Published by the Center for Internet Security (CIS), CIS Benchmarks are best practices for securely configuring IT systems, software, networks and cloud infrastructure.
CIS Benchmarks are developed through a consensus-based process involving communities of cybersecurity professionals from around the world. These experts continuously identify, refine and validate security best practices within their areas of focus to help organizations protect their digital assets from cyber risks.
CIS has published over 100 CIS Benchmarks, spanning 8 core technology categories and covering over 25 vendor-product families.[1] They are available as free PDF downloads for non-commercial use.
CIS Benchmarks help organizations improve their security posture by following prescriptive, globally recognized security standards and cyber defense guidelines. CIS Benchmarks also support business use cases like regulatory compliance, IT governance and security policy.
Established in October 2000, CIS is a nonprofit organization whose mission is to "make the connected world a safer place by developing, validating and promoting timely best practice solutions that help people, businesses and governments protect themselves against pervasive cyber threats."[2]
CIS Benchmarks Communities, a group of more than 12,000 IT security professionals who contribute to developing CIS Benchmarks best practices, are open to anyone who wants to contribute. The communities are comprised of volunteers and include subject-matter experts, vendors, technical writers, testers and other CIS members from around the world.
CIS is also home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), which provides cyber threat prevention, protection, response and recovery resources for US State, Local, Tribal and Territorial (SLTT) government entities. It is also the headquarters of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the cybersecurity needs of US election offices.[3]
Each CIS Benchmark groups its recommendations into profiles: tiers that let an organization choose how much hardening to apply to a given product, trading security against operational impact.
Level 1 covers base-level configurations that are easier to implement and have minimal impact on business functionality.
Level 2 extends Level 1 for high-security environments. Its recommendations add defense in depth but require more coordination and planning to implement without disrupting business operations.
The STIG profile aligns a Benchmark's recommendations with the Security Technical Implementation Guides (STIGs), configuration standards published and maintained by the US Defense Information Systems Agency (DISA) to meet US Department of Defense (DOD) requirements.
The STIG profile therefore helps organizations comply with the applicable STIG: a system configured to this profile satisfies both the CIS Benchmark and the corresponding STIG requirements.
As previously mentioned, there are over 100 CIS Benchmarks grouped across 8 IT technology categories, including the following:
The operating systems category covers security configurations of core operating systems, such as Microsoft Windows, Linux® and Apple's macOS. These include best-practice guidelines for local and remote access restrictions, user profiles, authentication, driver installation protocols and internet browser configurations.
The server software category covers security configurations of widely used server software, including Microsoft Windows Server, SQL Server and VMware. It also covers open-source containerization platforms, such as Docker and Kubernetes.
The Kubernetes Benchmarks, for example, include recommendations for configuring PKI (public key infrastructure) certificates, application programming interface (API) server settings, server admin controls, network policies and storage restrictions.
The cloud providers category addresses security configurations for Amazon Web Services (AWS), Microsoft Azure, Google Cloud, IBM Cloud and other popular public cloud environments. The Benchmarks include cloud security guidelines for configuring identity and access management (IAM), system logging, network configurations and regulatory compliance safeguards.
The mobile devices category addresses mobile operating systems, including iOS and Android, and focuses on areas like developer options and settings, OS privacy configurations, browser settings and app permissions.
The network devices category offers general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper and others.
The desktop software category covers security configurations for some of the most commonly used desktop applications, including Microsoft Office and Exchange Server, Google Chrome, Mozilla Firefox and Apple Safari. These Benchmarks focus on email privacy and server settings, mobile device management, default browser settings and third-party software blocking.
The multi-function print devices category outlines security best practices for configuring multi-function printers in office settings. It covers firmware updating, TCP/IP configuration, wireless access configuration, user management, file sharing and more.
The DevSecOps tools category covers the software supply chain and helps teams secure DevSecOps pipelines. It offers best practices for security controls throughout the software development lifecycle, from initial design through integration, testing, delivery and deployment.
Over the years, CIS has produced and distributed other free tools and paid solutions that support the CIS Benchmarks. These resources help organizations to strengthen their cybersecurity readiness further.
Formerly known as the SANS Critical Security Controls (SANS Top 20 Controls), the CIS Critical Security Controls (CIS CSC) are a prioritized set of 18 Controls, each broken down into specific Safeguards, for effective cyber defense. Also referred to as CIS Controls, they are free to use and provide a prioritized checklist that organizations can implement to reduce their attack surface significantly.
The CIS Benchmarks reference these cybersecurity best practices when referring to recommendations for better-secured system configurations.
CIS also offers pre-configured Hardened Images, virtual machine images that enterprises can run in the cloud without investing in additional hardware or software. Because they ship already hardened, they carry far fewer of the insecure default settings found in standard virtual images that an attacker could exploit.
CIS Hardened Images are designed and configured in compliance with CIS Benchmarks and CIS Controls, and their configurations are mapped to the requirements of several regulatory frameworks. CIS Hardened Images are available on nearly all major cloud computing platforms and are easy to deploy and manage.
The CIS SecureSuite membership program provides organizations with cybersecurity tools and resources. Membership is free for US SLTT (state, local, tribal and territorial) government and academic institutions in the US, while payment options vary for commercial users and government entities overseas.
CIS WorkBench is a centralized platform that brings together CIS Controls and CIS Benchmarks Communities, enabling collaboration for the ongoing development of the CIS Benchmarks.
Available to CIS SecureSuite members, the CIS SecureSuite Build Kits are resources that automate remediating systems to the CIS Benchmarks.
The CIS Configuration Assessment Tool (CIS-CAT Pro) performs automated scans of a system's configuration settings against the CIS Benchmarks and reports which recommendations pass or fail. It is available to CIS SecureSuite members.
CIS-CAT Lite is a free tool for assessing IT systems. Compared to CIS-CAT Pro, this limited version offers basic-level assessments against fewer CIS Benchmarks.
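The following is an added illustration, not code from CIS-CAT or any CIS Benchmark, of what a profile-aware configuration assessment looks like in practice. It ties together the profile tiers described earlier (Level 1, Level 2 and STIG) and the scan-against-Benchmark behaviour described above. The constructed sshd_config sample, the recommendation titles, their profile assignments, the assumed OpenSSH defaults used when a keyword is absent, and the assumption that Level 2 contains Level 1 and that the STIG profile contains both are all assumptions made for this example.

```python
"""Profile-aware configuration assessment over a constructed sshd_config sample.

Added illustration, not CIS-CAT code. Recommendation titles resemble CIS Linux
Benchmark SSH items, but the profile assignments and defaults are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample of an sshd_config as read from a host (not real data).
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
# Fails the root-login recommendation below
PermitRootLogin yes
# Fails the X11 recommendation, which this example assigns to Level 2
X11Forwarding yes
MaxAuthTries 4
LogLevel INFO
"""

# Assumed profile inheritance: Level 2 extends Level 1, and the STIG profile
# (modeled here) includes both levels plus any STIG-specific items.
PROFILE_INCLUDES = {
    "Level 1": {"Level 1"},
    "Level 2": {"Level 1", "Level 2"},
    "STIG": {"Level 1", "Level 2", "STIG"},
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines. Keywords are case-insensitive and, as in
    sshd, the first occurrence of a keyword wins; comment lines are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


@dataclass(frozen=True)
class Recommendation:
    rec_id: str
    title: str
    profile: str                                 # profile the item is assigned to
    check: Callable[[Dict[str, str]], bool]      # True when the setting is compliant


# Checks fall back to assumed OpenSSH defaults when a keyword is absent.
BENCHMARK: List[Recommendation] = [
    Recommendation("ssh-1", "Ensure SSH root login is disabled", "Level 1",
                   lambda s: s.get("permitrootlogin", "prohibit-password").lower() == "no"),
    Recommendation("ssh-2", "Ensure SSH MaxAuthTries is set to 4 or less", "Level 1",
                   lambda s: int(s.get("maxauthtries", "6")) <= 4),
    Recommendation("ssh-3", "Ensure SSH LogLevel is INFO or VERBOSE", "Level 1",
                   lambda s: s.get("loglevel", "INFO").upper() in {"INFO", "VERBOSE"}),
    Recommendation("ssh-4", "Ensure SSH X11 forwarding is disabled", "Level 2",
                   lambda s: s.get("x11forwarding", "no").lower() == "no"),
]


def select(profile: str, benchmark: List[Recommendation] = BENCHMARK) -> List[Recommendation]:
    """Return the recommendations that apply when assessing against `profile`."""
    return [r for r in benchmark if r.profile in PROFILE_INCLUDES[profile]]


def assess(settings: Dict[str, str], profile: str) -> Dict[str, bool]:
    """Evaluate every applicable recommendation; a malformed value counts as a failure."""
    results: Dict[str, bool] = {}
    for rec in select(profile):
        try:
            results[rec.rec_id] = bool(rec.check(settings))
        except (ValueError, TypeError):
            results[rec.rec_id] = False
    return results


def summarize(results: Dict[str, bool]) -> Tuple[int, int]:
    """Return (passed, total) for a results map."""
    return sum(results.values()), len(results)


if __name__ == "__main__":
    parsed = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for profile in ("Level 1", "Level 2"):
        res = assess(parsed, profile)
        passed, total = summarize(res)
        print(f"{profile}: {passed}/{total} passed")
        for rec in select(profile):
            print(f"  [{'PASS' if res[rec.rec_id] else 'FAIL'}] {rec.rec_id} {rec.title}")
```

Run against the sample, the Level 1 assessment evaluates three recommendations and the Level 2 assessment four, because the X11 item only enters scope at Level 2; the same host therefore scores 2/3 at Level 1 and 2/4 at Level 2. That difference is exactly the trade-off the profile tiers encode: the stricter profile surfaces more findings on an unchanged system, and each extra finding is something that must be planned and remediated.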
CIS Benchmarks help organizations with governance, risk and compliance (GRC) strategies to manage governance and risks while maintaining compliance with industry and government regulations.
CIS Benchmarks align closely with, or "map to," security and data privacy regulatory frameworks. As a result, an organization operating in an industry governed by such regulations can make significant progress toward compliance by adhering to CIS Benchmarks. Such regulatory frameworks and bodies include the following:
While enterprises are always free to make their own choices around security configurations, CIS Benchmarks offer an array of benefits:
[1] CIS Benchmarks List, Center for Internet Security, Inc. (CIS)
[2] Getting to know the CIS Benchmarks, Center for Internet Security, Inc. (CIS)
[3] About us, Center for Internet Security, Inc. (CIS)