CIS Controls Tools Terms Of Use

This License Agreement sets forth the terms and conditions governing use of the CIS Controls Tools (as further described below, the "Tools") owned and delivered by Center for Internet Security, Inc. ("CIS"). By accessing or using any or all of the Tools, Licensee agrees to be bound by this Agreement. If Licensee does not agree to this Agreement, Licensee is not allowed to access or use any Tool.

1. Definitions

Agreement shall mean this document.

CIS CSAT Ransomware Business Impact Analysis tool or BIA tool shall mean a web-based analytical tool allowing organizations to self-assess the business impact of a cyber loss from the breach of an asset due to ransomware.

CIS Controls shall mean the CIS Critical Security Controls, v. 7.0 and later. Use of CIS Controls is subject to Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode ).

Confidential Information shall mean any and all information provided by Licensee in connection with the use of any Tool. Confidential information shall include, without limitation, the Tools, the information provided by Licensee in registering or using the Tools, including, without limitation, any documents uploaded by Licensee to the Tools.

Controls Self-Assessment Tool or CSAT shall mean the CIS-hosted web-based tool available at https://csat.cisecurity.org that allows Licensee to assess and document the status of their cybersecurity posture against the CIS Controls.

Delivery Date shall mean the date Licensee first registers to access a Tool.

License shall mean the right to use the Tools granted to Licensee by CIS through this Agreement.

Licensee shall mean you, or in the case of an organization, your organization as an entity and its employees accessing and using the Tools.

Tools shall collectively mean the Controls Self-Assessment Tool and the Business Impact Analysis BIA tool; each a "Tool".

2. Ownership and Copyright.

The Tools are the property of CIS, and are protected by copyright law as well as other statutory and nonstatutory intellectual property law. CIS product names are owned by CIS and are protected under trademark law. All title and copyrights in and to the Tools, trademarks and the accompanying materials and rights are and shall remain owned fully and solely by CIS. Through this Agreement, the Tools are licensed, not sold. The ownership of the data entered into any Tool by Licensee is the property of the Licensee.

3. Grant of License.

Subject to the terms and conditions of this Agreement, CIS grants Licensee a non-exclusive, perpetual non-assignable worldwide right to use of the Tools for the purpose of (1) in the case of CSAT, assessing and documenting Licensee's own cybersecurity posture against the CIS Controls and (2) in the case of BIA tool, for assessing the business impact of ransomware on a Licensee's asset(s). Access to the Tools under this License is limited to use by Licensee for its own organization's internal cybersecurity assessment and may not be used by Licensee to assist third parties with such analysis. Use of the Tools to commercially assess other organizations' cybersecurity posture against the CIS Controls and/or to estimate business impact of ransomware on third party assets requires an organization to become a CIS SecureSuite Consulting Member; additional details on this membership may be found at: https://www.cisecurity.org/cis-securesuite/pricing-and-categories/services-and-consulting/.

The License is registered in Licensee's name, commences on the Delivery Date and is effective until terminated in accordance with the terms and conditions set forth in this Agreement. Licensee undertakes not to use any Tool as part of any offerings comprising functionality that is substantially similar to that of the Tool or any other products that CIS is offering, during the term of this Agreement, and for a period of three (3) years after termination. CIS reserves all rights not expressly granted to Licensee in this Agreement. Without limiting the generality of the foregoing, Licensee acknowledges and agrees that: (a) except as specifically set forth in this Agreement, CIS retains all right, title and interest in and to the Tools, and Licensee does not acquire any right, title or interest to any Tool except as set forth herein; (b) any configuration or deployment of any Tool shall not affect or diminish CIS's rights, title or interest in and to such Tool. Licensee further acknowledges and agrees that the Tools incorporate the provisions of the CIS Controls, and that use of the Tools and the contents are subject to the license applicable to CIS Controls. Except as stated in the foregoing subsection, nothing in this Agreement shall limit in any way CIS's right to develop, use, license, create derivative works of, or otherwise exploit the Tools, or to permit third parties to do so. Licensee shall not modify, delete or obscure any notices of proprietary rights or any Tool identification or restrictions on or in any Tool found in the license-header of the code files of such Tool. Licensee undertakes not to brand any Tool as Licensee's own or declare or give the impression that Licensee owns the copyright in any Tool. Licensee may use CIS name in its marketing, promotion and website, as is reasonably necessary for the limited purpose of describing the Tool(s) and Licensee's use of the Tool(s). Licensee agrees to conduct its business with the highest standards and will do nothing to injure CIS's reputation.

4. Warranties and Representation

4.1 Scope. CIS's warranties and representations in this section are limited to the Tools provided to Licensee under this Agreement.

4.2 CIS's warranties and representations. CIS warrants and represents that: for a period of ninety (90) days following Delivery Date of a Tool, such Tool will perform substantially in accordance with CIS's written specifications, provided that it has been used in accordance with these terms of service and any instructions provided with the Tool; CIS will perform its obligations under this Agreement in accordance with all applicable laws and regulations; CIS has the full and unconditional ownership of the Tools, this Agreement does not infringe intellectual property rights of any third party; The Tools do not include any third party tool or software; Licensee may make full use of License granted to it in full knowledge of the above; CIS has the requisite knowledge, personnel, resources and know-how to deliver the Tools as contemplated by this Agreement in a professional manner; and CIS has not intentionally placed, and will use its best efforts to avoid the placement of any Harmful Codes into any Tool provided under this Agreement. For the purpose of this section 4.2 "Harmful Codes" is defined as any program that infects, damages and/or impairs another program or data, disables hardware or a Tool, or permits or assists in the breach of data.

In the event of breach, or alleged breach of any of the warranties in this section related to a particular Tool, Licensee's sole remedy in such an event shall be that CIS shall re-supply or correct the applicable Tool so that it operates according to the warranties set out in this section. The warranties shall not apply if Licensee has modified, or used a Tool improperly.

5. Limitation of Liability.

The Tools are provided by CIS 'as is' and may have errors and omissions. Thus remedies are only available to Licensee in the event of any breach of the warranties set out in section 4. UNDER NO CIRCUMSTANCES, AND EVEN IF INFORMED THEREOF BY LICENSEE OR ANY OTHER PARTY, SHALL CIS BE LIABLE FOR (i) LOSS OF, OR DAMAGE TO, DATA; (ii) SPECIAL, INCIDENTAL, CONSEQUENTIAL OR INDIRECT DAMAGES; OR (iii) LOST PROFITS, BUSINESS, REVENUE, GOODWILL, OR ANTICIPATED SAVINGS.

6. Intellectual Property Infringement.

CIS will defend, indemnify and hold Licensee harmless against any claim stating that any Tool is violating any third party copyright provided that Licensee promptly notifies CIS of the claim, such notice to be provided no later than ten (10) business days after receipt of said claim(s). A hardcopy of the notices of copyright infringement is sent to: CIS, 31 Tech Valley Drive, East Greenbush, NY 12061, Attention: Chief Counsel. Licensee shall in good faith make commercially reasonable efforts to stop any claim made against Licensee by any third party related to a Tool. Notwithstanding anything to the contrary herein, CIS shall have sole control of the defense and any related settlement negotiations in the case of legal proceedings. Licensee agrees to timely provide CIS with all necessary assistance, information and authority to perform the above. If a Tool is held by a final court ruling to be infringing any third party intellectual property rights, CIS will at its option: (i) obtain the right for Licensee to continue to use such Tool consistent with this Agreement; (ii) modify such Tool so that it is non-infringing; or solely in the event that (i) and (ii) are not feasible, terminate this Agreement.

7. Confidentiality.

For the purpose of this section each Party shall be called Disclosing Party and Receiving Party respectively. Each Party acknowledges that Confidential Information is proprietary, that it is valuable to Disclosing Party and that any disclosure or unauthorized use thereof may cause irreparable harm and loss to Disclosing Party. Confidential Information shall not include information that (i) is generally known to the public at the time of disclosure; (ii) is legally received by Receiving Party from a Third Party, which Third Party is in rightful possession of Confidential Information, (iii) becomes generally known to the public subsequent to the time of such disclosure, but not as a result of disclosure by Receiving Party, or (iv) prior to signing of this Agreement, is already in the possession of Receiving Party. Obligations of receiving Party in regards to Confidential Information: In consideration of the disclosure to Receiving Party of Confidential Information, Receiving Party agrees to receive and to treat Confidential Information on a confidential and restricted basis and to undertake the following additional obligations with respect thereto: to use Confidential Information for the sole purpose of fulfilling this Agreement unless otherwise expressly agreed to in writing by Parties; not to duplicate, in whole or in part, any Confidential Information; not to disclose Confidential Information to its members, officers, employees, Affiliates, counsel or consultants except on a need-to-know basis, and each such person Receiving Confidential Information shall be notified of and required to abide by the terms and conditions of this Agreement; not to disclose Confidential Information to any Third Party entity or individual, corporation, partnership, sole proprietorship, customer, advisor or client without the prior express written consent of Disclosing Party. This confidentiality section shall survive any termination of the Agreement however occasioned.

