12.1
IG1 IG2 IG3

Ensure Network Infrastructure is Up-to-Date

Asset Type: Network
Security Function: Protect

Description

Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Exploitation of Unpatched Network Device Firmware

Confidentiality

Attackers exploit known vulnerabilities in outdated router, switch, and firewall firmware (such as CVEs in Cisco IOS, Fortinet FortiOS, or Palo Alto PAN-OS) to gain control of network infrastructure and intercept, redirect, or disrupt all traffic flowing through compromised devices.

Network Device Compromise via End-of-Life Software

Integrity

Network infrastructure running end-of-life firmware that no longer receives security patches accumulates exploitable vulnerabilities, and attackers who compromise these devices gain persistent network-level access that is difficult to detect and remediate.

Service Disruption from Unsupported Network Equipment Failure

Availability

Network devices running unsupported software experience stability issues and crashes that cannot be resolved because vendor support has ended, causing unpredictable network outages that affect business operations.

Vulnerabilities (When Safeguard Absent)

Outdated Network Device Firmware Without Update Schedule

Routers, switches, firewalls, and other network devices run firmware versions that are months or years behind current releases, containing known and publicly documented vulnerabilities with no scheduled update cadence.

No Network Infrastructure Software Version Tracking

The organization does not maintain an inventory of network device software versions or track them against vendor support timelines, making it impossible to identify devices running unsupported or vulnerable firmware.
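The Description's monthly version review and the "No Network Infrastructure Software Version Tracking" vulnerability above both come down to the same control: an inventory of device software versions checked against the vendor's latest stable release and end-of-support date. The following script is an added example of such a review, not part of the CIS safeguard text and not any vendor's tooling. The platform names, versions, support dates and device rows are all constructed placeholders; a real run would read the inventory from the organization's CMDB or network management system and the support table from the vendor's published lifecycle notices.

```python
"""Monthly software-currency review for network devices (added example).

Compares each inventoried device against a vendor support table and reports
devices that are unsupported, behind the latest stable release, or overdue
for review. All data below is constructed sample data, not real vendor
lifecycle information.
"""
import csv
import io
import re
from datetime import date

# Constructed support table: platform -> latest stable release and end-of-support
# date (None means still supported with no announced end date). Placeholder values.
SUPPORT_TABLE = {
    "example-router-os":   {"latest": "9.4.2",  "end_of_support": date(2027, 1, 31)},
    "example-switch-os":   {"latest": "15.2.7", "end_of_support": date(2024, 6, 30)},
    "example-firewall-os": {"latest": "7.2.5",  "end_of_support": None},
}

# Constructed device inventory in CSV form; hostnames and versions are placeholders.
INVENTORY_CSV = """hostname,platform,version,last_reviewed
core-rtr-01,example-router-os,9.4.2,2025-03-01
core-rtr-02,example-router-os,9.1.0,2025-03-01
access-sw-07,example-switch-os,15.2.7,2024-12-15
edge-fw-01,example-firewall-os,7.2.5,2025-03-01
lab-sw-01,unknown-os,1.0,2025-03-01
"""

REVIEW_INTERVAL_DAYS = 30          # safeguard: review monthly or more often
REVIEW_DATE = date(2025, 3, 20)    # constructed "today" for the sample run


def version_key(version):
    """Turn a vendor version string into a comparable tuple of integers.

    Anything non-numeric (dots, parentheses, letters) is treated as a separator,
    so "15.2(4)M7" becomes (15, 2, 4, 7). This is a simplification: vendors that
    embed train or build letters with their own ordering need a vendor-specific key.
    """
    return tuple(int(n) for n in re.findall(r"\d+", version))


def review_device(row, today=REVIEW_DATE, support=SUPPORT_TABLE):
    """Return the list of findings for one inventory row; an empty list means compliant."""
    findings = []
    entry = support.get(row["platform"])
    if entry is None:
        # No support-timeline data at all: the tracking gap the safeguard targets.
        return ["no_support_tracking"]
    eos = entry["end_of_support"]
    if eos is not None and eos <= today:
        findings.append("end_of_support")
    if version_key(row["version"]) < version_key(entry["latest"]):
        findings.append("behind_latest")
    last_reviewed = date.fromisoformat(row["last_reviewed"])
    if (today - last_reviewed).days > REVIEW_INTERVAL_DAYS:
        findings.append("review_overdue")
    return findings


def review_inventory(csv_text=INVENTORY_CSV, today=REVIEW_DATE, support=SUPPORT_TABLE):
    """Run review_device over every inventory row; return {hostname: [findings]}."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: review_device(row, today, support) for row in rows}


if __name__ == "__main__":
    for host, findings in review_inventory().items():
        print(f"{host:14} {'OK' if not findings else ', '.join(findings)}")
```

The three finding types map directly onto the page's threat scenarios: `end_of_support` is the end-of-life condition, `behind_latest` is the unpatched-firmware condition, and `review_overdue` or `no_support_tracking` shows the monthly review itself has lapsed. Output of the review is the kind of artifact the Evidence Requirements table asks for under the quarterly technical evidence item.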

Evidence Requirements

Type      | Evidence Item                                                             | Collection Frequency
----------|---------------------------------------------------------------------------|---------------------
Technical | Configuration screenshots or exports showing protection controls enabled  | Captured quarterly
Document  | Procedure documentation for protection measures                           | Reviewed annually
Document  | Governing policy document (current, approved, communicated)               | Reviewed annually