MassCyberCenter

Protect Your Data

Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile, network devices, non-computing/IoT devices, and servers) and software (operating systems and applications).

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts to enterprise assets and software.

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure in order to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threats and vulnerability information.

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Establish, implement, and actively manage (track, report, correct) network devices in order to prevent attackers from exploiting vulnerable network services and access points.
 

Applicable Controls

| CIS CONTROL | CIS SAFEGUARD | ASSET TYPE | SECURITY FUNCTION | TITLE | DESCRIPTION |
|---|---|---|---|---|---|
| 3 | 3.4 | Data | Protect | Enforce Data Protection | Retain data according to the enterprise’s documented data management process. Data retention must include both minimum and maximum timelines. |
| 3 | 3.5 | Data | Protect | Securely Dispose of Data | Securely dispose of data as outlined in the enterprise’s documented data management process. Ensure the disposal process and method are commensurate with the data sensitivity. |
| 3 | 3.6 | Data | Protect | Disable Dormant Accounts | Encrypt data on end-user devices containing sensitive data. Example implementations can include Windows BitLocker®, Apple FileVault®, Linux® dm-crypt. |
| 4 | 4.1 | Network | Protect | Establish and Maintain a Secure Configuration Process | Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| 4 | 4.2 | Network | Protect | Establish and Maintain a Secure Configuration Process for Network Infrastructure | Establish and maintain a documented secure configuration process for network devices. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| 4 | 4.3 | Network | Protect | Configure Automatic Session Locking on Enterprise Assets | Configure automatic session locking on enterprise assets after a defined period of inactivity. For general-purpose operating systems, the period must not exceed 15 minutes. For mobile end-user devices, the period must not exceed 2 minutes. |
| 4 | 4.4 | Network | Protect | Implement and Manage a Firewall on Servers | Implement and manage a firewall on servers, where supported. Example implementations include a virtual firewall, an operating system firewall, or a third-party firewall agent. |
| 4 | 4.5 | Devices | Protect | Implement and Manage a Firewall on End-User Devices | Implement and manage a host-based firewall or port-filtering tool on end-user devices with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. |
| 4 | 4.6 | Network | Protect | Securely Manage Enterprise Assets and Software | Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential. |
| 4 | 4.7 | Users | Protect | Manage Default Accounts on Enterprise Assets and Software | Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable. |
| 5 | 5.2 | Users | Protect | Use Unique Passwords | Use unique passwords for all enterprise assets. Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA. |
| 5 | 5.4 | Users | Protect | Restrict Administrator Privileges to Dedicated Administrator Accounts | Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account. |
| 6 | 6.1 | Users | Protect | Establish an Access Granting Process | Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user. |
| 6 | 6.2 | Users | Protect | Establish an Access Revoking Process | Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails. |
| 6 | 6.3 | Users | Protect | Require MFA for Externally-Exposed Applications | Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard. |
| 6 | 6.4 | Users | Protect | Require MFA for Remote Network Access | Require MFA for remote network access. |
| 6 | 6.5 | Users | Protect | Require MFA for Administrative Access | Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider. |
| 7 | 7.3 | Applications | Protect | Perform Automated Operating System Patch Management | Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. |
| 7 | 7.4 | Applications | Protect | Perform Automated Application Patch Management | Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis. |
| 8 | 8.1 | Network | Protect | Establish and Maintain an Audit Log Management Process | Establish and maintain a documented audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
| 8 | 8.3 | Network | Protect | Ensure Adequate Audit Log Storage | Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process. |
| 9 | 9.1 | Applications | Protect | Ensure Use of Only Fully Supported Browsers and Email Clients | Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. |
| 9 | 9.2 | Network | Protect | Use DNS Filtering Services | Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains. |
| 10 | 10.1 | Devices | Protect | Deploy and Maintain Anti-Malware Software | Deploy and maintain anti-malware software on all enterprise assets. |
| 10 | 10.2 | Devices | Protect | Configure Automatic Anti-Malware Signature Updates | Configure automatic updates for anti-malware signature files on all enterprise assets. |
| 10 | 10.3 | Devices | Protect | Disable Autorun and Autoplay for Removable Media | Disable autorun and autoplay auto-execute functionality for removable media. |
| 11 | 11.3 | Data | Protect | Protect Recovery Data | Protect recovery data with equivalent controls to the original data. Reference encryption or data separation, based on requirements. |
| 12 | 12.1 | Network | Protect | Ensure Network Infrastructure is Up-to-Date | Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network as a service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. |
 

