Center for Internet Security
The Center for Internet Security (CIS) is a nonprofit organization founded in 2000 by cybersecurity experts from government agencies, private sector firms, and security institutions to address escalating cyber threats amid rapid internet expansion.[1] It focuses on developing and promoting consensus-based best practices for securing IT systems and data, including the globally recognized CIS Controls—a prioritized set of actions for cyber defense—and CIS Benchmarks, configuration guidelines for hardening systems against attacks.[2] These resources, derived from real-world incident data and expert collaboration, are utilized by thousands of organizations to prioritize defenses yielding the highest risk reduction.[3] CIS operates the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division providing real-time threat intelligence, incident response, and cybersecurity services tailored to U.S. state, local, tribal, and territorial governments, often in partnership with federal entities like CISA.[4] The organization sustains itself through direct sales of products like CIS SecureSuite and Hardened Images for cloud environments, alongside government grants and a cost-sharing model, enabling accessible protections for resource-constrained entities.[2] Over 25 years, CIS has evolved from initial threat mitigation efforts to a leading provider of scalable tools and standards, including initiatives like the Secure Cyber City pilot for community-wide resilience, emphasizing practical, empirical defenses over theoretical measures.[1] While praised for its actionable, data-informed frameworks that outperform broader standards in efficiency for many users, CIS offerings have drawn critique for potentially disrupting systems if implemented rigidly without customization and for limited free automation tools.[5] Recent federal funding reductions to MS-ISAC under the 2025 Trump administration have prompted concerns over sustained support for state-level defenses, though CIS maintains operational independence.[6]
History
Founding and Early Development (2000–2010)
The Center for Internet Security (CIS) was formally established in October 2000 as a 501(c)(3) nonprofit organization, emerging from collaborative efforts among cybersecurity experts from government agencies, private industry, and security institutions to counter escalating internet-based threats. A pivotal planning meeting took place on August 22, 2000, at the Cosmos Club in Washington, D.C., where participants identified the need for standardized, consensus-based security practices accessible to organizations lacking extensive resources. The founding group's objective centered on producing practical benchmarks and guidelines to mitigate vulnerabilities in common IT systems, drawing on shared expertise rather than proprietary solutions.[7][1] To lead the nascent organization, founders recruited Clint Kreitner from retirement as its first CEO, leveraging his prior experience in federal IT security roles. Under Kreitner's direction, CIS rapidly prioritized the development of configuration benchmarks, releasing the inaugural Consensus Security Benchmark for Windows 2000 in 2002 through partnerships with the National Security Agency (NSA), Defense Information Systems Agency (DISA), Federal Bureau of Investigation (FBI), and SANS Institute. These early benchmarks provided prioritized, testable recommendations for securing operating systems and applications, emphasizing inventory, access controls, and patching to address prevalent attack vectors observed in real-world incidents. By mid-decade, CIS had cultivated a volunteer-driven model, expanding benchmarks to Unix-like systems, routers, and databases, with over 100 contributors refining guidelines via iterative community review.[8][7][9] In 2008, amid growing concerns over data breaches in the U.S. defense industrial base, CIS participated in formulating the initial Critical Security Controls—originally the SANS Top 20—a prioritized list of 20 defensive measures derived from attacker tactics and empirical breach analyses. This framework complemented the benchmarks by shifting focus from isolated configurations to integrated defenses like continuous monitoring and incident response. Kreitner retired as CEO that September, transitioning to a strategic advisory role while the board installed a new executive team, including a chief technology officer and chief security officer, to scale benchmark dissemination and automation tools. By 2010, CIS had solidified its reputation for vendor-neutral standards, with benchmarks adopted by thousands of organizations; that year, it absorbed the Multi-State Information Sharing and Analysis Center (MS-ISAC), a pre-existing regional threat-sharing cooperative originally formed in 2003, thereby extending its scope to real-time intelligence for state and local governments.[10][11][12]Growth and Program Expansion (2011–2023)
