CIS Critical Security Controls v8 evidence at the per-Safeguard level — with the Implementation Group cumulative discipline auditors and cyber-insurance underwriters actually consume.
NSAuditor AI EE generates CIS Controls v8 (Center for Internet Security, May 2021; v8.1 errata June 2024) pre-audit gap reports mapped at the per-Safeguard level — the atomic, attestable unit. Signed artifacts, RFC 3161 trusted timestamps, SHA-256 chain-of-custody, suppression workflow, honest IG-cumulative framing (engine substrate is a SUBSET of each Implementation Group; the remainder is operator-side process/endpoint artifacts), no-certification-body attestation discipline — and Zero Data Exfiltration, so you can scan inside your own boundary without sending infrastructure data to a third-party SaaS scanner.
Per-Safeguard mapping at 17 covered + 21 partial + 115 OOS = 153 across 18 Controls — the atomic, attestable unit (coverage claimed at the SAFEGUARD level, never the Control level; Control-level roll-up is derived, never asserted as PASS). Engine substrate-evidences IG1 23-of-56 / IG2-cumulative 36-of-130 / IG3-cumulative 38-of-153; the remaining Safeguards are operator-side process/endpoint artifacts paired with your CSAT / CIS-CAT Pro self-attestation.
Implementation Group cumulative discipline — IG1 = 56 Safeguards (the cyber-insurance baseline; ~50-70% of mid-market policies require IG1 attestation), IG2 cumulative = 130 (IG1 + 74 IG2-only), IG3 cumulative = 153 (IG2 + 23 IG3-only). Smallest-IG-membership tagging per Safeguard; cumulative roll-up is the renderer's job. NEVER report IG2 as 74-of-74 in isolation — the IG1 base MUST be intact before any IG2/IG3 claim is valid.
No-certification-body attestation discipline — CIS Controls has no formal certification body (unlike ISO 27001's ISO/IEC 17021-1 bodies or PCI's QSAs). Engine output is INPUT to your CSAT / CIS-CAT Pro self-attestation OR a SOC 2 auditor cross-validating CIS scope OR CIS-SecureSuite peer review — NEVER "CIS certified."
CIS Controls v8 published May 2021 by the Center for Internet Security (v8.1 errata June 2024). Structure: 18 Controls decomposed into 153 Safeguards across 3 cumulative Implementation Groups (IG1 / IG2 / IG3). The most-requested next framework after SOC 2 + HIPAA + NIST CSF 2.0 + PCI DSS v4.0.1 + ISO 27001:2022 for SMB + mid-market + state/local-government + critical-infrastructure operators — and the baseline most cyber-insurance underwriters key IG1 attestation to. NSAuditor's engine is framework-agnostic — see the SOC 2, HIPAA §164.312, NIST CSF 2.0, PCI DSS v4.0.1, and ISO/IEC 27001:2022 coverage matrices for the companion frameworks.
NSAuditor AI EE generates CIS Controls v8 per-Safeguard-level evidence — at the same institutional grade as SOC 2, HIPAA, NIST CSF 2.0, PCI DSS, and ISO 27001.
It maps cloud infrastructure findings (AWS, Azure, GCP) and network scan results to specific Safeguards (3.3, 5.4, 8.2, 11.4, etc.), produces signed evidence artifacts (cover-page Scope Attestation, SHA-256 chain-of-custody sidecars, RFC 3161 trusted-timestamps, cryptographic suppression signing), and ships CIS reports in machine-readable form suitable for CIS-aware GRC platform ingestion + CSAT / CIS-CAT Pro self-attestation workflow.
It is not a CIS certification (CIS has no certification body — engine output is INPUT to self-attestation). It is not an IG attestation (the IG1 base requires operator-side process/endpoint artifacts beyond infrastructure scanning). It is not a Security Awareness Training program (Control 14 — operator-side LMS). It is not an Incident Response program (Control 17 — operator-side). It is not a Penetration Testing engagement (Control 18 — operator-side). It is not a complete CIS Controls v8 attestation (153 Safeguards total; engine evidences 38 at conservative-MVP density).
What it IS: the per-Safeguard technical-evidence layer for the cloud-API-enumerable Safeguards in Control 1-2 (inventory substrate), Control 3 Data Protection (access control lists + encryption-in-transit + encryption-at-rest), Control 4 Secure Configuration (firewall + Config recorder + Hardened-Image credit), Control 5-6 Account + Access Management (IAM inventory + shadow-admin + MFA), Control 7 Continuous Vulnerability Management (Inspector2 substrate), Control 8 Audit Log Management (CloudTrail substrate), Control 11 Data Recovery (AWS Backup Logically Air-Gapped Vault), Control 12-13 Network Infrastructure + Monitoring (Security Group + VPC + GuardDuty), and Control 16 Application Software Security (CI/CD guardrails + WAF). Every covered or partial Safeguard ships as signed, self-attestation-ready evidence; the per-Control counts are in the coverage matrix below (Control 11 is the only Control evidenced in full; Control 16, for example, is 1 partial of 14). It is explicit about what infrastructure scanning fundamentally cannot evidence (security-awareness training, endpoint EDR, incident-response execution, penetration testing), which saves you from the textbook CIS-canonical overclaim.
The market split: CIS-aware GRC platforms (Drata CIS Controls, Vanta CIS Controls, AuditBoard CIS) automate the self-attestation workflow + continuous evidence collection but lack deep cloud-infrastructure scanning at the per-Safeguard-evidence level. Legacy compliance scanners produce voluminous CVE reports but don't map findings to Safeguards at the IG-cumulative level. NSAuditor's wedge is the bridge — deep cloud + network scanning + CIS v8 per-Safeguard-mapped output + same Zero Data Exfiltration architecture used for the five companion frameworks.
Why per-Safeguard-level mapping
CIS Controls v8 has a 2-level hierarchy:
Control (18 — e.g., Control 3 Data Protection, Control 5 Account Management) — the top-level grouping.
Safeguard (153 — e.g., 3.3 Configure Data Access Control Lists, 5.4 Restrict Administrator Privileges, 11.4 Establish an Isolated Instance of Recovery Data) — the atomic, attestable unit each Implementation Group is defined over.
Self-attestation (CSAT / CIS-CAT Pro), SOC 2 auditor CIS cross-validation, and cyber-insurance underwriters all consume coverage at the SAFEGUARD level. Claiming "Control 4 covered" when only 6 of Control 4's 12 Safeguards are evidenced (1 covered + 5 partial, per the matrix below) is auditor-detectable overclaim — Control-level roll-up is derived (e.g., "Control 4: 6 of 12 Safeguards evidenced"), never asserted as PASS.
NSAuditor maps at the per-Safeguard level. Per-Safeguard fields in data/compliance/cis-v8.json:
Field | Type | Purpose
--- | --- | ---
safeguardId | string | Safeguard ID in canonical CIS form: N.M (e.g., 3.3, 11.4); N = Control 1-18.
controlNumber / controlTitle | int / string | Parent Control (1-18) + title (e.g., 3 / "Data Protection").
implementationGroup | enum | Smallest-IG membership: IG1 / IG2 / IG3, the FIRST IG that includes this Safeguard. Drives the IG-cumulative coverage summary.
securityFunction | enum | One of identify / protect / detect / respond / recover (5 Functions, NOT 6 like NIST CSF 2.0; no Govern).
assetType | enum | One of devices / software / data / users / network / applications (the 6 CIS v8 asset types).
Every (source, titlePattern) anchor in cis-v8.json is inherited from soc2.json's grep-verified set; where no inherited pattern applies to a Safeguard, the Safeguard is marked OOS rather than given a fabricated pattern. The 11 load-bearing schema enrichments were designed against the 16 ship-blocker classes surfaced by the EE 0.13.0 P0 skill-research synthesis (Skill #19 audit-cis-controls-v8-implementation-group-perspective plus the five companion-framework audit-skill lenses, applied pre-authoring at tasks/audit-cis-v8-2026-05-24.md); the reviewer pass found no ship-blockers.
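The checks those enums imply, as an added example in Python (not NSAuditor's own schema test): it validates one record against the field table above, rejects govern in securityFunction and the stale v7.1 Control 19/20 IDs in v71Source (both discussed later on this page), and enforces that covered or partial Safeguards carry at least one inherited titlePattern anchor while OOS Safeguards carry none. The status, anchors and v71Source field shapes and the sample records are assumptions made for the example.

```python
"""Record-level checks for data/compliance/cis-v8.json.

Added example, not NSAuditor's own schema test. The field names and enums
follow the table above; the `status` value ("covered" / "partial" / "OOS"),
the `anchors` list of {"source", "titlePattern"} objects, and the optional
`v71Source` string are assumed shapes.
"""
import re

# Safeguards per Control, from the coverage matrix on this page (sums to 153).
SAFEGUARDS_PER_CONTROL = {1: 5, 2: 7, 3: 14, 4: 12, 5: 6, 6: 8, 7: 7, 8: 12, 9: 7,
                          10: 7, 11: 5, 12: 8, 13: 11, 14: 9, 15: 7, 16: 14, 17: 9, 18: 5}
IMPLEMENTATION_GROUPS = {"IG1", "IG2", "IG3"}
SECURITY_FUNCTIONS = {"identify", "protect", "detect", "respond", "recover"}  # no "govern"
ASSET_TYPES = {"devices", "software", "data", "users", "network", "applications"}
STATUSES = {"covered", "partial", "OOS"}
ID_FORM = re.compile(r"^(\d{1,2})\.(\d{1,2})$")  # canonical N.M
STALE_V71_CONTROLS = {19, 20}  # v7.1 Controls folded into v8 Controls 17 / 18


def validate_record(rec):
    """Return a list of problems with one Safeguard record (empty list = valid)."""
    errors = []
    sid = str(rec.get("safeguardId", ""))
    m = ID_FORM.match(sid)
    if not m:
        return [f"{sid!r}: safeguardId must be in canonical N.M form"]
    control, index = int(m.group(1)), int(m.group(2))
    if control not in SAFEGUARDS_PER_CONTROL:
        errors.append(f"{sid}: Control {control} is outside 1-18")
    elif not 1 <= index <= SAFEGUARDS_PER_CONTROL[control]:
        errors.append(f"{sid}: Control {control} has only "
                      f"{SAFEGUARDS_PER_CONTROL[control]} Safeguards")
    if rec.get("controlNumber") != control:
        errors.append(f"{sid}: controlNumber {rec.get('controlNumber')!r} "
                      f"disagrees with safeguardId prefix {control}")
    if rec.get("implementationGroup") not in IMPLEMENTATION_GROUPS:
        errors.append(f"{sid}: implementationGroup must be IG1 / IG2 / IG3")
    sf = rec.get("securityFunction")
    if sf == "govern":
        errors.append(f"{sid}: 'govern' is a NIST CSF 2.0 Function, not a CIS v8 one")
    elif sf not in SECURITY_FUNCTIONS:
        errors.append(f"{sid}: securityFunction {sf!r} is not one of the 5 CIS Functions")
    if rec.get("assetType") not in ASSET_TYPES:
        errors.append(f"{sid}: assetType {rec.get('assetType')!r} is not a CIS v8 asset type")
    status = rec.get("status")
    anchors = rec.get("anchors", [])
    if status not in STATUSES:
        errors.append(f"{sid}: status must be covered / partial / OOS")
    elif status == "OOS" and anchors:
        errors.append(f"{sid}: OOS Safeguards carry no titlePattern anchors")
    elif status != "OOS" and not anchors:
        errors.append(f"{sid}: {status} without an inherited anchor is a fabricated claim")
    v71 = rec.get("v71Source")
    if v71 is not None:
        vm = ID_FORM.match(str(v71))
        v71_control = int(vm.group(1)) if vm else None
        if vm is None or not 1 <= v71_control <= 20:
            errors.append(f"{sid}: v71Source {v71!r} is not a v7.1 Sub-Control ID")
        elif v71_control in STALE_V71_CONTROLS:
            errors.append(f"{sid}: v71Source {v71} is stale; v7.1 Controls 19/20 "
                          f"became v8 Controls 17/18")
    return errors


def validate_file(records):
    """Validate every record and reject duplicate Safeguard IDs."""
    errors, seen = [], set()
    for rec in records:
        sid = rec.get("safeguardId")
        if sid in seen:
            errors.append(f"{sid}: duplicate safeguardId")
        seen.add(sid)
        errors.extend(validate_record(rec))
    return errors


# Constructed records for demonstration; the v71Source mapping is illustrative.
GOOD = {"safeguardId": "3.3", "controlNumber": 3, "controlTitle": "Data Protection",
        "implementationGroup": "IG1", "securityFunction": "protect", "assetType": "data",
        "status": "covered", "v71Source": "14.6",
        "anchors": [{"source": "aws-s3", "titlePattern": r"bucket ACL .*public"}]}
GOVERN_LEAK = dict(GOOD, safeguardId="3.4", securityFunction="govern")
STALE_V71 = dict(GOOD, safeguardId="17.1", controlNumber=17, status="OOS", anchors=[],
                 v71Source="19.1")
FABRICATED = dict(GOOD, safeguardId="16.11", controlNumber=16, status="partial", anchors=[])

if __name__ == "__main__":
    for rec in (GOOD, GOVERN_LEAK, STALE_V71, FABRICATED):
        print(rec["safeguardId"], validate_record(rec) or "ok")
```

Each rule maps to one sentence of the schema description: the Control-number bound comes from the matrix totals, the five-Function set deliberately omits govern, and the anchor rule is what makes "no fabricated patterns" mechanically checkable rather than a statement of intent.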
Implementation Group cumulative discipline
The Implementation Groups are cumulative — this is THE central institutional mechanism of CIS Controls v8, the lens cyber-insurance underwriters + CIS-CAT self-attestation + CIS-SecureSuite peer reviewers all consume IG claims through:
Cumulative means: claiming "we're IG2" = ALL 56 IG1 Safeguards AND ALL 74 IG2-only = 130 total (NEVER 74-of-74 in isolation). Claiming "we're IG3" = ALL 130 IG2-cumulative AND ALL 23 IG3-only = 153 total. The IG1 base MUST be intact before any IG2/IG3 claim is valid — operators who skip IG1 Safeguards while pursuing IG2/IG3 depth are NOT IG2/IG3 compliant (cyber-insurance underwriters reject the claim + re-classify as incomplete IG1, potentially declining or limiting coverage).
Implementation Group | Cumulative Safeguards | Engine substrate-evidenced | Typical operator profile
--- | --- | --- | ---
IG1 — Essential Cyber Hygiene | 56 | 23 (41%) | SMB, limited IT/security expertise; untargeted-attack threat model
IG2 — Foundational Cyber Hygiene (cumulative) | 130 | 36 (28%) | Mid-market, dedicated security team, regulatory exposure; targeted-attack threat model
IG3 — Organizational Cyber Hygiene (cumulative) | 153 | 38 (25%) | Large org, critical infrastructure, mature program; nation-state APT threat model
The engine substrate covers a SUBSET of each IG. The remaining Safeguards are operator-side process/endpoint artifacts (security-awareness LMS training, endpoint EDR, incident-response program, third-party-risk management) that pair with your CSAT / CIS-CAT Pro self-attestation. This report is INPUT to that attestation — for each covered/partial Safeguard, your self-attestation cites this report as documentation evidence; for the operator-side remainder, your self-attestation cites your LMS / EDR / IR / TPRM platform evidence.
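How the renderer's cumulative roll-up falls out of the smallest-IG-membership tag, as an added Python example (not NSAuditor's renderer code): counts per IG are cumulative, an IG2 or IG3 claim is refused and re-classified as incomplete IG1 the moment one IG1 Safeguard is neither engine-evidenced nor operator-attested, and the Control-level line is derived text rather than a PASS. The operator_attested set and the six sample records are constructed for this example.

```python
"""IG-cumulative roll-up from smallest-IG-membership tags.

Added example, not NSAuditor's renderer. Records carry the schema fields
above (safeguardId, implementationGroup = smallest IG, status); the
`operator_attested` set standing in for CSAT / CIS-CAT Pro self-attestation
evidence, and the sample records, are constructed for this illustration.
"""
from collections import Counter

IG_ORDER = ["IG1", "IG2", "IG3"]
ENGINE_EVIDENCED = {"covered", "partial"}


def ig_summary(records):
    """Cumulative counts per IG: IG2 includes all IG1 Safeguards, IG3 all IG1+IG2."""
    summary = {}
    for rank, ig in enumerate(IG_ORDER):
        members = [r for r in records if IG_ORDER.index(r["implementationGroup"]) <= rank]
        evidenced = sum(1 for r in members if r["status"] in ENGINE_EVIDENCED)
        summary[ig] = {"total": len(members), "engine_evidenced": evidenced}
    return summary


def ig_claim(records, claimed_ig, operator_attested=frozenset()):
    """Check an 'IG1' / 'IG2' / 'IG3' claim against the cumulative discipline.

    A Safeguard is satisfied when the engine evidences it or the operator
    attests it from process/endpoint artifacts. The claim is valid only if
    every lower IG base is fully intact; otherwise the operator is
    re-classified at the highest IG that is (or 'incomplete IG1').
    Returns (valid, effective_label, gaps_by_ig).
    """
    satisfied = {r["safeguardId"] for r in records if r["status"] in ENGINE_EVIDENCED}
    satisfied |= set(operator_attested)
    effective, gaps = "incomplete IG1", {}
    for ig in IG_ORDER[: IG_ORDER.index(claimed_ig) + 1]:
        only_this_ig = [r["safeguardId"] for r in records if r["implementationGroup"] == ig]
        gaps[ig] = sorted(s for s in only_this_ig if s not in satisfied)
        if gaps[ig]:
            break  # base not intact: no higher IG may be claimed
        effective = ig
    return effective == claimed_ig, effective, gaps


def control_rollup(records, safeguards_per_control):
    """Derived Control-level text ('N of M evidenced'); never a PASS verdict."""
    evidenced = Counter(int(r["safeguardId"].split(".")[0])
                        for r in records if r["status"] in ENGINE_EVIDENCED)
    return {c: f"Control {c}: {evidenced[c]} of {n} Safeguards evidenced"
            for c, n in sorted(safeguards_per_control.items())}


# Constructed excerpt: Control 11 (all five Safeguards) plus 14.1. IG tags
# follow CIS v8; the statuses are this example's, not an engine run.
SAMPLE = [
    {"safeguardId": "11.1", "implementationGroup": "IG1", "status": "partial"},
    {"safeguardId": "11.2", "implementationGroup": "IG1", "status": "covered"},
    {"safeguardId": "11.3", "implementationGroup": "IG1", "status": "covered"},
    {"safeguardId": "11.4", "implementationGroup": "IG1", "status": "covered"},
    {"safeguardId": "11.5", "implementationGroup": "IG2", "status": "partial"},
    {"safeguardId": "14.1", "implementationGroup": "IG1", "status": "OOS"},  # LMS-side
]

if __name__ == "__main__":
    print(ig_summary(SAMPLE))
    print(ig_claim(SAMPLE, "IG2"))                               # refused: 14.1 open
    print(ig_claim(SAMPLE, "IG2", operator_attested={"14.1"}))  # valid once attested
    print(control_rollup(SAMPLE, {11: 5, 14: 9}))
```

The point of the operator_attested argument is that the engine substrate alone can never satisfy an IG claim on this page's own numbers (23 of 56 IG1); the IG1 gap list returned for a refused claim is exactly the list an underwriter asks for a remediation timeline on.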
No-certification-body attestation discipline
CIS Controls v8 has no formal certification body (unlike ISO 27001's ISO/IEC 17021-1 accredited bodies or PCI's QSAs). This report is INPUT to one of 3 operator-side validation paths — never a "CIS certification":
Validation path | What it is | When to use
--- | --- | ---
1. Self-attestation | CSAT (CIS Controls Self Assessment Tool, lighter-weight) or CIS-CAT Pro Assessor (benchmark-automated, more rigorous) | Most operators; cyber-insurance renewal; customer security questionnaires
2. SOC 2 auditor cross-validation | SOC 2 Type II auditor folds CIS Controls scope into the SOC 2 evidence package (CC6/CC7/CC8 substrate) | Operators already pursuing SOC 2 (the most common path)
3. CIS-SecureSuite peer review | Informal community validation from comparable-organization members | CIS-SecureSuite members seeking a community baseline
Never represent this report as "CIS certified" or "CIS Controls certification" — there is no such certification. Represent it as "substrate evidence supporting CIS Controls v8 IG[N] self-attestation." Overclaiming certification is the textbook CIS-canonical misrepresentation.
Coverage matrix by Control
Source of truth is data/compliance/cis-v8.json; this matrix mirrors it. The anchor-drift defense test asserts every (source, titlePattern) pair in cis-v8.json exists in soc2.json (inheritance contract — closes the silent false-CLEAN class at the CIS mapping layer, parallel to the HIPAA + NIST CSF + PCI DSS + ISO 27001 inheritance defenses).
Control | Safeguards | Covered | Partial | OOS
--- | --- | --- | --- | ---
1 Inventory Enterprise Assets | 5 | 0 | 1 | 4
2 Inventory Software Assets | 7 | 1 | 1 | 5
3 Data Protection | 14 | 3 | 4 | 7
4 Secure Configuration | 12 | 1 | 5 | 6
5 Account Management | 6 | 2 | 1 | 3
6 Access Control Management | 8 | 2 | 0 | 6
7 Continuous Vulnerability Mgmt | 7 | 2 | 0 | 5
8 Audit Log Management | 12 | 1 | 3 | 8
9 Email & Web Browser Protections | 7 | 0 | 0 | 7
10 Malware Defenses | 7 | 0 | 0 | 7
11 Data Recovery | 5 | 3 | 2 | 0
12 Network Infrastructure Mgmt | 8 | 1 | 1 | 6
13 Network Monitoring & Defense | 11 | 1 | 2 | 8
14 Security Awareness Training | 9 | 0 | 0 | 9
15 Service Provider Management | 7 | 0 | 0 | 7
16 Application Software Security | 14 | 0 | 1 | 13
17 Incident Response Management | 9 | 0 | 0 | 9
18 Penetration Testing | 5 | 0 | 0 | 5
TOTAL | 153 | 17 | 21 | 115
Conservative-MVP density: substrate-evidenceable Safeguards concentrate in Controls 1-8 + 11-13 + 16 (cloud-API-enumerable). Controls 9 + 10 + 14 + 15 + 17 + 18 are entirely operator-side (endpoint / LMS / IR / TPRM / pentest). Density expansion is deferred to EE 0.13.1+ patches.
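The inheritance contract and the failure it closes, as an added Python example (not NSAuditor's test suite): a Safeguard whose titlePattern was edited without a matching change in soc2.json matches no finding, so it reads as CLEAN although the scanner did produce a finding from that source; the drift check flags the pair before that report can ship. Both JSON excerpts, the anchor and finding shapes, and the patterns are constructed.

```python
"""Anchor-drift defense: every (source, titlePattern) pair cis-v8.json uses
must exist in soc2.json, and a drifted pattern shows up as a silent false CLEAN.

Added example, not NSAuditor's test. Both JSON excerpts, the anchor shape
{"source", "titlePattern"}, the finding shape {"source", "title"}, and the
patterns themselves are constructed for illustration.
"""
import json
import re

SOC2_JSON = json.dumps({"criteria": [
    {"criterionId": "CC6.1", "anchors": [
        {"source": "aws-s3", "titlePattern": r"bucket ACL .*public"},
        {"source": "aws-iam", "titlePattern": r"root .*without MFA"}]},
    {"criterionId": "CC7.2", "anchors": [
        {"source": "aws-cloudtrail", "titlePattern": r"trail .*not multi-region"}]},
]})

CIS_JSON = json.dumps({"safeguards": [
    {"safeguardId": "3.3", "status": "covered", "anchors": [
        {"source": "aws-s3", "titlePattern": r"bucket ACL .*public"}]},
    {"safeguardId": "6.5", "status": "covered", "anchors": [
        {"source": "aws-iam", "titlePattern": r"root .*without MFA"}]},
    # Drifted: the pattern was edited here but not in soc2.json.
    {"safeguardId": "8.2", "status": "partial", "anchors": [
        {"source": "aws-cloudtrail", "titlePattern": r"trail .*single-region"}]},
    {"safeguardId": "14.1", "status": "OOS", "anchors": []},
]})

# Constructed scanner findings; the title text is what the patterns match on.
FINDINGS = [
    {"source": "aws-s3", "title": "Bucket ACL on 'logs-archive' grants public READ"},
    {"source": "aws-cloudtrail", "title": "Trail 'main' is not multi-region"},
]


def anchor_pairs(doc, key):
    """All (source, titlePattern) pairs declared under doc[key][*]['anchors']."""
    return {(a["source"], a["titlePattern"])
            for item in doc[key] for a in item.get("anchors", [])}


def drift(cis_doc, soc2_doc):
    """Pairs used by a Safeguard that soc2.json does not declare."""
    inherited = anchor_pairs(soc2_doc, "criteria")
    return sorted((sg["safeguardId"], a["source"], a["titlePattern"])
                  for sg in cis_doc["safeguards"] for a in sg.get("anchors", [])
                  if (a["source"], a["titlePattern"]) not in inherited)


def match_findings(cis_doc, findings):
    """Findings that hit each Safeguard's anchors; an empty list reads as CLEAN."""
    hits = {}
    for sg in cis_doc["safeguards"]:
        hits[sg["safeguardId"]] = [
            f["title"] for f in findings for a in sg.get("anchors", [])
            if f["source"] == a["source"] and re.search(a["titlePattern"], f["title"], re.I)]
    return hits


def audit(cis_json=CIS_JSON, soc2_json=SOC2_JSON, findings=FINDINGS):
    """Run the inheritance contract and the finding match together."""
    cis, soc2 = json.loads(cis_json), json.loads(soc2_json)
    return {"drift": drift(cis, soc2), "hits": match_findings(cis, findings)}


if __name__ == "__main__":
    result = audit()
    print(result["hits"])   # 8.2 -> [] although a CloudTrail finding exists
    print(result["drift"])  # [('8.2', 'aws-cloudtrail', 'trail .*single-region')]
```

Without the drift check the 8.2 row would render as clean in the signed report, which is exactly the "silent false-CLEAN class" the inheritance test exists to catch; restoring the inherited pattern makes the CloudTrail finding land on 8.2 again.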
CIS-specific report sections rendered from the same per-Safeguard records:
Implementation Group Coverage Summary — the IG1 / IG2-cumulative / IG3-cumulative engine-substrate table with cyber-insurance-baseline framing (the central CIS cover-page section).
Attestation-discipline disclaimer — the explicit "no certification body; INPUT to CSAT / CIS-CAT Pro" statement.
Hardened-Image credit — live detection (AMI-ID / image-publisher = center-for-internet-security-inc / image-project = cis-public / container-label org.cis.benchmark.profile) is a forward engine capability (EE 0.13.1+); the cisHardenedImageCredit schema field and this renderer section ship now so operators already running Hardened Images know which Safeguards (4.1, 4.2 partial, 4.6) earn credit toward their self-attestation.
Sector baselines — MS-ISAC / EI-ISAC / H-ISAC
The Cloud Companion Guide v8 cross-references sector-specific baseline requirements; each Safeguard carries sectorBaselineApplicability:
CIS Controls v8 uses 5 Security Functions — Identify / Protect / Detect / Respond / Recover. NOT 6 like NIST CSF 2.0: NIST added Govern as a 6th Function in 2024, but CIS Controls v8 (published May 2021) retains the original 5-function model. The engine's per-Safeguard securityFunction field strictly rejects govern; a schema-level test asserts no Govern value leaks into the CIS securityFunction attribute (defending against cross-framework drift from the NIST CSF engine).
Each Safeguard also applies to one of 6 Asset Types — Devices / Software / Data / Users / Network / Applications. Engine substrate is strongest for Devices / Software / Data / Network (cloud-API-enumerable); weakest for Users (partial — IAM principals only) and operator-process Safeguards (OOS).
v7.1-to-v8 transition discipline
CIS v7.1 had 20 Controls + 171 Sub-Controls; v8 consolidated to 18 Controls + 153 Safeguards ("Sub-Controls" renamed to "Safeguards"). Each covered/partial Safeguard carries a v71Source field for migration cross-reference.
Migration pitfalls:
Control numbering changed (20 → 18) — Controls 19 (Incident Response) + 20 (Penetration Tests) folded into v8 Controls 17 + 18; v7.1 Control 19/20 IDs are stale and rejected at the schema layer.
Some Sub-Controls merged; terminology renamed Sub-Control → Safeguard.
5 brand-new Safeguards added in v8 (no v7.1 source).
~20 Sub-Controls changed IG assignment across versions — re-verify your IG scoping.
For the comprehensive v7.1-to-v8 mapping table, refer to CIS's published CIS Controls v7.1 to v8 Mapping document.
Cyber-insurance IG1 baseline
~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite (as of 2024+). IG1 is the "essential cyber hygiene" baseline. The engine evidences 23 of the 56 IG1 Safeguards via infrastructure scanning; the remaining 33 are operator-side (unique-passwords / IdP policy, endpoint encryption / MDM, security-awareness LMS, access-granting/revoking process, IR designation).
IG1 gaps are commercial-impact findings — potential coverage-invalidation, not just compliance findings. Verify the full IG1 base (engine substrate + operator-side process artifacts) is intact BEFORE submitting a cyber-insurance attestation. Underwriters commonly ask: "Show me your IG1 attestation" (must be 100% 56/56 for most policies); "How many IG1 Safeguards are in-progress vs covered?" (in-progress count as gaps for coverage-prerequisite purposes); "What's your remediation timeline for IG1 gaps?" (90-day or 180-day plan with named owner expected).
Zero Data Exfiltration — operator-controlled boundary
NSAuditor AI EE inherits the same Zero Data Exfiltration architecture across all 6 supported frameworks:
Local-only scanning — no scan data leaves the operator's environment; no SaaS dependency
Optional AI — Claude API integration is operator-configured and can be left disabled outright; an air-gapped fallback covers federal-contractor + classified-data scope
This architecture matters for CIS Controls v8 because Control 3 Data Protection + Control 15 Service Provider Management scrutinize where sensitive data flows — a SaaS compliance tool that ingests scan data into a third-party cloud environment introduces a new service provider per Control 15 that the operator must inventory, classify, assess, and monitor (Safeguards 15.1-15.6). Zero Data Exfiltration sidesteps that service-provider expansion entirely.
Positioning: NSAuditor + CIS-aware GRC platform (or CIS-CAT Pro) = full CIS Controls v8 coverage. NSAuditor handles the cloud-infrastructure substrate-evidence dimension where it's strongest (per-Safeguard technical configuration across AWS / Azure / GCP + signed evidence + IG-cumulative framing); the GRC platform / CIS-CAT handles host-level benchmark assessment + the self-attestation workflow + the operator-side process Safeguards (awareness training, IR, TPRM). The bundle is institutionally complete; each tool standalone leaves gaps the other fills.
CIS Controls auditor FAQ
Is this report a CIS certification?
No. CIS Controls v8 has no formal certification body. This report is INPUT to one of 3 operator-side validation paths: (1) self-attestation via CSAT or CIS-CAT Pro Assessor; (2) a SOC 2 Type II auditor cross-validating CIS scope; (3) CIS-SecureSuite peer review. Represent it as "substrate evidence supporting CIS Controls v8 IG[N] self-attestation."
Does NSAuditor map at the Control or per-Safeguard level?
Per-Safeguard — the atomic, attestable unit. 18 Controls decompose into 153 Safeguards; coverage is claimed at the SAFEGUARD level (3.3, 5.4, 11.4). Control-level roll-up is derived ("Control 4: 6 of 12 Safeguards evidenced", i.e., 1 covered + 5 partial), never asserted as PASS.
What does "IG2 cumulative = 130" mean?
The Implementation Groups are cumulative. Claiming IG2 means ALL 56 IG1 Safeguards AND ALL 74 IG2-only = 130 total — never 74-of-74 in isolation. The IG1 base must be intact before any IG2/IG3 claim. Operators who skip IG1 while pursuing IG2/IG3 depth are NOT IG2/IG3 compliant — cyber-insurance underwriters re-classify them as incomplete IG1.
Why does CIS v8 have 5 Security Functions and not 6 like NIST CSF 2.0?
CIS Controls v8 (published May 2021) retains the original 5 Functions (Identify / Protect / Detect / Respond / Recover). NIST CSF 2.0 added Govern as a 6th Function in 2024 — but that's NIST CSF, not CIS. The engine's securityFunction field rejects govern; a schema-level test asserts no Govern value leaks into the CIS attribute.
We run CIS-Hardened-Images. Do we earn substrate-evidence credit?
Yes — for Safeguards 4.1, 4.2 (partial), and 4.6. Operators running CIS-Hardened-Images from AWS / Azure / GCP Marketplace or Docker Hub earn substantial substrate-evidence credit. The cisHardenedImageCredit field surfaces this. Live detection is a forward capability (EE 0.13.1+); the schema field + renderer section ship now.
How does IG1 coverage affect our cyber-insurance?
~50-70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite (2024+). The engine evidences 23 of 56 IG1 Safeguards; the remaining 33 are operator-side. IG1 gaps are commercial-impact findings — potential coverage-invalidation. Verify the full IG1 base is intact before submitting a cyber-insurance attestation.
We're on CIS v7.1. How do we migrate to v8?
v7.1 had 20 Controls + 171 Sub-Controls; v8 has 18 Controls + 153 Safeguards. Each covered/partial Safeguard carries a v71Source field. Pitfalls: Controls 19/20 are v7.1-stale (rejected at schema layer); some Sub-Controls merged; 5 brand-new Safeguards in v8; ~20 changed IG assignment. Refer to CIS's published "CIS Controls v7.1 to v8 Mapping" document.
Can NSAuditor evidence Control 14 (Security Awareness Training), Control 17 (Incident Response), or Control 18 (Penetration Testing)?
No — these are entirely operator-side and OOS-by-design for any infrastructure scanner. Control 14 = LMS (KnowBe4 / Proofpoint / SANS); Control 17 = IR program (pair with SOAR — TheHive / Cortex XSOAR / Splunk SOAR); Control 18 = independent pentest engagement. The engine enumerates these as OOS with named operator-side platform pairings so your self-attestation knows exactly what to attach.
What's the difference between the engine substrate and a full IG attestation?
The engine substrate-evidences the cloud-infrastructure-observable Safeguards within each IG (IG1 23/56, IG2-cumulative 36/130, IG3-cumulative 38/153). A full IG attestation also requires the operator-side process/endpoint Safeguards (training, EDR, IR, TPRM) that infrastructure scanning fundamentally cannot observe. Pair the engine substrate with your CSAT / CIS-CAT Pro self-attestation for the complete IG picture.