I missed this getting announced, but a few weeks ago a new CIS Top 20 Critical Security Controls doc came out, version 7. There is a registration wall to get past (and one of the few times I had mailinator denied ever), but that shouldn’t be a problem for anyone in security.
This new version chops the list of 20 slightly differently, and actually moves the previous #3 item about secure configurations down to #5. Instead of typically advising to tackle the top 5 items as a priority, the top 6 items are now considered “Basic” controls. Items 7 through 16 are “Foundational” controls, and 17 through 20 are “Organizational.” While adding a different visualization/chunking to the list, this really doesn’t change anything. I do like that this results in vulnerability management appearing at #3 right below the two inventory controls. I think this is appropriate. Secure configurations are hard (“yuck, documentation!”), and so many people lose steam at that control.
I do like the change to 17 away from the awkward skills assessment and gaps wording to being more standard as a “Security Awareness and Training Program.” Previously, this always sounded like a way to train internal security staff (and was probably worded that way to promote training from the previous custodians of the list, SANS), which then left questions about security awareness programs in general.
There are also many more individual sub-controls under each control, which I really like. In the past, I could usually add one or two extra bullets under each control just to fill it out a bit, but I feel like these are fairly solid so far.
There are still some minor gaps, however. For instance, traditional physical security isn’t present, though that usually falls into a facilities sort of department. Cloud security isn’t really a thing on its own, though clearly every control on-prem will have analogous controls in the cloud, depending on what sort of cloud presence is maintained. I’d love to see Threat Hunting functions get rolled into Pen Test/Red Team Exercises. I always have to think twice about control #7: Web and Email Security. It just seems like it should be included in other items, but it’s a large enough attack surface that I get pulling it out. And I also always wince that an entire appsecdev section gets shoved into a single control down at #18.
There are also very few call-outs to documentation and diagrams. They’re so valuable for insiders, outsiders, new employees, new vendors, and so on to get a quick handle on how a network is laid out, critical data flows, attack surface, and high level posture. No space ship general lacks for a holographic display of the important pieces, and I wish most items called out more artifacts like policies, diagrams, and such in the sub-controls.
Lastly, #10 Data Recovery Capabilities is always a tough one for me. In my mind, this is control #0 that every organization should have: Backups! And it’s also probably the one control that has the smallest infosec scope in the list. Do you do it? Is recovery proven and ready? Retention is set in policy? Cool, move on! Eliminating this as a top 20 control would free up a slot for something else. Some inflate this item into BCP/DR processes or otherwise blow it up into Availability or Resiliency in general. I get it, but the sub-controls don’t reflect it.
Overall, are these huge changes? No, but they do reflect incremental changes in our landscape that bring the list up to modern standards. And this list remains one of my primary and initial roadmaps for infosec in organizations.