{"catalog":{"uuid":"e95fb23c-57d2-495f-8ab5-2c6b3152bcee","metadata":{"links":[{"rel":"alternate","href":"#4b0e0260-8212-40de-9354-9fa6d0508865"},{"rel":"reference","href":"#ef4c23e3-3f1b-40db-958b-96bb56f26215"},{"rel":"reference","href":"#391bdf11-1551-496e-8897-85993509e130"}],"props":[{"name":"keywords","value":"control, assessment"}],"title":"CIS Controls","version":"8.1","document-ids":[{"scheme":"http://oscal.io/oscal/identifier/content-uuid","identifier":"b0783eae-6c21-411a-967a-44ec5465a41d"}],"last-modified":"2025-02-21T11:00:00Z","oscal-version":"1.1.3"},"groups":[{"id":"cisc","title":"CIS Controls","controls":[{"id":"cisc-001","links":[{"rel":"reference","href":"#876fe32d-0e4f-48b8-92f5-4eb84f5b2cd2"},{"rel":"reference","href":"#65ccc8e8-2f3e-4965-9a6d-36ee62b9bb21"},{"rel":"reference","href":"#5c3c47ab-a626-4a2e-8336-19291a3c7f16"},{"rel":"reference","href":"#4bed343f-54d1-40b1-91a9-973f746772ca"}],"parts":[{"id":"cisc-001_stmt","name":"statement","prose":"Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. 
This will also support identifying unauthorized and unmanaged assets to remove or remediate."}],"props":[{"name":"label","value":"CIS Control 1"}],"title":"Inventory and Control of Enterprise Assets","controls":[{"id":"cisc-001.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"},{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"}],"parts":[{"id":"cisc-001.001_stmt","name":"statement","prose":"Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise. 
Review and update the inventory of all enterprise assets bi-annually, or more frequently."},{"id":"cisc-001.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-001.001_stmt"}],"parts":[{"id":"cisc-001.001_obj-001","name":"assessment-objective","prose":"An accurate, detailed, and up-to-date inventory is established and maintained for all enterprise assets with the potential to store or process data."},{"id":"cisc-001.001_obj-002","name":"assessment-objective","prose":"Enterprise assets include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers.\n\nThe inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise's network infrastructure, even if they are not under control of the enterprise."},{"id":"cisc-001.001_obj-003","name":"assessment-objective","prose":"The inventory records the network address (if static), hardware address, machine name, enterprise asset owner, department for each asset, and whether the asset has been approved to connect to the network. 
For mobile end-user devices, MDM type tools can support this process, where appropriate."},{"id":"cisc-001.001_obj-004","name":"assessment-objective","prose":"The inventory is reviewed and updated for all enterprise assets bi-annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 1.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"bi-annually"}],"title":"Establish and Maintain Detailed Enterprise Asset Inventory"},{"id":"cisc-001.002","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"},{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"},{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-001.002_stmt","name":"statement","prose":"Ensure that a process exists to address unauthorized assets on a weekly basis. 
The enterprise may choose to remove the asset from the network, deny the asset from connecting remotely to the network, or quarantine the asset."},{"id":"cisc-001.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-001.002_stmt"}],"parts":[{"id":"cisc-001.002_obj-001","name":"assessment-objective","prose":"A process exists to address unauthorized assets."},{"id":"cisc-001.002_obj-002","name":"assessment-objective","prose":"The enterprise removes the asset from the network, denies the asset from connecting remotely to the network, or quarantines the asset."},{"id":"cisc-001.002_obj-003","name":"assessment-objective","prose":"Unauthorized assets are addressed on a weekly basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 1.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"weekly"}],"title":"Address Unauthorized Assets"},{"id":"cisc-001.003","links":[{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-001.003_stmt","name":"statement","prose":"Utilize an active discovery tool to identify assets connected to the enterprise's network. 
Configure the active discovery tool to execute daily, or more frequently."},{"id":"cisc-001.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-001.003_stmt"}],"parts":[{"id":"cisc-001.003_obj-001","name":"assessment-objective","prose":"An active discovery tool is used to identify assets connected to the enterprise's network."},{"id":"cisc-001.003_obj-002","name":"assessment-objective","prose":"The active discovery tool is configured to execute daily, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 1.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"daily"}],"title":"Utilize an Active Discovery Tool"},{"id":"cisc-001.004","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-001.004_stmt","name":"statement","prose":"Use DHCP logging on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory. 
Review and use logs to update the enterprise's asset inventory weekly, or more frequently."},{"id":"cisc-001.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-001.004_stmt"}],"parts":[{"id":"cisc-001.004_obj-001","name":"assessment-objective","prose":"DHCP logging is used on all DHCP servers or Internet Protocol (IP) address management tools to update the enterprise's asset inventory."},{"id":"cisc-001.004_obj-002","name":"assessment-objective","prose":"The logs are reviewed and used to update the enterprise's asset inventory weekly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 1.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"weekly"}],"title":"Use Dynamic Host Configuration Protocol (DHCP) Logging to Update Enterprise Asset Inventory"},{"id":"cisc-001.005","links":[{"rel":"required","href":"#cisc-004.002"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-001.005_stmt","name":"statement","prose":"Use a passive discovery tool to identify assets connected to the enterprise's network. 
Review and use scans to update the enterprise's asset inventory at least weekly, or more frequently."},{"id":"cisc-001.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-001.005_stmt"}],"parts":[{"id":"cisc-001.005_obj-001","name":"assessment-objective","prose":"A passive discovery tool is used to identify assets connected to the enterprise's network."},{"id":"cisc-001.005_obj-002","name":"assessment-objective","prose":"The scans are reviewed and used to update the enterprise's asset inventory at least weekly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 1.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"weekly"}],"title":"Use a Passive Asset Discovery Tool"}]},{"id":"cisc-002","links":[{"rel":"reference","href":"#876fe32d-0e4f-48b8-92f5-4eb84f5b2cd2"},{"rel":"reference","href":"#65ccc8e8-2f3e-4965-9a6d-36ee62b9bb21"},{"rel":"reference","href":"#5c3c47ab-a626-4a2e-8336-19291a3c7f16"},{"rel":"reference","href":"#4bed343f-54d1-40b1-91a9-973f746772ca"}],"parts":[{"id":"cisc-002_stmt","name":"statement","prose":"Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution."}],"props":[{"name":"label","value":"CIS Control 2"}],"title":"Inventory and Control of Software Assets","controls":[{"id":"cisc-002.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"},{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"}],"parts":[{"id":"cisc-002.001_stmt","name":"statement","prose":"Establish and 
maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses. Review and update the software inventory bi-annually, or more frequently."},{"id":"cisc-002.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.001_stmt"}],"parts":[{"id":"cisc-002.001_obj-001","name":"assessment-objective","prose":"A detailed inventory is established and maintained for all licensed software installed on enterprise assets."},{"id":"cisc-002.001_obj-002","name":"assessment-objective","prose":"The software inventory documents the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, decommission date, and number of licenses."},{"id":"cisc-002.001_obj-003","name":"assessment-objective","prose":"The software inventory is reviewed and updated bi-annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 2.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"bi-annually"}],"title":"Establish and Maintain a Software 
Inventory"},{"id":"cisc-002.002","links":[{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-002.002_stmt","name":"statement","prose":"Ensure that only currently supported software is designated as authorized in the software inventory for enterprise assets. If software is unsupported, yet necessary for the fulfillment of the enterprise's mission, document an exception detailing mitigating controls and residual risk acceptance. For any unsupported software without an exception documentation, designate as unauthorized. Review the software list to verify software support at least monthly, or more frequently."},{"id":"cisc-002.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.002_stmt"}],"parts":[{"id":"cisc-002.002_obj-001","name":"assessment-objective","prose":"Only currently supported software is designated as authorized in the software inventory for enterprise assets."},{"id":"cisc-002.002_obj-002","name":"assessment-objective","prose":"An exception is documented, detailing mitigating controls and residual risk acceptance, for software that is unsupported, yet necessary for the fulfillment of the enterprise's mission."},{"id":"cisc-002.002_obj-003","name":"assessment-objective","prose":"Unsupported software without an exception documentation is designated as unauthorized."},{"id":"cisc-002.002_obj-004","name":"assessment-objective","prose":"The software list is reviewed at least monthly, or more frequently, to verify software support."}]}],"props":[{"name":"label","value":"CIS Safeguard 
2.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Ensure Authorized Software is Currently Supported"},{"id":"cisc-002.003","links":[{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-002.003_stmt","name":"statement","prose":"Ensure that unauthorized software is either removed from use on enterprise assets or receives a documented exception. Review monthly, or more frequently."},{"id":"cisc-002.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.003_stmt"}],"parts":[{"id":"cisc-002.003_obj-001","name":"assessment-objective","prose":"Unauthorized software is either removed from use on enterprise assets or receives a documented exception."},{"id":"cisc-002.003_obj-002","name":"assessment-objective","prose":"A review for unauthorized software occurs monthly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 2.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Address Unauthorized 
Software"},{"id":"cisc-002.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.003"}],"parts":[{"id":"cisc-002.004_stmt","name":"statement","prose":"Utilize software inventory tools, when possible, throughout the enterprise to automate the discovery and documentation of installed software."},{"id":"cisc-002.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.004_stmt"}],"prose":"Software inventory tools, when possible, are used throughout the enterprise to automate the discovery and documentation of installed software."}],"props":[{"name":"label","value":"CIS Safeguard 2.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Utilize Automated Software Inventory Tools"},{"id":"cisc-002.005","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-002.003"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-002.005_stmt","name":"statement","prose":"Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. 
Reassess bi-annually, or more frequently."},{"id":"cisc-002.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.005_stmt"}],"parts":[{"id":"cisc-002.005_obj-001","name":"assessment-objective","prose":"Technical controls, such as application allowlisting, are used to ensure that only authorized software can execute or be accessed."},{"id":"cisc-002.005_obj-002","name":"assessment-objective","prose":"Authorized software is reassessed bi-annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 2.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"bi-annually"}],"title":"Allowlist Authorized Software"},{"id":"cisc-002.006","links":[{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-002.005"},{"rel":"required","href":"#cisc-004.002"}],"parts":[{"id":"cisc-002.006_stmt","name":"statement","prose":"Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process. Block unauthorized libraries from loading into a system process. 
Reassess bi-annually, or more frequently."},{"id":"cisc-002.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.006_stmt"}],"parts":[{"id":"cisc-002.006_obj-001","name":"assessment-objective","prose":"Technical controls are used to ensure that only authorized software libraries, such as specific .dll, .ocx, and .so files, are allowed to load into a system process."},{"id":"cisc-002.006_obj-002","name":"assessment-objective","prose":"Unauthorized libraries are blocked from loading into a system process."},{"id":"cisc-002.006_obj-003","name":"assessment-objective","prose":"Authorized libraries are reassessed bi-annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 2.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"bi-annually"}],"title":"Allowlist Authorized Libraries"},{"id":"cisc-002.007","links":[{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-002.007_stmt","name":"statement","prose":"Use technical controls, such as digital signatures and version control, to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute. Block unauthorized scripts from executing. 
Reassess bi-annually, or more frequently."},{"id":"cisc-002.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-002.007_stmt"}],"parts":[{"id":"cisc-002.007_obj-001","name":"assessment-objective","prose":"Technical controls, such as digital signatures and version control, are used to ensure that only authorized scripts, such as specific .ps1, and .py files are allowed to execute."},{"id":"cisc-002.007_obj-002","name":"assessment-objective","prose":"Unauthorized scripts are blocked from executing."},{"id":"cisc-002.007_obj-003","name":"assessment-objective","prose":"Authorized scripts are reassessed bi-annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 2.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"bi-annually"}],"title":"Allowlist Authorized Scripts"}]},{"id":"cisc-003","links":[{"rel":"reference","href":"#40c2fdc4-a104-44bb-bed1-7fd535937fc3"},{"rel":"reference","href":"#876fe32d-0e4f-48b8-92f5-4eb84f5b2cd2"},{"rel":"reference","href":"#65ccc8e8-2f3e-4965-9a6d-36ee62b9bb21"},{"rel":"reference","href":"#6c887586-ff8a-4f6f-ab3b-034a6e652c44"},{"rel":"reference","href":"#529b84c7-6e48-4874-93e6-99855f7ae1d6"}],"parts":[{"id":"cisc-003_stmt","name":"statement","prose":"Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data."}],"props":[{"name":"label","value":"CIS Control 3"}],"title":"Data Protection","controls":[{"id":"cisc-003.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-003.001_stmt","name":"statement","prose":"Establish and maintain a documented data management process. 
In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-003.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.001_stmt"}],"parts":[{"id":"cisc-003.001_obj-001","name":"assessment-objective","prose":"A documented data management process is established and maintained."},{"id":"cisc-003.001_obj-002","name":"assessment-objective","prose":"Data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise, are addressed within the process."},{"id":"cisc-003.001_obj-003","name":"assessment-objective","prose":"Documentation is updated and reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Data Management Process"},{"id":"cisc-003.002","links":[{"rel":"reference","href":"#68033664-1b0d-4ded-b5d2-daa770d6ca55"},{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-003.002_stmt","name":"statement","prose":"Establish and maintain a data inventory based on the enterprise's data management process. Inventory sensitive data, at a minimum. 
Review and update inventory annually, at a minimum, with a priority on sensitive data."},{"id":"cisc-003.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.002_stmt"}],"parts":[{"id":"cisc-003.002_obj-001","name":"assessment-objective","prose":"A data inventory is established and maintained, based on the enterprise's data management process."},{"id":"cisc-003.002_obj-002","name":"assessment-objective","prose":"Sensitive data is inventoried, at a minimum."},{"id":"cisc-003.002_obj-003","name":"assessment-objective","prose":"Inventory is reviewed and updated annually, at a minimum, with a priority on sensitive data."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Data Inventory"},{"id":"cisc-003.003","links":[{"rel":"required","href":"#cisc-003.002"},{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-003.003_stmt","name":"statement","prose":"Configure data access control lists based on a user's need to know. 
Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications."},{"id":"cisc-003.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.003_stmt"}],"parts":[{"id":"cisc-003.003_obj-001","name":"assessment-objective","prose":"Data access control lists are configured based on a user's need to know."},{"id":"cisc-003.003_obj-002","name":"assessment-objective","prose":"Data access control lists, also known as access permissions, are applied to local and remote file systems, databases, and applications."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Configure Data Access Control Lists"},{"id":"cisc-003.004","links":[{"rel":"required","href":"#cisc-003.001"},{"rel":"required","href":"#cisc-003.002"}],"parts":[{"id":"cisc-003.004_stmt","name":"statement","prose":"Retain data according to the enterprise's documented data management process. 
Data retention must include both minimum and maximum timelines."},{"id":"cisc-003.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.004_stmt"}],"parts":[{"id":"cisc-003.004_obj-001","name":"assessment-objective","prose":"Data is retained according to the enterprise's documented data management process."},{"id":"cisc-003.004_obj-002","name":"assessment-objective","prose":"Data retention includes both minimum and maximum timelines."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Enforce Data Retention"},{"id":"cisc-003.005","links":[{"rel":"required","href":"#cisc-003.001"},{"rel":"required","href":"#cisc-003.002"}],"parts":[{"id":"cisc-003.005_stmt","name":"statement","prose":"Securely dispose of data as outlined in the enterprise's documented data management process. 
Ensure the disposal process and method are commensurate with the data sensitivity."},{"id":"cisc-003.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.005_stmt"}],"parts":[{"id":"cisc-003.005_obj-001","name":"assessment-objective","prose":"Data is securely disposed of, as outlined in the enterprise's documented data management process."},{"id":"cisc-003.005_obj-002","name":"assessment-objective","prose":"The disposal process and method are commensurate with the data sensitivity."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Securely Dispose of Data"},{"id":"cisc-003.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-003.006_stmt","name":"statement","prose":"Encrypt data on end-user devices containing sensitive data. 
Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt."},{"id":"cisc-003.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.006_stmt"}],"prose":"Data is encrypted on end-user devices containing sensitive data."},{"id":"cisc-003.006_eg","name":"example","prose":"Example implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-crypt."}],"props":[{"name":"label","value":"CIS Safeguard 3.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Encrypt Data on End-User Devices"},{"id":"cisc-003.007","links":[{"rel":"required","href":"#cisc-003.001"},{"rel":"required","href":"#cisc-003.002"}],"parts":[{"id":"cisc-003.007_stmt","name":"statement","prose":"Establish and maintain an overall data classification scheme for the enterprise. Enterprises may use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels. 
Review and update the classification scheme annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-003.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.007_stmt"}],"parts":[{"id":"cisc-003.007_obj-001","name":"assessment-objective","prose":"An overall data classification scheme is established and maintained for the enterprise."},{"id":"cisc-003.007_obj-002","name":"assessment-objective","prose":"Enterprises use labels, such as \"Sensitive,\" \"Confidential,\" and \"Public,\" and classify their data according to those labels."},{"id":"cisc-003.007_obj-003","name":"assessment-objective","prose":"The classification scheme is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Data Classification Scheme"},{"id":"cisc-003.008","links":[{"rel":"required","href":"#cisc-003.001"},{"rel":"required","href":"#cisc-003.002"}],"parts":[{"id":"cisc-003.008_stmt","name":"statement","prose":"Document data flows. Data flow documentation includes service provider data flows and should be based on the enterprise's data management process. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-003.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.008_stmt"}],"parts":[{"id":"cisc-003.008_obj-001","name":"assessment-objective","prose":"Data flows are documented."},{"id":"cisc-003.008_obj-002","name":"assessment-objective","prose":"Data flow documentation includes service provider data flows and is based on the enterprise's data management process."},{"id":"cisc-003.008_obj-003","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Document Data Flows"},{"id":"cisc-003.009","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-003.009_stmt","name":"statement","prose":"Encrypt data on removable media."},{"id":"cisc-003.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.009_stmt"}],"prose":"Data on removable media is encrypted."}],"props":[{"name":"label","value":"CIS Safeguard 
3.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Encrypt Data on Removable Media"},{"id":"cisc-003.010","links":[{"rel":"required","href":"#cisc-003.002"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-003.010_stmt","name":"statement","prose":"Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH)."},{"id":"cisc-003.010_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.010_stmt"}],"prose":"Sensitive data in transit is encrypted."},{"id":"cisc-003.010_eg","name":"example","prose":"Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH)."}],"props":[{"name":"label","value":"CIS Safeguard 3.10"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Encrypt Sensitive Data in Transit"},{"id":"cisc-003.011","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-003.011_stmt","name":"statement","prose":"Encrypt sensitive data at rest on servers, applications, and databases. Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard. 
Additional encryption methods may include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data."},{"id":"cisc-003.011_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.011_stmt"}],"prose":"Sensitive data at rest is encrypted on servers, applications, and databases."},{"id":"cisc-003.011_gdn","name":"guidance","prose":"Storage-layer encryption, also known as server-side encryption, meets the minimum requirement of this Safeguard.\n\nAdditional encryption methods include application-layer encryption, also known as client-side encryption, where access to the data storage device(s) does not permit access to the plain-text data."}],"props":[{"name":"label","value":"CIS Safeguard 3.11"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Encrypt Sensitive Data at Rest"},{"id":"cisc-003.012","links":[{"rel":"required","href":"#cisc-003.002"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-003.012_stmt","name":"statement","prose":"Segment data processing and storage based on the sensitivity of the data. 
Do not process sensitive data on enterprise assets intended for lower sensitivity data."},{"id":"cisc-003.012_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.012_stmt"}],"parts":[{"id":"cisc-003.012_obj-001","name":"assessment-objective","prose":"Data processing and storage is segmented based on the sensitivity of the data."},{"id":"cisc-003.012_obj-002","name":"assessment-objective","prose":"Sensitive data is not processed on enterprise assets intended for lower sensitivity data."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.12"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Segment Data Processing and Storage Based on Sensitivity"},{"id":"cisc-003.013","links":[{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-003.002"}],"parts":[{"id":"cisc-003.013_stmt","name":"statement","prose":"Implement an automated tool, such as a host-based Data Loss Prevention (DLP) tool to identify all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service provider, and update the enterprise's data inventory."},{"id":"cisc-003.013_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.013_stmt"}],"parts":[{"id":"cisc-003.013_obj-001","name":"assessment-objective","prose":"An automated tool, such as a host-based Data Loss Prevention (DLP) tool, is implemented."},{"id":"cisc-003.013_obj-002","name":"assessment-objective","prose":"The data loss prevention solution identifies all sensitive data stored, processed, or transmitted through enterprise assets, including those located onsite or at a remote service 
provider."},{"id":"cisc-003.013_obj-003","name":"assessment-objective","prose":"The enterprise's data inventory is updated based on the sensitive data the tool identifies."}]}],"props":[{"name":"label","value":"CIS Safeguard 3.13"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy a Data Loss Prevention Solution"},{"id":"cisc-003.014","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-003.014_stmt","name":"statement","prose":"Log sensitive data access, including modification and disposal."},{"id":"cisc-003.014_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-003.014_stmt"}],"prose":"Sensitive data access is logged, including modification and disposal."}],"props":[{"name":"label","value":"CIS Safeguard 3.14"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Log Sensitive Data Access"}]},{"id":"cisc-004","links":[{"rel":"reference","href":"#13236c14-239f-42c9-a785-a47ba7cf1c86"},{"rel":"reference","href":"#c4ee4db6-0803-4729-9d86-b785a3414609"},{"rel":"reference","href":"#edb3da2b-8a7f-4fd2-9186-6d2953e74fe7"}],"parts":[{"id":"cisc-004_stmt","name":"statement","prose":"Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications)."}],"props":[{"name":"label","value":"CIS Control 4"}],"title":"Secure Configuration of Enterprise Assets and 
Software","controls":[{"id":"cisc-004.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"},{"rel":"reference","href":"#13236c14-239f-42c9-a785-a47ba7cf1c86"},{"rel":"reference","href":"#edb3da2b-8a7f-4fd2-9186-6d2953e74fe7"},{"rel":"reference","href":"#6d82c5b2-f01f-4f53-9371-8f016196fc04"},{"rel":"reference","href":"#d6d0d742-fa15-43bf-86e8-68f72ade2a4c"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-004.001_stmt","name":"statement","prose":"Establish and maintain a documented secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-004.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.001_stmt"}],"parts":[{"id":"cisc-004.001_obj-001","name":"assessment-objective","prose":"A documented secure configuration process is established and maintained for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications)."},{"id":"cisc-004.001_obj-002","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 
4.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Secure Configuration Process"},{"id":"cisc-004.002","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"},{"rel":"reference","href":"#13236c14-239f-42c9-a785-a47ba7cf1c86"},{"rel":"reference","href":"#edb3da2b-8a7f-4fd2-9186-6d2953e74fe7"},{"rel":"reference","href":"#6d82c5b2-f01f-4f53-9371-8f016196fc04"},{"rel":"reference","href":"#d6d0d742-fa15-43bf-86e8-68f72ade2a4c"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-004.002_stmt","name":"statement","prose":"Establish and maintain a documented secure configuration process for network devices. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-004.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.002_stmt"}],"parts":[{"id":"cisc-004.002_obj-001","name":"assessment-objective","prose":"A documented secure configuration process is established and maintained for network devices."},{"id":"cisc-004.002_obj-002","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 4.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Secure Configuration Process for Network Infrastructure"},{"id":"cisc-004.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.003_stmt","name":"statement","prose":"Configure automatic session locking on enterprise assets after a defined period of inactivity. For general purpose operating systems, the period must not exceed 15 minutes. 
For mobile end-user devices, the period must not exceed 2 minutes."},{"id":"cisc-004.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.003_stmt"}],"parts":[{"id":"cisc-004.003_obj-001","name":"assessment-objective","prose":"Automatic session locking is configured on enterprise assets after a defined period of inactivity."},{"id":"cisc-004.003_obj-002","name":"assessment-objective","prose":"For general purpose operating systems, the period does not exceed 15 minutes."},{"id":"cisc-004.003_obj-003","name":"assessment-objective","prose":"For mobile end-user devices, the period does not exceed two (2) minutes."}]}],"props":[{"name":"label","value":"CIS Safeguard 4.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Configure Automatic Session Locking on Enterprise Assets"},{"id":"cisc-004.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.004_stmt","name":"statement","prose":"Implement and manage a firewall on servers, where supported. 
Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent."},{"id":"cisc-004.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.004_stmt"}],"prose":"A firewall is implemented and managed on servers, where supported."},{"id":"cisc-004.004_eg","name":"example","prose":"Example implementations include a virtual firewall, operating system firewall, or a third-party firewall agent."}],"props":[{"name":"label","value":"CIS Safeguard 4.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Implement and Manage a Firewall on Servers"},{"id":"cisc-004.005","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.005_stmt","name":"statement","prose":"Implement and manage a host-based firewall or port-filtering tool on end-user devices, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed."},{"id":"cisc-004.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.005_stmt"}],"parts":[{"id":"cisc-004.005_obj-001","name":"assessment-objective","prose":"A host-based firewall or port-filtering tool is implemented and managed on end-user devices."},{"id":"cisc-004.005_obj-002","name":"assessment-objective","prose":"A default-deny rule is in place that drops all traffic except those services and ports that are explicitly allowed."}]}],"props":[{"name":"label","value":"CIS Safeguard 
4.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Implement and Manage a Firewall on End-User Devices"},{"id":"cisc-004.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.006_stmt","name":"statement","prose":"Securely manage enterprise assets and software. Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). 
Do not use insecure management protocols, such as Telnet (Teletype Network) and HTTP, unless operationally essential."},{"id":"cisc-004.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.006_stmt"}],"parts":[{"id":"cisc-004.006_obj-001","name":"assessment-objective","prose":"Enterprise assets and software are securely managed."},{"id":"cisc-004.006_obj-002","name":"assessment-objective","prose":"Insecure management protocols, such as Telnet (Teletype Network) and HTTP, are not used unless operationally essential."}]},{"id":"cisc-004.006_eg","name":"example","prose":"Example implementations include managing configuration through version-controlled Infrastructure-as-Code (IaC) and accessing administrative interfaces over secure network protocols, such as Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS)."}],"props":[{"name":"label","value":"CIS Safeguard 4.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Securely Manage Enterprise Assets and Software"},{"id":"cisc-004.007","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-005.002"}],"parts":[{"id":"cisc-004.007_stmt","name":"statement","prose":"Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. 
Example implementations can include: disabling default accounts or making them unusable."},{"id":"cisc-004.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.007_stmt"}],"prose":"Default accounts are managed on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts."},{"id":"cisc-004.007_eg","name":"example","prose":"Example implementations can include: disabling default accounts or making them unusable."}],"props":[{"name":"label","value":"CIS Safeguard 4.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Manage Default Accounts on Enterprise Assets and Software"},{"id":"cisc-004.008","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-004.008_stmt","name":"statement","prose":"Uninstall or disable unnecessary services on enterprise assets and software, such as an unused file sharing service, web application module, or service function."},{"id":"cisc-004.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.008_stmt"}],"prose":"Unnecessary services are uninstalled or disabled on enterprise assets and software."},{"id":"cisc-004.008_eg","name":"example","prose":"Examples include disabling or uninstalling an unused file sharing service, web application module, or service function."}],"props":[{"name":"label","value":"CIS Safeguard 
4.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Uninstall or Disable Unnecessary Services on Enterprise Assets and Software"},{"id":"cisc-004.009","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.009_stmt","name":"statement","prose":"Configure trusted DNS servers on network infrastructure. Example implementations include configuring network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers."},{"id":"cisc-004.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.009_stmt"}],"prose":"Trusted DNS servers are configured on network infrastructure."},{"id":"cisc-004.009_eg","name":"example","prose":"Example implementations include configuring network devices to use enterprise-controlled DNS servers and/or reputable externally accessible DNS servers."}],"props":[{"name":"label","value":"CIS Safeguard 4.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Configure Trusted DNS Servers on Enterprise Assets"},{"id":"cisc-004.010","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.010_stmt","name":"statement","prose":"Enforce automatic device lockout following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported. 
For laptops, do not allow more than 20 failed authentication attempts; for tablets and smartphones, no more than 10 failed authentication attempts. Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts."},{"id":"cisc-004.010_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.010_stmt"}],"parts":[{"id":"cisc-004.010_obj-001","name":"assessment-objective","prose":"Automatic device lockout is enforced following a predetermined threshold of local failed authentication attempts on portable end-user devices, where supported."},{"id":"cisc-004.010_obj-002","name":"assessment-objective","prose":"For laptops, no more than 20 failed authentication attempts are allowed."},{"id":"cisc-004.010_obj-003","name":"assessment-objective","prose":"For tablets and smartphones, no more than 10 failed authentication attempts are allowed."}]},{"id":"cisc-004.010_eg","name":"example","prose":"Example implementations include Microsoft® InTune Device Lock and Apple® Configuration Profile maxFailedAttempts."}],"props":[{"name":"label","value":"CIS Safeguard 4.10"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Enforce Automatic Device Lockout on Portable End-User Devices"},{"id":"cisc-004.011","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.011_stmt","name":"statement","prose":"Remotely wipe enterprise data from enterprise-owned portable end-user devices when deemed appropriate such as lost or stolen devices, or when an individual no longer supports the 
enterprise."},{"id":"cisc-004.011_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.011_stmt"}],"prose":"Enterprise data is wiped from enterprise-owned portable end-user devices when deemed appropriate."},{"id":"cisc-004.011_eg","name":"example","prose":"Example situations include when devices are lost or stolen, or when an individual no longer supports the enterprise."}],"props":[{"name":"label","value":"CIS Safeguard 4.11"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Enforce Remote Wipe Capability on Portable End-User Devices"},{"id":"cisc-004.012","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-004.012_stmt","name":"statement","prose":"Ensure separate enterprise workspaces are used on mobile end-user devices, where supported. 
Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data."},{"id":"cisc-004.012_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-004.012_stmt"}],"prose":"Separate enterprise workspaces are used on mobile end-user devices, where supported."},{"id":"cisc-004.012_eg","name":"example","prose":"Example implementations include using an Apple® Configuration Profile or Android™ Work Profile to separate enterprise applications and data from personal applications and data."}],"props":[{"name":"label","value":"CIS Safeguard 4.12"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Separate Enterprise Workspaces on Mobile End-User Devices"}]},{"id":"cisc-005","links":[{"rel":"reference","href":"#6f22e961-97ba-48ca-abc0-128d89f6bc4a"},{"rel":"reference","href":"#35a2658c-7625-4f4a-8419-22e416c52b84"}],"parts":[{"id":"cisc-005_stmt","name":"statement","prose":"Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software."}],"props":[{"name":"label","value":"CIS Control 5"}],"title":"Account Management","controls":[{"id":"cisc-005.001","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-005.001_stmt","name":"statement","prose":"Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must at a minimum include user, administrator, and service accounts. The inventory, at a minimum, should contain the person's name, username, start/stop dates, and department. 
Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently."},{"id":"cisc-005.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.001_stmt"}],"parts":[{"id":"cisc-005.001_obj-001","name":"assessment-objective","prose":"An inventory of all accounts managed in the enterprise is established and maintained."},{"id":"cisc-005.001_obj-002","name":"assessment-objective","prose":"The inventory includes, at a minimum, user accounts, administrator accounts, and service accounts."},{"id":"cisc-005.001_obj-003","name":"assessment-objective","prose":"The inventory, at a minimum, contains the person's name, username, start/stop dates, and department."},{"id":"cisc-005.001_obj-004","name":"assessment-objective","prose":"All active accounts are validated as authorized on a recurring schedule, at a minimum quarterly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 5.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"quarterly"}],"title":"Establish and Maintain an Inventory of Accounts"},{"id":"cisc-005.002","links":[{"rel":"reference","href":"#35a2658c-7625-4f4a-8419-22e416c52b84"}],"parts":[{"id":"cisc-005.002_stmt","name":"statement","prose":"Use unique passwords for all enterprise assets. 
Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA."},{"id":"cisc-005.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.002_stmt"}],"prose":"Unique passwords are used for all enterprise assets."},{"id":"cisc-005.002_gdn","name":"guidance","prose":"Best practice implementation includes, at a minimum, an 8-character password for accounts using Multi-Factor Authentication (MFA) and a 14-character password for accounts not using MFA."}],"props":[{"name":"label","value":"CIS Safeguard 5.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use Unique Passwords"},{"id":"cisc-005.003","links":[{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-005.003_stmt","name":"statement","prose":"Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported."},{"id":"cisc-005.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.003_stmt"}],"prose":"Dormant accounts are deleted or disabled after a period of 45 days of inactivity, where supported."}],"props":[{"name":"label","value":"CIS Safeguard 
5.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Disable Dormant Accounts"},{"id":"cisc-005.004","links":[{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-005.004_stmt","name":"statement","prose":"Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account."},{"id":"cisc-005.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.004_stmt"}],"parts":[{"id":"cisc-005.004_obj-001","name":"assessment-objective","prose":"Administrator privileges are restricted to dedicated administrator accounts on enterprise assets."},{"id":"cisc-005.004_obj-002","name":"assessment-objective","prose":"General computing activities, such as internet browsing, email, and productivity suite use, are conducted from the user's primary, non-privileged account."}]}],"props":[{"name":"label","value":"CIS Safeguard 5.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Restrict Administrator Privileges to Dedicated Administrator 
Accounts"},{"id":"cisc-005.005","links":[{"rel":"required","href":"#cisc-006.006"}],"parts":[{"id":"cisc-005.005_stmt","name":"statement","prose":"Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently."},{"id":"cisc-005.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.005_stmt"}],"parts":[{"id":"cisc-005.005_obj-001","name":"assessment-objective","prose":"An inventory of service accounts is established and maintained."},{"id":"cisc-005.005_obj-002","name":"assessment-objective","prose":"The inventory, at a minimum, contains department owner, review date, and purpose."},{"id":"cisc-005.005_obj-003","name":"assessment-objective","prose":"Service account reviews, to validate that all active accounts are authorized, are performed on a recurring schedule at a minimum, quarterly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 5.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"quarterly"}],"title":"Establish and Maintain an Inventory of Service Accounts"},{"id":"cisc-005.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-005.006_stmt","name":"statement","prose":"Centralize account management through a directory or identity 
service."},{"id":"cisc-005.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-005.006_stmt"}],"prose":"Account management is centralized through a directory or identity service."}],"props":[{"name":"label","value":"CIS Safeguard 5.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centralize Account Management"}]},{"id":"cisc-006","links":[{"rel":"reference","href":"#6f22e961-97ba-48ca-abc0-128d89f6bc4a"}],"parts":[{"id":"cisc-006_stmt","name":"statement","prose":"Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software."}],"props":[{"name":"label","value":"CIS Control 6"}],"title":"Access Control Management","controls":[{"id":"cisc-006.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-006.001_stmt","name":"statement","prose":"Establish and follow a documented process, preferably automated, for granting access to enterprise assets upon new hire or role change of a user."},{"id":"cisc-006.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.001_stmt"}],"prose":"A documented process, preferably automated, is established and followed, for granting access to enterprise assets upon new hire or role change of a user."}],"props":[{"name":"label","value":"CIS Safeguard 
6.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish an Access Granting Process"},{"id":"cisc-006.002","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-006.002_stmt","name":"statement","prose":"Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails."},{"id":"cisc-006.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.002_stmt"}],"parts":[{"id":"cisc-006.002_obj-001","name":"assessment-objective","prose":"A process, preferably automated, is established and followed for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user."},{"id":"cisc-006.002_obj-002","name":"assessment-objective","prose":"Accounts are disabled, instead of deleted, if needed, to preserve audit trails."}]}],"props":[{"name":"label","value":"CIS Safeguard 6.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish an Access Revoking 
Process"},{"id":"cisc-006.003","links":[{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-006.003_stmt","name":"statement","prose":"Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard."},{"id":"cisc-006.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.003_stmt"}],"prose":"All externally-exposed enterprise or third-party applications enforce MFA, where supported."},{"id":"cisc-006.003_eg","name":"example","prose":"Example implementation includes enforcing MFA through a directory service or SSO provider."}],"props":[{"name":"label","value":"CIS Safeguard 6.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Require MFA for Externally-Exposed Applications"},{"id":"cisc-006.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-006.004_stmt","name":"statement","prose":"Require MFA for remote network access."},{"id":"cisc-006.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.004_stmt"}],"prose":"MFA is required for remote network access."}],"props":[{"name":"label","value":"CIS Safeguard 
6.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Require MFA for Remote Network Access"},{"id":"cisc-006.005","links":[{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-006.005_stmt","name":"statement","prose":"Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider."},{"id":"cisc-006.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.005_stmt"}],"prose":"MFA is required for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a service provider."}],"props":[{"name":"label","value":"CIS Safeguard 6.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Require MFA for Administrative Access"},{"id":"cisc-006.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-006.006_stmt","name":"statement","prose":"Establish and maintain an inventory of the enterprise's authentication and authorization systems, including those hosted on-site or at a remote service provider. 
Review and update the inventory, at a minimum, annually, or more frequently."},{"id":"cisc-006.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.006_stmt"}],"parts":[{"id":"cisc-006.006_obj-001","name":"assessment-objective","prose":"An inventory of the enterprise's authentication and authorization systems is established and maintained, including those hosted on-site or at a remote service provider."},{"id":"cisc-006.006_obj-002","name":"assessment-objective","prose":"The inventory is reviewed and updated, at a minimum, annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 6.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain an Inventory of Authentication and Authorization Systems"},{"id":"cisc-006.007","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-006.007_stmt","name":"statement","prose":"Centralize access control for all enterprise assets through a directory service or SSO provider, where supported."},{"id":"cisc-006.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.007_stmt"}],"prose":"Access control is centralized for all enterprise assets through a directory service or SSO provider, where supported."}],"props":[{"name":"label","value":"CIS Safeguard 
6.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centralize Access Control"},{"id":"cisc-006.008","links":[{"rel":"required","href":"#cisc-005.001"}],"parts":[{"id":"cisc-006.008_stmt","name":"statement","prose":"Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently."},{"id":"cisc-006.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-006.008_stmt"}],"parts":[{"id":"cisc-006.008_obj-001","name":"assessment-objective","prose":"Role-based access control is defined and maintained, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties."},{"id":"cisc-006.008_obj-002","name":"assessment-objective","prose":"Access control reviews of enterprise assets are performed to validate that all privileges are authorized."},{"id":"cisc-006.008_obj-003","name":"assessment-objective","prose":"Reviews are performed on a recurring schedule, at a minimum annually, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 
6.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Define and Maintain Role-Based Access Control"}]},{"id":"cisc-007","links":[{"rel":"reference","href":"#37c4fb6d-ca59-4281-9006-51b7cdf633d8"}],"parts":[{"id":"cisc-007_stmt","name":"statement","prose":"Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise's infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information."}],"props":[{"name":"label","value":"CIS Control 7"}],"title":"Continuous Vulnerability Management","controls":[{"id":"cisc-007.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-007.001_stmt","name":"statement","prose":"Establish and maintain a documented vulnerability management process for enterprise assets. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-007.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.001_stmt"}],"parts":[{"id":"cisc-007.001_obj-001","name":"assessment-objective","prose":"A documented vulnerability management process is established and maintained for enterprise assets."},{"id":"cisc-007.001_obj-002","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 7.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Vulnerability Management Process"},{"id":"cisc-007.002","parts":[{"id":"cisc-007.002_stmt","name":"statement","prose":"Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews."},{"id":"cisc-007.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.002_stmt"}],"parts":[{"id":"cisc-007.002_obj-001","name":"assessment-objective","prose":"A risk-based remediation strategy, documented in a remediation process, is established and maintained."},{"id":"cisc-007.002_obj-002","name":"assessment-objective","prose":"Reviews occur monthly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 
7.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Establish and Maintain a Remediation Process"},{"id":"cisc-007.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-007.003_stmt","name":"statement","prose":"Perform operating system updates on enterprise assets through automated patch management on a monthly, or more frequent, basis."},{"id":"cisc-007.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.003_stmt"}],"parts":[{"id":"cisc-007.003_obj-001","name":"assessment-objective","prose":"Operating system updates are performed on enterprise assets through automated patch management."},{"id":"cisc-007.003_obj-002","name":"assessment-objective","prose":"Patching occurs on a monthly, or more frequent, basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 7.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Perform Automated Operating System Patch 
Management"},{"id":"cisc-007.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-007.004_stmt","name":"statement","prose":"Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis."},{"id":"cisc-007.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.004_stmt"}],"parts":[{"id":"cisc-007.004_obj-001","name":"assessment-objective","prose":"Application updates are performed on enterprise assets through automated patch management."},{"id":"cisc-007.004_obj-002","name":"assessment-objective","prose":"Patching occurs on a monthly, or more frequent, basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 7.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Perform Automated Application Patch Management"},{"id":"cisc-007.005","links":[{"rel":"reference","href":"#dab6ccea-c07f-4dc1-a720-0bf05a6dcc53"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-007.005_stmt","name":"statement","prose":"Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. 
Conduct both authenticated and unauthenticated scans."},{"id":"cisc-007.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.005_stmt"}],"parts":[{"id":"cisc-007.005_obj-001","name":"assessment-objective","prose":"Automated vulnerability scans of internal enterprise assets are performed."},{"id":"cisc-007.005_obj-002","name":"assessment-objective","prose":"Scans are conducted on a quarterly, or more frequent, basis."},{"id":"cisc-007.005_obj-003","name":"assessment-objective","prose":"Both authenticated and unauthenticated scans are conducted."}]}],"props":[{"name":"label","value":"CIS Safeguard 7.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"quarterly"}],"title":"Perform Automated Vulnerability Scans of Internal Enterprise Assets"},{"id":"cisc-007.006","links":[{"rel":"reference","href":"#dab6ccea-c07f-4dc1-a720-0bf05a6dcc53"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-007.006_stmt","name":"statement","prose":"Perform automated vulnerability scans of externally-exposed enterprise assets. 
Perform scans on a monthly, or more frequent, basis."},{"id":"cisc-007.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.006_stmt"}],"parts":[{"id":"cisc-007.006_obj-001","name":"assessment-objective","prose":"Automated vulnerability scans of externally-exposed enterprise assets are performed."},{"id":"cisc-007.006_obj-002","name":"assessment-objective","prose":"Scans are performed on a monthly, or more frequent, basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 7.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets"},{"id":"cisc-007.007","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-007.007_stmt","name":"statement","prose":"Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process."},{"id":"cisc-007.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-007.007_stmt"}],"parts":[{"id":"cisc-007.007_obj-001","name":"assessment-objective","prose":"Detected vulnerabilities are remediated in software through processes and tooling."},{"id":"cisc-007.007_obj-002","name":"assessment-objective","prose":"Vulnerabilities are remediated on a monthly, or more frequent basis, based on the remediation process."}]}],"props":[{"name":"label","value":"CIS Safeguard 
7.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Remediate Detected Vulnerabilities"}]},{"id":"cisc-008","parts":[{"id":"cisc-008_stmt","name":"statement","prose":"Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack."}],"props":[{"name":"label","value":"CIS Control 8"}],"title":"Audit Log Management","controls":[{"id":"cisc-008.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-008.001_stmt","name":"statement","prose":"Establish and maintain a documented audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-008.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.001_stmt"}],"parts":[{"id":"cisc-008.001_obj-001","name":"assessment-objective","prose":"A documented audit log management process is established and maintained that defines the enterprise's logging requirements."},{"id":"cisc-008.001_obj-002","name":"assessment-objective","prose":"At a minimum, the collection, review, and retention of audit logs are addressed for enterprise assets."},{"id":"cisc-008.001_obj-003","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain an Audit Log Management Process"},{"id":"cisc-008.002","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-008.001"}],"parts":[{"id":"cisc-008.002_stmt","name":"statement","prose":"Collect audit logs. 
Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets."},{"id":"cisc-008.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.002_stmt"}],"parts":[{"id":"cisc-008.002_obj-001","name":"assessment-objective","prose":"Audit logs are collected."},{"id":"cisc-008.002_obj-002","name":"assessment-objective","prose":"Logging, per the enterprise's audit log management process, has been enabled across enterprise assets."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect Audit Logs"},{"id":"cisc-008.003","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-008.003_stmt","name":"statement","prose":"Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process."},{"id":"cisc-008.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.003_stmt"}],"prose":"Logging destinations maintain adequate storage to comply with the enterprise's audit log management process."}],"props":[{"name":"label","value":"CIS Safeguard 8.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Ensure 
Adequate Audit Log Storage"},{"id":"cisc-008.004","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-008.004_stmt","name":"statement","prose":"Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported."},{"id":"cisc-008.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.004_stmt"}],"parts":[{"id":"cisc-008.004_obj-001","name":"assessment-objective","prose":"Time synchronization is standardized."},{"id":"cisc-008.004_obj-002","name":"assessment-objective","prose":"At least two synchronized time sources are configured across enterprise assets, where supported."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Standardize Time Synchronization"},{"id":"cisc-008.005","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-008.005_stmt","name":"statement","prose":"Configure detailed audit logging for enterprise assets containing sensitive data. 
Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation."},{"id":"cisc-008.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.005_stmt"}],"parts":[{"id":"cisc-008.005_obj-001","name":"assessment-objective","prose":"Detailed audit logging for enterprise assets containing sensitive data is configured."},{"id":"cisc-008.005_obj-002","name":"assessment-objective","prose":"Logs collect event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect Detailed Audit Logs"},{"id":"cisc-008.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-008.006_stmt","name":"statement","prose":"Collect DNS query audit logs on enterprise assets, where appropriate and supported."},{"id":"cisc-008.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.006_stmt"}],"prose":"DNS query audit logs are collected on enterprise assets, where appropriate and supported."}],"props":[{"name":"label","value":"CIS Safeguard 8.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect DNS 
Query Audit Logs"},{"id":"cisc-008.007","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-008.007_stmt","name":"statement","prose":"Collect URL request audit logs on enterprise assets, where appropriate and supported."},{"id":"cisc-008.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.007_stmt"}],"prose":"URL request audit logs are collected on enterprise assets, where appropriate and supported."}],"props":[{"name":"label","value":"CIS Safeguard 8.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect URL Request Audit Logs"},{"id":"cisc-008.008","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-008.008_stmt","name":"statement","prose":"Collect command-line audit logs. 
Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals."},{"id":"cisc-008.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.008_stmt"}],"prose":"Command-line audit logs are collected."},{"id":"cisc-008.008_eg","name":"example","prose":"Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals."}],"props":[{"name":"label","value":"CIS Safeguard 8.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect Command-Line Audit Logs"},{"id":"cisc-008.009","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-008.009_stmt","name":"statement","prose":"Centralize, to the extent possible, audit log collection and retention across enterprise assets in accordance with the documented audit log management process. 
Example implementations primarily include leveraging a SIEM tool to centralize multiple log sources."},{"id":"cisc-008.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.009_stmt"}],"prose":"To the extent possible, audit log collection and retention is centralized across enterprise assets in accordance with the documented audit log management process."},{"id":"cisc-008.009_eg","name":"example","prose":"Example implementations primarily include leveraging a SIEM tool to centralize multiple log sources."}],"props":[{"name":"label","value":"CIS Safeguard 8.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centralize Audit Logs"},{"id":"cisc-008.010","links":[{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-008.009"}],"parts":[{"id":"cisc-008.010_stmt","name":"statement","prose":"Retain audit logs across enterprise assets for a minimum of 90 days."},{"id":"cisc-008.010_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.010_stmt"}],"parts":[{"id":"cisc-008.010_obj-001","name":"assessment-objective","prose":"Audit logs are retained across enterprise assets."},{"id":"cisc-008.010_obj-002","name":"assessment-objective","prose":"Audit logs are retained for a minimum of 90 days."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.10"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Retain Audit 
Logs"},{"id":"cisc-008.011","parts":[{"id":"cisc-008.011_stmt","name":"statement","prose":"Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis."},{"id":"cisc-008.011_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.011_stmt"}],"parts":[{"id":"cisc-008.011_obj-001","name":"assessment-objective","prose":"Reviews of audit logs are conducted to detect anomalies or abnormal events that could indicate a potential threat."},{"id":"cisc-008.011_obj-002","name":"assessment-objective","prose":"Reviews are conducted on a weekly, or more frequent, basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 8.11"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"weekly"}],"title":"Conduct Audit Log Reviews"},{"id":"cisc-008.012","links":[{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-015.001"}],"parts":[{"id":"cisc-008.012_stmt","name":"statement","prose":"Collect service provider logs, where supported. 
Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events."},{"id":"cisc-008.012_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-008.012_stmt"}],"prose":"Service provider logs, where supported, are collected."},{"id":"cisc-008.012_eg","name":"example","prose":"Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events."}],"props":[{"name":"label","value":"CIS Safeguard 8.12"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect Service Provider Logs"}]},{"id":"cisc-009","parts":[{"id":"cisc-009_stmt","name":"statement","prose":"Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement."}],"props":[{"name":"label","value":"CIS Control 9"}],"title":"Email and Web Browser Protections","controls":[{"id":"cisc-009.001","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-009.001_stmt","name":"statement","prose":"Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor."},{"id":"cisc-009.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.001_stmt"}],"parts":[{"id":"cisc-009.001_obj-001","name":"assessment-objective","prose":"Only fully supported browsers and email clients are allowed to execute in the enterprise."},{"id":"cisc-009.001_obj-002","name":"assessment-objective","prose":"Only the latest version of browsers and email clients provided through the vendor is 
used."}]}],"props":[{"name":"label","value":"CIS Safeguard 9.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Ensure Use of Only Fully Supported Browsers and Email Clients"},{"id":"cisc-009.002","links":[{"rel":"reference","href":"#2e593067-66f2-4303-8dc4-e82089cd2bbd"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-009.002_stmt","name":"statement","prose":"Use DNS filtering services on all end-user devices, including remote and on-premises assets, to block access to known malicious domains."},{"id":"cisc-009.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.002_stmt"}],"prose":"DNS filtering services are used on all end-user devices, including remote and on-premises assets, to block access to known malicious domains."}],"props":[{"name":"label","value":"CIS Safeguard 9.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use DNS Filtering Services"},{"id":"cisc-009.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-009.003_stmt","name":"statement","prose":"Enforce and update network-based URL filters to limit an 
enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets."},{"id":"cisc-009.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.003_stmt"}],"parts":[{"id":"cisc-009.003_obj-001","name":"assessment-objective","prose":"Network-based URL filters are enforced and updated to limit an enterprise asset from connecting to potentially malicious or unapproved websites."},{"id":"cisc-009.003_obj-002","name":"assessment-objective","prose":"Filters are enforced for all enterprise assets."}]},{"id":"cisc-009.003_eg","name":"example","prose":"Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists."}],"props":[{"name":"label","value":"CIS Safeguard 9.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Maintain and Enforce Network-Based URL Filters"},{"id":"cisc-009.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-009.004_stmt","name":"statement","prose":"Restrict, either through uninstalling or disabling, any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications."},{"id":"cisc-009.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.004_stmt"}],"prose":"Any unauthorized or unnecessary browser or email client plugins, extensions, and add-on applications are restricted, either through uninstalling or disabling them."}],"props":[{"name":"label","value":"CIS 
Safeguard 9.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Restrict Unnecessary or Unauthorized Browser and Email Client Extensions"},{"id":"cisc-009.005","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-009.005_stmt","name":"statement","prose":"To lower the chance of spoofed or modified emails from valid domains, implement DMARC policy and verification, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards."},{"id":"cisc-009.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.005_stmt"}],"prose":"A DMARC policy and verification is implemented, starting with implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards."}],"props":[{"name":"label","value":"CIS Safeguard 9.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Implement DMARC"},{"id":"cisc-009.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-009.006_stmt","name":"statement","prose":"Block unnecessary file types attempting to enter the enterprise's email gateway."},{"id":"cisc-009.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.006_stmt"}],"prose":"Unnecessary file types are blocked that are attempting to enter the enterprise's email 
gateway."}],"props":[{"name":"label","value":"CIS Safeguard 9.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Block Unnecessary File Types"},{"id":"cisc-009.007","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-009.007_stmt","name":"statement","prose":"Deploy and maintain email server anti-malware protections, such as attachment scanning and/or sandboxing."},{"id":"cisc-009.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-009.007_stmt"}],"prose":"Email server anti-malware protections are deployed and maintained."},{"id":"cisc-009.007_eg","name":"example","prose":"Example implementations include attachment scanning and/or sandboxing."}],"props":[{"name":"label","value":"CIS Safeguard 9.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy and Maintain Email Server Anti-Malware Protections"}]},{"id":"cisc-010","links":[{"rel":"reference","href":"#fe691ea4-33b8-401c-b544-7e93bb790fe5"}],"parts":[{"id":"cisc-010_stmt","name":"statement","prose":"Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets."}],"props":[{"name":"label","value":"CIS Control 10"}],"title":"Malware 
Defenses","controls":[{"id":"cisc-010.001","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-010.001_stmt","name":"statement","prose":"Deploy and maintain anti-malware software on all enterprise assets."},{"id":"cisc-010.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.001_stmt"}],"prose":"Anti-malware software is deployed and maintained on all enterprise assets."}],"props":[{"name":"label","value":"CIS Safeguard 10.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy and Maintain Anti-Malware Software"},{"id":"cisc-010.002","links":[{"rel":"required","href":"#cisc-010.001"}],"parts":[{"id":"cisc-010.002_stmt","name":"statement","prose":"Configure automatic updates for anti-malware signature files on all enterprise assets."},{"id":"cisc-010.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.002_stmt"}],"prose":"Automatic updates are configured for anti-malware signature files on all enterprise assets."}],"props":[{"name":"label","value":"CIS Safeguard 10.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Configure Automatic Anti-Malware 
Signature Updates"},{"id":"cisc-010.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-010.003_stmt","name":"statement","prose":"Disable autorun and autoplay auto-execute functionality for removable media."},{"id":"cisc-010.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.003_stmt"}],"prose":"Autorun and autoplay, an auto-execute functionality, is disabled for removable media."}],"props":[{"name":"label","value":"CIS Safeguard 10.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Disable Autorun and Autoplay for Removable Media"},{"id":"cisc-010.004","links":[{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-010.001"}],"parts":[{"id":"cisc-010.004_stmt","name":"statement","prose":"Configure anti-malware software to automatically scan removable media."},{"id":"cisc-010.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.004_stmt"}],"prose":"Anti-malware software is configured to automatically scan removable media."}],"props":[{"name":"label","value":"CIS Safeguard 10.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Configure Automatic Anti-Malware Scanning of Removable 
Media"},{"id":"cisc-010.005","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-010.005_stmt","name":"statement","prose":"Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™."},{"id":"cisc-010.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.005_stmt"}],"prose":"Anti-exploitation features are enabled on enterprise assets and software, where possible."},{"id":"cisc-010.005_eg","name":"example","prose":"Example implementations include Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™."}],"props":[{"name":"label","value":"CIS Safeguard 10.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Enable Anti-Exploitation Features"},{"id":"cisc-010.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-010.001"}],"parts":[{"id":"cisc-010.006_stmt","name":"statement","prose":"Centrally manage anti-malware software."},{"id":"cisc-010.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.006_stmt"}],"prose":"Anti-malware software is centrally managed."}],"props":[{"name":"label","value":"CIS Safeguard 
10.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centrally Manage Anti-Malware Software"},{"id":"cisc-010.007","links":[{"rel":"reference","href":"#d36b6d4f-27d1-4216-b0c5-6bb87e3cacc8"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-010.007_stmt","name":"statement","prose":"Use behavior-based anti-malware software."},{"id":"cisc-010.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-010.007_stmt"}],"prose":"Behavior-based anti-malware software is used."}],"props":[{"name":"label","value":"CIS Safeguard 10.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use Behavior-Based Anti-Malware Software"}]},{"id":"cisc-011","parts":[{"id":"cisc-011_stmt","name":"statement","prose":"Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state."}],"props":[{"name":"label","value":"CIS Control 11"}],"title":"Data Recovery","controls":[{"id":"cisc-011.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-011.001_stmt","name":"statement","prose":"Establish and maintain a documented data recovery process that includes detailed backup procedures. 
In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-011.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-011.001_stmt"}],"parts":[{"id":"cisc-011.001_obj-001","name":"assessment-objective","prose":"A documented data recovery process that includes detailed backup procedures is established and maintained."},{"id":"cisc-011.001_obj-002","name":"assessment-objective","prose":"The process addresses the scope of data recovery activities, recovery prioritization, and the security of backup data."},{"id":"cisc-011.001_obj-003","name":"assessment-objective","prose":"The documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 11.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Data Recovery Process"},{"id":"cisc-011.002","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-011.002_stmt","name":"statement","prose":"Perform automated backups of in-scope enterprise assets. 
Run backups weekly, or more frequently, based on the sensitivity of the data."},{"id":"cisc-011.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-011.002_stmt"}],"parts":[{"id":"cisc-011.002_obj-001","name":"assessment-objective","prose":"Automated backups are performed on in-scope enterprise assets."},{"id":"cisc-011.002_obj-002","name":"assessment-objective","prose":"Backups are run weekly, or more frequently, based on the sensitivity of the data."}]}],"props":[{"name":"label","value":"CIS Safeguard 11.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"weekly"}],"title":"Perform Automated Backups"},{"id":"cisc-011.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-011.003_stmt","name":"statement","prose":"Protect recovery data with equivalent controls to the original data. 
Reference encryption or data separation, based on requirements."},{"id":"cisc-011.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-011.003_stmt"}],"parts":[{"id":"cisc-011.003_obj-001","name":"assessment-objective","prose":"Recovery data is protected with equivalent controls to the original data."},{"id":"cisc-011.003_obj-002","name":"assessment-objective","prose":"Encryption or data separation is used, based on requirements."}]}],"props":[{"name":"label","value":"CIS Safeguard 11.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Protect Recovery Data"},{"id":"cisc-011.004","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"}],"parts":[{"id":"cisc-011.004_stmt","name":"statement","prose":"Establish and maintain an isolated instance of recovery data. 
Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services."},{"id":"cisc-011.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-011.004_stmt"}],"prose":"An isolated instance of recovery data is established and maintained."},{"id":"cisc-011.004_eg","name":"example","prose":"Example implementations include version controlling backup destinations through offline, cloud, or off-site systems or services."}],"props":[{"name":"label","value":"CIS Safeguard 11.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Maintain an Isolated Instance of Recovery Data"},{"id":"cisc-011.005","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-011.005_stmt","name":"statement","prose":"Test backup recovery quarterly, or more frequently, for a sampling of in-scope enterprise assets."},{"id":"cisc-011.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-011.005_stmt"}],"parts":[{"id":"cisc-011.005_obj-001","name":"assessment-objective","prose":"Backup recovery is tested for a sampling of in-scope enterprise assets."},{"id":"cisc-011.005_obj-002","name":"assessment-objective","prose":"Backup recovery is tested quarterly, or more frequently."}]}],"props":[{"name":"label","value":"CIS Safeguard 
11.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"quarterly"}],"title":"Test Data Recovery"}]},{"id":"cisc-012","links":[{"rel":"reference","href":"#0eb8ef50-ac8f-4ed0-be9c-a09b6ff6e6bf"}],"parts":[{"id":"cisc-012_stmt","name":"statement","prose":"Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points."}],"props":[{"name":"label","value":"CIS Control 12"}],"title":"Network Infrastructure Management","controls":[{"id":"cisc-012.001","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-012.001_stmt","name":"statement","prose":"Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network as a service (NaaS) offerings. 
Review software versions monthly, or more frequently, to verify software support."},{"id":"cisc-012.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.001_stmt"}],"parts":[{"id":"cisc-012.001_obj-001","name":"assessment-objective","prose":"Network infrastructure is kept up to date."},{"id":"cisc-012.001_obj-002","name":"assessment-objective","prose":"Software versions are reviewed monthly, or more frequently, to verify software support."}]},{"id":"cisc-012.001_eg","name":"example","prose":"Example implementations include running the latest stable release of software and/or using currently supported network as a service (NaaS) offerings."}],"props":[{"name":"label","value":"CIS Safeguard 12.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"monthly"}],"title":"Ensure Network Infrastructure is Up-to-Date"},{"id":"cisc-012.002","links":[{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-012.002_stmt","name":"statement","prose":"Design and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. 
Example implementations may include documentation, policy, and design components."},{"id":"cisc-012.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.002_stmt"}],"parts":[{"id":"cisc-012.002_obj-001","name":"assessment-objective","prose":"A secure network architecture is designed and maintained."},{"id":"cisc-012.002_obj-002","name":"assessment-objective","prose":"The secure network architecture addresses segmentation, least privilege, and availability, at a minimum."}]},{"id":"cisc-012.002_eg","name":"example","prose":"Example implementations may include documentation, policy, and design components."}],"props":[{"name":"label","value":"CIS Safeguard 12.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Maintain a Secure Network Architecture"},{"id":"cisc-012.003","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.002"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-012.003_stmt","name":"statement","prose":"Securely manage network infrastructure. 
Example implementations include version-controlled Infrastructure-as-Code (IaC), and the use of secure network protocols, such as SSH and HTTPS."},{"id":"cisc-012.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.003_stmt"}],"prose":"Network infrastructure is securely managed."},{"id":"cisc-012.003_eg","name":"example","prose":"Example implementations include version-controlled Infrastructure-as-Code (IaC) and the use of secure network protocols, such as SSH and HTTPS."}],"props":[{"name":"label","value":"CIS Safeguard 12.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Securely Manage Network Infrastructure"},{"id":"cisc-012.004","parts":[{"id":"cisc-012.004_stmt","name":"statement","prose":"Establish and maintain architecture diagram(s) and/or other network system documentation. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-012.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.004_stmt"}],"parts":[{"id":"cisc-012.004_obj-001","name":"assessment-objective","prose":"Architecture diagram(s) and/or other network system documentation is established and maintained."},{"id":"cisc-012.004_obj-002","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 12.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain Architecture Diagram(s)"},{"id":"cisc-012.005","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-012.005_stmt","name":"statement","prose":"Centralize network AAA."},{"id":"cisc-012.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.005_stmt"}],"prose":"Network AAA is centralized."}],"props":[{"name":"label","value":"CIS Safeguard 12.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centralize Network Authentication, Authorization, and Auditing 
(AAA)"},{"id":"cisc-012.006","links":[{"rel":"required","href":"#cisc-004.002"},{"rel":"required","href":"#cisc-012.002"}],"parts":[{"id":"cisc-012.006_stmt","name":"statement","prose":"Adopt secure network management protocols (e.g., 802.1X) and secure communication protocols (e.g., Wi-Fi Protected Access 2 (WPA2) Enterprise or more secure alternatives)."},{"id":"cisc-012.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.006_stmt"}],"prose":"Secure network management and communication protocols are adopted."},{"id":"cisc-012.006_eg","name":"example","prose":"Examples include 802.1X, Wi-Fi Protected Access 2 (WPA2) Enterprise or more secure alternatives."}],"props":[{"name":"label","value":"CIS Safeguard 12.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use of Secure Network Management and Communication Protocols"},{"id":"cisc-012.007","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"},{"rel":"required","href":"#cisc-012.005"}],"parts":[{"id":"cisc-012.007_stmt","name":"statement","prose":"Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices."},{"id":"cisc-012.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.007_stmt"}],"prose":"Users are required to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices."}],"props":[{"name":"label","value":"CIS Safeguard 
12.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise's AAA Infrastructure"},{"id":"cisc-012.008","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.002"}],"parts":[{"id":"cisc-012.008_stmt","name":"statement","prose":"Establish and maintain dedicated computing resources, either physically or logically separated, for all administrative tasks or tasks requiring administrative access. The computing resources should be segmented from the enterprise's primary network and not be allowed internet access."},{"id":"cisc-012.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-012.008_stmt"}],"parts":[{"id":"cisc-012.008_obj-001","name":"assessment-objective","prose":"Dedicated computing resources, either physically or logically separated, are established and maintained for all administrative tasks or tasks requiring administrative access."},{"id":"cisc-012.008_obj-002","name":"assessment-objective","prose":"The computing resources are segmented from the enterprise's primary network and are not allowed internet access."}]}],"props":[{"name":"label","value":"CIS Safeguard 12.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Maintain Dedicated Computing Resources for All Administrative Work"}]},{"id":"cisc-013","parts":[{"id":"cisc-013_stmt","name":"statement","prose":"Operate processes and tooling to establish and maintain 
comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base."}],"props":[{"name":"label","value":"CIS Control 13"}],"title":"Network Monitoring and Defense","controls":[{"id":"cisc-013.001","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-013.001_stmt","name":"statement","prose":"Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard."},{"id":"cisc-013.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.001_stmt"}],"prose":"Security event alerting is centralized across enterprise assets for log correlation and analysis."},{"id":"cisc-013.001_eg","name":"example","prose":"Example implementation includes the use of a SIEM, which includes vendor-defined event correlation alerts, or a log analytics platform configured with security-relevant correlation alerts."}],"props":[{"name":"label","value":"CIS Safeguard 13.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Centralize Security Event Alerting"},{"id":"cisc-013.002","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-013.002_stmt","name":"statement","prose":"Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or 
supported."},{"id":"cisc-013.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.002_stmt"}],"prose":"A host-based intrusion detection solution is deployed on enterprise assets, where appropriate and/or supported."}],"props":[{"name":"label","value":"CIS Safeguard 13.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy a Host-Based Intrusion Detection Solution"},{"id":"cisc-013.003","links":[{"rel":"reference","href":"#925d3755-46b9-48e8-b8a7-47bda1fe4f09"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-013.003_stmt","name":"statement","prose":"Deploy a network intrusion detection solution on enterprise assets, where appropriate. 
Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service."},{"id":"cisc-013.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.003_stmt"}],"prose":"A network intrusion detection solution is deployed on enterprise assets, where appropriate."},{"id":"cisc-013.003_eg","name":"example","prose":"Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service."}],"props":[{"name":"label","value":"CIS Safeguard 13.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy a Network Intrusion Detection Solution"},{"id":"cisc-013.004","parts":[{"id":"cisc-013.004_stmt","name":"statement","prose":"Perform traffic filtering between network segments, where appropriate."},{"id":"cisc-013.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.004_stmt"}],"prose":"Traffic filtering between network segments is performed, where appropriate."}],"props":[{"name":"label","value":"CIS Safeguard 13.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Perform Traffic Filtering Between Network 
Segments"},{"id":"cisc-013.005","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-006.006"}],"parts":[{"id":"cisc-013.005_stmt","name":"statement","prose":"Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date."},{"id":"cisc-013.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.005_stmt"}],"parts":[{"id":"cisc-013.005_obj-001","name":"assessment-objective","prose":"Access control is managed for assets remotely connecting to enterprise resources."},{"id":"cisc-013.005_obj-002","name":"assessment-objective","prose":"The amount of access to enterprise resources is determined based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up to date."}]}],"props":[{"name":"label","value":"CIS Safeguard 13.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Manage Access Control for Remote Assets"},{"id":"cisc-013.006","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-004.002"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-013.006_stmt","name":"statement","prose":"Collect network traffic flow logs and/or network traffic to review and alert upon from network 
devices."},{"id":"cisc-013.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.006_stmt"}],"prose":"Network traffic flow logs and/or network traffic is collected to review and alert upon from network devices."}],"props":[{"name":"label","value":"CIS Safeguard 13.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Collect Network Traffic Flow Logs"},{"id":"cisc-013.007","links":[{"rel":"reference","href":"#d36b6d4f-27d1-4216-b0c5-6bb87e3cacc8"},{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-013.007_stmt","name":"statement","prose":"Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. 
Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent."},{"id":"cisc-013.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.007_stmt"}],"prose":"A host-based intrusion prevention solution is deployed on enterprise assets, where appropriate and/or supported."},{"id":"cisc-013.007_eg","name":"example","prose":"Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent."}],"props":[{"name":"label","value":"CIS Safeguard 13.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"devices"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy a Host-Based Intrusion Prevention Solution"},{"id":"cisc-013.008","links":[{"rel":"required","href":"#cisc-001.001"},{"rel":"required","href":"#cisc-012.004"}],"parts":[{"id":"cisc-013.008_stmt","name":"statement","prose":"Deploy a network intrusion prevention solution, where appropriate. 
Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service."},{"id":"cisc-013.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.008_stmt"}],"prose":"A network intrusion prevention solution is deployed, where appropriate."},{"id":"cisc-013.008_eg","name":"example","prose":"Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service."}],"props":[{"name":"label","value":"CIS Safeguard 13.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy a Network Intrusion Prevention Solution"},{"id":"cisc-013.009","links":[{"rel":"required","href":"#cisc-001.001"}],"parts":[{"id":"cisc-013.009_stmt","name":"statement","prose":"Deploy port-level access control. 
Port-level access control utilizes 802.1X, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication."},{"id":"cisc-013.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.009_stmt"}],"parts":[{"id":"cisc-013.009_obj-001","name":"assessment-objective","prose":"Port-level access control is deployed."},{"id":"cisc-013.009_obj-002","name":"assessment-objective","prose":"Port-level access control utilizes 802.1X, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication."}]}],"props":[{"name":"label","value":"CIS Safeguard 13.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Deploy Port-Level Access Control"},{"id":"cisc-013.010","parts":[{"id":"cisc-013.010_stmt","name":"statement","prose":"Perform application layer filtering. 
Example implementations include a filtering proxy, application layer firewall, or gateway."},{"id":"cisc-013.010_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.010_stmt"}],"prose":"Application layer filtering is performed."},{"id":"cisc-013.010_eg","name":"example","prose":"Example implementations include a filtering proxy, application layer firewall, or gateway."}],"props":[{"name":"label","value":"CIS Safeguard 13.10"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Perform Application Layer Filtering"},{"id":"cisc-013.011","parts":[{"id":"cisc-013.011_stmt","name":"statement","prose":"Tune security event alerting thresholds monthly, or more frequently."},{"id":"cisc-013.011_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-013.011_stmt"}],"parts":[{"id":"cisc-013.011_obj-001","name":"assessment-objective","prose":"Security event alerting thresholds are tuned."},{"id":"cisc-013.011_obj-002","name":"assessment-objective","prose":"Tuning is done on a monthly, or more frequent, basis."}]}],"props":[{"name":"label","value":"CIS Safeguard 13.11"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Tune Security Event Alerting 
Thresholds"}]},{"id":"cisc-014","links":[{"rel":"reference","href":"#0eb8ef50-ac8f-4ed0-be9c-a09b6ff6e6bf"},{"rel":"reference","href":"#5aec90ed-c7d7-4ab5-8595-a6f6bed32ff4"},{"rel":"reference","href":"#5b2ade11-a87e-4bd7-910d-3fed0b8b2dfc"},{"rel":"reference","href":"#e7744b7d-c05a-4bc2-8796-269e71cd6c0a"},{"rel":"reference","href":"#49d667fa-31bc-4213-ae53-dbfed06d0bd0"},{"rel":"reference","href":"#18a3b4a9-7e8c-4643-a8fe-7c5a0945e0b8"}],"parts":[{"id":"cisc-014_stmt","name":"statement","prose":"Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise."}],"props":[{"name":"label","value":"CIS Control 14"}],"title":"Security Awareness and Skills Training","controls":[{"id":"cisc-014.001","links":[{"rel":"reference","href":"#64c3d97a-6549-4f2a-a99d-bb45d36ffefe"}],"parts":[{"id":"cisc-014.001_stmt","name":"statement","prose":"Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. 
Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-014.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.001_stmt"}],"parts":[{"id":"cisc-014.001_obj-001","name":"assessment-objective","prose":"A security awareness program is established and maintained to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner."},{"id":"cisc-014.001_obj-002","name":"assessment-objective","prose":"Training is conducted at hire and, at a minimum, annually."},{"id":"cisc-014.001_obj-003","name":"assessment-objective","prose":"Content is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 14.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Security Awareness Program"},{"id":"cisc-014.002","parts":[{"id":"cisc-014.002_stmt","name":"statement","prose":"Train workforce members to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating."},{"id":"cisc-014.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.002_stmt"}],"prose":"Workforce members are trained to recognize social engineering attacks, such as phishing, business email compromise (BEC), pretexting, and tailgating."}],"props":[{"name":"label","value":"CIS Safeguard 
14.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce Members to Recognize Social Engineering Attacks"},{"id":"cisc-014.003","parts":[{"id":"cisc-014.003_stmt","name":"statement","prose":"Train workforce members on authentication best practices. Example topics include MFA, password composition, and credential management."},{"id":"cisc-014.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.003_stmt"}],"prose":"Workforce members are trained on authentication best practices."},{"id":"cisc-014.003_eg","name":"example","prose":"Example topics include MFA, password composition, and credential management."}],"props":[{"name":"label","value":"CIS Safeguard 14.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce Members on Authentication Best Practices"},{"id":"cisc-014.004","parts":[{"id":"cisc-014.004_stmt","name":"statement","prose":"Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive data. 
This also includes training workforce members on clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely."},{"id":"cisc-014.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.004_stmt"}],"parts":[{"id":"cisc-014.004_obj-001","name":"assessment-objective","prose":"Workforce members are trained on how to identify and properly store, transfer, archive, and destroy sensitive data."},{"id":"cisc-014.004_obj-002","name":"assessment-objective","prose":"Training includes clear screen and desk best practices, such as locking their screen when they step away from their enterprise asset, erasing physical and virtual whiteboards at the end of meetings, and storing data and assets securely."}]}],"props":[{"name":"label","value":"CIS Safeguard 14.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce on Data Handling Best Practices"},{"id":"cisc-014.005","parts":[{"id":"cisc-014.005_stmt","name":"statement","prose":"Train workforce members to be aware of causes for unintentional data exposure. 
Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences."},{"id":"cisc-014.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.005_stmt"}],"prose":"Workforce members are trained to be aware of causes for unintentional data exposure."},{"id":"cisc-014.005_eg","name":"example","prose":"Example topics include mis-delivery of sensitive data, losing a portable end-user device, or publishing data to unintended audiences."}],"props":[{"name":"label","value":"CIS Safeguard 14.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce Members on Causes of Unintentional Data Exposure"},{"id":"cisc-014.006","parts":[{"id":"cisc-014.006_stmt","name":"statement","prose":"Train workforce members to be able to recognize a potential incident and be able to report such an incident."},{"id":"cisc-014.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.006_stmt"}],"prose":"Workforce members are trained to recognize a potential incident and to report such an incident."}],"props":[{"name":"label","value":"CIS Safeguard 14.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce 
Members on Recognizing and Reporting Security Incidents"},{"id":"cisc-014.007","parts":[{"id":"cisc-014.007_stmt","name":"statement","prose":"Train workforce to understand how to verify and report out-of-date software patches or any failures in automated processes and tools. Part of this training should include notifying IT personnel of any failures in automated processes and tools."},{"id":"cisc-014.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.007_stmt"}],"parts":[{"id":"cisc-014.007_obj-001","name":"assessment-objective","prose":"Workforce is trained to understand how to verify and report out-of-date software patches or any failures in automated processes and tools."},{"id":"cisc-014.007_obj-002","name":"assessment-objective","prose":"Training includes notifying IT personnel of any failures in automated processes and tools."}]}],"props":[{"name":"label","value":"CIS Safeguard 14.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates"},{"id":"cisc-014.008","parts":[{"id":"cisc-014.008_stmt","name":"statement","prose":"Train workforce members on the dangers of connecting to, and transmitting data over, insecure networks for enterprise activities. 
If the enterprise has remote workers, training must include guidance to ensure that all users securely configure their home network infrastructure."},{"id":"cisc-014.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.008_stmt"}],"parts":[{"id":"cisc-014.008_obj-001","name":"assessment-objective","prose":"Workforce members are trained on the dangers of connecting to and transmitting data over insecure networks for enterprise activities."},{"id":"cisc-014.008_obj-002","name":"assessment-objective","prose":"For enterprises with remote workers, training includes guidance to ensure that all users securely configure their home network infrastructure."}]}],"props":[{"name":"label","value":"CIS Safeguard 14.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks"},{"id":"cisc-014.009","parts":[{"id":"cisc-014.009_stmt","name":"statement","prose":"Conduct role-specific security awareness and skills training. 
Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles."},{"id":"cisc-014.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-014.009_stmt"}],"prose":"Role-specific security awareness and skills training is conducted."},{"id":"cisc-014.009_eg","name":"example","prose":"Example implementations include secure system administration courses for IT professionals, OWASP® Top 10 vulnerability awareness and prevention training for web application developers, and advanced social engineering awareness training for high-profile roles."}],"props":[{"name":"label","value":"CIS Safeguard 14.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Conduct Role-Specific Security Awareness and Skills Training"}]},{"id":"cisc-015","links":[{"rel":"reference","href":"#40c2fdc4-a104-44bb-bed1-7fd535937fc3"}],"parts":[{"id":"cisc-015_stmt","name":"statement","prose":"Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise's critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately."}],"props":[{"name":"label","value":"CIS Control 15"}],"title":"Service Provider Management","controls":[{"id":"cisc-015.001","parts":[{"id":"cisc-015.001_stmt","name":"statement","prose":"Establish and maintain an inventory of service providers. 
The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-015.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.001_stmt"}],"parts":[{"id":"cisc-015.001_obj-001","name":"assessment-objective","prose":"An inventory of service providers is established and maintained."},{"id":"cisc-015.001_obj-002","name":"assessment-objective","prose":"The inventory lists all known service providers, including classification(s), and designates an enterprise contact for each service provider."},{"id":"cisc-015.001_obj-003","name":"assessment-objective","prose":"The inventory is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 15.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain an Inventory of Service Providers"},{"id":"cisc-015.002","parts":[{"id":"cisc-015.002_stmt","name":"statement","prose":"Establish and maintain a service provider management policy. Ensure the policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers. 
Review and update the policy annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-015.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.002_stmt"}],"parts":[{"id":"cisc-015.002_obj-001","name":"assessment-objective","prose":"A service provider management policy is established and maintained."},{"id":"cisc-015.002_obj-002","name":"assessment-objective","prose":"The policy addresses the classification, inventory, assessment, monitoring, and decommissioning of service providers."},{"id":"cisc-015.002_obj-003","name":"assessment-objective","prose":"The policy is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 15.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Service Provider Management Policy"},{"id":"cisc-015.003","links":[{"rel":"required","href":"#cisc-015.001"},{"rel":"required","href":"#cisc-015.002"}],"parts":[{"id":"cisc-015.003_stmt","name":"statement","prose":"Classify service providers. Classification consideration may include one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk. 
Update and review classifications annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-015.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.003_stmt"}],"parts":[{"id":"cisc-015.003_obj-001","name":"assessment-objective","prose":"Service providers are classified."},{"id":"cisc-015.003_obj-002","name":"assessment-objective","prose":"Classifications are reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]},{"id":"cisc-015.003_gdn","name":"guidance","prose":"Classification consideration includes one or more characteristics, such as data sensitivity, data volume, availability requirements, applicable regulations, inherent risk, and mitigated risk."}],"props":[{"name":"label","value":"CIS Safeguard 15.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Classify Service Providers"},{"id":"cisc-015.004","links":[{"rel":"required","href":"#cisc-015.001"},{"rel":"required","href":"#cisc-015.002"}],"parts":[{"id":"cisc-015.004_stmt","name":"statement","prose":"Ensure service provider contracts include security requirements. Example requirements may include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments. These security requirements must be consistent with the enterprise's service provider management policy. 
Review service provider contracts annually to ensure contracts are not missing security requirements."},{"id":"cisc-015.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.004_stmt"}],"parts":[{"id":"cisc-015.004_obj-001","name":"assessment-objective","prose":"Service provider contracts include security requirements."},{"id":"cisc-015.004_obj-002","name":"assessment-objective","prose":"Security requirements are consistent with the enterprise's service provider management policy."},{"id":"cisc-015.004_obj-003","name":"assessment-objective","prose":"Service provider contracts are reviewed annually to ensure contracts are not missing security requirements."}]},{"id":"cisc-015.004_eg","name":"example","prose":"Example requirements include minimum security program requirements, security incident and/or data breach notification and response, data encryption requirements, and data disposal commitments."}],"props":[{"name":"label","value":"CIS Safeguard 15.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Ensure Service Provider Contracts Include Security Requirements"},{"id":"cisc-015.005","parts":[{"id":"cisc-015.005_stmt","name":"statement","prose":"Assess service providers consistent with the enterprise's service provider management policy. Assessment scope may vary based on classification(s), and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes. 
Reassess service providers annually, at a minimum, or with new and renewed contracts."},{"id":"cisc-015.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.005_stmt"}],"parts":[{"id":"cisc-015.005_obj-001","name":"assessment-objective","prose":"Service providers are assessed consistent with the enterprise's service provider management policy."},{"id":"cisc-015.005_obj-002","name":"assessment-objective","prose":"Service providers are reassessed annually, at a minimum, or with new and renewed contracts."}]},{"id":"cisc-015.005_eg","name":"example","prose":"Assessment scope varies based on classification(s) and may include review of standardized assessment reports, such as Service Organization Control 2 (SOC 2) and Payment Card Industry (PCI) Attestation of Compliance (AoC), customized questionnaires, or other appropriately rigorous processes."}],"props":[{"name":"label","value":"CIS Safeguard 15.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Assess Service Providers"},{"id":"cisc-015.006","links":[{"rel":"required","href":"#cisc-015.001"},{"rel":"required","href":"#cisc-015.002"}],"parts":[{"id":"cisc-015.006_stmt","name":"statement","prose":"Monitor service providers consistent with the enterprise's service provider management policy. 
Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring."},{"id":"cisc-015.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.006_stmt"}],"prose":"Service providers are monitored consistent with the enterprise's service provider management policy."},{"id":"cisc-015.006_eg","name":"example","prose":"Monitoring may include periodic reassessment of service provider compliance, monitoring service provider release notes, and dark web monitoring."}],"props":[{"name":"label","value":"CIS Safeguard 15.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Monitor Service Providers"},{"id":"cisc-015.007","links":[{"rel":"required","href":"#cisc-015.001"},{"rel":"required","href":"#cisc-015.002"}],"parts":[{"id":"cisc-015.007_stmt","name":"statement","prose":"Securely decommission service providers. 
Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems."},{"id":"cisc-015.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-015.007_stmt"}],"prose":"Service providers are securely decommissioned."},{"id":"cisc-015.007_eg","name":"example","prose":"Example considerations include user and service account deactivation, termination of data flows, and secure disposal of enterprise data within service provider systems."}],"props":[{"name":"label","value":"CIS Safeguard 15.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"data"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Securely Decommission Service Providers"}]},{"id":"cisc-016","links":[{"rel":"reference","href":"#8979a189-b24f-41f0-85ec-b934deb2f459"},{"rel":"reference","href":"#112fe63b-1d76-45b2-ab6e-fa951d237f1b"},{"rel":"reference","href":"#8bc084ef-1993-49c2-af57-633cc873c7d9"},{"rel":"reference","href":"#2ecd06fe-65e7-4d33-aa07-4e5cfdf1a0c4"}],"parts":[{"id":"cisc-016_stmt","name":"statement","prose":"Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise."}],"props":[{"name":"label","value":"CIS Control 16"}],"title":"Application Software Security","controls":[{"id":"cisc-016.001","parts":[{"id":"cisc-016.001_stmt","name":"statement","prose":"Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. 
Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-016.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.001_stmt"}],"parts":[{"id":"cisc-016.001_obj-001","name":"assessment-objective","prose":"A secure application development process is established and maintained."},{"id":"cisc-016.001_obj-002","name":"assessment-objective","prose":"The process addresses items such as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures."},{"id":"cisc-016.001_obj-003","name":"assessment-objective","prose":"The documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 16.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Secure Application Development Process"},{"id":"cisc-016.002","parts":[{"id":"cisc-016.002_stmt","name":"statement","prose":"Establish and maintain a process to accept and address reports of software vulnerabilities, including providing a means for external entities to report. The process is to include such items as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing. 
As part of the process, use a vulnerability tracking system that includes severity ratings and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. Third-party application developers need to consider this an externally-facing policy that helps to set expectations for outside stakeholders."},{"id":"cisc-016.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.002_stmt"}],"parts":[{"id":"cisc-016.002_obj-001","name":"assessment-objective","prose":"A process is established and maintained to accept and address reports of software vulnerabilities, including providing a means for external entities to report.\n\nAn externally-facing policy is considered for third-party application developers that helps to set expectations for outside stakeholders."},{"id":"cisc-016.002_obj-002","name":"assessment-objective","prose":"The process includes items such as: a vulnerability handling policy that identifies reporting process, responsible party for handling vulnerability reports, and a process for intake, assignment, remediation, and remediation testing."},{"id":"cisc-016.002_obj-003","name":"assessment-objective","prose":"A vulnerability tracking system is used that includes severity ratings and metrics for measuring timing for identification, analysis, and remediation of vulnerabilities."},{"id":"cisc-016.002_obj-004","name":"assessment-objective","prose":"Documentation is reviewed and updated annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 
16.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Maintain a Process to Accept and Address Software Vulnerabilities"},{"id":"cisc-016.003","links":[{"rel":"required","href":"#cisc-016.002"}],"parts":[{"id":"cisc-016.003_stmt","name":"statement","prose":"Perform root cause analysis on security vulnerabilities. When reviewing vulnerabilities, root cause analysis is the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise."},{"id":"cisc-016.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.003_stmt"}],"prose":"Root cause analysis is performed on security vulnerabilities; it includes the task of evaluating underlying issues that create vulnerabilities in code, and allows development teams to move beyond just fixing individual vulnerabilities as they arise."}],"props":[{"name":"label","value":"CIS Safeguard 16.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Perform Root Cause Analysis on Security Vulnerabilities"},{"id":"cisc-016.004","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-016.004_stmt","name":"statement","prose":"Establish and manage an updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated 
for future use. This inventory is to include any risks that each third-party component could pose. Evaluate the list at least monthly to identify any changes or updates to these components, and validate that the component is still supported."},{"id":"cisc-016.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.004_stmt"}],"parts":[{"id":"cisc-016.004_obj-001","name":"assessment-objective","prose":"An updated inventory of third-party components used in development, often referred to as a \"bill of materials,\" as well as components slated for future use, is established and maintained."},{"id":"cisc-016.004_obj-002","name":"assessment-objective","prose":"The inventory includes any risks that each third-party component could pose."},{"id":"cisc-016.004_obj-003","name":"assessment-objective","prose":"The list is evaluated at least monthly to identify any changes or updates to these components, and validate that the component is still supported."}]}],"props":[{"name":"label","value":"CIS Safeguard 16.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"identify"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Manage an Inventory of Third-Party Software Components"},{"id":"cisc-016.005","links":[{"rel":"required","href":"#cisc-016.004"}],"parts":[{"id":"cisc-016.005_stmt","name":"statement","prose":"Use up-to-date and trusted third-party software components. When possible, choose established and proven frameworks and libraries that provide adequate security. 
Acquire these components from trusted sources or evaluate the software for vulnerabilities before use."},{"id":"cisc-016.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.005_stmt"}],"parts":[{"id":"cisc-016.005_obj-001","name":"assessment-objective","prose":"Up-to-date and trusted third-party software components are used."},{"id":"cisc-016.005_obj-002","name":"assessment-objective","prose":"Established and proven frameworks and libraries are chosen that provide adequate security, when possible."},{"id":"cisc-016.005_obj-003","name":"assessment-objective","prose":"Components are acquired from trusted sources or software is evaluated for vulnerabilities before use."}]}],"props":[{"name":"label","value":"CIS Safeguard 16.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use Up-to-Date and Trusted Third-Party Software Components"},{"id":"cisc-016.006","links":[{"rel":"required","href":"#cisc-016.002"}],"parts":[{"id":"cisc-016.006_stmt","name":"statement","prose":"Establish and maintain a severity rating system and process for application vulnerabilities that facilitates prioritizing the order in which discovered vulnerabilities are fixed. This process includes setting a minimum level of security acceptability for releasing code or applications. Severity ratings bring a systematic way of triaging vulnerabilities that improves risk management and helps ensure the most severe bugs are fixed first. 
