CIS Control 16.11: Leverage Vetted Modules for Application Security
Building custom security components is a leading source of application vulnerabilities. CIS Control 16.11 requires organizations to use vetted, pre-built modules and services for critical security functions—reducing developer burden and minimizing design flaws that attackers exploit.
What this means
This control mandates the use of established, third-party security modules and platform-native features instead of developing custom solutions for identity management, authentication, encryption, and auditing. By relying on vetted components with proven security track records, organizations reduce the attack surface and the likelihood of implementation errors that occur when developers build these complex functions from scratch.
How to comply
- 1.Audit all applications to identify custom-built security components (authentication, encryption, key management, logging).
- 2.Evaluate and select industry-vetted security modules, libraries, and services that meet your security requirements.
- 3.Replace custom implementations with proven third-party solutions where feasible.
- 4.Document all vetted modules used, including version numbers, vendor, and security certifications.
- 5.Establish a process to monitor vendor security updates and patch vetted components promptly.
- 6.Train developers on secure usage of selected modules to prevent misconfiguration.
- 7.Review new applications in development to ensure they use approved vetted modules before deployment.
Evidence auditors look for
- Inventory of all applications with list of security modules used (authentication libraries, encryption frameworks, logging platforms).
- Documentation of module selection criteria and vendor security assessments.
- Configuration standards and secure coding guidelines for each approved module.
- Patch management records showing timely updates to vetted components.
- Code review checklists confirming developers use approved modules, not custom alternatives.
- Training records for development teams on proper module implementation.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically inventories all security modules across your application portfolio and flags outdated or unvetted components, ensuring compliance with CIS 16.11 without manual audits.
See how GRCWatch handles this control automatically
Start free trial