The Center for Internet Security (CIS) releases to the public today the CIS Critical Security Controls for Effective Cyber Defense Version 6.0. The CIS Controls are a recommended set of actions that provide specific ways to stop today's most pervasive and dangerous cyber security attacks.

This free set of internationally recognized measures are developed, refined, and validated by a large international community of leading security experts. CIS Critical Security Controls for Effective Cyber Defense Version 6.0 document the most important actions of cyber hygiene that every organization should implement to protect their information technology (IT) networks. A recent study by the Australian government Department of Defense revealed 85% of known cybersecurity vulnerabilities can be stopped by deploying the Top 5 CIS Controls. This includes taking an inventory of IT assets, implementing secure configurations, patching vulnerabilities, and restricting unauthorized users.

The CIS Controls are highly regarded by the global IT community because they are updated by cyber experts who cull and analyze real attack data from a variety of public and private threat sources. This new CIS Critical Security Controls for Effective Cyber Defense Version 6.0 incorporate recommendations from the cybersecurity community which reflect the latest technologies and threats. They include:

  • a new Control for Email and Web Browser Protections,
  • deletion of the Control on Secure Network Engineering,
  • a re-ordering of the Controls to make Controlled Use of Administration Privileges higher in priority.

"The CIS Controls are not just another list of good things to do. They represent a concise and prioritized set of practices that align with other security frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, US-CERT recommendations, and international guidance such as the Australian Signals Directorate's Strategies to Mitigate Targeted Cyber Intrusions," said Tony Sager, Senior Vice President and Chief Evangelist at the Center for Internet Security.

"CIS' Critical Security Controls for Effective Cyber Defense Version 6.0 is a tour de force of cybersecurity knowledge. We are immensely grateful to the global cybersecurity leaders who devoted their personal time to the development of this updated version of the Controls," said Stephen J. Spano, President, Center for Internet Security.

CIS' Critical Security Controls panel experts dedicate themselves to ensuring the Controls represent the community's best insight into threat, vulnerability, and defensive technology. The panelists also work to make sure the Controls can be supported through cost-effective solutions.

The volunteer participants in this initiative included an array of highly acknowledged cybersecurity experts including: Chirag Arora, Vilius Benetis of NRD-CS, Rick Doten of Crumpton Group, Russell Eubanks of the Federal Reserve Bank in Atlanta, Joseph Faust of Mandiant, Ron Gula of Tenable, Geoff Hancock of Advanced Cybersecurity Group, Greg Johnson of the Federal Reserve Bank of Richmond, Kent Landfield of Intel Security, Ross Leo of University of Houston-Clear Lake, Hardeep Mehrotara, Dwayne Melancon of Tripwire, Lisa Peterson, Ashley Pyles, Brian Russell of Leidos, Gary Stoneburner of Johns Hopkins Applied Physics Laboratory, James Tarala of Enclave Security, Kelli Tarala of Enclave Security, and Chris Thompson of IBM, among others.

Several members of CIS' Security team also provided development support for the new version of the Controls. CIS Critical Security Controls for Effective Cyber Defense Version 6.0 will be used by CIS to continue to educate businesses and other organizations to remain hyper vigilant on cybersecurity defense. The CIS Critical Security Controls Version 6.0 is available on the Center's website at

CIS and the SANS Institute are hosting a "Breakfast Briefing" in Washington D.C. on Friday, October 16 to offer more information about the update of the CIS Controls. The event will feature presentations from Jane Holl Lute, CIS CEO; Sr. Vice President and Chief Evangelist at CIS, Tony Sager; Director of the US-CERT Ann Barron-DiCamillo; John Pescatore, SANS Director of Emerging Security Trends; and James Tarala, Principal Consultant with Enclave Hosting. To register for the event or to live-stream the presentations, please visit the event page here.


The CIS Critical Security Controls are a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive cyber attacks. Previously developed as the SANS Institute's Top 20 Critical Security Controls, the Center for Internet Security (CIS) now updates and develops the Controls since its integration with The Council on CyberSecurity in 2015. New versions of the CIS Controls are updated and reviewed through an informal community process including practitioners from government, industry, and academia. To learn more about the CIS Critical Security Controls, please visit

About the Center for Internet Security

The Center for Internet Security (CIS) is a not-for-profit organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cybersecurity challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), CIS Security Benchmarks, and CIS Critical Security Controls. To learn more please visit or follow us at @CISecurity.

The cookies are used on this website to improve your browsing experience. Some of the cookies are essential, while others help us to obtain data about how this website is used and to improve your experience. If you agree to the use of all cookies, please click "I agree", otherwise, please click on "Cookie settings" and select which cookies you agree to use. For more information on the use of cookies, please refer to our Cookie Policy.    I agree    Cookie settings