Documentation Index

Fetch the complete documentation index at: https://kb.northerndatasolutions.com/llms.txt

Use this file to discover all available pages before exploring further.

CIS-8.1.2.5 — Allowlist Authorized Software

  • Published on May 3, 2026
  • 6 minute(s) read
  • CT
 Prev Next

CIS-8.1.2.5 — Allowlist Authorized Software

Domain: CIS Control 2  |  Safeguard: CIS-8.1.2.5  |  Asset Class: Software  |  Security Function: Protect  |  Source: CIS Controls v8.1.2 (March 2025)

Implementation Groups:

IG1IG2IG3

Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently.

Executive Summary (For Leadership and the Board)

CIS Safeguard CIS-8.1.2.5 sits inside Control 2 (Software / Protect) and reads: Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. The Safeguard is most rigorously expected at IG3 (Audience: organizations with sensitive data and regulatory exposure (CMMC L2, ITAR, PCI Level 1, regulated FSI). Implementation cost: high; full DevSecOps, mature SOC, threat modeling, red-teaming.) Mature programs treat this as a measured, recertified, and audit-evidenced control rather than a one-time configuration. The Safeguard maps to NIST SP 800-53 Rev. 5 CM-7 (Least Functionality), CM-10/11 (Software Usage / User-Installed Software), SI-7 (Integrity) and to NIST CSF 2.0 ID.AM, PR.PS (Platform Security).

Under CIS Controls v8.1.2 (March 2025), Safeguard CIS-8.1.2.5 is one of the Safeguards a CIS-CSAT self-assessment, internal audit, or third-party validator will examine because it directly affects the integrity of software-class controls across the program. Leadership and the board should be asking: Who owns the control? When was it last validated end-to-end? What is the maximum tolerable detection-to-remediation gap, and what does our remediation plan look like when drift is detected? Failing this Safeguard cascades — every dependent Safeguard in the same Control family inherits the failure.

Business Question

What Leadership Must Confirm

Do we know every piece of software on every enterprise asset, including open-source dependencies and SaaS tools?

An authoritative software inventory exists, includes SBOM data, and is reconciled to endpoint and CI/CD telemetry on a defined cadence.

Are unsupported, unauthorized, or end-of-life software titles flagged and removed within an SLA?

A documented EOL/EOS process, a named owner, and ticketed remediation actions are in place.

Can we demonstrate which software is approved versus discovered-but-unapproved, and prove ongoing enforcement?

Allow-listing, denylisting, or attestation evidence is captured in a tooling export with timestamps.

Can we prove this Safeguard to a CIS-CSAT auditor or regulator?

The evidence package — software policy, SBOMs, allow-list config, exception tickets — is mapped directly to this Safeguard.

Executive Risk Lens: Verizon DBIR and Mandiant M-Trends reporting consistently identifies software-class control gaps as a leading enabler of ransomware lateral movement, supply-chain compromise, and undetected dwell time. A mature program treats Safeguard CIS-8.1.2.5 as one of the early indicators of overall control health, because dependent Safeguards inherit its quality.

How Protect Should Flow

CIS-8.1.2.5 — Allowlist Authorized Software Lifecycle

1. AuthorizeProtect stage2. ConfigureProtect stage3. EnforceProtect stage4. VerifyProtect stage5. RecertifyProtect stage

Every step produces audit evidence the CIS-CSAT or external auditor will request. Source of truth: authoritative system-of-record (HRIS, IdP, CMDB, GRC).

Technical Deep Dive (For Engineers, IAM Admins, and ISSOs)

What the Safeguard Requires

CIS Safeguard CIS-8.1.2.5 maps to NIST SP 800-53 Rev. 5 CM-7 (Least Functionality), CM-10/11 (Software Usage / User-Installed Software), SI-7 (Integrity); NIST CSF 2.0 ID.AM, PR.PS (Platform Security). CIS Controls v8.1.2 splits the parent Control into discrete Safeguards; CIS-8.1.2.5 is the specific Safeguard requiring that Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed. Reassess bi-annually, or more frequently. To pass — with artifacts — the implementation must demonstrate:

  • Maintain an authoritative software inventory across endpoints, servers, containers, and SaaS — including version and license posture.

  • Capture SBOM data for first-party and critical third-party packages; reconcile to runtime telemetry monthly.

  • Enforce an allow-list (or risk-based deny-list) for tier-0 systems and CMMC L2 / PCI-scoped environments.

  • Implement EOL/EOS detection with documented remediation SLA per criticality tier.

  • Block unauthorized installation paths via OS hardening (App Locker, Gatekeeper, MDM payloads).

