service Providers + props: + - name: label + value: CIS Safeguard 15.3 + - name: sort-id + value: cisc-15.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-15.1 + rel: dependency + - href: cisc-15.2 + rel: dependency + parts: + - id: cisc-15.3_stmt + name: statement + prose: |- + Classify service providers. Classification consideration may include one or more + characteristics, such as data sensitivity, data volume, availability requirements, applicable + regulations, inherent risk, and mitigated risk. Update and review classifications annually, or + when significant enterprise changes occur that could impact this Safeguard. + - id: cisc-15.4 + title: Ensure Service Provider Contracts Include Security Requirements + props: + - name: label + value: CIS Safeguard 15.4 + - name: sort-id + value: cisc-15.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-15.1 + rel: dependency + - href: cisc-15.2 + rel: dependency + parts: + - id: cisc-15.4_stmt + name: statement + prose: |- + Ensure service provider contracts include security requirements. Example requirements may + include minimum security program requirements, security incident and/or data breach + notification and response, data encryption requirements, and data disposal commitments. These + security requirements must be consistent with the enterprise’s service provider management + policy. Review service provider contracts annually to ensure contracts are not missing security + requirements. + - id: cisc-15.5 + title: Assess Service Providers + props: + - name: label + value: CIS Safeguard 13.5 + - name: sort-id + value: cisc-13.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-15.1 + rel: dependency + - href: cisc-15.2 + rel: dependency + parts: + - id: cisc-15.5_stmt + name: statement + prose: |- + Assess service providers consistent with the enterprise’s service provider management policy. + Assessment scope may vary based on classification(s), and may include review of standardized + assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry + (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately + rigorous processes. Reassess service providers annually, at a minimum, or with new and renewed + contracts. + - id: cisc-15.6 + title: Monitor Service Providers + props: + - name: label + value: CIS Safeguard 15.6 + - name: sort-id + value: cisc-15.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: detect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-15.1 + rel: dependency + - href: cisc-15.2 + rel: dependency + parts: + - id: cisc-15.6_stmt + name: statement + prose: |- + Monitor service providers consistent with the enterprise’s service provider management + policy. Monitoring may include periodic reassessment of service provider compliance, monitoring + service provider release notes, and dark web monitoring. + - id: cisc-15.7 + title: Securely Decommission Service Providers + props: + - name: label + value: CIS Safeguard 15.7 + - name: sort-id + value: cisc-15.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: data + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-15.1 + rel: dependency + - href: cisc-15.2 + rel: dependency + parts: + - id: cisc-15.7_stmt + name: statement + prose: |- + Securely decommission service providers. Example considerations include user and service + account deactivation, termination of data flows, and secure disposal of enterprise data within + service provider systems + - id: cisc-16 + title: Application Software Security + props: + - name: label + value: CIS Control 16 + - name: sort-id + value: cisc-16 + parts: + - id: cisc-16_stmt + name: statement + prose: |- + Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, + detect, and remediate security weaknesses before they can impact the enterprise. + - id: cisc-16_gdn + name: guidance + prose: |- + Applications provide a human-friendly interface to allow users to access and manage data in a + way that is aligned to business functions. They also minimize the need for users to deal + directly with complex (and potentially error-prone) system functions, like logging into a + database to insert or modify files. Enterprises use applications to manage their most sensitive + data and control access to system resources, and so an attacker can use the application itself + to compromise the data, instead of an elaborate network and system hacking sequence, attempting + to bypass network security controls and sensors. This is why protecting user credentials + (specifically application credentials), defined in CIS Control 6, is so important.Applications + provide a human-friendly interface to allow users to access and manage data in a way that is + aligned to business functions. They also minimize the need for users to deal directly with + complex (and potentially error-prone) system functions, like logging into a database to insert + or modify files. Enterprises use applications to manage their most sensitive data and control + access to system resources, and so an attacker can use the application itself to compromise the + data, instead of an elaborate network and system hacking sequence, attempting to bypass network + security controls and sensors. This is why protecting user credentials (specifically application + credentials), defined in CIS Control 6, is so important. + + Lacking credentials, application flaws are the attack vector of