
How to Meet STIG Compliance and Achieve OS Security with CIS

Organizations tasked with meeting regulatory framework compliance know the difficulties they will face. On top of the resource hours, it can be costly to ensure compliance. Public sector organizations, as well as their contractors and consultants, also understand the importance of compliance with the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs). These configuration standards apply to DoD Information Assurance (IA) and IA-enabled devices and systems.

The Center for Internet Security (CIS) builds CIS Benchmarks and CIS Hardened Images mapped to these guides to more easily assist with DISA STIG compliance.

CIS Benchmarks and Hardened Images for OS Security

CIS maintains more than 100 secure configuration guidelines across 25+ product families. This prescriptive guidance is developed by communities of cybersecurity experts. In fact, CIS manages the communities that develop the only consensus-based cybersecurity guidelines both created and accepted by industry, government, academia, and business. Notably, one of the largest areas of CIS Benchmark technology coverage is operating systems.

In addition to utilizing CIS Benchmarks for OS security, organizations can turn to CIS Hardened Images for security in the cloud. These pre-configured virtual machine images bring CIS Benchmark configurations to the public cloud. Every CIS Hardened Image includes a CIS-CAT Pro assessment report to quickly provide evidence of compliance. Also, CIS patches these VMs regularly for vulnerabilities. CIS Hardened Images are available on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Marketplaces.

OS Security and DISA STIG Compliance from CIS

While complying with regulatory frameworks like PCI DSS, HIPAA, DoD Cloud Computing SRG, and DISA STIGs can be challenging, these frameworks recognize CIS Benchmarks as an acceptable standard to help meet compliance. And CIS Hardened Images already apply these standards to virtual machine images, saving both time and resources.

More specifically, guidance from the DoD Cloud Computing SRG indicates CIS Benchmarks are an acceptable alternative in place of STIGs. The DoD Cloud Computing SRG, version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations still must utilize STIGs for DoD IA and IA-enabled devices/systems. That's why CIS offers CIS Benchmarks mapped directly to STIG standards for OS security. Furthermore, CIS builds CIS Hardened Images to CIS STIG Benchmark standards. Thus, these virtual machine images also provide OS security to help meet STIG compliance in the public cloud.

What's New: CIS STIG Compliance Resource Updates

If you're familiar with CIS STIG resources, you'll now find structural updates to the profiles. Previously, the CIS STIG Benchmarks included a Level 3 profile to address recommendations needed to meet STIG compliance that were not covered in Levels 1 and 2. Now, a new STIG profile replaces the Level 3 profile. This new STIG profile allows users to easily identify all recommendations specific to the STIG. Recommendations that overlap with other profiles (Level 1, Level 2, and Next Generation) also appear in the STIG profile. If a recommendation in the STIG profile contradicts the CIS Benchmark recommendation, that is indicated in the description of the recommendation.

To make STIG compliance even simpler, here's the breakdown of information you'll find in the CIS STIG Benchmark 'additional information' section:

  • Name, version, and date of STIG release
  • Vulnerability ID
  • Rule ID
  • STIG ID
  • Severity
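To make the profile structure and the 'additional information' fields concrete, here is an added worked example (not CIS's own data model, tooling, or CIS-CAT output). It assumes a hypothetical per-recommendation record that carries the profiles a recommendation belongs to, the value CIS recommends, and, when the recommendation is STIG-mapped, the five fields listed above. It derives the STIG profile (overlaps included), the recommendations that exist only for the STIG (the former Level 3 content), the contradictions that the description must flag, and a severity-ordered cross-reference table. All identifiers and values in the sample data are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# Sort order for the STIG severity field; anything unrecognised sorts last.
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class StigInfo:
    """The 'additional information' fields a CIS STIG Benchmark lists per recommendation."""
    stig_release: str  # name, version and date of the STIG release
    vuln_id: str       # Vulnerability ID
    rule_id: str       # Rule ID
    stig_id: str       # STIG ID
    severity: str      # high / medium / low


@dataclass(frozen=True)
class Recommendation:
    """Hypothetical recommendation record (an assumption of this example, not CIS's schema)."""
    number: str
    title: str
    profiles: frozenset                # e.g. {"Level 1", "STIG"}
    cis_value: str                     # value the CIS Benchmark recommends
    stig_value: Optional[str] = None   # value the STIG requires, when mapped
    stig: Optional[StigInfo] = None    # None when the recommendation is not STIG-mapped


# Constructed sample data; every identifier is a placeholder, not a real STIG or CIS ID.
_REL = "EXAMPLE-STIG V1R1 (constructed release, 2021-01-01)"
SAMPLE_RECS = [
    # Overlap: in Level 1 and in the STIG, and both agree on the value.
    Recommendation("1.1", "Example setting A", frozenset({"Level 1", "STIG"}), "enabled", "enabled",
                   StigInfo(_REL, "V-PLACEHOLDER-1", "SV-PLACEHOLDER-1_rule", "EX-01-000001", "medium")),
    # Overlap with a contradiction: CIS recommends 15, the STIG requires 10.
    Recommendation("1.2", "Example setting B", frozenset({"Level 2", "STIG"}), "15", "10",
                   StigInfo(_REL, "V-PLACEHOLDER-2", "SV-PLACEHOLDER-2_rule", "EX-01-000002", "high")),
    # STIG-only: would previously have lived in the Level 3 profile.
    Recommendation("1.3", "Example setting C", frozenset({"STIG"}), "enabled", "enabled",
                   StigInfo(_REL, "V-PLACEHOLDER-3", "SV-PLACEHOLDER-3_rule", "EX-01-000003", "low")),
    # Level 1 only: not part of the STIG profile at all.
    Recommendation("1.4", "Example setting D", frozenset({"Level 1"}), "disabled"),
]


def stig_profile(recs):
    """Every recommendation in the STIG profile, overlaps with other profiles included."""
    return [r for r in recs if "STIG" in r.profiles]


def stig_only(recs):
    """Recommendations that exist solely to satisfy the STIG."""
    return [r for r in stig_profile(recs) if r.profiles == frozenset({"STIG"})]


def contradictions(recs):
    """STIG-profile recommendations whose STIG-required value differs from the CIS value."""
    return [r for r in stig_profile(recs)
            if r.stig_value is not None and r.stig_value != r.cis_value]


def describe(rec):
    """Description text; a contradiction with the CIS recommendation is called out explicitly."""
    text = f"{rec.number} {rec.title}: CIS recommends {rec.cis_value}."
    if rec.stig_value is not None and rec.stig_value != rec.cis_value:
        text += f" STIG requires {rec.stig_value} (contradicts the CIS Benchmark recommendation)."
    return text


def stig_checklist(recs):
    """Cross-reference rows (Vulnerability ID, Rule ID, STIG ID, severity) for evidence
    gathering, highest severity first, then by Vulnerability ID for a stable order."""
    rows = [
        {
            "number": r.number,
            "stig_release": r.stig.stig_release,
            "vuln_id": r.stig.vuln_id,
            "rule_id": r.stig.rule_id,
            "stig_id": r.stig.stig_id,
            "severity": r.stig.severity,
        }
        for r in stig_profile(recs)
        if r.stig is not None
    ]
    rows.sort(key=lambda row: (SEVERITY_RANK.get(row["severity"], len(SEVERITY_RANK)), row["vuln_id"]))
    return rows


if __name__ == "__main__":
    for rec in contradictions(SAMPLE_RECS):
        print(describe(rec))
    for row in stig_checklist(SAMPLE_RECS):
        print(row["severity"].upper(), row["vuln_id"], row["rule_id"], row["stig_id"], "->", row["number"])
```

The contradiction check is the part worth keeping when adapting this to real benchmark content: whichever value a system is actually configured to, the description tells an assessor which authority (CIS or the STIG) that value satisfies, so evidence for one framework is not silently presented as evidence for the other.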

What's Coming for STIG Compliance from CIS

Currently, CIS offers four CIS STIG Benchmarks as well as four CIS STIG Hardened Images across AWS, Azure, GCP, and Oracle Cloud Marketplaces.

The following CIS STIG Benchmarks are available for enhanced OS security: Amazon Linux 2, Microsoft Windows Server 2016, Microsoft Windows Server 2019, and Red Hat Enterprise Linux 7. CIS is also excited to announce three additional CIS Benchmarks coming soon to help with STIG compliance: Apple macOS 11, Ubuntu Linux 20.04, and Red Hat Enterprise Linux 8.

Lastly, CIS STIG Hardened Images provide enhanced OS security in the public cloud. Access the pre-configured VMs for STIG compliance:

CIS is proud to provide users with multiple resources to help with OS security and meet STIG compliance.