Hubbry Logo
Center for Internet SecurityCenter for Internet SecurityMain
Open search
Center for Internet Security
Community hub
Center for Internet Security
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Center for Internet Security
Center for Internet Security
Center for Internet Security
View on Wikipedia
from Wikipedia

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization,[2] formed in October 2000.[1] Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."

Key Information

The organization is headquartered in East Greenbush, New York, US, with members including large corporations, government agencies, and academic institutions.[1]

History and Governance

[edit]

CIS began as a volunteer-based initiative to create actionable, consensus based security configuration benchmarks aimed at helping organizations of all sizes decrease cyber risk. Over time, CIS evolved into a significant entity in cybersecurity coordination at the national level. In 2003, it collaborated with the SANS Institute to establish the CIS Controls, a ranked collection of best practices aimed at protecting against prevalent cyber threats. The organization also established a Center (MS-ISAC), a federally supported organization to assist U.S state, local, tribal, and territorial (SLTT) governments in identifying addressing, and averting cyber incidents. CIS became registered as a 501(c)(3) nonprofit organization located in East Greenbush, New York, with an additional office in Washington, D.C. The governance of CIS consists of a Board of Directors featuring cybersecurity experts various industries. The board offers strategic guidance, while daily operations are overseen by a Chief Executive Office and an executive team. As of 2025, John Gilligan is President and CEO of CIS, and he has emphasized the significance of strengthening collaboration with DHS, CISA, and other global cybersecurity entities.

Program areas

[edit]

CIS has several program areas, including MS-ISAC, CIS Controls, CIS Benchmarks, CIS Communities, and CIS CyberMarket. Through these program areas, CIS works with a wide range of entities, including those in academia, the government, and both the private sector and the general public to increase their online security by providing them with products and services that improve security efficiency and effectiveness.[5][6]

Multi-State Information Sharing and Analysis Center (MS-ISAC)

[edit]

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a "round-the-clock cyber threat monitoring and mitigation center for state and local governments" operated by CIS under a cooperative agreement with the U.S. Department of Homeland Security[7] (DHS), Cybersecurity and Infrastructure Security Agency[8] (CISA).[9] The MS-ISAC was established in late 2002, and officially launched in January 2003, by William F. Pelgrin, then Chief Security Officer of the state of New York.[10] Beginning from a small group of participating states in the Northeast, MS-ISAC came to include all 50 U.S. States and the District of Columbia, as well as U.S. State, Local, Tribal, and Territorial (SLTT) governments. In order to facilitate its expanding scope, in late 2010, MS-ISAC "transitioned into a not-for-profit status under the auspices of the Center for Internet Security."[10][11] In March 2025, CISA ended funding for MC-ISAC.[12]

MS-ISAC "helps government agencies combat cyberthreats and works closely with federal law enforcement",[13][14] and is designated by DHS as a key cyber security resource for the nation's SLTT governments.

The main objectives of MS-ISAC are described as follows:[15]

  • provide two-way sharing of information and early warnings on cyber security threats
  • provide a process for gathering and disseminating information on cyber security incidents
  • promote awareness of the interdependencies between cyber and physical critical infrastructure as well as between and among the different sectors
  • coordinate training and awareness
  • ensure that all necessary parties are vested partners in this effort

The MS-ISAC offers a variety of federally funded, no-cost, cybersecurity products and services to its members through the DHS CISA cooperative agreement. It also offers fee-based products and services for SLTT members who want additional protection in addition to what is offered under the cooperative agreement. In 2021, the MS-ISAC announced[16] it was undergoing a digital transformation, making major infrastructure upgrades including the implementation of a new cloud-based threat intelligence platform, security information and event management (SIEM) capability, security orchestration, automation, and response (SOAR) tool, and data lake capabilities for threat hunting.

Some of the offerings for SLTTs include:

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

[edit]

The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), as established by the Election Infrastructure Subsector Government Coordinating Council (GCC), is a critical resource for cyber threat prevention, protection, response and recovery for the nation's state, local, territorial, and tribal (SLTT) election offices. The EI-ISAC is operated by the Center for Internet Security, Inc. under the same cooperative agreement with DHS CISA as the MS-ISAC. By nature of election offices being SLTT organizations, each EI-ISAC member is automatically an MS-ISAC member and can take full advantage of the products and services provided to both ISACs.

The mission of the EI-ISAC is to improve the overall cybersecurity posture of SLTT election offices, through collaboration and information sharing among members, the U.S. Department of Homeland Security (DHS) and other federal partners, and private sector partners are the keys to success. The EI-ISAC provides a central resource for gathering information on cyber threats to election infrastructure and two-way sharing of information between and among public and private sectors in order to identify, protect, detect, respond and recover from attacks on public and private election infrastructure. And the EI-ISAC comprises representatives from SLTT election offices and contractors supporting SLTT election infrastructure.[21]

CIS Controls and CIS Benchmarks

[edit]

Formerly known as the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, the CIS Controls as they are called today is a set of 18 prioritized safeguards to mitigate the most prevalent cyber-attacks against today's modern systems and networks. The CIS Controls are grouped into Implementation Groups[22] (IGs), which allow organizations to use a risk assessment in order to determine the appropriate level of IG (one through three) that should be implemented for their organization. The CIS Controls can be downloaded from CIS, as can various mappings to other frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework[23] (CSF), NIST Special Publication (SP) 800-53,[24] and many others. CIS also offers a free hosted software product called the CIS Controls Assessment Tool[25] (CIS-CAT) that allows organizations to track and prioritize the implementation of the CIS Controls.

The CIS Controls advocate "a defense-in-depth model to help prevent and detect malware".[26] A May 2017 study showed that "on average, organizations fail 55% of compliance checks established by the Center for Internet Security", with more than half of these violations being high severity issues.[27] In March 2015, CIS launched CIS Hardened Images for Amazon Web Services, in response to "a growing concern surrounding the data safety of information housed on virtual servers in the cloud".[28] The resources were made available as Amazon Machine Images, for six "CIS benchmarks-hardened systems", including Microsoft Windows, Linux and Ubuntu, with additional images and cloud providers added later.[28] CIS released Companion Guides to CIS Controls, recommendations for actions to counter cybersecurity attacks, with new guides having been released in October and December 2015.[29] In April 2018, CIS launched an information security risk assessment method to implement CIS Controls, called CIS RAM which is based upon the risk assessment standard by the DoCRA (Duty of Care Risk Analysis) Council.[30] Version of CIS RAM v2.0[31] was released October 2021.[32] CIS RAM v2.1 was released in 2022.

