Ebook Cis Critical Security Controls 8Th Edition Center For Internet Security Online PDF All Chapter

CIS Critical Security Controls 8th
Edition Center For Internet Security

Visit to download the full and correct content document:
https://ebookmeta.com/product/cis-critical-security-controls-8th-edition-center-for-inter
net-security/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Azure Security For Critical Workloads: Implementing

Modern Security Controls for Authentication,
Authorization and Auditing 1st Edition Sagar Lad
https://ebookmeta.com/product/azure-security-for-critical-
workloads-implementing-modern-security-controls-for-
authentication-authorization-and-auditing-1st-edition-sagar-lad/
Blockchain for International Security The Potential of

Distributed Ledger Technology for Nonproliferation and
Export Controls Advanced Sciences and Technologies for
Security Applications U6Fonter
https://ebookmeta.com/product/blockchain-for-international-
security-the-potential-of-distributed-ledger-technology-for-
nonproliferation-and-export-controls-advanced-sciences-and-
technologies-for-security-applications-u6fonter/
The Complete Internet Security Manual 18th Edition 2023
https://ebookmeta.com/product/the-complete-internet-security-
manual-18th-edition-2023/
Internet Security and You 1st Edition Sherri Mabry

Gordon
https://ebookmeta.com/product/internet-security-and-you-1st-
edition-sherri-mabry-gordon/
Internet and Web Application Security 3rd Edition Mike
Harwood
https://ebookmeta.com/product/internet-and-web-application-
security-3rd-edition-mike-harwood/
IT Security Controls: A Guide to Corporate Standards

and Frameworks 1st Edition Virgilio Viegas
https://ebookmeta.com/product/it-security-controls-a-guide-to-
corporate-standards-and-frameworks-1st-edition-virgilio-viegas/
Auditing Information and Cyber Security Governance: A

Controls-Based Approach 1st Edition Robert E. Davis
https://ebookmeta.com/product/auditing-information-and-cyber-
security-governance-a-controls-based-approach-1st-edition-robert-
e-davis/
The Politics of Energy Security Critical Security

Studies New Materialism and Governmentality 1st Edition
Johannes Kester
https://ebookmeta.com/product/the-politics-of-energy-security-
critical-security-studies-new-materialism-and-
governmentality-1st-edition-johannes-kester/
RFID Protocol Design Optimization and Security for the

Internet of Things Alex X. Liu
https://ebookmeta.com/product/rfid-protocol-design-optimization-
and-security-for-the-internet-of-things-alex-x-liu/
Introduction
The CIS Critical Security Controls® (CIS Controls®) started as a
simple grassroots activity to identify the most common and
important real-world cyber-attacks that affect enterprises every day,
translate that knowledge and experience into positive, constructive
action for defenders, and then share that information with a wider
audience. The original goals were modest—to help people and
enterprises focus their attention and get started on the most
important steps to defend themselves from the attacks that really
mattered.
Led by the Center for Internet Security® (CIS®), the CIS Controls
have matured into an international community of volunteer
individuals and institutions that:
Share insights into attacks and attackers, identify root causes,

and translate that into classes of defensive action
Create and share tools, working aids, and stories of adoption
and problem-solving
Map the CIS Controls to regulatory and compliance frameworks
in order to ensure alignment and bring collective priority and
focus to them
Identify common problems and barriers (like initial assessment
and implementation roadmaps), and solve them as a community
The Structure of CIS Controls

The presentation of each Control in this document includes the
following elements:
Overview. A brief description of the intent of the Control and

its utility as a defensive action
Why is this Control critical? A description of the importance
of this Control in blocking, mitigating, or identifying attacks, and
an explanation of how attackers actively exploit the absence of
this Control
Procedures and tools. A more technical description of the
processes and technologies that enable implementation and
automation of this Control
Safeguard descriptions. A table of the specific actions that
enterprises should take to implement the Control
The 18 CIS Critical Security Controls

Formerly the SANS Critical Security Controls (SANS Top 20) these are
now officially called the CIS Critical Security Controls (CIS Controls).
CIS Controls Version 8 combines and consolidates the CIS Controls

by activities, rather than by who manages the devices. Physical
devices, fixed boundaries, and discrete islands of security
implementation are less important; this is reflected in v8 through
revised terminology and grouping of Safeguards, resulting in a
decrease of the number of Controls from 20 to 18.
Click on the individual CIS Control for more information:
CIS Control 1: Inventory and Control of Enterprise Assets

CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and
Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email Web Browser and Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skills Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
The 3 CIS Critical Security Implementation
Groups
IG1
An IG1 enterprise is small to medium-sized with limited IT and

cybersecurity expertise to dedicate towards protecting IT assets and
personnel. The principal concern of these enterprises is to keep the
business operational, as they have a limited tolerance for downtime.
The sensitivity of the data that they are trying to protect is low and
principally surrounds employee and financial information.
Safeguards selected for IG1 should be implementable with limited

cybersecurity expertise and aimed to thwart general, non-targeted
attacks. These Safeguards will also typically be designed to work in
conjunction with small or home office commercial off-the-shelf
(COTS) hardware and software.
IG2 (Includes IG1)
An IG2 enterprise employs individuals responsible for managing and

protecting IT infrastructure. These enterprises support multiple
departments with differing risk profiles based on job function and
mission. Small enterprise units may have regulatory compliance
burdens. IG2 enterprises often store and process sensitive client or
enterprise information and can withstand short interruptions of
service. A major concern is loss of public confidence if a breach
occurs.
Safeguards selected for IG2 help security teams cope with increased
operational complexity. Some Safeguards will depend on enterprise-
grade technology and specialized expertise to properly install and
configure.
IG3 (Includes IG1 and IG2)
An IG3 enterprise employs security experts that specialize in the

different facets of cybersecurity (e.g., risk management, penetration
testing, application security). IG3 assets and data contain sensitive
information or functions that are subject to regulatory and
compliance oversight. An IG3 enterprise must address availability of
services and the confidentiality and integrity of sensitive data.
Successful attacks can cause significant harm to the public welfare.
Safeguards selected for IG3 must abate targeted attacks from a

sophisticated adversary and reduce the impact of zero-day attacks
CIS Critical Security Control 1: Inventory and
Control of Enterprise Assets
Overview
Actively manage (inventory, track, and correct) all enterprise assets

(end-user devices, including portable and mobile; network devices;
non-computing/Internet of Things (IoT) devices; and servers)
connected to the infrastructure physically, virtually, remotely, and
those within cloud environments, to accurately know the totality of
assets that need to be monitored and protected within the
enterprise. This will also support identifying unauthorized and
unmanaged assets to remove or remediate.
Why is this Control critical?
Enterprises cannot defend what they do not know they have.

Managed control of all enterprise assets also plays a critical role in
security monitoring, incident response, system backup, and recovery.
Enterprises should know what data is critical to them, and proper
asset management will help identify those enterprise assets that
hold or manage this critical data, so that appropriate security
controls can be applied.
External attackers are continuously scanning the internet address

space of target enterprises, premise-based or in the cloud,
identifying possibly unprotected assets attached to an enterprise’s
network. Attackers can take advantage of new assets that are
installed, yet not securely configured and patched. Internally,
unidentified assets can also have weak security configurations that
can make them vulnerable to web- or email-based malware; and,
adversaries can leverage weak security configurations for traversing
the network, once they are inside.
Additional assets that connect to the enterprise’s network (e.g.,

demonstration systems, temporary test systems, guest networks)
should be identified and/or isolated in order to prevent adversarial
access from affecting the security of enterprise operations.
Large, complex, dynamic enterprises understandably struggle with

the challenge of managing intricate, fast-changing environments.
However, attackers have shown the ability, patience, and willingness
to “inventory and control” our enterprise assets at very large scale in
order to support their opportunities.
Another challenge is that portable end-user devices will periodically

join a network and then disappear, making the inventory of currently
available assets very dynamic. Likewise, cloud environments and
virtual machines can be difficult to track in asset inventories when
they are shut down or paused.
Another benefit of complete enterprise asset management is

supporting incident response, both when investigating the
origination of network traffic from an asset on the network and
when identifying all potentially vulnerable, or impacted, assets of
similar type or location during an incident.
Procedures and tools
This CIS Control requires both technical and procedural actions,

united in a process that accounts for, and manages the inventory of,
enterprise assets and all associated data throughout its life cycle. It
also links to business governance through establishing data/asset
owners who are responsible for each component of a business
process. Enterprises can use large-scale, comprehensive enterprise
products to maintain IT asset inventories. Smaller enterprises can
leverage security tools already installed on enterprise assets or used
on the network to collect this data. This includes doing a discovery
scan of the network with a vulnerability scanner; reviewing anti-
malware logs, logs from endpoint security portals, network logs from
switches, or authentication logs; and managing the results in a
spreadsheet or database.
Maintaining a current and accurate view of enterprise assets is an

ongoing and dynamic process. Even for enterprises, there is rarely a
single source of truth, as enterprise assets are not always
provisioned or installed by the IT department. The reality is that a
variety of sources need to be “crowd-sourced” to determine a high-
confidence count of enterprise assets. Enterprises can actively scan
on a regular basis, sending a variety of different packet types to
identify assets connected to the network. In addition to asset
sources mentioned above for small enterprises, larger enterprises
can collect data from cloud portals and logs from enterprise
platforms such as: Active Directory (AD), Single Sign-On (SSO),
Multi-Factor Authentication (MFA), Virtual Private Network (VPN),
Intrusion Detection Systems (IDS) or Deep Packet Inspection (DPI),
Mobile Device Management (MDM), and vulnerability scanning tools.
Property inventory databases, purchase order tracking, and local
inventory lists are other sources of data to determine which devices
are connected. There are tools and methods that normalize this data
to identify devices that are unique among these sources.
→ For cloud-specific guidance, refer to the CIS Controls Cloud
Companion Guide – https://www.cisecurity.org/controls/v8/
→ For tablet and smart phone guidance, refer to the CIS
Controls Mobile Companion Guide –
https://www.cisecurity.org/controls/v8/
→ For IoT guidance, refer to the CIS Controls Internet of Things
→ For Industrial Control Systems (ICS) guidance, refer to the
CIS Controls ICS Implementation Guide –
Safeguards
Number Title/Description Asset Type Security Function IG1 IG2 IG3

