IMCE-CA MAPPING TO THE
CIS Critical Security Controls
No. | CIS Critical Security Control | NIST 800-53 rev 4* | NIST Core Framework | DHS CDM Program | ISO 27002:2013 | NSA MNP | ASD Top 35 | NSA Top 10 | GCHQ 10 Steps | UK Cyber Essentials | UK ICO Protecting Data | PCI DSS 3.0 | HIPAA | FFIEC Examiners Handbook | NERC CIP V5 | Cloud Security Alliance | FY15 FISMA Metrics | ITIL 2011 KPIs
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---
1 | Inventory of Authorized and Unauthorized Devices | CA-7 CA-8 IA-3 SA-4 SC-17 SI-4 PM-5 | ID.AM-1 ID.AM-3 PR.DS-3 | HWAM: Hardware Asset Management | A.8.1.1 A.9.1.2 A.13.1.1 | Map Your Network; Baseline Management; Document Your Network; Personal Electronic Device Management; Network Access Control; Log Management | | | | | Inappropriate Locations for Processing Data | 2.4 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | CIP-002-5 R1 CIP-002-5 R2 | DCS-01 MOS-09 MOS-15 | 1: System Inventory; 2: Continuous Monitoring | Information Security Management
2 | Inventory of Authorized and Unauthorized Software | CA-7 CM-2 CM-8 CM-10 CM-11 SA-4 SC-18 SC-34 SI-4 PM-5 | ID.AM-2 PR.DS-6 | HWAM: Hardware Asset Management; SWAM: Software Asset Management | A.12.5.1 A.12.6.2 | Baseline Management; Executable Content Restrictions; Configuration and Change Management | 1 14 17 | Application Whitelisting | | | Decommissioning of Software or Services | | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | | CCC-04 MOS-03 MOS-04 MOS-15 | 1: System Inventory; 2: Continuous Monitoring | Information Security Management
3 | Secure Configurations for Hardware and Software | CA-7 CM-2 CM-3 CM-5 CM-6 CM-7 CM-8 CM-9 CM-11 MA-4 RA-5 SA-4 SC-15 SC-34 SI-2 SI-4 | PR.IP-1 | CSM: Configuration Setting Management | A.14.2.4 A.14.2.8 A.18.2.3 | Patch Management; Log Management; Data-at-Rest Protection; Configuration and Change Management | 2-5 21 | Control Administrative Privileges; Set a Secure Baseline Configuration; Take Advantage of Software Improvements | Secure Configuration | Secure Configuration; Patch Management | | 2.2 2.3 6.2 11.5 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | CIP-007-5 R2 CIP-010-5 R2 | IVS-07 MOS-15 MOS-19 TVM-02 | 2: Continuous Monitoring | Information Security Management
4 | Continuous Vulnerability Assessment and Remediation | CA-2 CA-7 RA-5 SC-34 SI-4 SI-7 | ID.RA-1 ID.RA-2 PR.IP-12 DE.CM-8 RS.MI-3 | VUL: Vulnerability Management | A.12.6.1 A.14.2.8 | Patch Management; Log Management; Configuration and Change Management | 2 3 | Take Advantage of Software Improvements | | Patch Management | Software Updates | 6.1 6.2 11.2 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | CIP-007-5 R2 CIP-010-5 R3 | IVS-07 MOS-15 MOS-19 TVM-02 | 2: Continuous Monitoring | Information Security Management
5 | Controlled Use of Administrative Privileges | AC-2 AC-6 AC-17 AC-19 CA-7 IA-4 IA-5 SI-4 | PR.AC-4 PR.AT-2 PR.MA-2 PR.PT-3 | | A.9.1.1 A.9.2.2 - A.9.2.6 A.9.3.1 A.9.4.1 - A.9.4.4 | User Access; Baseline Management; Log Management | 4 9 11 25 | Control Administrative Privileges | Monitoring | Access Control | Configuration of SSL and TLS; Default Credentials | 2.1 7.1 - 7.3 8.1 - 8.3 8.7 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Authentication and Access Controls | CIP-004-5 R2 CIP-004-5 R5 CIP-007-5 R5 | IAM-09 - IAM-13 MOS-16 MOS-20 | 3: Identity, Credential and Access Management | Information Security Management