CIS Benchmarks are a collaboration of the Consensus Community and CIS SecureSuite members (a class of CIS members with access to additional sets of tools and resources).[33] The Consensus Community is made up of experts in the field of IT security who use their knowledge and experience to help the global Internet community. CIS SecureSuite members are made up of several different types of companies ranging in size, including government agencies, colleges and universities, nonprofits, IT auditors and consultants, security software vendors and other organizations. CIS Benchmarks and other tools that CIS provides at no cost allow IT workers to create reports that compare their system security to universal consensus standard. This fosters a new structure for internet security that everyone is accountable for and that is shared by top executives, technology professionals and other internet users throughout the globe. Further, CIS provides internet security tools with a scoring feature that rates the configuration security of the system at hand. For example, CIS provides SecureSuite members with access to CIS-CAT Pro, a "cross-platform Java app" which scans target systems and "produces a report comparing your settings to the published benchmarks".[5] This is intended to encourage and motivate users to improve the scores given by the software, which bolsters the security of their internet and systems. The universal consensus standard that CIS employs draws upon and uses the accumulated knowledge of skillful technology professionals. Since internet security professionals volunteer in contributing to this consensus, this reduces costs for CIS and makes it cost effective.[34]

CIS CyberMarket

[edit]

CIS CyberMarket is a "collaborative purchasing program that serves U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, nonprofit entities, and public health and education institutions to improve cybersecurity through cost-effective group procurement".[35] The intent of the CIS CyberMarket is to combine the purchasing power of governmental and nonprofit sectors to help participants improve their cybersecurity condition at a lower cost than they would have been able to attain on their own. The program assists with the "time intensive, costly, complex, and daunting" task of maintaining cybersecurity by working with the public and private sectors to bring their partners cost-effective tools and services. The combined purchasing opportunities are reviewed by domain experts.[15]

There are three main objectives of the CIS CyberMarket:

  • to contribute a trusted environment to improve the condition of the cybersecurity of the previously mentioned entities
  • to lower the cost of cybersecurity needs
  • to work with companies to bring services and security products to their partners[15]

CIS CyberMarket, like the MS-ISAC, serves government entities and non-profits in achieving greater cyber security. On its "resources" page, multiple newsletters and documents are available free of charge, including the "Cybersecurity Handbook for Cities and Counties".[36]

CIS Communities

[edit]

CIS Communities are "a volunteer, global community of IT professionals" who "continuously refine and verify" CIS best practices and cybersecurity tools.[37] To develop and structure its benchmarks, CIS uses a strategy in which members of the organization first form into teams. These teams then each collect suggestions, advice, official work and recommendations from a few participating organizations. Then, the teams analyze their data and information to determine what the most vital configuration settings are that would improve internet system security the most in as many work settings as possible. Each member of a team constantly works with their teammates and critically analyzes and critiques a rough draft until a consensus forms among the team. Before the benchmark is released to the general public, they are available for download and testing among the community. After reviewing all of the feedback from testing and making any necessary adjustments or changes, the final benchmark and other relevant security tools are made available to the public for download through the CIS website. This process is so extensive and so carefully executed that thousands of security professionals across the globe participate in it. According to ISACA, "during the development of the CIS Benchmark for Sun Microsystems Solaris, more than 2,500 users downloaded the benchmark and monitoring tools."[38]

Participating organizations

[edit]

The organizations that participated in the founding of CIS in October 2000 include ISACA, the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the International Information Systems Security Certification Consortium (ISC2) and the SANS Institute (System Administration, Networking and Security). CIS has since grown to have hundreds of members with varying degrees of membership and cooperates and works with a variety of organizations and members at both the national and international levels. Some of these organizations include those in both the public and private sectors, government, ISACs and law enforcement.[1]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Center for Internet Security

View on Grokipedia
from Grokipedia

The Center for Internet Security (CIS) is a nonprofit organization founded in 2000 by cybersecurity experts from government agencies, private sector firms, and security institutions to address escalating cyber threats amid rapid internet expansion. It focuses on developing and promoting consensus-based best practices for securing IT systems and data, including the globally recognized CIS Controls—a prioritized set of actions for cyber defense—and CIS Benchmarks, configuration guidelines for hardening systems against attacks. These resources, derived from real-world incident data and expert collaboration, are utilized by thousands of organizations to prioritize defenses yielding the highest risk reduction. CIS operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division providing real-time threat intelligence, incident response, and cybersecurity services tailored to , local, tribal, and territorial governments, often in with federal entities like CISA. The organization sustains itself through direct sales of products like CIS SecureSuite and Hardened Images for cloud environments, alongside government grants and a cost-sharing model, enabling accessible protections for resource-constrained entities. Over 25 years, CIS has evolved from initial threat mitigation efforts to a leading provider of scalable tools and standards, including initiatives like the Secure Cyber City pilot for community-wide resilience, emphasizing practical, empirical defenses over theoretical measures. While praised for its actionable, data-informed frameworks that outperform broader standards in efficiency for many users, CIS offerings have drawn critique for potentially disrupting systems if implemented rigidly without customization and for limited free automation tools. Recent federal funding reductions to MS-ISAC under the 2025 Trump administration have prompted concerns over sustained support for state-level defenses, though CIS maintains operational independence.

History

Founding and Early Development (2000–2010)

The (CIS) was formally established in October 2000 as a 501(c)(3) , emerging from collaborative efforts among cybersecurity experts from government agencies, private industry, and security institutions to counter escalating internet-based threats. A pivotal meeting took place on August 22, 2000, at the in , where participants identified the need for standardized, consensus-based security practices accessible to organizations lacking extensive resources. The founding group's objective centered on producing practical benchmarks and guidelines to mitigate vulnerabilities in common IT systems, drawing on shared expertise rather than proprietary solutions. To lead the nascent organization, founders recruited Clint Kreitner from retirement as its first CEO, leveraging his prior experience in federal IT security roles. Under Kreitner's direction, CIS rapidly prioritized the development of configuration benchmarks, releasing the inaugural Consensus Security Benchmark for in 2002 through partnerships with the (NSA), (DISA), (FBI), and . These early benchmarks provided prioritized, testable recommendations for securing operating systems and applications, emphasizing inventory, access controls, and patching to address prevalent attack vectors observed in real-world incidents. By mid-decade, CIS had cultivated a volunteer-driven model, expanding benchmarks to Unix-like systems, routers, and databases, with over 100 contributors refining guidelines via iterative community review. In 2008, amid growing concerns over data breaches in the U.S. , CIS participated in formulating the initial Critical Security Controls—originally the SANS Top 20—a prioritized list of 20 defensive measures derived from attacker tactics and empirical breach analyses. This framework complemented the benchmarks by shifting focus from isolated configurations to integrated defenses like continuous monitoring and incident response. Kreitner retired as CEO that September, transitioning to a strategic advisory role while the board installed a new executive team, including a and chief security officer, to scale benchmark dissemination and automation tools. By 2010, CIS had solidified its reputation for vendor-neutral standards, with benchmarks adopted by thousands of organizations; that year, it absorbed the (MS-ISAC), a pre-existing regional threat-sharing originally formed in 2003, thereby extending its scope to real-time intelligence for state and local governments.