Review and update the system and process annually."},{"id":"cisc-016.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.006_stmt"}],"parts":[{"id":"cisc-016.006_obj-001","name":"assessment-objective","prose":"A severity rating system and process is established and maintained for application vulnerabilities."},{"id":"cisc-016.006_obj-002","name":"assessment-objective","prose":"The severity rating system facilitates prioritizing the order in which discovered vulnerabilities are fixed."},{"id":"cisc-016.006_obj-003","name":"assessment-objective","prose":"The process includes setting a minimum level of security acceptability for releasing code or applications."},{"id":"cisc-016.006_obj-004","name":"assessment-objective","prose":"The system and process are reviewed and updated annually."}]}],"props":[{"name":"label","value":"CIS Safeguard 16.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain a Severity Rating System and Process for Application Vulnerabilities"},{"id":"cisc-016.007","links":[{"rel":"required","href":"#cisc-004.001"},{"rel":"required","href":"#cisc-004.002"}],"parts":[{"id":"cisc-016.007_stmt","name":"statement","prose":"Use standard, industry-recommended hardening configuration templates for application infrastructure components. This includes underlying servers, databases, and web servers, and applies to cloud containers, Platform as a Service (PaaS) components, and SaaS components. 
Do not allow in-house developed software to weaken configuration hardening."},{"id":"cisc-016.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.007_stmt"}],"parts":[{"id":"cisc-016.007_obj-001","name":"assessment-objective","prose":"Standard, industry-recommended hardening configuration templates are used for application infrastructure components."},{"id":"cisc-016.007_obj-002","name":"assessment-objective","prose":"The configuration templates apply to underlying servers, databases, and web servers, as well as to cloud containers, Platform as a Service (PaaS) components, and SaaS components."},{"id":"cisc-016.007_obj-003","name":"assessment-objective","prose":"In-house developed software does not weaken configuration hardening."}]}],"props":[{"name":"label","value":"CIS Safeguard 16.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Use Standard Hardening Configuration Templates for Application Infrastructure"},{"id":"cisc-016.008","parts":[{"id":"cisc-016.008_stmt","name":"statement","prose":"Maintain separate environments for production and non-production systems."},{"id":"cisc-016.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.008_stmt"}],"prose":"Separate environments are maintained for production and non-production systems."}],"props":[{"name":"label","value":"CIS Safeguard 
16.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Separate Production and Non-Production Systems"},{"id":"cisc-016.009","parts":[{"id":"cisc-016.009_stmt","name":"statement","prose":"Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. Training can include general security principles and application security standard practices. Conduct training at least annually and design in a way to promote security within the development team, and build a culture of security among the developers."},{"id":"cisc-016.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.009_stmt"}],"parts":[{"id":"cisc-016.009_obj-001","name":"assessment-objective","prose":"All software development personnel receive training in writing secure code for their specific development environment and responsibilities."},{"id":"cisc-016.009_obj-002","name":"assessment-objective","prose":"Training is designed in a way to promote security within the development team, and build a culture of security among the developers."},{"id":"cisc-016.009_obj-003","name":"assessment-objective","prose":"Training is conducted at least annually."}]},{"id":"cisc-016.009_gdn","name":"guidance","prose":"Training can include general security principles and application security standard practices."}],"props":[{"name":"label","value":"CIS Safeguard 
16.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Train Developers in Application Security Concepts and Secure Coding"},{"id":"cisc-016.010","links":[{"rel":"required","href":"#cisc-016.001"}],"parts":[{"id":"cisc-016.010_stmt","name":"statement","prose":"Apply secure design principles in application architectures. Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\" Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. 
Secure design also means minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts."},{"id":"cisc-016.010_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.010_stmt"}],"prose":"Secure design principles are applied in application architectures."},{"id":"cisc-016.010_gdn","name":"guidance","prose":"Secure design principles include the concept of least privilege and enforcing mediation to validate every operation that the user makes, promoting the concept of \"never trust user input.\"\n\nSecure design also includes minimizing the application infrastructure attack surface, such as turning off unprotected ports and services, removing unnecessary programs and files, and renaming or removing default accounts."},{"id":"cisc-016.010_eg","name":"example","prose":"Examples include ensuring that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats."}],"props":[{"name":"label","value":"CIS Safeguard 16.10"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Apply Secure Design Principles in Application Architectures"},{"id":"cisc-016.011","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-016.011_stmt","name":"statement","prose":"Leverage vetted modules or services for application security components, such as identity management, encryption, auditing, and logging. Using platform features in critical security functions will reduce developers' workload and minimize the likelihood of design or implementation errors. 
Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications. Use only standardized, currently accepted, and extensively reviewed encryption algorithms. Operating systems also provide mechanisms to create and maintain secure audit logs."},{"id":"cisc-016.011_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.011_stmt"}],"parts":[{"id":"cisc-016.011_obj-001","name":"assessment-objective","prose":"Vetted modules or services are used for application security components, such as identity management, encryption, auditing, and logging."},{"id":"cisc-016.011_obj-002","name":"assessment-objective","prose":"Only standardized, currently accepted, and extensively reviewed encryption algorithms are used."}]},{"id":"cisc-016.011_gdn","name":"guidance","prose":"Using platform features in critical security functions will reduce developers’ workload and minimize the likelihood of design or implementation errors. 
Modern operating systems provide effective mechanisms for identification, authentication, and authorization and make those mechanisms available to applications."}],"props":[{"name":"label","value":"CIS Safeguard 16.11"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Leverage Vetted Modules or Services for Application Security Components"},{"id":"cisc-016.012","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-016.012_stmt","name":"statement","prose":"Apply static and dynamic analysis tools within the application life cycle to verify that secure coding practices are being followed."},{"id":"cisc-016.012_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.012_stmt"}],"prose":"Static and dynamic analysis tools are applied within the application life cycle to verify that secure coding practices are being followed."}],"props":[{"name":"label","value":"CIS Safeguard 16.12"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Implement Code-Level Security Checks"},{"id":"cisc-016.013","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-016.013_stmt","name":"statement","prose":"Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. 
Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user."},{"id":"cisc-016.013_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.013_stmt"}],"prose":"Application penetration testing is conducted."},{"id":"cisc-016.013_gdn","name":"guidance","prose":"For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing.\n\nPenetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user."}],"props":[{"name":"label","value":"CIS Safeguard 16.13"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Conduct Application Penetration Testing"},{"id":"cisc-016.014","links":[{"rel":"required","href":"#cisc-002.001"}],"parts":[{"id":"cisc-016.014_stmt","name":"statement","prose":"Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses."},{"id":"cisc-016.014_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-016.014_stmt"}],"prose":"Threat modeling is conducted."},{"id":"cisc-016.014_gdn","name":"guidance","prose":"Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. 
It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses."}],"props":[{"name":"label","value":"CIS Safeguard 16.14"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"software"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Conduct Threat Modeling"}]},{"id":"cisc-017","links":[{"rel":"reference","href":"#2607e60c-9c2f-4bec-83fc-102d28a4ff0c"}],"parts":[{"id":"cisc-017_stmt","name":"statement","prose":"Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack."}],"props":[{"name":"label","value":"CIS Control 17"}],"title":"Incident Response Management","controls":[{"id":"cisc-017.001","parts":[{"id":"cisc-017.001_stmt","name":"statement","prose":"Designate one key person, and at least one backup, who will manage the enterprise's incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, service providers, or a hybrid approach. If using a service provider, designate at least one person internal to the enterprise to oversee any third-party work. 
Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.001_stmt"}],"parts":[{"id":"cisc-017.001_obj-001","name":"assessment-objective","prose":"One key person, and at least one backup, are designated who will manage the enterprise's incident handling process."},{"id":"cisc-017.001_obj-002","name":"assessment-objective","prose":"Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and consist of employees internal to the enterprise, service providers, or a hybrid approach."},{"id":"cisc-017.001_obj-003","name":"assessment-objective","prose":"If using a service provider, at least one person internal to the enterprise is designated to oversee any third-party work."},{"id":"cisc-017.001_obj-004","name":"assessment-objective","prose":"A list of personnel is reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 17.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Designate Personnel to Manage Incident Handling"},{"id":"cisc-017.002","parts":[{"id":"cisc-017.002_stmt","name":"statement","prose":"Establish and maintain contact information for parties that need to be informed of security incidents. 
Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Verify contacts annually to ensure that information is up-to-date."},{"id":"cisc-017.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.002_stmt"}],"parts":[{"id":"cisc-017.002_obj-001","name":"assessment-objective","prose":"Contact information is established and maintained for parties that need to be informed of security incidents."},{"id":"cisc-017.002_obj-002","name":"assessment-objective","prose":"Contacts are verified annually to ensure that information is up to date."}]},{"id":"cisc-017.002_eg","name":"example","prose":"Contacts may include internal staff, service providers, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders."}],"props":[{"name":"label","value":"CIS Safeguard 17.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain Contact Information for Reporting Security Incidents"},{"id":"cisc-017.003","parts":[{"id":"cisc-017.003_stmt","name":"statement","prose":"Establish and maintain a documented enterprise process for the workforce to report security incidents. The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported. 
Ensure the process is publicly available to all of the workforce. Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.003_stmt"}],"parts":[{"id":"cisc-017.003_obj-001","name":"assessment-objective","prose":"A documented enterprise process for the workforce to report security incidents is established and maintained."},{"id":"cisc-017.003_obj-002","name":"assessment-objective","prose":"The process includes reporting timeframe, personnel to report to, mechanism for reporting, and the minimum information to be reported."},{"id":"cisc-017.003_obj-003","name":"assessment-objective","prose":"The process is publicly available to all of the workforce."},{"id":"cisc-017.003_obj-004","name":"assessment-objective","prose":"The process is reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 17.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"1"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain an Enterprise Process for Reporting Incidents"},{"id":"cisc-017.004","parts":[{"id":"cisc-017.004_stmt","name":"statement","prose":"Establish and maintain a documented incident response process that addresses roles and responsibilities, compliance requirements, and a communication plan. 
Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.004_stmt"}],"parts":[{"id":"cisc-017.004_obj-001","name":"assessment-objective","prose":"A documented incident response process is established and maintained."},{"id":"cisc-017.004_obj-002","name":"assessment-objective","prose":"The process addresses roles and responsibilities, compliance requirements, and a communication plan."},{"id":"cisc-017.004_obj-003","name":"assessment-objective","prose":"The process is reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 17.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain an Incident Response Process"},{"id":"cisc-017.005","links":[{"rel":"reference","href":"#b84ff188-2db5-40d8-a3ba-59202e68c543"},{"rel":"required","href":"#cisc-017.004"}],"parts":[{"id":"cisc-017.005_stmt","name":"statement","prose":"Assign key roles and responsibilities for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, analysts, and relevant third parties. 
Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.005_stmt"}],"parts":[{"id":"cisc-017.005_obj-001","name":"assessment-objective","prose":"Key roles and responsibilities are assigned for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, analysts, and relevant third parties."},{"id":"cisc-017.005_obj-002","name":"assessment-objective","prose":"The roles and responsibilities are reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]}],"props":[{"name":"label","value":"CIS Safeguard 17.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Assign Key Roles and Responsibilities"},{"id":"cisc-017.006","links":[{"rel":"required","href":"#cisc-017.004"}],"parts":[{"id":"cisc-017.006_stmt","name":"statement","prose":"Determine which primary and secondary mechanisms will be used to communicate and report during a security incident. Mechanisms can include phone calls, emails, secure chat, or notification letters. Keep in mind that certain mechanisms, such as emails, can be affected during a security incident. 
Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.006_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.006_stmt"}],"parts":[{"id":"cisc-017.006_obj-001","name":"assessment-objective","prose":"Primary and secondary mechanisms used to communicate and report during a security incident are determined."},{"id":"cisc-017.006_obj-002","name":"assessment-objective","prose":"Mechanisms are reviewed annually, or when significant enterprise changes occur that could impact this Safeguard."}]},{"id":"cisc-017.006_eg","name":"example","prose":"Mechanisms can include phone calls, emails, secure chat, or notification letters.\n\nKeep in mind that certain mechanisms, such as emails, can be affected during a security incident."}],"props":[{"name":"label","value":"CIS Safeguard 17.6"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"respond"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Define Mechanisms for Communicating During Incident Response"},{"id":"cisc-017.007","links":[{"rel":"required","href":"#cisc-017.004"}],"parts":[{"id":"cisc-017.007_stmt","name":"statement","prose":"Plan and conduct routine incident response exercises and scenarios for key personnel involved in the incident response process to prepare for responding to real-world incidents. Exercises need to test communication channels, decision making, and workflows. 
Conduct testing on an annual basis, at a minimum."},{"id":"cisc-017.007_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.007_stmt"}],"parts":[{"id":"cisc-017.007_obj-001","name":"assessment-objective","prose":"Routine incident response exercises and scenarios are planned and conducted for key personnel involved in the incident response process to prepare for responding to real-world incidents."},{"id":"cisc-017.007_obj-002","name":"assessment-objective","prose":"The exercises test communication channels, decision-making, and workflows."},{"id":"cisc-017.007_obj-003","name":"assessment-objective","prose":"Testing is conducted on an annual basis, at a minimum."}]}],"props":[{"name":"label","value":"CIS Safeguard 17.7"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Conduct Routine Incident Response Exercises"},{"id":"cisc-017.008","links":[{"rel":"required","href":"#cisc-017.004"}],"parts":[{"id":"cisc-017.008_stmt","name":"statement","prose":"Conduct post-incident reviews. 
Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action."},{"id":"cisc-017.008_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.008_stmt"}],"prose":"Post-incident reviews are conducted."},{"id":"cisc-017.008_gdn","name":"guidance","prose":"Post-incident reviews help prevent incident recurrence through identifying lessons learned and follow-up action."}],"props":[{"name":"label","value":"CIS Safeguard 17.8"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"users"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Conduct Post-Incident Reviews"},{"id":"cisc-017.009","links":[{"rel":"required","href":"#cisc-017.004"}],"parts":[{"id":"cisc-017.009_stmt","name":"statement","prose":"Establish and maintain security incident thresholds, including, at a minimum, differentiating between an incident and an event. Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc. 
