CIS Controls v8, by Implementation Group.
The Center for Internet Security's prioritized control catalog. 18 controls, 153 safeguards, three Implementation Groups. The operational baseline behind every Movalo-managed environment.
What CIS Controls v8 is.
CIS Controls v8 is a prioritized set of 18 controls and 153 safeguards developed by the Center for Internet Security, derived from real-world attack data. Unlike compliance frameworks, it's not a regulatory requirement; it's a practical hardening playbook the security community treats as a default baseline.
The structure that makes CIS distinctive is its three Implementation Groups. IG1 is the minimum set every organization should achieve (56 safeguards, what CIS calls essential cyber hygiene). IG2 adds safeguards for organizations with elevated risk or compliance pressure (74 more, for 130 in total). IG3 covers the highest-risk environments and the most stringent requirements (23 more on top of IG2, for all 153). Each group is cumulative: IG2 assumes IG1 is in place, and IG3 assumes both.
CIS publishes mappings from the Controls to NIST CSF, NIST SP 800-53, ISO/IEC 27001, and most other compliance frameworks. Where regulations describe outcomes, CIS describes the operational practices that produce those outcomes, which is why it works as the common layer underneath them.
IG1: Foundational
56 safeguards. Essential cyber hygiene. The minimum every organization should reach.
IG2: Risk-informed
74 additional safeguards. For organizations with elevated risk, regulatory pressure, or insurer requirements.
IG3: Highest assurance
23 additional safeguards. For organizations defending highly sensitive assets or facing sophisticated adversaries.
When teams pick CIS.
CIS Controls are widely used as the operational baseline in mid-market security programs because they're concrete:
- Cyber insurance carriers increasingly require CIS IG1 (or equivalent) as table stakes.
- Boards and audit committees want a defensible standard, and CIS is widely recognized.
- Organizations between compliance frameworks use CIS as the bridge: too small to justify a full ISO 27001 program, but too exposed to operate with no standard at all.
- Programs under multiple compliance regimes use CIS as the single operational language all the others map back to.
What we implement.
Every Movalo-managed environment starts at IG1 by default and extends to IG2 or IG3 where the risk profile justifies it. Cards below cover the 18 control areas grouped by theme.
Inventory (1 & 2)
Authoritative asset inventory of hardware and software. Without this, nothing else is trustworthy.
Data protection (3)
Data classification, encryption, secure disposal. Tied to backup and access control.
Configuration (4 & 5)
Hardened baselines, configuration monitoring, account management.
Vulnerability and patching (7)
Continuous scanning, patch SLA per asset class, exception tracking.
Logging and monitoring (8)
Centralized log collection, correlation, alerting tuned to your environment.
Email and web (9)
Anti-phishing, URL filtering, DMARC/DKIM/SPF, attachment scanning.
Malware and recovery (10 & 11)
EDR on every endpoint, backup integrity verified by restore.
Network and access (6, 12, 13)
Segmentation, intrusion detection, MFA, privileged access management.
Awareness, service providers, app sec, IR, pen tests (14 to 18)
Training program, inventory and review of service providers that hold your data, application security where you build software, IR runbooks tested annually, penetration testing on cadence.
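The Email and web card above lists DMARC/DKIM/SPF as a Control 9 deliverable without saying what "done" looks like. The check below is an added example for this page, not Movalo's tooling: it parses SPF and DMARC TXT records and flags the settings that leave a domain spoofable, with a weak record pair beside a hardened one. The records are constructed samples; for a real domain, resolve the TXT record at the domain (SPF) and at `_dmarc.` plus the domain (DMARC) and pass those strings in. The finding codes and the `evaluate` function are this example's own naming.

```python
"""Flag weak SPF and DMARC settings from their DNS TXT records.

Added example for this page; not Movalo's code. The sample records at the
bottom are constructed. For a real domain, resolve the TXT records at
<domain> (SPF) and _dmarc.<domain> (DMARC) and pass the strings in.
"""
import re

# Mechanisms and modifiers that each cost a DNS lookup (RFC 7208 s4.6.4, limit 10).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'terms': [...], 'all': qualifier} or None if not an SPF record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    terms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # "+" is the default qualifier
        body = term.lstrip("+-~?")
        if body.lower() == "all":
            all_qualifier = qualifier
        else:
            terms.append(body)
    return {"terms": terms, "all": all_qualifier}


def parse_dmarc(record):
    """Return the DMARC tag dict, or None if not a DMARC record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def spf_findings(record):
    """Finding codes for an SPF record string; an empty list means nothing flagged."""
    spf = parse_spf(record)
    if spf is None:
        return ["SPF_MISSING"]
    findings = []
    if spf["all"] is None:
        findings.append("SPF_NO_ALL")         # unlisted senders get a neutral result
    elif spf["all"] == "+":
        findings.append("SPF_PLUS_ALL")       # any host on the internet may send as you
    elif spf["all"] == "?":
        findings.append("SPF_NEUTRAL_ALL")    # effectively the same as no policy
    lookups = sum(1 for t in spf["terms"]
                  if re.split(r"[:/=]", t, 1)[0].lower() in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append("SPF_TOO_MANY_LOOKUPS")  # receivers return permerror
    return findings


def dmarc_findings(record):
    """Finding codes for a DMARC record string; an empty list means nothing flagged."""
    dmarc = parse_dmarc(record)
    if dmarc is None:
        return ["DMARC_MISSING"]
    findings = []
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC_P_NONE")       # monitor-only; spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC_P_INVALID")    # p is required and must be a known value
    if dmarc.get("pct", "100") != "100" and policy in ("quarantine", "reject"):
        findings.append("DMARC_PARTIAL_PCT")  # policy applied to only a share of mail
    if dmarc.get("sp", "").lower() == "none":
        findings.append("DMARC_SP_NONE")      # subdomains explicitly left open to spoofing
    if "rua" not in dmarc:
        findings.append("DMARC_NO_RUA")       # no aggregate reports to tune against
    return findings


def evaluate(spf_record, dmarc_record):
    """Findings for one domain's SPF and DMARC records, keyed by protocol."""
    return {"spf": spf_findings(spf_record), "dmarc": dmarc_findings(dmarc_record)}


# Constructed sample records: a weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none; sp=none"
HARDENED_SPF = "v=spf1 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        print(label, evaluate(spf, dmarc))
```

Run as a script it prints the findings for both pairs; the weak pair reports `SPF_PLUS_ALL`, `DMARC_P_NONE`, `DMARC_SP_NONE` and `DMARC_NO_RUA`, the hardened pair reports nothing. The check is deliberately limited to what the record text shows: it does not resolve `include:` targets, so the lookup count is a lower bound, and it says nothing about whether DKIM signing is actually configured for every sending service.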
Who owns what.
On us
- Technical implementation of safeguards across IG1 by default, IG2/IG3 by engagement
- Continuous monitoring and tuning
- Patch and vulnerability management cadence
- Centralized logging, EDR, backup operations
- Penetration test coordination and remediation
- Annual safeguard-level program review
On you
- Risk appetite that determines IG2/IG3 extensions
- Executive sponsor and security committee
- Workforce awareness program execution (we provide content)
- Application security ownership if you build software
- Budget for safeguard tooling
- Sign-off on quarterly maturity reports
Common pitfalls we see.
Skipping Control 1 (asset inventory).
Every other safeguard depends on an authoritative inventory. Teams that defer Control 1 because it's tedious end up with patch coverage gaps, license waste, and incident response blind spots. We start here.
Aiming straight at IG3 day one.
IG3 assumes IG1 and IG2 are operating well. Trying to implement the highest tier first produces shallow coverage everywhere. We sequence IG1 first, then add IG2/IG3 safeguards where risk justifies them.
Tool sprawl that doesn't map to safeguards.
Buying tools without mapping them to specific safeguards produces redundant coverage and gaps simultaneously. We map every tool to the safeguards it actually supports.
Pen tests that find nothing.
If pen tests consistently find nothing, the scope is too narrow or the tester is not looking hard enough. We help select a tester who will find what's actually exploitable, and we close findings within the following quarter, not the following year.
Related frameworks.
CIS is the operational baseline underneath these.
Let's talk for 30 minutes.
No slides.
Bring your last cyber insurance questionnaire, your audit findings, or a list of tools you're not sure are doing anything. We'll come back with a written CIS scoresheet, and what it would cost to reach IG1 or extend to IG2.
- 30-min discovery, no slide deck
- Free written assessment, yours to keep
- A clear proposal, no pressure
Or call us directly: 904-639-0003
Schedule a call →