Establish and Maintain
1.1 Detailed Enterprise
Asset Inventory
Devices Identify • • •
Establish and maintain an accurate, detailed, and up-to-date inventory of all
enterprise assets with the potential to store or process data, to include: end-user
devices (including portable and mobile), network devices, non-computing/IoT
devices, and servers. Ensure the inventory records the network address (if static),
hardware address, machine name, enterprise asset owner, department for each
asset, and whether the asset has been approved to connect to the network. For
mobile end-user devices, MDM type tools can support this process, where
appropriate. This inventory includes assets connected to the infrastructure
physically, virtually, remotely, and those within cloud environments. Additionally, it
includes assets that are regularly connected to the enterprise’s network
infrastructure, even if they are not under control of the enterprise. Review and
update the inventory of all enterprise assets bi-annually, or more frequently.
1.2
Address Unauthorized
Assets
Devices Respond • • •
Ensure that a process exists to address unauthorized assets on a weekly basis.
The enterprise may choose to remove the asset from the network, deny the asset
from connecting remotely to the network, or quarantine the asset.
1.3
Utilize an Active
Discovery Tool
Devices Detect • •
Utilize an active discovery tool to identify assets connected to the enterprise’s
network. Configure the active discovery tool to execute daily, or more frequently.
Use Dynamic Host

Configuration Protocol
1.4 (DHCP) Logging to
Update Enterprise Asset
Devices Identify • •
Inventory
Use DHCP logging on all DHCP servers or Internet Protocol (IP) address
management tools to update the enterprise’s asset inventory. Review and use logs
to update the enterprise’s asset inventory weekly, or more frequently.
1.5
Use a Passive Asset
Discovery Tool
Devices Detect •
Use a passive discovery tool to identify assets connected to the enterprise’s
network. Review and use scans to update the enterprise’s asset inventory at least
weekly, or more frequently.
CIS Critical Security Control 2: Inventory and
Control of Software Assets
Overview
Actively manage (inventory, track, and correct) all software

(operating systems and applications) on the network so that only
authorized software is installed and can execute, and that
unauthorized and unmanaged software is found and prevented from
installation or execution.
A complete software inventory is a critical foundation for preventing

attacks. Attackers continuously scan target enterprises looking for
vulnerable versions of software that can be remotely exploited. For
example, if a user opens a malicious website or attachment with a
vulnerable browser, an attacker can often install backdoor programs
and bots that give the attacker long-term control of the system.
Attackers can also use this access to move laterally through the
network. One of the key defenses against these attacks is updating
and patching software. However, without a complete inventory of
software assets, an enterprise cannot determine if they have
vulnerable software, or if there are potential licensing violations.
Even if a patch is not yet available, a complete software inventory

list allows an enterprise to guard against known attacks until the
patch is released. Some sophisticated attackers use “zero-day
exploits,” which take advantage of previously unknown vulnerabilities
that have yet to have a patch released from the software vendor.
Depending on the severity of the exploit, an enterprise can
implement temporary mitigation measures to guard against attacks
until the patch is released.
Management of software assets is also important to identify

unnecessary security risks. An enterprise should review its software
inventory to identify any enterprise assets running software that is
not needed for business purposes. For example, an enterprise asset
may come installed with default software that creates a potential
security risk and provides no benefit to the enterprise. It is critical to
inventory, understand, assess, and manage all software connected
to an enterprise’s infrastructure.
Allowlisting can be implemented using a combination of commercial

allowlisting tools, policies, or application execution tools that come
with anti-malware suites and popular operating systems. Commercial
software inventory tools are widely available and used in many
enterprises today. The best of these tools provides an inventory
check of hundreds of common software used in enterprises. The
tools pull information about the patch level of each installed program
to ensure that it is the latest version and leverage standardized
application names, such as those found in the Common Platform
Enumeration (CPE) specification. One example of a method that can
be used is the Security Content Automation Protocol (SCAP).
Additional information on SCAP can be found here:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST. SP.800-
126r3.pdf
Features that implement allowlists are included in many modern

endpoint security suites and even natively implemented in certain
versions of major operating systems. Moreover, commercial solutions
are increasingly bundling together anti-malware, anti- spyware,
personal firewall, and host-based IDS and Intrusion Prevention
System (IPS), along with application allow and block listing. In
particular, most endpoint security solutions can look at the name, file
system location, and/or cryptographic hash of a given executable to
determine whether the application should be allowed to run on the
protected machine. The most effective of these tools offer custom
allowlists based on executable path, hash, or regular expression
matching. Some even include a non- malicious, yet unapproved,
applications function that allows administrators to define rules for
execution of specific software for certain users and at certain times
of the day.

→ For IoT guidance, refer to the CIS Controls Internet of Things
→ For Industrial Control Systems (ICS) guidance, refer to the
CIS Controls ICS Implementation Guide –
Safeguards

2.1
a Software Inventory
Applications Identify • • •
Establish and maintain a detailed inventory of all licensed software installed on
enterprise assets. The software inventory must document the title, publisher,
initial install/use date, and business purpose for each entry; where appropriate,
include the Uniform Resource Locator (URL), app store(s), version(s), deployment
mechanism, and decommission date. Review and update the software inventory
bi-annually, or more frequently.
Ensure Authorized
2.2 Software is Currently Applications Identify
Supported
• • •
Ensure that only currently supported software is designated as authorized in the
software inventory for enterprise assets. If software is unsupported, yet necessary
for the fulfillment of the enterprise’s mission, document an exception detailing
mitigating controls and residual risk acceptance. For any unsupported software
without an exception documentation, designate as unauthorized. Review the
software list to verify software support at least monthly, or more frequently.
2.3
Address Unauthorized
Software
Applications Respond • • •
Ensure that unauthorized software is either removed from use on enterprise
assets or receives a documented exception. Review monthly, or more frequently.
Utilize Automated
2.4 Software Inventory
Tools
Applications Detect • •
Utilize software inventory tools, when possible, throughout the enterprise to
automate the discovery and documentation of installed software.
2.5
Allowlist Authorized
Software
Applications Protect • •
Use technical controls, such as application allowlisting, to ensure that only
authorized software can execute or be accessed. Reassess bi-annually, or more
frequently.
2.6
Libraries
Applications Protect • •
Use technical controls to ensure that only authorized software libraries, such as
specific .dll, .ocx, .so, etc., files are allowed to load into a system process. Block
unauthorized libraries from loading into a system process. Reassess bi-annually, or
more frequently.
2.7
Scripts
Applications Protect •
Use technical controls, such as digital signatures and version control, to ensure
that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to
execute. Block unauthorized scripts from executing. Reassess bi-annually, or more
frequently.
CIS Critical Security Control 3: Data Protection
Overview
Develop processes and technical controls to identify, classify,

securely handle, retain, and dispose of data.
Data is no longer only contained within an enterprise’s border; it is in

the cloud, on portable end-user devices where users work from
home, and is often shared with partners or online services that
might have it anywhere in the world. In addition to sensitive data an
enterprise holds related to finances, intellectual property, and
customer data, there also might be numerous international
regulations for protection of personal data. Data privacy has become
increasingly important, and enterprises are learning that privacy is
about the appropriate use and management of data, not just
encryption. Data must be appropriately managed through its entire
life cycle. These privacy rules can be complicated for multi-national
enterprises of any size; however, there are fundamentals that can
apply to all.
Once attackers have penetrated an enterprise’s infrastructure, one of
their first tasks is to find and exfiltrate data. Enterprises might not
be aware that sensitive data is leaving their environment because
they are not monitoring data outflows.
While many attacks occur on the network, others involve physical

theft of portable end-user devices, attacks on service providers or
other partners holding sensitive data. Other sensitive enterprise
assets may also include non-computing devices that provide
management and control of physical systems, such as Supervisory
Control and Data Acquisition (SCADA) systems.
The enterprise’s loss of control over protected or sensitive data is a

serious and often reportable business impact. While some data is
compromised or lost as a result of theft or espionage, the vast
majority are a result of poorly understood data management rules,
and user error. The adoption of data encryption, both in transit and
at rest, can provide mitigation against data compromise, and, even
more important, it is a regulatory requirement for most controlled
data.
It is important for an enterprise to develop a data management

process that includes a data management framework, data
classification guidelines, and requirements for protection, handling,
retention, and disposal of data. There should also be a data breach
process that plugs into the incident response plan, and the
compliance and communication plans. To derive data sensitivity
levels, enterprises need to catalog their key types of data and the
overall criticality (impact to its loss or corruption) to the enterprise.
This analysis would be used to create an overall data classification
scheme for the enterprise. Enterprises may use labels, such as
“Sensitive,” “Confidential,” and “Public,” and classify their data
according to those labels.
Once the sensitivity of the data has been defined, a data inventory
or mapping should be developed that identifies software accessing
data at various sensitivity levels and the enterprise assets that house
those applications. Ideally, the network would be separated so that
enterprise assets of the same sensitivity level are on the same
network and separated from enterprise assets with different
sensitivity levels. If possible, firewalls need to control access to each
segment, and have user access rules applied to only allow those
with a business need to access the data.
For more comprehensive treatment of this topic, we suggest the

following resources to help the enterprise with data protection:
→ NIST® SP 800-88r1 Guides for Media Sanitization –

https://nvlpubs.nist.gov/
nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
→ NIST® FIPS 140-2 –
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-2.pdf
→ NIST® FIPS 140-3 –
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.140-3.pdf
Safeguards

3.1 a Data Management
Process
Data Identify • • •
Establish and maintain a data management process. In the process, address data
sensitivity, data owner, handling of data, data retention limits, and disposal
requirements, based on sensitivity and retention standards for the enterprise.
Review and update documentation annually, or when significant enterprise
changes occur that could impact this Safeguard.
3.2
a Data Inventory
Data Identify • • •
Establish and maintain a data inventory, based on the enterprise’s data
management process. Inventory sensitive data, at a minimum. Review and update
inventory annually, at a minimum, with a priority on sensitive data.
3.3
Configure Data Access
Control Lists
Data Protect • • •
Configure data access control lists based on a user’s need to know. Apply data
access control lists, also known as access permissions, to local and remote file
systems, databases, and applications.
3.4 Enforce Data Retention Data Protect • • •

