PROACTIVERISK
GRAY BEARD BLOG

SHARING RANDOM THOUGHTS ON TECH

Mapping CISA CPG to CIS V8 Controls to measure risk

1/31/2024

The CISA (Cybersecurity & Infrastructure Security Agency) Critical Product Guidance (CPG) provides specific advice on securing various critical infrastructure products, while the CIS (Center for Internet Security) Controls V8 is a set of best practices designed to help organizations protect themselves from security threats.

The CISA CPG's mapping to the CIS V8 framework is not a one-to-one correlation because the two are designed with different purposes in mind. However, the CISA CPG's recommendations can often be seen as supporting the implementation of certain CIS Controls.

Here's how we map it in our MeasureRISK service offering:

Inventory and Control of Enterprise Assets and Software Assets (CIS Controls 1 & 2):
  • CISA CPGs often include recommendations for understanding and managing the assets in your environment, which corresponds to these CIS Controls.

Data Protection (CIS Control 3):
  • CPGs might have specific guidelines for ensuring that data is encrypted and stored securely, mapping to the data protection control.

Secure Configuration of Enterprise Assets and Software (CIS Control 4):
  • CISA's guidance on securing specific products often aligns with the secure configuration principles outlined in CIS Control 4.

Account Management (CIS Control 5):
  • Recommendations on managing user accounts and privileges in CPGs would be relevant to this CIS Control.

Access Control Management (CIS Control 6):
  • CISA's guidance on ensuring appropriate access controls could support the principles in CIS Control 6.

Continuous Vulnerability Management (CIS Control 7):
  • CPGs often include recommendations on regular patching and vulnerability scanning, aligning with this CIS Control.

Audit Log Management (CIS Control 8):
  • CISA's recommendations for proper logging and monitoring practices can be mapped to this control.

Email and Web Browser Protections (CIS Control 9):
  • Specific CPGs might offer advice on securing email systems and web browsers, aligning with this control.

Malware Defenses (CIS Control 10):
  • CISA's guidance on anti-malware practices and defenses would support this control.

Data Recovery (CIS Control 11):
  • CPGs that discuss backup solutions and data recovery processes would map to this control.

Network Infrastructure Management (CIS Control 12):
  • CISA's advice on securing network devices and infrastructure aligns with this control.

Security Awareness and Skills Training (CIS Control 13):
  • Any CPGs focusing on training and security awareness would support this control.

Service Provider Management (CIS Control 14):
  • CPGs may include guidance on managing third-party risks, mapping to this CIS Control.

Application Software Security (CIS Control 15):
  • Recommendations on securing application software in CPGs would be relevant here.

Incident Response and Management (CIS Control 16):
  • CISA's guidance on preparing for and responding to incidents supports this control.

Penetration Testing (CIS Control 17):
  • If CPGs include recommendations on conducting security assessments and penetration testing, they would map to this control.

Control Systems (CIS Control 18):
  • For CPGs that specifically address industrial control systems or other operational technologies, there would be a strong alignment with this control.

The mapping can be more specific and nuanced based on the detailed recommendations in CISA's CPGs and the specific sub-controls and implementation groups within CIS Controls V8. Organizations looking to align these two sets of guidance should review the specific recommendations and controls in detail and consider how the advice in CPGs supports the implementation of CIS Controls in their specific environment.

CISA has many resources available to help you be proactive about risk.


Proactive RISK and Dragos Inc. Forge Strategic Alliance to Fortify OT Cybersecurity in New Jersey’s Water Sector

1/29/2024

Caldwell, NJ, 01/29/2024 – Proactive Risk announces a strategic partnership with Dragos Inc., a leading force in industrial control systems (ICS) and operational technology (OT) cybersecurity, to offer cutting-edge, sensor-based cybersecurity solutions for the drinking water and wastewater sectors. This collaboration empowers local municipalities with affordable, comprehensive cybersecurity services, addressing everything from policy framework and cyber resilience to regulatory compliance.

The Dragos Platform, renowned for its exceptional industrial cybersecurity technology, grants unparalleled visibility into ICS/OT assets, vulnerabilities, and threats, and integrates Dragos’s top-tier OT threat intelligence. This community-focused model promotes collective defense among a wide industrial network, offering extensive threat visibility.

This union allows Proactive RISK to expand its portfolio with leading cybersecurity products and services, specifically designed for the unique needs of the water sector’s OT, ICS, and SCADA systems. “As OT cybersecurity demands intensify, our alliance with Dragos strengthens our commitment to protect the vital infrastructure we rely on daily from emerging cyber threats,” remarks Robert Lee, CEO of Dragos.

Notably, the Dragos Platform was honored with the 2023 SC Award for Best Industrial Security Solution and was titled Best Incident Response Solution by SC Awards Europe in June.

The collaboration also leverages the Dragos Global Partner Program, enhancing Proactive RISK’s capabilities in OT cybersecurity through comprehensive technology, services, and threat intelligence.

For additional information about this partnership, visit www.proactiverisk.com/ot.

    Tom Brennan

    This is my blog, there are many like it but this one is mine. Enjoy.

