What is CIS Controls v8?
CIS Controls v8 is a prioritized set of 18 cybersecurity safeguards developed by the Center for Internet Security to prevent and detect attacks.
Key takeaways
- CIS Controls v8 organizes security into 18 controls, each containing safeguards (153 total) that the average organization can implement to materially reduce attack success.
- The controls are prioritized; the first six produce the largest risk reduction per dollar of investment.
- Three Implementation Groups (IG1, IG2, IG3) match the controls to organization size and resource availability. Most mid-market manufacturers should aim for IG2.
- CIS Controls is not a compliance standard; it is the practical implementation layer underneath higher-level frameworks like NIST CSF 2.0 and ISO 27001.
- ARG references CIS Controls in audit reports because the safeguards are prescriptive enough to drive remediation without further translation.
What are the 18 CIS Controls, and how are they grouped?
CIS Controls v8 consolidated previous versions into 18 controls, organized as:
Basic Cyber Hygiene (Controls 1-6):
- Inventory and Control of Enterprise Assets. Know what you have.
- Inventory and Control of Software Assets. Know what is installed.
- Data Protection. Know your data, encrypt where needed, prevent unauthorized data movement.
- Secure Configuration of Enterprise Assets and Software. Baseline configurations, hardening.
- Account Management. Named accounts, lifecycle management, dormant account removal.
- Access Control Management. Least privilege, role-based access, MFA on remote and privileged access.
Foundational Cyber Hygiene (Controls 7-14):
- Continuous Vulnerability Management. Scan and remediate.
- Audit Log Management. Capture, retain, review logs.
- Email and Web Browser Protections. Reduce browser/email attack surface.
- Malware Defenses. Anti-malware on endpoints.
- Data Recovery. Backups, restoration testing.
- Network Infrastructure Management. Maintain and harden network gear.
- Network Monitoring and Defense. Detect anomalous behavior.
- Security Awareness and Skills Training. People as a control layer.
Organizational Cyber Hygiene (Controls 15-18):
- Service Provider Management. Third-party governance. See What is third-party risk for manufacturers?
- Application Software Security. Secure development practices for organizations that build software.
- Incident Response Management. Plan, test, learn. See What is an incident response plan (IRP)?
- Penetration Testing. Validate that controls work. See What is continuous penetration testing?
Each control contains several safeguards (the specific implementation expectations). The 18 controls together produce 153 safeguards in v8.
The prioritization matters: the first six controls cover the basic hygiene that prevents the largest share of real-world attacks. An organization that implements Controls 1-6 well but only partially implements 7-14 has a stronger security posture than one that implements all 18 superficially.
The CIS Implementation Groups (IG1, IG2, IG3)
The 153 safeguards are not all expected of every organization. CIS publishes three Implementation Groups that map safeguards to organizational profile.
IG1: Essential cyber hygiene. 56 safeguards. The baseline expected of every organization, including small businesses and organizations with limited IT resources. Designed to be implementable with off-the-shelf tools and basic IT staff. Roughly equivalent to "if you do nothing else, do these".
IG2: Manage greater complexity. Adds another 74 safeguards (total 130). For organizations with regulated data, sensitive operations, or meaningful security investment. Most mid-market manufacturers should aim for IG2.
IG3: Prevent or limit harm from sophisticated attacks. Adds the remaining safeguards (total 153). For organizations with significant attack-target value: critical infrastructure, defense suppliers, healthcare, financial services, organizations handling sensitive intellectual property. Enterprises and high-value targets implement IG3.
The implementation groups are not about size; they are about risk profile. A 100-person defense supplier handling CUI may need IG3-equivalent posture; a 400-person general manufacturer with no regulated data may sit at IG2.
For most mid-market manufacturers, the right target is IG2 with selected IG3 safeguards where the risk profile justifies them. The path is usually IG1 first (within twelve months), IG2 within twenty-four months, and IG3 selectively as customer or regulatory pressure justifies it.
Why CIS is the most practical starting point for under-resourced security teams
Three properties make CIS Controls the highest-leverage starting framework for mid-market manufacturers.
- Prescriptive. Unlike NIST CSF 2.0, which describes outcomes, CIS Controls describes specific actions. "Use multi-factor authentication for externally exposed administrative accounts" is implementable; "manage authentication" is interpretation work.
- Prioritized. The 18 controls and three implementation groups produce a clear sequence. The team can work through Controls 1-6 in IG1 before moving on. The sequence is decided; the team's job is execution, not framework design.
- Mappable to other frameworks. CIS publishes mappings to NIST CSF, NIST SP 800-53, ISO 27001 Annex A, PCI DSS, and others. The safeguards captured for CIS satisfy substantial portions of other frameworks. One unit of evidence supports multiple audits.
For a manufacturer whose security work is owned by an IT lead alongside other responsibilities, CIS Controls is the framework most likely to produce measurable improvement on a realistic timeline. NIST CSF requires more analytical work to operationalize; ISO 27001 requires more management-system overhead; CMMC is contract-driven.
The combination ARG sees working at mid-market manufacturers is CIS Controls as the practical implementation layer, NIST CSF 2.0 as the executive-facing organizing framework, and CMMC where defense work requires it.
Examples of high-impact controls most mid-market shops miss
Across engagements, ARG sees consistent under-implementation of specific safeguards. The highest-leverage ones:
- Safeguard 1.1: Establish and maintain detailed enterprise asset inventory. Most manufacturers have an incomplete asset inventory. Missing assets are unmanaged risk.
- Safeguard 5.3: Disable dormant accounts. Old employee accounts, vendor accounts, and service accounts accumulate. The dormant accounts are credential-theft targets.
- Safeguard 6.3: Require MFA for externally-exposed applications. Where MFA exists it is push-based; where it does not, externally exposed applications have none. See What is phishing-resistant MFA?
- Safeguard 6.5: Require MFA for administrative access. Often missing on internal admin interfaces and on the privileged access management system itself.
- Safeguard 7.1: Establish and maintain a vulnerability management process. Vulnerability scanning is run; remediation tracking is informal.
- Safeguard 8.5: Collect detailed audit logs. Logs are collected from some systems but not endpoints, identity, or OT.
- Safeguard 11.3: Protect recovery data. Backups exist; they are not protected from the same ransomware operator who would encrypt the production data.
- Safeguard 13.1: Centralize security event alerting. Alerts in multiple places; no single pane of glass; alerts routinely missed.
- Safeguard 17.4: Establish and maintain an incident response process. Plan exists; rehearsal has not happened.
Each of these is a single safeguard with a specific implementation. Closing them produces measurable risk reduction without redesigning the security program.
How to map existing security spend to CIS Controls
For a mid-market manufacturer with existing security spend (EDR, MFA, backup, awareness training) but no organizing framework, mapping the spend to CIS produces immediate clarity.
The process:
- List current security investments. Tools, services, processes, training. Include line items in the IT budget and any embedded security spend (e.g., the MFA entitlement inside the Microsoft 365 license).
- For each investment, identify which CIS Controls it supports. Most investments support multiple safeguards. Document the mapping.
- Identify uncovered safeguards. Where there is no current investment for a required IG2 (or target IG) safeguard, the gap is a remediation candidate.
- Identify overcovered safeguards. Where multiple investments overlap, there may be opportunity to consolidate.
- Produce a coverage map. A visual or spreadsheet that shows IG2 (or target IG) safeguard coverage against current investment.
The output is the foundation for the next year's security investment plan. New tools and processes get added to fill specific gaps; renewals get justified against the safeguards they support; investments without clear safeguard support get reviewed for value.
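The mapping steps above, as an added worked example (not ARG's tooling): a Python script that takes an investment-to-safeguard mapping and a target Implementation Group and produces the gap, overlap and review lists that feed the coverage map. The safeguard subset, its IG tags and the investment inventory are constructed sample data, stand-ins for the full v8 safeguard table and a real budget.

```python
"""Coverage map: current security investments vs. a CIS Controls v8 IG target.
Added example, not ARG's tooling. SAFEGUARDS and INVESTMENTS are a constructed
sample (a few safeguard ids with IG tags), not the full 153-safeguard list."""
from collections import defaultdict
# Safeguard id -> (title, lowest IG requiring it). IGs are cumulative.
SAFEGUARDS = {
    "1.1": ("Detailed enterprise asset inventory", 1),
    "5.3": ("Disable dormant accounts", 1),
    "6.3": ("MFA for externally-exposed applications", 1),
    "6.5": ("MFA for administrative access", 1),
    "7.1": ("Vulnerability management process", 1),
    "8.5": ("Collect detailed audit logs", 2),
    "11.3": ("Protect recovery data", 1),
    "13.1": ("Centralize security event alerting", 2),
    "17.4": ("Incident response process", 2),
    "17.9": ("Security incident thresholds", 3),
}
# Investment -> safeguards it supports; an empty list is unmapped spend.
INVESTMENTS = {
    "Microsoft 365 E3 (MFA entitlement)": ["6.3", "6.5"],
    "Managed vulnerability scanning": ["7.1"],
    "Immutable offsite backup service": ["11.3"],
    "Identity governance add-on": ["5.3", "6.5"],
    "Network appliance support renewal": [],
}

def sid_key(sid):
    """Order safeguard ids numerically (1.1, 5.3, 11.3), not as strings."""
    return tuple(int(p) for p in sid.split("."))

def coverage_map(target_ig, safeguards=SAFEGUARDS, investments=INVESTMENTS):
    """Gaps, overlaps and unmapped spend against the target Implementation Group."""
    required = {s for s, (_, ig) in safeguards.items() if ig <= target_ig}
    supporters = defaultdict(list)
    for name, sids in investments.items():
        for sid in sids:
            supporters[sid].append(name)
    covered = {s: sorted(supporters[s]) for s in required if s in supporters}
    return {
        "required": len(required),
        "covered": covered,
        "uncovered": sorted(required - set(covered), key=sid_key),  # remediation
        "overlapping": {s: n for s, n in covered.items() if len(n) > 1},  # consolidate
        "review": sorted(n for n, s in investments.items() if not (set(s) & required)),
        "coverage_pct": round(100 * len(covered) / len(required), 1),
    }

if __name__ == "__main__":
    m = coverage_map(2)
    print(f"IG2 {m['coverage_pct']}% covered; gaps {m['uncovered']}; review {m['review']}")
```

Swapping in the complete v8 safeguard table and the real investment list turns the output into the IG2 coverage map the text describes, with uncovered safeguards as remediation candidates and overlapping ones as consolidation candidates.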
Best practices for prioritizing IG1 to IG2 progression
A typical sequence for a mid-market manufacturer moving from baseline to IG2:
- Quarter 1: Asset and software inventory (Controls 1-2). Without inventory, the rest of the program cannot prioritize. Spend the first quarter establishing what the organization has.
- Quarter 2: Account management and access control (Controls 5-6). Named accounts, MFA on all remote and admin access, removal of dormant accounts, basic role-based access. The single highest-leverage cluster.
- Quarter 3: Secure configuration (Control 4) and email/web protections (Control 9). Baseline configurations, email and browser hardening. Both produce material attack-surface reduction.
- Quarter 4: Audit logging (Control 8) and data recovery (Control 11). Logs flowing to a central location, backups protected and tested. Sets up Year 2 work.
- Year 2, Quarter 1: Vulnerability management (Control 7) and malware defense (Control 10). Continuous scanning, EDR coverage, response process.
- Year 2, Quarter 2: Network monitoring (Control 13) and incident response (Control 17). Detection capability, response process, tabletop testing.
- Year 2, Quarter 3: Awareness (Control 14) and third-party (Control 15). Adaptive simulation, vendor governance.
- Year 2, Quarter 4: Validation through penetration testing (Control 18). ARG-style continuous validation produces evidence that the safeguards actually work.
The sequence is suggestive, not prescriptive. The specific order depends on existing investments and immediate risk; a manufacturer with strong endpoint protection but weak identity can compress endpoint-related controls and emphasize identity early.
CIS Controls FAQs
Is CIS Controls a compliance standard or a framework?
It is a framework with prioritized, prescriptive controls, not a compliance standard with formal certification. CIS Controls is widely used as the practical implementation layer underneath higher-level frameworks like NIST CSF and ISO 27001. The Center for Internet Security maintains the controls; there is no formal CIS certification body in the way ISO accredits 27001 certifiers.
How does CIS Controls relate to NIST CSF?
NIST CSF organizes thinking at the function and category level (six functions, 23 categories); CIS Controls provides specific implementation safeguards. Many organizations use CSF as the executive-facing framework and CIS Controls as the practical implementation layer underneath. The two frameworks map cleanly to each other; CIS publishes the mapping.
Can CIS Controls satisfy cyber insurance requirements?
Yes for most carriers. Insurance underwriters increasingly reference CIS Controls as the practical baseline they expect. Demonstrating IG1 implementation usually satisfies the baseline; IG2 implementation supports better pricing. Some carriers reference specific safeguards directly in their renewal questionnaires. See What is cyber insurance underwriting?
What is the difference between CIS Controls and CIS Benchmarks?
CIS Controls are a prioritized set of cybersecurity safeguards (the 18 controls and their underlying safeguards). CIS Benchmarks are specific configuration recommendations for individual technologies (Windows Server, Linux, AWS, Office 365, etc.). Controls tell you what to do; Benchmarks tell you how to configure a specific system to support a control.
How ARG references CIS Controls in audit reports
ARG references CIS Controls in audit reports because the safeguards are specific enough to drive remediation without translation. The reference is layered alongside NIST CSF 2.0, CMMC, and ISO 27001 mappings, so the same finding feeds multiple compliance contexts.
The audit is conducted by David Ashby, with technical-control assessment from James Wall. Each finding carries the specific CIS safeguard reference, the Implementation Group it belongs to, the current state, and the recommended remediation.
For clients targeting IG2 (the typical mid-market manufacturer target), the engagement report shows safeguard-by-safeguard coverage with traffic-light status (implemented, partial, not implemented). The output is directly actionable: the client team can pick the highest-priority gap and start work without further analysis.
For clients also subject to CMMC, NIST CSF 2.0, ISO 27001, or specific insurance underwriting requirements, the report includes the cross-reference. A single finding might be flagged against CIS Safeguard 6.3, NIST CSF subcategory PR.AA-01, 800-171 control 3.5.3, and Annex A control 5.17 simultaneously. The remediation is one thing; the evidence supports multiple frameworks.
For founding clients, the engagement output explicitly supports IG1 to IG2 progression with quarterly milestones tied to the engagement cadence. The continuous adversarial simulation layer produces ongoing evidence that the safeguards actually work, which is the substance of Control 18 (penetration testing) and the basis for credible insurance renewal evidence.
Apply as a founding client or see how the engagement works for the full delivery cycle.
Find what gets through.
ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.