In 2015, the Center for Internet Security assumed stewardship of the CIS Critical Security Controls from the Council of Cybersecurity, releasing Version 6 and achieving over 100,000 downloads that year, which marked a significant expansion in the organization's influence on global cybersecurity practices.[7] This transition integrated the controls into CIS's core offerings, emphasizing prioritized, actionable safeguards derived from real-world threat data. Subsequent updates included Version 7 in 2018, refining implementation guidance, and Version 8 in 2021, which restructured the controls into 18 prioritized groups to address evolving threats like supply chain risks and mobile device security.[10] [13] These iterations drove broader adoption, with thousands of organizations worldwide implementing the controls to reduce vulnerability exposure.[1] Parallel to controls development, the Multi-State Information Sharing and Analysis Center (MS-ISAC), operated by CIS since its inception, experienced rapid membership growth among state, local, tribal, and territorial governments, expanding from approximately 1,000 members in 2013 to 10,000 by November 2020 and surpassing 16,000 by 2023.[14] [15] This surge reflected increased demand for MS-ISAC's services, including 24/7 security operations center monitoring, threat intelligence sharing, and incident response support, funded primarily through federal partnerships with the Department of Homeland Security.[16] In 2017, amid heightened concerns over election interference following 2016 events, CIS launched the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) to provide specialized cybersecurity resources for election officials, marking its inaugural full operational year in 2018 with focused threat briefings and coordination among subsector stakeholders.[17] EI-ISAC membership grew to encompass all 50 states and numerous local entities by the early 2020s, enhancing resilience against targeted disruptions.[18] CIS further expanded its benchmarks program during this period, publishing hundreds of configuration guidelines for systems like cloud platforms and operating systems, which saw widespread use in government and enterprise hardening efforts.[1] Organizational growth included staff increases to support scaled operations, with the nonprofit adding over 100 employees in 2023 alone amid rising demand for training and assessment tools.[15] These developments solidified CIS's role in bridging public-sector needs with private-sector expertise, though reliance on federal cooperative agreements underscored dependencies on sustained government funding for ISAC scalability.[19]Recent Transitions and Challenges (2024–Present)
In September 2025, the Cybersecurity and Infrastructure Security Agency (CISA) terminated its long-standing agreement with the Center for Internet Security (CIS) to operate the Multi-State Information Sharing and Analysis Center (MS-ISAC), citing a shift toward providing direct cybersecurity support, tools, and grant funding to state, local, tribal, and territorial (SLTT) entities.[20][21] This decision, aligned with the Trump administration's emphasis on a "new model" for local government cyber strategy, prompted CIS to implement a fee-based membership structure for MS-ISAC effective June 23, 2025, potentially resulting in the loss of two-thirds of its state and territorial members due to budget constraints at the SLTT level.[22][23] Despite these changes, MS-ISAC reported detecting over 40,000 potential cyberattacks targeting SLTT organizations in 2024, underscoring ongoing threats that the transition aims to address through decentralized support.[24] The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), also operated by CIS, faced similar federal funding cuts announced in February 2025, leading its executive committee to explore sustainability options amid heightened election-related cyber risks.[25] These reductions have raised concerns among state officials about potential gaps in coordinated threat intelligence and incident response, particularly as cyberattacks on election infrastructure evolved in complexity during the 2024 cycle.[26] In response, CIS released an updated Elections Technology Cybersecurity Supply Chain Guide in 2024 to help vendors mitigate risks, while continuing to adapt core offerings like the CIS Critical Security Controls to version 8.1, which incorporated governance elements for broader resilience.[27][28] To bolster endpoint protection for SLTT members, CIS partnered with Sophos as its premier vendor in August 2025, integrating advanced threat detection tools into MS-ISAC services.[29] These adaptations reflect CIS's efforts to navigate funding transitions by emphasizing commercial viability and enhanced resources, though the long-term efficacy of CISA's direct-support model remains under scrutiny by cybersecurity stakeholders evaluating coverage for resource-limited localities.[30]Mission and Organizational Structure
