CIS v8 vs CMMC

Side-by-side comparison of CIS Controls v8 and CMMC Level 2 across 49 cybersecurity controls.

Shared: 44
CIS v8 Only: 0
CMMC Only: 2
Neither: 3

Covered by Both (44 controls)

Controls recognized by both CIS v8 and CMMC.

Gp Governance Policy
CIS 1.1 | CA.L2-3.12.1, CA.L2-3.12.4
Aw Awareness & Training
CIS 14.1, CIS 14.2 | AT.L2-3.2.1, AT.L2-3.2.2
Rm Risk Management
CIS 1.2 | RM.L2-3.11.1, RM.L2-3.11.2
Rr Roles & Responsibilities
CIS 1.3 | PS.L2-3.9.2
Am Asset Management
CIS 1.1, CIS 2.1 | CM.L2-3.4.1, CM.L2-3.4.2
Ra Risk Assessment
CIS 7.1 | RM.L2-3.11.1, RA.L2-3.11.2
Da Data Classification
CIS 3.1, CIS 3.7 | MP.L2-3.8.1, MP.L2-3.8.2
Vn Vulnerability Mgmt
CIS 7.1, CIS 7.2, CIS 7.4 | RA.L2-3.11.2, SI.L2-3.14.1
Ti Threat Intelligence
CIS 13.8 | RA.L2-3.11.3
Ac Access Control
CIS 5.1, CIS 6.1, CIS 6.2 | AC.L2-3.1.1, AC.L2-3.1.2
Mf Multi-Factor Auth
CIS 6.3, CIS 6.4, CIS 6.5 | IA.L2-3.5.3
En Encryption
CIS 3.6, CIS 3.9, CIS 3.10 | SC.L2-3.13.8, SC.L2-3.13.11
Dp Data Protection
CIS 3.1, CIS 3.10, CIS 3.12 | MP.L2-3.8.1, SC.L2-3.13.16
Bk Backup & Recovery
CIS 11.1, CIS 11.2, CIS 11.4 | RE.L2-3.8.9
Pa Privileged Access
CIS 5.4, CIS 6.5 | AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.7
Fw Firewall / Net Seg
CIS 9.2, CIS 9.3, CIS 12.2 | SC.L2-3.13.1, SC.L2-3.13.5, SC.L2-3.13.6
Ep Endpoint Protection
CIS 10.1, CIS 10.2 | SI.L2-3.14.2, SI.L2-3.14.4
Pm Patch Management
CIS 7.3, CIS 7.4 | SI.L2-3.14.1
Cf Secure Config
CIS 4.1, CIS 4.2, CIS 4.6 | CM.L2-3.4.1, CM.L2-3.4.2, CM.L2-3.4.6
Sd Secure Development
CIS 16.1, CIS 16.2 | SA.L2-3.16.1, SA.L2-3.16.2
Ml Email Security
CIS 9.6, CIS 9.7 | SI.L2-3.14.5
Ws Web Security
CIS 9.5, CIS 16.4 | SC.L2-3.13.1
Zt Zero Trust
CIS 6.1, CIS 12.2 | AC.L2-3.1.1, SC.L2-3.13.1
Mb Mobile Security
CIS 1.4, CIS 1.5 | AC.L2-3.1.18, AC.L2-3.1.19
Cl Cloud Security
CIS 4.1, CIS 6.1 | SC.L2-3.13.1, AC.L2-3.1.1
Ds DNS Security
CIS 9.2 | SC.L2-3.13.1
Wf WAF
CIS 13.10 | SC.L2-3.13.1
Dl DLP
CIS 3.12 | MP.L2-3.8.3, SC.L2-3.13.16
Sm Cont. Monitoring
CIS 8.2, CIS 8.5, CIS 8.11 | SI.L2-3.14.6, SI.L2-3.14.7
Lg Logging & Audit
CIS 8.1, CIS 8.2, CIS 8.9 | AU.L2-3.3.1, AU.L2-3.3.2
Id Intrusion Detection
CIS 13.1, CIS 13.3 | SI.L2-3.14.6
An Anomaly Detection
CIS 8.5, CIS 8.6 | SI.L2-3.14.6, SI.L2-3.14.7
Sg SIEM / SOC
CIS 8.2, CIS 8.11 | AU.L2-3.3.1, SI.L2-3.14.6
Ir Incident Response
CIS 17.1, CIS 17.2, CIS 17.3 | IR.L2-3.6.1, IR.L2-3.6.2
Fn Forensics
CIS 17.6 | IR.L2-3.6.1
Co Communication
CIS 17.2 | IR.L2-3.6.2
Mt Mitigation
CIS 17.4 | IR.L2-3.6.1
Rp Reporting
CIS 17.3 | IR.L2-3.6.2, IR.L2-3.6.3
Rc Recovery Planning
CIS 11.1, CIS 17.7 | RE.L2-3.8.9
Bc Business Continuity
CIS 11.3, CIS 11.4 | RE.L2-3.8.9
Ll Lessons Learned
CIS 17.8 | IR.L2-3.6.3
Dr Disaster Recovery
CIS 11.1, CIS 11.5 | RE.L2-3.8.9
Ap API Security
CIS 16.4 | SC.L2-3.13.1, SA.L2-3.16.1
It Insider Threat
CIS 6.1, CIS 6.2, CIS 8.6 | AC.L2-3.1.1, AU.L2-3.3.1, PS.L2-3.9.2

Only in CMMC (2 controls)

Controls covered by CMMC but not CIS v8. Organizations using CIS v8 should consider supplementing with these.

Not Covered by Either Framework (3 controls)

These controls are not addressed by either CIS v8 or CMMC. Consider additional frameworks for coverage.

Summary: CIS v8 vs CMMC

CIS Controls v8 and CMMC Level 2 share 44 of the 49 controls compared. CIS v8 covers 0 controls that CMMC does not. CMMC covers 2 controls that CIS v8 does not, including Compliance, Comms & Restore. 3 controls are not covered by either framework. For comprehensive cybersecurity coverage, organizations often adopt both frameworks or supplement them with other frameworks.