choice. However, today’s + applications are developed, operated, and maintained in a highly complex, diverse, and dynamic + environment. Applications run on multiple platforms; web, mobile, cloud, etc., with application + architectures that are more complex than legacy client-server or database-web server structures. + Development life cycles have become shorter, transitioning from months or years in long + waterfall methodologies, to DevOps cycles with frequent code updates. Also, applications are + rarely created from scratch, and are often "assembled" from a complex mix of development + frameworks, libraries, existing code, and new code. There are also modern and evolving data + protection regulations dealing with user privacy. These may require compliance to regional or + sector-specific data protection requirements. + + These factors make traditional approaches to security, like control (of processes, code + sources, run-time environment, etc.), inspection, and testing, much more challenging. Also, the + risk that an application vulnerability introduces might not be understood, except in a specific + operational setting or context. + + Application vulnerabilities can be present for many reasons; insecure design, insecure + infrastructure, coding mistakes, weak authentication, and failure to test for unusual or + unexpected conditions. Attackers can exploit specific vulnerabilities, including buffer + overflows, exposure to Structured Query Language (SQL) injection, cross-site scripting, + cross-site request forgery, and click-jacking of code to gain access to sensitive data, or take + control over vulnerable assets within the infrastructure as a launching point for further + attacks. + + Applications and websites can also be used to harvest credentials, data, or attempt to install + malware onto the users who access them. + + Finally, it is now more common to acquire Software as a Service (SaaS) platforms, where + software is developed and managed entirely through a third-party. These might be hosted anywhere + in the world. This brings challenges to enterprises who need to know what risks they are + accepting with using these platforms; and they often do not have visibility into the development + and application security practices of these platforms. Some of these SaaS platforms allow for + customizing of their interfaces and databases. Enterprises who extend these applications should + follow this CIS Control, similar to if they were doing ground-up customer development. + controls: + - id: cisc-16.1 + title: Establish and Maintain a Secure Application Development Process + props: + - name: label + value: CIS Safeguard 16.1 + - name: sort-id + value: cisc-16.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-16.1_stmt + name: statement + prose: |- + Establish and maintain a secure application development process. In the process, address such + items as: secure application design standards, secure coding practices, developer training, + vulnerability management, security of third-party code, and application security testing + procedures. Review and update documentation annually, or when significant enterprise changes + occur that could impact this Safeguard. + - id: cisc-16.2 + title: Establish and Maintain a Process to Accept and Address Software Vulnerabilities + props: + - name: label + value: CIS Safeguard 16.2 + - name: sort-id + value: cisc-16.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-16.2_stmt + name: statement + prose: |- + Establish and maintain a process to accept and address reports of software vulnerabilities, + including providing a means for external entities to report. The process is to include such + items as: a vulnerability handling policy that identifies reporting process, responsible party + for handling vulnerability reports, and a process for intake, assignment, remediation, and + remediation testing. As part of the process, use a vulnerability tracking system that includes + severity ratings, and metrics for measuring timing for identification, analysis, and + remediation of vulnerabilities. Review and update documentation annually, or when significant + enterprise changes occur that could impact this Safeguard. + + Third-party application developers need to consider this an externally-facing policy that + helps to set expectations for outside stakeholders. + - id: cisc-16.3 + title: Perform Root Cause Analysis on Security Vulnerabilities + props: + - name: label + value: CIS Safeguard 16.3 + - name: sort-id + value: cisc-16.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-16.2 + rel: dependency + parts: + - id: cisc-16.3_stmt + name: statement + prose: |- + Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root + cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, + and allows development teams to move beyond just fixing individual vulnerabilities as they + arise. + - id: cisc-16.4 + title: Establish and Manage an Inventory of Third-Party Software Components + props: + - name: label + value: CIS Safeguard 16.4 + - name: sort-id + value: cisc-16.