FINAL S 5-06-01 1F Cloud Checklist


CIS Controls Cloud Companion Guide


Be sure to download our PDF with details around each CIS Control and Sub-Control

Introduction

The CIS Controls™ are a prioritized set of actions that collectively form a defense-in-depth set of best practices that
mitigate the most common attacks against systems and networks. The CIS Controls are developed by a community of IT
experts who apply their first-hand experience as cyber defenders to create these globally accepted security best
practices. The experts who develop the CIS Controls come from a wide range of sectors including retail, manufacturing,
healthcare, education, government, defense, and others. So, while the CIS Controls address the general practices that
most organizations should take to secure their systems, some operational environments may present unique
requirements not addressed by the CIS Controls.

We are at a fascinating point in the evolution of what we now call cyber defense. To help us understand the cyber threat,
we have seen the emergence of threat information feeds, reports, tools, alert services, standards, and threat-sharing
frameworks. To top it all off, we are surrounded by security requirements, risk management frameworks, compliance
regimes, regulatory mandates, and so forth. There is no shortage of information available to security practitioners on
what they should do to secure their infrastructure. But all of this technology, information, and oversight has become a
veritable “Fog of More” – competing options, priorities, opinions, and claims that can paralyze or distract an enterprise
from vital action. Business complexity is growing, dependencies are expanding, users are becoming more mobile, and
the threats are evolving. New technology brings us great benefits, but it also means that our data and applications are
distributed across multiple locations, many of which are not within our organization’s infrastructure.

Rather than chase every new exceptional threat and neglect the fundamentals, how can we get on track with a roadmap
of fundamentals, and guidance to measure and improve cloud security? Which CIS Controls and defensive steps are
applicable and have the greatest value?

The CIS Controls started as a grassroots activity to cut through the "Fog of More" and focus on the most fundamental
and valuable actions that every enterprise should take. This companion guide will break down and map the applicable
Controls and their implementation for the cloud environment. As the CIS Controls continue to be refined and re-worked
through the community, the call for this CIS Controls Guidance for the cloud was identified as one of the high priority
companion documents to be developed.

The Center for Internet Security, Inc. (CIS) is a 501(c)(3) nonprofit organization whose mission is to identify, develop,
validate, promote, and sustain best practices in cybersecurity; deliver world-class cybersecurity solutions to prevent and
rapidly respond to cyber incidents; and build and lead communities to enable an environment of trust in cyberspace.
For additional information, go to https://www.cisecurity.org/

S.5.06.01.1F Cloud Services Assessment Worksheet Introduction 10/20/2021



While many of the core security concerns of enterprise Information Technology (IT) systems are shared within cloud
environments, the main challenge in applying best practices is that these systems typically operate software and
hardware under different assumed security responsibilities. Understanding, and ensuring, that the service-level
agreements (SLAs) and legal contracts with the Cloud Service Provider (CSP) spell out liability, service levels, breach
disclosure, and incident response timeframes is an important piece of your cloud security. The shared security
responsibility, as well as the specific cloud services and deployment models utilized, changes who handles the security
requirements and with whom the assumed security risk resides. CSPs are adding new functional services, along with
configuration and security tools to better manage them, at a very rapid pace. As new tools become available, the cloud
consumer should consider a hybrid approach using third-party tools along with CSP-native security tools that best fit an
organization's security and management needs. Company management processes should ensure there is overlap rather
than gaps in coverage between native and third-party tools.
A cloud environment has four distinct service models that the application or service can fall under:
· IaaS (Infrastructure as a Service) is a cloud environment that provides computing resources such as virtual servers, storage, and networking hardware. The consumer utilizes their own software such as operating systems, middleware, and applications. The underlying cloud infrastructure is managed by the CSP.
· PaaS (Platform as a Service) is a cloud computing environment for development and management of a consumer’s applications. It includes the infrastructure hardware (virtual servers, storage, and networking) while tying in the middleware and development tools to allow the consumer to deploy their applications. It is designed to support the complete application lifecycle while leaving the management of the underlying infrastructure to the CSP.
· SaaS (Software as a Service) is a cloud computing software solution that provides the consumer with access to a complete software product. The software application resides on a cloud environment and is accessed by the consumer through the web or an application programming interface (API). The consumer can utilize the application to store and analyze data without having to worry about managing the infrastructure, service, or software, as that falls to the CSP.
· FaaS (Function as a Service) is a cloud computing service that allows the consumer to develop, manage, and run their application functionalities without having to manage and maintain any of the infrastructure that is required. The consumer can execute code in response to events that happen within the CSP or the application without having to build out or maintain a complex underlying infrastructure.
To complicate things even more, a cloud environment has multiple deployment models:
· Private cloud (on-prem) consists of all the computing resources being hosted and used exclusively by one consumer (organization) within its own offices and data centers. The consumer is responsible for the operational costs, hardware, software, and the resources required to build and maintain the infrastructure. This is best used for critical business operations and applications that require complete control and configurability.
· Private cloud (third-party hosted) is a private cloud that is hosted by an external third-party provider. The third party provides an exclusive cloud environment for the consumer and manages the hardware. All costs associated with the maintenance are the responsibility of the consumer.
· Community cloud (shared) is a deployment solution where the computing resources and infrastructure are shared between several organizations. The resources can be managed internally or by a third party, and they can be hosted on-prem or externally. The organizations share the cost and often have similar cloud security requirements and business objectives.
· Public cloud is infrastructure and computing services hosted by a third-party company defined as a CSP. It is available over the internet and the services are delivered through a self-service portal. The consumer is provided on-demand accessibility and scalability without the high overhead cost of maintaining the physical hardware and software. The CSP is responsible for the management and maintenance of the system while the consumer pays only for the resources they use.
· Hybrid cloud is an environment that uses a combination of three cloud deployment models, private cloud (on-prem), private cloud (third-party hosted), and public cloud, with an orchestration service between the three deployment models.
These are the kinds of issues that led to and now drive the CIS Controls Cloud Companion Guide, https://www.cisecurity.org/resources/white-papers/?o=controls.

How to Use This Document

In this document, we provide guidance on how to apply the security best practices found in CIS Controls Version 7 to any
cloud environment from the consumer/customer perspective. For each top-level CIS Control, there is a brief discussion
of how to interpret and apply the CIS Control in such environments, along with any unique considerations or differences
from common IT environments.

The applicability of specific CIS Controls and CIS Sub-Controls is addressed, and additional steps needed in any cloud
environment are explained, based on the individual service models. Throughout this document, we take into
consideration the unique mission/business requirements found in cloud environments, as well as the unique risks
(vulnerabilities, threats, consequences, and security responsibilities), which in turn drive the priority of the security
requirements (e.g., availability, integrity, and confidentiality of process data).

By walking through CIS Controls Version 7 with this companion guide, the reader should be able to tailor the CIS
Controls in the context of a specific IT/OT cloud enterprise as an essential starting point for a security improvement
assessment and roadmap.

Contact Information
CIS
31 Tech Valley Drive
East Greenbush, NY 12061
518.266.3460
controlsinfo@cisecurity.org


License for Use

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode).

To further clarify the Creative Commons license related to the CIS Controls™ content, you are authorized to copy and redistribute the content as a framework for use by you, within your
organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you
remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to
(http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject
to the prior approval of CIS® (Center for Internet Security, Inc.).

This spreadsheet has been modified for use in the State of Nevada by the Nevada Office of Information Security. Permission was obtained from CIS for these modifications and use.

This spreadsheet and the responses provided are classified Confidential under NRS 242.105, and are not subject to disclosure or public records requests.


State Agencies

Download a copy of the spreadsheet and rename it to the name of the agency cloud services project.
Filter the controls based on the risk level of the information being used in the cloud, including all lower risk levels. For example, a Medium risk project would include Medium and Low risk controls.
Select the type of cloud service being considered, and filter the controls to exclude the controls for which the agency is responsible. Optionally, hide the other cloud service columns.
Review the controls to ensure they not only are applicable to the project, but that they also reflect any other applicable regulatory requirements for cloud services. Agencies are free to add additional controls or columns as needed to work with this tool.
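The filtering steps above, applied in code as an added worked example (this is not code from the CIS guide or the Nevada worksheet): the rows are transcribed from the worksheet's Control 1 and Control 2 sections, the pipe-separated row encoding and the function names are my own assumptions, and the IaaS/PaaS/SaaS/FaaS columns are read as the responsible party (Agency or CSP), which is how the "exclude the controls for which the agency is responsible" step uses them.

```python
"""Apply the worksheet's risk-level and service-model filters to sub-control rows.

Added example; the row encoding below is a constructed convenience, not the
spreadsheet's own format.
"""
from dataclasses import dataclass

# Risk levels in ascending order. A project at a given level keeps every
# sub-control at that level or lower (a Medium project keeps Medium and Low).
RISK_LEVELS = ("Low", "Medium", "High")
SERVICE_MODELS = ("IaaS", "PaaS", "SaaS", "FaaS")
PARTIES = ("Agency", "CSP")


@dataclass
class SubControl:
    sub_control: str   # e.g. "1.7"
    title: str
    risk: str          # one of RISK_LEVELS
    responsible: dict  # service model -> "Agency" or "CSP"

    @property
    def control(self) -> int:
        """Top-level CIS Control number, e.g. 1 for "1.7"."""
        return int(self.sub_control.split(".")[0])


# Constructed encoding of rows transcribed from the worksheet:
# sub-control | title | risk | IaaS | PaaS | SaaS | FaaS
WORKSHEET_ROWS = """
1.1 | Utilize an Active Discovery Tool | Medium | Agency | Agency | CSP | CSP
1.2 | Use a Passive Asset Discovery Tool | High | Agency | Agency | CSP | CSP
1.4 | Maintain Detailed Asset Inventory | Low | Agency | Agency | CSP | CSP
1.7 | Deploy Port Level Access Control | Medium | Agency | Agency | CSP | CSP
1.8 | Utilize Client Certificates to Authenticate Hardware Assets | High | Agency | CSP | Agency | Agency
2.1 | Maintain Inventory of Authorized Software | Low | Agency | Agency | Agency | Agency
2.2 | Ensure Software is Supported by Vendor | Low | Agency | Agency | Agency | CSP
2.4 | Track Software Inventory Information | Medium | Agency | Agency | Agency | CSP
2.7 | Utilize Application Whitelisting | High | Agency | CSP | CSP | CSP
"""


def parse_rows(text: str) -> list:
    """Parse the pipe-separated encoding, rejecting malformed or unknown values."""
    rows = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3 + len(SERVICE_MODELS):
            raise ValueError(f"malformed row: {line!r}")
        sub, title, risk, *parties = fields
        if risk not in RISK_LEVELS:
            raise ValueError(f"unknown risk level {risk!r} in sub-control {sub}")
        for party in parties:
            if party not in PARTIES:
                raise ValueError(f"unknown responsible party {party!r} in sub-control {sub}")
        rows.append(SubControl(sub, title, risk, dict(zip(SERVICE_MODELS, parties))))
    return rows


def risk_in_scope(row_risk: str, project_risk: str) -> bool:
    """Step 2: keep sub-controls at the project's risk level and all lower levels."""
    return RISK_LEVELS.index(row_risk) <= RISK_LEVELS.index(project_risk)


def split_responsibility(rows, project_risk: str, service_model: str):
    """Steps 2 and 3 together: drop rows above the project's risk level, then split
    the remainder by who is responsible under the chosen service model."""
    if project_risk not in RISK_LEVELS:
        raise ValueError(f"unknown project risk level {project_risk!r}")
    if service_model not in SERVICE_MODELS:
        raise ValueError(f"unknown service model {service_model!r}")
    csp_rows, agency_rows = [], []
    for row in rows:
        if not risk_in_scope(row.risk, project_risk):
            continue
        (csp_rows if row.responsible[service_model] == "CSP" else agency_rows).append(row)
    return csp_rows, agency_rows


def vendor_questionnaire(rows, project_risk: str, service_model: str) -> list:
    """Rows the CSP answers in the Vendor Response column (agency-owned rows excluded)."""
    return split_responsibility(rows, project_risk, service_model)[0]


def agency_owned(rows, project_risk: str, service_model: str) -> list:
    """Rows the agency must satisfy itself for this project."""
    return split_responsibility(rows, project_risk, service_model)[1]


def summarize(rows) -> dict:
    """Group sub-control ids by top-level control for a quick read-out."""
    grouped = {}
    for row in rows:
        grouped.setdefault(row.control, []).append(row.sub_control)
    return grouped


if __name__ == "__main__":
    rows = parse_rows(WORKSHEET_ROWS)
    for model in SERVICE_MODELS:
        print(model, "Medium project, vendor responds to:",
              summarize(vendor_questionnaire(rows, "Medium", model)))
```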


Applicability Overview for each Service Model


Legend
High   More than 60% of CIS Sub-Controls apply
Low    Between 0% and 60% of the CIS Sub-Controls apply
None   No CIS Sub-Controls apply

Control  IaaS  PaaS  SaaS  FaaS  Control Title
1        High  High  Low   Low   Inventory and Control of Hardware Assets
2        High  High  Low   Low   Inventory and Control of Software Assets
3        High  High  None  None  Continuous Vulnerability Management
4        High  High  High  High  Controlled Use of Administrative Privileges
5        High  Low   Low   Low   Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6        High  High  High  High  Maintenance, Monitoring and Analysis of Audit Logs
7        High  High  Low   Low   Email and Web Browser Protections
8        High  High  None  None  Malware Defenses
9        High  High  High  Low   Limitation and Control of Network Ports, Protocols, and Services
10       High  High  High  High  Data Recovery Capabilities
11       High  Low   None  None  Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12       High  Low   None  None  Boundary Defense
13       High  Low   Low   Low   Data Protection
14       High  Low   Low   Low   Controlled Access Based on the Need to Know
15       None  None  None  None  Wireless Access Control
16       High  High  High  High  Account Monitoring and Control
17       High  High  High  High  Implement a Security Awareness and Training Program
18       High  High  High  Low   Application Software Security
19       High  High  High  High  Incident Response and Management
20       High  High  High  High  Penetration Tests and Red Team Exercises

All CIS Controls & Sub-Controls

1 Inventory and Control of Hardware Assets
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

1.1 Utilize an Active Discovery Tool (Devices / Identify; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.
1.2 Use a Passive Asset Discovery Tool (Devices / Identify; Risk: High; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize a passive discovery tool to identify devices connected to the organization's network and automatically update the organization's hardware asset inventory.
1.3 Use DHCP Logging to Update Asset Inventory (Devices / Identify; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization's hardware asset inventory.
1.4 Maintain Detailed Asset Inventory (Devices / Identify; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization's network or not.
1.5 Maintain Asset Inventory Information (Devices / Identify; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.
1.6 Address Unauthorized Assets (Devices / Respond; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.
1.7 Deploy Port Level Access Control (Devices / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.
1.8 Utilize Client Certificates to Authenticate Hardware Assets (Devices / Protect; Risk: High; IaaS: Agency, PaaS: CSP, SaaS: Agency, FaaS: Agency)
    Use client certificates to authenticate hardware assets connecting to the organization's trusted network.
2 Inventory and Control of Software Assets
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

2.1 Maintain Inventory of Authorized Software (Applications / Identify; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
2.2 Ensure Software is Supported by Vendor (Applications / Identify; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: CSP)
    Ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory. Unsupported software should be tagged as unsupported in the inventory system.
2.3 Utilize Software Inventory Tools (Applications / Identify; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize software inventory tools throughout the organization to automate the documentation of all software on business systems.
2.4 Track Software Inventory Information (Applications / Identify; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: CSP)
    The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
2.5 Integrate Software and Hardware Asset Inventories (Applications / Identify; Risk: High; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
2.6 Address unapproved software (Applications / Respond; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
2.7 Utilize Application Whitelisting (Applications / Protect; Risk: High; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    Utilize application whitelisting technology on all assets to ensure that only authorized software executes and all unauthorized software is blocked from executing on assets.
2.8 Implement Application Whitelisting of Libraries (Applications / Protect; Risk: High; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    The organization's application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
2.9 Implement Application Whitelisting of Scripts (Applications / Protect; Risk: High; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    The organization's application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1, *.py, macros, etc.) are allowed to run on a system.
2.10 Physically or Logically Segregate High Risk Applications (Applications / Protect; Risk: High; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.
3 Continuous Vulnerability Management
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

3.1 Run Automated Vulnerability Scanning Tools (Applications / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems.
3.2 Perform Authenticated Vulnerability Scanning (Applications / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
3.3 Protect Dedicated Assessment Accounts (Users / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
3.4 Deploy Automated Operating System Patch Management Tools (Applications / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
3.5 Deploy Automated Software Patch Management Tools (Applications / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
3.6 Compare Back-to-Back Vulnerability Scans (Applications / Respond; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
3.7 Utilize a Risk-Rating Process (Applications / Respond; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
4 Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

4.1 Maintain Inventory of Administrative Accounts (Users / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
4.2 Change Default Passwords (Users / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
4.3 Ensure the Use of Dedicated Administrative Accounts (Users / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not internet browsing, email, or similar activities.
4.4 Use Unique Passwords (Users / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
4.5 Use Multi-Factor Authentication for All Administrative Access (Users / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Use multi-factor authentication and encrypted channels for all administrative account access.
4.6 Use Dedicated Worksta (Users / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Ensure administrators use a dedicated machine for all administrative tasks or tasks requiring administrative access. This machine will be segmented from the organization's primary network and not be allowed Internet access. This machine will not be used for reading e-mail, composing documents, or browsing the Internet.
4.7 Limit Access to Script Tools (Users / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
4.8 Log and Alert on Changes to Administrative Group Membership (Users / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
4.9 Log and Alert on Unsuccessful Administrative Account Login (Users / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

5.1 Establish Secure Configurations (Applications / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Maintain documented security configuration standards for all authorized operating systems and software.
5.2 Maintain Secure Images (Applications / Protect; Risk: Medium; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
5.3 Securely Store Master Images (Applications / Protect; Risk: Medium; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
5.4 Deploy System Configuration Management Tools (Applications / Protect; Risk: Medium; IaaS: Agency, PaaS: CSP, SaaS: CSP, FaaS: CSP)
    Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
5.5 Implement Automated Configuration Monitoring Systems (Applications / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.
6 Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

6.1 Utilize Three Synchronized Time Sources (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
6.2 Activate Audit Logging (Network / Detect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Ensure that local logging has been enabled on all systems and networking devices.
6.3 Enable Detailed Logging (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4 Ensure Adequate Storage for Logs (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5 Central Log Management (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6 Deploy SIEM or Log Analytic Tools (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Deploy a Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
6.7 Regularly Review Logs (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    On a regular basis, review logs to identify anomalies or abnormal events.
6.8 Regularly Tune SIEM (Network / Detect; Risk: High; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
7 Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Each sub-control is listed as: Title (Asset Type / Security Function; Risk; responsible party under IaaS, PaaS, SaaS, FaaS), followed by its Description. The Vendor Response and Agency Notes columns are blank.

7.2 Disable Unnecessary or Unauthorized Browser or Email Client Plugins (Applications / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
7.3 Limit Use of Scripting Languages in Web Browsers and Email Clients (Applications / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: Agency, FaaS: Agency)
    Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
7.4 Maintain and Enforce Network-Based URL Filters (Network / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization's systems, whether they are physically at an organization's facilities or not.
7.5 Subscribe to URL-Categorization Service (Network / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Uncategorized sites shall be blocked by default.
7.6 Log All URL Requests (Network / Detect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Log all URL requests from each of the organization's systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
7.7 Use of DNS Filtering Services (Network / Protect; Risk: Low; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
7.8 Implement DMARC and Enable Receiver-Side Verification (Network / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the DomainKeys Identified Mail (DKIM) standards.
7.9 Block Unnecessary File Types (Network / Protect; Risk: Medium; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Block all email attachments entering the organization's email gateway if the file types are unnecessary for the organization's business.
7.10 Sandbox All Email Attachments (Network / Protect; Risk: High; IaaS: Agency, PaaS: Agency, SaaS: CSP, FaaS: CSP)
    Use sandboxing to analyze and block inbound email attachments with malicious behavior.
8 Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
8 | 8.1 | Devices | Protect | Utilize Centrally Managed Anti-malware Software | Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers. | Medium | Agency | Agency | CSP | CSP | |
8 | 8.2 | Devices | Protect | Ensure Anti-Malware Software and Signatures Are Updated | Ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis. | Low | Agency | Agency | CSP | CSP | |
8 | 8.3 | Devices | Protect | Enable Operating System Anti-Exploitation Features/Deploy Anti-Exploit Technologies | Enable anti-exploitation features such as Data Execution Prevention (DEP) or Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables. | Medium | Agency | Agency | CSP | CSP | |
8 | 8.4 | Devices | Detect | Configure Anti-Malware Scanning of Removable Devices | Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected. | Low | Agency | CSP | CSP | CSP | |
8 | 8.5 | Devices | Protect | Configure Devices to Not Auto-Run Content | Configure devices to not auto-run content from removable media. | Low | Agency | CSP | CSP | CSP | |
8 | 8.6 | Devices | Detect | Centralize Anti-Malware Logging | Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting. | Medium | Agency | Agency | CSP | CSP | |
8 | 8.7 | Network | Detect | Enable DNS Query Logging | Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains. | Medium | Agency | Agency | CSP | CSP | |
8 | 8.8 | Devices | Detect | Enable Command-Line Audit Logging | Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash. | Medium | Agency | Agency | CSP | CSP | |
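Detection logic for sub-control 8.7, added here as an example and not CIS code: DNS query logging only pays off when something reads the log, so this script parses BIND-format query lines and matches every queried name against a blocklist. Both the log lines and the blocklist are constructed for the example; a cloud provider's resolver log arrives in a different format, but the normalization and suffix matching are the same.

```python
"""Added example (not CIS-provided): run a blocklist over DNS query logs
(sub-control 8.7). Log lines are constructed in BIND query-log format and the
blocklist is a hypothetical threat-intelligence feed; both are embedded so the
script runs offline."""
import re
from collections import Counter

# Constructed blocklist of known-malicious domains (hypothetical).
BLOCKLIST = {"bad-domain.example", "c2.example.net"}

# Constructed BIND-style query log; the third line shows the upper-case and
# trailing-dot forms resolvers emit, the fourth is a near-miss that must not match.
QUERY_LOG = """\
05-Mar-2024 10:15:01.123 client @0x7f3c 10.0.0.12#53211 (www.example.gov): query: www.example.gov IN A + (10.0.0.2)
05-Mar-2024 10:15:02.456 client @0x7f3c 10.0.0.12#53212 (update.bad-domain.example): query: update.bad-domain.example IN A + (10.0.0.2)
05-Mar-2024 10:15:03.789 client @0x7f3c 10.0.0.44#53213 (C2.EXAMPLE.NET.): query: C2.EXAMPLE.NET. IN TXT + (10.0.0.2)
05-Mar-2024 10:15:04.000 client @0x7f3c 10.0.0.44#53214 (notbad-domain.example): query: notbad-domain.example IN A + (10.0.0.2)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client \S+ (?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so matching is canonical."""
    return name.rstrip(".").lower()


def blocklist_hit(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of, else None.
    Walks the label suffixes so update.bad-domain.example matches bad-domain.example
    while notbad-domain.example does not (a plain substring test would match both)."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def detect(log_text, blocklist=BLOCKLIST):
    """Parse each line and emit an alert record for every blocklist hit."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query line, or a format this parser does not handle
        hit = blocklist_hit(m["qname"], blocklist)
        if hit:
            alerts.append({"ts": m["ts"], "client": m["client"],
                           "qname": normalize(m["qname"]), "qtype": m["qtype"],
                           "matched": hit})
    return alerts


def clients_by_hits(alerts):
    """Summarize which internal hosts looked up blocklisted names, for triage."""
    return Counter(a["client"] for a in alerts)
```

The client address is the value worth keeping: a lookup of a known command-and-control name tells you which internal host to isolate, which is why the log must record the querying client and not only the name. Query type matters too; TXT lookups of a blocklisted name are a common beaconing channel.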
9 Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
9 | 9.1 | Devices | Identify | Associate Active Ports, Services, and Protocols to Asset Inventory | Associate active ports, services, and protocols to the hardware assets in the asset inventory. | Medium | Agency | CSP | CSP | CSP | |
9 | 9.2 | Devices | Protect | Ensure Only Approved Ports, Protocols, and Services Are Running | Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system. | Medium | Agency | Agency | Agency | Agency | |
9 | 9.3 | Devices | Detect | Perform Regular Automated Port Scans | Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system. | Medium | Agency | Agency | Agency | Agency | |
9 | 9.4 | Devices | Protect | Apply Host-Based Firewalls or Port-Filtering | Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed. | Low | Agency | Agency | CSP | CSP | |
9 | 9.5 | Devices | Protect | Implement Application Firewalls | Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Any unauthorized traffic should be blocked and logged. | High | Agency | Agency | Agency | CSP | |
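Sub-controls 9.1 to 9.3 describe one loop: an inventory of approved listeners, a scheduled scan, and an alert on the difference. The following is an added example of that reconciliation, not CIS tooling; the inventory and the nmap grepable (-oG) scan output are constructed, and the hosts and ports are hypothetical.

```python
"""Added example (not CIS-provided): reconcile a scheduled port scan against the
asset inventory so that unapproved listeners raise an alert (sub-controls 9.1
to 9.3). The inventory and the nmap grepable (-oG) output are constructed and
embedded; the hosts and ports are hypothetical."""
import re

# Constructed inventory (9.1/9.2): which TCP ports each asset is approved to expose.
INVENTORY = {
    "10.0.0.5": {"name": "web-01", "approved_tcp": {80, 443}},
    "10.0.0.9": {"name": "db-01", "approved_tcp": {5432}},
}

# Constructed nmap -oG output from the periodic scan (9.3).
SCAN_OUTPUT = """\
# Nmap 7.94 scan initiated as: nmap -oG - -p- 10.0.0.0/28
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///
Host: 10.0.0.9 ()\tPorts: 5432/open/tcp//postgresql///, 6379/open/tcp//redis///
Host: 10.0.0.12 ()\tPorts: 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

PORT_RE = re.compile(r"(\d+)/(open|closed|filtered)/(tcp|udp)//([^/]*)")


def parse_grepable(text):
    """Map each scanned host to its set of (port, proto, service) that are open."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts[ip] = {(int(port), proto, svc)
                     for port, state, proto, svc in PORT_RE.findall(line)
                     if state == "open"}
    return hosts


def audit_scan(scan_text, inventory):
    """Return (ip, asset name, kind, ports) findings:
    'unapproved'    - open TCP ports not in the asset's approved list (the 9.3 alert),
    'unknown-host'  - a responding host that is not in the inventory at all,
    'not-listening' - approved services that were not seen (possible outage)."""
    findings = []
    for ip, open_ports in parse_grepable(scan_text).items():
        tcp = {port for port, proto, _ in open_ports if proto == "tcp"}
        asset = inventory.get(ip)
        if asset is None:
            findings.append((ip, None, "unknown-host", sorted(tcp)))
            continue
        extra = sorted(tcp - asset["approved_tcp"])
        if extra:
            findings.append((ip, asset["name"], "unapproved", extra))
        missing = sorted(asset["approved_tcp"] - tcp)
        if missing:
            findings.append((ip, asset["name"], "not-listening", missing))
    return findings


if __name__ == "__main__":
    for finding in audit_scan(SCAN_OUTPUT, INVENTORY):
        print(finding)
```

In IaaS the scan should run from inside the virtual network as well as from the Internet: a security group can hide a listener from an external scan while it remains reachable from every neighbouring subnet, and the host-based default-deny rule in 9.4 is what closes that gap independently of provider controls.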
10 Data Recovery Capabilities
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
10 | 10.2 | Data | Protect | Perform Complete System Backups | Ensure that all of the organization's key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system. | Low | Agency | Agency | CSP | CSP | |
10 | 10.3 | Data | Protect | Test Data on Backup Media | Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working. | Medium | Agency | Agency | Agency | Agency | |
10 | 10.4 | Data | Protect | Ensure Protection of Backups | Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services. | Low | Agency | Agency | Agency | Agency | |
10 | 10.5 | Data | Protect | Ensure All Backups Have at Least One Offline Backup Destination | Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination. | Low | Agency | Agency | Agency | Agency | |
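Sub-control 10.3 is the one in this control that is routinely claimed and rarely exercised. The script below is an added example, not CIS code, of what "performing a data restoration process" means in practice: write a digest manifest at backup time, restore into scratch space, and compare every file. The data tree, archive name and tampering step are constructed so the run is self-contained.

```python
"""Added example (not CIS-provided): back up a directory with a SHA-256 manifest
and prove the backup restores intact (sub-control 10.3). The data tree is
constructed in a temporary directory so the script runs anywhere offline."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src_dir, archive):
    """Write a gzipped tar of src_dir plus <archive>.manifest.json of per-file digests.
    The manifest is what makes a later restore test meaningful: without a record of
    what was backed up, a restore can only prove that the archive opens."""
    src_dir, manifest = Path(src_dir), {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src_dir.rglob("*")):
            if path.is_file():
                rel = path.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(path)
                tar.add(str(path), arcname=rel)
    Path(f"{archive}.manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_test(archive):
    """Restore into a scratch directory and check every file against the manifest.
    Returns {'ok': [...], 'missing': [...], 'corrupt': [...]} by relative path."""
    manifest = json.loads(Path(f"{archive}.manifest.json").read_text())
    result = {"ok": [], "missing": [], "corrupt": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # The 'data' filter (Python 3.12, backported to maintenance releases)
            # refuses absolute paths, '..' traversal and device files in the archive.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch, rel)
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_of(restored) != expected:
                result["corrupt"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def demo():
    """Constructed run: a clean backup verifies; a re-archived tree with a changed
    file but the original manifest is reported as corrupt."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "data")
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")
        (src / "users.db").write_bytes(os.urandom(4096))
        archive = Path(work, "backup.tgz")
        make_backup(src, archive)
        clean = restore_test(archive)
        (src / "etc" / "app.conf").write_text("listen=80\n")  # tamper after the manifest
        with tarfile.open(archive, "w:gz") as tar:
            for path in src.rglob("*"):
                if path.is_file():
                    tar.add(str(path), arcname=path.relative_to(src).as_posix())
        tampered = restore_test(archive)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Store the manifest with the offline copy required by 10.5 and sign or hash it separately from the archive; a manifest that travels with the archive on the same media is only as trustworthy as the media. For image-level backups (10.2) the same test applies at the system level: boot the restored image in an isolated network and confirm the services start.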
11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
11 | 11.2 | Network | Identify | Document Traffic Configuration Rules | All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual's name responsible for that business need, and an expected duration of the need. | Medium | Agency | Agency | CSP | CSP | |
11 | 11.3 | Network | Detect | Use Automated Tools to Verify Standard Device Configurations and Detect Changes | Compare all network device configuration against approved security configurations defined for each network device in use, and alert when any deviations are discovered. | Medium | Agency | Agency | CSP | CSP | |
11 | 11.4 | Network | Protect | Install the Latest Stable Version of Any Security-Related Updates on All Network Devices | Install the latest stable version of any security-related updates on all network devices. | Low | Agency | CSP | CSP | CSP | |
11 | 11.5 | Network | Protect | Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions | Manage all network devices using multi-factor authentication and encrypted sessions. | Medium | Agency | CSP | CSP | CSP | |
11 | 11.6 | Network | Protect | Use Dedicated Machines For All Network Administrative Tasks | Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine shall be segmented from the organization's primary network and not be allowed Internet access. This machine shall not be used for reading email, composing documents, or surfing the Internet. | Medium | Agency | CSP | CSP | CSP | |
11 | 11.7 | Network | Protect | Manage Network Infrastructure Through a Dedicated Network | Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices. | Medium | Agency | CSP | CSP | CSP | |
12 Boundary Defense
Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
12 | 12.2 | Network | Detect | Scan for Unauthorized Connections Across Trusted Network Boundaries | Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary. | Medium | Agency | CSP | CSP | CSP | |
12 | 12.3 | Network | Protect | Deny Communications With Known Malicious IP Addresses | Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization's network boundaries. | Medium | Agency | Agency | CSP | CSP | |
12 | 12.4 | Network | Protect | Deny Communication Over Unauthorized Ports | Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization's network boundaries. | Low | Agency | Agency | CSP | CSP | |
12 | 12.5 | Network | Detect | Configure Monitoring Systems to Record Network Packets | Configure monitoring systems to record network packets passing through the boundary at each of the organization's network boundaries. | Medium | Agency | CSP | CSP | CSP | |
12 | 12.6 | Network | Detect | Deploy Network-Based IDS Sensors | Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization's network boundaries. | Medium | Agency | CSP | CSP | CSP | |
12 | 12.7 | Network | Protect | Deploy Network-Based Intrusion Prevention Systems | Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization's network boundaries. | High | Agency | CSP | CSP | CSP | |
12 | 12.8 | Network | Detect | Deploy NetFlow Collection on Networking Boundary Devices | Enable the collection of NetFlow and logging data on all network boundary devices. | Medium | Agency | CSP | CSP | CSP | |
12 | 12.9 | Network | Detect | Deploy Application Layer Filtering Proxy Server | Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections. | High | Agency | CSP | CSP | CSP | |
12 | 12.10 | Network | Detect | Decrypt Network Traffic at Proxy | Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic. | High | Agency | CSP | CSP | CSP | |
12 | 12.11 | Users | Protect | Require All Remote Login to Use Multi-Factor Authentication | Require all remote login access to the organization's network to encrypt data in transit and use multi-factor authentication. | Medium | Agency | CSP | CSP | CSP | |
12 | 12.12 | Devices | Protect | Manage All Devices Remotely Logging into Internal Network | Scan all enterprise devices remotely logging into the organization's network prior to accessing the network to ensure that each of the organization's security policies has been enforced in the same manner as local network devices. | High | Agency | CSP | CSP | CSP | |
S.5.06.01.1F Cloud Services Assessment Worksheet All CIS Controls & Sub-Controls 10/20/2021
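In IaaS the "network boundary" of 12.3 and 12.4 is largely a set of security-group or network-ACL rules, so the two sub-controls can be checked as a rule audit. The script below is an added example and not CIS-provided; the rule shape, the authorized-port list, the management-port list and the threat-intelligence ranges are all constructed and hypothetical, not any provider's API.

```python
"""Added example (not CIS-provided): audit inbound boundary rules in a generic
security-group shape against 12.3 (no known-malicious ranges) and 12.4 (only
authorized ports cross the boundary). Rules, the authorized-port list and the
threat-intel ranges are constructed and hypothetical."""
import ipaddress

# Constructed threat-intel feed of ranges the boundary must deny (12.3).
KNOWN_BAD = [ipaddress.ip_network("198.51.100.0/24")]
# TCP ports the boundary policy authorizes from the Internet (12.4).
INTERNET_ALLOWED_TCP = {443}
# Management ports that must never be reachable from the Internet.
ADMIN_PORTS = {22, 3389, 5985, 5986}

# Constructed inbound allow rules; "-1" is the "all protocols" convention.
RULES = [
    {"id": "sg-web-https", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
    {"id": "sg-web-ssh", "proto": "tcp", "ports": (22, 22), "cidr": "0.0.0.0/0"},
    {"id": "sg-db", "proto": "tcp", "ports": (5432, 5432), "cidr": "10.0.0.0/16"},
    {"id": "sg-partner", "proto": "tcp", "ports": (8443, 8443), "cidr": "198.51.100.40/32"},
    {"id": "sg-any", "proto": "-1", "ports": (0, 65535), "cidr": "0.0.0.0/0"},
    {"id": "sg-rdp-v6", "proto": "tcp", "ports": (3389, 3389), "cidr": "::/0"},
]


def audit_rules(rules, allowed_tcp=INTERNET_ALLOWED_TCP, bad_ranges=KNOWN_BAD,
                admin_ports=ADMIN_PORTS):
    """Return (rule id, finding) pairs for every rule that violates the policy."""
    findings = []
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
        low, high = rule["ports"]
        ports = set(range(low, high + 1))
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is the whole Internet, v6 included
            if rule["proto"] == "-1":
                findings.append((rule["id"], "all protocols and ports open to the Internet"))
            elif ports & admin_ports:
                findings.append((rule["id"],
                                 f"administrative port(s) {sorted(ports & admin_ports)} "
                                 "exposed to the Internet"))
            elif rule["proto"] != "tcp" or not ports <= allowed_tcp:
                findings.append((rule["id"],
                                 f"unauthorized {rule['proto']} port range {low}-{high} "
                                 "exposed to the Internet"))
            continue
        # Narrower rules: flag any that explicitly admit a known-malicious range.
        for bad in bad_ranges:
            if bad.version == net.version and net.overlaps(bad):
                findings.append((rule["id"], f"allows traffic from known-malicious range {bad}"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_rules(RULES):
        print(f"{rule_id}: {finding}")
```

The IPv6 rule is included deliberately: audits that only look for 0.0.0.0/0 miss ::/0, and dual-stack instances are reachable over both. An allow rule is flagged for overlapping a malicious range, but denying such ranges on the Internet-wide 443 rule needs an explicit deny mechanism (a network ACL or a firewall in front of the service), which allow-only security groups cannot express.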
13 Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
13 | 13.2 | Data | Protect | Remove Sensitive Data or Systems Not Regularly Accessed by Organization | Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed. | Low | Agency | Agency | Agency | CSP | |
13 | 13.3 | Data | Detect | Monitor and Block Unauthorized Network Traffic | Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals. | High | Agency | Agency | CSP | CSP | |
13 | 13.4 | Data | Protect | Only Allow Access to Authorized Cloud Storage or Email Providers | Only allow access to authorized cloud storage or email providers. | Medium | Agency | Agency | CSP | CSP | |
13 | 13.5 | Data | Detect | Monitor and Detect Any Unauthorized Use of Encryption | Monitor all traffic leaving the organization and detect any unauthorized use of encryption. | High | Agency | Agency | CSP | CSP | |
13 | 13.6 | Data | Protect | Encrypt Mobile Device Data | Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices. | Low | CSP | CSP | CSP | CSP | |
13 | 13.7 | Data | Protect | Manage USB Devices | If USB storage devices are required, enterprise software should be used that can configure systems to allow the use of specific devices. An inventory of such devices should be maintained. | Medium | CSP | CSP | CSP | CSP | |
13 | 13.8 | Data | Protect | Manage System's External Removable Media's Read/Write Configurations | Configure systems not to write data to external removable media, if there is no business need for supporting such devices. | High | Agency | CSP | CSP | CSP | |
13 | 13.9 | Data | Protect | Encrypt Data on USB Storage Devices | If USB storage devices are required, all data stored on such devices must be encrypted while at rest. | High | CSP | CSP | CSP | CSP | |
14 Controlled Access Based on the Need to Know
The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
14 | 14.2 | Network | Protect | Enable Firewall Filtering Between VLANs | Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities. | Medium | Agency | CSP | CSP | CSP | |
14 | 14.3 | Network | Protect | Disable Workstation to Workstation Communication | Disable all workstation-to-workstation communication to limit an attacker's ability to move laterally and compromise neighboring systems, through technologies such as Private VLANs or micro segmentation. | Medium | Agency | CSP | CSP | CSP | |
14 | 14.4 | Data | Protect | Encrypt All Sensitive Information in Transit | Encrypt all sensitive information in transit. | Medium | Agency | Agency | Agency | Agency | |
14 | 14.5 | Data | Detect | Utilize an Active Discovery Tool to Identify Sensitive Data | Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization's technology systems, including those located on-site or at a remote service provider, and update the organization's sensitive information inventory. | High | Agency | CSP | CSP | CSP | |
14 | 14.6 | Data | Protect | Protect Information Through Access Control Lists | Protect all information stored on systems with file system, network share, claims, application, or database specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities. | Low | Agency | Agency | Agency | CSP | |
14 | 14.7 | Data | Protect | Enforce Access Control to Data Through Automated Tools | Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when data is copied off a system. | High | Agency | CSP | CSP | CSP | |
14 | 14.8 | Data | Protect | Encrypt Sensitive Information at Rest | Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information. | High | Agency | Agency | CSP | CSP | |
14 | 14.9 | Data | Detect | Enforce Detail Logging for Access or Changes to Sensitive Data | Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Monitoring). | High | Agency | Agency | CSP | CSP | |
15 Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
15 | 15.2 | Network | Detect | Detect Wireless Access Points Connected to the Wired Network | Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network. | Medium | N/A | N/A | N/A | N/A | |
15 | 15.3 | Network | Detect | Use a Wireless Intrusion Detection System | Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network. | Medium | N/A | N/A | N/A | N/A | |
15 | 15.4 | Devices | Protect | Disable Wireless Access on Devices if Not Required | Disable wireless access on devices that do not have a business purpose for wireless access. | High | N/A | N/A | N/A | N/A | |
15 | 15.5 | Devices | Protect | Limit Wireless Access on Client Devices | Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks. | High | N/A | N/A | N/A | N/A | |
15 | 15.6 | Devices | Protect | Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients | Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients. | Medium | N/A | N/A | N/A | N/A | |
15 | 15.7 | Network | Protect | Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data | Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit. | Low | N/A | N/A | N/A | N/A | |
15 | 15.8 | Network | Protect | Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication | Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP/TLS), which requires mutual, multi-factor authentication. | High | N/A | N/A | N/A | N/A | |
15 | 15.9 | Devices | Protect | Disable Wireless Peripheral Access of Devices | Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose. | Medium | N/A | N/A | N/A | N/A | |
15 | 15.10 | Network | Protect | Create Separate Wireless Network for Personal and Untrusted Devices | Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly. | Low | N/A | N/A | N/A | N/A | |
16 Account Monitoring and Control
Actively manage the life cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
16 | 16.2 | Users | Protect | Configure Centralized Point of Authentication | Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.3 | Users | Protect | Require Multi-Factor Authentication | Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.4 | Users | Protect | Encrypt or Hash all Authentication Credentials | Encrypt or hash with a salt all authentication credentials when stored. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.5 | Users | Protect | Encrypt Transmittal of Username and Authentication Credentials | Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels. | Medium | Agency | Agency | CSP | CSP | |
16 | 16.6 | Users | Identify | Maintain an Inventory of Accounts | Maintain an inventory of all accounts organized by authentication system. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.7 | Users | Protect | Establish Process for Revoking Access | Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.8 | Users | Respond | Disable Any Unassociated Accounts | Disable any account that cannot be associated with a business process or business owner. | Low | Agency | Agency | Agency | Agency | |
16 | 16.9 | Users | Respond | Disable Dormant Accounts | Automatically disable dormant accounts after a set period of inactivity. | Low | Agency | Agency | Agency | Agency | |
16 | 16.10 | Users | Protect | Ensure All Accounts Have An Expiration Date | Ensure that all accounts have an expiration date that is monitored and enforced. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.11 | Users | Protect | Lock Workstation Sessions After Inactivity | Automatically lock workstation sessions after a standard period of inactivity. | Low | Agency | CSP | CSP | CSP | |
16 | 16.12 | Users | Detect | Monitor Attempts to Access Deactivated Accounts | Monitor attempts to access deactivated accounts through audit logging. | Medium | Agency | Agency | Agency | Agency | |
16 | 16.13 | Users | Detect | Alert on Account Login Behavior Deviation | Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration. | High | Agency | Agency | Agency | Agency | |
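Sub-control 16.4 is the one row in this control that maps directly to code an agency's own applications must get right, since the CSP does not see application-level credential stores. The following is an added example, not CIS code: a per-credential random salt with a slow key-derivation function, constant-time verification, and an upgrade path for legacy unsalted records. It uses only the Python standard library; the user store is constructed.

```python
"""Added example (not CIS-provided): store and verify passwords the way 16.4
asks for, hashed with a per-credential random salt and a slow KDF, and flag
legacy records for re-hashing at next login. Uses only the standard library;
the user records are constructed."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor in the range recommended in 2023


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>' with a fresh 16-byte salt.
    The salt is stored in the clear: its job is uniqueness, not secrecy."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(actual, base64.b64decode(digest_b64))


def unsalted_sha256(password):
    """The anti-pattern 16.4 rules out: equal passwords give equal digests, so one
    precomputed table cracks every user at once. Kept here only for comparison."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def needs_rehash(stored, iterations=ITERATIONS):
    """True for legacy or under-iterated records that should be upgraded."""
    parts = stored.split("$")
    return parts[0] != ALGORITHM or int(parts[1]) < iterations


def login(store, username, password):
    """Verify against the user store; on success, upgrade a legacy unsalted
    record in place so the weak hash disappears at the user's next login."""
    record = store.get(username)
    if record is None:
        return False
    if record.startswith(ALGORITHM + "$"):
        ok = verify_password(password, record)
    else:  # legacy unsalted sha256 hex digest
        ok = hmac.compare_digest(record, unsalted_sha256(password))
    if ok and needs_rehash(record):
        store[username] = hash_password(password)
    return ok


# Constructed user store: one modern record and one legacy unsalted record.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "legacy-bob": unsalted_sha256("hunter2"),
}
```

Two things the row's wording leaves implicit: "encrypt" is the right choice only for credentials the system must present to something else (API keys, service passwords), where a key-management service holds the key; passwords users present to you are never needed in the clear again and belong under a salted slow hash. And the lazy upgrade in login is the only honest way to migrate: the legacy digest cannot be converted without the plaintext, so unsalted records persist until each user next authenticates, and dormant accounts (16.9) keep the weak hash indefinitely unless disabled.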
17 Implement a Security Awareness and Training Program
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
17 | 17.2 | N/A | N/A | Deliver Training to Fill the Skills Gap | Deliver training to address the skills gap identified to positively impact workforce members' security behavior. | Medium | Agency | Agency | Agency | Agency | |
17 | 17.3 | N/A | N/A | Implement a Security Awareness Program | Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. The organization's security awareness program should be communicated in a continuous and engaging manner. | Low | Agency | Agency | Agency | Agency | |
17 | 17.4 | N/A | N/A | Update Awareness Content Frequently | Ensure that the organization's security awareness program is updated frequently (at least annually) to address new technologies, threats, standards, and business requirements. | Medium | Agency | Agency | Agency | Agency | |
17 | 17.5 | N/A | N/A | Train Workforce on Secure Authentication | Train workforce members on the importance of enabling and utilizing secure authentication. | Low | Agency | Agency | Agency | Agency | |
17 | 17.6 | N/A | N/A | Train Workforce on Identifying Social Engineering Attacks | Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls. | Low | Agency | Agency | Agency | Agency | |
17 | 17.7 | N/A | N/A | Train Workforce on Sensitive Data Handling | Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information. | Low | Agency | Agency | Agency | Agency | |
17 | 17.8 | N/A | N/A | Train Workforce on Causes of Unintentional Data Exposure | Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email. | Low | Agency | Agency | Agency | Agency | |
17 | 17.9 | N/A | N/A | Train Workforce Members on Identifying and Reporting Incidents | Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident. | Low | Agency | Agency | Agency | Agency | |
18 Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
18 | 18.2 | N/A | N/A | Ensure That Explicit Error Checking is Performed for All In-House Developed Software | For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats. | Medium | Agency | Agency | Agency | Agency | |
18 | 18.3 | N/A | N/A | Verify That Acquired Software is Still Supported | Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations. | Medium | Agency | Agency | Agency | CSP | |
18 | 18.4 | N/A | N/A | Only Use Up-to-Date and Trusted Third-Party Components | Only use up-to-date and trusted third-party components for the software developed by the organization. | Medium | Agency | Agency | Agency | CSP | |
18 | 18.5 | N/A | N/A | Use Only Standardized and Extensively Reviewed Encryption Algorithms | Use only standardized, currently accepted, and extensively reviewed encryption algorithms. | Medium | Agency | Agency | Agency | CSP | |
18 | 18.6 | N/A | N/A | Ensure Software Development Personnel are Trained in Secure Coding | Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities. | Medium | Agency | Agency | Agency | Agency | |
18 | 18.7 | N/A | N/A | Apply Static and Dynamic Code Analysis Tools | Apply static and dynamic analysis tools to verify that secure coding practices are being adhered to for internally developed software. | Medium | Agency | Agency | Agency | CSP | |
18 | 18.8 | N/A | N/A | Establish a Process to Accept and Address Reports of Software Vulnerabilities | Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group. | Medium | Agency | Agency | Agency | Agency | |
18 | 18.9 | N/A | N/A | Separate Production and Non-Production Systems | Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments. | Medium | Agency | Agency | Agency | Agency | |
18 | 18.10 | N/A | N/A | Deploy Web Application Firewalls | Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, specific application firewalls should be deployed if such tools are available for the given application type. If the traffic is encrypted, the device should either sit behind the encryption or be capable of decrypting the traffic prior to analysis. If neither option is appropriate, a host-based web application firewall should be deployed. | Medium | Agency | Agency | Agency | CSP | |
18 | 18.11 | N/A | N/A | Use Standard Hardening Configuration Templates for Databases | For applications that rely on a database, use standard hardening configuration templates. All systems that are part of critical business processes should also be tested. | Medium | Agency | Agency | Agency | Agency | |
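Sub-control 18.2 names four checks (size, data type, range, format) and asks that they be explicit and documented; a declarative schema does both at once. The validator below is an added example, not CIS code: the endpoint, field names and sample payloads are constructed for illustration.

```python
"""Added example (not CIS-provided): explicit input checking for size, type,
range and format before a request reaches business logic (sub-control 18.2).
The endpoint, field names and sample payloads are constructed for illustration."""
import re
from datetime import date

# Hypothetical schema for an in-house "open case" API. Every field states its
# exact type, a hard size limit, and either a format pattern, a parser, or a range.
SCHEMA = {
    "case_id":  {"type": str, "max_len": 12, "pattern": r"[A-Z]{2}-[0-9]{4,8}"},
    "priority": {"type": int, "min": 1, "max": 5},
    "email":    {"type": str, "max_len": 254, "pattern": r"[^@\s]+@[^@\s]+\.[^@\s]+"},
    "opened":   {"type": str, "max_len": 10, "parse": date.fromisoformat},
    "notes":    {"type": str, "max_len": 2000, "required": False},
}


def validate(payload, schema=SCHEMA):
    """Return a list of 'field: problem' strings; an empty list means accept.
    Unknown fields are rejected too, so a caller cannot smuggle in extra keys."""
    errors = []
    if not isinstance(payload, dict):
        return ["payload: expected a JSON object"]
    for name, rule in schema.items():
        if name not in payload:
            if rule.get("required", True):
                errors.append(f"{name}: missing")
            continue
        value = payload[name]
        # Exact type check: bool is a subclass of int, so isinstance(True, int) is
        # True and a looser check would accept "priority": true as priority 1.
        if type(value) is not rule["type"]:
            errors.append(f"{name}: expected {rule['type'].__name__}, got {type(value).__name__}")
            continue
        if isinstance(value, str):
            if len(value) > rule["max_len"]:  # size first, before any regex or parser runs
                errors.append(f"{name}: longer than {rule['max_len']} characters")
                continue
            if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
                errors.append(f"{name}: does not match the required format")
            if "parse" in rule:
                try:
                    rule["parse"](value)
                except ValueError:
                    errors.append(f"{name}: not a valid value")
        else:
            if not rule["min"] <= value <= rule["max"]:
                errors.append(f"{name}: outside the range {rule['min']}..{rule['max']}")
    for extra in sorted(payload.keys() - schema.keys()):
        errors.append(f"{extra}: unexpected field")
    return errors


# Constructed sample requests: one well-formed, one that trips every check.
GOOD_REQUEST = {"case_id": "NV-20240305", "priority": 3,
                "email": "clerk@example.gov", "opened": "2024-03-05"}
BAD_REQUEST = {"case_id": "NV-2024'; DROP TABLE cases;--", "priority": True,
               "email": "not-an-address", "opened": "2024-13-40",
               "notes": "x" * 3000, "debug": 1}

if __name__ == "__main__":
    print(validate(GOOD_REQUEST))
    print(validate(BAD_REQUEST))
```

Two details are deliberate. re.fullmatch is used rather than re.match with a trailing $, because $ also matches before a trailing newline and would accept "NV-1234\n"; and the length limit runs before the regex or parser so that oversized input is rejected cheaply, which is what keeps a pathological pattern from becoming a denial-of-service vector.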
19 Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
19 | 19.2 | N/A | N/A | Assign Job Titles and Duties for Incident Response | Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution. | Medium | Agency | Agency | Agency | Agency | |
19 | 19.3 | N/A | N/A | Designate Management Personnel to Support Incident Handling | Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles. | Low | Agency | Agency | Agency | Agency | |
19 | 19.4 | N/A | N/A | Devise Organization-wide Standards for Reporting Incidents | Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification. | Medium | Agency | Agency | Agency | Agency | |
19 | 19.5 | N/A | N/A | Maintain Contact Information For Reporting Security Incidents | Assemble and maintain information on third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners. | Low | Agency | Agency | Agency | Agency | |
19 | 19.6 | N/A | N/A | Publish Information Regarding Reporting Computer Anomalies and Incidents | Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Such information should be included in routine employee awareness activities. | Low | Agency | Agency | Agency | Agency | |
19 | 19.7 | N/A | N/A | Conduct Periodic Incident Scenario Sessions for Personnel | Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responders' technical capabilities using tools and data available to them. | Medium | Agency | Agency | Agency | Agency | |
19 | 19.8 | N/A | N/A | Create Incident Scoring and Prioritization Schema | Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define frequency of status updates and escalation procedures. | High | Agency | Agency | Agency | Agency | |
20 Penetration Tests and Red Team Exercises
Test the overall strength of an organization's defense (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
20 | 20.2 | N/A | N/A | Conduct Regular External and Internal Penetration Tests | Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. | Medium | Agency | Agency | Agency | Agency | |
20 | 20.3 | N/A | N/A | Perform Periodic Red Team Exercises | Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively. | High | Agency | Agency | Agency | Agency | |
20 | 20.4 | N/A | N/A | Include Tests for Presence of Unprotected System Information and Artifacts | Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, e-mails or documents containing passwords or other information critical to system operation. | Medium | Agency | Agency | Agency | Agency | |
20 | 20.5 | N/A | N/A | Create Test Bed for Elements Not Typically Tested in Production | Create a test bed that mimics a production environment for specific penetration tests and Red Team attacks against elements that are not typically tested in production, such as attacks against supervisory control and data acquisition and other control systems. | Medium | Agency | Agency | Agency | Agency | |
20 | 20.6 | N/A | N/A | Use Vulnerability Scanning and Penetration Testing Tools in Concert | Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be used as a starting point to guide and focus penetration testing efforts. | Medium | Agency | Agency | Agency | Agency | |
20 | 20.7 | N/A | N/A | Ensure Results from Penetration Test are Documented Using Open, Machine-readable Standards | Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time. | High | Agency | Agency | Agency | Agency | |
20 | 20.8 | N/A | N/A | Control and Monitor Accounts Associated with Penetration Testing | Any user or system accounts used to perform penetration testing should be controlled and monitored to make sure they are only being used for legitimate purposes, and are removed or restored to normal function after testing is over. | Medium | Agency | Agency | Agency | Agency | |
NV Additional State of Nevada Questions
CIS Control | CIS Sub-Control | Asset Type | Security Function | Title | Description | Risk | IaaS | PaaS | SaaS | FaaS | Vendor Response | Agency Notes
NV | NV.2 | N/A | N/A | Data Segregation | If dedicated infrastructure is desired, can you ensure it is isolated? | Low | CSP | CSP | CSP | CSP | |
NV | NV.3 | N/A | N/A | Data Residency | Will State data be held only in data centers located within the continental United States? | Low | CSP | CSP | CSP | CSP | |
NV | NV.4 | N/A | N/A | Physical and personnel security | Is there restricted and monitored physical access to critical assets 24x7? | Low | CSP | CSP | CSP | CSP | |
NV | NV.5 | N/A | N/A | Physical and personnel security | Do you perform background checks on all relevant personnel? If so, how extensive? | Low | CSP | CSP | CSP | CSP | |
NV | NV.6 | N/A | N/A | Physical and personnel security | Do you document employee access to customer data? | Low | CSP | CSP | CSP | CSP | |
NV | NV.7 | N/A | N/A | Intellectual property | Can the SLA/contract stipulate that all State data (or applications), including all replicated and redundant copies, is owned by the State of Nevada, and all rights to usage of the data are reserved? | Low | CSP | CSP | CSP | CSP | |
NV | NV.8 | N/A | N/A | End-of-service support | What is delivered at the end-of-service or contract termination? | Low | CSP | CSP | CSP | CSP | |
NV | NV.9 | N/A | N/A | End-of-service support | Will data be packaged and delivered back to the State? If so, in what format? | Low | CSP | CSP | CSP | CSP | |
NV | NV.10 | N/A | N/A | End-of-service support | How soon after termination will the State receive the data? | Low | CSP | CSP | CSP | CSP | |
NV | NV.11 | N/A | N/A | End-of-service support | How will any copies of State information be purged from the vendor's systems? When will this happen? | Low | CSP | CSP | CSP | CSP | |
NV | NV.12 | N/A | N/A | End-of-service support | Specify any fees that may be incurred at the end of the service or at contract termination. | Low | CSP | CSP | CSP | CSP | |
