Last month I sat across from the owner of a mid-size manufacturing shop in Newburgh. He had a folder on his desk with two printouts: the NIST Cybersecurity Framework and a summary of CIS Controls. His IT person had recommended one, his insurance broker had mentioned the other, and he wanted to know which one to actually do. "I have 65 employees, Jim. I don't have a security team. I just need to know where to start."
That conversation happens more than you'd think across the Hudson Valley. From Kingston to Poughkeepsie, Middletown to Beacon, SMBs are getting squeezed from every direction: cyber insurance questionnaires demanding evidence of controls, contracts with downstate firms requiring security attestations, and a general awareness that ransomware doesn't care whether you have 60 employees or 6,000. The question isn't whether you need a framework. It's which one gets you protected fastest with the staff and budget you actually have.
For most sub-100-employee firms in our region, the answer is CIS Controls v8.1, Implementation Group 1. Here's why, and here's how to get it done.
What CIS Controls v8.1 Actually Is
The Center for Internet Security (CIS) maintains a set of 18 top-level security controls, each broken into specific sub-controls called Safeguards. Version 8.1, the current release, organizes these Safeguards into three Implementation Groups based on organizational size and risk profile.
Implementation Group 1 (IG1) is what CIS calls "essential cyber hygiene." It contains 56 Safeguards drawn from across all 18 Controls. These 56 items represent the minimum set of actions any organization should take, regardless of size. They assume you have limited IT expertise, no dedicated security staff, and a constrained budget. In other words, they assume you're a typical Hudson Valley SMB.
Implementation Group 2 (IG2) adds 74 more Safeguards aimed at organizations with moderate risk exposure and some dedicated IT staff. IG3 adds another 23 Safeguards for organizations handling sensitive data or facing sophisticated adversaries. IG2 and IG3 are cumulative—they include everything from the group below them.
CIS Controls vs. NIST CSF: When to Use Which
NIST's Cybersecurity Framework (CSF 2.0) is an excellent tool. It organizes security thinking into six Functions—Govern, Identify, Protect, Detect, Respond, Recover—and provides a common vocabulary for talking about risk. But CSF is intentionally non-prescriptive. It tells you what to think about, not what to do. For a firm with a CISO and a security team, that flexibility is valuable. For a manufacturing owner in Newburgh with one IT generalist, it's paralyzing.
CIS Controls are prescriptive. Safeguard 1.1 says "Establish and Maintain Detailed Enterprise Asset Inventory." It tells you to build a specific thing, maintain it on a specific cadence, and produce a specific artifact you can show to an auditor or insurer.
The two frameworks map cleanly onto each other. CIS publishes a mapping showing which Controls satisfy which CSF Subcategories. If a contract requires NIST CSF alignment, completing CIS IG1 gets you substantial coverage across all six Functions. But the work itself is easier to plan and execute when you're following CIS.
Use CIS Controls IG1 as your operational roadmap—the tasks your people actually perform. Use NIST CSF as your communication framework when you need to speak the language of risk management with boards, insurers, or enterprise customers.
The 56 IG1 Safeguards, Grouped by Priority
Walking through all 56 Safeguards individually would fill a book. Instead, let's group them by the order a sub-100-employee firm should tackle them, prioritized by the threats I see hitting Hudson Valley businesses hardest: ransomware via phishing, compromised credentials, and unpatched internet-facing systems.
Priority 1: Know What You Have (Controls 1 and 2)
Control 1 (Enterprise Asset Inventory) and Control 2 (Software Asset Inventory) are where everything starts. You cannot protect what you haven't identified. IG1 asks you to maintain a detailed inventory of every device—workstations, servers, laptops, mobile devices, network equipment—and every piece of software installed on them. Track which are authorized and investigate anything that isn't.
For a 40- to 80-person firm, this doesn't require expensive tooling. A well-maintained spreadsheet updated quarterly can satisfy the Safeguard. If you're running Microsoft 365 Business Premium or a similar endpoint management solution, you likely have asset data already; it just needs to be exported and reviewed. The point is accountability: someone in your organization owns this list and verifies it regularly.
Priority 2: Lock Down Access (Controls 5 and 6)
Control 5 (Account Management) and Control 6 (Access Control Management) address who can log into what. IG1 Safeguards here include establishing a process for granting and revoking access, requiring unique credentials for every user, disabling dormant accounts, and restricting admin privileges to dedicated admin accounts. The single most impactful sub-control in this group is Safeguard 6.5: require multi-factor authentication (MFA) for all externally-exposed applications and remote access.
If you do nothing else from this entire blog post, turn on MFA everywhere. For Hudson Valley firms using Microsoft 365, Google Workspace, or any cloud-based line-of-business application, enabling MFA eliminates the vast majority of credential-based attacks. It is the single highest-ROI security action a small business can take.
Priority 3: Patch and Configure (Controls 4 and 7)
Control 4 (Secure Configuration of Enterprise Assets and Software) and Control 7 (Continuous Vulnerability Management) address the state of your systems. IG1 requires you to establish secure configuration baselines for your operating systems, applications, and network devices—and to run a process for deploying security patches on a regular cadence.
For most SMBs, this means ensuring Windows Update is actually working across all machines, that firewall firmware is current, and that default passwords have been changed on every device. It means establishing a monthly patching window and tracking which machines received updates and which didn't. The Safeguards don't demand a commercial vulnerability scanner at IG1 level; they demand a process and evidence that the process runs.
Priority 4: Protect Data and Recover (Controls 3 and 11)
Control 3 (Data Protection) and Control 11 (Data Recovery) cover what happens to your information and how you get it back after an incident. IG1 Safeguards ask you to establish a data management process, encrypt data on end-user devices, and maintain regular automated backups with tested recovery procedures.
The backup requirement is straightforward but often poorly executed. IG1 expects automated backups of in-scope data, stored in a way that a ransomware infection on your network cannot reach them (air-gapped or immutable cloud storage), and tested at least annually by performing an actual restore. A backup you've never tested is not a backup. It's a hope.
Priority 5: Defend the Perimeter and Endpoints (Controls 8, 9, and 10)
Control 8 (Audit Log Management), Control 9 (Email and Web Browser Protections), and Control 10 (Malware Defenses) round out the technical core. At IG1, these Safeguards ask you to collect and retain audit logs, deploy DNS filtering and email security to block known malicious content, and run anti-malware software on all endpoints with centralized management.
Many Hudson Valley businesses already have pieces of this in place—Defender for Business, a Fortinet or SonicWall with content filtering, or a managed DNS service. The gap is usually in log retention and in centralized endpoint management (knowing that every laptop, including the one the sales rep uses from home, is actually reporting in).
Priority 6: Awareness, Incident Response, and the Rest (Controls 12–18)
The remaining Controls at IG1 level address security awareness training (Control 14), service provider management (Control 15), and incident response (Control 17). Safeguard 14.1 requires a security awareness program. Safeguard 17.1 requires a designated person responsible for incident handling. These are organizational rather than technical, and they matter.
Controls 12, 13, 15, 16, and 18 have fewer IG1 Safeguards but still include important items: ensuring network devices are securely configured, maintaining an inventory of service providers who handle sensitive data, and keeping application software current.
The Free CIS CSAT Tool: Your Self-Assessment Starting Point
CIS provides a free tool called the CIS Controls Self-Assessment Tool (CSAT) that lets you evaluate your current state against any Implementation Group. CSAT is a web-hosted survey that walks you through each Safeguard, lets you rate your current implementation status, and generates a report showing your coverage gaps.
Here's how to use it effectively. Register for a free CIS account and access CSAT through the CIS website. Select CIS Controls v8.1, scope your assessment to IG1, then sit down with your IT lead (or your managed service provider) and answer honestly. For each Safeguard, CSAT asks whether you've implemented it, partially implemented it, or not addressed it. Don't inflate your scores. The value is in identifying gaps, not generating a flattering report.
CSAT produces a scored report showing your IG1 coverage by Control and overall. That report becomes the starting artifact in your evidence pack and the basis for your remediation roadmap. Most firms I work with in the Hudson Valley score between 30% and 55% on their first IG1 assessment—which is fine. The point is to establish a baseline and improve from it.
Building Your Evidence Pack
Whether you're satisfying a cyber insurance questionnaire or responding to a vendor security assessment, you'll need evidence that your controls are in place. Here's what a solid IG1 evidence pack looks like.
| Evidence Artifact | Relevant CIS Controls | Description | Update Cadence |
|---|---|---|---|
| CSAT Assessment Report | All 18 Controls | Scored output from CIS CSAT showing IG1 Safeguard implementation status, gap analysis, and trend over time | Quarterly |
| Enterprise Asset Inventory | Control 1 | Spreadsheet or system export listing all hardware assets: device name, type, owner, IP/MAC, OS version, location, authorization status | Monthly review, quarterly full audit |
| Software Inventory | Control 2 | List of all authorized software titles, versions, and license status; process for approving new software | Monthly review |
| Secure Configuration Baselines | Controls 4, 12 | Documented standard configurations for workstations, servers, firewalls, and wireless access points; evidence of deployment via Group Policy, MDM, or manual checklist | Reviewed semi-annually |
| Patch Management Report | Control 7 | Monthly report showing patch compliance rates across endpoints and servers; list of exceptions with remediation timelines | Monthly |
| Access Control Review | Controls 5, 6 | Roster of all user accounts, privilege levels, and MFA status; record of terminated-user access revocation; admin account inventory | Quarterly |
| Backup and Recovery Test Log | Control 11 | Documentation of backup configuration, retention policy, offsite/immutable storage, and results of most recent restore test | Backup daily; restore test semi-annually |
| Security Awareness Training Records | Control 14 | Training completion records for all employees, phishing simulation results, and annual training plan | Training annually; phishing simulations quarterly |
| Incident Response Plan | Control 17 | Written plan identifying response team, communication procedures, containment steps, and contact information for legal, insurance, and forensics resources | Reviewed annually; updated after each incident |
| Service Provider Inventory | Control 15 | List of all third-party vendors with access to company data or systems, including their security responsibilities and contractual obligations | Reviewed annually |
You don't need to produce all of these on day one. The table above represents your target state. Build them incrementally as you work through your implementation roadmap.
Your 30/60/90-Day IG1 Implementation Roadmap
Days 1–30: Foundation and Quick Wins
Start with your CSAT self-assessment. Block two to three hours with your IT lead and complete it honestly. The output gives you your gap list and baseline score. Simultaneously, tackle quick wins: enable MFA on Microsoft 365 (or whatever your primary cloud platform is), verify that backups are running with at least one target unreachable by ransomware, and confirm endpoint protection is deployed on every company-owned device.
During this first month, also compile your initial asset inventory. Export device lists from your endpoint management tool, your DHCP server, and your Active Directory. Merge them into a single tracked document. It won't be perfect. That's fine. The goal is a first draft you can refine.
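Here is what that merge step looks like in practice, as an added example that is not part of the original post. It takes three constructed CSV exports standing in for an endpoint management console, a DHCP lease table, and an Active Directory computer list, normalizes the MAC and hostname formatting that always differs between tools, combines them into one inventory, and flags exactly the items Control 1 and Priority 5 care about: devices not on the authorized list, devices with no endpoint agent, and managed devices that have stopped reporting in. The column names, the authorized-device set, and the 30-day staleness threshold are assumptions for the demonstration.

```python
"""Merge three device exports into one asset inventory and flag the gaps.

Added example (not from the original post). The CSV text below is
constructed sample data standing in for real exports from an endpoint
management console, a DHCP lease table and Active Directory; the column
names, the authorized-device list and the 30-day staleness threshold are
all assumptions for the demonstration.
"""
import csv
import io
from datetime import date

# Constructed sample exports. Note the inconsistent MAC and hostname
# formatting, which is typical of real exports and must be normalized.
ENDPOINT_MGMT_CSV = """hostname,mac,os,last_checkin,owner
NB-LAPTOP-01,AA:BB:CC:00:00:01,Windows 11 23H2,2025-01-14,jsmith
NB-CNC-PC,aa-bb-cc-00-00-02,Windows 10 22H2,2024-11-02,shopfloor
NB-SRV-FILE,AA:BB:CC:00:00:03,Windows Server 2022,2025-01-15,it
"""
DHCP_LEASES_CSV = """ip,mac,hostname
10.10.1.21,AA:BB:CC:00:00:01,NB-LAPTOP-01
10.10.1.22,AA:BB:CC:00:00:02,NB-CNC-PC
10.10.1.40,AA:BB:CC:00:00:04,nb-laptop-07
10.10.1.77,DE:AD:BE:EF:00:01,android-8f2c
"""
AD_COMPUTERS_CSV = """name,os,last_logon
NB-LAPTOP-01,Windows 11 Pro,2025-01-14
NB-LAPTOP-07,Windows 11 Pro,2025-01-13
NB-SRV-FILE,Windows Server 2022,2025-01-15
NB-OLD-PC,Windows 7 Professional,2023-06-01
"""
# Devices the owner has approved (constructed; in practice a column in the sheet).
AUTHORIZED = {"NB-LAPTOP-01", "NB-CNC-PC", "NB-SRV-FILE", "NB-LAPTOP-07"}
STALE_DAYS = 30                 # assumption: silent this long = "not reporting in"
AS_OF = date(2025, 1, 16)       # constructed review date


def norm_mac(mac):
    return mac.strip().replace("-", ":").upper()


def norm_host(name):
    return name.strip().upper()


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_inventory(endpoint_csv, dhcp_csv, ad_csv, authorized, today):
    """Return {HOSTNAME: record}; each record lists the sources that saw
    the device and the review flags someone must act on."""
    inv = {}

    def rec(host):
        return inv.setdefault(host, {
            "hostname": host, "mac": None, "ip": None, "os": None,
            "owner": None, "sources": set(),
            "authorized": host in authorized, "flags": []})

    for row in read_csv(endpoint_csv):
        r = rec(norm_host(row["hostname"]))
        r["mac"], r["os"], r["owner"] = norm_mac(row["mac"]), row["os"], row["owner"]
        r["sources"].add("endpoint_mgmt")
        age = (today - date.fromisoformat(row["last_checkin"])).days
        if age > STALE_DAYS:
            r["flags"].append(f"not reporting to endpoint management for {age} days")

    for row in read_csv(ad_csv):
        r = rec(norm_host(row["name"]))
        r["os"] = r["os"] or row["os"]
        r["sources"].add("active_directory")

    # DHCP is matched on MAC first, then hostname. A lease that matches
    # neither is the "what is this on my network?" case.
    by_mac = {r["mac"]: r for r in inv.values() if r["mac"]}
    for row in read_csv(dhcp_csv):
        mac = norm_mac(row["mac"])
        r = by_mac.get(mac) or rec(norm_host(row["hostname"]))
        r["mac"], r["ip"] = r["mac"] or mac, row["ip"]
        r["sources"].add("dhcp")

    for r in inv.values():
        if not r["authorized"]:
            r["flags"].append("not on authorized list; investigate")
        if "endpoint_mgmt" not in r["sources"]:
            r["flags"].append("no endpoint management agent")
    return inv


def gap_report(inv):
    """Hostnames that need a decision at the monthly review, sorted."""
    return sorted(h for h, r in inv.items() if r["flags"])


def run_sample():
    return build_inventory(ENDPOINT_MGMT_CSV, DHCP_LEASES_CSV, AD_COMPUTERS_CSV,
                           AUTHORIZED, AS_OF)


if __name__ == "__main__":
    inventory = run_sample()
    for host in sorted(inventory):
        r = inventory[host]
        print(f"{host:14} {r['ip'] or '-':12} {','.join(sorted(r['sources'])):32} "
              f"{'; '.join(r['flags']) or 'OK'}")
```

On the constructed data the report surfaces four decisions: an unknown Android device on DHCP, a shop-floor PC whose agent went quiet months ago, a laptop in AD that never got the endpoint agent, and a Windows 7 object still sitting in the directory. Swap the embedded CSV strings for your real exports and the same logic becomes the monthly review that the evidence pack asks for.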
Days 31–60: Core Controls Build-Out
In the second month, focus on access control hygiene and patching. Audit all user accounts: disable dormant ones, verify that admin privileges are limited to people who genuinely need them using separate admin accounts, and document your access provisioning and de-provisioning process, even if it's a one-page checklist.
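The account audit described above, written out as an added example that is not part of the original post. It runs the four checks a quarterly access review needs over a constructed roster export: accounts of terminated users that are still enabled, dormant accounts, admin rights sitting on a day-to-day account instead of a dedicated one, and enabled accounts with no MFA. The column names, the "-adm" suffix convention for dedicated admin accounts, the HR termination list, and the 45-day dormancy threshold are assumptions for the demonstration.

```python
"""Quarterly account review: terminated, dormant, admin and MFA checks.

Added example (not from the original post). The roster below is
constructed sample data standing in for an export of your directory or
identity provider; the column names, the "-adm" naming convention for
dedicated admin accounts, the HR termination list and the 45-day
dormancy threshold are assumptions for the demonstration.
"""
import csv
import io
from datetime import date

ACCOUNTS_CSV = """username,enabled,last_logon,account_type,is_admin,mfa_enrolled
jsmith,true,2025-01-15,user,false,true
jsmith-adm,true,2025-01-10,admin,true,true
mgarcia,true,2024-09-30,user,false,false
mgarcia-adm,true,2024-10-01,admin,true,true
rlee,true,2025-01-14,user,true,true
svc-backup,true,2025-01-15,service,false,false
tbrown,true,2025-01-12,user,false,true
"""
TERMINATED = {"mgarcia"}        # constructed: names HR says have left
DORMANT_DAYS = 45               # assumption: disable after 45 days idle
ADMIN_SUFFIX = "-adm"           # assumption: dedicated admin accounts end in -adm
AS_OF = date(2025, 1, 16)       # constructed review date


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_true(value):
    return value.strip().lower() == "true"


def review_accounts(roster_csv, terminated, today):
    """Return {username: [findings]} for every enabled account that needs action.

    Disabled accounts are skipped: the review is about what can still log in.
    """
    findings = {}
    for row in read_csv(roster_csv):
        if not is_true(row["enabled"]):
            continue
        name, kind = row["username"], row["account_type"]
        # Tie a dedicated admin account back to the person who owns it.
        owner = name[:-len(ADMIN_SUFFIX)] if name.endswith(ADMIN_SUFFIX) else name
        issues = []
        if owner in terminated:
            what = "admin account of" if name != owner else "account of"
            issues.append(f"{what} terminated user {owner} is still enabled")
        idle = (today - date.fromisoformat(row["last_logon"])).days
        if idle > DORMANT_DAYS:
            issues.append(f"dormant: {idle} days since last logon")
        if is_true(row["is_admin"]) and kind != "admin":
            issues.append("admin rights on a day-to-day account; move them to a separate admin account")
        # Service accounts cannot complete interactive MFA; they get reviewed
        # separately for where they may log in from, so skip the MFA check here.
        if kind != "service" and not is_true(row["mfa_enrolled"]):
            issues.append("MFA not enrolled")
        if issues:
            findings[name] = issues
    return findings


def run_sample():
    return review_accounts(ACCOUNTS_CSV, TERMINATED, AS_OF)


if __name__ == "__main__":
    for user, issues in run_sample().items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

The output is the "Access Control Review" artifact from the evidence pack in raw form: keep each quarter's findings alongside the ticket or note recording what was done about them, and the terminated-user entries double as your record of access revocation.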
Establish a formal patching cadence. For most SMBs, this means weekly automatic Windows updates with a monthly compliance review, plus quarterly firmware reviews on network equipment. Track what was patched, when, and which machines remain non-compliant.
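To make "track what was patched, when, and which machines remain non-compliant" concrete, here is an added example (not part of the original post) that turns a constructed per-machine status export into the monthly Patch Management Report from the evidence pack: compliance rates per device class and overall, plus an exception list with a remediation due date for each machine. The column names, the 30-day compliance window, the zero-pending rule, and the 14-day remediation deadline are assumptions for the demonstration.

```python
"""Monthly patch compliance report with an exception list and due dates.

Added example (not from the original post). The status table below is
constructed sample data standing in for what your update tool or RMM
exports; the column names, the 30-day compliance window, the zero-pending
rule and the 14-day remediation deadline are assumptions for the
demonstration.
"""
import csv
import io
from datetime import date, timedelta

PATCH_STATUS_CSV = """hostname,class,last_successful_update,pending_security_updates
NB-LAPTOP-01,workstation,2025-01-09,0
NB-LAPTOP-07,workstation,2025-01-10,1
NB-CNC-PC,workstation,2024-10-15,6
NB-SRV-FILE,server,2025-01-12,0
NB-SRV-ERP,server,2024-11-20,3
"""
WINDOW_DAYS = 30                  # assumption: monthly cadence = updated within 30 days
MAX_PENDING = 0                   # assumption: no outstanding security updates allowed
REMEDIATION_DAYS = 14             # assumption: exceptions get two weeks to be fixed
REPORT_DATE = date(2025, 1, 16)   # constructed report date


def read_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def patch_report(status_csv, report_date):
    """Return compliance rates per class and overall, plus the exception list.

    rates: {class: (compliant, total, percent)}
    exceptions: [{"hostname", "class", "reasons", "due"}]
    """
    counts = {}
    exceptions = []
    for row in read_csv(status_csv):
        cls = row["class"]
        age = (report_date - date.fromisoformat(row["last_successful_update"])).days
        pending = int(row["pending_security_updates"])
        reasons = []
        if age > WINDOW_DAYS:
            reasons.append(f"last successful update {age} days ago")
        if pending > MAX_PENDING:
            reasons.append(f"{pending} security update(s) pending")
        ok = not reasons
        c, t = counts.get(cls, (0, 0))
        counts[cls] = (c + ok, t + 1)
        if not ok:
            exceptions.append({"hostname": row["hostname"], "class": cls, "reasons": reasons,
                               "due": report_date + timedelta(days=REMEDIATION_DAYS)})
    rates = {cls: (c, t, round(100 * c / t, 1)) for cls, (c, t) in counts.items()}
    c_all = sum(c for c, _ in counts.values())
    t_all = sum(t for _, t in counts.values())
    rates["overall"] = (c_all, t_all, round(100 * c_all / t_all, 1)) if t_all else (0, 0, 0.0)
    return {"report_date": report_date, "rates": rates, "exceptions": exceptions}


def run_sample():
    return patch_report(PATCH_STATUS_CSV, REPORT_DATE)


if __name__ == "__main__":
    rep = run_sample()
    print(f"Patch compliance as of {rep['report_date']}")
    for cls, (c, t, pct) in rep["rates"].items():
        print(f"  {cls:12} {c}/{t} ({pct}%)")
    print("Exceptions (remediate by due date or document a risk acceptance):")
    for e in rep["exceptions"]:
        print(f"  {e['hostname']:12} due {e['due']}  {'; '.join(e['reasons'])}")
```

The shop-floor CNC machine in the sample is the realistic case: it may never be patchable on a normal cadence, and the report's job is to keep it visible as a documented exception with an owner and a date rather than letting it silently disappear from the compliance number.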
This is also the month to deploy DNS filtering if you haven't already. Cisco Umbrella or Cloudflare Gateway can be configured in under an hour and provide meaningful protection against phishing and malware at the network level.
Days 61–90: Documentation, Training, and Process
The final month is about closing organizational gaps. Write your incident response plan—for a sub-100-employee firm, five to eight pages covering roles, communication chains, containment procedures, and vendor contacts is sufficient. Make sure your team knows it exists and where to find it.
Launch your security awareness program. A quarterly thirty-minute training session using free or low-cost tools from KnowBe4 or CIS's own awareness resources works well. Add quarterly phishing simulations for measurable data on employee resilience.
Compile your service provider inventory. List every vendor that touches your data or connects to your network: your MSP, payroll provider, cloud application vendors, even the copier company if they have network access. Document what data they access and what security commitments they've made.
Finally, re-run CSAT. Compare your 90-day score to your baseline and document the improvement. Set targets for the next quarter. IG1 compliance is not a one-time project; it's an ongoing operational discipline. But by the end of 90 days, you'll have a defensible security posture, a stack of evidence artifacts, and a clear story to tell your insurer, your customers, and yourself.