CIS v8 citations are children of Control Objectives instead of a Citation
6 hours ago
Hey all! As the title summarizes, I am trying to understand why CIS v8 citations are implemented like this OOTB. In the current instances I am working with, the CIS v8 authority document is already provided OOTB. We want to use its Control Objectives as a common layer between CIS v8 and NIS2, since there is some relevant overlap between the two documents.
While I was testing some options on how to achieve this, I noticed something weird: the top-level Citations for CIS v8 (Control 1 to Control 18) are NOT the parents of the corresponding sub-level Citations. For example, as shown in the screenshot, the citation "10.1 Deploy and (...)" is not a child of the citation "10 Malware Defenses". It's actually the child of the related control objective.
So Citation 10 has its own control objective, but then Citation 10.1 also has its own control objective. I am struggling to understand the architecture here - why would it be implemented like this? What are the advantages of using a Control Objective as the parent of a Citation? Won't this also cause issues with the compliance score roll-up?
Thanks in advance for any tips regarding this!