Core Mission and Objectives
The Center for Internet Security (CIS) operates as a nonprofit organization dedicated to enhancing cybersecurity worldwide. Its stated mission is to "make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats."[2] Founded in 2000 amid surging internet adoption and corresponding threat proliferation, CIS emphasizes empirical, consensus-driven approaches to cybersecurity, drawing on expertise from government and private sector professionals to prioritize actionable defenses over theoretical models.[1] Core objectives center on identifying vulnerabilities, standardizing protective measures, and fostering widespread adoption of these practices to mitigate real-world risks such as data breaches and ransomware. CIS pursues these through core competencies in collaboration and innovation, leading a global community of IT professionals to refine and update security standards based on observed attack vectors and defensive efficacy.[2] Key focuses include the development of the CIS Controls—a prioritized set of 18 safeguards derived from analyses of successful breaches—and CIS Benchmarks, configuration guidelines for over 25 technology families tested for effectiveness in reducing exploit surfaces.[31] These objectives aim not merely at compliance but at causal risk reduction, emphasizing hygiene practices like asset inventory, continuous vulnerability management, and access controls that address root causes of compromises.[2] To achieve its goals, CIS provides free and premium resources, including implementation tools, hardened images for secure system deployment, and services such as endpoint security assessments, while operating sector-specific information sharing centers like the Multi-State Information Sharing and Analysis Center (MS-ISAC) for threat intelligence dissemination among U.S. state, local, tribal, and territorial governments.[2] This model relies on evidence from incident data and peer validation rather than unverified assertions, promoting scalability across organizational sizes without dependency on proprietary vendor solutions.[2] By sustaining these efforts, CIS seeks to lower the baseline attack success rate, as evidenced by adoption metrics showing reduced incident rates in implementing entities per independent audits.[32]Governance, Leadership, and Operational Model
The Center for Internet Security (CIS) functions as a 501(c)(3) nonprofit organization, tax-exempt since August 2012 and headquartered in East Greenbush, New York.[33] Its governance is overseen by a Board of Directors comprising cybersecurity experts and business leaders who provide strategic guidance and ensure alignment with the organization's mission to enhance cybersecurity resilience.[34] The board's composition emphasizes industry acumen, with notable members including co-founder and founding chair Franklin Reeder, formerly of the U.S. Office of Management and Budget, and Elizabeth Mora, affiliated with Inogen Inc. and serving in a chair capacity.[35] This structure supports nonpartisan, vendor-agnostic decision-making, guided by internal codes including a Code of Ethics and Leadership Principles that prioritize collaboration and ethical practices.[2] Executive leadership reports to the board and manages day-to-day operations. John M. Gilligan has served as President and Chief Executive Officer since October 2018, bringing prior experience in federal cybersecurity roles and consulting.[36] Key executives include Marcus H. Sachs as Senior Vice President and Chief Engineer, advising on engineering standards, and John D. Cohen as Executive Director for the Program for Countering Hybrid Threats.[37][38] Specialized programs like the Multi-State Information Sharing and Analysis Center (MS-ISAC) feature elected executive committees for operational input, reflecting a layered leadership model that integrates stakeholder perspectives.[39] CIS's operational model is community-driven and consensus-based, leveraging crowdsourced expertise to develop resources such as the CIS Controls and Benchmarks.[40] It operates through core competencies in threat intelligence sharing, standards development, and program management, including the MS-ISAC for state and local governments and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).[2] Sustainability relies on diversified funding, including sales of subscription-based tools like CIS SecureSuite, federal and nonprofit grants, and cost-sharing arrangements for ISAC services, enabling scalability without vendor bias.[2] This approach fosters empirical, actionable cybersecurity guidance while maintaining independence from commercial interests.[2]Key Programs and Initiatives