6 | Maintenance, Monitoring, and Analysis of Audit Logs | AC-23 AU-2 AU-3 AU-4 AU-5 AU-6 AU-7 AU-8 AU-9 AU-10 AU-11 AU-12 AU-13 AU-14 CA-7 IA-10 SI-4 | PR.PT-1 DE.AE-3 DE.DP-1 DE.DP-2 DE.DP-3 DE.DP-4 DE.DP-5 | Generic Audit Monitoring | A.12.4.1 - A.12.4.4 A.12.7.1 | Log Management | 15-16 35 | | Monitoring | | | 10.1 - 10.7 | 164.308(a)(1): Security Management Process - Information System Activity Review (R); 164.308(a)(5): Security Awareness and Training - Log-in Monitoring (A) | Security Monitoring | CIP-007-5 R4 | IVS-01 IVS-03 | | Information Security Management
7 | Email and Web Browser Protections | CA-7 CA-2 CA-3 CA-5 CM-6 CM-7 CM-8 CM-9 CM-11 MA-4 RA-5 SA-4 SC-15 SC-34 SI-2 SI-4 | PR.IP-1 | CSM: Configuration Setting Management | A.14.2.4 A.14.2.8 A.18.2.3 | Patch Management; Baseline Management; Data-at-Rest Protection; Configuration and Change Management | 2-5 21 | Control Administrative Privileges; Set a Secure Baseline Configuration; Take Advantage of Software Improvements | Secure Configuration | Secure Configuration; Patch Management | | 2.2 2.3 6.2 11.5 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | CIP-007-5 R2 CIP-010-5 R2 | IVS-07 MOS-15 MOS-19 TVM-02 | 2: Continuous Monitoring | Information Security Management
8 | Malware Defenses | CA-7 SC-39 SC-44 SI-3 SI-4 SI-8 | PR.PT-2 DE.CM-4 DE.CM-5 | | A.8.3.1 A.12.2.1 A.13.2.3 | Device Accessibility; Virus Scanners and Host Intrusion Prevention Systems; Security Gateways, Proxies, and Firewalls; Network Security Monitoring; Log Management | 7 17 22 26 30 | Use Anti-virus File Reputation Services; Enable Anti-Exploitation Features | Removable Media Controls; Malware Protection | Malware Protection | | 5.1 - 5.4 | 164.308(a)(5): Security Awareness and Training - Protection from Malicious Software (A); 164.310(d)(1): Device and Media Controls - Accountability (A); 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Host Security; User Equipment Security (Workstation, Laptop, Handheld) | CIP-007-5 R3 | MOS-01 MOS-15 TVM-01 TVM-03 | 4: Anti-Phishing and Malware Defense | Information Security Management
9 | Limitation and Control of Network Ports, Protocols, and Services | AC-4 CA-7 CA-9 CM-2 CM-6 CM-8 SC-20 SC-21 SC-22 SI-4 | PR.AC-5 DE.AE-1 | Boundary Protection | A.9.1.2 A.13.1.1 A.13.1.2 A.14.1.2 | Baseline Management; Configuration and Change Management | 2 3 12 13 27 | Limit Workstation-to-Workstation Communication | Network Security | | Decommissioning of Software or Services; Unnecessary Services | 1.4 | 164.310(b): Workstation Use (R); 164.310(c): Workstation Security (R) | Network Security | CIP-007-5 R1 | DSI-02 IVS-06 IPY-04 | | Information Security Management
10 | Data Recovery Capability | CP-9 CP-10 MP-4 | PR.IP-4 | | A.10.1.1 A.12.3.1 | Backup Strategy | | | | | | 4.3 9.5 - 9.7 | 164.308(a)(7): Contingency Plan - Data Backup Plan (R); 164.308(a)(7): Contingency Plan - Disaster Recovery Plan (R); 164.308(a)(7): Contingency Plan - Testing and Revision Procedure (A); 164.310(d)(1): Device and Media Controls - Data Backup and Storage (A) | Encryption | | MOS-11 | | Information Security Management
11 | Secure Configurations for Network Devices | AC-4 CA-3 CA-7 CA-9 CM-2 CM-3 CM-5 CM-6 CM-8 MA-4 SC-24 SI-4 | PR.AC-5 PR.IP-1 PR.PT-4 | CSM: Configuration Setting Management; Boundary Protection | A.9.1.2 A.13.1.1 A.13.1.3 | Map Your Network; Patch Management; Baseline Management; Document Your Network; Security Gateways, Proxies, and Firewalls; Configuration and Change Management | 2 3 10 | Set a Secure Baseline Configuration; Segregate Networks and Functions | Secure Configuration; Network Security | Boundary Firewalls and Internet Gateways; Secure Configuration; Patch Management | Software Updates; Inappropriate Locations for Processing Data | 1.1 - 1.2 2.2 6.2 | | Network Security | CIP-005-5 R1 CIP-007-5 R2 | DSI-02 IAM-03 IVS-06 IVS-09 MOS-19 TVM-02 | 3: Identity, Credential and Access Management | Information Security Management
