The CIS Controls are a set of cybersecurity risk-controls developed through the active collaboration of professionals from a wide variety of industries, representing the full gamut of professional responsibilities. Managed and curated by the Center for Internet Security (CIS), a non-profit organization that is best known as the organization behind the Multi-State Information Sharing and Analysis Center (MS-ISAC), the Controls provide a technology-agnostic set of practices that are informed by real-world techniques used by attackers. This “offense-informs-defense” strategy has been proven over time to provide effective defense and hardening across most organizations. Providing a prioritized set of practices that are right-sized for the information-centric risks present within commercial and government organizations allows for focused and long-term objective measurement of risk mitigation in these organizations.

The Controls are developed around “5 core tenants”

Offense Informs Defense

The Controls are selected, dropped, and prioritized based on real-world attack data and specific knowledge of attacker behavior and how to arrest it.

Focus

By avoiding “good things to do” and focusing on the most effective and critical security controls, a set of prioritized safeguards is provided that allows defenders to identify and implement the things they need to do to stop the most impactful attacks.

Feasible

Each of the prioritized safeguards contained within the Controls must be specific and practical for defenders to implement. These safeguards must be realistic for organizations to implement based on the risk exposure they have.

Measurable

Each of the Controls must be measurable. This is especially important for Safeguards hat are aligned with smaller organizations or those with less sophisticated information systems in mind.

Align

The Controls must peacefully co-exist with other Governance, Regulatory, and Process management schemes. This includes key frameworks and structures such as those provided by National Institute of Standards and Technology (NIST), National Cloud Security Alliance ( NCSA), and similar.

Specific mutual cooperation and alignment between existing independent standards and security recommendations will be maintained where applicable. This is currently demonstrated through the CIS Controls’ direct reference and alignment with the security standards and recommendations of NIST, NCSA, Software Assurance Forum for Excellence in Code (SAFECode), MITRE ATT&CK, Open Web Application Security Project (OWASP), amongst others.