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-16.4_stmt + name: statement + prose: |- + Establish and manage an updated inventory of third-party components used in development, + often referred to as a "bill of materials," as well as components slated for future use. This + inventory is to include any risks that each third-party component could pose. Evaluate the list + at least monthly to identify any changes or updates to these components, and validate that the + component is still supported. + - id: cisc-16.5 + title: Use Up-to-Date and Trusted Third-Party Software Components + props: + - name: label + value: CIS Safeguard 16.5 + - name: sort-id + value: cisc-16.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-16.4 + rel: dependency + parts: + - id: cisc-16.5_stmt + name: statement + prose: |- + Use up-to-date and trusted third-party software components. When possible, choose established + and proven frameworks and libraries that provide adequate security. Acquire these components + from trusted sources or evaluate the software for vulnerabilities before use. + - id: cisc-16.6 + title: Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities + props: + - name: label + value: CIS Safeguard 16.6 + - name: sort-id + value: cisc-16.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-16.2 + rel: dependency + parts: + - id: cisc-16.6_stmt + name: statement + prose: |- + Establish and maintain a severity rating system and process for application vulnerabilities + that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This + process includes setting a minimum level of security acceptability for releasing code or + applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves + risk management and helps ensure the most severe bugs are fixed first. Review and update the + system and process annually. + - id: cisc-16.7 + title: Use Standard Hardening Configuration Templates for Application Infrastructure + props: + - name: label + value: CIS Safeguard 16.7 + - name: sort-id + value: cisc-16.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-4.1 + rel: dependency + - href: cisc-4.2 + rel: dependency + parts: + - id: cisc-16.7_stmt + name: statement + prose: |- + Use standard, industry-recommended hardening configuration templates for application + infrastructure components. This includes underlying servers, databases, and web servers, and + applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. Do + not allow in-house developed software to weaken configuration hardening. + - id: cisc-16.8 + title: Separate Production and Non-Production Systems + props: + - name: label + value: CIS Safeguard 16.8 + - name: sort-id + value: cisc-16.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-16.8_stmt + name: statement + prose: |- +
+ + Maintain separate environments for production and non-production systems. + - id: cisc-16.9 + title: Train Developers in Application Security Concepts and Secure Coding + props: + - name: label + value: CIS Safeguard 16.9 + - name: sort-id + value: cisc-16.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-16.9_stmt + name: statement + prose: |- + Ensure that all software development personnel receive training in writing secure code for + their specific development environment and responsibilities. Training can include general + security principles and application security standard practices. Conduct training at least + annually and design in a way to promote security within the development team, and build a + culture of security among the developers. + - id: cisc-16.10 + title: Apply Secure Design Principles in Application Architectures + props: + - name: label + value: CIS Safeguard 16.10 + - name: sort-id + value: cisc-16.10 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-16.1 + rel: dependency + parts: + - id: cisc-16.10_stmt + name: statement + prose: |- + Apply secure design principles in application architectures. Secure design principles include + the concept of least privilege and enforcing mediation to validate every operation that the + user makes, promoting the concept of "never trust user input." Examples include ensuring that + explicit error checking is performed and documented for all input, including for size, data + type, and acceptable ranges or formats. Secure design also means minimizing the application + infrastructure attack surface, such as turning off unprotected ports and services, removing + unnecessary programs and files, and renaming or removing default accounts. + - id: cisc-16.11 + title: Leverage Vetted Modules or Services for Application Security Components + props: + - name: label + value: CIS Safeguard 16.11 + - name: sort-id + value: cisc-16.11 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-16.11_stmt + name: statement + prose: |- + Leverage vetted modules or services for application security components, such as identity + management, encryption, and auditing and logging. Using platform features in critical security + functions will reduce developers’ workload and minimize the likelihood of design or + implementation errors. Modern operating systems provide effective mechanisms for + identification, authentication, and authorization and make those mechanisms available to + applications. Use only standardized, currently accepted, and extensively reviewed encryption + algorithms. Operating systems also provide mechanisms to create and maintain secure audit + logs. + - id: cisc-16.12 + title: Implement Code-Level Security Checks + props: + - name: label + value: CIS Safeguard 16.12 + - name: sort-id + value: cisc-16.12 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-16.12_stmt + name: statement + prose: |- + Apply static and