Growth and Program Expansion (2011–2023)

In 2015, the Center for Internet Security assumed stewardship of the CIS Critical Security Controls from the Council of Cybersecurity, releasing Version 6 and achieving over 100,000 downloads that year, which marked a significant expansion in the organization's influence on global cybersecurity practices. This transition integrated the controls into CIS's core offerings, emphasizing prioritized, actionable safeguards derived from real-world threat data. Subsequent updates included Version 7 in 2018, refining implementation guidance, and Version 8 in 2021, which restructured the controls into 18 prioritized groups to address evolving threats like supply chain risks and mobile device security. These iterations drove broader adoption, with thousands of organizations worldwide implementing the controls to reduce vulnerability exposure. Parallel to controls development, the Multi-State (MS-ISAC), operated by CIS since its inception, experienced rapid membership growth among state, local, tribal, and territorial governments, expanding from approximately 1,000 members in 2013 to 10,000 by November 2020 and surpassing 16,000 by 2023. This surge reflected increased demand for MS-ISAC's services, including 24/7 monitoring, threat intelligence sharing, and incident response support, funded primarily through federal partnerships with the . In 2017, amid heightened concerns over interference following 2016 events, CIS launched the Elections Information Sharing and Analysis Center (EI-ISAC) to provide specialized cybersecurity resources for election officials, marking its inaugural full operational year in 2018 with focused threat briefings and coordination among subsector stakeholders. EI-ISAC membership grew to encompass all 50 states and numerous local entities by the early 2020s, enhancing resilience against targeted disruptions. CIS further expanded its benchmarks program during this period, publishing hundreds of configuration guidelines for systems like cloud platforms and operating systems, which saw widespread use in and enterprise hardening efforts. Organizational growth included staff increases to support scaled operations, with the nonprofit adding over 100 employees in 2023 alone amid rising demand for and assessment tools. These developments solidified CIS's role in bridging public-sector needs with private-sector expertise, though reliance on federal cooperative agreements underscored dependencies on sustained funding for ISAC scalability.

Recent Transitions and Challenges (2024–Present)

In September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) terminated its long-standing agreement with the Center for Internet Security (CIS) to operate the Multi-State Information Sharing and Analysis Center (MS-ISAC), citing a shift toward providing direct cybersecurity support, tools, and grant funding to state, local, tribal, and territorial (SLTT) entities. This decision, aligned with the Trump administration's emphasis on a "new model" for local government cyber strategy, prompted CIS to implement a fee-based membership structure for MS-ISAC effective June 23, 2025, potentially resulting in the loss of two-thirds of its state and territorial members due to budget constraints at the SLTT level. Despite these changes, MS-ISAC reported detecting over 40,000 potential cyberattacks targeting SLTT organizations in 2024, underscoring ongoing threats that the transition aims to address through decentralized support. The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), also operated by CIS, faced similar federal funding cuts announced in February 2025, leading its executive committee to explore sustainability options amid heightened election-related cyber risks. These reductions have raised concerns among state officials about potential gaps in coordinated threat intelligence and incident response, particularly as cyberattacks on election infrastructure evolved in complexity during the 2024 cycle. In response, CIS released an updated Elections Technology Cybersecurity Guide in 2024 to help vendors mitigate risks, while continuing to adapt core offerings like the to version 8.1, which incorporated governance elements for broader resilience. To bolster endpoint protection for SLTT members, CIS partnered with as its premier vendor in August 2025, integrating advanced threat detection tools into MS-ISAC services. These adaptations reflect CIS's efforts to navigate funding transitions by emphasizing commercial viability and enhanced resources, though the long-term efficacy of CISA's direct-support model remains under scrutiny by cybersecurity stakeholders evaluating coverage for resource-limited localities.

Mission and Organizational Structure

Core Mission and Objectives

The Center for Internet Security (CIS) operates as a dedicated to enhancing cybersecurity worldwide. Its stated mission is to "make the connected world a safer place by developing, validating, and promoting timely solutions that help people, businesses, and governments protect themselves against pervasive cyber threats." Founded in 2000 amid surging adoption and corresponding threat proliferation, CIS emphasizes empirical, consensus-driven approaches to cybersecurity, drawing on expertise from government and professionals to prioritize actionable defenses over theoretical models. Core objectives center on identifying vulnerabilities, standardizing protective measures, and fostering widespread adoption of these practices to mitigate real-world risks such as data breaches and . CIS pursues these through core competencies in collaboration and innovation, leading a global community of IT professionals to refine and update standards based on observed attack vectors and defensive efficacy. Key focuses include the development of the CIS Controls—a prioritized set of 18 safeguards derived from analyses of successful breaches—and CIS Benchmarks, configuration guidelines for over 25 technology families tested for effectiveness in reducing exploit surfaces. These objectives aim not merely at compliance but at causal risk reduction, emphasizing hygiene practices like , continuous , and access controls that address root causes of compromises. To achieve its goals, CIS provides free and premium resources, including implementation tools, hardened images for secure system deployment, and services such as assessments, while operating sector-specific information sharing centers like the Multi-State (MS-ISAC) for threat intelligence dissemination among U.S. state, local, tribal, and territorial governments. This model relies on evidence from incident data and peer validation rather than unverified assertions, promoting scalability across organizational sizes without dependency on proprietary vendor solutions. By sustaining these efforts, CIS seeks to lower the baseline attack success rate, as evidenced by adoption metrics showing reduced incident rates in implementing entities per independent audits.

Governance, Leadership, and Operational Model

The Center for Internet Security (CIS) functions as a 501(c)(3) , tax-exempt since August 2012 and headquartered in . Its governance is overseen by a comprising cybersecurity experts and business leaders who provide strategic guidance and ensure alignment with the organization's mission to enhance cybersecurity resilience. The board's composition emphasizes industry acumen, with notable members including co-founder and founding chair Franklin Reeder, formerly of the U.S. , and Elizabeth Mora, affiliated with Inogen Inc. and serving in a chair capacity. This structure supports nonpartisan, vendor-agnostic decision-making, guided by internal codes including a Code of Ethics and Leadership Principles that prioritize collaboration and ethical practices. Executive reports to the board and manages day-to-day operations. John M. Gilligan has served as President and since October 2018, bringing prior experience in federal cybersecurity roles and consulting. Key executives include Marcus H. Sachs as Senior Vice President and Chief Engineer, advising on engineering standards, and John D. Cohen as for the Program for Countering Hybrid Threats. Specialized programs like the Multi-State (MS-ISAC) feature elected executive committees for operational input, reflecting a layered model that integrates stakeholder perspectives. CIS's operational model is community-driven and consensus-based, leveraging crowdsourced expertise to develop resources such as the CIS Controls and Benchmarks. It operates through core competencies in threat intelligence sharing, standards development, and , including the MS-ISAC for state and local governments and the (EI-ISAC). Sustainability relies on diversified funding, including sales of subscription-based tools like CIS SecureSuite, federal and nonprofit grants, and cost-sharing arrangements for ISAC services, enabling scalability without vendor bias. This approach fosters empirical, actionable cybersecurity guidance while maintaining independence from commercial interests.

