Why Implementation Groups Are So Important to CIS Controls v8


The Center for Internet Security (CIS) recently dropped the number of Critical Controls from 20 to 18. Some of us still think of them as the SANS Top 20, so that’s kind of a big deal.

Scratch two things off the list!

There really aren’t fewer things to do, of course. CIS updated the Controls to better address modern technology and to help you prioritize. There’s no magic in the actual number of Controls that you need to implement.

Pay Attention to Implementation Groups

I’ll forgive you if you didn’t notice Implementation Groups (IG) before, but you should definitely know about them now. Here’s a little bit of context:

Introduced back in Version 7.1, the IGs encapsulate recommended guidance that organizations can use to prioritize their implementation of the CIS Controls. They consider an organization’s risk profile and available resources as factors that affect where security teams can direct their focus.

Which brings us to the change made in Version 8. In that iteration, CIS designates the first Implementation Group, IG1, as “basic cyber hygiene.” You can use the 56 Safeguards of IG1 to create a minimum standard of security for your operations.

Note the word minimum in the sentence above. With more resources, you can move on to IG2. That Implementation Group includes all the Safeguards of IG1 along with 74 additional Safeguards for building an even stronger security posture. And for the most comprehensive protection against digital threats long term, you can embrace IG3 and implement all 153 Safeguards.

Putting This Change into Context

Cybersecurity is an ongoing effort; security teams simply can’t do everything they need to do upfront. A better approach is to figure out where you are currently and not get overwhelmed by all that you could do to strengthen your security posture. It’s a point that echoes across all of cybersecurity, and one that CIS is increasingly highlighting now. Organizations need to find out where to start. That’s why you should consider focusing on IG1 first before progressing to IG2 and IG3.

Why is this important? After talking with customers at various companies over the years, I’ve come to see that many organizations don’t always know what to do when it comes to their cybersecurity efforts. Many don’t know where their holes are, and many others don’t have a roadmap to guide where they need to improve. Still others know what to do but feel the pressure of trying to figure out which best practices to implement first.

Focusing on IG1 can help you overcome all of those obstacles. IG1 includes Safeguards from 15 of the 18 CIS Controls, so if you are looking at IG1, you’re looking at Safeguards from most of the Controls. IG1 can also guide organizations that don’t have a formal security strategy. In this scenario, IG1 becomes the roadmap. You can use it to fill in what’s missing. If five things are missing, you can do those. And if you have more than that, you can do five and then figure out what you want to do from there.

Guidelines for an Individual Success

All that said, it’s important to remember that IGs are just guidelines.

No two cybersecurity professionals will ever agree on exactly what should fall into each Implementation Group. That’s because everyone has a different perception of risk.

Effective cybersecurity isn’t one-size-fits-all; it’s a game of risk management. There’s an increasing need for organizations to do it effectively because they don’t have infinite resources. What are your organization’s priorities? What risks can you accept as you bring other risks to an acceptable level? Those are questions that we need to look at individually and answer for ourselves.

Self-sovereignty doesn’t end there. It’s also important to filter out all the FUD from vendors. It can be easy to let fear drive security priorities or cause a mixture of complacency and paralysis. By filtering out the FUD, you can figure out what solutions you need—whether those are new products, processes, or compensating controls.

Ultimately, it’s up to you to use the IGs to guide what you’re doing. Take what you need and leave the rest.

See how Cisco’s broad security portfolio offers extensive support for CIS Controls and other best practices by visiting our Cybersecurity Framework Guidance page.