dynamic analysis tools within the application life cycle to verify that + secure coding practices are being followed. + - id: cisc-16.13 + title: Conduct Application Penetration Testing + props: + - name: label + value: CIS Safeguard 16.13 + - name: sort-id + value: cisc-16.13 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-16.13_stmt + name: statement + prose: |- + Conduct application penetration testing. For critical applications, authenticated penetration + testing is better suited to finding business logic vulnerabilities than code scanning and + automated security testing. Penetration testing relies on the skill of the tester to manually + manipulate an application as an authenticated and unauthenticated user. + - id: cisc-16.14 + title: Conduct Threat Modeling + props: + - name: label + value: CIS Safeguard 16.14 + - name: sort-id + value: cisc-16.14 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: applications + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-2.1 + rel: dependency + parts: + - id: cisc-16.14_stmt + name: statement + prose: |- + Conduct threat modeling. Threat modeling is the process of identifying and addressing + application security design flaws within a design, before code is created. It is conducted + through specially trained individuals who evaluate the application design and gauge security + risks for each entry point and access level. The goal is to map out the application, + architecture, and infrastructure in a structured way to understand its weaknesses. + - id: cisc-17 + title: Incident Response Management + props: + - name: label + value: CIS Control 17 + - name: sort-id + value: cisc-17 + parts: + - id: cisc-17_stmt + name: statement + prose: |- + Establish a program to develop and maintain an incident response capability (e.g., policies, + plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly + respond to an attack. + - id: cisc-17_gdn + name: guidance + prose: |- + A comprehensive cybersecurity program includes protections, detections, response, and recovery + capabilities. Often, the final two get overlooked in immature enterprises, or the response + technique to compromised systems is just to re-image them to original state, and move on. The + primary goal of incident response is to identify threats on the enterprise, respond to them + before they can spread, and remediate them before they can cause harm. Without understanding the + full scope of an incident, how it happened, and what can be done to prevent it from happening + again, defenders will just be in a perpetual "whack-a-mole" pattern. + + We cannot expect our protections to be effective 100% of the time. When an incident occurs, if + an enterprise does not have a documented plan – even with good people – it is almost impossible + to know the right investigative procedures, reporting, data collection, management + responsibility, legal protocols, and communications strategy that will allow the enterprise to + successfully understand, manage, and recover. + + Along with detection, containment, and eradication, communication to stakeholders is key. If + we are to reduce the probability of material impact due to a cyber event, the enterprise’s + leadership must know what potential impact there could be, so that they can help prioritize + remediation or restoration decisions that best support the enterprise. These business decisions + could be based on regulatory compliance, disclosure rules, service-level agreements with + partners or customers, revenue, or mission impacts. + + Dwell time from when an attack happens to when it is identified can be days, weeks, or months. + The longer the attacker is in the enterprise’s infrastructure, the more embedded they become and + they will develop more ways to maintain persistent access for when they are eventually + discovered. With the rise of ransomware, which is a stable moneymaker for attackers, this dwell + time is critical, especially with modern tactics of stealing data before encrypting it for + ransom. + controls: + - id: cisc-17.1 + title: Designate Personnel to Manage Incident Handling + props: + - name: label + value: CIS Safeguard 17.1 + - name: sort-id + value: cisc-17.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-17.1_stmt + name: statement + prose: |- + Designate one key person, and at least one backup, who will manage the enterprise’s incident + handling process. Management personnel are responsible for the coordination and documentation + of incident response and recovery efforts and can consist of employees internal to the + enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate + at least one person internal to the enterprise to oversee any third-party work. Review + annually, or when significant enterprise changes occur that could impact this Safeguard. + - id: cisc-17.2 + title: Establish and Maintain Contact Information for Reporting Security Incidents + props: + - name: label + value: CIS Safeguard 17.2 + - name: sort-id + value: cisc-17.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-17.2_stmt + name: statement + prose: |- + Establish and maintain contact information for parties that need to be informed of security + incidents. Contacts may include internal staff, third-party vendors, law enforcement, cyber + insurance providers, relevant government agencies, Information Sharing and Analysis Center + (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is + up-to-date. + - id: cisc-17.3 + title: Establish and Maintain an Enterprise Process for Reporting Incidents + props: + - name: label + value: CIS Safeguard 17.3 + - name: sort-id + value: cisc-17.