PROACTIVERISK
GRAY BEARD BLOG

SHARING RANDOM THOUGHTS ON TECH

Mapping CISA CPG to CIS V8 Controls to MeasureRISK

1/31/2024
The CISA (Cybersecurity & Infrastructure Security Agency) Critical Product Guidance (CPG) provides specific advice on securing various critical infrastructure products, while the CIS (Center for Internet Security) Controls V8 is a set of best practices designed to help organizations protect themselves from security threats.

The CISA CPG's mapping to the CIS V8 framework is not a one-to-one correlation because the two are designed with different purposes in mind. However, the CISA CPG's recommendations can often be seen as supporting the implementation of certain CIS Controls.

Here's how we map it in our MeasureRISK service offering:

Inventory and Control of Enterprise Assets and Software Assets (CIS Controls 1 & 2):
  • CISA CPGs often include recommendations for understanding and managing the assets in your environment, which correspond to these CIS Controls.

Data Protection (CIS Control 3):
  • CPGs may have specific guidelines for ensuring that data is encrypted and stored securely, mapping to the data protection control.

Secure Configuration of Enterprise Assets and Software (CIS Control 4):
  • CISA's guidance on securing specific products often aligns with the secure configuration principles outlined in CIS Control 4.

Account Management (CIS Control 5):
  • Recommendations on managing user accounts and privileges in CPGs are relevant to this CIS Control.

Access Control Management (CIS Control 6):
  • CISA's guidance on ensuring appropriate access controls supports the principles in CIS Control 6.

Continuous Vulnerability Management (CIS Control 7):
  • CPGs often include recommendations on regular patching and vulnerability scanning, aligning with this CIS Control.

Audit Log Management (CIS Control 8):
  • CISA's recommendations for proper logging and monitoring practices map to this control.

Email and Web Browser Protections (CIS Control 9):
  • Specific CPGs may offer advice on securing email systems and web browsers, aligning with this control.

Malware Defenses (CIS Control 10):
  • CISA's guidance on anti-malware practices and defenses supports this control.

Data Recovery (CIS Control 11):
  • CPGs that discuss backup solutions and data recovery processes map to this control.

Network Infrastructure Management (CIS Control 12):
  • CISA's advice on securing network devices and infrastructure aligns with this control.

Security Awareness and Skills Training (CIS Control 13):
  • Any CPGs focusing on training and security awareness support this control.

Service Provider Management (CIS Control 14):
  • CPGs may include guidance on managing third-party risks, mapping to this CIS Control.

Application Software Security (CIS Control 15):
  • Recommendations on securing application software in CPGs are relevant here.

Incident Response and Management (CIS Control 16):
  • CISA's guidance on preparing for and responding to incidents supports this control.

Penetration Testing (CIS Control 17):
  • Where CPGs include recommendations on conducting security assessments and penetration testing, they map to this control.

Control Systems (CIS Control 18):
  • CPGs that specifically address industrial control systems or other operational technologies align strongly with this control.

The mapping can be made more specific and nuanced based on the detailed recommendations in CISA's CPGs and the specific safeguards and implementation groups within CIS Controls V8. Organizations looking to align these two sets of guidance should review the specific recommendations and controls in detail and consider how the advice in the CPGs supports the implementation of CIS Controls in their own environment.

CISA has many resources available to help you be proactive about risk.

LEARN MORE ABOUT PROACTIVERISK MEASURERISK
Tom Brennan

This is my blog, there are many like it but this one is mine. Enjoy.
