I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure grammar is accurate.
*This is Week 2 of the Community Tools series — free and low-cost resources built for Iowa’s small municipalities, school districts, and local governments. Week 1 covered CISA’s CSET tool.*
You run IT for a school district, a small city, or a county office. You probably handle everything — the printers, the email accounts, the phones, the website — and now people expect you to handle cybersecurity, too. Maybe you have a part-time help desk tech. Maybe it’s just you.
You’re not looking for an enterprise security program. You’re looking for a list. Something that tells you: here’s what actually matters, do these things first.
That’s exactly what CIS Controls Implementation Group 1 is.
What Are the CIS Controls?
The CIS Controls are a set of 18 security categories developed by the Center for Internet Security, a nonprofit that works directly with federal agencies, state governments, and organizations like CISA and the MS-ISAC. These aren’t invented in a boardroom. They’re built from real-world attack data, refined over years, and updated as threats evolve.
The controls are organized into three tiers, called Implementation Groups (IG1, IG2, IG3), based on the amount of IT expertise and resources an organization has.
IG1 is the starting tier. It’s designed specifically for small-to-medium organizations with limited cybersecurity expertise. The people who built IG1 described it this way: implementable with limited cybersecurity expertise, aimed at thwarting general attacks, designed to work with off-the-shelf hardware and software.
That’s your school district. That’s your city hall. That’s your county office.
IG1 gives you 56 safeguards across the 18 control categories. Not 56 complicated projects — 56 specific, actionable steps. The kind of steps that make a real difference.
Why 56 Safeguards, Not 18?
Each of the 18 CIS Controls is a category of things like “Inventory and Control of Enterprise Assets” or “Data Recovery.” Inside each category are individual safeguards: specific things you do. IG1 pulls out the most essential safeguards from each category and gives you a focused list to work from.
You don’t need to implement all 18 controls to completion before moving on. IG1 tells you: in each area, start here.
The Safeguards That Matter Most for Small Iowa Orgs
Rather than dump all 56 on you, here are the ones that show up in the most incidents affecting small organizations, and the ones you should tackle first.
1. Know What Devices Are on Your Network (Control 1)
You can’t protect what you don’t know you have. IG1 asks you to maintain a basic inventory of all devices connected to your network. That means computers, servers, printers, access points, and anything else with an IP address.
This doesn’t require expensive software. A spreadsheet works. The point is knowing what’s there so you can notice when something unexpected shows up.
2. Know What Software Is Installed (Control 2)
Same idea, applied to software. IG1 asks for a basic inventory of what’s installed on your systems. Unapproved or unknown software is one of the most common ways attackers gain a foothold, either because a staff member installed something unsafe or because an attacker installed something and nobody noticed.
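Here is what “notice when something unexpected shows up” looks like in practice for both Control 1 and Control 2. This is an added example, not code from the article or from CIS. The inventory CSVs and the “observed” lists are constructed sample data; in a real office the observed devices would come from a network scan export and the observed software from an endpoint report, and the inventories would be the spreadsheets you already keep.

```python
"""Reconcile a device or software inventory against what is actually observed.

Added example (not from the CIS Controls or the article). The inventory CSV
text and the "observed" lists are constructed sample data; in practice the
observed lists come from a network scan export or an installed-software
report, and the inventories are the spreadsheets the article suggests keeping.
"""
import csv
import io
from typing import Dict, List, Set

# Constructed sample: the device spreadsheet (Control 1).
DEVICE_INVENTORY_CSV = """\
mac,hostname,owner,location
00:11:22:33:44:01,hs-lib-printer,Library,High School
00:11:22:33:44:02,do-fileserver,IT,District Office
00:11:22:33:44:03,ms-ap-1,IT,Middle School
"""

# Constructed sample: MAC addresses seen on the network this week.
OBSERVED_DEVICES = ["00:11:22:33:44:01", "00:11:22:33:44:03", "AA:BB:CC:DD:EE:FF"]

# Constructed sample: approved software list (Control 2) and what one endpoint reports.
APPROVED_SOFTWARE_CSV = """\
name,approved_by
Google Chrome,IT
Microsoft Office,IT
Adobe Acrobat Reader,IT
"""
OBSERVED_SOFTWARE = ["Google Chrome", "Microsoft Office", "TotallyFreeScreenRecorder"]


def load_inventory(csv_text: str, key_column: str) -> Dict[str, dict]:
    """Parse a CSV inventory into {key: row}, normalising the key column for comparison."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row[key_column].strip().lower(): row for row in rows}


def reconcile(inventory: Dict[str, dict], observed: List[str]) -> Dict[str, Set[str]]:
    """Compare observed items to the inventory.

    unknown - observed but not in the inventory (investigate these first)
    missing - in the inventory but not observed (retired, stolen, or just offline?)
    """
    seen = {item.strip().lower() for item in observed}
    known = set(inventory)
    return {"unknown": seen - known, "missing": known - seen}


def report(label: str, result: Dict[str, Set[str]]) -> List[str]:
    """Turn a reconcile() result into plain-language lines for a ticket or email."""
    lines = []
    for item in sorted(result["unknown"]):
        lines.append(f"[{label}] UNKNOWN: {item} was observed but is not in the inventory")
    for item in sorted(result["missing"]):
        lines.append(f"[{label}] MISSING: {item} is in the inventory but was not observed")
    return lines


if __name__ == "__main__":
    devices = reconcile(load_inventory(DEVICE_INVENTORY_CSV, "mac"), OBSERVED_DEVICES)
    software = reconcile(load_inventory(APPROVED_SOFTWARE_CSV, "name"), OBSERVED_SOFTWARE)
    for line in report("devices", devices) + report("software", software):
        print(line)
```

Run it on a schedule (weekly is plenty for a small org) and the “UNKNOWN” lines are your to-do list: each one is either a device or program you forgot to record, or something that should not be there.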
3. Keep Software Updated (Control 7)
Patching is the single highest-return security activity for most small organizations. The majority of successful attacks exploit vulnerabilities that already have patches available, and attackers know that small organizations often fall behind on updates.
IG1 calls for automated patch management for operating systems and applications where possible. For a small org, that means making sure Windows Update is actually running, and that you have a process to push updates to all machines, not just the ones you happen to walk past.
4. Protect Administrative Accounts (Control 5)
Admin accounts are the keys to everything. IG1 requires MFA (multi-factor authentication) for all administrative accounts. If an attacker gets into an admin account, they can do almost anything — create new accounts, turn off security tools, access sensitive data, and lock you out.
MFA stops credential theft attacks cold. Even if a password is stolen, MFA means the attacker still can’t get in without the second factor. This is non-negotiable.
5. Limit Who Has Admin Access (Control 5 + 6)
Every person with admin rights is a potential entry point. IG1 calls for using dedicated admin accounts only when admin tasks are actually being performed, not as everyday accounts. It also calls for disabling or removing accounts that are no longer in use.
In a small school or city office, it’s common to find old employee accounts still active, or for everyone in IT to be running as a local admin all day long. Both are unnecessary risks.
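Both of those problems are easy to spot from a plain user export, and here is an added example of doing so (not code from the article or from CIS). The CSV below is constructed sample data in a simple shape (username, admin flag, last logon date, logons in the last 30 days); your directory or identity platform’s user report will have different column names, so adjust the parser. The 45-day and 20-logon thresholds are assumptions to tune for your environment.

```python
"""Review an account export for dormant accounts and everyday use of admin accounts.

Added example, not from the article or the CIS Controls. The export is
constructed sample data; in practice it is a user report from your directory
or identity platform. The thresholds are assumptions to tune locally.
"""
import csv
import io
from datetime import date, timedelta
from typing import Dict, List

# Constructed sample export.
ACCOUNT_EXPORT_CSV = """\
username,is_admin,last_logon,logon_count_30d
jsmith,no,2025-01-10,22
adm-jsmith,yes,2025-01-09,3
retired-teacher,no,2024-06-30,0
itadmin,yes,2025-01-11,25
"""

TODAY = date(2025, 1, 12)        # fixed date so the example is reproducible
DORMANT_DAYS = 45                # assumption: unused for 45+ days -> disable or remove
EVERYDAY_USE_LOGONS = 20         # assumption: >20 logons in 30 days looks like a daily-driver account


def parse_export(csv_text: str) -> List[Dict]:
    """Turn the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "username": row["username"].strip(),
            "is_admin": row["is_admin"].strip().lower() == "yes",
            "last_logon": date.fromisoformat(row["last_logon"].strip()),
            "logon_count_30d": int(row["logon_count_30d"]),
        })
    return rows


def dormant_accounts(rows: List[Dict], today: date = TODAY, days: int = DORMANT_DAYS) -> List[str]:
    """Accounts with no logon in the last `days` days; old employee accounts show up here."""
    cutoff = today - timedelta(days=days)
    return sorted(r["username"] for r in rows if r["last_logon"] < cutoff)


def everyday_admin_accounts(rows: List[Dict], threshold: int = EVERYDAY_USE_LOGONS) -> List[str]:
    """Admin accounts used so often they are probably someone's everyday login."""
    return sorted(r["username"] for r in rows if r["is_admin"] and r["logon_count_30d"] > threshold)


def review(csv_text: str = ACCOUNT_EXPORT_CSV) -> Dict[str, List[str]]:
    """Run both checks and return the findings by category."""
    rows = parse_export(csv_text)
    return {"dormant": dormant_accounts(rows), "everyday_admin": everyday_admin_accounts(rows)}


if __name__ == "__main__":
    for category, names in review().items():
        for name in names:
            print(f"{category}: {name}")
```

In the sample, `adm-jsmith` is the pattern you want: a separate admin account used three times in a month, for admin tasks only. `itadmin` with 25 logons is someone running as admin all day, and `retired-teacher` is the account that should have been disabled months ago.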
6. Back Up Your Data (Control 11)
Ransomware is the most common threat to small government and school networks. The entire leverage of ransomware is that attackers encrypt your data and hold recovery hostage. If you have recent, tested backups stored somewhere the ransomware can’t reach, their leverage disappears.
IG1 calls for automated backups of critical data, stored separately from the primary environment, and tested regularly. “Tested regularly” is the part most organizations skip. An untested backup is just an assumption.
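“Tested regularly” can be automated, too. The script below is an added example (not from the article or from CIS) of a restore test: it builds a throwaway folder of constructed files, backs it up to an archive, restores that archive into a separate folder, and verifies every restored file’s SHA-256 hash against the manifest recorded at backup time. All paths are temporary directories created on the fly, so it runs anywhere without touching real data; point `create_backup` at a real folder and keep the manifest next to the archive to use it for real.

```python
"""Run an automated restore test against a backup archive and verify every file.

Added example, not from the article or the CIS Controls. Source files are
constructed sample data written into a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under source and return the manifest to keep alongside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, restore_dir: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Extract the archive and compare what came back with the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # The "data" filter (Python 3.12+) refuses entries that would write outside restore_dir.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **extra)
    restored = build_manifest(restore_dir)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "extra": sorted(set(restored) - set(manifest)),
        "corrupt": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
    }


def run_restore_test(simulate_bad_restore: bool = False) -> Dict[str, List[str]]:
    """End-to-end test: back up constructed files, restore them, report discrepancies."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, archive, restore_dir = root / "source", root / "backup.tar.gz", root / "restore"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "budget.csv").write_text("dept,amount\nroads,120000\n")  # constructed
        (source / "README.txt").write_text("constructed sample data\n")
        manifest = create_backup(source, archive)
        restore_dir.mkdir()
        if simulate_bad_restore:
            # Pretend README.txt did not come back intact, to show the check catches it.
            manifest["README.txt"] = "0" * 64
        return restore_and_verify(archive, restore_dir, manifest)


if __name__ == "__main__":
    result = run_restore_test()
    print("backup verified" if not any(result.values()) else f"PROBLEMS: {result}")
```

An empty result means every file in the manifest came back byte-for-byte; anything in `missing` or `corrupt` means the backup would not have saved you, which is exactly what you want to learn before ransomware does.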
7. Protect Your Email (Control 9)
Phishing is still the number-one delivery mechanism for attacks against small organizations. IG1 calls for email filtering to block malicious links and attachments before they reach inboxes, and for anti-spoofing configurations (like SPF, DKIM, and DMARC) to make it harder for attackers to impersonate your domain.
Most email platforms, such as Microsoft 365 and Google Workspace, have these features built in. They need to be turned on and configured correctly.
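“Configured correctly” is where SPF and DMARC usually go wrong, so here is an added example (not from the article or from CIS) that checks the published records for the settings that leave spoofing possible: an SPF record ending in `+all` or `?all` (or with no `all` at all), too many DNS-lookup terms, and a DMARC policy of `p=none` with no reporting address. The records are constructed sample strings for a placeholder domain, shown weak and then hardened; in practice you would fetch the TXT records for your domain and `_dmarc.<your domain>`. DKIM is not checked here because its selector names are provider-specific.

```python
"""Check SPF and DMARC TXT records for the weak settings that let spoofing through.

Added example, not from the article or the CIS Controls. The records are
constructed sample strings for a placeholder domain; in practice you would
look up the TXT records for your domain and _dmarc.<your domain>.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a domain with two common misconfigurations.
WEAK_RECORDS = {
    "example.org": "v=spf1 include:spf.protection.outlook.com +all",
    "_dmarc.example.org": "v=DMARC1; p=none;",
}
# The same domain after fixing what the check flags.
HARDENED_RECORDS = {
    "example.org": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example.org": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org; pct=100",
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _term_name(term: str) -> str:
    return re.split(r"[:/=]", term.lstrip("+-~?"), 1)[0].lower()


def check_spf(record: Optional[str]) -> List[str]:
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record; mail from any host passes without an SPF failure"]
    terms = record.split()
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif all_term in ("+all", "all"):
        findings.append("SPF: '+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and gives receivers nothing to act on; use ~all or -all")
    lookups = sum(1 for t in terms[1:] if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10; receivers treat this as a permanent error")
    return findings


def check_dmarc(record: Optional[str]) -> List[str]:
    if not record or not record.upper().startswith("V=DMARC1"):
        return ["DMARC: no record; spoofed mail that fails SPF/DKIM is still delivered"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject once reports look clean")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag; the record is not actionable")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports showing who sends as you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def audit(records: Dict[str, Optional[str]], domain: str) -> List[str]:
    """Run both checks for a domain given its TXT records keyed by name."""
    return check_spf(records.get(domain)) + check_dmarc(records.get(f"_dmarc.{domain}"))


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(f"== {label} ==")
        for finding in audit(records, "example.org") or ["no findings"]:
            print(" ", finding)
```

The weak records produce three findings; the hardened ones produce none. The usual path is to publish DMARC at `p=none` with an `rua=` address first, read the reports for a few weeks to catch legitimate senders you forgot about, then move to `quarantine` and finally `reject`.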
Why IG1 Is Right for Iowa SLTT Organizations
IG1 was designed for organizations that are exactly where most Iowa school districts, municipalities, and county offices are: limited budgets, no dedicated security staff, and technology that must stay operational above all else.
The framework is also recognized by the two organizations most relevant to Iowa SLTT orgs. CISA references CIS Controls as a foundational framework for improving cybersecurity posture. The MS-ISAC, which serves state and local governments, has built guidance around CIS Controls IG1 as essential cyber hygiene.
For organizations that need to demonstrate security posture to state agencies, grant reviewers, or insurance carriers, IG1 provides a recognized, documented standard. It’s not just good security practice — it’s a defensible baseline.
How to Get Started
The full CIS Controls v8 guide is available for free download at cisecurity.org/controls. No vendor demo, no sales call required.
When you open the guide, look for the IG1 column in the safeguard tables. Every safeguard tagged IG1 is on your list. Start with the ones above — assets, patching, admin accounts, backups, and email. Build from there.
If you want to see exactly which safeguards apply to IG1 without digging through the full document, the CIS Controls Navigator lets you filter by implementation group.
You don’t have to finish all 56 at once. Pick three. Document what you did. Move to the next three. That’s how this works in the real world.
If you found this useful, follow NGCC on LinkedIn for more plain-language security guidance built for Iowa’s smaller organizations. Next week in the Community Tools series, we’ll cover another free resource that belongs in every SLTT toolkit.
Jose Caro is the founder of Nueva Guardia Cyber Consulting (NGCC) and an Information Security Analyst based in Iowa. He serves as a Staff Sergeant in the Iowa Army National Guard and advocates for underrepresented communities in cybersecurity.
