Mapping: Nexus SecOps ↔ CIS Controls v8
This document maps Nexus SecOps benchmark controls to CIS Controls Version 8. CIS Controls are organized into three Implementation Groups (IG1, IG2, IG3) based on organization size and security maturity.
CIS Implementation Groups
| Group | Target | Description |
| IG1 | Small organizations | Essential cyber hygiene; all organizations SHOULD implement |
| IG2 | Medium organizations | Additional controls for organizations with IT staff |
| IG3 | Large/mature organizations | Advanced controls for security expertise and resources |
Control Mapping by CIS Group
CIS Control 1 — Inventory and Control of Enterprise Assets
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 1.1 | IG1 | Establish and maintain detailed enterprise asset inventory | Nexus SecOps-001, Nexus SecOps-136 |
| 1.2 | IG1 | Address unauthorized assets | Nexus SecOps-001, Nexus SecOps-136 |
| 1.3 | IG2 | Utilize an active discovery tool | Nexus SecOps-001, Nexus SecOps-151 |
| 1.4 | IG2 | Use DHCP logging to update asset inventory | Nexus SecOps-001, Nexus SecOps-013 |
CIS Control 2 — Inventory and Control of Software Assets
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 2.1 | IG1 | Establish and maintain software inventory | Nexus SecOps-001, Nexus SecOps-151 |
| 2.2 | IG1 | Ensure authorized software is currently supported | Nexus SecOps-151, Nexus SecOps-153 |
| 2.3 | IG2 | Address unauthorized software | Nexus SecOps-031, Nexus SecOps-141 |
| 2.5 | IG1 | Allowlist authorized software | Nexus SecOps-136, Nexus SecOps-141 |
| 2.6 | IG2 | Allowlist authorized libraries | Nexus SecOps-136, Nexus SecOps-141 |
CIS Control 3 — Data Protection
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 3.1 | IG1 | Establish and maintain data management process | Nexus SecOps-027, Nexus SecOps-030 |
| 3.2 | IG1 | Establish and maintain data inventory | Nexus SecOps-027, Nexus SecOps-030 |
| 3.3 | IG2 | Configure data access control lists | Nexus SecOps-114, Nexus SecOps-215 |
| 3.4 | IG2 | Enforce data retention | Nexus SecOps-004, Nexus SecOps-029 |
| 3.5 | IG2 | Securely dispose of data | Nexus SecOps-029 |
| 3.9 | IG3 | Encrypt data on removable media | Nexus SecOps-215 |
| 3.11 | IG2 | Encrypt sensitive data at rest | Nexus SecOps-005, Nexus SecOps-215 |
| 3.12 | IG3 | Segment data processing and storage | Nexus SecOps-121, Nexus SecOps-215 |
| 3.13 | IG2 | Deploy DLP solutions | Nexus SecOps-049, Nexus SecOps-127 |
| 3.14 | IG2 | Log sensitive data access | Nexus SecOps-002, Nexus SecOps-049 |
CIS Control 4 — Secure Configuration of Enterprise Assets and Software
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 4.1 | IG1 | Establish and maintain secure configuration process | Nexus SecOps-136, Nexus SecOps-202 |
| 4.2 | IG1 | Establish and maintain secure configuration for network infrastructure | Nexus SecOps-121, Nexus SecOps-122 |
| 4.3 | IG1 | Configure automatic session locking | Nexus SecOps-136 |
| 4.4 | IG2 | Implement and manage firewall on servers | Nexus SecOps-121, Nexus SecOps-136 |
| 4.5 | IG2 | Implement and manage host-based firewalls | Nexus SecOps-136, Nexus SecOps-137 |
CIS Control 5 — Account Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 5.1 | IG1 | Establish and maintain inventory of accounts | Nexus SecOps-111, Nexus SecOps-114 |
| 5.2 | IG1 | Use unique passwords | Nexus SecOps-112 |
| 5.3 | IG2 | Disable dormant accounts | Nexus SecOps-114, Nexus SecOps-115 |
| 5.4 | IG2 | Restrict administrator privileges to dedicated admin accounts | Nexus SecOps-114, Nexus SecOps-116 |
| 5.5 | IG1 | Establish and maintain inventory of service accounts | Nexus SecOps-111, Nexus SecOps-117 |
| 5.6 | IG3 | Centralize account management | Nexus SecOps-111 |
CIS Control 6 — Access Control Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 6.1 | IG1 | Establish access granting and revoking process | Nexus SecOps-114, Nexus SecOps-115 |
| 6.2 | IG1 | Establish least-privilege access | Nexus SecOps-114, Nexus SecOps-116 |
| 6.3 | IG2 | Require MFA for externally exposed applications | Nexus SecOps-113 |
| 6.4 | IG2 | Require MFA for remote access | Nexus SecOps-113 |
| 6.5 | IG3 | Require MFA for administrative access | Nexus SecOps-113, Nexus SecOps-116 |
| 6.6 | IG3 | Establish and maintain inventory of authentication and authorization systems | Nexus SecOps-111 |
| 6.7 | IG2 | Centralize access control | Nexus SecOps-111, Nexus SecOps-114 |
CIS Control 7 — Continuous Vulnerability Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 7.1 | IG1 | Establish and maintain vulnerability management process | Nexus SecOps-151, Nexus SecOps-152 |
| 7.2 | IG2 | Establish and maintain remediation process | Nexus SecOps-153, Nexus SecOps-154 |
| 7.3 | IG2 | Perform automated operating system patch management | Nexus SecOps-153 |
| 7.4 | IG2 | Perform automated application patch management | Nexus SecOps-153 |
| 7.5 | IG3 | Perform automated vulnerability scans of internal enterprise assets | Nexus SecOps-151, Nexus SecOps-152 |
| 7.6 | IG3 | Perform automated vulnerability scans of externally exposed assets | Nexus SecOps-151, Nexus SecOps-152, Nexus SecOps-155 |
| 7.7 | IG3 | Remediate detected vulnerabilities | Nexus SecOps-153, Nexus SecOps-154 |
CIS Control 8 — Audit Log Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 8.1 | IG1 | Establish and maintain audit log management process | Nexus SecOps-004, Nexus SecOps-201 |
| 8.2 | IG1 | Collect audit logs | Nexus SecOps-001, Nexus SecOps-002, Nexus SecOps-010 |
| 8.3 | IG1 | Ensure adequate audit log storage | Nexus SecOps-004, Nexus SecOps-015 |
| 8.4 | IG2 | Standardize time synchronization | Nexus SecOps-017 |
| 8.5 | IG2 | Collect detailed audit logs | Nexus SecOps-001, Nexus SecOps-016 |
| 8.6 | IG2 | Collect DNS query audit logs | Nexus SecOps-013 |
| 8.7 | IG2 | Collect URL request audit logs | Nexus SecOps-001, Nexus SecOps-013 |
| 8.8 | IG2 | Collect command-line audit logs | Nexus SecOps-010, Nexus SecOps-140 |
| 8.9 | IG3 | Centralize audit logs | Nexus SecOps-015 |
| 8.10 | IG3 | Retain audit logs | Nexus SecOps-004, Nexus SecOps-029 |
| 8.11 | IG2 | Conduct audit log reviews | Nexus SecOps-031, Nexus SecOps-051, Nexus SecOps-210 |
| 8.12 | IG3 | Collect service provider logs | Nexus SecOps-008, Nexus SecOps-121 |
CIS Control 9 — Email and Web Browser Protections
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 9.1 | IG2 | Ensure use of only fully supported browsers and email clients | Nexus SecOps-136 |
| 9.2 | IG2 | Use DNS filtering services | Nexus SecOps-013, Nexus SecOps-121 |
| 9.3 | IG2 | Maintain and enforce network-based URL filters | Nexus SecOps-121 |
| 9.4 | IG3 | Restrict unnecessary or unauthorized browser and email client extensions | Nexus SecOps-136 |
| 9.5 | IG2 | Implement DMARC | Nexus SecOps-012 |
| 9.6 | IG2 | Block unnecessary file types | Nexus SecOps-012, Nexus SecOps-121 |
| 9.7 | IG3 | Deploy and maintain email server anti-malware protections | Nexus SecOps-012, Nexus SecOps-140 |
CIS Control 10 — Malware Defenses
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 10.1 | IG1 | Deploy and maintain anti-malware software | Nexus SecOps-140, Nexus SecOps-141 |
| 10.2 | IG2 | Configure automatic anti-malware signature updates | Nexus SecOps-140 |
| 10.3 | IG1 | Disable autorun and autoplay for removable media | Nexus SecOps-136 |
| 10.4 | IG2 | Configure automatic anti-malware scanning of removable media | Nexus SecOps-140 |
| 10.5 | IG2 | Enable anti-exploitation features | Nexus SecOps-136, Nexus SecOps-141 |
| 10.6 | IG3 | Centrally manage anti-malware software | Nexus SecOps-140 |
| 10.7 | IG3 | Use behavior-based anti-malware software | Nexus SecOps-140, Nexus SecOps-044 |
CIS Control 11 — Data Recovery
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 11.1 | IG1 | Establish and maintain data recovery practices | Nexus SecOps-080 |
| 11.2 | IG1 | Perform automated backups | Nexus SecOps-080 |
| 11.3 | IG2 | Protect recovery data | Nexus SecOps-080, Nexus SecOps-215 |
| 11.4 | IG2 | Establish and maintain isolated instances of recovery data | Nexus SecOps-080 |
| 11.5 | IG3 | Test data recovery | Nexus SecOps-080, Nexus SecOps-077 |
CIS Control 12 — Network Infrastructure Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 12.1 | IG2 | Ensure network infrastructure is up-to-date | Nexus SecOps-121, Nexus SecOps-153 |
