Deciphering Cybersecurity Standards: The CIS vs. NIST Frameworks
In the ever-evolving field of cybersecurity, the diverse range of frameworks and standards can sometimes lead to confusion. Two such frameworks which are widely adopted within the industry are the Center for Internet Security's CIS Controls (CIS) and the National Institute of Standards and Technology's Cybersecurity Framework (NIST). Though both serve a similar purpose—providing guidelines and best practices for managing cybersecurity risks—they are designed and used differently.
The CIS Controls
The Center for Internet Security (CIS) is a nonprofit organization that provides a set of 18 prioritized best practices, known as CIS Controls, designed to mitigate the most common cyber threats. These controls are straightforward, action-oriented recommendations that organizations can implement to improve their security posture.
CIS Controls fall into three implementation groups—IG1, IG2, and IG3. IG1 covers basic cybersecurity hygiene and contains 56 safeguards. This encompasses the essential actions that every organization should implement, such as inventory and control of hardware and software assets, continuous vulnerability management, and more. IG2 builds upon IG1 with an additional 74 safeguards that help security teams stay on top of organizations with more operational complexity. This includes supporting multiple teams with different risk profiles or managing regulatory compliance requirements. Lastly, IG3 adds an additional 23 safeguards to the mix. These give security teams the tools needed to address multiple aspects of cybersecurity.
The NIST Cybersecurity Framework
The National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a risk-based approach to managing cybersecurity risk. It is organized into five core functions: Identify, Protect, Detect, Respond, and Recover. Each function includes categories and subcategories describing specific security outcomes.
The NIST CSF is not a prescriptive list of actions to take but rather a set of guidelines and practices that can be customized based on an organization's risk tolerance, budget, and industry sector. It provides a common language and systematic methodology for managing cybersecurity risks.
Key Differences
Ultimately, organizations should not feel compelled to choose between the two. The CIS Controls and the NIST CSF are not mutually exclusive and can be used together effectively to build a comprehensive cybersecurity program. Organizations must understand their specific needs, risks, and capabilities to choose the right framework—or combination of frameworks—that will best protect their information assets.
Want to learn more?