CIS Configuration Certified Combines Security and Function
Working in an environment that's configured to a secure standard such as the CIS Benchmarks brings both peace of mind and compliance with other frameworks. Historically, however, security and function have not always gone hand-in-hand. Recommended security settings may cause issues with software functionality in some environments. To that end, the Center for Internet Security (CIS) worked with three vendors to pilot a new certification, to demonstrate that a product will work in an environment hardened to the CIS Benchmarks.
The new CIS Benchmarks Configuration Certification enables vendors to develop new products with the CIS Benchmarks built in, tested, and certified at outset. Building this confidence into the products takes the guesswork out of knowing whether or not a CIS Benchmarks-hardened environment will work without impact.
CIS Benchmarks Certification: a Brief Overview
Certification from CIS is nothing new. CIS SecureSuite Product Vendor Membership gives product vendors the right to integrate, reference, and support the CIS Benchmarks and the CIS Controls into their product and service offering(s) as defined in the membership agreement.
Certification is a benefit of Product Vendor Membership, allowing companies eligibility to certify their security product(s) and/or service offering(s). Certification requirements vary by type of certification, but ultimately demonstrates that products comply with, are configured to, or have the ability to run in environments in the CIS Benchmark version and profile.
The newest option recently piloted, CIS Benchmarks Configuration Certified, certifies a product or service's configuration is in conformance with or can run in an environment configured to the CIS Benchmark. This option provides assurance that a product will run without impact on or from the hardened environment.
Certifying at this level removes the concern of customers who have an environment hardened to CIS Benchmarks. They won't have to reconfigure anything in order to run the application, because the certification has demonstrated it'll work, out of the box.
Additionally, with various use cases for this certification type, the vendor can certify the underlying configuration of the environment to CIS Benchmarks. They test accordingly to ensure applications and use of platform will work on the hardened environment without issue. Together, this provides confidence in the product and the underlying security being aligned with an industry standard like CIS Benchmarks, without modifications.
Configuration Certified Pilot
To provide proof of concept, CIS worked with a few vendors to pilot the process. Their collaboration with us was essential to the release and success of this new offering and we greatly appreciate their support. Each vendor provided a different type of scenario for which their products were able to run in a Level 1 CIS Benchmark-configured environment.
CIS is happy to award and highlight the following partners and their products that achieved the first-ever CIS Benchmarks Configuration Certification:
- Cimcor, Inc. has certified its CimTrak Integrity Suite running on CIS CenOS Linux 7 Benchmark Level 1 and Level 2
- Tenable Core has been certified to be configured to the CIS CentOS Linux 7 Benchmark
- Refactr’s DevSecOps Automation Platform has been certified running on the CIS Azure Foundations Benchmark
CIS worked closely with the vendors to ensure that their products worked correctly without requiring any modifications to the Level 1 CIS Benchmarks recommendations. Here's what one participant had to say:
“Refactr is excited to continue innovating with CIS and to certify with the new Configuration Certification leveraging our DevSecOps Automation Platform,” said Mike Fraser, CEO of Refactr. “Our continued mission is to stay secure with CIS Controls and Benchmarks, and to provide these capabilities to our joint customers through DevSecOps pipelines.”
CIS Benchmarks Certified Options
The new Configuration Certification pilot is open to a number of environments and use cases, including:
- Vendor seeking certification to promote their product (software) will run successfully on an environment hardened to CIS Benchmarks
- Vendor product sold configured to CIS Benchmark(s) with assurance that software will run without impact on an environment hardened to CIS Benchmarks
- Product configured to CIS Benchmark for said vendor product/offering (i.e., CIS Hardened Images, infrastructure, stack)
- One or more Benchmark(s) configured within another product/offering (i.e., device ships secure)
- Vendor service providing option to deploy configured environment to CIS Benchmark(s)
Additional CIS Benchmarks Certification options include:
- Assessment: CIS Benchmarks Assessment Certification certifies a product’s ability to assess endpoints for conformance to CIS Benchmark(s) version and profile(s)
- Remediation: CIS Benchmarks Remediation Certification certifies a product’s ability to remediate endpoints for conformance to CIS Benchmark(s) version and profile(s)
Creating Confidence in Security
CIS-certified security software products demonstrate a strong commitment by the vendor to provide their customers with the ability to ensure their assets are secured according to consensus-based best practice standards. CIS is excited to offer opportunities for vendors to demonstrate conformance to the CIS Benchmarks without adverse impact on functionality. It's just another way we're creating confidence in the connected world.