12 | Boundary Defense | AC-4 AC-17 AC-20 CA-3 CA-7 CA-9 CM-2 SA-9 SC-7 SC-8 SI-4 | PR.AC-3 PR.AC-5 PR.MA-2 DE.AE-1 | Boundary Protection | A.9.1.2 A.12.4.1 A.12.7.1 A.13.1.1 A.13.1.3 A.13.2.3 | Network Architecture; Device Accessibility; Security Gateways, Proxies, and Firewalls; Network Security Monitoring | 10-11 18-20 23 32-34 | Segregate Networks and Functions | Home and Mobile Working; Monitoring; Network Security | Boundary Firewalls and Internet Gateways | Configuration of SSL and TLS; Inappropriate Locations for Processing Data | 1.1 - 1.3 8.3 10.8 11.4 | | Network Security; Security Monitoring | CIP-005-5 R1 CIP-007-5 R2 CIP-007-5 R4 | DSI-02 IVS-01 IVS-06 IVS-09 MOS-16 | 3: Identity, Credential and Access Management; 6: Network Defense; 7: Boundary Protection | Information Security Management
13 | Data Protection | AC-3 AC-4 AC-23 CA-7 CA-9 IR-9 MP-5 SA-18 SC-8 SC-28 SC-31 SC-41 SI-4 | PR.AC-5 PR.DS-2 PR.DS-5 PR.PT-2 | | A.8.3.1 A.10.1.1 - A.10.1.2 A.13.2.3 A.18.1.5 | Network Architecture; Device Accessibility; User Access; Data-at-Rest Protection; Log Management | 26 | | Removable Media Controls | | | 3.6 4.1 - 4.3 | 164.308(a)(4): Information Access Management - Isolating Health Care Clearinghouse Function (R); 164.310(d)(1): Device and Media Controls - Accountability (A); 164.312(a)(1): Access Control - Encryption and Decryption (A); 164.312(e)(1): Transmission Security - Integrity Controls (A); 164.312(e)(1): Transmission Security - Encryption (A) | Encryption; Data Security | CIP-011-5 R1 | DSI-02 DSI-05 EKM-01 - EKM-04 MOS-11 | 5: Data Protection | Information Security Management
14 | Controlled Access Based on the Need to Know | AC-1 AC-2 AC-3 AC-6 AC-24 CA-7 MP-3 RA-2 SC-16 SI-4 | PR.AC-4 PR.AC-5 PR.DS-1 PR.DS-2 PR.PT-2 PR.PT-3 | TRUST: Access Control Management; PRIV: Privileges | A.8.3.1 A.9.1.1 A.10.1.1 | Map Your Network; Baseline Management; Document Your Network; Personal Electronic Device Management; Network Access Control | 26 | Segregate Networks and Functions | Managing User Privileges; Network Security | Access Control | Inappropriate Locations for Processing Data | 1.3 - 1.4 4.3 7.1 - 7.3 8.7 | 164.308(a)(1): Security Management Process - Information System Activity Review (R); 164.308(a)(4): Information Access Management - Isolating Health Care Clearinghouse Function (R); 164.308(a)(4): Information Access Management - Access Authorization (A); 164.312(a)(1): Access Control - Encryption and Decryption (A); 164.312(c)(1): Integrity - Mechanism to Authenticate Electronic Protected Health Information (A); 164.312(a)(1): Access Control - Automatic Logoff (A); 164.312(d): Person or Entity Authentication (R); 164.312(e)(1): Transmission Security - Integrity Controls (A); 164.312(e)(1): Transmission Security - Encryption (A) | Authentication and Access Controls; Encryption; Security Monitoring | CIP-005-5 R1 CIP-005-5 R2 CIP-007-5 R4 CIP-011-5 R1 | DSI-02 IVS-09 MOS-11 | | Information Security Management