| 12.2 | IG2 | Establish and maintain secure network architecture | Nexus SecOps-121, Nexus SecOps-122 |
| 12.3 | IG2 | Securely manage network infrastructure | Nexus SecOps-121, Nexus SecOps-202 |
| 12.4 | IG2 | Establish and maintain architecture diagram | Nexus SecOps-121 |
| 12.5 | IG2 | Centralize network authentication, authorization, accounting | Nexus SecOps-111, Nexus SecOps-121 |
| 12.6 | IG3 | Use of secure network management and communication protocols | Nexus SecOps-003, Nexus SecOps-121 |
| 12.7 | IG3 | Ensure remote devices utilize a VPN and are connecting to an enterprise AAA infrastructure | Nexus SecOps-113, Nexus SecOps-121 |
| 12.8 | IG3 | Establish and maintain dedicated computing resources for administrative tasks | Nexus SecOps-116, Nexus SecOps-121 |
CIS Control 13 — Network Monitoring and Defense
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 13.1 | IG2 | Centralize security event alerting | Nexus SecOps-015, Nexus SecOps-031 |
| 13.2 | IG2 | Deploy a host-based intrusion detection solution | Nexus SecOps-140, Nexus SecOps-031 |
| 13.3 | IG2 | Deploy a network intrusion detection solution | Nexus SecOps-001, Nexus SecOps-031 |
| 13.4 | IG3 | Perform traffic filtering between network segments | Nexus SecOps-121, Nexus SecOps-122 |
| 13.5 | IG3 | Manage access control for remote assets | Nexus SecOps-113, Nexus SecOps-114 |
| 13.6 | IG3 | Collect network traffic flow logs | Nexus SecOps-001 |
| 13.7 | IG3 | Deploy a host-based intrusion prevention solution | Nexus SecOps-140, Nexus SecOps-141 |
| 13.8 | IG3 | Deploy a network intrusion prevention solution | Nexus SecOps-121, Nexus SecOps-031 |
| 13.9 | IG3 | Deploy port-level access control | Nexus SecOps-121 |
| 13.10 | IG3 | Perform application layer filtering | Nexus SecOps-121 |
| 13.11 | IG3 | Tune security event alerting thresholds | Nexus SecOps-031, Nexus SecOps-035 |
CIS Control 16 — Application Software Security
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 16.1 | IG2 | Establish and maintain secure application development process | Nexus SecOps-202 |
| 16.2 | IG2 | Establish and maintain a process to accept and address software vulnerabilities | Nexus SecOps-151, Nexus SecOps-154 |
| 16.3 | IG3 | Perform root cause analysis on security vulnerabilities | Nexus SecOps-072, Nexus SecOps-154 |
| 16.5 | IG2 | Use up-to-date and trusted third-party software components | Nexus SecOps-151 |
| 16.6 | IG3 | Establish and maintain application security testing | Nexus SecOps-151, Nexus SecOps-155 |
CIS Control 17 — Incident Response Management
| CIS Safeguard | IG | Description | Nexus SecOps Controls |
| 17.1 | IG1 | Designate personnel to manage incident handling | Nexus SecOps-068, Nexus SecOps-205 |
| 17.2 | IG2 | Establish and maintain contact information for reporting incidents | Nexus SecOps-069 |
| 17.3 | IG2 | Establish and maintain enterprise process for reporting incidents | Nexus SecOps-066, Nexus SecOps-069 |
| 17.4 | IG2 | Establish and maintain incident response process | Nexus SecOps-066, Nexus SecOps-070 |
| 17.5 | IG3 | Assign key roles and responsibilities | Nexus SecOps-068, Nexus SecOps-205 |
| 17.6 | IG3 | Define mechanisms for communicating during incident response | Nexus SecOps-069, Nexus SecOps-079 |
| 17.7 | IG2 | Conduct routine incident response exercises | Nexus SecOps-077, Nexus SecOps-219 |
| 17.8 | IG2 | Conduct post-incident reviews | Nexus SecOps-072, Nexus SecOps-220 |
| 17.9 | IG2 | Establish and maintain security incident thresholds | Nexus SecOps-067 |
Coverage Summary by IG Level
| IG Level | CIS Safeguards | Nexus SecOps Controls Satisfying |
| IG1 (Essential) | ~56 | Nexus SecOps-001–005, 010, 013, 066, 080, 111–114, 136, 140, 201 (core set) |
| IG2 (Intermediate) | ~74 | All IG1 + Nexus SecOps-004, 007, 015, 029, 031, 044, 049, 070, 083, 121, 153 |
| IG3 (Advanced) | ~153 | Full Nexus SecOps catalog at maturity Level 3–4 |
Organizations at Nexus SecOps Maturity Level 3 typically meet IG2 requirements. Level 4–5 organizations typically satisfy IG3.
See Controls Catalog for full Nexus SecOps control specifications.