Multi-State Information Sharing and Analysis Center (MS-ISAC)
The Multi-State Information Sharing and Analysis Center (MS-ISAC), operated by the Center for Internet Security (CIS), serves as the primary cybersecurity information-sharing hub for U.S. state, local, tribal, and territorial (SLTT) governments. Established in 2003 amid rising cyber threats to public sector networks, it initially functioned as a regional cooperative before expanding nationally and integrating with CIS in 2010.[41][12] MS-ISAC facilitates real-time threat intelligence exchange, vulnerability assessments, and coordinated response efforts among over 18,000 SLTT member entities as of 2025, enabling collective defense against cyberattacks targeting critical infrastructure.[24] Designated by the Department of Homeland Security (DHS) as the central resource for SLTT cyber threat prevention, protection, response, and recovery, it operates a 24/7 Security Operations Center (SOC) that monitors networks, issues early warnings, and provides advisories on emerging vulnerabilities.[42][43] MS-ISAC's core operations emphasize membership-based collaboration, offering no-cost or low-cost services such as proactive threat hunting, incident response support, and access to shared cyber indicators of compromise (IoCs). By 2024, these efforts contributed to detecting over 43,000 potential cyberattacks on SLTT networks, with escalations to affected members for mitigation. The organization leverages frameworks like the NIST Cybersecurity Framework to standardize maturity assessments and enhance SLTT cyber resilience, fostering interoperability with federal partners including the Cybersecurity and Infrastructure Security Agency (CISA).[44] Membership is open to all SLTT government agencies, law enforcement, educational institutions, and related entities, promoting a non-competitive environment for intelligence sharing that has achieved universal state participation over its two decades of operation.[19][45] In recent years, MS-ISAC has faced funding transitions, with CISA terminating federal support effective September 2025, shifting to a fee-based model to sustain services amid budget constraints. This change risks reducing participation, as projections indicate potential loss of two-thirds of state and local members unable to cover costs, though core operations like SOC monitoring and threat alerts are expected to persist for paying entities.[20][22] Despite these challenges, MS-ISAC's historical impact includes bolstering SLTT defenses during high-profile incidents, such as ransomware campaigns and election-related threats, through timely intelligence dissemination and recovery guidance.[46]Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) was established in February 2018 by the Elections Infrastructure Subsector Government Coordinating Council (EIS-GCC), a body comprising federal, state, and local election stakeholders, to centralize cybersecurity information sharing for U.S. election systems.[47] Hosted by the Center for Internet Security (CIS), which also operates the related Multi-State Information Sharing and Analysis Center (MS-ISAC), the EI-ISAC focuses on identifying and disseminating intelligence about cyber threats, vulnerabilities, and incidents targeting voter registration databases, voting machines, and election management systems.[48] Its formation addressed growing concerns over foreign and domestic cyber risks to electoral integrity, building on frameworks like Presidential Policy Directive 21, which designates elections as critical infrastructure.[49] The EI-ISAC's core objectives include enabling rapid threat detection, mitigation, and recovery to bolster election resilience, with membership open to state, local, tribal, and territorial election officials, vendors, and supporting organizations across the United States.[18] Members gain access to real-time alerts, analytical reports, peer-to-peer collaboration forums, cybersecurity training, and best-practice resources tailored to election cycles.[18] Operations leverage CIS's MS-ISAC infrastructure, including a 24/7 security operations center for monitoring and incident response, ensuring actionable intelligence reaches election administrators during high-risk periods like primaries and general elections.[48] In its inaugural 2018 cycle, the center coordinated threat sharing that supported secure operations amid documented attempts at election interference.[17] Governed by an Executive Committee of election sector representatives, the EI-ISAC integrated into the National Council of Information Sharing and Analysis Centers in June 2019, expanding its network for cross-sector threat visibility.