Center for Internet Security Critical Security Controls v6.1

With regard to the Critical Security Controls: “…failure to implement all of the controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Kamala Harris, Attorney General, California, Data Breach Report 2016

Cybersecurity Challenge

Reputation is the new target for cyber attacks

  • Criminals value information: financial, health, and critical infrastructure data
  • When assessing and documenting cyber risk, it is hard to know whether we have got it right
  • The pace of technology change increases unknown dependencies on third parties
  • IT cannot fully trace or control where its data goes, so exfiltration occurs
  • The role of government, and who holds custody of information, is often misunderstood
  • External auditors report how well your systems, software, and procedures actually worked, using data collected over a specified timeframe
  • Findings in audit reports become barriers to doing business
  • In today’s cloud economy, customer due diligence has gone from nice-to-have to mandate



The Center for Internet Security’s Critical Security Controls are especially relevant because they are updated by cyber experts based on actual attack data drawn from a variety of public and private threat sources. According to CIS, organizations that implement the CIS Controls are positioned to prevent the majority of common cyber-attacks. The CIS Critical Security Controls™ (CIS Controls) are a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous attacks. CIS CSC v6.1 describes the components that make up an effective cyber defense system, allowing companies to prioritize the controls that protect against the greatest threats, provide metrics that IT personnel can understand, continuously diagnose and mitigate risk, and automate defenses so that compliance with the controls can be demonstrated.

CIS CSC Top 20 Security and Compliance offers a system-based mapping of CIS Benchmark rules to their most relevant CIS CSC v6.1 risks, so that failure and success of each IT control is continuously available to the risk management reporting process.


  • Referenced by the U.S. Federal Government in the NIST Cybersecurity Framework and other guidelines, and validated by the Australian government
  • Recommended by the U.S. National Governors Association, the UK’s Centre for the Protection of National Infrastructure (CPNI), Symantec, Zurich Insurance, and others


Facing multiple forms of external controls assessment, organizations often fail because of improper security settings, incorrect configurations, weak or missing encryption, or poor policies and procedures. Continuous testing of those controls could have prevented the cost of business disruption, time-consuming client discussions, and lost business opportunities.

Audit Once Use Many - Unified Compliance

Like many standards covering cyber risk, the Critical Security Controls are broken out into Network, Application, and System controls. Whether the organization approaches security from a risk-centric view or the matrix approach of NIST 800-53 r4 and its Appendix J for Privacy, the effort required to make an enterprise resilient should be the same. Explaining that effort to the board should be results-driven and simple. Cavirin security and compliance experts evaluate and map the CSC top 20 to 100% of the applicable areas in NIST 800-53 r4 and Appendix J for Privacy.

NIST Coverage in CSC

The steps for associating controls with NIST 800-53 r4 are the same across all areas of compliance, so the Cavirin team iterates across risk and vulnerability concepts using the best industry research, tying down common themes of risk into a resilient compliance fabric.


[Figure: NIST 800-53 coverage within the CIS CSC Network controls]

[Figure: NIST 800-53 coverage within the CIS CSC Application controls]

[Figure: NIST 800-53 coverage within the CIS CSC System controls]

EnterpriseGRC Solutions' content mapping methodology works with Cavirin's ARAP platform in some notable ways. Cavirin’s ARAP™ solution automatically checks system configuration settings across all target environments and reports them against the expected system-based CSC Top 20 Critical Security Controls. Reviewing and responding to the recommended fix actions allows timely remediation of the problems found, and further rewards the business with rapid completion of otherwise disruptive audit events.

People with compliance responsibilities have four choices when treating a risk: avoid it, mitigate it, transfer (share) it, or accept it. The burden of proving prudence and speed falls on those entrusted with managing risk to the enterprise, including its people, processes, and systems. This type of approach allows for both qualitative and quantitative risk analysis. The objective is always to make the right decisions faster.



EnterpriseGRC recommends using Cavirin’s Automated Risk Analysis Platform (ARAP™) as a component to assist Chief Risk and Security Officers, as well as IT and DevOps leadership, in gathering the configuration data needed to address their top security and compliance challenges:

  • Settings that indicate missing patches for operating systems and applications
  • Monitoring for and detecting sensitive data loss (data exfiltration)
  • Locating policies that permit weak passwords
  • Missing logs and audit trails that would be needed to conduct forensics
  • Security validation for new systems before they go into service
  • Missing or outdated anti-malware technology
  • Whether encryption of sensitive information in transit is enabled and correctly configured
  • The information needed to remediate deficiencies that would otherwise go unmanaged for lack of trained staff maintaining security controls
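To make the "audit once, use many" idea concrete, the following Python example shows how a single set of configuration check results can be rolled up through a CIS CSC v6.1 crosswalk into NIST 800-53 r4 control status, and how the same pass gives a coverage report (checks with no mapping, and CSC controls that no check reaches). This is an added illustration, not Cavirin's or EnterpriseGRC's code and not their published crosswalk: the benchmark rule ids, their pass/fail results, and both mapping tables are constructed assumptions chosen to match the categories in the list above (patches, passwords, logs, anti-malware, encryption in transit). The NIST identifiers are real 800-53 r4 control ids, but the pairing of CSC controls to them shown here is assumed for the demo.

```python
"""Crosswalk rollup: one configuration check feeds several frameworks.

Added illustration, not Cavirin or EnterpriseGRC code. Rule ids, results and
the two crosswalk tables are constructed assumptions for this example.
"""
from collections import defaultdict

# Constructed scan output: benchmark rule id -> (description, passed)
CHECK_RESULTS = {
    "1.1":   ("All vendor security patches installed", False),
    "5.4.1": ("Minimum password length is 14 or more", True),
    "5.4.2": ("Password maximum age is 365 days or less", False),
    "4.1.1": ("auditd service is enabled", True),
    "4.2.1": ("rsyslog forwards logs to a remote host", False),
    "6.1":   ("Anti-malware agent installed and signatures current", True),
    "7.1":   ("TLS 1.2 or higher required for data in transit", True),
    "9.9":   ("Rule with no crosswalk entry (coverage gap)", True),
}

# Assumed crosswalk: benchmark rule -> CIS CSC v6.1 control number
RULE_TO_CSC = {
    "1.1": 4,       # Continuous Vulnerability Assessment and Remediation
    "5.4.1": 16,    # Account Monitoring and Control
    "5.4.2": 16,
    "4.1.1": 6,     # Maintenance, Monitoring, and Analysis of Audit Logs
    "4.2.1": 6,
    "6.1": 8,       # Malware Defenses
    "7.1": 13,      # Data Protection
}

# Assumed crosswalk: CSC control -> NIST SP 800-53 r4 control ids
CSC_TO_NIST = {
    4: ["RA-5", "SI-2"],
    6: ["AU-2", "AU-6"],
    8: ["SI-3"],
    13: ["SC-8"],
    16: ["AC-2", "IA-5"],
}

ALL_CSC = range(1, 21)  # CIS CSC v6.1 has 20 controls


def rollup(results, rule_to_csc, csc_to_nist):
    """Roll check results up to CSC status, then through CSC to NIST status.

    A control FAILs if any check mapped to it fails, PASSes if every mapped
    check passes, and is NOT ASSESSED when no evidence reaches it at all.
    """
    failing = defaultdict(list)
    assessed = set()
    for rule, (_desc, passed) in results.items():
        csc = rule_to_csc.get(rule)
        if csc is None:
            continue  # unmapped evidence is surfaced by coverage_report()
        assessed.add(csc)
        if not passed:
            failing[csc].append(rule)

    csc_status = {
        csc: {"status": "FAIL" if failing[csc] else "PASS",
              "failing_rules": sorted(failing[csc])}
        for csc in sorted(assessed)
    }

    nist_status = {}
    for csc, nist_ids in csc_to_nist.items():
        for nid in nist_ids:
            entry = nist_status.setdefault(
                nid, {"status": "NOT ASSESSED", "via_csc": [], "failing_rules": []})
            if csc not in csc_status:
                continue
            entry["via_csc"].append(csc)
            entry["failing_rules"].extend(csc_status[csc]["failing_rules"])
            entry["status"] = "FAIL" if entry["failing_rules"] else "PASS"
    return {"csc": csc_status, "nist": nist_status}


def coverage_report(results, rule_to_csc, all_csc=ALL_CSC):
    """Return (rules with no crosswalk entry, CSC controls with no evidence)."""
    unmapped_rules = sorted(r for r in results if r not in rule_to_csc)
    evidenced = {rule_to_csc[r] for r in results if r in rule_to_csc}
    unevidenced_csc = sorted(c for c in all_csc if c not in evidenced)
    return unmapped_rules, unevidenced_csc


if __name__ == "__main__":
    report = rollup(CHECK_RESULTS, RULE_TO_CSC, CSC_TO_NIST)
    for csc, info in report["csc"].items():
        print(f"CSC {csc:>2}: {info['status']:<4} {info['failing_rules']}")
    for nid, info in sorted(report["nist"].items()):
        print(f"NIST {nid:<5}: {info['status']:<12} via CSC {info['via_csc']}")
    unmapped, unevidenced = coverage_report(CHECK_RESULTS, RULE_TO_CSC)
    print("Rules lacking a crosswalk:", unmapped)
    print("CSC controls with no evidence:", unevidenced)
```

The design choice worth noting is the "any failing check fails the control" rule: it is conservative, so a single unpatched host shows up as a failed RA-5 and SI-2 rather than being averaged away, which is what an auditor will want to see. The coverage report is the check a practitioner should run before trusting any crosswalk, since a control that no evidence reaches is silently "not assessed", not "passed".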


  • Cloud-native platform built on 12-factor patterns (port binding, logs as event streams, concurrency, and so on)
  • A “hyperplane” of integrated risk assessment spanning otherwise segmented vulnerability domains
  • Works with private, hybrid, and public clouds, and supports AWS, Azure, and GCP (Google Cloud Platform)
  • Manages thousands of out-of-the-box policies, curated and certified in standard formats (SCAP, XCCDF, OVAL)
  • Supports most compliance authorities (PCI, HIPAA, NIST, SOC 2, FedRAMP, CIS Benchmarks, DISA, CIS CSC, CSF)
  • Ships CIS-certified security content (multiple operating systems, Docker, AWS Cloud)
  • Follows DISA standards in all aspects of content delivery and reported results


EnterpriseGRC Solutions and Cavirin Security and Compliance actively contribute to the mapping of the CSC to the NIST Cyber Security Framework (CSF) and to NIST 800-53 r4 and Appendix J for Privacy, making this contribution publicly available through the Champion contribution program. EnterpriseGRC Solutions also contributes to the other major standards bodies and organizations responsible for mapping regulatory requirements and the most widely used national and international standards. In addition to configuration management content based on the CIS Benchmarks and DISA STIGs, EnterpriseGRC has implemented all assessments against the NIST Cyber Security Framework (CSF) and NIST 800-53 r4 and Appendix J for Privacy. Clients who elect to use multiple policy packs, including ISO 27002:2013, benefit from the extended use of multiple frameworks to align their information security programs and policies.


Cavirin is transforming the way IT security manages risk. Founded in 2012, Cavirin’s platform is a purpose-built, agentless solution that deploys quickly to on-premises, cloud, and containerized infrastructure, helping organizations reduce complexity, become more agile, and drive large increases in the efficiency of their risk and compliance programs. With continuous visibility and automated assessments, companies are empowered to make the right decisions faster. The Automated Risk Analysis Platform (ARAP) is a security and compliance fabric that provides continuous configuration evaluation with recommendations for alignment to industry standards and best practices, prioritizing systems and remediation efforts across complex hybrid IT infrastructure. By offering up-to-the-minute, system-based elements of compliance assessment, Cavirin supplies audit-ready evidence measured against every major regulatory and security best-practice framework.

ABOUT EnterpriseGRC Solutions

EnterpriseGRC Solutions implements governance, security, risk, and compliance automation products and programs, emphasizing system-based policies specific to the security settings used for secure configuration management. EnterpriseGRC is a women-owned small business offering compliance readiness, security and GRC tools, enterprise security architecture, cybersecurity risk assessment, and a wide variety of resources for security and GRC technology support. Founded in October 2002 as Phoenix Business and Systems Process, and rebranded in 2011 as EnterpriseGRC Solutions, the company is positioned to solve an organization's greatest cloud security and cyber challenges. True to its tagline "Simple Solutions to Complex Problems", the company offers pragmatic, remote and on-site, web-enabled compliance implementation, training, strategy, management consulting, and security and risk management services.