Key Programs and Initiatives

Multi-State Information Sharing and Analysis Center (MS-ISAC)

The Multi-State Information Sharing and Analysis Center (MS-ISAC), operated by the Center for Internet Security (CIS), serves as the primary cybersecurity information-sharing hub for U.S. state, local, tribal, and territorial (SLTT) governments. Established in 2003 amid rising cyber threats to public sector networks, it initially functioned as a regional cooperative before expanding nationally and integrating with CIS in 2010. MS-ISAC facilitates real-time threat intelligence exchange, vulnerability assessments, and coordinated response efforts among over 18,000 SLTT member entities as of 2025, enabling collective defense against cyberattacks targeting critical infrastructure. Designated by the Department of Homeland Security (DHS) as the central resource for SLTT cyber threat prevention, protection, response, and recovery, it operates a 24/7 Security Operations Center (SOC) that monitors networks, issues early warnings, and provides advisories on emerging vulnerabilities. MS-ISAC's core operations emphasize membership-based collaboration, offering no-cost or low-cost services such as proactive threat hunting, incident response support, and access to shared cyber indicators of compromise (IoCs). By 2024, these efforts contributed to detecting over 43,000 potential cyberattacks on SLTT networks, with escalations to affected members for mitigation. The organization leverages frameworks like the to standardize maturity assessments and enhance SLTT cyber resilience, fostering interoperability with federal partners including the (CISA). Membership is open to all SLTT government agencies, law enforcement, educational institutions, and related entities, promoting a non-competitive environment for intelligence sharing that has achieved universal state participation over its two decades of operation. In recent years, MS-ISAC has faced funding transitions, with CISA terminating federal support effective September 2025, shifting to a fee-based model to sustain services amid budget constraints. This change risks reducing participation, as projections indicate potential loss of two-thirds of state and local members unable to cover costs, though core operations like SOC monitoring and threat alerts are expected to persist for paying entities. Despite these challenges, MS-ISAC's historical impact includes bolstering SLTT defenses during high-profile incidents, such as campaigns and election-related threats, through timely intelligence dissemination and recovery guidance.

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

The Elections Infrastructure (EI-ISAC) was established in February 2018 by the Elections Infrastructure Subsector Government Coordinating Council (EIS-GCC), a body comprising federal, state, and local stakeholders, to centralize cybersecurity information sharing for U.S. systems. Hosted by the Center for Internet Security (CIS), which also operates the related Multi-State (MS-ISAC), the EI-ISAC focuses on identifying and disseminating intelligence about cyber threats, vulnerabilities, and incidents targeting databases, voting machines, and management systems. Its formation addressed growing concerns over foreign and domestic cyber risks to , building on frameworks like Presidential Policy Directive 21, which designates as . The EI-ISAC's core objectives include enabling rapid threat detection, , and recovery to bolster election resilience, with membership open to state, local, tribal, and territorial officials, vendors, and supporting organizations across the . Members gain access to real-time alerts, analytical reports, collaboration forums, cybersecurity training, and best-practice resources tailored to cycles. Operations leverage CIS's MS-ISAC , including a 24/7 for monitoring and incident response, ensuring actionable intelligence reaches administrators during high-risk periods like primaries and general . In its inaugural cycle, the center coordinated threat sharing that supported secure operations amid documented attempts at interference. Governed by an Executive Committee of election sector representatives, the EI-ISAC integrated into the National Council of Information Sharing and Analysis Centers in 2019, expanding its network for cross-sector visibility. Key activities encompass scanning, awareness campaigns, and post-incident debriefs, with annual reports highlighting mitigated risks such as targeting local election offices. By October 2023, it had marked five years of operations, contributing to nationwide efforts that verified no widespread cyber disruptions to vote tabulation in multiple cycles. As of March 2025, the EI-ISAC faces sustainability challenges following a $10 million funding cut from the (CISA), which had previously supported its expansion through grants tied to the Help America Vote Act and related programs. The Executive Committee is evaluating membership expansions, private partnerships, and operational efficiencies to maintain services, amid concerns from state secretaries that reduced federal backing could strain local resources for defending against persistent threats like supply-chain attacks on vendors. This transition underscores the program's historical reliance on taxpayer-funded mechanisms, potentially shifting costs to state budgets or voluntary contributions while preserving core threat-sharing functions.

Security Standards and Resources

CIS Critical Security Controls

The CIS Critical Security Controls are a prioritized framework of cybersecurity best practices designed to help organizations defend against the most common and severe cyber threats by focusing on actionable safeguards derived from real-world attack data. Developed through consensus among cybersecurity experts, the controls emphasize offense-informed defense, prioritizing measures that address attacker tactics over theoretical risks, and are structured to be measurable, scalable, and aligned with standards such as NIST and . Originating in 2008 from collaborative efforts involving U.S. defense contractors and the —initially as the "SANS Top 20"—they evolved to counter data breaches in the defense industrial base and have been iteratively refined based on evolving threats. The current version, CIS Controls v8.1, released in 2024, incorporates updates for hybrid cloud environments, supply chain risks, virtualization, mobility, and operational technology (OT), reducing the number of safeguards from 171 in v7.1 to 153 while enhancing focus on modern attack vectors like ransomware and phishing. The framework organizes its 18 controls into three Implementation Groups (IGs) to accommodate varying organizational sizes and maturity: IG1 for foundational hygiene suitable for smaller entities, IG2 for progressive risk mitigation, and IG3 for advanced, proactive defenses. Each control consists of specific safeguards—discrete actions with defined metrics—that organizations can implement to achieve compliance with regulations like PCI DSS, HIPAA, and GDPR, while shifting from checklist-driven approaches to risk-based cybersecurity. CIS quantifies the controls' effectiveness against prevalent threats, claiming high returns on investment through reduced breach likelihood, though broader empirical validation relies on case-specific metrics rather than large-scale longitudinal studies. The 18 controls are as follows:
  • 1. Inventory and Control of Enterprise Assets: Identify and manage all hardware devices to establish a baseline for security monitoring.
  • 2. Inventory and Control of Software Assets: Catalog and control software installations to prevent unauthorized or vulnerable applications.
  • 3. Data Protection: Protect sensitive data through encryption and access restrictions.
  • 4. Secure Configuration of Enterprise Assets and Software: Harden systems by applying secure baselines to reduce attack surfaces.
  • 5. Account Management: Minimize administrative privileges and enforce least-privilege access to limit lateral movement by attackers.
  • 6. Access Control Management: Implement granular controls based on need-to-know principles for data and systems.
  • 7. Continuous Vulnerability Management: Establish processes to assess, prioritize, and remediate vulnerabilities in assets and software.
  • 8. Audit Log Management: Maintain, monitor, and analyze logs for security events.
  • 9. Email and Web Browser Protections: Secure email and browsing against phishing and drive-by downloads.
  • 10. Malware Defenses: Deploy anti-malware tools and behavioral monitoring.
  • 11. Data Recovery Capabilities: Ensure backup and recovery processes for resilience.
  • 12. Network Infrastructure Management: Securely configure network devices like firewalls and routers.
  • 13. Network Monitoring and Defense: Monitor traffic for malicious activity.
  • 14. Security Awareness and Skills Training: Educate users on security practices.
  • 15. Service Provider Management: Manage risks from third-party providers.
  • 16. Application Software Security: Secure custom and third-party applications.
  • 17. Incident Response Management: Develop and test response capabilities.
  • 18. Penetration Testing: Perform regular testing to identify weaknesses.
These controls are freely downloadable in PDF and Excel formats, with tools like CIS-CAT for assessment, and are maintained via community input to ensure relevance without vendor bias, including the CIS Controls Ambassadors program—a volunteer initiative that selects individuals to promote the framework globally, featuring regular spotlights sharing ambassadors' stories. Organizations adopting them report improved incident response times and threat detection, as the framework targets the 80-90% of attacks preventable through basic hygiene, per CIS analysis of breach data.

CIS Benchmarks and Implementation Tools

The CIS Benchmarks consist of prescriptive configuration recommendations developed by the Center for Internet Security (CIS) to secure systems against cyber threats. These guidelines cover more than 25 product families, including operating systems such as Microsoft Windows and various distributions, cloud platforms like and , databases, network devices from vendors like , and applications such as Microsoft 365. They emerge from a consensus process involving hundreds of global cybersecurity practitioners who evaluate and refine recommendations based on real-world applicability and threat intelligence. Benchmarks are structured into two implementation levels: Level 1, which focuses on basic security hygiene with minimal operational impact suitable for most environments, and Level 2, which incorporates advanced defenses for higher-risk scenarios despite potential performance trade-offs. Each benchmark includes detailed rationales for controls, scored profiles for automated validation, and mappings to frameworks like the CIS Controls and regulatory standards such as NIST or PCI DSS. As of 2025, CIS maintains over 100 active benchmarks, with regular updates—for instance, new versions for and AWS services released in response to emerging vulnerabilities. Free community editions provide core recommendations, while full versions with scoring and implementation details require CIS SecureSuite membership. To facilitate adoption, CIS provides implementation tools that automate assessment, remediation, and deployment of benchmark configurations. The CIS Configuration Assessment Tool (CIS-CAT) is a key offering, available in a free Lite version for basic scans and a Pro edition for enterprise-scale reporting; it evaluates system compliance against benchmarks, generates XML/HTML reports mapped to CIS Controls, and supports platforms including Windows, Unix/, and . CIS-CAT Lite, for example, delivers a compliance score post-scan, enabling users to identify deviations without membership. CIS Build Kits complement assessment by providing automated hardening resources, such as Group Policy Objects (GPOs) for Windows environments and shell scripts for , derived directly from benchmark recommendations. Sample kits are freely available for select platforms like and common distributions, while comprehensive kits for broader use cases require membership; they enable scalable deployment via tools like or image builders. Additionally, CIS Hardened Images offer pre-configured virtual machine templates compliant with benchmarks for rapid deployment in infrastructures, reducing manual configuration errors. These tools collectively support a cycle of continuous assessment and remediation, with CIS reporting that organizations using them achieve measurable reductions in configuration vulnerabilities.

Additional Offerings (CyberMarket and Communities)

CIS CyberMarket operates as a specialized cybersecurity marketplace tailored for U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, leveraging the collective purchasing power of over 18,000 members from the (MS-ISAC) to procure rigorously vetted solutions at reduced costs. The program simplifies access to essential tools such as , email security, cybersecurity training, management, and compliance automation, with more than 16 vendor-provided services available through group purchasing agreements. Vendors gain exclusive marketing opportunities to this established customer base by applying through a designated process, ensuring products align with SLTT needs while maintaining affordability and trustworthiness. In parallel, CIS Communities consist of volunteer-driven groups comprising thousands of IT security practitioners worldwide who collaborate to develop and refine core CIS resources, including the CIS Critical Security Controls and CIS Benchmarks. The CIS Benchmarks Community, involving over 12,000 professionals from , industry, and academia, employs a consensus-based process—utilizing subject matter experts, editors, writers, testers, and contributors via ticketing systems and forums—to create and maintain secure configuration recommendations for various technologies. Similarly, the CIS Critical Security Controls Communities draw on hundreds of experts to review and update threat mitigation guidance, produce companion guides, map controls to compliance frameworks, and develop supporting resources like translations and peer assistance tools. Participation in these communities is facilitated through a free CIS WorkBench account, enabling members to engage in discussions, volunteer for specific tasks, and influence global cybersecurity standards, with perks such as professional collaboration, recognition in publications, and continuing professional education credits for editors via partnerships like (ISC)². This volunteer model underscores CIS's emphasis on practitioner-led validation, ensuring outputs reflect practical, empirically grounded best practices rather than isolated institutional perspectives.

Funding, Partnerships, and Dependencies

Historical Reliance on Federal Funding

The , founded in as a non-profit organization dedicated to developing cybersecurity standards and resources, established its Multi-State Information Sharing and Analysis Center (MS-ISAC) in 2003 to facilitate threat intelligence sharing among state, local, tribal, and territorial (SLTT) governments. From inception, the MS-ISAC relied heavily on federal grants from the Department of Homeland Security (DHS), which designated it as the primary cybersecurity information sharing organization for SLTT entities, providing core operational funding for incident response, vulnerability assessments, and training programs. This support enabled the MS-ISAC to serve over 3,000 SLTT members without membership fees initially, as federal allocations covered approximately 80-90% of its budget in early years, allowing prioritization of under-resourced participants over commercial viability. By 2004, when full MS-ISAC operations commenced, DHS grants had become the foundational revenue stream, totaling millions annually and scaling with evolving threats such as campaigns targeting public infrastructure. For example, between fiscal years 2010 and 2024, CIS secured over $115 million in federal awards from DHS and the Department of Defense (DoD), primarily through cooperative agreements for MS-ISAC and related initiatives like election security via the Elections Infrastructure (EI-ISAC), launched in 2017. These funds supported expansion to include real-time threat feeds, on-site incident response deployments, and free tools like automated , which would have otherwise required substantial private funding or fees prohibitive for many SLTT governments. This federal dependency persisted through legislative reinforcements, such as the State and Local Government Cybersecurity Act of 2021, which codified DHS's role in bolstering MS-ISAC capabilities with dedicated appropriations. Prior to 2025, annual DHS contributions peaked at around $27 million for MS-ISAC alone, representing a majority of CIS's government-facing program expenditures and enabling services that supplemented limited state budgets amid rising cyber incidents, including over 1,000 reported SLTT breaches annually by the early . While CIS supplemented with membership dues from entities and product sales, federal grants remained indispensable for scaling non-commercial public defense efforts, fostering a model where taxpayer dollars underwrote national cybersecurity coordination without direct cost recovery from beneficiaries.