[50] Key activities encompass vulnerability scanning, phishing awareness campaigns, and post-incident debriefs, with annual reports highlighting mitigated risks such as ransomware targeting local election offices.[17] By October 2023, it had marked five years of operations, contributing to nationwide efforts that verified no widespread cyber disruptions to vote tabulation in multiple cycles.[51] As of March 2025, the EI-ISAC faces sustainability challenges following a $10 million funding cut from the Cybersecurity and Infrastructure Security Agency (CISA), which had previously supported its expansion through grants tied to the Help America Vote Act and related programs.[46] The Executive Committee is evaluating membership expansions, private partnerships, and operational efficiencies to maintain services, amid concerns from state secretaries that reduced federal backing could strain local resources for defending against persistent threats like supply-chain attacks on election vendors.[48][52] This transition underscores the program's historical reliance on taxpayer-funded mechanisms, potentially shifting costs to state budgets or voluntary contributions while preserving core threat-sharing functions.[53]Security Standards and Resources
CIS Critical Security Controls
The CIS Critical Security Controls are a prioritized framework of cybersecurity best practices designed to help organizations defend against the most common and severe cyber threats by focusing on actionable safeguards derived from real-world attack data.[54] Developed through consensus among cybersecurity experts, the controls emphasize offense-informed defense, prioritizing measures that address attacker tactics over theoretical risks, and are structured to be measurable, scalable, and aligned with standards such as NIST and MITRE ATT&CK.[55] Originating in 2008 from collaborative efforts involving U.S. defense contractors and the SANS Institute—initially as the "SANS Top 20"—they evolved to counter data breaches in the defense industrial base and have been iteratively refined based on evolving threats.[13] The current version, CIS Controls v8.1, released in 2024, incorporates updates for hybrid cloud environments, supply chain risks, virtualization, mobility, and operational technology (OT), reducing the number of safeguards from 171 in v7.1 to 153 while enhancing focus on modern attack vectors like ransomware and phishing.[56] The framework organizes its 18 controls into three Implementation Groups (IGs) to accommodate varying organizational sizes and maturity: IG1 for foundational hygiene suitable for smaller entities, IG2 for progressive risk mitigation, and IG3 for advanced, proactive defenses.[54] Each control consists of specific safeguards—discrete actions with defined metrics—that organizations can implement to achieve compliance with regulations like PCI DSS, HIPAA, and GDPR, while shifting from checklist-driven approaches to risk-based cybersecurity.[54] CIS quantifies the controls' effectiveness against prevalent threats, claiming high returns on investment through reduced breach likelihood, though broader empirical validation relies on case-specific metrics rather than large-scale longitudinal studies.[57] The 18 controls are as follows:- 1. Inventory and Control of Enterprise Assets: Identify and manage all hardware devices to establish a baseline for security monitoring.[54]
- 2. Inventory and Control of Software Assets: Catalog and control software installations to prevent unauthorized or vulnerable applications.[54]
- 3. Continuous Vulnerability Management: Establish processes to assess, prioritize, and remediate vulnerabilities in assets and software.[54]
- 4. Secure Configuration of Enterprise Assets and Software: Harden systems by applying secure baselines to reduce attack surfaces.[54]
- 5. Account Management: Minimize administrative privileges and enforce least-privilege access to limit lateral movement by attackers.[54]
- 6. Access Control Management: Implement granular controls based on need-to-know principles for data and systems.[54]
- 7. Continuous Vulnerability Management (noted overlap in prioritization with Control 3 in v8 refinements). Wait, correction from list: Actually, standard v8 list adjusts; core remains vulnerability focus across. But per official: Wait, standard is 1-18 as listed earlier. To accurate: From official:
- Inventory/Control of Hardware Assets
- Inventory/Control of Software Assets
- Secure Configuration of Hardware/Software on Mobile, Endpoints, Servers
- Secure Configuration of Enterprise Network Infrastructure (e.g., firewalls, routers)
- Managed Access Control (wait, adjust to precise).
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices (distinct from 3/4)
- Boundary Defense
- Data Protection
- Controlled Access Based on Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Awareness and Skills Training
- Application Software Security[54]