Retain data according to the enterprise’s data management process. Data
retention must include both minimum and maximum timelines.
3.5
Securely Dispose of
Data
Data Protect • • •
Securely dispose of data as outlined in the enterprise’s data management process.
Ensure the disposal process and method are commensurate with the data
sensitivity.
3.6
Encrypt Data on End-
User Devices
Devices Protect • • •
Encrypt data on end-user devices containing sensitive data. Example
implementations can include: Windows BitLocker®, Apple FileVault®, Linux® dm-
crypt.
3.7 Document Data Flows Data Identify • •

Document data flows. Data flow documentation includes service provider data
flows and should be based on the enterprise’s data management process. Review
and update documentation annually, or when significant enterprise changes occur
that could impact this Safeguard.
3.8 Document Data Flows Data Identify • •

Document data flows. Data flow documentation includes service provider data
flows and should be based on the enterprise’s data management process. Review
3.9
Encrypt Data on
Removable Media
Data Protect • •
Encrypt data on removable media.
3.10
Encrypt Sensitive Data
in Transit
Encrypt sensitive data in transit. Example implementations can include: Transport
Layer Security (TLS) and Open Secure Shell (OpenSSH).
3.11
Encrypt Sensitive Data
at Rest
Encrypt sensitive data at rest on servers, applications, and databases containing
sensitive data. Storage-layer encryption, also known as server-side encryption,
meets the minimum requirement of this Safeguard. Additional encryption methods
may include application-layer encryption, also known as client-side encryption,
where access to the data storage device(s) does not permit access to the plain-
text data.
Segment Data
3.12 Processing and Storage Network
Based on Sensitivity
Protect •
Implement an automated tool, such as a host-based Data Loss Prevention (DLP)
tool to identify all sensitive data stored, processed, or transmitted through
enterprise assets, including those located onsite or at a remote service provider,
and update the enterprise’s sensitive data inventory.
3.13
Deploy a Data Loss
Prevention Solution
Data Protect •
Implement an automated tool, such as a host-based Data Loss Prevention (DLP)
tool to identify all sensitive data stored, processed, or transmitted through
enterprise assets, including those located onsite or at a remote service provider,
and update the enterprise’s sensitive data inventory.
3.14
Log Sensitive Data
Access
Data Detect •
Log sensitive data access, including modification and disposal.
CIS Critical Security Control 4: Secure
Configuration of Enterprise Assets and
Software
Overview
Establish and maintain the secure configuration of enterprise assets

(end-user devices, including portable and mobile; network devices;
non-computing/IoT devices; and servers) and software (operating
systems and applications).
As delivered from manufacturers and resellers, the default

configurations for enterprise assets and software are normally
geared towards ease-of-deployment and ease-of- use rather than
security. Basic controls, open services and ports, default accounts or
passwords, pre-configured Domain Name System (DNS) settings,
older (vulnerable) protocols, and pre-installation of unnecessary
software can all be exploitable if left in their default state. Further,
these security configuration updates need to be managed and
maintained over the life cycle of enterprise assets and software.
Configuration updates need to be tracked and approved through
configuration management workflow process to maintain a record
that can be reviewed for compliance, leveraged for incident
response, and to support audits. This CIS Control is important to on-
premises devices, as well as remote devices, network devices, and
cloud environments.
Service providers play a key role in modern infrastructures,

especially for smaller enterprises. They often are not set up by
default in the most secure configuration to provide flexibility for their
customers to apply their own security policies. Therefore, the
presence of default accounts or passwords, excessive access, or
unnecessary services are common in default configurations. These
could introduce weaknesses that are under the responsibility of the
enterprise that is using the software, rather than the service
provider. This extends to ongoing management and updates, as
some Platform as a Service (PaaS) only extend to the operating
system, so patching and updating hosted applications are under the
responsibility of the enterprise.
Even after a strong initial configuration is developed and applied, it

must be continually managed to avoid degrading security as
software is updated or patched, new security vulnerabilities are
reported, and configurations are “tweaked,” to allow the installation
of new software or to support new operational requirements.
There are many available security baselines for each system.

Enterprises should start with these publicly developed, vetted, and
supported security benchmarks, security guides, or checklists. Some
resources include:
→ The CIS Benchmarks™ Program –

http://www.cisecurity.org/cis-benchmarks/
→ The National Institute of Standards and Technology (NIST®)
National Checklist Program Repository –
https://nvd.nist.gov/ncp/repository
Enterprises should augment or adjust these baselines to satisfy

enterprise security policies, and industry and government regulatory
requirements. Deviations of standard configurations and rationale
should be documented to facilitate future reviews or audits.
For a larger or more complex enterprise, there will be multiple

security baseline configurations based on security requirements or
classification of the data on the enterprise asset. Here is an example
of the steps to build a secure baseline image:
1. Determine the risk classification of the data handled/stored on

the enterprise asset (e.g., high, moderate, low risk).
2. Create a security configuration script that sets system security
settings to meet the requirements to protect the data used on
the enterprise asset. Use benchmarks, such as the ones
described earlier in this section.
3. Install the base operating system software.
4. Apply appropriate operating system and security patches.
5. Install appropriate application software packages, tool, and
utilities.
6. Apply appropriate updates to software installed in Step 4.
7. Install local customization scripts to this image.
8. Run the security script created in Step 2 to set the appropriate
security level.
9. Run a SCAP compliant tool to record/score the system setting of
the baseline image.
10. Perform a security quality assurance test.
11. Save this base image in a secure location.
Commercial and/or free configuration management tools, such as

the CIS Configuration Assessment Tool (CIS-CAT®)
https://learn.cisecurity.org/cis-cat-lite, can be deployed to measure
the settings of operating systems and applications of managed
machines to look for deviations from the standard image
configurations. Commercial configuration management tools use
some combination of an agent installed on each managed system, or
agentless inspection of systems through remotely logging into each
enterprise asset using administrator credentials. Additionally, a
hybrid approach is sometimes used whereby a remote session is
initiated, a temporary or dynamic agent is deployed on the target
system for the scan, and then the agent is removed.
Safeguards

Establish and Maintain a
4.1 Secure Configuration
Process
Applications Protect • • •
Establish and maintain a secure configuration process for enterprise assets (end-
user devices, including portable and mobile; non-computing/IoT devices; and
servers) and software (operating systems and applications). Review and update
documentation annually, or when significant enterprise changes occur that could
impact this Safeguard.

4.2
Secure Configuration
Process for Network
Network Protect • • •
Infrastructure
Establish and maintain a secure configuration process for network devices. Review
Configure Automatic
4.3 Session Locking on
Enterprise Assets
Users Protect • • •
Configure automatic session locking on enterprise assets after a defined period of
inactivity. For general purpose operating systems, the period must not exceed 15
minutes. For mobile end-user devices, the period must not exceed 2 minutes.
4.4 Implement and Manage Devices Protect

• • •
a Firewall on Servers
Implement and manage a firewall on servers, where supported. Example
implementations include a virtual firewall, operating system firewall, or a third-
party firewall agent.
Implement and Manage

4.5 a Firewall on End-User Devices
Devices
Protect • • •
Implement and manage a host-based firewall or port-filtering tool on end-user
devices, with a default-deny rule that drops all traffic except those services and
ports that are explicitly allowed.
Securely Manage
4.6 Enterprise Assets and Network
Software
Protect • • •
Securely manage enterprise assets and software. Example implementations
include managing configuration through version-controlled-infrastructure-as-code
and accessing administrative interfaces over secure network protocols, such as
Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS). Do not use
insecure management protocols, such as Telnet (Teletype Network) and HTTP,
unless operationally essential.
Manage Default
4.7 Accounts on Enterprise Users
Assets and Software
Protect • • •
Manage default accounts on enterprise assets and software, such as root,
administrator, and other pre-configured vendor accounts. Example
implementations can include: disabling default accounts or making them unusable.
Uninstall or Disable
4.8
Unnecessary Services
on Enterprise Assets
Devices Protect • • •
and Software
Uninstall or disable unnecessary services on enterprise assets and software, such
as an unused file sharing service, web application module, or service function.
Configure Trusted DNS

4.9 Servers on Enterprise Devices
Assets
Protect • •
Configure trusted DNS servers on enterprise assets. Example implementations
include: configuring assets to use enterprise-controlled DNS servers and/or
reputable externally accessible DNS servers.
Enforce Automatic
4.10
Device Lockout on
Portable End-User
Devices Respond • •
Devices
Enforce automatic device lockout following a predetermined threshold of local
failed authentication attempts on portable end-user devices, where supported. For
laptops, do not allow more than 20 failed authentication attempts; for tablets and
smartphones, no more than 10 failed authentication attempts. Example
implementations include Microsoft® InTune Device Lock and Apple®
Configuration Profile maxFailedAttempts.
Enforce Remote Wipe