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "1" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-17.3_stmt + name: statement + prose: |- + Establish and maintain an enterprise process for the workforce to report security incidents. + The process includes reporting timeframe, personnel to report to, mechanism for reporting, and + the minimum information to be reported. Ensure the process is publicly available to all of the + workforce. Review annually, or when significant enterprise changes occur that could impact this + Safeguard. + - id: cisc-17.4 + title: Establish and Maintain an Incident Response Process + props: + - name: label + value: CIS Safeguard 17.4 + - name: sort-id + value: cisc-17.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-17.4_stmt + name: statement + prose: |- + Establish and maintain an incident response process that addresses roles and + responsibilities, compliance requirements, and a communication plan. Review annually, or when + significant enterprise changes occur that could impact this Safeguard. + - id: cisc-17.5 + title: Assign Key Roles and Responsibilities + props: + - name: label + value: CIS Safeguard 17.5 + - name: sort-id + value: cisc-17.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-17.4 + rel: dependency + parts: + - id: cisc-17.5_stmt + name: statement + prose: |- + Assign key roles and responsibilities for incident response, including staff from legal, IT, + information security, facilities, public relations, human resources, incident responders, and + analysts, as applicable. Review annually, or when significant enterprise changes occur that + could impact this Safeguard. + - id: cisc-17.6 + title: Define Mechanisms for Communicating During Incident Response + props: + - name: label + value: CIS Safeguard 17.6 + - name: sort-id + value: cisc-17.06 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: respond + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-17.4 + rel: dependency + parts: + - id: cisc-17.6_stmt + name: statement + prose: |- + Determine which primary and secondary mechanisms will be used to communicate and report + during a security incident. Mechanisms can include phone calls, emails, or letters. Keep in + mind that certain mechanisms, such as emails, can be affected during a security incident. + Review annually, or when significant enterprise changes occur that could impact this + Safeguard. + - id: cisc-17.7 + title: Conduct Routine Incident Response Exercises + props: + - name: label + value: CIS Safeguard 17.7 + - name: sort-id + value: cisc-17.07 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recover + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-17.4 + rel: dependency + parts: + - id: cisc-17.7_stmt + name: statement + prose: |- + Plan and conduct routine incident response exercises and scenarios for key personnel involved + in the incident response process to prepare for responding to real-world incidents. Exercises + need to test communication channels, decision making, and workflows. Conduct testing on an + annual basis, at a minimum. + - id: cisc-17.8 + title: Conduct Post-Incident Reviews + props: + - name: label + value: CIS Safeguard 17.8 + - name: sort-id + value: cisc-17.08 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: recover + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-17.4 + rel: dependency + parts: + - id: cisc-17.8_stmt + name: statement + prose: |- + Conduct post-incident reviews. Post-incident reviews help prevent incident recurrence through + identifying lessons learned and follow-up action. + - id: cisc-17.9 + title: Establish and Maintain Security Incident Thresholds + props: + - name: label + value: CIS Safeguard 17.9 + - name: sort-id + value: cisc-17.09 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-17.4 + rel: dependency + parts: + - id: cisc-17.9_stmt + name: statement + prose: |- + Establish and maintain security incident thresholds, including, at a minimum, differentiating + between an incident and an event. Examples can include: abnormal activity, security + vulnerability, security weakness, data breach, privacy incident, etc. Review annually, or when + significant enterprise changes occur that could impact this Safeguard. + - id: cisc-18 + title: Penetration Testing + props: + - name: label + value: CIS Control 18 + - name: sort-id + value: cisc-18 + parts: + - id: cisc-18_stmt + name: statement + prose: |- + Test the effectiveness and resiliency of enterprise assets through identifying and exploiting + weaknesses in controls (people, processes, and technology), and simulating the objectives and + actions of an attacker. + - id: cisc-18_gdn + name: guidance + prose: |- + A successful defensive posture requires a comprehensive program of effective policies and + governance, strong technical defenses, combined with appropriate action from people. However, it + is rarely perfect. In a complex environment where technology is constantly evolving and new + attacker tradecraft appears regularly, enterprises should periodically test their controls to + identify gaps and to assess their resiliency. This test