NSAuditor AI Enterprise Edition 0.13.0 is live, extending compliance evidence coverage to CIS Critical Security Controls v8 — the sixth supported framework in the platform’s one-scan workflow alongside SOC 2 (AICPA TSC 2017), HIPAA Security Rule §164.312, NIST Cybersecurity Framework 2.0, PCI DSS v4.0.1, and ISO/IEC 27001:2022.
What ships in this release
CIS Controls v8, published by the Center for Internet Security in May 2021 with v8.1 errata in June 2024, organizes defensive practice as 18 Controls and 153 Safeguards. NSAuditor AI EE maps coverage at the per-Safeguard level because that is the atomic, attestable unit — coverage is claimed per Safeguard and the Control-level roll-up is derived from those claims, never the other way around. The matrix at ship is 17 covered + 21 partial + 115 out of scope.
Implementation Group cumulative discipline
CIS v8’s three Implementation Groups (IG1, IG2, IG3) are explicitly cumulative. NSAuditor AI EE enforces that structure in the renderer:
- IG1: 56 Safeguards — the cyber-insurance baseline. Approximately 50–70% of mid-market cyber-insurance policies require IG1 attestation as a coverage prerequisite, so an IG1 gap is reported as a commercial-impact finding rather than a purely technical control gap.
- IG2 cumulative: 130 Safeguards (IG1 plus 74 IG2-only).
- IG3 cumulative: 153 Safeguards (IG2 plus 23 IG3-only).
The IG Coverage Summary in every CIS report uses the cumulative denominators, so partial IG1 coverage is visibly weighted against the IG2 and IG3 substrate — reports never claim “IG2 74-of-74” in isolation.
No certification body
Unlike ISO 27001, which is assessed by ISO/IEC 17021-1 accredited certification bodies, or PCI DSS, which is assessed by Qualified Security Assessors, CIS Controls has no formal certification body. EE 0.13.0 surfaces this with an explicit Attestation Discipline section in every CIS report: engine output is an INPUT to one of three paths: CSAT / CIS-CAT Pro Assessor self-attestation, a SOC 2 auditor cross-validating CIS scope, or CIS-SecureSuite peer review. The word “certified” is intentionally never used in a CIS context.
Cloud Companion Guide and Hardened-Image credit
Every in-scope Safeguard carries a shared-responsibility-model tag per the CIS Cloud Companion Guide v8, distinguishing operator, cloud-provider, and shared responsibilities. Safeguards 4.1, 4.2, and 4.6 additionally credit operators running CIS-Hardened-Images on AWS, Azure, or GCP — the report differentiates organizations that inherit a CIS-published baseline from those that built their own configuration set.
Five Security Functions, not six
CIS v8 organizes its Safeguards across five Security Functions (Identify, Protect, Detect, Respond, Recover). It does not include the Govern function, which is unique to NIST CSF 2.0. Reports are explicit about this so the two frameworks are not conflated when both are run in the same scan.
One-scan hexa-framework workflow
The CLI accepts CIS v8 as a first-class target in the multi-framework flag:
nsauditor-ai scan <target> --compliance soc2,hipaa,nist-csf,pci-dss,iso-27001,cis-v8
One run produces six separate evidence packs, each rendered with framework-specific cover-page sections. All five prior framework coverage matrices are unchanged in this release; the CIS Controls v8 introduction is additive-only.
The full coverage matrix, per-Safeguard tables, sector-baseline pairings (MS-ISAC / EI-ISAC / H-ISAC), and v7.1-to-v8 cross-reference are documented on the CIS Controls v8 landing page. NSAuditor AI EE remains local-first — all evidence is generated inside the operator’s infrastructure with zero data exfiltration.
Install: npm install -g nsauditor-ai @nsasoft/nsauditor-ai-ee