4.11 Capability on Portable Devices
End-User Devices
Protect • •
Remotely wipe enterprise data from enterprise-owned portable end-user devices
when deemed appropriate such as lost or stolen devices, or when an individual no
longer supports the enterprise.
Separate Enterprise
4.12 Workspaces on Mobile Devices
End-User Devices
Protect •
Ensure separate enterprise workspaces are used on mobile end-user devices,
where supported. Example implementations include using an Apple®
Configuration Profile or Android™ Work Profile to separate enterprise applications
and data from personal applications and data.
CIS Critical Security Control 5: Account
Management
Overview
Use processes and tools to assign and manage authorization to

credentials for user accounts, including administrator accounts, as
well as service accounts, to enterprise assets and software.
It is easier for an external or internal threat actor to gain

unauthorized access to enterprise assets or data through using valid
user credentials than through “hacking” the environment. There are
many ways to covertly obtain access to user accounts, including:
weak passwords, accounts still valid after a user leaves the
enterprise, dormant or lingering test accounts, shared accounts that
have not been changed in months or years, service accounts
embedded in applications for scripts, a user having the same
password as one they use for an online account that has been
compromised (in a public password dump), social engineering a user
to give their password, or using malware to capture passwords or
tokens in memory or over the network.
Administrative, or highly privileged, accounts are a particular target,

because they allow attackers to add other accounts, or make
changes to assets that could make them more vulnerable to other
attacks. Service accounts are also sensitive, as they are often shared
among teams, internal and external to the enterprise, and
sometimes not known about, only to be revealed in standard
account management audits.
Finally, account logging and monitoring is a critical component of

security operations. While account logging and monitoring are
covered in CIS Control 8 (Audit Log Management), it is important in
the development of a comprehensive Identity and Access
Management (IAM) program.
Credentials are assets that must be inventoried and tracked like

enterprise assets and software, as they are the primary entry point
into the enterprise. Appropriate password policies and guidance not
to reuse passwords should be developed.
→ For guidance on the creation and use of passwords,

reference the CIS Password Policy Guide –
https://www.cisecurity.org/white-papers/cis- password-policy-
guide/
Accounts must also be tracked; any account that is dormant must be

disabled and eventually removed from the system. There should be
periodic audits to ensure all active accounts are traced back to
authorized users of the enterprise asset. Look for new accounts
added since previous review, especially administrator and service
accounts. Close attention should be made to identify and track
administrative, or high- privileged accounts and service accounts.
Users with administrator or other privileged access should have
separate accounts for those higher authority tasks. These accounts
would only be used when performing those tasks or accessing
especially sensitive data, to reduce risk in case their normal user
account is compromised. For users with multiple accounts, their base
user account, used day-to-day for non-administrative tasks, should
not have any elevated privileges.
Single Sign-On (SSO) is convenient and secure when an enterprise

has many applications, including cloud applications, which helps
reduce the number of passwords a user must manage. Users are
recommended to use password manager applications to securely
store their passwords, and should be instructed not to keep them in
spreadsheets or text files on their computers. MFA is recommended
for remote access.
→ An excellent resource is the NIST® Digital Identity Guidelines

– https://pages. nist.gov/800-63-3/
Safeguards

5.1 an Inventory of
Accounts
Users Identify • • •
Establish and maintain an inventory of all accounts managed in the enterprise.
The inventory must include both user and administrator accounts. The inventory,
at a minimum, should contain the person’s name, username, start/stop dates, and
department. Validate that all active accounts are authorized, on a recurring
schedule at a minimum quarterly, or more frequently.
5.2 Use Unique Passwords Users Protect • • •

Use unique passwords for all enterprise assets. Best practice implementation
includes, at a minimum, an 8-character password for accounts using MFA and a
14-character password for accounts not using MFA.
5.3
Disable Dormant
Accounts
Users Respond • • •
Delete or disable any dormant accounts after a period of 45 days of inactivity,
where supported.
Restrict Administrator
5.4 Privileges to Dedicated Users
Administrator Accounts
Protect • • •
Restrict administrator privileges to dedicated administrator accounts on enterprise
assets. Conduct general computing activities, such as internet browsing, email,
and productivity suite use, from the user’s primary, non-privileged account.

5.5 an Inventory of Service Users
Accounts
Identify • •
Establish and maintain an inventory of service accounts. The inventory, at a
minimum, must contain department owner, review date, and purpose. Perform
service account reviews to validate that all active accounts are authorized, on a
recurring schedule at a minimum quarterly, or more frequently.
5.6
Centralize Account
Management
Users Protect • •
Centralize account management through a directory or identity service.
CIS Critical Security Control 6: Access Control
Management
Overview
Use processes and tools to create, assign, manage, and revoke

access credentials and privileges for user, administrator, and service
accounts for enterprise assets and software.
Where CIS Control 5 deals specifically with account management,

CIS Control 6 focuses on managing what access these accounts
have, ensuring users only have access to the data or enterprise
assets appropriate for their role, and ensuring that there is strong
authentication for critical or sensitive enterprise data or functions.
Accounts should only have the minimal authorization needed for the
role. Developing consistent access rights for each role and assigning
roles to users is a best practice. Developing a program for complete
provision and de-provisioning access is also important. Centralizing
this function is ideal.
There are some user activities that pose greater risk to an
enterprise, either because they are accessed from untrusted
networks, or performing administrator functions that allow the ability
to add, change, or remove other accounts, or make configuration
changes to operating systems or applications to make them less
secure. This also enforces the importance of using MFA and
Privileged Access Management (PAM) tools.
Some users have access to enterprise assets or data they do not

need for their role; this might be due to an immature process that
gives all users all access, or lingering access as users change roles
within the enterprise over time. Local administrator privileges to
users’ laptops is also an issue, as any malicious code installed or
downloaded by the user can have greater impact on the enterprise
asset running as administrator. User, administrator, and service
account access should be based on enterprise role and need.
There should be a process where privileges are granted and revoked

for user accounts. This ideally is based on enterprise role and need
through role-based access. Role- based access is a technique to
define and manage access requirements for each account based on:
need to know, least privilege, privacy requirements, and/or
separation of duties. There are technology tools to help manage this
process. However, there might be more granular or temporary
access based on circumstance.
MFA should be universal for all privileged or administrator accounts.

There are many tools that have smartphone applications to perform
this function, and are easy to deploy. Using the number-generator
feature is more secure than just sending a Short Messaging Service
(SMS) message with a one-time code, or prompting a “push” alert
for a user to accept. However, neither is recommended for privileged
account MFA. PAM tools are available for privileged account control,
and provide a one-time password that must be checked out for each
use. For additional security in system administration, using “jump-
boxes” or out of band terminal connections is recommended.
Comprehensive account de-provisioning is important. Many

enterprises have repeatable consistent processes for removing
access when employees leave the enterprise. However, that process
is not always consistent for contractors, and must be included in the
standard de-provisioning process. Enterprises should also inventory
and track service accounts, as a common error is leaving clear text
tokens or passwords in code, and posting to public cloud-based code
repositories.
High-privileged accounts should not be used for day-to-day use,

such as web surfing and email reading. Administrators should have
separate accounts that do not have elevated privileges for daily
office use, and should log into administrator accounts only when
performing administrator functions requiring that level of
authorization. Security personnel should periodically gather a list of
running processes to determine whether any browsers or email
readers are running with high privileges.
→ An excellent resource is the NIST® Digital Identity Guidelines

– https://pages.nist.gov/800-63-3/
Safeguards

6.1
Establish an Access
Granting Process
Establish and follow a process, preferably automated, for granting access to
enterprise assets upon new hire, rights grant, or role change of a user.
6.2
Establish an Access
Revoking Process
Establish and follow a process, preferably automated, for revoking access to
enterprise assets, through disabling accounts immediately upon termination, rights
revocation, or role change of a user. Disabling accounts, instead of deleting
accounts, may be necessary to preserve audit trails.
Require MFA for

6.3 Externally-Exposed
Applications
Require all externally-exposed enterprise or third-party applications to enforce
MFA, where supported. Enforcing MFA through a directory service or SSO provider
is a satisfactory implementation of this Safeguard.
6.4
Require MFA for Remote
Network Access
Require MFA for remote network access.
6.5
Require MFA for
Administrative Access
Require MFA for all administrative access accounts, where supported, on all
enterprise assets, whether managed on-site or through a third-party provider.

6.6
an Inventory of
Authentication and
Users Identify • •
Authorization Systems
Establish and maintain an inventory of the enterprise’s authentication and
authorization systems, including those hosted on-site or at a remote service
provider. Review and update the inventory, at a minimum, annually, or more
frequently.
6.7
Centralize Access
Control
Users Protect • •
Centralize access control for all enterprise assets through a directory service or
SSO provider, where supported.
Define and Maintain

6.8 Role-Based Access
Control
Data Protect •
Define and maintain role-based access control, through determining and
documenting the access rights necessary for each role within the enterprise to
successfully carry out its assigned duties. Perform access control reviews of
enterprise assets to validate that all privileges are authorized, on a recurring
schedule at a minimum annually, or more frequently.
CIS Critical Security Control 7: Continuous
Vulnerability Management
Overview
Develop a plan to continuously assess and track vulnerabilities on all

enterprise assets within the enterprise’s infrastructure, in order to
remediate, and minimize, the window of opportunity for attackers.
Monitor public and private industry sources for new threat and
vulnerability information.
Cyber defenders are constantly being challenged from attackers who

are looking for vulnerabilities within their infrastructure to exploit
and gain access. Defenders must have timely threat information
available to them about: software updates, patches, security
advisories, threat bulletins, etc., and they should regularly review
their environment to identify these vulnerabilities before the
attackers do. Understanding and managing vulnerabilities is a
continuous activity, requiring focus of time, attention, and resources.
Attackers have access to the same information and can often take
advantage of vulnerabilities more quickly than an enterprise can
remediate. While there is a gap in time from a vulnerability being
known to when it is patched, defenders can prioritize which
vulnerabilities are most impactful to the enterprise, or likely to be
exploited first due to ease of use. For example, when researchers or
the community report new vulnerabilities, vendors have to develop
and deploy patches, indicators of compromise (IOCs), and updates.
Defenders need to assess the risk of the new vulnerability to the
enterprise, regression-test patches, and install the patch.
There is never perfection in this process. Attackers might be using

an exploit to a vulnerability that is not known within the security
community. They might have developed an exploit to this
vulnerability referred to as a “zero-day” exploit. Once the
vulnerability is known in the community, the process mentioned
above starts. Therefore, defenders must keep in mind that an exploit
might already exist when the vulnerability is widely socialized.
Sometimes vulnerabilities might be known within a closed
community (e.g., vendor still developing a fix) for weeks, months, or
years before it is disclosed publicly. Defenders have to be aware that
there might always be vulnerabilities they cannot remediate, and
therefore need to use other controls to mitigate.
Enterprises that do not assess their infrastructure for vulnerabilities

and proactively address discovered flaws face a significant likelihood
of having their enterprise assets compromised. Defenders face
particular challenges in scaling remediation across an entire
enterprise, and prioritizing actions with conflicting priorities, while
not impacting the enterprise’s business or mission.
A large number of vulnerability scanning tools are available to

evaluate the security configuration of enterprise assets. Some
enterprises have also found commercial services using remotely
managed scanning appliances to be effective. To help standardize
the definitions of discovered vulnerabilities across an enterprise, it is
preferable to use vulnerability scanning tools that map vulnerabilities
to one or more of the following industry-recognized vulnerability,
configuration and platform classification schemes and languages:
Common Vulnerabilities and Exposures (CVE®), Common
Configuration Enumeration (CCE), Open Vulnerability and
Assessment Language (OVAL®), Common Platform Enumeration
(CPE), Common Vulnerability Scoring System (CVSS), and/or
Extensible Configuration Checklist Description Format (XCCDF).
These schemes and languages are components of SCAP.
→ More information on SCAP can be found here –

