
Security control mapping – CIS CSC Top 20, NIST CSF, and NIST 800-53

I am working on a security project with a colleague, and instead of tackling one of the bigger standards we decided to create a road map and work towards it.  Essentially, the goal is to align with NIST 800-53.  That framework is way too complex for an environment with essentially a non-existent security policy.  Instead, we will tackle the CIS Critical Security Controls (SANS Top 20, CSC, or whatever else you want to call it) first, then the NIST Cybersecurity Framework (CSF), and then tackle the NIST 800-53.

The CSC is designed with the idea that it focuses on the most critical controls, so it is the best starting point.  By layering NIST CSF we add more controls, but they are less critical.  Finally, NIST 800-53 is where we would hit a level of maturity.  The nice thing with all of these is that the frameworks do build on each other.  Controls in CSC can be mapped to the CSF and 800-53, and the controls in CSF can be mapped to 800-53.  This means that work done on one control isn’t wasted.  The issue that we had was actually understanding what that meant for the overall project.  How much mapping was actually happening?

Before getting into the answer to that question we’ll look at the controls discussed.

The CSC framework has 20 controls, NIST CSF has 98 controls, and NIST 800-53 has 256 controls.

Here are links to info about each control:

CSC Poster: This shows all the controls, a bit of detail on each, the background of the CSC, and has the mapping info for other controls.

To actually get the CSC controls you have to sign up here.  There’s some good info there, which includes a file with the mapping info in Excel format, the controls in Excel, a PDF with more detail on each control, and a PDF on testing and validating an environment based on the CSC framework.

The NIST CSF info can be found here, and here’s the Excel file with the controls.  The Excel file also contains the mapping info.

Then there’s the NIST 800-53, which can be found here.

Now, a quick note: This info is based off CSC v.6, NIST CSF (I believe it’s 1.0, but I can’t find version info) and NIST 800-53 Rev. 4.

With the mapping of controls I only wanted to find unique controls that were mapped.  There are often times where multiple controls map to a single control.  I counted the first, and excluded the subsequent.  This means that controls later in the list are likely to have fewer mappings listed as they are not mapping to unique controls.  Also, just because a control is mapped does not mean it is complete.  It’s more like it is started, and will likely need to be revised when looking at the higher frameworks.
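The counting rule described above, as an added example that is not part of the original post or its spreadsheet: each target control is credited to the first source control that maps to it, family-wide references are expanded, and layering two frameworks takes the union rather than the sum. The control IDs and mappings below are a constructed ten-control sample, not the real mapping data; the `IA-*` notation for a whole family is an assumption of this example.

```python
# Constructed sample: a ten-control stand-in for the 800-53 catalogue.
CATALOGUE = ["AC-2", "AC-3", "AU-6", "CM-8", "CP-9",
             "IA-2", "IA-5", "IA-11", "RA-5", "SI-4"]
# Constructed mappings (source control -> target controls), in list order.
CSC_TO_800_53 = {"CSC 1": ["CM-8"], "CSC 4": ["RA-5", "SI-4"],
                 "CSC 5": ["AC-2", "IA-5"], "CSC 16": ["AC-2", "IA-2"]}
CSF_TO_800_53 = {"ID.AM-1": ["CM-8"], "PR.AC-1": ["AC-2", "IA-*"],
                 "PR.IP-4": ["CP-9"]}

def expand(targets, catalogue):
    """Expand a family reference such as 'IA-*' into every catalogue control in that family."""
    out = []
    for t in targets:
        if t.endswith("-*"):
            out.extend(c for c in catalogue if c.startswith(t[:-1]))
        else:
            out.append(t)
    return out

def unique_coverage(mapping, catalogue):
    """Credit each target to the first source that maps to it; later duplicates earn nothing."""
    claimed, credit, unknown = {}, {}, set()
    for source, targets in mapping.items():
        credit[source] = 0
        for target in expand(targets, catalogue):
            if target not in catalogue:
                unknown.add(target)        # typo or wrong revision: flag it, do not count it
            elif target not in claimed:
                claimed[target] = source
                credit[source] += 1
    return claimed, credit, unknown

def percent(claimed, catalogue):
    return round(100 * len(claimed) / len(catalogue), 2)

def missed(claimed, catalogue):
    """Targets that no source control maps to, in catalogue order."""
    return [c for c in catalogue if c not in claimed]

if __name__ == "__main__":
    layers = {"CSC only": CSC_TO_800_53, "CSF only": CSF_TO_800_53,
              "CSC then CSF": {**CSC_TO_800_53, **CSF_TO_800_53}}
    for name, mapping in layers.items():
        claimed, credit, unknown = unique_coverage(mapping, CATALOGUE)
        print(f"{name}: {len(claimed)} of {len(CATALOGUE)} "
              f"({percent(claimed, CATALOGUE)}%), missed {missed(claimed, CATALOGUE)}")
```

Because credit goes to the first source in list order, reordering the source controls changes the per-control credit but never the total coverage.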

On to the fun-

If you complete the CSC then it would map to 67 of the 98 CSF Controls (68.37%)

If you complete the CSC then it would map to 114 of the 256 800-53 Controls (44.53%)

If you complete the CSF then it would map to 155 of the 256 800-53 Controls (60.55%)

If you complete the CSC, then do the CSF it would map to 193 of the 256 800-53 Controls (75.39%)

As you can see, there’s definitely a benefit to working through the controls in this order.

Now, like a good student, I am going to show my work.  The attached Excel file is a list of all the mapping info.  I compiled information from the above sources to make this.  The layout is the same as I had previously used.  The first four tabs list the details of the controls that are mapped, as well as the controls that are missed.  Then there are three “Summary” tabs with the specific control data removed.

Download the mapping file.

17 thoughts on “Security control mapping – CIS CSC Top 20, NIST CSF, and NIST 800-53”

  1. You have explained a beautiful and easy process to follow! Appreciate the details given by you! Thank you.

  2. Kudos to you! Well researched and nicely documented; You are doing several future travelers a huge favor! Thank you!

  3. Nice work on this. I work at a large decentralized organization that does not have a strong security posture. Starting with the CSC controls is easier for people to digest than digging down into NIST 800-53.
    NIST 800-53 is the end-goal but can be overwhelming for a lot of people.

    1. Exactly the same here, except large centralised organisation where the central function doesn't really get it… I can see us doing CSC as a first sweep, then defining the requirements in 800-53 terms, and I can write the architecture with this in mind now, safe in the knowledge that I know where the gaps are.

  4. I just wanted to say thank you for doing this and making it available, this is exactly what I was looking for, and I can't believe the detail.

  5. Great work! One small item – I think IA-11 should actually be included, as PR.AC-1 says it maps to the entire IA family.

    1. Thank you for the feedback. It looks like I did miss that, so I've updated the document, and the numbers above.

  6. Hi there… I had a couple of questions and wondered if you would be willing to correspond via email. Many thanks.

  7. Would you be able to send me an Excel version? Due to company IT policy, I cannot view or copy or modify Google Docs.

    1. Hi Meg, Sorry for the delay in the response. I missed the notification of a new comment. If you're still interested I can send you the Excel file. Just let me know where to send it.
      Thanks!
