Amendments in CIS V8.0

Note: CVSS score 8.8 (for databases) and 9.8 (WebLogic servers).


The CIS controls, earlier known as critical security controls, are an approved set of measures that provides certain actionable methods to curtail or bring an end to today’s prevalent and threatening attacks.

The latest version of the CIS Controls, v8, has introduced some interesting updates to keep in line with the fast-changing cybersecurity infrastructure and threat landscape.

Upgraded to keep in line with the emerging trends in the Cyber Ecosystem.

CIS Controls v8 has been enhanced so that it blends easily with modern systems and software. Major shifts towards cloud-based computing, virtualization, mobility, and work from home were the key reasons that prompted this update.

This newest version also underpins an enterprise’s security as it moves to both fully cloud and hybrid environments.

Change in Approach

The updated CIS Controls are task-based and organized by activities rather than by who controls the devices. Physical devices, fixed boundaries and discrete islands of security implementation now hold less significance.

These characteristics are evident in v8 through revised terminology and the arrangement of safeguards, which reduces the number of controls from 20 to 18.

Changes in Terminology and Numbers

The 18 controls, as stated above, consist of 153 ‘Safeguards’, which were previously known as ‘Sub-Controls’. The former version, by contrast, had 171 ‘Sub-Controls’.

In addition, formerly known as the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, the controls are now officially termed the CIS Controls.

Compatible and easy to understand

Each safeguard asks for one thing at a time; this approach communicates the requirement less vaguely and more straightforwardly, which makes the whole matter easier to understand.

Every safeguard not only concentrates on actions that can be measured but also incorporates those measurements into the process. This results in simpler language that avoids duplication.

Defines Implementation Group 1 (IG1)

IG1 is the definition of “basic cyber hygiene”. It primarily describes the emerging minimum standard of information security across all enterprises.

IG1 can be regarded as the foundational set of cyber defense safeguards that every organization should implement to shield itself from potential cyber-attacks, mostly common ones.

IG2 and IG3 each build on the previous IGs, whereas IG1 can be considered the on-ramp to the controls.

Leverages Other Best Practice Guidance

The latest updated version of CIS controls assists with and draws attention to existing independent standards and security recommendations wherever they exist.

SAFECode was an important contributor to the Application Software Security Control.

Goals for CIS Security Controls v8

The goals of CIS version 8 are as follows:

  1. Break down the language used for every Critical Security Control, including safeguards and their descriptions, into simpler terms to make it more understandable and consumable.
  2. Whenever possible or feasible, leverage MITRE ATT&CK, CSAT/tooling, and other data to:
    • Establish a Critical Security Control that mitigates against attack(s).
    • Ensure each Critical Security Control is appropriately prioritized.
    • Update Implementation Groups appropriately.
  3. One of the key aims of v8 is to provide ample technical detail within a Critical Security Control to enable the measurement of that Critical Security Control.
  4. In addition, it focuses on updating the Critical Security Controls to embed modern technology (e.g., cloud, mobility) to keep up with the modern systems and software in use by the industry.
  5. Moreover, it includes Critical Security Controls that are practical and accommodate real-world business/IT scenarios.
  6. Besides this, the document is written with a view to measuring costs to organizations.
  7. As much as possible, provide backwards compatibility with previous versions of the Critical Security Controls and a migration path for users of prior versions to move to v8.
  8. Furthermore, it leverages other best practice guidance (i.e., SW Development, Workforce Development) as appropriate.


There isn’t any general mandate that obliges compliance with the CIS Controls. However, plenty of individual companies, states and local government bodies have adopted CIS Controls compliance at various levels and track that compliance regularly.

The CIS Controls are, without a shadow of a doubt, an excellent medium for adopting the best industry practices for data security and a great way to begin preparing for other compliance efforts that apply to your organization.

By Hira Saleem