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.80
0-126r3.pdf
The frequency of scanning activities should increase as the diversity

of an enterprise’s assets increases to account for the varying patch
cycles of each vendor. Advanced vulnerability scanning tools can be
configured with user credentials to authenticate into enterprise
assets and perform more comprehensive assessments. These are
called “authenticated scans.”
In addition to the scanning tools that check for vulnerabilities and

misconfigurations across the network, various free and commercial
tools can evaluate security settings and configurations of enterprise
assets. Such tools can provide fine-grained insight into unauthorized
changes in configuration or the inadvertent introduction of security
weaknesses from administrators.
Effective enterprises link their vulnerability scanners with problem-

ticketing systems that track and report progress on fixing
vulnerabilities. This can help highlight unmitigated critical
vulnerabilities to senior management to ensure they are resolved.
Enterprises can also track how long it took to remediate a
vulnerability, after identified, or a patch has been issued. These can
support internal or industry compliance requirements. Some mature
enterprises will go over these reports in IT security steering
committee meetings, which bring leaders from IT and the business
together to prioritize remediation efforts based on business impact.
In selecting which vulnerabilities to fix, or patches to apply, an

enterprise should augment NIST’s Common Vulnerability Scoring
System (CVSS) with data concerning the likelihood of a threat actor
using a vulnerability, or potential impact of an exploit to the
enterprise. Information on the likelihood of exploitation should also
be periodically updated based on the most current threat
information. For example, the release of a new exploit, or new
intelligence relating to exploitation of the vulnerability, should
change the priority through which the vulnerability should be
considered for patching. Various commercial systems are available to
allow an enterprise to automate and maintain this process in a
scalable manner.
The most effective vulnerability scanning tools compare the results

of the current scan with previous scans to determine how the
vulnerabilities in the environment have changed over time. Security
personnel use these features to conduct vulnerability trending from
month to month.
Finally, there should be a quality assurance process to verify

configuration updates, or that patches are implemented correctly
and across all relevant enterprise assets.
Safeguards

7.1 Vulnerability
Management Process
Establish and maintain a documented vulnerability management process for
enterprise assets. Review and update documentation annually, or when significant
enterprise changes occur that could impact this Safeguard.
7.2
Remediation Process
Applications Respond • • •
Establish and maintain a risk-based remediation strategy documented in a
remediation process, with monthly, or more frequent, reviews.
Perform Automated
7.3 Operating System Patch Applications Protect
Management
• • •
Perform operating system updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
Perform Automated
7.4 Application Patch
Management
Perform application updates on enterprise assets through automated patch
management on a monthly, or more frequent, basis.
Perform Automated
7.5
Vulnerability Scans of
Internal Enterprise
Applications Identify • • •
Assets
Perform automated vulnerability scans of internal enterprise assets on a quarterly,
or more frequent, basis. Conduct both authenticated and unauthenticated scans,
using a SCAP-compliant vulnerability scanning tool.
Perform Automated
7.6
Vulnerability Scans of
Externally-Exposed
Applications Identify • •
Enterprise Assets
Perform automated vulnerability scans of externally-exposed enterprise assets
using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly,
or more frequent, basis.
7.7
Remediate Detected
Vulnerabilities
Applications Respond • •
Remediate detected vulnerabilities in software through processes and tooling on a
monthly, or more frequent, basis, based on the remediation process.
CIS Critical Security Control 8: Audit Log
Management
Overview
Collect, alert, review, and retain audit logs of events that could help
detect, understand, or recover from an attack.
Log collection and analysis is critical for an enterprise’s ability to

detect malicious activity quickly. Sometimes audit records are the
only evidence of a successful attack. Attackers know that many
enterprises keep audit logs for compliance purposes, but rarely
analyze them. Attackers use this knowledge to hide their location,
malicious software, and activities on victim machines. Due to poor or
nonexistent log analysis processes, attackers sometimes control
victim machines for months or years without anyone in the target
enterprise knowing.
There are two types of logs that are generally treated and often
configured independently: system logs and audit logs. System logs
typically provide system-level events that show various system
process start/end times, crashes, etc. These are native to systems,
and take less configuration to turn on. Audit logs typically include
user-level events—when a user logged in, accessed a file, etc.—and
take more planning and effort to set up.
Logging records are also critical for incident response. After an

attack has been detected, log analysis can help enterprises
understand the extent of an attack. Complete logging records can
show, for example, when and how the attack occurred, what
information was accessed, and if data was exfiltrated. Retention of
logs is also critical in case a follow-up investigation is required or if
an attack remained undetected for a long period of time.
Most enterprise assets and software offer logging capabilities. Such

logging should be activated, with logs sent to centralized logging
servers. Firewalls, proxies, and remote access systems (Virtual
Private Network (VPN), dial-up, etc.) should all be configured for
verbose logging where beneficial. Retention of logging data is also
important in the event an incident investigation is required.
Furthermore, all enterprise assets should be configured to create

access control logs when a user attempts to access resources
without the appropriate privileges. To evaluate whether such logging
is in place, an enterprise should periodically scan through its logs
and compare them with the enterprise asset inventory assembled as
part of CIS Control 1, in order to ensure that each managed asset
actively connected to the network is periodically generating logs.
Safeguards

8.1 Establish and Maintain Network
an Audit Log
Protect
• • •
Another random document with
no related content on Scribd:
interfere with individual freedom. But in it they did vest whatever
ability of that kind, under the American doctrine of human liberty,
they thought a government of free men or citizens ought to have.
They did not, however, grant unlimited ability to make laws
interfering with individual freedom. When constituting their
government they named many matters in which no laws could be
made, such as laws abridging the right of free speech, laws
suspending the privilege of habeas corpus, etc. Outside these
named matters, they granted law-making ability of that kind to
whatever extent American principles of human liberty determined a
government ought to have. The extent of that ability, so to be
determined, they left to the legislature to ascertain in the first
instance. But to the judicial department they gave the right finally to
ascertain and decide whether, in any particular law, the legislative
department had exceeded its granted ability.
In living again the education days of the Americans, who later
created and constituted the republican nation which is America, we
have come now to the close of the eventful year 1776. We find
ourselves, at that time, viewing this status of the American human
being and his relation to all governments.
With his fellow Americans, he has declared that they are not the
subjects of any government or governments in the world. With his
fellow Americans, on many battlefields, he is fighting their former
Government, which still claims that they are its subjects. If he is a
Virginian, he and his fellow Virginians, with the consent of their fellow
Americans, have constituted themselves a free and independent
nation of human beings and have given to their law-making attorney
in fact, the legislature of Virginia, some ability to make laws in
restraint of the individual freedom of Virginians, in such matter and to
such extent, as the citizens of Virginia have deemed wise. In each of
the other twelve nations the situation is the same. In no nation, in
America, has any government servant and attorney in fact of the
people any ability whatever to interfere with human freedom in any
matter or to any extent, except such ability of that kind as has been
given to that government by direct grant from its citizens. Nowhere,
in America, has any government any power whatever, in any matter
or to any extent, to make a valid command restraining the human
freedom of the individual American as an American. All Americans
are fighting throughout America with the armies of the only
government in the world which claims such ability. All Americans
everywhere are determined to win that war and keep it the basic law
of America that no government ever shall have ability of that kind
unless the whole American people, by direct grant from themselves,
shall give it to a general American government. There is yet no
republic of America. There are yet no citizens of America. There are
only citizens of thirteen respective nations, which nations are allied in
an existing war. The affairs of the allied nations are being directed by
a committee of delegates from the different nations, called the
Congress. The first Committee or Congress of that kind, known in
history as the First Continental Congress, had met at Philadelphia
from September 5 to October 26, 1774, and “recommended peaceful
concerted action against British taxation and coercion.” The second
Committee, known as the Second Continental Congress, had
assembled, also at Philadelphia, on May 10, 1775, and had
assumed direction of the war.
CHAPTER II
THE STATE GOVERNMENTS FORM A UNION OF
STATES
We have now lived with the American of an earlier generation

through the days in which he ceased to be a subject of any
government, and in which he established forever in America the
basic law that no government can exercise or possess any ability to
interfere with his individual freedom except by direct grant from its
citizens. We have seen him, in each of the former colonies, create a
nation, become one of its citizens and, with his fellow citizens of that
nation, give to its government some ability of that kind.
When we recall it to be the tribute of history that these Americans
were better acquainted with the science of government than any
other people in the world, it is well to reflect for a moment upon the
significant exhibition of that knowledge during the days through
which we have just lived with them.
When the suggestion came from Philadelphia, in the summer of
1776, that the Americans in each former colony constitute a
government for their own nation and give to it a limited ability to
govern themselves in restraint of their individual freedom, it is
recorded history that Americans generally knew that a gift of that
kind to government could never be validly made by governments. It
“was felt and acknowledged by all” that only its own citizens ever
could grant ability of that kind to any government.
As the people of New England had been the most thoroughly
trained in the actual experience of self government, we naturally find
them acting upon and clearly stating the American legal principle that
legislatures never can give ability of that kind to government. The
records of Concord, Massachusetts, for October 21, 1776, show how
clearly this was understood by the Americans of that generation.
After the Philadelphia suggestion had been made, the
Massachusetts legislature framed a constitution and sent it to the
Massachusetts townships for approval. On that October 21, 1776,
the people of Concord refused to act upon it. Their reason was that
government ability to interfere with human freedom could never
come from legislatures but must always come directly from the
citizens themselves. Let the Americans of Concord, in their own
words, impart some of their knowledge to the Americans of this
generation.
“Resolved secondly, that the supreme Legislative, either in their
proper capacity or in joint committee, are by no means a body proper
to form and establish a Constitution or form of government for
reasons following, viz.: First, because we conceive that Constitution
in its proper idea intends a system of principles established to secure
the subject in the possession of and enjoyment of their Rights and
Privileges against any encroachment of the Governing Part.
Secondly, because the same body that forms a Constitution have of
consequence a power to alter it. Thirdly, because a Constitution
alterable by the Supreme Legislative is no security at all to the
subject against the encroachment of the Governing Part on any or
on all their Rights and Privileges.”
(See Constitutional Review, April, 1918, p. 97.)
The people of Concord or New England were not alone in this
knowledge. On this we have the later testimony of Marshall from the
Bench of the Supreme Court. Speaking of that day, a few years after
1776, when the whole American people created their nation and
gave enumerated powers of that kind to its government, he said:
But when, “in order to form a more perfect Union,” it was
deemed necessary to change this alliance into an effective
government, possessing great and sovereign powers, and
acting directly on the people, the necessity of referring it to
the people, and of deriving its powers directly from them, was
felt and acknowledged by all. (M’Culloch v. Maryland, 4
Wheat. 316.)
Fixing this knowledge of that day firmly in our mind, let us go on
with the remarkable Americans of that generation through the next
period in which the relation of government to government and of
nation to nation was changed, but in which the status of the citizen of
each nation and his relation to all governments remained exactly
what he and his fellow citizens of that nation had made it.
On November 15, 1777, there came from the Congress at
Philadelphia another suggestion, this time a proposal to the thirteen
nations that they, already allied in an existing war, should form a
permanent union or federation of nations. With that proposal went a
drafted set of constitutional Articles, having for their purpose the
establishment of a government (to be called a Congress) for the
proposed federation, some of which Articles would give to that
government ability to govern the members of the union, the thirteen
nations. The proposal and the constitutional Articles were sent, for
ratification or rejection, to the legislature of each nation as its proper
attorney in fact in creating a federal union of nations and in giving
federal ability to govern, which federal ability never directly interferes
with individual freedom.
Let us reflect upon the accurate knowledge of the science of
government again shown by the Americans of that generation in that
proposal. Only a few short months earlier there had come, from the
same men at Philadelphia, the proposal that national government be
established in each nation. These men at Philadelphia had been
subjects of the British Government until July, 1776. All government
ability to interfere with human freedom, then as now, under British
law, had its source in a legislature, the Westminster Parliament. And
yet these men at Philadelphia, in the summer of 1776, had
accurately known that, under basic American law, such government
ability could only have one valid source, direct action by the citizens
themselves assembled in conventions. Acting on this knowledge in
the summer of 1776, the suggestion that government in each state
be given national power to govern, namely, ability directly to interfere
with individual freedom, had come as a suggestion to the citizens of
each nation for their own direct action. That suggestion had been
followed, and thus had been exercised, for the first time since
Americans ceased to be subjects, the inherent and inalienable and
always existing ability of the citizens of a free nation to make any
kind of constitutional Articles of government, including the national
kind which give government any power to interfere with individual
freedom.
When, therefore, these same men at Philadelphia made their
proposal of November, 1777, that other constitutional Articles of
government be made in America, the proposed Articles of Union
between nations, it might have been natural that this proposal also
should have suggested ratification of these Articles by the people
themselves. It would have seemed all the more natural, when we
remember that one of the leaders at Philadelphia in that time was
Jefferson, the historic champion of human individual freedom against
all governments. But the Americans of that generation and their
leaders were not as the leaders of our own time. They knew very
accurately the difference between a national Article of government,
which gave ability to interfere with human freedom, and a federal
Article, which gave no ability of that kind but only ability to govern
nations or states, as political entities. With this accurate knowledge
of the vital distinction between a national and a federal Article, they
naturally knew that either the people themselves or the legislative
attorney in fact of the nation, which makes all agreements for the
nation with other nations, may validly make a federal Article.
Therefore, they sent the proposed Articles of Confederation between
nations (not one of which gave national power to the proposed
federal government) to the legislatures of the respective nations for
ratification or rejection on behalf of the nations. As Marshall later
summed up the knowledge which prompted that sending of those
federal articles to the legislatures:
To the formation of a league, such as was the
Confederation, the State sovereignties were certainly
competent. (M’Culloch v. Maryland, 4 Wheat. 316.)
Each state legislature acted favorably upon the proposed articles
and ratified them. By July 9, 1778, the legislatures of ten states had
ratified. The legislatures of New Jersey and Delaware followed
before the end of February, 1779. The legislature of Maryland did not
ratify until March 1, 1781.
It is well for the average American of the present generation, at
this point, to fix firmly in his mind that this legislative ratification of
these federal Articles was the important exercise of an existing and
recognized ability of state legislatures to make all constitutional
articles of a federal nature, which never confer any government
ability directly to interfere with human freedom. It is well for the same
American also to fix firmly in his mind that it was the exercise of an
ability to make constitutional articles entirely distinct from the other
existing ability to make them, which had been exercised, in each
nation, directly by the citizens themselves, in “conventions,” in the
preceding year of 1776. In that year, there had been exercised the
inherent and inalienable and always existing ability of citizens of a
nation, assembled in conventions of deputies chosen for that
express purpose, to make any kind of constitutional article, whether
it confers federal or national power on government. In the years
1777 to 1781, there had been exercised the recognized and existing
but limited ability of state legislatures to make federal articles, an
ability clearly then known not to include the ability to confer upon
government national power to interfere with individual freedom.
Living with those Americans through their great days, we have
now reached the day in 1781 when they were all citizens of some
nation but were not all citizens of the same nation. The great
Republic, America, had not yet been born. The legal status of the
American as an individual, and his relation to all governments was
exactly the same as it had been since 1776. Each American was the
citizen of some nation. His individual freedom could be directly
interfered with only by some law of the legislature of that single
nation under a valid grant, from him and his fellow citizens, of power
to enact that law on that subject. Neither the legislature of any other
nation in America, nor the legislatures of all other nations in America,
nor the government of nations which those legislatures had created
and endowed with federal powers, the Congress of the Federation,
could singly or collectively issue a single command to him, interfering
in any manner with his human freedom, or could give to any
government or governments a power to issue such a command.
There were existing and recognized by all in America two distinct
and different abilities—one limited and the other unlimited—to make
constitutional articles. One was the limited ability of state
legislatures. They could give federal power to a government, but
they could not give any national power or power directly to interfere
with human freedom. The other was the unlimited ability of the
citizens of any nation. They could give any kind of power, federal or
national, to their own government. Each ability, at a different time,
had been evoked to exercise by a distinct proposal from the same
Americans at Philadelphia, the Second Continental Congress, which
had under its direction the conduct of the Revolutionary War.
Dormant for the time being, but existing over all other ability in
America, was the supreme will of the collective people of America,
who had not yet created their own great Republic or become its
citizens or given to its government its enumerated powers to
interfere with their individual freedom.
This was the legal status of the American, and his relation to all
governments, and the relation of governments in America to one
another, when the Treaty of Peace was concluded with England on
September 3, 1783, and was later ratified by the Federal Congress
on January 14, 1784.
CHAPTER III
AMERICANS FIND THE NEED OF A SINGLE
NATION
Living over the great days of our forefathers, we now approach the
greatest of all. It comes four years after the end of the Revolution.
Not satisfied with a mere union of their states, the whole American
people, in 1787, proposed to form the great nation of men, America.
On June 21, 1788, it is created by them. On March 4, 1789, its only
government, now also the government of the continued union of
states, begins to function.
Between May 29, 1787, and March 4, 1789, the whole American
people did their greatest work for individual liberty. That was their
greatest day. Most Americans of this generation know nothing about
that period. Still more is it to be regretted that our leaders in public
life, even our most renowned lawyers, do not understand what was
achieved therein for human freedom. It is of vital importance to the
average American that he always know and understand and realize
that achievement. That he do so, it is not in the slightest degree
essential that he be learned in the law. It is only necessary that he
know and understand a few simple facts. The experience of five
years since 1917 teaches one lesson. It is that Americans, who have
not the conviction that they are great constitutional thinkers, far more
quickly than those who have that conviction, can grasp the full
meaning of the greatest event in American history.
The reason is plain. Back in the ages, there was a time when
scientific men “knew” that the earth was flat. Because they “knew” it,
the rest of men assumed that it was so. And, because they “knew” it,
it was most difficult to convince them that their “knowledge” was
false “knowledge.”
In a similar way, our statesmen and constitutional thinkers came to
the year 1917 with the “knowledge” that legislatures in America, if
enough of them combined, had exactly the omnipotence over the
individual freedom of the American which had been denied to the
British Parliament by the early Americans. Naturally, it is difficult for
them to understand that their “knowledge” is false “knowledge.” For
us who have no false knowledge to overcome, it is comparatively
simple to grasp what those other plain Americans of 1787 and 1788
meant to accomplish and did accomplish. Why should it not be
simple for us? With those other plain Americans, we have just been
through their strenuous years which immediately preceded their
greatest days of 1787 and 1788. They were a simple people as are
we average Americans of this generation. From living with them
through those earlier days, we have come to know their dominant
purpose. They sought to secure to themselves and to their posterity
the greatest measure of protected enjoyment of human life, liberty
and happiness against interference from outside America and
against usurpation of power by any governments in America.
Certainly, it ought not to be difficult for us to grasp accurately and
quickly what they meant to do and what they did do in their last and
greatest achievement in the quest of that protected enjoyment of
human freedom. But, with all our happy predisposition accurately to
understand the meaning of the facts in 1787 and 1788, that
understanding cannot come until we know the facts themselves. Let
us, therefore, live through those years with those other plain
Americans of whom we are the posterity. Only then can we
understand their legacy of secured liberty to us and keep it against
usurpation by those who do not understand.
So long as the former subjects continued their Revolution, it was
only natural that Americans should not realize how inadequately a
mere federation of states would serve really to secure the protected
enjoyment of individual human freedom. But, as soon as that war
had ended, discerning men began quickly to realize that fact.
Jealousies between nations, jealousies in abeyance while those
nations were fighting a common war for independence, quickly had
their marked effect upon the relations of these nations to one
another and upon the respect which they showed to the commands
of the government of the federation of which all those nations were
members. As a matter of fact, those commands, because the
governing powers of that government were wholly federal, were
tantamount to nothing but requisitions. Those requisitions were
honored largely by ignoring them. There was no way of enforcing
respect for them or compelling observance of them. The plan of a
purely federal union of nations permitted no method of enforcement
save that of war upon whatever nation or nations might refuse
obedience to a requisition. Such a war would have been repugnant
to the mind of every patriotic American.
This was only one of the many defects coming from the fact that
Americans, in spirit one people or nation, had no political existence
as one nation and had no general national government, with general
powers over all Americans, to command respect at home and
abroad for the individual freedom of the American.
There is neither time nor necessity for dwelling further upon the
fact, quickly brought home to the American people after the close of
their Revolution, that a purely federal government of the states was
no adequate security for their own freedom. Let the words of one of
themselves, apologizing for the inadequacy of that government,
attest their quick recognition that it was inadequate. They are the
words of Jay in The Federalist of 1787. This is what he said: “A
strong sense of the value and blessings of union induced the people,
at a very early period, to institute a federal government to preserve
and perpetuate it. They formed it almost as soon as they had a
political existence; nay, at a time when their habitations were in
flames, when many of their citizens were bleeding, and when the
progress of hostility and desolation left little room for those calm and
mature inquiries and reflections which must ever precede the
formation of a wise and well-balanced government for a free people.
It is not to be wondered at, that a government instituted in times so
inauspicious, should on experiment be found greatly deficient and
inadequate to the purpose it was intended to answer.” (Fed., No. 2.)
CHAPTER IV
THE BIRTH OF THE NATION
Living through those old days, immediately after the peace with
England of 1783, we find that public and official recognition of a fatal
defect in the federal form of union came from the inability of its
federal government, which had no power over commerce, to
establish a uniform regulation of trade among the thirteen American
nations themselves and between them and foreign nations.
Discerning men, such as Madison and Washington and others,
already recognized other incurable defects in any form of union
which was solely a union of nations and not a union of the American
people themselves, in one nation, with a government which should
have national, as well as federal, powers. Taking advantage of the
