Now is a great time to review your security posture, as you have a new tool to help you. On May 18, 2021, the Center for Internet Security (CIS) released Version 8 of its CIS Controls, formerly known as the CIS Critical Security Controls (and often called the "CIS Top 20").
CIS intends the new version to better address some of the major developments in IT and cybersecurity over the past several years, including the movement to cloud solutions, increased mobility, and normalization of remote work. CIS is also updating the ecosystem of tools that support the Controls, including self-assessment tools and a method for risk assessments that helps to justify security investments.
The Version 8 update is likely to garner a lot of attention from companies looking to address the "reasonable security" requirements referenced in California law (see Cal. Civ. Code 1798.81.5(b), 1798.150(a)(1)), including in the forthcoming California Privacy Rights Act (CPRA), as well as numerous other state laws.
Then-California Attorney General (now Vice President) Kamala Harris concluded in her 2016 data breach report that an organization's failure to implement all applicable CIS Controls "constitutes a lack of reasonable security." Since that report, many companies have used the CIS Controls as a primary way for evaluating their compliance with reasonable security provisions.
Evolving Environments, Evolving Controls
At their core, the CIS Controls are a list of security best practices similar to security frameworks such as NIST 800-53 and the ISO 27000-series. Prior to Version 8, the CIS Controls were organized into 20 top-level controls that addressed, for example, access control, vulnerability assessment, audit log maintenance, and other foundational controls that mitigate security risk. Each top-level control includes specific "safeguards" (previously called "sub-controls"), which are actions, tools, or other resources that support the top-level control.
The key difference between the CIS Controls and other frameworks is their organization of the controls into "Implementation Groups" (IGs), which define a set of recommended security controls based on risk. Organizations may choose the IG appropriate to their risk and budget, then implement the controls listed for that IG.
- IG 1 is the most basic group of controls, which CIS considers to be "basic cyber hygiene" that "represents an emerging minimum standard of information security for all enterprises."
- IG 2 builds on IG 1 for organizations that have more complex security risks and needs.
- IG 3 comprises all the controls.
This grouping makes the CIS Controls an attractive option for businesses of varying sizes and risk profiles, including small- and medium-sized businesses focused on basic cyber hygiene and defense.
In addition to creating IGs, Version 8 consolidates several top-level controls, thereby reducing the total number from 20 to 18, renames many of the controls, and reorganizes the relationship between the controls and many of their underlying safeguards. The Version 8 safeguards place much more emphasis on mobile and cloud security than prior versions' sub-controls.
In large part, these changes reflect CIS's goal of focusing more holistically on system and asset security—regardless of where those systems or assets reside (within the corporate network, in the cloud, at an employee's home, etc.) and which IT teams might be responsible for them. For example, Version 7.1 has a control specifically for "Wireless Access Control," which includes a sub-control to "Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data" (among others).
In Version 8, there is no control singularly focused on wireless security. Instead, wireless safeguards are dispersed throughout, and encryption of wireless traffic is rolled into a more general safeguard to "Encrypt Sensitive Data in Transit" under the "Data Protocol" control. Version 8 notes that "[p]hysical devices, fixed boundaries, and discrete islands of security implementation are less important" in computing now than they were when prior versions were adopted.
"Reasonable Security," Significant Risk
New data privacy and security laws are increasing pressure on organizations to adopt "reasonable" security controls for personal data. For instance, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect in March 2020, requires businesses to "implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information."
On the other side of the country, the CPRA will update California law as of January 1, 2023, to require "[a] business that collects a consumer's personal information [to] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5."
Likewise, the Virginia Consumer Data Protection Act, which also becomes operative on January 1, 2023, requires businesses to "[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."
The White House, too, has joined the fray with its recent Executive Order on Improving the Nation's Cybersecurity (which we previously covered here). Intentionally or not, Version 8's more holistic approach to security and increased emphasis on cloud and mobile technologies echoes many provisions of the Executive Order.
Among other things, the Executive Order directs the government to accelerate its movement to cloud systems and to adopt "zero-trust architecture" (ZTA), a security model that challenges the traditional notion of a security "perimeter" and focuses on the defense of computing assets wherever they reside.1 Government contractors and suppliers who may need to shift towards cloud-based systems and ZTA-based security might consult the new CIS Controls to evaluate and develop their security programs.
Organizations of all sizes face some degree of information security risk to confidential or personal data. CIS Controls Version 8 makes mitigating those risks even more accessible and provides a great excuse to take account of your security posture.
1 The National Institute of Standards and Technology (NIST) states that ZTA's "focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary."