Safeguard 12.4: Establish and Maintain Architecture Diagram(s)

Safeguard 12.4: Establish and Maintain Architecture Diagram(s)

By Steve Gold
Posted in Security
On July 07, 2026

In Raiders of the Lost Ark, Indiana Jones doesn't wander into the Well of Souls hoping to stumble across the Ark of the Covenant. He has a map. More specifically, he has the headpiece of the Staff of Ra, the one piece of information that tells him exactly where to dig. Without it, Belloq and the Nazis spent weeks excavating the wrong location. They had resources, manpower, and determination. What they didn't have was accurate intelligence about the terrain.

Your network is the Well of Souls. The question is: who has the better map, you, or the attacker who's been quietly moving through your environment for the past three weeks?

What Is CIS Safeguard 12.4?

Safeguard 12.4 is part of CIS Control 12: Network Infrastructure Management, and its security function is Identify. It applies to IG2 and IG3 organizations. The requirement: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

This isn't about producing a pretty diagram for an audit. It's about maintaining accurate operational intelligence of your own environment.

Why It Matters

You cannot defend a network you haven't mapped. That sounds obvious, but the number of organizations operating without current, accurate network documentation is striking. Networks grow organically, a new VLAN here, a cloud workload there, a legacy segment that nobody touched in four years and everyone is afraid to ask about. Over time, the map in people's heads diverges further and further from what's actually deployed.

When an incident happens, that gap becomes a crisis. Responders are trying to understand blast radius, identify affected systems, and trace lateral movement, without a reliable picture of how the environment is structured. Every minute spent reverse-engineering the network topology is a minute the attacker is still active.

Attackers, by contrast, do their reconnaissance. Before a sophisticated threat actor makes a significant move, they've already mapped your network more thoroughly than you have. If that thought is uncomfortable, it should be. It's meant to be.

Architecture diagrams also serve as the foundation for everything else you're trying to do in security, network segmentation, access control decisions, firewall rule reviews, zero trust planning. Without an accurate map of trust zones, data flows, and connectivity, all of those efforts are guesswork.

What To Do: Implementation Steps

  1. Create a current-state network architecture diagram. If you don't have one, start now. Document network segments, trust zones, key assets, data flows, external connections, and ingress/egress points. This doesn't need to be a Visio masterpiece, accurate beats beautiful every time.
  2. Include the elements that actually matter for security. Your diagram should show segmentation boundaries, firewall placement, DMZ structure, cloud connectivity, remote access paths, and where critical systems (AD, DNS, authentication infrastructure) live. Segment-level trust relationships are especially important.
  3. Store it securely and version-control it. Your network architecture diagram is sensitive, it's a roadmap for attackers if it falls into the wrong hands. Store it in a secure, access-controlled location. Version-control it so you can track what changed and when.
  4. Tie updates to your change management process. The diagram goes stale the moment you stop updating it. Build diagram reviews into your change management workflow, any significant network change should trigger a documentation update before or immediately after implementation.
  5. Review formally at least once a year. Schedule an annual documentation review even if you think nothing major has changed. Walk through the diagram with your network and security teams. You'll find drift. You always find drift.
  6. Use the diagram actively, not just as an artifact. Pull it out during firewall rule reviews, segmentation discussions, incident response tabletops, and zero trust planning sessions. A diagram that lives in a folder and never gets used isn't doing its job.

Final Thoughts

Belloq and the Nazis had an army, unlimited resources, and weeks of time. What they didn't have was the right map. Indiana Jones walked in with accurate intelligence and walked out with the prize, mostly.

The organizations that respond to incidents fastest, contain breaches most effectively, and make the best segmentation decisions are the ones with accurate, current network documentation. The ones who are still trying to figure out what's on their network after the attacker is already inside are working with Belloq's map.

Build the diagram. Keep it current. Review it regularly. Don't let the attacker have better intelligence about your own network than you do.

Free Resource: The CIS Controls are available for free at cisecurity.org. The full implementation guidance for Control 12 includes additional context on documentation requirements across implementation groups.

Have questions about where to start with network documentation? DM me, it's a common challenge and there are practical ways to approach it.

Official CIS Control and Safeguard Text

CIS Control 12: Network Infrastructure Management

CIS Safeguard 12.4: Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Shameless Marketing Information

Gotham Technology Group can help organizations build and maintain accurate network architecture documentation as part of our network security assessments, reach out if you need a hand getting started.

Steve Gold

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies such as Varonis, VMware, Dell & Wyse Technology

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.