general recognition that some central power over commerce was
needed, the legislature of the nation of Virginia appointed James
Madison, Edmund Randolph and others, as commissioners to meet
similar commissioners to be appointed by the twelve other nations.
The instructions to these commissioners were to examine into the
trade situation and report to their respective nations as to how far a
uniform system of commerce regulations was necessary. The
meeting of these commissioners was at Annapolis in September,
1786. Only commissioners from the nations of Virginia, Delaware,
Pennsylvania, New Jersey and New York attended. The other eight
nations were not represented.
Madison and Hamilton were both present at Annapolis and figured
largely in what was done there. It is an interesting and important fact
that these two played a large part from its very inception in the
peaceful Revolution which brought to an end the independent
existence of thirteen nations—a Revolution which subordinated
these nations, their respective national governments, and their
federation to a new nation of the whole American People, and to the
Constitution and the government of that new nation.
At every stage of that Revolution, these two men were among its
foremost leaders. Recorded history has made it plain that Madison,
more than any other man in America, participated in planning what
was accomplished in that Revolution. He drafted the substance of
most of the Articles in what later became the Constitution of the new
nation. By the famous essays (nearly all of which were written by
himself or Hamilton) in The Federalist, explaining and showing the
necessity of each of those Articles, he contributed most effectively to
their making by the people of America, assembled in their
conventions. He actually drew, probably in conference with Hamilton,
what we know as the Fifth Article, which will later herein be largely
the subject of our exclusive interest.
The Annapolis commissioners made a written report of their
recommendations. This report was sent to the respective legislatures
of the five nations, which had commissioners at Annapolis. Copies
were also sent to the Federal Congress and to the Executives of the
other eight nations in the federation. The report explained that the
commissioners had become convinced that there were many
important defects in the federal system, in addition to its lack of any
power over commerce. The report recommended that the thirteen
nations appoint “commissioners, to meet at Philadelphia on the
second Monday in May next, to take into consideration the situation
of the United States; to devise such further provisions as shall seem
to them necessary to render the constitution of the federal
government adequate to the exigencies of the Union; and to report
such an act for that purpose, to the United States in Congress
assembled as, when agreed to by them, and afterwards confirmed
by the legislature of every state, will effectually provide for the
same.”
The Annapolis recommendation was acted upon by the
legislatures of twelve nations. Each nation, except Rhode Island,
appointed delegates to attend the Philadelphia Convention to begin
in May, 1787. Madison himself, in his introduction to his report of the
debates of the Philadelphia Convention, gives his own explanation of
why Rhode Island did not send delegates. “Rhode Island was the
only exception to a compliance with the recommendation from
Annapolis, well known to have been swayed by an obdurate
adherence to an advantage, which her position gave her, of taxing
her neighbors through their consumption of imported supplies—an
advantage which it was foreseen would be taken from her by a
revisal of the Articles of Confederation.” This is mentioned herein
merely to bring home to the minds of Americans of the present
generation the reality of the fact, now so difficult to realize, that there
were then actually in America thirteen independent nations, each
having its powerful jealousies of the other nations and particularly of
its own immediate neighbors. The actual reality of this fact is
something which the reader should not forget. It is important to a
correct understanding of much that is said later herein. It is often
mentioned in the arguments that accompanied the making of our
Constitution, that the nation of New Jersey was suffering from
exactly the same trouble as the nation of Rhode Island was causing
to its neighbors. Almost all imported supplies consumed by the
citizens of New Jersey came through the ports of New York and
Philadelphia and were taxed by the nations of New York and
Pennsylvania.
Interesting though it would be, it is impossible herein to give in
detail the remarkable story of the four months’ Convention at
Philadelphia in 1787. It began on May 14 and its last day was
September 17. It is recommended to every American, who desires
any real knowledge of what his nation really is, that he read, in
preference to any other story of that Convention, the actual report of
its debates by Madison, which he himself states were “written out
from my notes, aided by the freshness of my recollections.” It is
possible only to refer briefly but accurately to those actual facts, in
the history of those four months, which are pertinent to the object of
this book.
At the very outset, it is well for us Americans to know and to
remember the extraordinary nature of the recommendation which
had come from Annapolis and of the very assembling of that
Philadelphia Convention. The suggestion and the Convention were
entirely outside any written law in America. Every one of the thirteen
colonies was then an independent nation. These nations were united
in a federation. Each nation had its own constitution. The federation
had its federal constitution. In none of those constitutions was there
any provision whatever under which any such convention as that of
Philadelphia could be suggested or held. The federal Constitution
provided the specific mode in which ability to amend any of its
federal Articles could be exercised. Such provision neither
suggested nor contemplated any such convention as that to be held
at Philadelphia. For these reasons, Madison and Wilson of
Pennsylvania and other leading delegates at that Convention stoutly
insisted that the Philadelphia Convention had not exercised any
power whatever in making a proposal.
“The fact is, they have exercised no power at all; and, in point of
validity, this Constitution, proposed by them for the government of
the United States, claims no more than a production of the same
nature would claim, flowing from a private pen.” (Wilson,
Pennsylvania State Convention in 1787, 2 Ell. Deb. 470.)
“It is therefore essential that such changes [in government] be
instituted by some informal and unauthorized propositions, made by
some patriotic and respectable citizen or number of citizens.”
(Madison, Fed. No. 40.)
But there was a development even more remarkable on the
second day of this unauthorized Convention.
The Convention was presided over by Washington. Among the
other delegates were Hamilton of New York, Madison and Randolph
and Mason of Virginia, Franklin and Wilson and Robert Morris and
Gouverneur Morris of Pennsylvania, and the two Pinckneys of South
Carolina. Madison himself, speaking of the delegates in his
Introduction to his report of the Debates, says that they were
selected in each state “from the most experienced and highest
standing citizens.” The reader will not forget that each of these men
came under a commission from the independent government of a
sovereign and independent nation, twelve such independent
governments and nations being represented in that Convention. In
the face of this important fact, it is amazing to realize the startling
proposition offered for consideration, on May 30, 1787. On that day,
the Convention having gone into a Committee of the Whole,
Randolph, commissioned delegate from the independent
government and nation of Virginia, moved, on the suggestion of
Gouverneur Morris, commissioned delegate from another
independent government and nation, that the assembled delegates
consider the three following resolutions:
“1. That a union of the states merely federal will not accomplish
the objects proposed by the Articles of Confederation—namely,
common defense, security of liberty, and general welfare.
“2. That no treaty or treaties among the whole or part of the states,
as individual sovereignties, would be sufficient.
“3. That a national government ought to be established, consisting
of a supreme legislative, executive, and judiciary.” (5 Ell. Deb. 132.)
If we wish to realize the sensational nature of those resolutions, let
us assume for a moment a similar convention of delegates
assembled in the City of New York. Let us assume that the delegates
have been commissioned respectively by the governments of
America, Great Britain, Ireland, Canada, Australia, New Zealand,
France, Belgium and other nations. Let us assume that the
ostensible and proclaimed purpose of the convention, stated in the
commissions of the delegates, is that it frame a set of federal Articles
for a league or federation of the independent nations represented
and report the drafted Articles to the respective governments for
ratification or rejection. Let us then assume that, on the second day
of the convention, Lloyd George, on the suggestion of Charles E.
Hughes, calmly proposes that the convention, as a Committee of the
Whole, consider three resolutions, exactly similar to those proposed
by Randolph on May 30, 1787. Imagine the amazement of the world
when it found that the resolutions were to the effect that the
convention should draft and propose a constitution of government
which would create an entirely new nation out of the human beings
in all the assembled nations, and create a new national government
for the new nation, and destroy forever the independence and
sovereignty of each represented nation and its government and
subordinate them to the new national and supreme government.
This was exactly the nature of the startling resolutions of
Randolph. Moreover, before that one day closed, the Committee of
the Whole actually did resolve “that a national government ought to
be established consisting of a supreme legislative, executive and
judiciary.” The vote was six to one. Massachusetts, Pennsylvania,
Delaware, North Carolina, Virginia and South Carolina voted “aye.”
From that day on, the Convention continued to prepare a proposal
involving the destruction of the complete independence of the
existing nations and of the governments which respectively
commissioned the delegates to the Convention. From that day on,
the Convention concerned itself entirely with the drafting of
constitutional Articles which would create a new nation, America, the
members thereof to be all the American people, and would constitute
a national government for them, and give to it national powers over
them, and make it supreme, in its own sphere, over all the existing
nations and governments.
It is interesting and instructive to know that all this startling
purpose, later completely achieved by appeal to the existing ability of
the possessors of the supreme will in America, the people,
assembled in their conventions, had not been the conception of a
moment.
We find Madison, by many credited with the most logical mind of
his remarkable generation, carefully planning, long before the
meeting of the Convention, a quite detailed conception of the
startling proposal of Randolph. In a letter from Madison to Randolph,
dated April 8, 1787 (5 Ell. Deb. 107), he speaks of “the business of
May next,” and of the fact “that some leading propositions at least
would be expected from Virginia,” and says, “I will just hint the ideas
that have occurred, leaving explanations for our interview.” When we
remember the remarkable manner, entirely novel in the history of
political science, in which our Constitution creates a new nation and
its supreme national government and yet keeps alive the former
independent nations and their federation, the next sentence of that
letter is of absorbing interest. It reads, “I think, with you, that it will be
well to retain as much as possible of the old Confederation, though I
doubt whether it may not be best to work the valuable articles into
the new system, instead of engrafting the latter on the former.” When
we read the detailed story of the Philadelphia Convention and study
its product, our Constitution, there worded and later made by the
people, we realize that Madison’s idea, expressed in the quoted
sentence, was accurately carried out largely through his own efforts.
Turning now to a later paragraph in that same April letter, we
marvel at the foresight, the logical mind and the effective ability of
the writer in later securing almost the exact execution of his idea by
the entire people of a continent, even though that idea was the
destruction of the independence of their respective nations and of
their existing respective governments. That paragraph reads: “I hold
it for a fundamental point, that an individual independence of the
states is utterly irreconcilable with the idea of an aggregate
sovereignty. I think, at the same time, that a consolidation of the
states into one simple republic is not less unattainable than it would
be inexpedient. Let it be tried, then, whether any middle ground can
be taken, which will at once support a due supremacy of the national
authority, and leave in force the local authorities so far as they can
be subordinately useful.”
This remarkable letter then goes on, paragraph by paragraph, to
suggest that, in the new Articles, the principle of representation be
changed, so as not to be the same for every state; the new
government be given “positive and complete” national power “in all
cases where uniform measures are necessary”; the new government
keep all the federal powers already granted; the judicial department
of the new government be nationally supreme; the legislative
department be divided into two branches; the new government have
an executive department; there be an Article guaranteeing each
state against internal as well as external dangers. In other words, the
letter reads like a synopsis of the principal provisions of our present
Constitution, although the letter was written over a month before the
Philadelphia Convention began to draft that Constitution.
One paragraph in that remarkable letter is very important as the
first of many similar statements, with the reasons therefor, made by
Madison in the Philadelphia Convention, in the Virginia convention
which ratified the Constitution and in The Federalist which urged its
ratification. Madison was writing his letter within a few short years
after the American people had made their famous Statute of 1776.
He knew its basic law that every ability in government to interfere
with individual freedom must be derived directly by grant from those
to be governed. He knew that governments could give to
government federal power to prescribe rules of conduct for nations.
He also knew that governments could not give to government any
power to prescribe rules of personal conduct which interfered with
the exercise of individual human freedom. In other words, he knew
the existing and limited ability of legislatures to make federal Articles
and that such limited legislative ability was not and never could be, in
America, competent to make national Articles. He also knew the
existing ability of Americans themselves, assembled in their
conventions, to make any kind of constitutional Article, whether it
were federal or national. He knew that the limited ability had been
exercised in making the federal Articles of the existing federation and
that the unlimited ability had been exercised, in each existing nation,
in making its national Articles.
With this accurate knowledge always present in his mind and
repeatedly finding expression by him in the ensuing two years, it is
natural that we find in his remarkable letter of 1787, after his
summary of what Articles the new Constitution ought to contain and
nearly every one of which it does contain, the following significant
statement: “To give the new system its proper energy, it will be
desirable to have it ratified by the authority of the people, and not
merely by that of the legislatures.” From such a logical American, it is
expected that we should find accurate echo again and again of this
deference to basic American law in such later expressions as his
statement in The Federalist, Number 37, “The genius of republican
liberty seems to demand ... that all power should be derived from the
people.”
Having thus grown well aware of the tremendous part played by
Madison in shaping the substance of the Constitution of government
under which we Americans live, let us return to the Philadelphia
Convention in which he figured so prominently and which worded
and proposed the Articles of that Constitution.
In the seven Articles, which were finally worded by that
Convention, there are but three which concern themselves at all with
the vesting of national power in government. They are the First, the
Fifth and the Seventh.
The First Article purports to give, in relation to enumerated
matters, all the national power which the Constitution purports
anywhere to grant to its only donee of power to make laws interfering
with human freedom, the national Legislature or Congress. Indeed,
the opening words of that First Article explicitly state that, “All
legislative Powers herein granted shall be vested in a Congress of
the United States, which shall consist of a Senate and House of
Representatives.” Then the remaining sections of that Article go on
to enumerate all the powers of that kind, the national powers, which
are granted in the Constitution by the donors, the American people
or citizens, assembled in their conventions.
If there be any doubt in the mind of any American that the First
Article contains the enumeration of all national powers granted by
the Constitution, the statements of the Supreme Court, voiced by
Marshall, ought to dispel that doubt.
This instrument contains an enumeration of powers
expressly granted by the people to their government.... In the
last of the enumerated powers, that which grants, expressly,
the means for carrying all others into execution, Congress is
authorized “to make all laws which shall be necessary and
proper” for the purpose. (Gibbons v. Ogden, 9 Wheat. 1.)
This “last” of the enumerated powers, as Marshall accurately
terms it, is that granted in the last paragraph of Section 8 of the First
Article.
It is because the First Article IS the constitution of government of
the American citizen that his government has received its tribute as a
government of enumerated powers. This fact is clearly explained in
the Supreme Court in Kansas v. Colorado, 206 U. S. 46.