Shift to Membership Models and Private Partnerships (Post-2025)

In September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) terminated its cooperative agreement with the Center for Internet Security (CIS), ending approximately $27 million in annual federal funding that had supported the Multi-State Information Sharing and Analysis Center (MS-ISAC) since its inception. This decision marked the planned conclusion of the agreement, prompting CIS to implement a fee-based membership model for MS-ISAC effective October 1, 2025, with fees scaled according to members' operating budgets to sustain operations independently of federal grants. To bridge the immediate funding gap, CIS committed $1 million in monthly emergency support starting October 2025, enabling continuity of core services such as threat intelligence sharing, incident response, and for state, local, tribal, and territorial (SLTT) governments. The membership structure prioritizes SLTT entities but extends eligibility to participants, including end-user organizations, consulting firms, and product vendors, through CIS's broader SecureSuite offerings that integrate MS-ISAC access with tools like CIS Benchmarks and Controls. This expansion fosters private partnerships by allowing commercial entities to leverage MS-ISAC data feeds and collaborative platforms, potentially increasing revenue streams via tiered subscriptions that bundle cybersecurity assessments and implementation guidance. CISA has stated it will provide direct cyber support to SLTT governments to mitigate service disruptions, including enhanced regional advisors and joint vulnerability scanning, while emphasizing that the shift aligns with a strategy to promote self-reliance amid fiscal constraints. However, cybersecurity experts have raised concerns that the fee model may exclude smaller jurisdictions with limited budgets, potentially fragmenting information sharing and increasing reliance on private vendors for equivalent services. CIS counters that the model ensures long-term viability, with early webinars in October 2025 outlining tiered pricing to accommodate varying entity sizes and projecting sustained threat mitigation through diversified funding.

Impact and Reception

Adoption Rates and Empirical Effectiveness

The CIS Critical Security Controls have been downloaded more than 200,000 times as of May 2021, reflecting broad interest from organizations aiming to implement prioritized cybersecurity practices derived from real-world incident analysis. The CIS Benchmarks, which provide configuration guidelines for over 25 vendor product families, have seen adoption across government agencies, businesses, and industries, with endorsements from entities including the U.S. Department of Defense and various private-sector programs. However, precise global adoption rates remain undocumented in public surveys, with framework usage varying by sector; for instance, a 2023 report noted that while multiple frameworks are common (44% of respondents), specific CIS uptake depends on organizational maturity and regulatory alignment. The Multi-State Information Sharing and Analysis Center (MS-ISAC) has achieved membership exceeding 10,000 entities as of 2020, encompassing state, local, tribal, and territorial governments, with a focus on "whole-of-state" participation that extends to educational institutions and election offices in participating jurisdictions. All 50 U.S. states engage with MS-ISAC services to varying degrees, often through coordinated threat intelligence sharing designated by the Department of as the primary cybersecurity resource for these sectors. The Elections Infrastructure (EI-ISAC), integrated within CIS operations, maintains open membership for election-supporting organizations across state, local, tribal, and territorial levels, though exact participation figures are not publicly quantified; it supports over 2,900 election-related entities indirectly through MS-ISAC overlaps. Empirical effectiveness of CIS offerings stems primarily from their development methodology, which analyzes thousands of actual breaches to prioritize actions—such as inventory management and continuous vulnerability scanning—that demonstrably block common attack paths in post-incident reviews. Implementation of the first six CIS Controls, for example, targets foundational defenses that address over 80% of confirmed breach techniques per analyses by CIS and affiliated experts, reducing exploitable misconfigurations and unauthorized access risks. Independent verification tools, including metrics in the CIS Controls Measurement Companion, enable organizations to test control efficacy through automated assessments, correlating compliance levels with lowered incident rates in self-reported data; however, large-scale, peer-reviewed longitudinal studies quantifying breach reductions across adopters remain limited, with effectiveness often inferred from alignment with frameworks like NIST CSF rather than controlled trials. For MS-ISAC and EI-ISAC, threat sharing has facilitated rapid response to incidents, as evidenced by participation in nationwide reviews where 2023 data highlighted improved vulnerability management but persistent funding gaps as barriers to fuller impact measurement. Overall, while CIS resources demonstrate practical risk mitigation in targeted implementations, claims of broad empirical superiority rely heavily on originator-derived data, warranting caution against overgeneralization absent third-party RCTs.

Case Studies in Threat Mitigation

The Multi-State Information Sharing and Analysis Center (MS-ISAC), operated by the (CIS), assisted U.S. state, local, tribal, and territorial (SLTT) governments in responding to the 2020 SolarWinds Orion supply chain compromise, a cyber espionage campaign attributed to Russian state actors that affected thousands of organizations worldwide. MS-ISAC provided targeted guidance on identifying compromised systems, isolating affected networks, and applying patches, drawing from CIS Benchmarks and Critical Security Controls to prioritize asset inventory and . This support enabled SLTT entities to limit lateral movement by intruders and reduce risks, with post-incident analyses indicating that proactive hardening aligned with CIS recommendations prevented broader operational disruptions in participating jurisdictions. In the aftermath of the December 2023 PowerSchool , which exposed sensitive information on millions of students and educators across U.S. districts due to a third-party , MS-ISAC offered incident response support to at least one affected district. Leveraging CIS tools for endpoint detection and threat intelligence sharing, the assistance focused on forensic analysis, containment of propagation, and recovery planning, including recommendations to implement and continuous monitoring as per CIS Controls v8. Outcomes included swift restoration of services and enhanced future resilience, with the district reporting minimized downtime compared to unassisted peers facing similar exposures. CIS's 18-month pilot program in (2023–2024), under the Secure Cyber City initiative, demonstrated threat mitigation for small to mid-sized municipalities against , , and business email compromise targeting like water and power systems. Participants utilized CIS vulnerability assessments, simulations, and multidimensional threat intelligence from MS-ISAC to conduct endpoint and community-wide briefings, resulting in heightened awareness and preemptive defenses that thwarted simulated attacks and reduced success rates in exercises. The program culminated in plans for a whole-community exercise in spring 2025, with metrics showing improved detection times for threats through integrated CIS Controls implementation. Through the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), CIS facilitated collaboration among election officials for the 2024 U.S. s, sharing real-time threat intelligence on foreign influence operations and DDoS attempts, which contributed to organizers deeming it the most cyber-secure federal to date with no successful disruptions to voting infrastructure. EI-ISAC's efforts included distributing CIS-aligned best practices for securing databases and polling systems, enabling states to patch vulnerabilities ahead of known exploits; independent reviews confirmed zero material cyber incidents altering vote tallies, attributing efficacy to pre- hardening and inter-jurisdictional flows.

