CIS Control 2: Inventory and Control of Software Assets
Deep Dive: Detailed guidance on tracking and managing software assets, framed within the broader CIS Critical Security Controls v8.
As a foundational pillar of the CIS Critical Security Controls Version 8 framework, CIS Control 2: Inventory and Control of Software Assets provides the blueprint for actively managing all software on the network. This involves inventorying, tracking, and correcting operating systems and applications to ensure that only authorized software can execute, while unauthorized or unmanaged software is immediately identified and prevented from running.
While CIS Control 1: Inventory and Control of Enterprise Assets ensures we know where our physical and virtual devices are, Control 2 ensures we know exactly what is running on them.
Why is this Control Critical?
A complete and highly accurate software inventory is a critical foundation for preventing cyberattacks. Threat actors continuously scan target enterprises looking for vulnerable versions of software that can be remotely exploited. For example, if a user opens a malicious website with an outdated, vulnerable browser, an attacker can silently compromise the endpoint.
Without a definitive list of authorized applications, security teams cannot effectively patch systems, monitor for unauthorized modifications, or prevent the execution of malicious payloads. This control acts as the primary enabler for CIS Control 7: Continuous Vulnerability Management.
Deep Dive: Safeguards for Software Management
The safeguards in Control 2 scale across Implementation Groups (IG1, IG2, and IG3), progressing from basic manual tracking to advanced, cryptographically enforced allowlisting.
Foundational Inventory and Hygiene (IG1, IG2, IG3)
- 2.1 Establish and Maintain a Software Inventory: Enterprises must maintain a detailed ledger of all licensed and installed software. At a minimum, this inventory must document the title, publisher, initial install/use date, and business purpose for each entry. Where appropriate, it should also include the app store URL, specific version numbers, deployment mechanism, and decommission dates. This list must be reviewed and updated bi-annually.
- 2.2 Ensure Authorized Software is Currently Supported: Software that has reached End-of-Life (EOL) or is otherwise unsupported by the vendor is a severe liability. Security teams must verify software support status at least monthly. Any unsupported software must be designated as unauthorized unless explicitly tied to a documented exception.
- 2.3 Address Unauthorized Software: Once identified, unauthorized software must be systematically removed from enterprise assets or granted a formal, documented exception. This removal process should be reviewed at least monthly to ensure compliance drift does not occur.
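The three IG1 safeguards above describe a bookkeeping loop: a register of authorized software with required fields (2.1), a periodic support-status check with documented exceptions (2.2), and a reconciliation that flags anything installed but not authorized (2.3). The following Python script is an added example, not part of the CIS document or any CIS tool; the register fields mirror the attributes named in Safeguard 2.1, the six-month review interval and the sample assets, titles and dates are all constructed for illustration, and the exception mechanism is one way of recording the documented-exception requirement.

```python
"""Reconcile discovered software against the authorized register (Safeguards 2.1-2.3).

Added example with constructed sample data; not CIS-provided code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class AuthorizedEntry:
    """One row of the Safeguard 2.1 register; field names follow the control text."""
    title: str
    publisher: str
    version: str
    install_date: date
    business_purpose: str
    supported_until: Optional[date]            # vendor support end; None = still supported
    exception_expires: Optional[date] = None   # documented exception for unsupported software


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    version: str
    status: str   # "ok", "ok-exception", "unsupported" or "unauthorized"


def reconcile(register: List[AuthorizedEntry],
              discovered: List[Tuple[str, str, str]],
              today: date) -> List[Finding]:
    """discovered = (asset, title, version) tuples as an inventory agent would report them."""
    index = {(e.title, e.version): e for e in register}
    findings = []
    for asset, title, version in discovered:
        entry = index.get((title, version))
        if entry is None:
            status = "unauthorized"                       # Safeguard 2.3: remove or except
        elif entry.supported_until is None or entry.supported_until >= today:
            status = "ok"
        elif entry.exception_expires is not None and entry.exception_expires >= today:
            status = "ok-exception"                       # Safeguard 2.2: documented exception
        else:
            status = "unsupported"                        # EOL with no (valid) exception
        findings.append(Finding(asset, title, version, status))
    return findings


def review_due(last_reviewed: date, today: date, interval_days: int = 182) -> bool:
    """Safeguard 2.1 asks for at least a bi-annual review; 182 days is an assumed cut-off."""
    return today - last_reviewed > timedelta(days=interval_days)


# Constructed sample register and agent output (not real systems).
TODAY = date(2025, 6, 1)
REGISTER = [
    AuthorizedEntry("Acme Browser", "Acme Software", "120.0", date(2024, 3, 4), "Web access", None),
    AuthorizedEntry("LegacyHMI", "Widgets Inc", "3.1", date(2016, 9, 1), "Plant floor control",
                    supported_until=date(2020, 1, 1), exception_expires=date(2025, 12, 31)),
    AuthorizedEntry("OldPDF Reader", "PDFco", "9.0", date(2019, 5, 20), "Document viewing",
                    supported_until=date(2022, 1, 1)),
]
DISCOVERED = [
    ("WS-001", "Acme Browser", "120.0"),
    ("OT-PLC-07", "LegacyHMI", "3.1"),
    ("WS-002", "OldPDF Reader", "9.0"),
    ("WS-002", "RandomTool", "1.0"),
]

if __name__ == "__main__":
    for f in reconcile(REGISTER, DISCOVERED, TODAY):
        print(f"{f.asset:10} {f.title:15} {f.version:6} {f.status}")
    print("register review overdue:", review_due(date(2024, 10, 1), TODAY))
```

Matching on (title, version) rather than title alone is deliberate: an authorized product at an unsupported version is exactly the case Safeguard 2.2 wants surfaced, and an exception that carries an expiry date forces the monthly re-check the text requires instead of becoming permanent.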
Automation and Technical Enforcement (IG2, IG3)
- 2.4 Utilize Automated Software Inventory Tools: Relying on manual spreadsheets is highly error-prone. Organizations in IG2 and IG3 must utilize automated software inventory tools (such as unified endpoint management systems or dedicated discovery agents) to continuously poll enterprise assets and dynamically update the software registry.
- 2.5 Allowlist Authorized Software: Moving beyond detection, teams must use technical controls to prevent unauthorized applications from executing. Application allowlisting (using tools like Windows Defender Application Control or AppLocker) ensures that only explicitly trusted executables can run. This requires bi-annual reassessment to ensure the allowlist does not become bloated or obsolete.
- 2.6 Allowlist Authorized Libraries: Attackers often bypass executable restrictions by hijacking legitimately running processes using malicious libraries. IG2 and IG3 organizations must allowlist specific shared libraries (e.g., .dll, .ocx, .so files), actively blocking unauthorized libraries from loading into system processes.
- 2.7 Allowlist Authorized Scripts: Required only for IG3 (highly mature environments), this safeguard dictates the use of technical controls, such as digital signatures, to ensure only authorized scripts (e.g., PowerShell, Python, Bash) can execute.
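Safeguards 2.5 through 2.7 all reduce to the same decision: given something about to execute or load, does an allow rule cover it, and if not, block it. Products such as WDAC and AppLocker express those rules by publisher, file hash or path. The Python evaluator below is an added example written for this page, not code from CIS, Microsoft or any allowlisting product; the rule types, the default-deny order, the sample policy, paths and artifacts are all constructed, and it assumes the `signer` field has already been validated by whatever component checks the digital signature.

```python
"""Default-deny allowlist evaluator for executables, libraries and scripts (Safeguards 2.5-2.7).

Added example with a constructed policy; not vendor or CIS code.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Artifact:
    kind: str              # "exe", "lib" or "script"
    path: str
    sha256: str            # hex digest of the file contents
    signer: Optional[str]  # publisher from an already-validated signature; None if unsigned


@dataclass(frozen=True)
class Rule:
    kind: str    # artifact kind the rule applies to
    match: str   # "publisher", "hash" or "path"
    value: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def rule_matches(rule: Rule, art: Artifact) -> bool:
    if rule.kind != art.kind:
        return False
    if rule.match == "hash":
        return rule.value == art.sha256
    if rule.match == "publisher":
        return art.signer is not None and rule.value == art.signer
    if rule.match == "path":
        return art.path.lower().startswith(rule.value.lower())
    return False


def decide(rules: List[Rule], art: Artifact) -> Tuple[str, Optional[Rule]]:
    """Default deny: an artifact runs or loads only if some rule of its kind matches."""
    for rule in rules:
        if rule_matches(rule, art):
            return "allow", rule
    return "deny", None


# Constructed policy. Scripts are allowed by hash only, so only the exact reviewed
# content may run; this stands in for the signing requirement of Safeguard 2.7.
APPROVED_SCRIPT = b"Get-Service | Where-Object Status -eq 'Running'\n"
POLICY = [
    Rule("exe", "publisher", "Contoso Corp"),
    Rule("exe", "path", "C:\\Program Files\\Acme\\"),
    Rule("lib", "publisher", "Contoso Corp"),           # Safeguard 2.6: libraries too
    Rule("script", "hash", sha256_hex(APPROVED_SCRIPT)),
]

# Constructed artifacts: a signed vendor binary, an unsigned library dropped in a
# user-writable temp folder, the approved script, and an edited copy of it.
SAMPLES = [
    Artifact("exe", "C:\\Program Files\\Contoso\\tool.exe", sha256_hex(b"tool bytes"), "Contoso Corp"),
    Artifact("lib", "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll", sha256_hex(b"unknown"), None),
    Artifact("script", "C:\\Ops\\audit.ps1", sha256_hex(APPROVED_SCRIPT), None),
    Artifact("script", "C:\\Ops\\audit.ps1", sha256_hex(APPROVED_SCRIPT + b"# edited\n"), None),
]


def evaluate_all(rules: List[Rule], arts: List[Artifact]) -> List[str]:
    return [decide(rules, a)[0] for a in arts]


if __name__ == "__main__":
    for art, verdict in zip(SAMPLES, evaluate_all(POLICY, SAMPLES)):
        print(f"{verdict:5} {art.kind:6} {art.path}")
```

Two design points carry over to real deployments: a path rule is only as strong as the ACLs on that path (a directory users can write to should never be allowlisted), and a publisher rule is only as strong as the signature validation that produced the `signer` value, which is why the example treats that value as input rather than computing it.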
Practical Examples and Edge Cases
Handling Legacy Systems: A common edge case involves legacy software required for mission-critical operations (e.g., an outdated operating system running an industrial control system). Under Safeguard 2.2, this software is unsupported and technically "unauthorized." To handle this, security teams must document a formal exception detailing mitigating controls (such as aggressive network segmentation or air-gapping) and secure executive sign-off for residual risk acceptance.
Browser Extensions and Plugins: A frequent blind spot in software inventories is web browser extensions. While not standalone desktop applications, malicious or vulnerable extensions possess deep system access. Your automated inventory tools (Safeguard 2.4) should be configured to query and report on installed browser extensions, which should be subjected to the same allowlisting standards.
Interoperability with Other CIS Controls
Effective software asset management does not exist in a vacuum. It integrates heavily with several other CIS Controls:
- CIS Control 4: Secure Configuration of Enterprise Assets and Software: Once you know what software is installed (Control 2), you must ensure it is securely configured (Control 4).
- CIS Control 10: Malware Defenses: Application allowlisting (Safeguards 2.5 - 2.7) is one of the most effective strategies for neutralizing malware execution, directly complementing traditional anti-malware solutions.
- CIS Control 16: Application Software Security: For software developed internally rather than purchased, tracking deployment and lifecycle phases natively supports secure application development requirements.