CIS Controls Self-Assessment Tool CSAT and Create Assessment (On Prem or CIS Hosted) - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Sunday, September 25, 2022

CIS Controls Self-Assessment Tool CSAT and Create Assessment (On Prem or CIS Hosted)

The CIS Controls Self-Assessment Tool, or CIS CSAT, is a free web application that enables security leaders to track and prioritize their implementation of the CIS Controls. CIS CSAT’s questions are based off the popular Critical Security Manual Assessment Tool excel document and the platform was developed by our partners at EthicalHat . For each CIS Control and sub-control, CSAT helps organizations track its documentation, implementation, automation, and reporting.

CIS CSAT Features

CIS CSAT enables security teams to track and prioritize their implementation of the CIS Controls. For each CIS Control and CIS Safeguard, CIS CSAT helps an organization track its documentation, implementation, automation, and reporting.

Use CIS CSAT to:
  • Collaborate across teams and assign user roles
  • Choose which specific Safeguards to include in your assessments
  • Upload documentation as supporting evidence
  • Track assessments over time and view graphs of your progress
  • Monitor alignment to other security frameworks with CIS Controls mappings to frameworks including NIST CSF and NIST SP 800-53
  • Anonymously compare results to industry averages
  • Coming Soon. Estimate an enterprise’s likelihood of being affected by a ransomware attack with the Ransomware Business Impact Analysis tool (created in partnership with Foresight Resilience Strategies (4RS))

There are two versions of CIS CSAT: a CIS-hosted version and an on-premises version for CIS SecureSuite Members called CIS CSAT Pro.


The CIS-hosted version of CIS CSAT is free to every organization for use in a non-commercial capacity to conduct CIS Controls assessments of their organization. This free, CIS-Hosted version of CSAT was released in early 2019 and is available at CIS CSAT.

Log in with your registered account. 
Your account will be verified with an OTP sent to your registered email. 

After log in with your free account, you will be prompted to create your organization:

From Administration menu, you will be able to create multiple organizations and define implementation group and critical controls version:


Create a new assessment

Assign user and due time

User will get an email for each sub-control assigned to him/her. 

Complete the questions

Based on the implementation group assigned to the assessment, you will get different questions for the safeguards:
  • IG1 (Minimum, 56 Safeguards) 
  • IG2 (Recommended, 56 + 74 Safeguards) 
  • IG3 (Full, 56 + 74 + 23 Safeguards) 

Complete each sub-control



The on-premises version of CIS CSAT is available exclusively for CIS SecureSuite Members. This version offers additional features and benefits:
  • Save time by using a simplified scoring method with a reduced number of questions
  • Decide whether to opt in to share data and see how scores compare to industry average
  • Greater flexibility with organization trees for tracking organizations, sub-organizations, and assessments
  • Assign users to different roles for different organizations/sub-organizations as well as greater separation of administrative and non-administrative roles
  • Track multiple concurrent assessments in the same organization
  • Easily access your tasks, assessments, and organizations from a consolidated home page
  • Includes CIS Controls Safeguard mappings to NIST CSF, NIST SP 800-53, and PCI


CIS CSAT Pro Deployment Steps


System Recommendations: 

  • 16GB RAM
  • 4 quad core vCPUs
But in my testing, 8G RAM with 4 vCPU is enough. 

  • 1. Download  CIS CSAT Pro from  the Downloads section of CIS WorkBench.
  • 2. Extract the bundle on the machine you are using to host CIS CSAT Pro.
  • 3. Execute the CIS CSAT Pro Installer ( or CSAT_Pro_windows-x64_Installer.exe) as root or user that has root/local admin privileges.
  • 4. Download neo4j 3.5 server as zip file. Don't unzip the file.
  • Please make sure there are no restrictions in your system that will prevent applications that run inside C:\Users\MYUSER~1\AppData from accessing other directories like c:/Program Files/CSATPro/neo4j. If such restrictions are in place, you will need to install CSAT Pro after either temporarily disabling the restriction, or after configuring a bypass for CSAT Pro and related applications like Neo4j (for instance, allowlisting these applications). For example, certain malware prevention GPO settings can prevent successful installation of CSAT Pro.

CIS CSAT Pro Web Interfaces

Login Interface:




Admin Configuration



No comments:

Post a Comment