CIS Benchmarks Mappings and CIS-CAT Pro Updates for CIS Controls v8

The CIS Controls are a prioritized set of Safeguards that can mitigate the most prevalent cyber-attacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory, and policy frameworks such as NIST, ISO, HIPAA, PCI, and others. Enterprises that implement the CIS Controls can demonstrate compliance with these other policies. This extends a step further to the CIS Benchmarks – configuration guides for specific technologies. The recommendations found in the CIS Benchmarks are also mapped back to the CIS Controls, yet another way to demonstrate compliance across frameworks.

CIS Benchmarks are being updated to map to the recently-released CIS Controls v8. Mappings will include the specific Control(s), Safeguards (formerly Sub-Controls), and relevant Implementation Groups (IGs). Updated CIS Benchmarks will also be made available within CIS-CAT Pro Assessor v4.7.0.

CIS Benchmarks Map to CIS Controls v8

As of June 2021, all CIS Linux, Docker, Microsoft Windows, and Microsoft Intune Benchmarks now map to CIS Controls v8. Select other CIS Benchmarks already contain CIS Controls v8 mappings, and more will be updated in the near future.

CIS Benchmarks now mapped to CIS Controls v8:

• CIS Microsoft Windows Server 2019 Benchmark v1.2.1
• CIS Microsoft Windows Server 2019 STIG Benchmark v1.0.1
• CIS Docker Benchmark v1.3.1
• CIS Microsoft Windows 10 Enterprise Release 20H2 Benchmark v1.10.1
• CIS Microsoft Intune for Windows 10 Release 2004 Benchmark v1.0.1
• CIS Red Hat Enterprise Linux 7 Benchmark v3.1.0
• CIS CentOS Linux 7 Benchmark v3.1.0
• CIS Oracle Linux 7 Benchmark v3.1.0
• CIS Kubernetes V1.20 Benchmark v1.0.0
• CIS Azure Kubernetes (AKS) Benchmark v1.0.0
• CIS Red Hat Linux 8 Benchmark v1.0.1
• CIS CentOS Linux 8 Benchmark v1.0.1
• CIS Oracle Linux 8 Benchmark v1.0.1
• CIS Debian Linux 8 Benchmark v2.0.2
• CIS AWS Foundations Benchmark v1.4.0

Example of a CIS Controls Mapping in a CIS Benchmark

The example below is from the CIS Microsoft Windows Server 2019 Benchmark v1.2.1. It reflects how this Benchmark maps to the CIS Controls version, Safeguard, and Implementation Groups:

Recommendation 1.1.4 (L1) Ensure ‘Minimum password length’ is set to ’14 or more character(s)’

A few CIS Benchmarks will include bug fixes on top of the v8 mappings. Please consult the change log in each CIS Benchmark for updates.

CIS Benchmarks with CIS Controls v8 Mappings Available in CIS-CAT Pro

CIS-CAT Pro Assessor automates the evaluation of the cybersecurity posture of a system against recommended policy settings such as those recommended in CIS Benchmarks. CIS SecureSuite Members who currently use CIS-CAT Pro Assessor can upgrade to view CIS Controls v8 mappings in the HTML output.

Please note that:

• Older CIS Benchmarks that map to CIS Controls v6 will not provide information in the CIS-CAT Pro Assessor v4.7.0 HTML report.
• CIS-CAT Pro v3 will not display the new mappings.
• Some CIS Benchmarks are not available in CIS-CAT Pro (i.e., Docker and AWS Foundations) and do not apply.

CIS Controls v7.1 will still be available in CIS-CAT Pro. This will allow users time to migrate and become familiar with CIS Controls v8. Several state legislatures specify v7.1 as a standard to help meet compliance requirements. See State Legislation Leveraging the CIS Controls. CIS-CAT Pro Dashboard v2.2.0 Coming Soon

An update to CIS-CAT Pro Dashboard consumes assessment reports and shows system(s) compliance to the CIS Benchmarks over a period of time. The updated v2.2.0 will be released in mid-June 2021. Please look for upcoming announcements on the release.