GRCWatch
Sign inStart free trial

CIS Control 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients

Outdated or unsupported browsers and email clients expose your organization to known vulnerabilities and security gaps. CIS Control 9.1 requires enforcing the use of only fully supported, vendor-maintained applications to minimize attack surface. This control is critical for preventing exploitation through compromised software components.

What this means

CIS Control 9.1 mandates that enterprises deploy only browsers and email clients that receive active vendor support and security updates. This means blocking or disabling legacy or end-of-life software, enforcing the latest stable versions across all users, and maintaining a whitelist of approved applications. Unsupported software cannot receive security patches, leaving your organization vulnerable to publicly disclosed exploits.

How to comply

  1. 1.Identify all browsers and email clients currently in use across your enterprise
  2. 2.Determine vendor support status and end-of-life dates for each application
  3. 3.Establish a policy allowing only fully supported versions (e.g., Chrome, Firefox, Edge, Outlook, Thunderbird latest versions)
  4. 4.Configure endpoint management tools to block or disable unsupported applications
  5. 5.Implement automatic updates to ensure users always run the latest stable version
  6. 6.Create a whitelist of approved browsers and email clients in your security controls
  7. 7.Document exceptions and require security review for any deviations
  8. 8.Audit compliance monthly and generate reports for your audit trail

Evidence auditors look for

  • Endpoint security policy document listing only supported browsers and email clients
  • Configuration screenshots showing blocked or disabled legacy applications
  • Mobile device management (MDM) rules enforcing approved browsers on mobile devices
  • Automated update logs confirming latest versions deployed across devices
  • Whitelist of approved applications in your endpoint protection platform
  • Compliance audit report showing 100% enforcement across user devices
  • Change management records documenting version updates and approvals
  • User communication confirming policy rollout and approved application list

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates CIS 9.1 compliance by continuously monitoring deployed browser and email client versions, flagging unsupported applications, and generating audit-ready evidence reports—eliminating manual version tracking and enforcement overhead.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Control 2.1 — Inventory and Control of Software AssetsCIS Control 4.1 — Establish and Maintain a Secure Configuration BaselineCIS Control 10.2 — Configure Log Settings on Devices