Let's start where CIS is strong, because the strength is real and the critique only matters once you grant it.
CIS RAM v2.2 is, at its core, a risk-evaluation and legal-translation layer built on the Duty of Care Risk Analysis standard. Its value is genuine: Risk = Impact × Expectancy, the reasonableness and due-care balancing, the distinction between Safeguard Risk and residual risk, and the "universal translator" between security practitioners, business management, and regulators. When a regulator asks whether you acted as a reasonable person, CIS RAM gives you the machinery to answer. That is not nothing. That is the part most frameworks get wrong, and CIS gets right.
None of what follows touches that layer. The argument is narrower and structural: the layer underneath it — the threat categorization — is missing, and everything CIS RAM builds on top inherits the gap.
01 — THE GAP
CIS has no cause axis. It only has consequences.
Ask CIS RAM what a threat is, and the glossary answers: "A potential or foreseeable event that could compromise the security of information assets." The modeling step then instructs you to "identify threats that may compromise the Confidentiality, Integrity, or Availability" of an asset.
Read that carefully. A threat is defined by the outcome it produces — a compromise of C, I, or A. In Bow-Tie terms, CIS RAM names threats on the consequence side of the pivot. It has no vocabulary for the cause side at all. The frequency input that drives Expectancy — the VCDB / VERIS commonality index — arrives pre-blurred, because VERIS classifies by actor, action, asset, and attribute mixed onto one axis.
You cannot select a Safeguard — a control that acts left of the pivot, before the compromise — coherently when your threat is named by an outcome that lives right of the pivot. The control and the threat are on opposite sides of the causal model. CIS RAM collapses the entire left side into the word "Threat" and anchors everything on the right.
The clearest symptom is the CDM v2.0 Attack Type list used in IG3: Malware, Ransomware, Web Application Hacking, Insider and Privilege Misuse, Targeted Attacks. Five "attack types" on one list — and not one of them shares an axis with the others:
| CDM "Attack Type" | What it actually is | TLCTC |
|---|---|---|
| Malware | A cause cluster | #7 |
| Ransomware | An attack path with a consequence | #1 → #7 + [DRE: Ac] |
| Web App Hacking | An asset-scoped grouping | #2, #1, #3 |
| Insider / Priv. Misuse | Actor label + effect | #1 + effect |
| Targeted Attacks | Intent metadata | orthogonal |
A cause, an outcome-chain, an asset class, an actor label, and an intent label — presented as peers. They are neither mutually exclusive nor collectively exhaustive. This is precisely the conflation that makes coherent risk assessment structurally impossible: when "ransomware" is a threat type sitting next to "malware," the commonality engine double-counts the same underlying #7 cause every time it appears inside a named campaign.
CIS RAM measures control effectiveness against threats it defines by their effects. The unit it counts and the unit it controls are not the same unit.
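The double-count is easy to make visible with a few tallies. The block below is an added example written for this critique, not code from CIS RAM, VERIS or the TLCTC repository; the label-to-cluster mapping follows the table above, and the incident records are constructed.

```python
from collections import Counter

# CDM attack types mapped onto TLCTC clusters as the table above gives them.
# "Targeted Attacks" is intent metadata and carries no cluster at all.
CDM_TO_CLUSTERS = {
    "Malware": {7},
    "Ransomware": {1, 7},                   # the #1 -> #7 path; the DRE effect is not a cause
    "Web Application Hacking": {1, 2, 3},
    "Insider and Privilege Misuse": {1},
    "Targeted Attacks": set(),              # orthogonal: intent, not cause
}

# Constructed incidents: the CDM labels an assessor would tick for each one.
INCIDENTS = [
    {"Ransomware", "Malware"},              # a ransomware campaign is also malware
    {"Ransomware", "Malware", "Targeted Attacks"},
    {"Malware"},
    {"Web Application Hacking"},
    {"Insider and Privilege Misuse"},
]

def cdm_commonality(incidents):
    """CIS-style frequency: one tally per attack-type label, summed across labels."""
    return Counter(label for inc in incidents for label in inc)

def cluster_commonality_naive(incidents):
    """Translate each label to its clusters and add them up. #7 lands twice for
    every incident that ticks both Ransomware and Malware."""
    tally = Counter()
    for inc in incidents:
        for label in inc:
            tally.update(CDM_TO_CLUSTERS[label])
    return tally

def cluster_commonality(incidents):
    """TLCTC-style: a cluster counts at most once per incident, because the
    clusters are mutually exclusive causes rather than overlapping labels."""
    tally = Counter()
    for inc in incidents:
        tally.update(set().union(*(CDM_TO_CLUSTERS[lab] for lab in inc)))
    return tally

def double_counts(incidents):
    """Per cluster, how far the label-summed tally overstates the per-incident one."""
    naive, clean = cluster_commonality_naive(incidents), cluster_commonality(incidents)
    return {c: naive[c] - clean[c] for c in naive if naive[c] != clean[c]}
```

On the constructed set, only cluster #7 is inflated, and by exactly the number of incidents that carry both labels.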
02 — THE MEASUREMENT
Why your Maturity Score floats.
CIS RAM's Safeguard Maturity Score (1–5, "the reliability of a Safeguard's effectiveness against threats") is its own Key Control Indicator. It is trying to measure control effectiveness. The intent is right.
But effectiveness against what? The score is anchored to the outcome-blurred threat buckets above. You cannot derive a clean per-cause effectiveness from a Maturity Score when the "threat" it scores against is a mixture of causes. The number has nowhere stable to attach. It floats — per row, per assessor, per asset class — and two assessors scoring "the same" Safeguard against "the same" threat are measuring different blends.
TLCTC anchors its KCI and its DCS (detection latency at an observable edge) to mutually-exclusive clusters. Effectiveness and latency are measured per generic vulnerability. The measurement stops floating because there is finally a fixed thing to measure against. But — and this is the point — the KCI and DCS only become coherent once a categorization exists to anchor them. They are residual diagnostics. They are not the fix. The fix is the axis underneath.
03 — THE MATRIX
Completeness becomes falsifiable.
Here is the object CIS RAM cannot produce, and the reason it cannot prove its control set covers anything: the 10 × 6 × 2 matrix.
Every legitimate control objective occupies exactly one cell — one (cluster, strategy, side) coordinate. The matrix is the complete, deterministic control-objective space. And because it is closed, every gap is a named empty cell. Coverage becomes falsifiable: you can prove what you cover, and prove what you don't.
CIS RAM cannot do this. It maps Safeguards to threats ad hoc, row by row in the Risk Register, with the threat side anchored to C/I/A outcomes. The NIST CSF Function mapping (Identify / Protect / Detect / Respond / Recover) is the closest it gets to a control-strategy axis — but it is bolted onto each Safeguard externally, not derived, and it maps to outcome-blurred threats. The result is a long, flat list. A flat list cannot tell you what you are not covering, because there is no enumerated cause space to check completeness against. Your threat set is whatever the assessor happened to write down, drawn from VERIS commonality.
04 — THE FLOOR
An umbrella control cannot prevent a target-zero.
This is the argument that turns everything above from a matter of elegance into a matter of correctness.
A control objective must be granular enough to map to exactly one cell. An umbrella control that spans multiple cells cannot achieve any of them to target-zero — the index compromise, the zero-patient event you are trying to prevent from occurring at all — because its effectiveness is averaged across causes that demand structurally different mechanisms.
One Safeguard, spanning at least three cells: #2 server-side exploitation, #3 client-side exploitation, and the supply-chain re-anchoring window #10 → #1. Three different clusters. Three different velocity classes. Three different detection edges. One KCI cannot measure it, because there is no single thing being measured.
Target-zero requires the control to act on the specific generic vulnerability the cluster names — the cluster is the vulnerability. An umbrella control acts on a blend, so its effectiveness against the actual cause is necessarily sub-unity. It leaks at exactly the cell where the attacker enters. The breadth that makes a control look efficient is the same averaging that guarantees it cannot reach zero on any single path.
An objective that cannot be measured to target-zero against a single cell is not a control objective. It is a control aspiration.
And this is where the due-care standard — CIS RAM's own crown jewel — turns against the umbrella. The moment a specific cluster-path causes harm, an umbrella control is indefensible: you cannot argue you took reasonable care against cause X when your control's effectiveness against X was never separately measurable. It was buried in an average. "We had a patch program" loses in front of a regulator. "Our KCI against cluster #2 server-side exploitation was at target-zero on the date of the incident" is the DoCRA standard actually delivered. Cell-purity is not taxonomic hygiene. It is the difference between evidence and aspiration.
05 — THE PREDICTION
The redesign cuts both ways at once.
If CIS were to re-anchor the Controls onto the matrix, the objective set would move toward a structural minimum from two directions simultaneously:
- De-aggregate the umbrellas. Safeguards that span multiple cells must split. "Patch Management" becomes distinct objectives per cluster, per side. This raises the apparent count where it was hiding coarseness.
- De-duplicate the repeats. The same generic strategy restated across asset classes and outcome labels collapses to one cell, one objective. Mutual exclusivity makes the redundancy visible for the first time. This lowers the count sharply.
The two forces meet at a smaller set of cell-pure objectives — each one granular enough to hit target-zero, none of them duplicated. The CIS Controls v8.1 set of ~150+ Safeguards is, today, simultaneously too coarse (umbrellas that can't reach zero on any cell) and too redundant (the same cell restated per asset class). The matrix fixes both at once.
We have not yet performed the full cell-by-cell mapping of every v8.1 Safeguard. As a structural prediction: de-aggregation plus de-duplication collapses the objective set toward the matrix floor, and we expect a net reduction on the order of 60 control objectives — pending that mapping. Treat 60 as the hypothesis the mapping would test, not as a verified figure.
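The matrix of section 03 and the two forces of section 05 can be run on a toy Safeguard set. The block below is an added example written for this critique, not TLCTC or CIS code: clusters #1 to #10 and the left/right sides follow the text, the six strategy labels are placeholders (assumed, since the page does not list them), and the sample objectives are constructed, with "Patch Management" spanning the three cells section 04 describes.

```python
from itertools import product

CLUSTERS = tuple(range(1, 11))                 # the ten TLCTC clusters
STRATEGIES = ("S1", "S2", "S3", "S4", "S5", "S6")  # placeholder strategy labels (assumed)
SIDES = ("left", "right")                      # left / right of the Bow-Tie pivot
CELLS = frozenset(product(CLUSTERS, STRATEGIES, SIDES))   # the closed 10 x 6 x 2 space

# Constructed sample: objective -> the cells it claims. "Patch Management" is the
# umbrella (#2, #3 and the #10 -> #1 window); two objectives restate cells it already
# occupies under an asset-class label; one is cell-pure.
SAMPLE = {
    "Patch Management": {(2, "S2", "left"), (3, "S2", "left"), (10, "S2", "left")},
    "Server hardening": {(2, "S2", "left")},
    "Browser hardening": {(3, "S2", "left")},
    "Malware detection": {(7, "S4", "right")},
}

def umbrellas(objectives):
    """Objectives spanning more than one cell: none can reach target-zero on any of them."""
    return sorted(name for name, cells in objectives.items() if len(cells) > 1)

def empty_cells(objectives):
    """Named gaps: every cell no objective occupies. This is what a flat list cannot give."""
    return CELLS - set().union(*objectives.values())

def deaggregate(objectives):
    """Force 1: split each umbrella into one objective per cell (count goes up)."""
    return {f"{name} [#{c} {s} {side}]": {(c, s, side)}
            for name, cells in objectives.items() for (c, s, side) in sorted(cells)}

def deduplicate(pure_objectives):
    """Force 2: cell-pure objectives sharing a cell collapse to one per cell (count goes
    down). Returns cell -> the names that restated it."""
    by_cell = {}
    for name, cells in pure_objectives.items():
        (cell,) = cells                        # input must already be cell-pure
        by_cell.setdefault(cell, []).append(name)
    return by_cell

def matrix_floor(objectives):
    """Counts before and after the two-force collapse: the floor is the number of
    distinct cells the original set actually touched."""
    pure = deaggregate(objectives)
    return {"objectives": len(objectives), "umbrellas": len(umbrellas(objectives)),
            "after_deaggregate": len(pure), "after_dedupe": len(deduplicate(pure)),
            "empty_cells": len(empty_cells(objectives))}
```

On the sample, four Safeguards become six cell-pure objectives and then collapse to four, which is exactly the number of distinct cells they covered; the other 116 cells are named gaps.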
06 — THE RELATIONSHIP
Not a competitor. A foundation.
The headline is not "CIS RAM is broken." It isn't. The headline is that the two frameworks occupy different strata, and CIS RAM is missing its bottom one.
| Layer | CIS RAM | TLCTC |
|---|---|---|
| Cause taxonomy | absent — borrows VERIS / CDM | the 10 clusters |
| Bow-Tie pivot | none — Threat → C/I/A directly | SRE / DRE / BRE |
| Control space | flat row list | 10×6×2 matrix |
| Effectiveness (KCI) | Maturity Score — floats | per-cell, per-cause |
| Risk math | Impact × Expectancy (DoCRA) | out of scope — sits above |
| Mode | probabilistic | deterministic / axiomatic |
Slot TLCTC underneath CIS RAM as the cause axis. Replace the VCDB / CDM threat input with the ten clusters. Keep DoCRA's Impact × Expectancy, keep the reasonableness machinery, keep the legal translator — all untouched. The Expectancy engine even improves, because commonality measured per cluster eliminates the ransomware-as-a-threat-type double-counting it currently carries.
So: can CIS answer your cyber threat risk? It can answer whether a given risk is reasonable to accept — superbly. It cannot answer whether your control set is complete, whether any single control reaches target-zero, or whether your effectiveness measurement is anchored to anything stable. Those three questions all require a cause axis. CIS doesn't have one.
It is catalog-agnostic which controls you adopt. It is not optional whether you can name your causes.
Notes
Critique target: CIS RAM v2.2 Core (Nov 2025) / CIS Controls v8.1. The ≥60 figure is a structural prediction pending full cell mapping.
TLCTC Framework · CC BY 4.0 · github.com/Barnes70/TLCTC