15 | Wireless Access Control | AC-18 AC-19 CA-3 CA-7 CM-2 IA-3 SC-8 SC-17 SC-40 SI-4 | | | A.10.1.1 A.12.4.1 A.12.7.1 | User Access; Baseline Management; Log Management | | | Monitoring; Network Security | | | 4.3 7.1 - 7.3 8.7 - 8.8 11.1 | | Network Security; Encryption; Security Monitoring | CIP-007-5 R4 | IVS-01 IVS-06 IVS-12 MOS-11 | | Information Security Management
16 | Account Monitoring and Control | AC-2 AC-3 AC-7 AC-11 AC-12 CA-7 IA-5 IA-10 SC-17 SC-23 SI-4 | PR.AC-1 PR.AC-4 PR.PT-3 | CRED: Credentials and Authentication Management | A.9.1.1 A.9.2.2 - A.9.2.6 A.9.3.1 A.9.4.1 - A.9.4.3 A.11.2.8 | Training | 25 | | Managing User Privileges | Access Control | Configuration of SSL and TLS | 7.1 - 7.3 8.7 - 8.8 | 164.308(a)(1): Security Management Process - Information System Activity Review (R); 164.308(a)(4): Information Access Management - Access Authorization (A); 164.308(a)(4): Information Access Management - Access Establishment and Modification (A); 164.308(a)(5): Security Awareness and Training - Password Management (A); 164.312(a)(1): Access Control - Unique User Identification (R); 164.312(a)(1): Access Control - Automatic Logoff (A); 164.312(d): Person or Entity Authentication (R); 164.312(e)(1): Transmission Security - Integrity Controls (A); 164.312(e)(1): Transmission Security - Encryption (A) | Authentication and Access Control | CIP-005-5 R1 CIP-005-5 R2 CIP-007-5 R4 | IAM-02 IAM-09 - IAM-12 MOS-14 MOS-16 MOS-20 | 3: Identity, Credential and Access Management | Information Security Management
17 | Security Skills Assessment and Appropriate Training to Fill Gaps | AT-1 AT-2 AT-3 AT-4 SA-11 SA-16 PM-13 PM-14 PM-16 | PR.AT-1 PR.AT-2 PR.AT-3 PR.AT-4 PR.AT-5 | BEHV: Security-Related Behavior Management | A.7.2.2 | Training | 28 | | User Education and Awareness | | | 12.6 | 164.308(a)(5): Security Awareness and Training - Security Reminders (A); 164.308(a)(5): Security Awareness and Training - Protection from Malicious Software (A); 164.308(a)(5): Security Awareness and Training - Log-in Monitoring (A); 164.308(a)(5): Security Awareness and Training - Password Management (A) | Personnel Security | CIP-004-5 R1 CIP-004-5 R2 | HRS-10 MOS-20 | 8: Training and Education | Information Security Management
18 | Application Software Security | SA-13 SA-15 SA-16 SA-17 SA-20 SA-21 SC-39 SI-10 SI-11 SI-15 SI-16 | PR.DS-7 | VUL: Vulnerability Management | A.9.4.5 A.12.1.4 A.14.2.1 A.14.2.6 - A.14.2.8 | Training | 24 | | | | SQL Injection | 6.3 6.5 - 6.7 | | Application Security; Software Development and Acquisition | | AIS-01 AIS-03 AIS-04 CCC-01 CCC-02 CCC-03 IVS-08 | | Information Security Management
19 | Incident Response and Management | IR-1 IR-2 IR-3 IR-4 IR-5 IR-6 IR-7 IR-8 IR-10 | PR.IP-10 DE.AE-2 DE.AE-4 DE.AE-5 DE.CM-1 - DE.CM-7 RS.RP-1 RS.CO-1 - RS.CO-5 RS.AN-1 - RS.AN-4 RS.MI-1 - RS.MI-2 RS.IM-1 - RS.IM-2 RC.RP-1 RC.IM-1 - RC.IM-2 RC.CO-1 - RC.CO-3 | Plan for Events; Respond to Events | A.6.1.3 A.7.2.1 A.16.1.2 A.16.1.4 - A.16.1.7 | Incident Response and Disaster Recovery Plans | | | Incident Management | | | 12.10 | 164.308(a)(6): Security Incident Procedures - Response and Reporting (R) | | CIP-008-5 R1 CIP-008-5 R2 CIP-008-5 R3 | SEF-01 - SEF-05 | 9: Incident Response | Information Security Management
20 | Penetration Tests and Red Team Exercises | CA-2 CA-5 CA-6 CA-8 RA-6 SI-6 PM-6 PM-14 | | | A.14.2.8 A.18.2.1 A.18.2.3 | Audit Strategy | | | | | | 11.3 | | | | | | Information Security Management

Blank cells mean the source gives no mapping for that control in that framework. In the HIPAA column, (R) marks a required implementation specification and (A) an addressable one.