Criticisms and Controversies

Debates on Control Efficacy and Resource Allocation

The CIS Critical Security Controls are derived from analyses of prevalent attack vectors and effective defenses observed in breach data, with advocates asserting that basic implementation—particularly the first six controls—can prevent or detect approximately 80-85% of intrusion techniques used in common cyberattacks. This estimate stems from reviews of incident reports, such as those emphasizing inventory management, secure configurations, and continuous vulnerability remediation as high-impact measures against automated and opportunistic threats. However, rigorous, peer-reviewed empirical studies isolating CIS implementation's causal effects on breach reduction are limited, with much relying on self-reported organizational outcomes or correlational from frameworks like the Verizon Data Breach Investigations Report, complicating definitive claims of efficacy. Debates on control efficacy often center on their scope relative to evolving threats. Proponents, including CIS and affiliated experts, maintain the controls' prioritization reflects real-world defenses that have demonstrably lowered risk in sectors like and by focusing on "do-first" actions informed by attack data. Critics, including cybersecurity practitioners, contend that while effective for baseline hygiene, the framework underemphasizes adaptive responses to advanced persistent threats, supply chain compromises, or zero-day vulnerabilities, potentially fostering a false sense of security without integration into broader like NIST or ATT&CK. For example, rigid application of CIS Benchmarks has been linked to compatibility issues with legacy systems or operational inefficiencies, where hardening measures conflict with business needs, prompting arguments for contextual customization over prescriptive adherence. Resource allocation debates highlight tensions between the controls' structured Implementation Groups (IG1 for essentials, IG2-3 for advanced) and practical constraints, particularly for smaller organizations. The tiered approach aims to scale efforts by risk profile, directing limited budgets toward high-yield basics like asset inventories and patching before escalating to monitoring or incident response. Yet, implementation challenges include substantial upfront demands for personnel, tools, and expertise—such as automating compliance checks—which can strain entities with constrained resources, leading to incomplete adoption or diversion from tailored priorities like user awareness training. Analysts note that while IG1 promises quick wins, debates arise over opportunity costs, as exhaustive benchmarking may yield marginal gains against niche threats compared to investing in threat intelligence or zero-trust architectures, especially amid rising attack sophistication.

Government Ties and Funding Cut Implications

The Center for Internet Security (CIS) has maintained close operational ties with the U.S. federal government, particularly through its management of the (MS-ISAC), which facilitates cybersecurity threat sharing among state, local, tribal, and territorial (SLTT) entities. Established in 2003, MS-ISAC received substantial federal funding from the Department of Homeland Security (DHS) via the (CISA), totaling over $43 million in grants by 2025 for services including a and incident response support. These partnerships positioned CIS as a key intermediary, delivering federally backed tools like vulnerability scanning and alerts to more than 18,000 government members without direct cost to participants. In early 2025, the Trump administration initiated funding reductions to CIS programs, citing duplicative services and a need to refocus CISA on core statutory missions. On March 6, 2025, DHS announced a $10 million cut to grants for MS-ISAC and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), both operated by CIS, as part of broader budget efficiencies. This was followed by the termination of the primary MS-ISAC agreement on September 30, 2025, ending 21 years of federal support and forcing a pivot to a paid membership model for SLTT participants. The cuts, amounting to over 50% of MS-ISAC's remaining annual budget in some estimates, eliminated no-cost access to critical services for many smaller jurisdictions. The implications of these funding cuts include heightened financial pressures on CIS, which has responded by emphasizing partnerships and membership dues to sustain operations, potentially reducing its reach to resource-constrained local governments. Critics argue the shift disproportionately affects impoverished or rural areas reliant on free federal-subsidized sharing, risking slower incident detection and response amid rising cyber to . Conversely, CISA has pledged direct SLTT support through grants, no-cost assessments, and enhanced coordination, aiming to streamline delivery without intermediaries and align with a "new model" prioritizing federal efficiency over nonprofit dependencies. Early assessments indicate short-term disruptions in election security and local defenses, with CIS evaluating service reductions that could impair rapid remediation nationwide.

