3. One CIS
Part 3 of 5
In its first decade - what we sometimes call “Legacy CIS” - the Center for Internet Security’s work revolved around one big idea: effective security configuration guidance that anyone could use, from a trusted, independent, community-based source. Out of that idea came the CIS Benchmarks, a model built on volunteer expertise, consensus, and free distribution. The results were remarkable: dozens of Benchmarks published, new areas like industrial control systems and virtualization explored, tools to assess systems, and even certification programs for vendor products. Within a few years, downloads of CIS Benchmarks and tools topped one million per year.
CIS also grew into a trusted voice in the broader cybersecurity community. We partnered on NIST’s Security Content Automation Program (where the CIS-CAT tool became certified), led consensus projects on security metrics, and saw CIS Benchmarks referenced in key industry standards like PCI/DSS. And all of this happened with fewer than 10 employees - proof of the power of a community working together.
But the next phase of CIS (2010–2015) brought two major changes that expanded both our mission and our structure: the Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Critical Security Controls.
The roots of the MS-ISAC go back to New York’s Office of Technology in the early 2000s, where state leaders began sharing threat data and best practices. By 2003–2004, the MS-ISAC was formally established, and in 2010 it became part of CIS. Overnight, CIS grew from a handful of people into dozens, with a national, 24x7 operational mission - real-time threat detection, information sharing, and tools like the Albert Intrusion Detection System.
This wasn’t just a new line of work; it was a defining moment. It gave CIS a way to live its own advice, to confront the “real world” challenges that state, local, tribal, and territorial governments face every day - especially those with limited funding and expertise. Serving the “cyber underserved” became a guiding principle for everything we do.
In 2015, CIS added another key piece: the Council on Cybersecurity, home of the Critical Security Controls. The Controls had their origins in DoD Red/Blue Team experience at NSA (2008). This grew into a community project known as the “Consensus Audit Guidelines” led by the Center for Strategic and International Studies (CSIS). It moved to the SANS Institute for sustainment, becoming widely known as the “SANS Top 20” , then eventually to the nonprofit Council on CyberSecurity. When they found their permanent home at CIS, they gave us the system management context to complement the configuration guidance of the Benchmarks.
From these roots, CIS has evolved into two core missions:
Operations – running the MS-ISAC and other services that deliver real-time protection and information sharing.
Best Practices – developing and supporting the Benchmarks, Hardened Images, and the CIS Critical Security Controls.
This combination makes CIS unique. The MS-ISAC gives us live data and operational reality. The Benchmarks and Controls turn that reality into practical guidance. And as we grew rapidly as a company and workforce (from dozens to hundreds), our IT operations became the place where we practice what we preach. Remote work, BYOD, supply chain challenges, compliance pressures? We live them every day, and we “drink our own champagne” of guidance, tools, and products.
CIS was never meant to just write documents. It was built to make a measurable difference in global cybersecurity. That means two things:
Helping people fight today’s fight with practical tools and guidance.
Shaping the long game by working with markets, regulators, insurers, and policymakers to change the system itself.
“One CIS” means bringing these elements together into a single, coherent mission.
Operations inform guidance. Guidance informs policy. Policy shapes the ecosystem. And through it all, we rely on the same formula that’s been with us since day one: community. Experts, volunteers, and partners, working together under a nonprofit umbrella, producing consensus-driven solutions, and tearing down barriers that keep people from using them.
That’s the heart of CIS - an idea that started small, but grew into a force for large-scale change.