
CIS Controls v8

These 22 rules check network policy against the Center for Internet Security (CIS) Controls v8, and each one carries an Implementation Group (IG) classification taken from the safeguard it maps to. IG1 is the baseline that applies to every organization; IG2 adds safeguards for organizations that handle sensitive data; IG3 adds safeguards expected of mature security programs. The CIS Reference column lists the v8 safeguard number(s) the rule enforces.

| Rule ID | Severity | CIS Reference | IG | Category | Summary |
|---|---|---|---|---|---|
| CIS-NET-001 | HIGH | 3.10 | IG2 | Insecure Protocols | Unencrypted protocol detected |
| CIS-NET-002 | CRITICAL | 12.1 | IG1 | Deprecated Protocols | Deprecated/broken protocol detected |
| CIS-NET-004 | HIGH | 12.5, 12.6 | IG2 | Insecure Authentication | Insecure authentication protocol detected |
| CIS-NET-010 | CRITICAL | 13.4 | IG2 | Overly Permissive | Any-to-any unrestricted traffic |
| CIS-NET-011 | CRITICAL | 12.2 | IG2 | Overly Permissive | Overly broad source address |
| CIS-NET-012 | CRITICAL | 12.2 | IG2 | Overly Permissive | Overly broad destination address |
| CIS-NET-013 | CRITICAL | 13.4 | IG2 | Overly Permissive | All ports or wide port range allowed |
| CIS-NET-014 | HIGH | 13.4 | IG2 | Overly Permissive | All protocols (ANY) allowed |
| CIS-NET-022 | CRITICAL | 3.12 | IG2 | Network Segmentation Violation | Direct database access from non-application source |
| CIS-NET-023 | CRITICAL | 12.7 | IG2 | Network Segmentation Violation | External source directly to internal resource |
| CIS-NET-030 | CRITICAL | 12.2, 13.4 | IG2 | Risky Service Exposure | High-risk port inbound from broad source |
| CIS-NET-032 | CRITICAL | 12.2 | IG2 | Risky Service Exposure | High-risk port from overly broad source |
| CIS-NET-033 | CRITICAL | 12.2 | IG2 | Risky Service Exposure | Database port exposed to internet |
| CIS-NET-034 | CRITICAL | 4.4, 12.2 | IG2 | Risky Service Exposure | Container/orchestration API exposed |
| CIS-NET-035 | CRITICAL | 4.4, 12.2 | IG2 | Risky Service Exposure | IPMI/BMC exposed from outside management |
| CIS-NET-036 | CRITICAL | 12.2, 13.4 | IG2 | Risky Service Exposure | ICS/SCADA protocols crossing zone boundaries |
| CIS-NET-040 | HIGH | 12.8 | IG3 | Administrative Access | Admin protocol from broad source |
| CIS-NET-041 | HIGH | 4.6 | IG1 | Administrative Access | Management traffic from public to internal |
| CIS-NET-042 | CRITICAL | 12.7 | IG2 | Administrative Access | Remote access without VPN |
| CIS-NET-051 | MEDIUM | 9.2 | IG1 | DNS Policy | DNS-over-HTTPS to known DoH providers |
| CIS-NET-052 | MEDIUM | 4.9, 13.4 | IG2 | DNS Policy | DNS as covert channel from sensitive segment |
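To make the Overly Permissive and Risky Service Exposure categories concrete, here is an added example that evaluates a handful of these rules (CIS-NET-001, -010, -011, -012, -013, -014 and -033) over a small, constructed firewall policy. It is not the checker's own code: the rule format (source/destination CIDR, protocol, inclusive port range, action), the port tables, and the thresholds for "overly broad" prefixes and "wide" port ranges are all assumptions chosen for the example. Real checkers differ mainly in exactly these thresholds, so they are kept as named constants.

```python
"""Illustrative checks for several CIS-NET rules over a firewall policy.

Added example, not the checker's own code. The rule format and every
threshold below (which ports count as unencrypted or database services,
how short a prefix or how wide a port range must be to be "overly broad")
are assumptions made for this example.
"""
import ipaddress

# Assumed service classes (not from the page).
UNENCRYPTED_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}
DATABASE_PORTS = {1433: "mssql", 1521: "oracle", 3306: "mysql",
                  5432: "postgresql", 6379: "redis", 27017: "mongodb"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ALL_PORTS = (0, 65535)
BROAD_PREFIX = 16       # assumption: a prefix shorter than /16 is "overly broad"
WIDE_PORT_SPAN = 1024   # assumption: a range covering >= 1024 ports is "wide"


def is_internal(net):
    """True if the whole network sits inside one RFC 1918 range."""
    return any(net.subnet_of(r) for r in RFC1918)


def check_rule(rule):
    """Return [(cis_rule_id, message), ...] for one firewall rule, in a fixed order."""
    if rule.get("action", "allow") != "allow":
        return []  # a deny rule exposes nothing
    src = ipaddress.ip_network(rule["src"], strict=False)
    dst = ipaddress.ip_network(rule["dst"], strict=False)
    proto = rule["proto"].lower()
    lo, hi = rule["ports"]  # inclusive port range; (0, 65535) means all ports
    findings = []

    # CIS-NET-010: any source, any destination, any protocol, all ports.
    # This subsumes every other check, so report it alone.
    if src == ANY_NET and dst == ANY_NET and proto == "any" and (lo, hi) == ALL_PORTS:
        return [("CIS-NET-010", "any-to-any unrestricted traffic")]

    if src.prefixlen < BROAD_PREFIX:
        findings.append(("CIS-NET-011", f"overly broad source {src}"))
    if dst.prefixlen < BROAD_PREFIX:
        findings.append(("CIS-NET-012", f"overly broad destination {dst}"))
    if proto == "any":
        findings.append(("CIS-NET-014", "all protocols (ANY) allowed"))
    if (lo, hi) == ALL_PORTS or hi - lo + 1 >= WIDE_PORT_SPAN:
        findings.append(("CIS-NET-013", f"wide port range {lo}-{hi}"))

    if proto in ("tcp", "any"):
        # Walk the small port tables rather than the (possibly huge) range.
        for port, name in sorted(UNENCRYPTED_PORTS.items()):
            if lo <= port <= hi:
                findings.append(("CIS-NET-001", f"unencrypted protocol {name}/{port}"))
        if not is_internal(src):  # source is not purely RFC 1918: treat as internet
            for port, name in sorted(DATABASE_PORTS.items()):
                if lo <= port <= hi:
                    findings.append(("CIS-NET-033", f"database port {name}/{port} reachable from {src}"))
    return findings


def finding_ids(rule):
    """Just the CIS-NET rule IDs raised for one firewall rule."""
    return [rid for rid, _ in check_rule(rule)]


def scan(rules):
    """Map each firewall rule's id to its findings, omitting clean rules."""
    report = {}
    for rule in rules:
        hits = check_rule(rule)
        if hits:
            report[rule["id"]] = hits
    return report


# Constructed sample policy for the example; not taken from any real environment.
SAMPLE_RULES = [
    {"id": "r1", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any", "ports": (0, 65535)},
    {"id": "r2", "src": "0.0.0.0/0", "dst": "10.20.0.5/32", "proto": "tcp", "ports": (3306, 3306)},
    {"id": "r3", "src": "10.0.0.0/8", "dst": "10.20.0.0/24", "proto": "tcp", "ports": (1024, 65535)},
    {"id": "r4", "src": "10.1.2.0/24", "dst": "10.20.0.7/32", "proto": "tcp", "ports": (23, 23)},
    {"id": "r5", "src": "10.1.2.0/24", "dst": "10.20.0.7/32", "proto": "tcp", "ports": (443, 443)},
    {"id": "r6", "src": "0.0.0.0/0", "dst": "10.20.0.9/32", "proto": "tcp", "ports": (22, 22), "action": "deny"},
]

if __name__ == "__main__":
    for rule_id, hits in scan(SAMPLE_RULES).items():
        for cis_id, msg in hits:
            print(f"{rule_id}: {cis_id} {msg}")
```

Two design points carry over to any real checker. First, the source-side test for CIS-NET-033 is "not entirely RFC 1918", not "equals 0.0.0.0/0": a rule whose source is 0.0.0.0/1 or a public /8 exposes the database just as badly. Second, port-class checks iterate the small service tables rather than the rule's port range, so a 1024-65535 rule costs the same as a single-port rule.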