References

  1. https://www.cisecurity.org/about-us/history
  2. https://www.cisecurity.org/about-us
  3. https://learn.microsoft.com/en-us/compliance/regulatory/offering-cis-benchmark
  4. https://www.cisecurity.org/ms-isac
  5. https://ar5iv.labs.arxiv.org/html/1910.01721
  6. https://www.news10.com/top-stories/center-for-internet-security-facing-federal-funding-cuts/
  7. https://www.cisecurity.org/insights/blog/cis-celebrating-20-years-of-cybersecurity
  8. https://www.linkedin.com/pulse/center-internet-security-early-years-tony-sager-uhsde
  9. https://www.cisecurity.org/insights/blog/getting-to-know-the-cis-benchmarks
  10. https://www.cisecurity.org/insights/blog/ongoing-evolution-cis-critical-security-controls
  11. https://www.scworld.com/brief/clint-kreitner-retires-from-cis
  12. https://www.cisecurity.org/insights/blog/20-years-of-creating-confidence-in-the-connected-world
  13. https://www.sans.org/blog/cis-controls-v8
  14. https://statescoop.com/ms-isac-10000-members-cis-20th-anniversary/
  15. https://www.cisecurity.org/about-us/media/press-release/making-a-difference-and-building-capacity-in-2023
  16. https://www.cisecurity.org/insights/blog/ms-isac-20-years-as-your-trusted-cyber-defense-community
  17. https://www.cisecurity.org/wp-content/uploads/2019/02/EI-ISAC-2018-YIR.pdf
  18. https://www.cisa.gov/resources-tools/groups/join-elections-infrastructure-information-sharing-and-analysis-center-ei-isac
  19. https://www.cisa.gov/resources-tools/services/multi-state-information-sharing-and-analysis-center
  20. https://statescoop.com/cisa-confirms-its-ending-ms-isac-support/
  21. https://www.infosecurity-magazine.com/news/us-cuts-funding-ms-isac/
  22. https://www.cybersecuritydive.com/news/ms-isac-loses-federal-funding-cyber-impacts/761367/
  23. https://industrialcyber.co/cisa/cisa-advances-national-cyber-resilience-with-direct-support-to-strengthen-sltt-partners/
  24. https://www.cisecurity.org/ms-isac/defending-americas-critical-infrastructure
  25. https://statescoop.com/cisa-state-local-cyber-ms-isac-2025/
  26. https://www.cisecurity.org/insights/white-papers/2024-election-threat-landscape
  27. https://www.scribd.com/document/915254574/Center-for-Internet-Security-CIS-Releases-New-Elections-Technology-Cybersecurity-Supply-Chain-Guide
  28. https://compliancescorecard.com/2024/06/updated-cis-controls-includes-governance/
  29. https://www.sophos.com/en-us/press/press-releases/2025/08/center-internet-security-selects-sophos-premier-partner-endpoint
  30. https://insidecybersecurity.com/daily-news/cisa-ends-contract-center-internet-security-move-provide-direct-support-state-local
  31. https://www.cisecurity.org/cis-controls
  32. https://www.cisecurity.org/insights/white-papers/cis-year-in-review-2024
  33. https://projects.propublica.org/nonprofits/organizations/522278213
  34. https://www.cisecurity.org/about-us/board
  35. https://www.cisecurity.org/about-us/board/franklin-reeder
  36. https://www.cisecurity.org/about-us/leadership/john-m-gilligan
  37. https://www.cisecurity.org/about-us/leadership/marcus-h-sachs
  38. https://www.cisecurity.org/about-us/leadership/john-d-cohen
  39. https://www.cisecurity.org/about-us/media/press-release/the-center-for-internet-security-and-ms-isac-announce-newly-elected-executive-committee-members
  40. https://panorays.com/blog/what-is-cis-and-how-does-it-relate-to-third-parties/
  41. https://www.linkedin.com/pulse/long-term-importance-ms-isac-protecting-americas-public-makshood-em9pe
  42. https://documents.ncsl.org/wwwncsl/Task-Forces/Cybersecurity-Privacy/MS_ISAC.pdf
  43. https://gta.georgia.gov/sites/gta.georgia.gov/files/event_docs/technology_summit_2016/Security%2520MS-ISAC%2520Services%2520Guide%2520v1.0.pdf
  44. https://www.nist.gov/cyberframework/success-stories/ms-isac
  45. https://www.govtech.com/blogs/lohrmann-on-cybersecurity/The-MSISAC-Story-More-Than-a-Decade-of-Growing-Membership-and-Influence.html
  46. https://www.naco.org/news/multi-state-information-sharing-and-analysis-center-ms-isac-loses-federal-funding
  47. https://www.cisecurity.org/wp-content/uploads/2018/05/EI-ISAC-Handout.pdf
  48. https://www.cisecurity.org/ei-isac
  49. https://www.cisa.gov/sites/default/files/publications/19_0531_cisa_election-security-resources-guide-may-2019.pdf
  50. https://www.nationalisacs.org/post/2019/06/04/elections-infrastructure-isac-is-now-a-member-of-the-national-council-of-isacs
  51. https://electionline.org/electionline-weekly/2023/10-05/
  52. https://statescoop.com/federal-cuts-election-security-secretaries-state-2025/
  53. https://www.democracydocket.com/news-alerts/cybersecurity-agency-ends-support-to-election-security-program/
  54. https://www.cisecurity.org/controls
  55. https://www.cisecurity.org/controls/v8
  56. https://www.cisecurity.org/controls/v8-1
  57. https://www.cisecurity.org/controls/cis-critical-security-controls-a-global-de-facto-standard
  58. https://www.cisecurity.org/insights/blog/cis-controls-ambassador-spotlight-chirag-arora
  59. https://www.cisecurity.org/cis-benchmarks
  60. https://www.puppet.com/blog/cis-benchmarks
  61. https://www.cisecurity.org/benchmark/microsoft_windows_desktop
  62. https://learn.cisecurity.org/cis-cat-lite
  63. https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro
  64. https://learn.cisecurity.org/build-kits
  65. https://www.cisecurity.org/cis-securesuite/cis-securesuite-build-kit-content
  66. https://www.cisecurity.org/cis-hardened-images
  67. https://www.cisecurity.org/insights/blog/assess-remediate-and-implement-with-cis-securesuite
  68. https://www.cisecurity.org/services/cis-cybermarket
  69. https://www.cisecurity.org/communities
  70. https://www.cisecurity.org/communities/benchmarks
  71. https://www.cisecurity.org/communities/controls
  72. https://www.route-fifty.com/cybersecurity/2025/10/federal-funding-runs-out-cyber-info-sharing-center/408612/
  73. https://www.influencewatch.org/non-profit/center-for-internet-security-cis/
  74. https://www.usaspending.gov/award/ASST_NON_19PDMSI00002_7061
  75. https://www.govinfo.gov/content/pkg/CRPT-117srpt42/html/CRPT-117srpt42.htm
  76. https://blueradius.io/government-cybersecurity-crisis-federal-funding-cuts/
  77. https://www.cisa.gov/news-events/news/cisa-strengthening-our-nations-security-direct-cyber-support-state-and-local-governments
  78. https://www.cisecurity.org/ms-isac/ms-isac-membership-faq
  79. https://www.theregister.com/2025/09/30/cisa_kills_cis_agreement/
  80. https://www.cisecurity.org/cis-securesuite/pricing-and-categories
  81. https://www.helpnetsecurity.com/2025/09/30/cisa-ms-isac-funding/
  82. https://www.govtech.com/security/federal-government-acknowledges-end-of-ms-isac-support
  83. https://www.cisecurity.org/controls/cis-controls-faq
  84. https://www.nist.gov/document/11062023-cis-comments-nist-cyber-security-framework-core-2-final-nov-6-2023
  85. https://www.tenable.com/whitepapers/trends-in-security-framework-adoption
  86. https://www.cisecurity.org/ms-isac/ms-isac-charter
  87. https://www.dhs.gov/sites/default/files/2023-03/CYBERSECURITY%2520AND%2520INFRASTRUCTURE%2520SECURITY%2520AGENCY_Remediated.pdf
  88. https://www.dlt.com/sites/default/files/resource-attachments/2019-09/White%252520Paper%252520-%252520Focus%252520on%252520the%252520First%252520Six%252520CIS%252520Critical%252520Security%252520Controls_0_13.pdf
  89. https://www.tml.org/DocumentCenter/View/70/Measurement-Companion-to-the-CIS-Critical-Security-Controls-PDF
  90. https://www.cisecurity.org/about-us/media/press-release/nationwide-cybersecurity-review-sees-record-participation-highlights-key-challenges
  91. https://www.cisecurity.org/insights/case-study/guiding-sltts-through-the-solarwinds-supply-chain-attack
  92. https://www.cisecurity.org/insights/case-study/enhanced-cyber-resilience-as-a-secure-cyber-city
  93. https://statescoop.com/cybersecurity-secure-election-day-2024/
  94. https://ordr.net/article/complete-guide-to-cis-critical-security-controls
  95. https://www.tml.org/DocumentCenter/View/71/The-CIS-Critical-Security-Controls-Effective-Cyber-Defense-PDF
  96. https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf
  97. https://www.linkedin.com/pulse/enhancing-your-organizations-security-pros-cons-cis-disa-sohail-aamir-nncuf
  98. https://www.reddit.com/r/cybersecurity/comments/15uk3ur/comparison_of_security_benchmarks_and_dangers_of/
  99. https://www.reddit.com/r/sysadmin/comments/gszrir/is_using_all_recommend_benchmarks_from_cis/
  100. https://www.cisecurity.org/controls/implementation-groups
  101. https://oneclickcomply.com/blog/what-are-the-challenges-of-implementing-cis-v8
  102. https://nordicdefender.com/blog/benefits-and-challenges-of-cis-controls
  103. https://www.dhs.gov/sites/default/files/2025-08/25_0825_CISA__2023_2024_JCDC_SLTT_ISAC_Continuation%2520Award_CSD.pdf
  104. https://www.businessofgovernment.org/blog/ai-and-cybersecurity-strategies-local-governments-%25E2%2580%2593-addressing-challenges-and-leveraging
  105. https://x.com/DHSgov/status/1897771732611559430
  106. https://www.cisecurity.org/about-us/media/media-mention/center-for-internet-security-facing-federal-funding-cuts
Add your contribution
Related Hubs
User Avatar
No comments yet.