CIS Control 12.1: Ensure Network Infrastructure is Up-to-Date
Outdated network software is a critical vulnerability vector that attackers exploit daily. CIS Control 12.1 requires you to maintain current software versions and supported NaaS offerings across your infrastructure. This control directly reduces your attack surface and ensures you're protected against known vulnerabilities.
What this means
Network infrastructure must run supported, current software versions to prevent exploitation of known vulnerabilities. This includes on-premises equipment, cloud services, and network-as-a-service solutions. You need a documented process to review software versions at least monthly, identify unsupported releases, and plan timely updates while maintaining system stability.
How to comply
- 1.Inventory all network infrastructure components including routers, switches, firewalls, and NaaS solutions with current version numbers
- 2.Establish a monthly software version review schedule with documented findings and sign-off
- 3.Check vendor support timelines to identify software versions nearing end-of-life
- 4.Create a patching schedule that balances security requirements with operational stability
- 5.Test patches in a non-production environment before production deployment
- 6.Document patch application dates, versions applied, and any rollback incidents
- 7.Maintain a hardware refresh schedule aligned with vendor support windows
Evidence auditors look for
- Software inventory spreadsheet with version numbers and support end dates
- Monthly version review meeting minutes or audit logs
- Vendor support lifecycle documentation for each infrastructure component
- Change management records showing patch deployment dates and versions
- Test environment patch deployment logs prior to production rollout
- Hardware asset register with purchase dates and projected replacement timelines
- Automated scan results showing current software versions across the network
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically discovers your network infrastructure versions, tracks vendor support lifecycles, and alerts you 60 days before end-of-support—turning monthly manual reviews into continuous compliance.
See how GRCWatch handles this control automatically
Start free trial