  • Align records to NIST SP 800-53 CM-7/10/11 and SI-7 fields for multi-framework audits.

  • Pipe inventory data into vulnerability and configuration management Safeguards (Control 2 / 7 / 16).

  • Designate a named control owner with documented review cadence and exception process.

Evidence Package the Auditor Will Request

Artifact

Where It Lives

Common Gotchas

Software Inventory Export

Endpoint mgmt / SCCM / Intune / JAMF

Shadow IT and SaaS not represented; version data missing.

SBOM for First-Party and Critical Vendors

CI/CD pipeline / SCA tool (Snyk, Black Duck, Sonatype)

SBOMs not generated for legacy apps; no third-party inclusion.

Allow-List / Deny-List Configuration

AppLocker / WDAC / OS hardening MDM payload

Bypass paths via PowerShell, scripting hosts; user-mode admin.

Patch / EOL Remediation Tickets

ITSM with SLA tracking

EOL software running past EOL date with no exception ticket.

Policy & Owner Sign-Off

GRC / SSP module

No named owner; software policy stale or undocumented.

Reference Architecture

Reference Architecture — Software Asset Class

Software InvLayer 1SBOM SourceLayer 2Allow-List EngineLayer 3Patch MgmtLayer 4GRC / SSPLayer 5

All control telemetry and configuration state must terminate in the GRC / SSP record-of-truth where the named control owner can produce evidence on demand.

Real-World Examples

Unmonitored Open-Source Library. A logging library with a critical RCE was deployed across 14 microservices. Without an SBOM, the security team could not confirm exposure during the 24 hours after disclosure. Cyberwatch identified the gap; CaaS rebuilt SBOM coverage.

Shadow SaaS Discovery. Marketing teams adopted three SaaS tools handling regulated customer data; none were in the software inventory. A CASB rollout (Cyberwatch Advanced) onboarded them under SSO and applied DLP.

EOL Database Engine on Production. A production MySQL engine ran 14 months past EOL because the upgrade ticket was never assigned an owner. The vCSO instituted an EOL-tracker dashboard and tied owner attestation to the recertification campaign.

How Northern Data Solutions Helps You Implement CIS-8.1.2.5

Service

What It Does for CIS-8.1.2.5

Cyberwatch — Risk Identification

Third-party SBOM verification, dependency-vulnerability validation, and shadow-IT enumeration to confirm the software inventory is real.

Cyberwatch Advanced

Allow-listing config, secret-scanning, attack-surface visibility, and security-training attestation for the developer population that maintains this software.

Compliance-as-a-Service

Software inventory and SBOM evidence mapped to CIS-CSAT and multi-framework controls in the GRC tool.

vCSO

Owns the SDLC policy, signs off on exceptions to allow-listing, and presents the software-risk profile to leadership.

How we engage: A typical Northern Data Solutions program for this Safeguard begins with a Cyberwatch baseline assessment (1-3 weeks), followed by a Compliance-as-a-Service onboarding into our GRC tooling, with the vCSO running the recertification cadence and presenting residual risk to your leadership team. For Cyberwatch Advanced clients, the relevant tooling — CyberSecureID adaptive MFA, PAM, attack-surface visibility, and security-training attestation — is integrated as part of the same engagement.

External References & Authoritative Sources

Are You Ready for the Audit? — 10-Point Readiness Check

  1. There is a named control owner accountable for CIS-8.1.2.5 in the SSP / GRC tool.

  2. A documented policy and review cadence for CIS-8.1.2.5 exists and is current.

  3. Tooling enforcement is in place and reconciled to authoritative sources.

  4. Evidence is exportable on demand: configurations, reports, exception tickets, and reconciliation logs.

  5. Detection-to-remediation SLA is documented and trended.

  6. Exceptions follow a documented process with vCSO sign-off.

  7. Telemetry is retained per policy and reviewed on a documented cadence.

  8. The Safeguard is mapped to NIST SP 800-53 and (where in scope) CMMC, FTC Safeguards, PCI, and HIPAA controls.

  9. Sibling Safeguards in the same Asset Class are in scope and tracked together.

  10. The board / leadership have visibility into residual risk via vCSO reporting.

Ready to operationalize CIS-8.1.2.5?

Schedule a Cyberwatch baseline engagement with the Northern Data Solutions vCSO. We will validate your current state against this Safeguard, build the evidence package, and align it to the rest of your CMMC, FTC Safeguards, PCI v4, or HIPAA program through Compliance-as-a-Service.

Contact: northerndatasolutions.com/contact

Tags: CIS-8.1.2.5, cis-controls, cis-v8-1, ig3, control-2, asset-class-software, function-protect

Related articles