Authoritative mappings from CIS Controls safeguards to DISA Control Correlation Identifiers (CCI) and NIST SP 800-53 Rev 5 controls, for compliance automation.
This repository provides validated, machine-readable mappings between:
- CIS Controls (v7, v8, v8.1) safeguards
- DISA CCI (Control Correlation Identifiers)
- NIST SP 800-53 Rev 5 security controls
These mappings enable compliance automation tools to tag security controls with authoritative CCI/NIST references required for RMF, eMASS, and STIG compliance.
DISA does not publish an official CIS Controls to CCI crosswalk. Security teams building compliance automation (InSpec profiles, SCAP content, OSCAL catalogs) need authoritative CCI/NIST mappings for CIS Controls. This dataset fills that gap.
- 472 total mappings across 3 CIS Controls versions
- 100% coverage for v8/v8.1 (150/150 safeguards)
- 99.4% coverage for v7 (171/172 safeguards, 1 sentinel)
- All confidence scores ≥ 0.80 (avg: 0.913-0.930)
- Validated via DISA CCI API (cyber.trackr.live)
- Independent verification by multiple validation agents
See validation reports for detailed methodology and results.
Using jq:

```bash
# Get the CCI for CIS v8 safeguard 5.4
jq '.mappings[] | select(.cis_id == "5.4")' mappings/cis-cci-mapping-v8.json
```

Output (abbreviated):

```json
{
  "cis_id": "5.4",
  "cis_title": "Restrict Administrator Privileges to Dedicated Administrator Accounts",
  "primary_cci": {
    "cci": "CCI-002235",
    "confidence": 0.95,
    "reasoning": "AC-6(10).1 prevents non-privileged users from executing privileged functions..."
  },
  "nist_control": "AC-6 (5)",
  ...
}
```

Ruby example:
```ruby
# Load the mapping data and index it by CIS safeguard ID
require 'json'

mapping = JSON.parse(File.read('mappings/cis-cci-mapping-v8.json'))
control_map = mapping['mappings'].each_with_object({}) { |m, h| h[m['cis_id']] = m }

# Tag an InSpec control with the CCI/NIST references for safeguard 5.4
cis_mapping = control_map['5.4']

control 'cis-5.4' do
  title cis_mapping['cis_title']
  tag cis_controls: ['5.4']
  tag cci: [cis_mapping['primary_cci']['cci']]
  tag nist: [cis_mapping['nist_control']]
  # Your describe blocks...
end
```

Python example:

```python
import json

with open('mappings/cis-cci-mapping-v8.json') as f:
    data = json.load(f)

# Find all mappings that land on AC-2 (Account Management) or one of its enhancements.
# Compare the base control, not a string prefix: startswith('AC-2') would also match AC-20..AC-25.
ac2_controls = [
    m for m in data['mappings']
    if m['nist_control'].split(' ')[0] == 'AC-2'
]

for ctrl in ac2_controls:
    print(f"{ctrl['cis_id']}: {ctrl['primary_cci']['cci']} → {ctrl['nist_control']}")
```

See examples/ for more usage patterns.
Each mapping file contains:

```json
{
  "cis_controls_version": "8",
  "generated_at": "2026-02-12",
  "source": "CIS Controls v8 + cyber.trackr.live/api CCI lookup",
  "entry_count": 150,
  "mappings": [
    {
      "cis_id": "5.4",
      "cis_title": "Restrict Administrator Privileges to Dedicated Administrator Accounts",
      "primary_cci": {
        "cci": "CCI-002235",
        "confidence": 0.95,
        "reasoning": "AC-6(10).1 prevents non-privileged users from executing privileged functions..."
      },
      "supporting_ccis": [
        {
          "cci": "CCI-002227",
          "confidence": 0.90,
          "reasoning": "AC-6(5).2 restricts privileged accounts to defined personnel/roles"
        }
      ],
      "nist_control": "AC-6 (5)",
      "coverage_assessment": "Strong coverage. AC-6(5) and AC-6(10) together...",
      "mapping_status": "OFFICIAL"
    }
  ]
}
```

| Field | Type | Description |
|---|---|---|
| cis_id | string | CIS safeguard ID (e.g., "5.4") |
| cis_title | string | Human-readable safeguard title |
| primary_cci | object | Primary CCI used in control tags |
| primary_cci.cci | string | CCI identifier (e.g., "CCI-002235") |
| primary_cci.confidence | number | Confidence score 0.0-1.0 |
| primary_cci.reasoning | string | Why this CCI maps to this safeguard |
| supporting_ccis | array | Additional CCIs for comprehensive coverage |
| nist_control | string | NIST SP 800-53 Rev 5 control (e.g., "AC-6 (5)") |
| coverage_assessment | string | How well CCI/NIST covers the safeguard |
| mapping_status | enum | OFFICIAL, MANUAL, or NOT_MAPPED |
Confidence score ranges:

| Range | Meaning |
|---|---|
| 0.95-1.00 | Exact match — CCI definition directly matches safeguard |
| 0.90-0.94 | Strong match — CCI covers safeguard with minor semantic gaps |
| 0.80-0.89 | Good match — CCI provides solid coverage with some interpretation |
| <0.80 | Not used in this dataset (excluded for quality) |
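As an added example (not code from this repository), the check below validates a mapping file against the field table and confidence ranges above: entry_count, the CCI and NIST control formats, the mapping_status enum, and the 0.80 floor on every primary and supporting CCI. The sample document and its deliberately malformed second entry are constructed, and the rule that a NOT_MAPPED entry carries no CCI to check is an assumption, not something the dataset states.

```python
import re
# Constructed sample in the README's file shape; not a real mapping file.
SAMPLE_FILE = {
    "cis_controls_version": "8",
    "entry_count": 2,
    "mappings": [
        {"cis_id": "5.4", "cis_title": "Restrict Administrator Privileges to Dedicated Administrator Accounts",
         "primary_cci": {"cci": "CCI-002235", "confidence": 0.95, "reasoning": "AC-6(10).1 ..."},
         "supporting_ccis": [{"cci": "CCI-002227", "confidence": 0.90, "reasoning": "AC-6(5).2 ..."}],
         "nist_control": "AC-6 (5)", "mapping_status": "OFFICIAL"},
        # constructed bad entry: malformed CCI, confidence below 0.80, status outside the enum
        {"cis_id": "99.9", "cis_title": "Constructed bad entry",
         "primary_cci": {"cci": "CCI-12", "confidence": 0.50, "reasoning": "n/a"},
         "supporting_ccis": [], "nist_control": "ac6", "mapping_status": "DRAFT"},
    ],
}

CCI_RE = re.compile(r"^CCI-\d{6}$")                   # e.g. CCI-002235
NIST_RE = re.compile(r"^[A-Z]{2}-\d+(?: \(\d+\))?$")  # e.g. AC-6 (5)
STATUSES = {"OFFICIAL", "MANUAL", "NOT_MAPPED"}
MIN_CONFIDENCE = 0.80


def confidence_tier(score):
    """Bucket a score into the README's ranges: exact, strong, good, or excluded (< 0.80)."""
    for floor, tier in ((0.95, "exact"), (0.90, "strong"), (MIN_CONFIDENCE, "good")):
        if score >= floor:
            return tier
    return "excluded"


def validate_mapping_file(doc):
    """Return human-readable problems; an empty list means the file passes."""
    issues = []
    mappings = doc.get("mappings", [])
    if doc.get("entry_count") != len(mappings):
        issues.append(f"entry_count {doc.get('entry_count')} != {len(mappings)} mappings")
    for m in mappings:
        cid = m.get("cis_id", "?")
        if m.get("mapping_status") not in STATUSES:
            issues.append(f"{cid}: mapping_status {m.get('mapping_status')!r} not in enum")
        if m.get("mapping_status") == "NOT_MAPPED":
            continue  # assumption: an unmapped safeguard carries no CCI or control to check
        if not NIST_RE.match(m.get("nist_control", "")):
            issues.append(f"{cid}: malformed nist_control {m.get('nist_control')!r}")
        for c in [m.get("primary_cci", {})] + m.get("supporting_ccis", []):
            if not CCI_RE.match(c.get("cci", "")):
                issues.append(f"{cid}: malformed CCI {c.get('cci')!r}")
            if confidence_tier(c.get("confidence", 0.0)) == "excluded":
                issues.append(f"{cid}: confidence {c.get('confidence')} below {MIN_CONFIDENCE}")
    return issues
```

Run it over `json.load(open('mappings/cis-cci-mapping-v8.json'))` to get the same report for a real file.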
Choose the mapping file that matches your CIS Controls version:

| CIS Controls Version | Mapping File | Use When |
|---|---|---|
| v7.1 | cis-cci-mapping-v7.json | Legacy systems, older compliance requirements |
| v8 | cis-cci-mapping-v8.json | Current CIS Controls implementations |
| v8.1 | cis-cci-mapping-v8.1.json | Latest CIS Controls (June 2024+) |
Important: v7 and v8 mappings are NOT interchangeable. All 124 overlapping safeguards have different CCI assignments between versions. Use the version matching your CIS Controls framework.
For new projects: Use v8 or v8.1 (higher confidence, more precise CCIs).
All mappings independently validated:
- CCI verification: API-validated against DISA CCI database
- Schema compliance: All files validated against JSON Schema
- Confidence threshold: Minimum 0.80 across all 472 mappings
- Independent review: Multiple validation agents confirmed accuracy
See validation reports for:
- v7 completeness validation (20/20 CCI samples verified)
- v8 quality validation (15/15 samples verified)
- Cross-version consistency analysis
| Version | Safeguards | Mapped | Gaps | Avg Confidence |
|---|---|---|---|---|
| v7 | 171 + 1 sentinel | 171 (100%) | 0 | 0.913 |
| v8 | 150 | 150 (100%) | 0 | 0.930 |
| v8.1 | 150 | 150 (100%) | 0 | 0.930 |
Top 5 NIST families:
- SI (System and Information Integrity): 16.0%
- AC (Access Control): 13.3%
- CM (Configuration Management): 12.0%
- SC (System and Communications Protection): 10.7%
- AU (Audit and Accountability): 9.3%
See cross-version analysis for detailed distribution.
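The following added example (not repository code) reproduces the per-version summary table above and the cross-version CCI comparison behind the "not interchangeable" warning, and refuses to look up a safeguard in a file whose cis_controls_version does not match the caller's framework. The two mini mapping files and their CCI/NIST values are constructed for illustration, not taken from the dataset.

```python
from collections import Counter
from statistics import mean

# Constructed mini mapping files in the README's shape (real files hold 150-172 entries);
# the CCI/NIST values are illustrative, not the dataset's actual assignments.
V7 = {"cis_controls_version": "7", "mappings": [
    {"cis_id": "4.3", "primary_cci": {"cci": "CCI-000213", "confidence": 0.90},
     "nist_control": "AC-3", "mapping_status": "OFFICIAL"},
    {"cis_id": "6.2", "primary_cci": {"cci": "CCI-000130", "confidence": 0.92},
     "nist_control": "AU-3", "mapping_status": "OFFICIAL"},
    {"cis_id": "20.1", "primary_cci": {}, "nist_control": "", "mapping_status": "NOT_MAPPED"},
]}
V8 = {"cis_controls_version": "8", "mappings": [
    {"cis_id": "4.3", "primary_cci": {"cci": "CCI-000057", "confidence": 0.95},
     "nist_control": "AC-11", "mapping_status": "OFFICIAL"},
    {"cis_id": "6.2", "primary_cci": {"cci": "CCI-000130", "confidence": 0.92},
     "nist_control": "AU-3", "mapping_status": "OFFICIAL"},
]}

def by_id(doc):
    """Index a mapping file by cis_id."""
    return {m["cis_id"]: m for m in doc["mappings"]}

def coverage_stats(doc):
    """Per-version summary as in the README table: mapped, gaps, average confidence, NIST families."""
    mapped = [m for m in doc["mappings"] if m["mapping_status"] != "NOT_MAPPED"]
    families = Counter(m["nist_control"].split("-")[0] for m in mapped)
    return {
        "safeguards": len(doc["mappings"]),
        "mapped": len(mapped),
        "gaps": len(doc["mappings"]) - len(mapped),
        "avg_confidence": round(mean(m["primary_cci"]["confidence"] for m in mapped), 3),
        "top_families": families.most_common(5),
    }

def cross_version_diff(doc_a, doc_b):
    """Overlapping safeguard IDs whose primary CCI differs between two versions."""
    a, b = by_id(doc_a), by_id(doc_b)
    diffs = []
    for cis_id in sorted(a.keys() & b.keys()):
        cci_a = a[cis_id]["primary_cci"].get("cci")
        cci_b = b[cis_id]["primary_cci"].get("cci")
        if cci_a != cci_b:
            diffs.append((cis_id, cci_a, cci_b))
    return diffs

def lookup(doc, framework_version, cis_id):
    """Fetch a safeguard's mapping, refusing a file built for a different CIS Controls version."""
    if doc["cis_controls_version"] != framework_version:
        raise ValueError(f"file is for CIS v{doc['cis_controls_version']}, not v{framework_version}")
    return by_id(doc)[cis_id]
```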
Tag InSpec controls with CCI/NIST for STIG-ready output:

```ruby
tag cci: ['CCI-002235']
tag nist: ['AC-6 (5)']
```

Other uses:
- Map CIS benchmarks to CCIs for XCCDF checklists used in DISA STIGs.
- Generate OSCAL control mappings for FedRAMP/RMF compliance.
- Cross-reference CIS Controls coverage with NIST 800-53 baselines.
- Generate eMASS-ready documentation with proper CCI attributions.
Mappings were created through:
- Semantic analysis of CIS safeguard requirements
- NIST control matching based on control statements and supplemental guidance
- CCI lookup via cyber.trackr.live API for authoritative DISA CCI data
- Expert review for edge cases and manual overrides
- Independent validation via multiple verification agents
All primary CCIs use the first assessment procedure (e.g., AC-6.1) to ensure foundational coverage.
See METHODOLOGY.md for detailed mapping process.
We welcome contributions! See CONTRIBUTING.md for:
- Reporting incorrect mappings
- Proposing new CCI assignments
- Adding supporting CCIs
- Updating for new CIS Controls versions
Found a mapping that doesn't look right? Open an issue with:
- CIS Controls version and safeguard ID
- Current CCI/NIST mapping
- Proposed correction with reasoning
- Link to CCI API verification
Apache License 2.0. See LICENSE and NOTICE.
- CIS Controls: Center for Internet Security (CIS)
- CCI Database: Defense Information Systems Agency (DISA)
- NIST SP 800-53: National Institute of Standards and Technology (NIST)
- API Provider: cyber.trackr.live
This is an independent mapping effort. Not endorsed by or affiliated with CIS, DISA, or NIST.
- MITRE SAF Team — InSpec profile development and CCI/NIST expertise
- cyber.trackr.live — CCI API for authoritative DISA data
- CIS Security — CIS Controls framework
- MITRE SAF — Security Automation Framework
- InSpec — Compliance testing framework
- Heimdall — Security results visualization
- SAF CLI — Security automation utilities
- Aaron Lippold (@aaronlippold) - MITRE SAF Team
See CHANGELOG.md for release notes.
Current Release: v1.0.0 (2026-02-12)
- Initial release with v7, v8, v8.1 mappings
- 472 total CIS safeguard → CCI/NIST mappings
- Independent validation with 100% CCI API verification