CIS Critical Security Controls v8

Prioritized set of cybersecurity best practices. Three implementation groups mapped to organization size. Widely used as a practical baseline independent of regulatory requirement.

All organizations, security teams, SMBs

14

control domains mapped

32

products applicable

6

other frameworks cross-mapped

Official doc

CIS Critical Security Controls v8

CIS-6.3 Require MFA for externally-exposed applications

Phishing-resistant MFA using hardware security keys. Software TOTP and SMS are explicitly excluded from "phishing-resistant" in NIST 800-63B and most modern framework guidance.

CIS-4.4 Use unique passwords and MFA for all admin access

Hardened mobile OS with per-app sensor controls, verified boot, and no background telemetry. Satisfies mobile device management and bring-your-own-device security requirements.

CIS-12.2 Establish and maintain a secure network architecture

VM-level compartmentalization means a compromise of one domain (e.g. browser) cannot reach another (e.g. keys, vault). No other consumer laptop provides this by default.

CIS-12.3 Securely manage network infrastructure

Stateful firewall with IPS at the network perimeter. All inbound/outbound traffic inspected with Suricata rule sets. VPN gateway replaces consumer VPN dependency.

Products that satisfy this control:

CIS-4.8 Uninstall or disable unnecessary services on assets

Intel Management Engine disabled at the firmware level across every open-firmware machine we carry (NitroPad, NitroPC, PrivacyGuard, SecurityTitan); SecurityTitan models go further — camera and microphone physically removed, anti-tamper seals verified by Heads + Nitrokey attestation. Least functionality, enforced in hardware.

CIS-11.5 Manage access control for remote assets

Rated safes and vaults protect physical assets, documents, and hardware backups with UL-certified burglary ratings — from UL 1037 RSC (residential) up to UL 687 TL-15/TL-30 vault-grade for insurance-mandated or enterprise specialty storage (the tier insurers and auditors recognize; see the ratings ladder on /safe). SecurityTitan laptops extend physical protection to devices in transit: glitter-sealed tamper-evident screws with photographic verification make case intrusion detectable.

CIS-11.3 Protect recovery data with equivalent controls to the original

UL 72 fire-rated safes keep interiors under 350°F through 30-minute to 4-hour furnace exposure — plus explosion and 30-foot drop tests — so original records, storage media, seed-phrase plates, and offline backups survive a facility fire. Distinct from burglary protection: enterprises with records-retention or continuity obligations typically need BOTH ratings on one unit (dual-rated Gardall UL line or TL-rated composite safes — see /safe).

Products that satisfy this control:

CIS-17 Incident Response Management (out-of-band communications)

Encrypted LoRa mesh radios (Meshtastic / MeshCore / Reticulum) move text and GPS with no cellular, WiFi, internet, or subscription — every node relays for every other, on FCC Part 15 unlicensed 915 MHz spectrum. The out-of-band channel for disaster response, incident communications when primary networks are down or untrusted, remote sites, and executive contingency plans.

Products that satisfy this control:

CIS-3 Data Protection (device data outside controlled environments)

MIL-STD 188-125 / IEEE 299-tested Faraday shielding (80+ dB) physically severs every radio — cellular/5G, WiFi, Bluetooth, GPS, RFID, NFC — so devices cannot be tracked, remotely wiped, or exfiltrated over RF. Covers executive travel through hostile networks, forensic chain-of-custody transport (a seized phone that must not phone home), and anti-relay protection for keyless-entry fobs.

Products that satisfy this control: