Cyverity

CIS Controls Version 7 Launch Event

Speaker: CIS Controls Team
Event: CIS Controls Launch Event
Date: March 19, 2018
Watch on YouTube: https://www.youtube.com/watch?v=eJ1qxgf26wk 

Introduction 

The launch of CIS Controls Version 7 marks a major step forward in cybersecurity best practices. The Center for Internet Security (CIS) has continuously evolved its framework to help organizations prioritize and implement effective security measures. During this event, Tony Sager, Jane Lute, Philip Lengyel, and others from the CIS Controls team discussed the history, significance, and enhancements introduced in Version 7. 

This webcast captures how the CIS Controls have evolved from a small initiative to a globally recognized standard used across industries, government agencies, and enterprises. The focus remains on providing a practical, prioritized approach to cybersecurity, making it easier for organizations to improve their defenses against common cyber threats.

Key Takeaways 

  • A Practical Approach to Cybersecurity: The CIS Controls provide a prioritized, actionable framework to address real-world cybersecurity threats. 
  • Simplicity and Clarity: Version 7 refines the controls with clearer language, eliminating ambiguity and making implementation more straightforward. 
  • Community-Driven Development: CIS Controls are shaped by hundreds of cybersecurity professionals, ensuring they remain relevant and effective. 
  • Stronger Alignment with Industry Standards: Version 7 aligns with the NIST Cybersecurity Framework, ISO standards, and regulatory requirements, helping organizations meet compliance needs. 
  • Enhanced Focus on Emerging Threats: The new version includes updates to application whitelisting, multi-factor authentication (MFA), and risk-based prioritization.

The Evolution of CIS Controls 

Tony Sager shared the history of the CIS Controls, tracing their origins from a small working group at the National Security Agency (NSA) to a globally recognized standard. The primary challenge has always been how to prioritize security efforts so that organizations can focus on the most effective measures. 

The initial CIS Controls began as a simple five-to-ten-item checklist but quickly grew into a structured, community-driven framework. The goal remains the same: reduce cybersecurity risk by implementing foundational best practices. 


What’s New in Version 7?

CIS Controls Version 7 introduces several key refinements: 

  1. Simplified Language: The team revised controls to make them easier to understand and implement, reducing the need for interpretation. 
  2. One Ask per Sub-Control: Each sub-control now has a single, clear requirement to ensure consistency in implementation and measurement. 
  3. Revised Categorization: The controls are now grouped into three categories:  
     • Basic: Essential cybersecurity hygiene practices that every organization should implement. 
     • Foundational: Additional safeguards that enhance an organization’s cybersecurity posture. 
     • Organizational: Governance and policy-oriented controls that help maintain long-term security. 
  4. Expanded Application Whitelisting Guidance: More emphasis on controlling application libraries, scripts, and privileged execution. 
  5. Stronger MFA Requirements: Additional focus on MFA for remote access, administrative accounts, and high-risk environments. 
  6. Quality Management Measures: New metrics and maturity models help organizations track and improve their cybersecurity effectiveness over time.

The Role of Community and Industry Alignment 

Philip Lengyel emphasized how CIS Controls remain community-driven, with over 600 recommendations integrated from cybersecurity professionals worldwide. The process involved multiple iterations, public reviews, and expert collaborations to ensure the controls reflect real-world security needs. 

Additionally, Version 7 aligns more closely with major industry frameworks, including: 

  • NIST Cybersecurity Framework 
  • ISO 27001 & 27002 
  • PCI DSS 3.2 
  • Federal and State Regulatory Requirements 

By ensuring compatibility with these frameworks, CIS Controls help organizations streamline compliance efforts while maintaining strong security practices.

Implementation Success Stories 

One of the webcast highlights was a presentation from Kathy Bordelon of the State of Virginia, showcasing how CIS Controls have helped secure Virginia’s IT infrastructure. The state has successfully: 

  • Reduced malware incidents by limiting local administrative privileges. 
  • Improved patch management processes to address vulnerabilities. 
  • Strengthened web application security by implementing regular vulnerability scans. 
  • Enhanced employee awareness training through simulated phishing exercises. 

Virginia’s experience underscores how CIS Controls provide a practical roadmap for improving security across government and enterprise environments.

Actionable Insights 

  • Prioritize Basic Security Measures: Start with fundamental controls like inventory management, vulnerability patching, and endpoint protection before implementing advanced security measures. 
  • Leverage Industry Frameworks: Use CIS Controls to align with NIST, ISO, and other compliance standards for streamlined regulatory adherence. 
  • Implement MFA Everywhere: Protect remote access, privileged accounts, and cloud-based systems with multi-factor authentication. 
  • Adopt a Risk-Based Approach: Focus on high-impact areas first, such as application control and access management. 
  • Engage in Continuous Improvement: Conduct regular security assessments and track progress using maturity models introduced in Version 7. 


Conclusion

The CIS Controls Version 7 launch reinforces the importance of a prioritized, community-driven approach to cybersecurity. By simplifying implementation, improving alignment with industry standards, and emphasizing real-world effectiveness, Version 7 makes it easier than ever for organizations to adopt and benefit from best practices in security. 

For businesses and government agencies alike, the CIS Controls provide an essential roadmap to reducing cyber risk and improving overall security posture. 

For more insights on this topic, watch the full webcast at the YouTube link above.