GRCWatch
Sign inStart free trial

CIS Control 12.2: Establish and Maintain a Secure Network Architecture

Network architecture is the foundation of your security posture. CIS Control 12.2 requires you to design and maintain networks that enforce segmentation, apply least privilege principles, and ensure availability—preventing lateral movement and limiting breach impact.

What this means

Secure network architecture protects assets by controlling how systems and users connect. This control mandates three core elements: network segmentation (isolating critical systems), least privilege access (restricting unnecessary connections), and availability (ensuring authorized users can access resources). Together, these reduce your attack surface and contain breaches to isolated network zones.

How to comply

  1. 1.Map your current network topology and identify critical assets, data flows, and trust boundaries
  2. 2.Implement network segmentation using VLANs, firewalls, or zero-trust architecture to separate high-value systems
  3. 3.Define least privilege access rules—block all traffic by default, then explicitly allow only necessary connections between network segments
  4. 4.Configure network monitoring to detect unauthorized access attempts and anomalous traffic patterns
  5. 5.Test failover and redundancy mechanisms to ensure critical services remain available during incidents
  6. 6.Document network architecture diagrams, access control lists, and security policies for audit purposes
  7. 7.Review and update network rules quarterly or when business requirements change

Evidence auditors look for

  • Network topology diagrams showing segmentation boundaries and trust zones
  • Firewall rule documentation with business justifications for each allow rule
  • VLAN configuration records and routing policies restricting inter-segment traffic
  • Zero-trust architecture implementation (micro-segmentation, identity-based access)
  • Network access control (NAC) policies and enforcement logs
  • Load balancer and redundancy configurations for availability
  • Change logs for network rule additions, deletions, and modifications
  • Network traffic analysis reports showing segmentation enforcement

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically catalogs your network configuration, tracks firewall rule changes in real-time, and flags over-permissive access controls—eliminating manual reviews and ensuring CIS 12.2 compliance stays current.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS 3.3 — Address Unauthorized SoftwareCIS 6.1 — Establish and Maintain an Inventory of AccountsCIS 6.2 — Ensure Access to Administrative Accounts is Restricted to Dedicated Administrative HostsCIS 12.1 — Establish and Maintain a Security Baseline for Every Hardware DeviceCIS 13.1 — Establish and Maintain a Security Awareness Program