CIS Control 14: Constructing a Security Awareness Training Program

CIS Control 14: Security Awareness Training and Skills Training
CIS Control 14 guides organizations to implement security awareness training and skills training to reduce cyber security risk.
CIS vs. NIST: Understanding the Key Differences
The Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST) both provide cybersecurity frameworks, but they serve different purposes and audiences.

- CIS Controls: CIS Controls are a prescriptive set of prioritized security actions designed to help organizations quickly improve their security posture, making them particularly useful for small to medium-sized businesses (SMBs) or organizations seeking a straightforward, actionable security strategy. CIS focuses on practical implementation and provides step-by-step guidance that organizations can follow to protect against common cyber threats.
- NIST: NIST provides broader, more flexible cybersecurity frameworks tailored to a wide range of industries and compliance needs. The NIST Cybersecurity Framework (CSF) and NIST Special Publications (such as NIST 800-53 and NIST 800-171) offer risk-based guidelines for cybersecurity best practices. These frameworks are often used by government agencies, large enterprises, and organizations dealing with compliance-heavy industries. While CIS offers a more tactical, prioritized approach, NIST provides a strategic, customizable framework that organizations can tailor to their specific security requirements.
Ultimately, organizations may use CIS for a more straightforward, prescriptive approach and NIST for a comprehensive, risk-based cybersecurity strategy. Many businesses combine both frameworks—using CIS Controls as an initial security baseline and NIST for long-term cybersecurity maturity.
A Roadmap to the CIS Critical Security Controls
CIS has developed a guide to help adopters of the CIS Controls understand what is available to them, where to start, and how to put it all together. The guide is broken down into six main sections that help answer what to do first, what tools are available for implementation and measurement, and how to get help if needed.
- Assess and Measure
- Implementation Resources / Tools
- Minimization of Threats
- External Frameworks
- Collaboration
- Training and Speaking Engagements
Note that the resources mentioned throughout this guide support adoption of CIS Controls v8.1, v8, and/or v7.1. The v8.1 guide can be found here.
The CIS Critical Security Controls
In version 8.1 of the Controls, there are 18 top-level Controls, followed by a subset of 153 “actions” called Safeguards.

Our focus is on Control 14: Security Awareness and Skills Training. CIS Control 14 (version 8.1) emphasizes the importance of providing regular and relevant Security Awareness Training to all employees, including new hires and third-party contractors.
CIS Control 14 Breakdown
CIS Control 14 covers a broad range of critical security awareness topics, ensuring organizations build a culture of cyber resilience and vigilance. However, managing an effective Security Awareness Training program can be time-consuming and complex. This is why it’s important to consider your employee resource needs to run an effective Security Awareness Training program. Alternatively, you can seek out vendor partners that automate much of your workload.
- 14.1: Establish and Maintain a Security Awareness Program. Organizations must develop, implement and maintain a comprehensive Security Awareness Training program to educate workforce members on the secure use of enterprise assets and data. Training should be conducted upon hire and at least annually, with more frequent updates as needed based on emerging threats and organizational risk changes. The program’s content should be reviewed and updated annually or as required to align with evolving security risks.
- 14.2: Train Workforce Members to Recognize Social Engineering Attacks. Organizations must train workforce members to recognize, respond to, and mitigate social engineering attacks. These attacks can take many forms, including phishing, pretexting, tailgating and other deceptive tactics used by cybercriminals to manipulate individuals into revealing sensitive information or compromising security.
- 14.3: Train Workforce Members on Authentication Best Practices. Security awareness training must include authentication best practices, covering essential topics such as multi-factor authentication (MFA), password hygiene, credential management and secure authentication methods to reduce the risk of unauthorized access.
- 14.4: Train Workforce on Data Handling Best Practices. Workforce members must be trained on secure data handling practices, including proper identification, storage, transfer, archiving, and disposal of sensitive data. This training should also reinforce clear desk and screen policies, such as locking workstations when unattended, erasing physical and digital whiteboards after meetings, and securely storing sensitive documents and assets.
- 14.5: Train Workforce Members on Causes of Unintentional Data Exposure. Employees should be educated on the risks associated with unintentional data exposure, including accidental sharing of sensitive information, misdirected emails, loss of portable devices and unintended public disclosures. Training should focus on prevention strategies to minimize these risks.
- 14.6: Train Workforce Members on Recognizing and Reporting Security Incidents. Organizations must equip employees with the skills to identify and report security incidents, including insider threats and suspicious activities. Training should cover common indicators of compromise and the appropriate reporting procedures to ensure timely incident response.
- 14.7: Train Workforce on How to Identify and Report Missing Security Updates. Employees must be trained to recognize and report missing security patches, outdated software and concerns with automated security update processes. Training should also provide clear reporting procedures for escalating these concerns to IT or security personnel.
- 14.8: Train Workforce on the Dangers of Insecure Networks and Data Transmission. Organizations must educate employees about the risks of transmitting enterprise data over insecure networks and provide best practices for ensuring secure connectivity. For remote and hybrid workers, training should include guidance on securing home network infrastructure to protect organizational data.
- 14.9: Conduct Role-Specific Security Awareness and Skills Training. Security training should be customized to employees’ specific roles and responsibilities, ensuring that personnel develop the necessary security skills for their job functions. Examples include:
  - Secure system administration training for IT professionals.
  - OWASP® (Open Web Application Security Project) Top 10 vulnerability awareness training for web developers.
  - Advanced social engineering awareness training for high-risk roles, such as executives or customer service representatives handling sensitive data.
Ensuring Effective Security Awareness Training
Thank you to the great minds at the Center for Internet Security for their continued work in securing our workplaces and staff. Note that we've used their section titles verbatim and shared our understanding of the requirements.
Disclaimer: our attorneys make sure we remind you that none of the above is legal advice, and all services are governed by our Terms of Service and End User License Agreement.