The Definitive Guide to CIS Controls for SMBs

A practical guide to implementing CIS Controls v8 for small and mid-size businesses — focusing on Implementation Group 1, prioritized controls, and how Cyber Defense Agent maps to the CIS framework.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What are the CIS Controls?

The CIS Controls (formerly the CIS Critical Security Controls or SANS Top 20) are a prioritized set of cybersecurity best practices developed by the Center for Internet Security. Now in version 8, the CIS Controls provide a practical, actionable framework for organizations of all sizes to defend against the most common cyber threats.

What sets the CIS Controls apart from other frameworks is their emphasis on prioritization and practicality. While frameworks like NIST CSF provide a comprehensive structure for cybersecurity governance, the CIS Controls tell you specifically what to do and in what order. They are attack-informed, meaning each control directly addresses a known attack technique, and they are ordered by impact — the controls that stop the most attacks come first.

CIS Controls v8, released in 2021, reorganized the controls from 20 to 18 control categories, updated them for cloud-native and remote work environments, and introduced three Implementation Groups (IGs) that help organizations of different sizes and risk profiles prioritize their efforts. For SMBs, Implementation Group 1 (IG1) is the essential starting point, providing a baseline of "cyber hygiene" that addresses the most common threats without requiring enterprise-level resources.

The CIS Controls are widely recognized by regulators, insurers, and auditors. Compliance with CIS Controls satisfies the technical expectations of the FTC Safeguards Rule, maps to NIST CSF 2.0, qualifies for safe harbor provisions under Ohio's data protection law, and demonstrates "reasonable security" to cyber insurance underwriters. For SMBs, the CIS Controls provide the highest return on security investment of any framework.

Implementation Group 1: essential cyber hygiene

Implementation Group 1 (IG1) defines the minimum standard of cybersecurity for every organization. It includes 56 safeguards across 15 of the 18 control categories, focusing on the actions that defend against the most common and impactful attacks. IG1 is designed for organizations with limited IT expertise and resources — exactly the profile of most SMBs.

The IG1 safeguards address fundamental security practices that, when implemented consistently, prevent the vast majority of opportunistic attacks. These are not exotic, advanced controls — they are the basics that every organization should have in place:

Control 1 — Inventory and Control of Enterprise Assets: Know what devices are on your network. Maintain an inventory of all hardware assets (desktops, laptops, servers, mobile devices, IoT). You cannot protect what you do not know exists.

Control 2 — Inventory and Control of Software Assets: Know what software is running in your environment. Maintain an inventory of authorized software and remove or quarantine unauthorized software.

Control 3 — Data Protection: Identify and classify sensitive data. Implement encryption for data in transit and at rest. Establish data retention and disposal practices.

Control 4 — Secure Configuration of Enterprise Assets and Software: Deploy secure configurations for all devices and software. Remove unnecessary services, change default credentials, and apply hardening benchmarks (CIS Benchmarks are the companion resource here).

Control 5 — Account Management: Manage the lifecycle of user accounts — creation, modification, disabling, and deletion. Remove or disable default accounts. Implement unique credentials for all users.

Control 6 — Access Control Management: Enforce least-privilege access. Require MFA for remote access and administrative accounts. Review access permissions regularly.

These first six controls form the foundation. If you do nothing else, implementing Controls 1-6 at the IG1 level will dramatically reduce your attack surface.
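Controls 1 and 2 only pay off when the inventory is compared against what is actually on the network. The following script is an added example, not code from Cyber Defense Agent or from CIS: it reconciles a hardware inventory against devices observed on the wire and an approved-software list against what each host reports as installed. Every MAC address, hostname, IP and package name in it is constructed, and the "required baseline" set (here just an endpoint protection agent) is an assumption of the example.

```python
"""Reconcile what is actually on the network against the asset and software
inventories that CIS Controls 1 and 2 require.

Added example; all device, software and MAC/IP values below are constructed.
"""
from dataclasses import dataclass, field

# Constructed: the hardware inventory the business maintains (Control 1),
# keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-laptop-01", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"hostname": "ops-desktop-02", "owner": "ops"},
    "aa:bb:cc:00:00:03": {"hostname": "file-srv-01", "owner": "it"},
}

# Constructed: what a DHCP lease table or ARP sweep observed this week.
DISCOVERED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.21"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.1.5"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.1.77"},  # never recorded in the inventory
]

# Constructed: the approved software list (Control 2), a baseline that every
# endpoint must carry (assumption of this example), and what an agent
# reported as installed per host.
AUTHORIZED_SOFTWARE = {"Office Suite", "EDR Agent", "Browser", "VPN Client"}
REQUIRED_SOFTWARE = {"EDR Agent"}
INSTALLED_SOFTWARE = {
    "fin-laptop-01": {"Office Suite", "EDR Agent", "Browser", "TorrentTool"},
    "ops-desktop-02": {"Browser", "EDR Agent", "Office Suite", "VPN Client"},
    "file-srv-01": {"Office Suite"},
}


@dataclass
class ReconciliationReport:
    unknown_devices: list = field(default_factory=list)        # on the wire, not in inventory
    unseen_devices: list = field(default_factory=list)         # in inventory, not observed
    unauthorized_software: dict = field(default_factory=dict)  # host -> packages to remove
    missing_required: dict = field(default_factory=dict)       # host -> baseline packages absent


def reconcile(authorized, discovered, allowed_sw, required_sw, installed):
    """Compare observed devices and installed software with the inventories."""
    report = ReconciliationReport()
    seen = {d["mac"].lower() for d in discovered}

    # Control 1: anything talking on the network that the inventory does not
    # know about is the first thing to investigate.
    for device in discovered:
        if device["mac"].lower() not in authorized:
            report.unknown_devices.append(device)

    # Inventory entries that were not observed may simply be off-site or
    # powered down; they are listed so the inventory can be confirmed current.
    for mac, info in authorized.items():
        if mac not in seen:
            report.unseen_devices.append(info["hostname"])

    # Control 2: unauthorized packages are removed or quarantined, and every
    # endpoint must still carry the required baseline.
    for host, packages in installed.items():
        extra = packages - allowed_sw
        if extra:
            report.unauthorized_software[host] = extra
        gap = required_sw - packages
        if gap:
            report.missing_required[host] = gap
    return report


if __name__ == "__main__":
    r = reconcile(AUTHORIZED_DEVICES, DISCOVERED_DEVICES,
                  AUTHORIZED_SOFTWARE, REQUIRED_SOFTWARE, INSTALLED_SOFTWARE)
    for device in r.unknown_devices:
        print(f"UNKNOWN DEVICE   {device['mac']} at {device['ip']}")
    for host in r.unseen_devices:
        print(f"NOT OBSERVED     {host}")
    for host, pkgs in r.unauthorized_software.items():
        print(f"UNAUTHORIZED SW  {host}: {', '.join(sorted(pkgs))}")
    for host, pkgs in r.missing_required.items():
        print(f"MISSING BASELINE {host}: {', '.join(sorted(pkgs))}")
```

Run weekly against a fresh export of DHCP leases and the endpoint agent's software report, the unknown-device and unauthorized-software lists become the work queue for Controls 1 and 2; a device that appears in neither list for several runs is a candidate for removal from the inventory.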

IG1 controls 7-18: completing the baseline

The remaining IG1 safeguards round out your essential cyber hygiene:

Control 7 — Continuous Vulnerability Management: Conduct regular vulnerability scans and remediate discovered vulnerabilities based on risk. Cyber Defense Agent provides continuous external vulnerability scanning that directly satisfies this control. Our weekly scans identify vulnerabilities in your public-facing infrastructure and prioritize remediation by severity.

Control 8 — Audit Log Management: Enable audit logging on all enterprise assets. Ensure logs capture authentication events, access to sensitive data, and administrative actions. Retain logs for a minimum period consistent with your regulatory requirements.

Control 9 — Email and Web Browser Protections: Deploy email authentication (SPF, DKIM, DMARC), block malicious attachments and URLs, and configure web browsers to block known malicious sites. Cyber Defense Agent verifies your email authentication configuration and identifies weaknesses.

Control 10 — Malware Defenses: Deploy endpoint protection (EDR/antivirus) on all devices. Enable automatic signature updates and configure centralized management.

Control 11 — Data Recovery: Establish and test backup procedures. Ensure backups are encrypted, stored separately from primary systems, and tested regularly for restoration capability.

Control 12 — Network Infrastructure Management: Maintain secure configurations for network devices (routers, firewalls, switches). Ensure remote administration uses encrypted channels. Cyber Defense Agent identifies exposed network management interfaces and insecure configurations.

Control 13 — Network Monitoring and Defense: At the IG1 level, this is limited — but basic network monitoring for unusual activity is expected.

Control 14 — Security Awareness and Skills Training: Provide cybersecurity awareness training to all employees. Cover phishing recognition, password hygiene, social engineering, and incident reporting.

Control 15 — Service Provider Management: Maintain an inventory of service providers. Ensure contracts include security requirements. Monitor service providers for security incidents.

Control 17 — Incident Response Management: Establish an incident response plan. Designate responsible individuals. Define reporting procedures and test the plan periodically.

Controls 16 (Application Software Security) and 18 (Penetration Testing) have no IG1 safeguards — they begin at IG2 and IG3 respectively, reflecting their more advanced nature.
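Control 9's email authentication item is the one on this list that can be checked from published DNS records alone, and it is also what the product section later describes under Control 9. The grader below is an added example, not Cyber Defense Agent's scanner: it applies a small set of rules to SPF, DKIM and DMARC record text (the `-all`/`~all` qualifier and the 10-lookup limit for SPF, a usable key for DKIM, an enforcing `p=` policy for DMARC). The grade names and thresholds are the example's own, and every sample record is constructed rather than fetched from a real domain.

```python
"""Grade the SPF, DKIM and DMARC records behind CIS Control 9 (email
authentication). Added example: the grading rules are this example's own,
and the sample records are constructed, not fetched from any real domain.
A real check feeds in the TXT records DNS returns for the domain itself,
for <selector>._domainkey.<domain> and for _dmarc.<domain>.
"""


def _tags(record):
    """Parse the 'k=v; k2=v2' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_spf(record):
    """SPF: which hosts may send, and how strictly everyone else is handled."""
    findings, grade = [], "pass"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"grade": "fail", "findings": ["no SPF record starting with v=spf1"]}
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        term = term.lower()
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mech == "all":
            all_qualifier = qualifier
        elif mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "include", "exists") \
                or mech.startswith("redirect="):
            lookups += 1  # these terms each cost a DNS lookup during evaluation
    if lookups > 10:  # RFC 7208 caps lookup terms at 10; beyond that receivers return permerror
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
        grade = "fail"
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        grade = "weak" if grade == "pass" else grade
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet to send as this domain")
        grade = "fail"
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use ~all or -all")
        grade = "weak" if grade == "pass" else grade
    elif all_qualifier == "~":
        findings.append("'~all' softfail: move to -all once every sender is listed")
    return {"grade": grade, "findings": findings}


def grade_dmarc(record):
    """DMARC: is a policy published, and is it actually enforced?"""
    tags = _tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"grade": "fail", "findings": ["no DMARC record (v=DMARC1 missing)"]}
    policy = tags.get("p", "").lower()
    findings, grade = [], "pass"
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
        grade = "weak"
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports are clean")
    elif policy != "reject":
        return {"grade": "fail", "findings": [f"missing or invalid p tag: {policy!r}"]}
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        grade = "weak" if grade == "pass" else grade
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports are not being collected")
    return {"grade": grade, "findings": findings}


def grade_dkim(record):
    """DKIM selector record: a usable public key must be published."""
    tags = _tags(record)
    if "v" in tags and tags["v"].upper() != "DKIM1":
        return {"grade": "fail", "findings": ["unexpected version tag; expected v=DKIM1"]}
    key = tags.get("p")
    if key is None:
        return {"grade": "fail", "findings": ["no p tag: selector publishes no key"]}
    if key == "":
        return {"grade": "fail", "findings": ["empty p tag: key revoked, selector cannot sign"]}
    return {"grade": "pass", "findings": []}


# Constructed sample records (not real domains or keys).
SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all"
SPF_OPEN = "v=spf1 a mx include:_spf.mailer.example +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
DMARC_ENFORCED = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.invalid"
DKIM_OK = "v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEYMATERIAL"
DKIM_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, result in [("SPF", grade_spf(SPF_OPEN)), ("DKIM", grade_dkim(DKIM_REVOKED)),
                         ("DMARC", grade_dmarc(DMARC_MONITOR))]:
        print(name, result["grade"], *result["findings"], sep="\n  ")
```

The three results are read together: a domain with `p=none` is still fully spoofable however good its SPF record is, because nothing tells receivers to act on the failure, so the DMARC policy is the line item to push to `quarantine` and then `reject`.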

How CIS Controls map to other frameworks and regulations

One of the most valuable aspects of the CIS Controls is their broad mapping to other frameworks and regulations. Implementing CIS Controls simultaneously advances compliance with multiple requirements:

NIST CSF 2.0 — The CIS Controls map directly to the NIST Cybersecurity Framework functions (Identify, Protect, Detect, Respond, Recover). CIS provides an official mapping document. Organizations that implement CIS Controls at the IG1 level have substantially addressed the NIST CSF Identify and Protect functions.

FTC Safeguards Rule — The FTC recognizes frameworks like CIS Controls as evidence of "reasonable security." Implementing IG1 controls addresses the technical requirements of the updated Safeguards Rule, including encryption, MFA, access controls, vulnerability management, and monitoring.

NIST SP 800-171 / CMMC — CIS Controls map to many of the 110 NIST SP 800-171 requirements. While CIS IG1 alone is not sufficient for CMMC Level 2, it provides a strong foundation and covers many of the same control areas.

Cyber insurance — Insurance underwriters increasingly use CIS Controls as a benchmark for evaluating applicants. Demonstrating IG1 implementation can improve your insurability, reduce premiums, and strengthen your position during claims.

Ohio Safe Harbor — Ohio's data protection law provides an affirmative defense against data breach lawsuits for organizations that comply with recognized frameworks, explicitly including CIS Controls.

SOC 2 — CIS Controls map to SOC 2 Trust Service Criteria, particularly the Security (Common Criteria) category. Organizations pursuing SOC 2 can use their CIS Controls implementation as a foundation.

For SMBs, the CIS Controls provide the best "compliance per dollar" — a single framework implementation that advances multiple regulatory and business objectives simultaneously.

How Cyber Defense Agent maps to CIS Controls

Cyber Defense Agent's 100-tool external scan directly addresses multiple CIS Controls, particularly those that are externally verifiable:

Control 3 — Data Protection: We verify encryption in transit (TLS/SSL configuration, certificate validity, cipher strength) and identify data exposure through misconfigured services or unprotected endpoints.

Control 4 — Secure Configuration: Our scan evaluates the security configuration of your external-facing systems, including security headers (CSP, HSTS, X-Frame-Options), server software versions, and service configurations against CIS Benchmarks.

Control 7 — Continuous Vulnerability Management: This is where Cyber Defense Agent provides the most direct value. Our continuous scanning identifies vulnerabilities in your external attack surface, prioritizes them by severity, and tracks remediation over time. Weekly scans satisfy the continuous vulnerability management requirement.

Control 9 — Email and Web Browser Protections: We comprehensively evaluate your email authentication posture: SPF record configuration, DKIM implementation, DMARC policy and enforcement, and MX record security. Email authentication is a critical defense against phishing and business email compromise.

Control 12 — Network Infrastructure Management: Our port scanning and service detection identifies exposed management interfaces, unnecessary services, and insecure network configurations that violate secure configuration requirements.

Control 15 — Service Provider Management: Use Cyber Defense Agent to monitor the external security posture of your critical vendors and service providers, supporting due diligence and ongoing oversight requirements.

Cyber Defense Score — Your overall score and individual control grades map to CIS Controls, giving you a clear view of where you stand and where to focus remediation efforts.

Start your free scan at cyberdefenseagent.ai/check to see how your external security posture aligns with CIS Controls IG1 requirements.
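The Control 4 item above (security headers and server version disclosure) is the kind of check that can be run against any HTTP response you already have. The script below is an added example and not Cyber Defense Agent's scanner or scoring: it inspects a dictionary of response headers for HSTS, CSP, clickjacking protection, `X-Content-Type-Options` and a version-bearing `Server` header, then folds the findings into a letter grade. The severities, the one-year HSTS threshold and the letter grades are the example's own choices, and the two sample header sets are constructed.

```python
"""Check the HTTP response headers that an external scan evaluates under
CIS Control 4 (secure configuration). Added example: the thresholds and
letter grades are this example's own, not Cyber Defense Agent's scoring,
and the sample header sets are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; the max-age the HSTS preload list requires


def _parse_csp(csp):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_security_headers(headers):
    """Return a list of (severity, message) findings for one response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "missing Strict-Transport-Security; browsers will still accept plain HTTP"))
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(("medium", f"HSTS max-age={max_age} is below one year"))

    csp = h.get("content-security-policy")
    directives = _parse_csp(csp) if csp else {}
    if csp is None:
        findings.append(("medium", "missing Content-Security-Policy"))
    else:
        # script-src falls back to default-src when it is not set explicitly
        script_src = directives.get("script-src") or directives.get("default-src", [])
        if "'unsafe-inline'" in script_src:
            findings.append(("medium", "CSP permits inline scripts ('unsafe-inline')"))
        if "*" in script_src:
            findings.append(("medium", "CSP script-src wildcard allows scripts from any origin"))

    # Either header stops the site being framed by another origin (clickjacking).
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in directives:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "missing X-Content-Type-Options: nosniff"))

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("low", f"Server header discloses software version: {server}"))
    return findings


def grade_headers(headers):
    """Collapse findings into a letter grade: F for any high, C medium, B low, A clean."""
    findings = check_security_headers(headers)
    severities = {severity for severity, _ in findings}
    if "high" in severities:
        grade = "F"
    elif "medium" in severities:
        grade = "C"
    elif "low" in severities:
        grade = "B"
    else:
        grade = "A"
    return grade, findings


# Constructed sample responses: a default web server install and a hardened one.
DEFAULT_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        grade, findings = grade_headers(hdrs)
        print(f"{label}: grade {grade}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

Feeding it the headers of a real site is a matter of passing `dict(response.headers)` from whatever HTTP client you use; the CSP check here is deliberately shallow (inline and wildcard script sources only), so a passing grade means the basics are present, not that the policy is tight.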

Key Takeaways

CIS Controls v8 provides 18 prioritized control categories with Implementation Groups (IG1, IG2, IG3) scaled for organizations of different sizes.

Implementation Group 1 (IG1) defines 56 essential cyber hygiene safeguards that every SMB should implement to defend against the most common attacks.

CIS Controls map to NIST CSF, FTC Safeguards Rule, CMMC, SOC 2, and cyber insurance requirements — one framework, multiple compliance benefits.

Cyber Defense Agent directly addresses CIS Controls 3, 4, 7, 9, 12, and 15 through continuous external scanning and monitoring.

Start with Controls 1-6 at the IG1 level for the highest-impact security improvements, then systematically address the remaining IG1 safeguards.

Frequently asked questions

What is the difference between CIS Controls and CIS Benchmarks?

CIS Controls are a prioritized framework of cybersecurity best practices (what you should do). CIS Benchmarks are specific, detailed configuration guides for individual technologies (how to do it). For example, CIS Control 4 says to deploy secure configurations; the CIS Benchmark for Windows 11 tells you exactly what settings to configure. Use the Controls as your roadmap and the Benchmarks as your implementation guides.

Is IG1 enough for my small business?

For most small businesses without specific regulatory requirements beyond baseline security, IG1 provides excellent protection. It addresses the most common attack vectors including phishing, ransomware, credential theft, and misconfiguration. If you handle sensitive data subject to specific regulations (CUI, PHI, financial data), you may need to progress to IG2 for additional controls. Start with IG1 and assess whether IG2 is needed based on your risk profile.

How do CIS Controls compare to NIST CSF?

NIST CSF provides a governance framework — it tells you how to organize and communicate about cybersecurity risk. CIS Controls provide specific, actionable safeguards — they tell you what to implement. The two are complementary: use NIST CSF to structure your security program and CIS Controls to populate it with specific actions. Most SMBs find CIS Controls more immediately actionable because they are prescriptive rather than descriptive.

Can implementing CIS Controls lower my cyber insurance premium?

Yes. Many cyber insurance underwriters explicitly reference CIS Controls when evaluating applicants. Demonstrating IG1 implementation — particularly MFA, endpoint protection, email authentication, backup procedures, and vulnerability management — directly addresses the controls that underwriters care most about. Cyber Defense Agent provides a compliance report that you can share with your insurer to support your application.

How long does it take to implement CIS Controls IG1?

For a small business with 10-50 employees and limited existing security controls, expect 3-6 months to implement IG1 fully. Start with the highest-impact controls (asset inventory, MFA, email authentication, endpoint protection) and work through the remaining safeguards systematically. Cyber Defense Agent provides immediate coverage for several IG1 controls through continuous external scanning, giving you quick wins while you implement internal controls.
