The Center for Internet Security

Benchmarks/Tools
CIS Benchmarks
CIS is the only distributor of consensus best-practice standards for security configuration. The Benchmarks are widely accepted by U.S. government agencies for FISMA compliance, and by auditors for compliance with the ISO standard as well as GLB, SOx, HIPAA, FIRPA and other regulatory requirements for information security. End-user organizations that base their configuration policies on the consensus benchmarks cannot obtain them anywhere else.

For the first time ever, a large group of user organizations, information security professionals, auditors and software vendors have defined consensus technical control specifications that represent a prudent level of due care and best-practice security configurations for computers connected to the Internet.

Now you can determine how your systems measure up to these widely accepted security benchmarks.

In accordance with the CIS not-for-profit mission, the Benchmarks and Scoring Tools are available free on this web site.

Click Here for the Benchmarks and Scoring Tools that are in public release.
Click Here for a list of the benchmarks that are in release and those that are in development.
Click Here to see a list of individuals who contributed to the consensus Benchmarks and Scoring Tools.

What Are CIS Benchmarks?
CIS Benchmarks enumerate security configuration settings and actions that "harden" your systems. They are unique, not because the settings and actions are unknown to any security specialist, but because consensus among hundreds of security professionals worldwide has defined these particular configurations.

CIS Level-I Benchmarks – the prudent level of minimum due care

Level-I Benchmark settings/actions meet the following criteria.
    • System administrators with any level of security knowledge and experience can understand and perform the specified actions.
    • The action is unlikely to cause an interruption of service to the operating system or the applications that run on it.
    • The actions can be automatically monitored, and the configuration verified, by Scoring Tools that are available from the Center or by CIS-certified Scoring Tools.

Many organizations running the CIS scoring tools report that compliance with a CIS "Level-I" benchmark produces substantial improvement in security for their systems connected to the Internet.

CIS Level-II Benchmarks – prudent security beyond the minimum level.

Level-II security configurations vary depending on network architecture and server function. These are of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the operating systems and applications running in their particular environments.

The Windows XP Professional and Windows Server 2003 Benchmarks: These benchmarks contain multiple "levels" within one document. The levels are:
  • Legacy: Settings in this level are designed for XP Professional/2003 Server systems that need to operate with older systems such as Windows NT, or in environments where older third-party applications are required. The settings will not affect the function or performance of the operating system or of applications that are running on the system.
  • Enterprise Standalone: Settings in this level are designed for XP Professional/Server 2003 systems operating in a managed environment where interoperability with legacy systems is not required. It assumes that all operating systems within the enterprise are Windows 2000 or later, and therefore able to use all possible security features available within those systems. In such environments, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact on software applications when applying these recommended XP Professional technical controls.
  • Enterprise Mobile: These settings are nearly identical to the Enterprise Standalone settings, but with modifications appropriate for mobile users whose systems must operate both on and away from the corporate network. In environments where all systems are Windows 2000 or later, these Enterprise-level settings are not likely to affect the function or performance of the OS. However, one should carefully consider the possible impact on software applications when applying these recommended XP Professional technical controls.
  • Specialized Security - Limited Functionality: Settings in this level are designed for XP Professional/2003 Server systems in which security and integrity are the highest priorities, even at the expense of functionality, performance, and interoperability. Therefore, each setting should be considered carefully and only applied by an experienced administrator who has a thorough understanding of the potential impact of each setting or action in a particular environment.

What Are the Scoring Tools?
CIS Scoring Tools enable end users to verify the security configuration of systems prior to network deployment, monitor systems and network devices for ongoing conformity with the benchmarks, and demonstrate to auditors and business partners their compliance with the internationally accepted standard for security configuration. The Tools are host based and produce reports that guide users and system administrators to secure both new installations and production systems.

CIS Scoring Tools are available on the CIS web site for most of the CIS Benchmarks. In addition, CIS is in the process of rolling out a new tool, CIS-CAT (CIS Configuration Assessment Tool). CIS-CAT is a Java application designed to test for compliance with many CIS platform, device, and application benchmarks. Currently the production version is available for download from the CIS Members/Licensees web site at https://members.cisecurity.org for Solaris, SUSE, Red Hat, Slackware, AIX, Oracle on UNIX and Oracle on Windows. CIS-CAT reads benchmarks expressed in XML (XCCDF) format. For more information on XCCDF, please go to http://nvd.nist.gov/xccdf.cfm.

CIS-CAT for the Windows benchmarks went into beta testing on 7/16/2007, and will be released soon.

Until a fully functional version of CIS-CAT is available for Microsoft Windows platforms, the NG Scoring tool will remain available. The NG Scoring tool is also a Java based application that consumes XCCDF and OVAL, and will score a Windows system for compliance against CIS Windows benchmarks.
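As an added illustration (not code from CIS, CIS-CAT or the NG Scoring tool), the following Python script shows the shape of what a scoring tool does with an XCCDF benchmark: it walks the Rules, evaluates each selected rule's check against the observed state of a system, and produces a pass/fail report with a weighted score. The XCCDF fragment is constructed and simplified (the real XCCDF 1.1 namespace, but hypothetical rule ids and a toy `key op value` check language standing in for OVAL), and the observed settings are a constructed dictionary rather than values gathered from a live host.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"  # real XCCDF 1.1 namespace
NS = {"x": XCCDF_NS}

# Constructed, simplified XCCDF-style benchmark (NOT a real CIS benchmark).
# <check-content> holds a hypothetical "key op value" expression in place of
# the OVAL definitions that the real tools consume.
SAMPLE_BENCHMARK = f"""<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <title>Constructed example benchmark</title>
  <Group id="level-1">
    <title>Level-I: prudent minimum due care</title>
    <Rule id="min-password-length" weight="10.0" selected="true">
      <title>Minimum password length is at least 8 characters</title>
      <check system="urn:example:kv-check"><check-content>min_password_length &gt;= 8</check-content></check>
    </Rule>
    <Rule id="guest-disabled" weight="10.0" selected="true">
      <title>Guest account is disabled</title>
      <check system="urn:example:kv-check"><check-content>guest_account_enabled == false</check-content></check>
    </Rule>
    <Rule id="audit-logon" weight="5.0" selected="true">
      <title>Logon events are audited for success and failure</title>
      <check system="urn:example:kv-check"><check-content>audit_logon_events == success_failure</check-content></check>
    </Rule>
  </Group>
  <Group id="level-2">
    <title>Level-II: beyond the minimum</title>
    <Rule id="telnet-disabled" weight="5.0" selected="true">
      <title>Telnet service is disabled</title>
      <check system="urn:example:kv-check"><check-content>telnet_service_enabled == false</check-content></check>
    </Rule>
    <Rule id="smb-signing" weight="5.0" selected="false">
      <title>SMB signing required (not selected in this profile)</title>
      <check system="urn:example:kv-check"><check-content>smb_signing_required == true</check-content></check>
    </Rule>
  </Group>
</Benchmark>
"""

# Constructed snapshot of one host's settings (hypothetical values; a real
# tool would collect these from the host being scored).
SAMPLE_OBSERVED = {
    "min_password_length": "10",
    "guest_account_enabled": "true",
    "audit_logon_events": "success_failure",
    "telnet_service_enabled": "false",
    "smb_signing_required": "false",
}


@dataclass
class RuleResult:
    rule_id: str
    group_id: str
    title: str
    weight: float
    result: str  # "pass", "fail", "notselected" or "unknown"


def _compare(observed, op, expected):
    """Compare numerically when both sides parse as numbers, else as case-insensitive text."""
    try:
        left, right = float(observed), float(expected)
    except ValueError:
        left, right = observed.strip().lower(), expected.strip().lower()
    ops = {"==": left == right, "!=": left != right, ">=": left >= right, "<=": left <= right}
    if op not in ops:
        raise ValueError(f"unsupported operator {op!r}")
    return ops[op]


def evaluate_benchmark(xml_text, observed):
    """Walk every Rule in the XCCDF-style document and evaluate its check against observed state."""
    root = ET.fromstring(xml_text)
    results = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            weight = float(rule.get("weight", "1.0"))
            title = rule.findtext("x:title", default="", namespaces=NS)
            if rule.get("selected", "true").lower() != "true":
                results.append(RuleResult(rule.get("id"), group.get("id"), title, weight, "notselected"))
                continue
            expr = rule.findtext("x:check/x:check-content", default="", namespaces=NS)
            key, op, expected = expr.split(None, 2)
            if key not in observed:
                outcome = "unknown"  # setting could not be collected: never counts as a pass
            else:
                outcome = "pass" if _compare(observed[key], op, expected) else "fail"
            results.append(RuleResult(rule.get("id"), group.get("id"), title, weight, outcome))
    return results


def weighted_score(results):
    """Simplified weighted score: passed weight over all selected weight, as a percentage."""
    scored = [r for r in results if r.result != "notselected"]
    total = sum(r.weight for r in scored)
    if total == 0:
        return 0.0
    passed = sum(r.weight for r in scored if r.result == "pass")
    return round(100.0 * passed / total, 1)


def format_report(results):
    """Plain-text report in the spirit of a scoring tool's output."""
    lines = [f"{r.result.upper():<12} {r.group_id:<8} {r.rule_id:<22} {r.title}" for r in results]
    lines.append(f"Score: {weighted_score(results)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate_benchmark(SAMPLE_BENCHMARK, SAMPLE_OBSERVED)))
```

Two choices in the scorer are worth noting: a rule with `selected="false"` is left out of the denominator entirely, mirroring how an XCCDF profile narrows a benchmark to the rules that apply to a given role, while a setting that could not be observed is reported as unknown and counts against the score, which is the conservative reading a compliance report should take.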


CIS Members have access to Scoring Tools with added features not available to the general user community.
Click Here for more information.

Enterprise software tools that check systems for conformity with CIS benchmarks are also commercially available from information security software vendors.

Click Here for a roster of CIS certified software tools.
Click Here to see what users say about the CIS Benchmarks and Scoring Tools.
 

How Are CIS Benchmarks Developed?
The Benchmarks are developed through a unique global consensus process. The process is effective because it pools the security knowledge of technical professionals, and cost-efficient because it taps voluntary involvement by security specialists in organizations that share the benefits of the technical work. The four steps of this process are:

  1. Teams of CIS members typically begin the benchmark development process with the published work or recommendations from one or more large member organizations. They work together to identify the critical configuration settings that will produce the most significant enhancements to system security in a wide variety of organizational settings.
  2. Members review and comment on evolving drafts until a consensus is reached.
  3. The benchmarks and scoring tools are then made available publicly via download from this website.
  4. They are updated periodically as a result of user feedback, software upgrades and identification of new vulnerabilities.

To learn more about CIS membership, go to Membership Information.

How Are They Kept Up to Date?
Benchmarks and Scoring Tools are kept up to date as new vulnerabilities are discovered through Internet Storm Center (www.incidents.org), the CERT Coordination Center (www.cert.org), and other security incident tracking sources.

Continuous feedback from Members and other users also ensures that broad consensus is always reflected in the configurations. Level-II settings are updated as users continuously discover how much they can further harden systems without interfering with operating systems and applications in particular environments.

A revision history is maintained at the end of each of the Benchmarks.

How Will the Benchmarks Influence Software Vendors?
Vendors ship systems with operating system security settings disabled as the default. User organizations recognize that this practice is plainly unacceptable, and are already beginning to require vendors to deliver systems with default security settings defined by the CIS Benchmarks.

The CIS Scoring Tools provide a quick and easy way to evaluate systems and networks, comparing their security configurations against the CIS benchmarks. They automatically create reports that guide users and system administrators to secure both new installations and production systems. The tool is also effective for monitoring systems to assure that security settings continuously conform with CIS Benchmark configurations.



Logo and Design by Keiler
© 2005, the Center for Internet Security.