may be from external network, internal + network, application, system, or device perspective. It may include social engineering of users, + or physical access control bypasses. + + Often, penetration tests are performed for specific purposes: • As a "dramatic" demonstration + of an attack, usually to convince decision-makers of their enterprise’s weaknesses • As a means + to test the correct operation of enterprise defenses ("verification") • To test that the + enterprise has built the right defenses in the first place ("validation") + + Independent penetration testing can provide valuable and objective insights about the + existence of vulnerabilities in enterprise assets and humans, and the efficacy of defenses and + mitigating controls to protect against adverse impacts to the enterprise. They are part of a + comprehensive, ongoing program of security management and improvement. They can also reveal + process weaknesses, such as incomplete or inconsistent configuration management, or end-user + training. + + Penetration testing differs from vulnerability testing, described in CIS Control 7. + Vulnerability testing just checks for presence of known, insecure enterprise assets, and stops + there. Penetration testing goes further to exploit those weaknesses to see how far an attacker + could get, and what business process or data might be impacted through exploitation of that + vulnerability. This is an important detail, and often penetration testing and vulnerability + testing are incorrectly used interchangeably. Vulnerability testing is exclusively automated + scanning with sometimes manual validation of false positives, whereas penetration testing + requires more human involvement and analysis, sometimes supported through the use of custom + tools or scripts. However, vulnerability testing is often a starting point for a penetration + test. + + Another common term is "Red Team" exercises. These are similar to penetration tests in that + vulnerabilities are exploited; however, the difference is the focus. Red Teams simulate specific + attacker TTPs to evaluate how an enterprise’s environment would withstand an attack from a + specific adversary, or category of adversaries. + controls: + - id: cisc-18.1 + title: Establish and Maintain a Penetration Testing Program + props: + - name: label + value: CIS Safeguard 18.1 + - name: sort-id + value: cisc-18.01 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + parts: + - id: cisc-18.1_stmt + name: statement + prose: |- + Establish and maintain a penetration testing program appropriate to the size, complexity, and + maturity of the enterprise. Penetration testing program characteristics include scope, such as + network, web application, Application Programming Interface (API), hosted services, and + physical premise controls; frequency; limitations, such as acceptable hours, and excluded + attack types; point of contact information; remediation, such as how findings will be routed + internally; and retrospective requirements. + - id: cisc-18.2 + title: Perform Periodic External Penetration Tests + props: + - name: label + value: CIS Safeguard 18.2 + - name: sort-id + value: cisc-18.02 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-18.1 + rel: dependency + parts: + - id: cisc-18.2_stmt + name: statement + prose: |- + Perform periodic external penetration tests based on program requirements, no less than + annually. External penetration testing must include enterprise and environmental reconnaissance + to detect exploitable information. Penetration testing requires specialized skills and + experience and must be conducted through a qualified party. The testing may be clear box or + opaque box. + - id: cisc-18.3 + title: Remediate Penetration Test Findings + props: + - name: label + value: CIS Safeguard 18.3 + - name: sort-id + value: cisc-18.03 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "2" + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-18.2 + rel: dependency + parts: + - id: cisc-18.3_stmt + name: statement + prose: |- + Remediate penetration test findings based on the enterprise’s policy for remediation scope + and prioritization. + - id: cisc-18.4 + title: Validate Security Measures + props: + - name: label + value: CIS Safeguard 18.4 + - name: sort-id + value: cisc-18.04 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: network + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: protect + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-18.1 + rel: dependency + parts: + - id: cisc-18.4_stmt + name: statement + prose: |- + Validate security measures after each penetration test. If deemed necessary, modify rulesets + and capabilities to detect the techniques used during testing. + - id: cisc-18.5 + title: Perform Periodic Internal Penetration Tests + props: + - name: label + value: CIS Safeguard 18.5 + - name: sort-id + value: cisc-18.05 + - name: asset-type + ns: https://cisecurity.org/ns/oscal + value: N/A + - name: security-function + ns: https://cisecurity.org/ns/oscal + value: identify + - name: implementation-group + ns: https://cisecurity.org/ns/oscal + value: "3" + links: + - href: cisc-18.1 + rel: dependency + parts: + - id: cisc-18.5_stmt + name: statement + prose: |- + Perform periodic internal penetration tests based on program requirements, no less than + annually. The testing may be clear box or opaque box.