Ebook Cis Critical Security Controls 8Th Edition Center For Internet Security Online PDF All Chapter

Uploaded by

Copyright:

Available Formats

You might also like

Ebook Cis Critical Security Controls 8Th Edition Center For Internet Security Online PDF All Chapter

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ebook Cis Critical Security Controls 8Th Edition Center For Internet Security Online PDF All Chapter

Uploaded by

Copyright:

Available Formats

CIS Critical Security Controls 8th

Edition Center For Internet Security

Azure Security For Critical Workloads: Implementing

Blockchain for International Security The Potential of

The Complete Internet Security Manual 18th Edition 2023

Internet Security and You 1st Edition Sherri Mabry

IT Security Controls: A Guide to Corporate Standards

Auditing Information and Cyber Security Governance: A

The Politics of Energy Security Critical Security

RFID Protocol Design Optimization and Security for the

Share insights into attacks and attackers, identify root causes,

The Structure of CIS Controls

Overview. A brief description of the intent of the Control and

The 18 CIS Critical Security Controls

CIS Controls Version 8 combines and consolidates the CIS Controls

Click on the individual CIS Control for more information:

CIS Control 1: Inventory and Control of Enterprise Assets

An IG1 enterprise is small to medium-sized with limited IT and

Safeguards selected for IG1 should be implementable with limited

IG2 (Includes IG1)

An IG2 enterprise employs individuals responsible for managing and

An IG3 enterprise employs security experts that specialize in the

Safeguards selected for IG3 must abate targeted attacks from a

Actively manage (inventory, track, and correct) all enterprise assets

Why is this Control critical?

Enterprises cannot defend what they do not know they have.

External attackers are continuously scanning the internet address

Additional assets that connect to the enterprise’s network (e.g.,

Large, complex, dynamic enterprises understandably struggle with

Another challenge is that portable end-user devices will periodically

Another benefit of complete enterprise asset management is

This CIS Control requires both technical and procedural actions,

Maintaining a current and accurate view of enterprise assets is an

Number Title/Description Asset Type Security Function IG1 IG2 IG3

Use Dynamic Host

Actively manage (inventory, track, and correct) all software

Why is this Control critical?

A complete software inventory is a critical foundation for preventing

Even if a patch is not yet available, a complete software inventory

Management of software assets is also important to identify

Procedures and tools

Allowlisting can be implemented using a combination of commercial

Features that implement allowlists are included in many modern

→ For cloud-specific guidance, refer to the CIS Controls Cloud

Number Title/Description Asset Type Security Function IG1 IG2 IG3

Develop processes and technical controls to identify, classify,

Why is this Control critical?

Data is no longer only contained within an enterprise’s border; it is in

While many attacks occur on the network, others involve physical

The enterprise’s loss of control over protected or sensitive data is a

Procedures and tools

It is important for an enterprise to develop a data management

For more comprehensive treatment of this topic, we suggest the

→ NIST® SP 800-88r1 Guides for Media Sanitization –

Number Title/Description Asset Type Security Function IG1 IG2 IG3

3.4 Enforce Data Retention Data Protect • • •

3.7 Document Data Flows Data Identify • •

3.8 Document Data Flows Data Identify • •