GRCWatch
Sign inStart free trial

CIS Control 9.3: Maintain and Enforce Network-Based URL Filters

Network-based URL filtering is your first line of defense against employees accessing malicious or unapproved websites. CIS Control 9.3 requires you to deploy and continuously update filters that block known threats and policy-violating content. For SMBs, this control reduces security incidents while demonstrating due diligence to auditors.

What this means

This control requires you to establish and maintain technical controls at the network level that inspect outbound web traffic and prevent connections to dangerous or unauthorized destinations. You can accomplish this through category-based filtering (blocking entire content categories), reputation-based filtering (blocking sites with known malicious activity), or maintained block lists (lists of specific URLs to deny). The filters must be actively updated as new threats emerge and your approved website list evolves.

How to comply

  1. 1.Select and deploy a network-based URL filtering solution (firewall, proxy, or DNS filter) that supports multiple filtering methods
  2. 2.Define filtering policies aligned with your business needs and security requirements
  3. 3.Configure category-based filtering rules to block high-risk content (malware, phishing, illegal material, etc.)
  4. 4.Enable reputation-based filtering using threat intelligence feeds to block newly discovered malicious sites
  5. 5.Maintain and regularly update block lists and approved site lists based on emerging threats
  6. 6.Document your filtering policy, approved exemptions, and the filtering solution's configuration
  7. 7.Review filter logs quarterly and adjust rules based on blocked traffic patterns and false positives
  8. 8.Test filter effectiveness monthly by attempting to access blocked categories and verifying denial

Evidence auditors look for

  • Network firewall or proxy configuration files showing active URL filtering rules
  • Screenshot of filtering console displaying blocked categories (malware, phishing, adult content, etc.)
  • Threat intelligence feed subscription (Cisco Talos, Proofpoint, Fortinet, etc.) with active updates enabled
  • DNS filter logs showing blocked requests to malicious domains in the past 30 days
  • Approved website exception list with business justification for each exemption
  • Monthly filter effectiveness test report documenting blocked sites and policy validation
  • Change log or audit trail showing filter rule updates and policy modifications
  • Employee awareness training acknowledgment covering acceptable use policy tied to URL filtering

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch continuously monitors your firewall and DNS filter logs, automatically compiles blocked traffic reports, and maintains your URL filtering policy documentation—so you have audit-ready evidence ready whenever you need it.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 9.1 — Ensure Use of Web Browsers with Tabbed BrowsingCIS 9.2 — Ensure Web Browser Plugins Are DisabledCIS 9.4 — Restrict Installation of Unnecessary SoftwareCIS 10.1 — Maintain an Inventory of IT AssetsNIST SP 800-53 SI-4 — System Monitoring