8. Data Privacy.

The information entered by Licensee into a Tool will be stored on an account held by CIS in AWS's US East region. The storage of the data is subject to AWS's terms of services, which can be found here: https://aws.amazon.com/service-terms/ . By agreeing to this License Agreement and accessing any Tool, Licensee agrees to be bound by the terms of service from AWS.

CIS will have access to Licensee's data in the AWS US East region and by accepting this License Agreement and using and accessing any Tool, Licensee agrees to allow CIS to use Licensee's data entered into any Tool for the following purposes: (1) to deliver a Tool's service; (2) to ensure that a Tool is working as intended and to make improvements to the Tool and the CIS Controls; (3) to identify and offer additional CIS tools and services related to cybersecurity.

Additionally, these terms of service are governed by the CIS Controls Tools Privacy Policy, a copy of which can be found here: https://csat.cisecurity.org/accounts/privacy-policy. By agreeing to these terms of service and accessing any Tool, Licensee acknowledges and agrees to such privacy policy terms.

9. Term and Termination.

Either Party may terminate this Agreement in the event of a material breach of this Agreement by the other Party by providing the other Party with written notice and an opportunity of ten (10) business days to cure such breach. On termination of this Agreement: (1) Sections 2, 5, 7, 8 and 14 shall survive; (2) Licensee shall immediately cease use and distribution of Tool; and (3) each Party must remove, delete or otherwise destroy any of other Parties material that it has received, copied or otherwise obtained, including but not limited to Confidential Information, except for information required to support any license, sublicense or maintenance obligations already granted or undertaken by Licensee towards any Third Party. A written confirmation that such deletion has been completed shall be sent to the other Party without undue delay.

10. Relationship Between Parties.

Parties are independent contractors, and this Agreement will not be construed as constituting either Party as partner, joint venture, agency or fiduciary of the other, as creating any other form of legal association that would impose liability on one Party for the act, or failure to act, of the other, or as providing either Party with the right, power, or authority (express, or implied) to create any duty or obligation of the other. Neither Party shall directly or indirectly represent to the public that it has the right or the authority to create or accept obligations on behalf of the other Party. Except as otherwise expressly provided in this Agreement, each Party has the sole right and obligation to supervise, manage, contract, direct, procure, perform or cause to be performed all work to be performed by it under this Agreement.

11. Severability.

In the event any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions of this Agreement will remain in full force.

12 Waiver.

The waiver by either CIS or Licensee of any default or breach of this Agreement shall not constitute a waiver of any other or subsequent default or breach. Except for actions for breach of CIS's intellectual proprietary rights in Tool, no action, regardless of form, arising out of this Agreement may be brought by Licensee more than one (1) year after the cause of action has occurred.

13. Non-assignment.

Licensee is not allowed to assign or transfer all, or any part of its rights under this Agreement without CIS's prior written consent. Notwithstanding the foregoing, either Party may assign this Agreement in its entirety to its Affiliate(s), or in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets. In such case, Licensee shall notify CIS in writing without undue delay, and unless otherwise agreed upon in writing, this Agreement shall bind, and inure to the benefit of Parties, their respective successors, and permitted assigns.

14. Applicable Law and Venue.

This Agreement shall be governed by and construed in accordance with the laws of the State of New York. Any dispute, controversy or claim arising out of or relating to this Agreement, or the breach, termination, or invalidity thereof, Parties shall seek to solve amicably through negotiations.

15. Amendments.

No amendment to, or modification of this Agreement will be binding unless made in writing and signed by Parties. Parties agree that any additional or different terms in any other document or arrangement not forming part of this Agreement, including any letter or terms of engagement or the like, purchase order, invoice, acknowledgment, delivery receipt, confirmation or other delivery or acceptance document issued by or on behalf of CIS, or by or on behalf of Licensee at the request of CIS, shall be void, and of no force or effect if in breach with this Agreement.

16. Entire Agreement.

This Agreement, is the entire agreement between CIS and Licensee relating to this relationship and supersedes all prior or contemporaneous oral or written communications, proposals and representations relating to that relationship.

17. Notices.

All notices to be given under this Agreement to CIS shall be sent to contracts@cisecurity.org. Information from CIS to Licensee shall be sent by email to the email address Licensee has provided upon purchase. It is Licensee's responsibility to ensure that the e-mail address is correct. CIS does not take responsibility for lost communication. All notices, demands or other communication given by a party to the other shall be deemed to have been duly given when made in writing and sent to the registered e-mail address.