CIS Control 12.3: Securely Manage Network Infrastructure
Network infrastructure is the backbone of your security posture. CIS Control 12.3 requires you to implement version-controlled infrastructure-as-code and secure protocols to prevent unauthorized access and configuration drift. Without proper network management, even strong access controls can be bypassed.
What this means
CIS 12.3 mandates secure management of all network infrastructure through documented, version-controlled configurations and encrypted communication protocols. This means treating your network setup like application code—tracked, reviewed, and auditable—while enforcing encryption standards like SSH and HTTPS across all connections. The goal is eliminating manual, undocumented changes that create security gaps and compliance violations.
How to comply
- 1.Implement infrastructure-as-code (IaC) tools to define all network configurations in version-controlled repositories
- 2.Require SSH (not Telnet) for all remote administrative access to network devices
- 3.Enforce HTTPS across all web applications and APIs; disable HTTP
- 4.Use code review workflows before deploying any network infrastructure changes
- 5.Document and track all network configuration changes with audit trails
- 6.Encrypt all inter-node communication on your network using TLS 1.2 or higher
- 7.Regularly audit network configurations against approved baselines
Evidence auditors look for
- Git repository containing all infrastructure-as-code with commit history and change approvals
- SSH key audit showing no password-based remote access to network devices
- HTTPS certificate inventory and SSL/TLS configuration scan results
- Code review logs demonstrating approval of infrastructure changes before deployment
- Network device configuration exports with timestamps and responsible parties
- Encryption protocol audit confirming TLS 1.2+ for all inter-service communication
- Compliance scan reports showing zero HTTP endpoints in production
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically tracks your infrastructure-as-code repositories, validates SSH/HTTPS enforcement across your network, and flags configuration drift against your approved baselines—eliminating manual audits for CIS 12.3 compliance.
See how GRCWatch handles this control automatically
Start free trial