CIS Critical Security Controls Version 6.0 Released!
Big news in the cybersecurity industry this week! 
The Center for Internet Security released version 6.0 of their CIS Critical Security Controls on Thursday, October 15. This version of the publication includes a whole new control category (“Email and Web Browser Protection”) and also jettisoned the “Quick Win” labels, among other big changes.
Due to a partnership formed between the Center for Internet Security and the Council on Cybersecurity, the publication is now sporting the name “CIS Critical Security Controls. They describe the publication as “not just another list of good things to do, but a prioritized, highly focused set of actions that have a community support network.”
The value of the Critical Security Controls has always been that they are practical and prioritized by risk mitigation effectiveness. The newest version continues this important tradition, emphasizing that it is “informed by actual attacks and effective defenses and reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, individuals).”
This real-world input makes the Critical Security Controls an effective tool for IT teams across every sector. It is particularly helpful for small-to-midsized organizations that may not have the resources to develop their own customized IT risk assessments or risk management plans. While no controls framework is one-sized-fits-all, the new Critical Security Controls v6.0 are prioritized so that most effective risk mitigation tactics come first (CSC 1 through 5), which are referred to as the “Foundational Cyber Hygiene.”
Some information security experts will mourn the loss of the “Quick Win” categories; but many professionals complained that these were not really quick to implement, anyway! The new publication simply groups controls into categories labeled “System,” “Network” and “Application,” which may be helpful for assigning responsibility for implementation.
Notably, CIS has deleted critical control #19 (“Secure Network Engineering”), which reads:
“Make security an inherent attribute of the enterprise by specifying, designing, and building-in features that allow high confidence systems operations while denying or minimizing opportunities for attackers.”
This section once contained a motley group of four controls, such as a high-level directive to “design the network using a minimum of three-tier architecture,” and a control requiring hierarchical DNS.
Arguably the most important of these controls, “Segment the enterprise network into multiple, separate trust zones,” has now been integrated into the newly rewritten “Controlled Access Based on the Need to Know” category (specifically, 14.1).
The CIS has also added a much-needed “Email and Web Browser Protection” category. While it would have been possible to address these issues as part of other categories, phishing and client-side attacks really are a large enough issue that these controls deserve their own separate section.
Conveniently, the CIS has included a publication mapping the Critical Controls v 6.0 to the NIST Cybersecurity Framework. Sherri Davidoff, CEO of LMG Security, says, “For organizations seeking a structured approach to information security, these two frameworks are an excellent pairing. The NIST Cybersecurity Framework can be used at an enterprise level, and is a great standard for auditing/examination purposes.”
Both the FFIEC and the SEC have published guidance in the past few months specifically referring to the NIST Cybersecurity Framework. The Critical Security Controls can be used in conjunction with the NIST Cybersecurity Framework to provide a more detailed, technical controls framework for IT staff.
“The beauty of the Critical Security Controls is that you don’t have to adhere to all of them in order to make a big difference in your organization’s risk profile,” Ms Davidoff commented. “Instead, sit down once every year or so, review the latest controls, prioritize them for your organization and decide which ones make sense for you to implement.”
In all, the newest version of the Critical Security Controls effectively addresses the latest threats while still providing the practical framework many of us have come to rely upon for technical information security management. Thanks, CIS!
The CIS Critical Security Controls are available to download if you are interested in learning more about current cybersecurity controls, norms and insights!
About the Author
Sherri Davidoff
Sherri Davidoff is the CEO of LMG Security and the author of three books, including “Ransomware and Cyber Extortion” and “Data Breaches: Crisis and Opportunity.” As a recognized expert in cybersecurity, she has been called a “security badass” by the New York Times. Sherri is a regular instructor at the renowned Black Hat trainings and a faculty member at the Pacific Coast Banking School. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien.” Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and received her degree in Computer Science and Electrical Engineering from MIT.
