Table of Contents

CIS Controls Version 8

In May of 2021, the Center for Internet Security (CIS) released an updated version of their CIS Controls which guides security organizations in the kind of tasks required to become a mature, successful program. Historically these controls have been called the SANS Top 20, then the CIS 20 Critical Security Controls, and now the CIS 18 Controls. In this article, we want to point out the new changes to this framework and discuss how those changes help to further streamline the effort necessary to become a mature security organization.

In version 7 of the CIS Critical Security Controls, there were 20 control families, and they were divided into 3 categories: Basic, Foundational, and Organizational. The idea at the time was that if an organization followed the control families in numerical order, they would assemble their security program like building blocks stacked on top of one another and arrive at success.

I’m sure many of the readers who live in the real world are chuckling at this point because, as we have all experienced, the speed at which projects get completed as well as the linear fashion the run due to staff shortages and general day to day chaos of security roles usually results in being stuck in first gear forever.

CIS Controls Categories

The Basic category control families included Inventory, Vulnerability Management, Active Least Privilege Management, Configuration Baselining, and Log Monitoring. Successfully completing Inventory Management is a feat in itself that most organizations I assess have still not achieved and it has been a tenet of Security Operations for multiple decades. Vulnerability Management is easy to start but difficult to complete due to corporate politics. Most organizations perform regular scans of their environment but take little to no action to resolve them because it generates additional work for system administrators who already struggle to complete their primary duties within the work hours of the day. 

This leads us to the lack of a baseline in the majority of organizations I have touched. When systems are built by hand each time by different people the end results are inconsistencies which create lots of one-off problems that soak up the sysadmin’s day. These three large hurdles are enough to lock an organization in project hell for years and never make progress on the remaining 14 control families.

The Reason for Version 8

Obviously, this approach was unsuccessful in advancing security programs as intended. So, after a few years version, 8 of the CIS Controls was released. Some juggling of position occurred in the numerical sense of the controls. Some control families were combined or absorbed into others and the general focus of the families was updated to now include a focus on vendors and third-party services since outsourcing and leveraging cloud resources was the direction taken by businesses in an effort to combat their staff and talent shortages. This resulted in 18 Control Families versus the 20 that had been present for so long. However, the most important change with this new version was the introduction of Implementation Groups.
Implementation Groups serve to create prioritization of specific Safeguards within a control family. Where you previously had 10 sub-controls under a control family that represented all of the things required to be compliant with that major control; now those sub-controls have been reimagined as Safeguards and only a subset of those Safeguards will be enveloped in each Implementation Group. Three Implementation Groups have been introduced (IG1, IG2, and IG3) and they span across all 18 Control Families.
So the focus now is on attacking the Safeguards within IG1 first, which allows your organization to take smaller bites while progressing at similar rates across all of the major control families at the same time. With this approach, the easiest of the tasks for each major control family can be accomplished and a very broad foundation is created in all security domains rather than getting stuck trying to solve some very complex internal issues before moving on to an equally important security domain.

CIS Security Controls Version 8

A good example of this is in my previously mentioned issues with Inventory, specifically Software Inventory. In version 7, if you followed the method, it was necessary to implement an application whitelisting solution that covered binaries, libraries, and scripts in order to be considered compliant. Without getting too far into the weeds, tuning a whitelisting solution is incredibly difficult and time-consuming. This is where most organizations get stuck and never succeed. If you prevented yourself from moving out of the old Basic Category Controls while trying to solve this complex problem you never began working on other Control Families like Security Awareness Training or Data Recovery

Moving Forward

Now with the new version, the expectation is that you should be documenting software procured and standardizing the version of that software which will be allowed. You should have an active solution in place to maintain that standardized version and create an exception process while at the same time designing your Security Awareness Training Program and ensuring all of your systems are being backed up as well as validating that you can seamlessly restore those systems in the event of ransomware.
None of the organizations I have had the pleasure of assessing have ever just not been performing the tasks in the Foundational and Organizational categories of the CIS 20 Critical Security Controls. Every one of them has organically piecemealed together technologies or practices based on industry buzz over time. The purpose of the CIS 18 Controls is to now add polish and close the gaps where sales did not drive a complete solution to a problem.
By prioritizing your project plan using the methodology of Implementation Groups in the CIS 18 Controls you will find that progress comes quicker, and you will realize how much each Control Family relies on another which will, in turn, make the complex problems easier to solve.


Having observed the increase in completion due to this new methodology in the CIS 18 Controls I am a true believer that, no matter the industry or maturity of your security program, organizations should have an independent assessment of their organization based on this new standard. Whether you are a small shop or a global behemoth I am certain that nobody out there is in full compliance and everyone can benefit from a roadmap to climb the ladder in a more efficient manner than putting out fires as they pop up.

Learn more about Version 8

Download CIS' v.8 Implementation Groups Guide