*NIST 800-53 rev 4 control titles referenced above

Control | Title
---|---
AC-1 | Access Control Policy and Procedures
AC-2 | Account Management
AC-3 | Access Enforcement
AC-4 | Information Flow Enforcement
AC-6 | Least Privilege
AC-7 | Unsuccessful Logon Attempts
AC-11 | Session Lock
AC-12 | Session Termination
AC-17 | Remote Access
AC-18 | Wireless Access
AC-19 | Access Control for Mobile Devices
AC-20 | Use of External Information Systems
AC-23 | Data Mining Protection
AC-24 | Access Control Decisions
AT-1 | Security Awareness and Training Policy and Procedures
AT-2 | Security Awareness Training
AT-3 | Role-Based Security Training
AT-4 | Security Training Records
AU-2 | Audit Events
AU-3 | Content of Audit Records
AU-4 | Audit Storage Capacity
AU-5 | Response to Audit Processing Failures
AU-6 | Audit Review, Analysis, and Reporting
AU-7 | Audit Reduction and Report Generation
AU-8 | Time Stamps
AU-9 | Protection of Audit Information
AU-10 | Non-repudiation
AU-11 | Audit Record Retention
AU-12 | Audit Generation
AU-13 | Monitoring for Information Disclosure
AU-14 | Session Audit
CA-2 | Security Assessments
CA-3 | System Interconnections
CA-5 | Plan of Action and Milestones
CA-6 | Security Authorization
CA-7 | Continuous Monitoring
CA-8 | Penetration Testing
CA-9 | Internal System Connections
CM-2 | Baseline Configuration
CM-3 | Configuration Change Control
CM-5 | Access Restrictions for Change
CM-6 | Configuration Settings
CM-7 | Least Functionality
CM-8 | Information System Component Inventory
CM-9 | Configuration Management Plan
CM-10 | Software Usage Restrictions
CM-11 | User-Installed Software
CP-9 | Information System Backup
CP-10 | Information System Recovery and Reconstitution
IA-3 | Device Identification and Authentication
IA-4 | Identifier Management
IA-5 | Authenticator Management
IA-10 | Adaptive Identification and Authentication
IR-1 | Incident Response Policy and Procedures
IR-2 | Incident Response Training
IR-3 | Incident Response Testing
IR-4 | Incident Handling
IR-5 | Incident Monitoring
IR-6 | Incident Reporting
IR-7 | Incident Response Assistance
IR-8 | Incident Response Plan
IR-9 | Information Spillage Response
IR-10 | Integrated Information Security Analysis Team
MA-4 | Nonlocal Maintenance
MP-3 | Media Marking
MP-4 | Media Storage
MP-5 | Media Transport
PM-5 | Information System Inventory
PM-6 | Information Security Measures of Performance
PM-13 | Information Security Workforce
PM-14 | Testing, Training, and Monitoring
PM-16 | Threat Awareness Program
RA-2 | Security Categorization
RA-5 | Vulnerability Scanning
RA-6 | Technical Surveillance Countermeasures Survey
SA-4 | Acquisition Process
SA-9 | External Information System Services
SA-11 | Developer Security Testing and Evaluation
SA-13 | Trustworthiness
SA-15 | Development Process, Standards, and Tools
SA-16 | Developer-Provided Training
SA-17 | Developer Security Architecture and Design
SA-18 | Tamper Resistance and Detection
SA-20 | Customized Development of Critical Components
SA-21 | Developer Screening
SC-7 | Boundary Protection
SC-8 | Transmission Confidentiality and Integrity
SC-15 | Collaborative Computing Devices
SC-16 | Transmission of Security Attributes
SC-17 | Public Key Infrastructure Certificates
SC-18 | Mobile Code
SC-20 | Secure Name/Address Resolution Service (Authoritative Source)
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver)
SC-22 | Architecture and Provisioning for Name/Address Resolution Service
SC-23 | Session Authenticity
SC-24 | Fail in Known State
SC-28 | Protection of Information at Rest
SC-31 | Covert Channel Analysis
SC-34 | Non-Modifiable Executable Programs
SC-39 | Process Isolation
SC-40 | Wireless Link Protection
SC-41 | Port and I/O Device Access
SC-44 | Detonation Chambers
SI-2 | Flaw Remediation
SI-3 | Malicious Code Protection
SI-4 | Information System Monitoring
SI-6 | Security Function Verification
SI-7 | Software, Firmware, and Information Integrity
SI-8 | Spam Protection
SI-10 | Information Input Validation
SI-11 | Error Handling
SI-15 | Information Output Filtering
SI-16 | Memory Protection