Policy Templates for Security Controls

Acceptable Use Policy Template for the CIS Controls
This template can assist an enterprise in developing an acceptable use policy for the CIS Controls.
Download the template

Secure Configuration Management Policy Template for CIS Controls 4, 9, and 12
This template can assist an enterprise in developing a secure configuration management policy.
Download the template

Account and Credential Management Policy Template for CIS Controls 5 and 6
This template can assist an enterprise in developing an account and credential management policy.
Download the template

Vulnerability Management Policy Template for CIS Control 7 
This template can assist an enterprise in developing a data management policy.
Download the template

Audit Log Management Policy Template for CIS Control 8 
This template can assist an enterprise in developing an audit log management policy.
Download the template

Malware Defense Policy Template for CIS Control 10
This template can assist an enterprise in developing a malware defense policy.
Download the template

Data Recovery Policy Template for CIS Control 11
This template can assist an enterprise in developing a data recovery policy.
Download template

Public and Non-profit Tools

CyberTrust Massachusetts Advisory Services
Comprehensive assessment services that review Active Directory, antivirus, internal system, and email vulnerabilities. Free for Plymouth County municipalities.

CISA Cyber Hygiene Service – Vulnerability Scanning
Free to U.S.-based federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations. Services include Vulnerability Scanning (continuous monitoring and assessment of internet-accessible network assets to assess host and vulnerability status).

CISA's Logging Made Easy (LME)
This service is a no-cost log management solution for small to medium-sized organizations with limited resources.  It provides centralized logging and proactive threat detection and delivers enhanced security by allowing organizations to monitor their network, identify users, and actively analyze Sysmon data to quickly identify potential malicious activity.

CISA Cyber Hygiene Service – Web Application Scanning
Free to U.S.-based federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations. Web Application Scanning uncovers exploitable vulnerabilities and misconfigurations. Reports are delivered on demand as well as monthly.

NSA DIB Cybersecurity Services – Protective DNS 
NSA offers no-cost cybersecurity services to any company that contracts with DoD (sub or prime) or has access to non-public DoD information. Protective DNS (PDNS) is a DNS filter which blocks users from connecting to malicious or suspicious domains. To date, NSA’s PDNS program has blocked 1 billion malicious or suspicious domains, including nation-state spearphishing, malware, botnets, and ransomware activity.

NSA DIB Cybersecurity Services - Attack Surface Management
NSA offers no-cost cybersecurity services to any company that contracts with DoD (sub or prime) or has access to non-public DoD information. Through this service, NSA takes an adversarial approach to illuminate any internet facing assets, searching for ways your network might be vulnerable. This allows customers to identify and remediate issues before they become compromises. Each customer receives a tailored, prioritized report of issues for mitigation, along with an overview of their organization’s Internet footprint.

CISA SCUBA Tool
The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments.

Nmap ("Network Mapper")
Free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

Celerium Defense Network
Celerium’s automated cyber defense solutions help fortify organizations against modern cyber threats with innovative threat detection and blocking.

  • DIB fully funded
  • Small business cost: $60 per month

CyberTrust Massachusetts SOC Services
State-subsidized 24/7 Managed Detection Response (using SentinelOne SOC) and Advisory Services rolled into one service.

© 2024 Massachusetts Technology Collaborative