Review annually, or when significant enterprise changes occur that could impact this Safeguard."},{"id":"cisc-017.009_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-017.009_stmt"}],"parts":[{"id":"cisc-017.009_obj-001","name":"assessment-objective","prose":"Security incident thresholds are established and maintained, including, at a minimum, differentiating between an incident and an event."},{"id":"cisc-017.009_obj-002","name":"assessment-objective","prose":"Review security incident thresholds annually, or when significant enterprise changes occur that could impact this Safeguard."}]},{"id":"cisc-017.009_eg","name":"example","prose":"Examples can include: abnormal activity, security vulnerability, security weakness, data breach, privacy incident, etc."}],"props":[{"name":"label","value":"CIS Safeguard 17.9"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"recover"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Establish and Maintain Security Incident Thresholds"}]},{"id":"cisc-018","links":[{"rel":"reference","href":"#2863ff1f-b701-4ba5-a493-19f6ab555a38"},{"rel":"reference","href":"#10991b9c-8597-403c-92b8-eb2f4b2db035"}],"parts":[{"id":"cisc-018_stmt","name":"statement","prose":"Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker."}],"props":[{"name":"label","value":"CIS Control 18"}],"title":"Penetration Testing","controls":[{"id":"cisc-018.001","links":[{"rel":"reference","href":"#c11ffac4-21c8-43fe-ba41-2813969bf9ea"}],"parts":[{"id":"cisc-018.001_stmt","name":"statement","prose":"Establish and maintain a penetration testing program 
appropriate to the size, complexity, industry, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements."},{"id":"cisc-018.001_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-018.001_stmt"}],"prose":"A penetration testing program is established and maintained appropriate to the size, complexity, industry, and maturity of the enterprise."},{"id":"cisc-018.001_gdn","name":"guidance","prose":"Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements."}],"props":[{"name":"label","value":"CIS Safeguard 18.1"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"documentation"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"govern"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Establish and Maintain a Penetration Testing Program"},{"id":"cisc-018.002","links":[{"rel":"required","href":"#cisc-018.001"}],"parts":[{"id":"cisc-018.002_stmt","name":"statement","prose":"Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. 
Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box."},{"id":"cisc-018.002_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-018.002_stmt"}],"parts":[{"id":"cisc-018.002_obj-001","name":"assessment-objective","prose":"Periodic external penetration tests are performed based on program requirements."},{"id":"cisc-018.002_obj-002","name":"assessment-objective","prose":"Periodic external penetration tests are performed no less than annually."},{"id":"cisc-018.002_obj-003","name":"assessment-objective","prose":"External penetration testing includes enterprise and environmental reconnaissance to detect exploitable information."},{"id":"cisc-018.002_obj-004","name":"assessment-objective","prose":"Penetration testing is conducted through a qualified party who has specialized skills and experience."}]},{"id":"cisc-018.002_gdn","name":"guidance","prose":"The testing may be clear box or opaque box."}],"props":[{"name":"label","value":"CIS Safeguard 18.2"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Perform Periodic External Penetration Tests"},{"id":"cisc-018.003","links":[{"rel":"required","href":"#cisc-018.002"}],"parts":[{"id":"cisc-018.003_stmt","name":"statement","prose":"Remediate penetration test findings based on the enterprise's documented vulnerability remediation process. 
This should include determining a timeline and level of effort based on the impact and prioritization of each identified finding."},{"id":"cisc-018.003_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-018.003_stmt"}],"parts":[{"id":"cisc-018.003_obj-001","name":"assessment-objective","prose":"Penetration test findings are remediated based on the enterprise's documented vulnerability remediation process."},{"id":"cisc-018.003_obj-002","name":"assessment-objective","prose":"A timeline and level of effort are determined based on the impact and prioritization of each identified finding."}]}],"props":[{"name":"label","value":"CIS Safeguard 18.3"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"2"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Remediate Penetration Test Findings"},{"id":"cisc-018.004","links":[{"rel":"required","href":"#cisc-018.001"}],"parts":[{"id":"cisc-018.004_stmt","name":"statement","prose":"Validate security measures after each penetration test. 
If deemed necessary, modify rulesets and capabilities to detect the techniques used during testing."},{"id":"cisc-018.004_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-018.004_stmt"}],"parts":[{"id":"cisc-018.004_obj-001","name":"assessment-objective","prose":"Security measures are validated after each penetration test."},{"id":"cisc-018.004_obj-002","name":"assessment-objective","prose":"If deemed necessary, rulesets and capabilities are modified to detect the techniques used during testing."}]}],"props":[{"name":"label","value":"CIS Safeguard 18.4"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"protect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"}],"title":"Validate Security Measures"},{"id":"cisc-018.005","links":[{"rel":"required","href":"#cisc-018.001"}],"parts":[{"id":"cisc-018.005_stmt","name":"statement","prose":"Perform periodic internal penetration tests based on program requirements, no less than annually. 
The testing may be clear box or opaque box."},{"id":"cisc-018.005_obj","name":"assessment-objective","links":[{"rel":"assessment-for","href":"#cisc-018.005_stmt"}],"parts":[{"id":"cisc-018.005_obj-001","name":"assessment-objective","prose":"Periodic internal penetration tests are performed based on program requirements."},{"id":"cisc-018.005_obj-002","name":"assessment-objective","prose":"Periodic internal penetration tests are performed no less than annually."}]},{"id":"cisc-018.005_gdn","name":"guidance","prose":"The testing may be clear box or opaque box."}],"props":[{"name":"label","value":"CIS Safeguard 18.5"},{"ns":"https://cisecurity.org/ns/oscal","name":"asset-class","value":"network"},{"ns":"https://cisecurity.org/ns/oscal","name":"security-function","value":"detect"},{"ns":"https://cisecurity.org/ns/oscal","name":"implementation-group","value":"3"},{"ns":"https://cisecurity.org/ns/oscal","name":"frequency","value":"annually"}],"title":"Perform Periodic Internal Penetration Tests"}]}]}],"back-matter":{"resources":[{"uuid":"4b0e0260-8212-40de-9354-9fa6d0508865","title":"CIS Controls Assessment Specification","rlinks":[{"href":"https://cas.docs.cisecurity.org/en/latest/"}]},{"uuid":"ef4c23e3-3f1b-40db-958b-96bb56f26215","title":"Guide to Asset Classes: CIS Critical Security Controls v8.1","rlinks":[{"href":"https://www.cisecurity.org/insights/white-papers/guide-to-asset-classes-cis-critical-security-controls-v8-1"}]},{"uuid":"391bdf11-1551-496e-8897-85993509e130","title":"Guide to Implementation Groups (IG): CIS Critical Security Controls v8.1","rlinks":[{"href":"https://www.cisecurity.org/insights/white-papers/guide-implementation-groups-ig-cis-critical-security-controls-v8-1"}]},{"uuid":"876fe32d-0e4f-48b8-92f5-4eb84f5b2cd2","title":"CIS Controls v8.1 Cloud Companion Guide","rlinks":[{"href":"https://www.cisecurity.org/insights/white-papers/cis-controls-v8-1-cloud-companion-guide"}]},{"uuid":"65ccc8e8-2f3e-4965-9a6d-36ee62b9bb21","title":"CIS Critical 
Security Controls v8 Mobile Companion Guide","rlinks":[{"href":"https://www.cisecurity.org/controls/resources?crc=environment-specific-guidance"}]},{"uuid":"5c3c47ab-a626-4a2e-8336-19291a3c7f16","title":"CIS Controls v8 Internet of Things Companion Guide","rlinks":[{"href":"https://www.cisecurity.org/controls/resources?crc=environment-specific-guidance"}]},{"uuid":"4bed343f-54d1-40b1-91a9-973f746772ca","title":"CIS Critical Security Controls v8.1 Industrial Control Systems (ICS) Guide","rlinks":[{"href":"https://www.cisecurity.org/insights/white-papers/cis-critical-security-controls-v8-1-industrial-control-systems-ics-guide"}]},{"uuid":"64c3d97a-6549-4f2a-a99d-bb45d36ffefe","title":"CIS Controls Policy Templates","rlinks":[{"href":"https://www.cisecurity.org/controls/resources?crc=implementation-tools-guidance"}]},{"uuid":"68033664-1b0d-4ded-b5d2-daa770d6ca55","title":"CIS Asset Tracking Spreadsheet","rlinks":[{"href":"https://www.cisecurity.org/insights/white-papers/cis-hardware-and-software-asset-tracking-spreadsheet"}]},{"uuid":"40c2fdc4-a104-44bb-bed1-7fd535937fc3","title":"NIST® SP 800-88r1 Guides for Media Sanitization","rlinks":[{"href":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf"}]},{"uuid":"6c887586-ff8a-4f6f-ab3b-034a6e652c44","title":"NIST® FIPS 140-2","rlinks":[{"href":"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf"}]},{"uuid":"529b84c7-6e48-4874-93e6-99855f7ae1d6","title":"NIST® FIPS 140-3","rlinks":[{"href":"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf"}]},{"uuid":"13236c14-239f-42c9-a785-a47ba7cf1c86","title":"The CIS Benchmarks™ Program","rlinks":[{"href":"http://www.cisecurity.org/cis-benchmarks/"}]},{"uuid":"c4ee4db6-0803-4729-9d86-b785a3414609","title":"The National Institute of Standards and Technology (NIST®) National Checklist Program Repository","rlinks":[{"href":"https://nvd.nist.gov/ncp/repository"}]},{"uuid":"edb3da2b-8a7f-4fd2-9186-6d2953e74fe7","title":"CIS Configuration 
Assessment Tool (CIS-CAT) Lite","rlinks":[{"href":"https://learn.cisecurity.org/cis-cat-lite"}]},{"uuid":"6d82c5b2-f01f-4f53-9371-8f016196fc04","title":"CIS SecureSuite® Membership","rlinks":[{"href":"https://www.cisecurity.org/cis-securesuite"}]},{"uuid":"d6d0d742-fa15-43bf-86e8-68f72ade2a4c","title":"CIS Hardened Images®","rlinks":[{"href":"https://www.cisecurity.org/cis-hardened-images"}]},{"uuid":"6f22e961-97ba-48ca-abc0-128d89f6bc4a","title":"NIST® Digital Identity Guidelines","rlinks":[{"href":"https://pages.nist.gov/800-63-3/"}]},{"uuid":"35a2658c-7625-4f4a-8419-22e416c52b84","title":"CIS Password Policy Guide","rlinks":[{"href":"https://www.cisecurity.org/white-papers/cis-password-policy-guide"}]},{"uuid":"37c4fb6d-ca59-4281-9006-51b7cdf633d8","title":"The Technical Specification for the Security Content Automation Protocol (SCAP)","rlinks":[{"href":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-126r3.pdf"}]},{"uuid":"fe691ea4-33b8-401c-b544-7e93bb790fe5","title":"CIS Controls Living off the Land (LotL) Guides","rlinks":[{"href":"https://www.cisecurity.org/controls/resources?crc=minimize-your-threats"}]},{"uuid":"dab6ccea-c07f-4dc1-a720-0bf05a6dcc53","title":"CIS Vulnerability Assessments","rlinks":[{"href":"https://www.cisecurity.org/services/vulnerability-assessments"}]},{"uuid":"0eb8ef50-ac8f-4ed0-be9c-a09b6ff6e6bf","title":"CIS Controls Telework and Small Office Network Security Guide","rlinks":[{"href":"https://www.cisecurity.org/controls/resources?crc=environment-specific-guidance"}]},{"uuid":"2e593067-66f2-4303-8dc4-e82089cd2bbd","title":"MS-ISAC® and EI-ISAC® Service: Malicious Domain Blocking and Reporting (MDBR) service","rlinks":[{"href":"https://www.cisecurity.org/ms-isac/services/mdbr"}]},{"uuid":"d36b6d4f-27d1-4216-b0c5-6bb87e3cacc8","title":"CIS Endpoint Security Services (ESS) for U.S. 
State, Local, Tribal, and Territorial (SLTT) Governments","rlinks":[{"href":"https://www.cisecurity.org/services/endpoint-security-services"}]},{"uuid":"925d3755-46b9-48e8-b8a7-47bda1fe4f09","title":"Albert Network Monitoring and Management for U.S. State, Local, Tribal, and Territorial (SLTT) Governments","rlinks":[{"href":"https://www.cisecurity.org/services/albert-network-monitoring"}]},{"uuid":"5aec90ed-c7d7-4ab5-8595-a6f6bed32ff4","title":"NIST® SP 800-50 Infosec Awareness Training","rlinks":[{"href":"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-50r1.pdf"}]},{"uuid":"5b2ade11-a87e-4bd7-910d-3fed0b8b2dfc","title":"National Cyber Security Centre (UK)","rlinks":[{"href":"https://www.ncsc.gov.uk/guidance/10-steps-user-education-and-awareness"}]},{"uuid":"e7744b7d-c05a-4bc2-8796-269e71cd6c0a","title":"EDUCAUSE","rlinks":[{"href":"https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/awareness-campaigns"}]},{"uuid":"49d667fa-31bc-4213-ae53-dbfed06d0bd0","title":"National Cyber Security Alliance (NCSA)","rlinks":[{"href":"https://staysafeonline.org/"}]},{"uuid":"18a3b4a9-7e8c-4643-a8fe-7c5a0945e0b8","title":"SANS","rlinks":[{"href":"https://www.sans.org/security-awareness-training/resources"}]},{"uuid":"8979a189-b24f-41f0-85ec-b934deb2f459","title":"SAFECode Application Security Addendum","rlinks":[{"href":"https://safecode.org/cis-controls/"}]},{"uuid":"112fe63b-1d76-45b2-ab6e-fa951d237f1b","title":"NIST® SSDF","rlinks":[{"href":"https://csrc.nist.gov/News/2020/mitigating-risk-of-software-vulns-ssdf"}]},{"uuid":"8bc084ef-1993-49c2-af57-633cc873c7d9","title":"The Software Alliance","rlinks":[{"href":"https://www.bsa.org/reports/updated-bsa-framework-for-secure-software"}]},{"uuid":"b84ff188-2db5-40d8-a3ba-59202e68c543","title":"Incident Response Assistance for U.S. 
State, Local, Tribal, and Territorial (SLTT) Governments","rlinks":[{"href":"https://www.cisecurity.org/isac/report-an-incident"}]},{"uuid":"2ecd06fe-65e7-4d33-aa07-4e5cfdf1a0c4","title":"OWASP®","rlinks":[{"href":"https://owasp.org/"}]},{"uuid":"2607e60c-9c2f-4bec-83fc-102d28a4ff0c","title":"Council of Registered Security Testers (CREST) Cyber Security Incident Response Guide","rlinks":[{"href":"https://www.crest-approved.org/wp-content/uploads/2022/04/CSIR-Procurement-Guide-1.pdf"}]},{"uuid":"2863ff1f-b701-4ba5-a493-19f6ab555a38","title":"OWASP Penetration Testing Methodologies","rlinks":[{"href":"https://www.owasp.org/index.php/Penetration_testing_methodologies"}]},{"uuid":"10991b9c-8597-403c-92b8-eb2f4b2db035","title":"PCI Security Standards Council","rlinks":[{"href":"https://www.pcisecuritystandards.org/documents/Penetration-Testing-Guidance-v1_1.pdf"}]},{"uuid":"c11ffac4-21c8-43fe-ba41-2813969bf9ea","title":"CIS Penetration Testing Services","rlinks":[{"href":"https://www.cisecurity.org/services/penetration-testing"}]}]}}}
