New Options from CIS for STIG Compliance
Staying secure can be a challenge, especially if you’re working in a regulated environment. Resources from the Center for Internet Security (CIS) such as the CIS Benchmarks are consensus-based security configuration guidelines for numerous technologies. They are recognized by many industry frameworks including the Payment Card Industry (PCI), HIPAA, and even the Department of Defense (DoD). CIS continues to work with a global community to release new and updated guidance. Our latest offering provides a new option for those who must comply with DoD requirements.
Compliance with DoD STIGs and CIS Benchmarks
Guidance from the DoD has indicated that CIS Benchmarks can be used in place of Security Technical Implementation Guidelines (STIGs), the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The DoD Cloud Computing Security Requirements Guide (SRG), Version 1, Release 3 states:
“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.”
Although the DoD references CIS Benchmarks specifically, CIS has received feedback that many organizations are still required to align with STIGs as the configuration standards for DoD IA and IA-enabled devices/systems.
New STIG-specific guidance from CIS
CIS has developed a new option for configuring systems according to STIGs, both on-premises and in the cloud. The first release is for a single operating system (OS), and there are plans to continue to expand coverage based on additional feedback from our stakeholders.
The first STIG-specific CIS release is the CIS Red Hat Enterprise Linux (RHEL) 7 STIG Benchmark. This expanded Benchmark contains:
- The existing consensus-based CIS RHEL 7 Benchmark Level 1 and Level 2 profiles mapped to applicable STIG recommendations.
- A new Level 3 profile that includes additional requirements from the STIG that were not covered in the Level 1 and Level 2 profiles.
When users are applying CIS Benchmarks and need to be STIG compliant, they’ll be able to apply all three profiles and quickly address the gaps between the original CIS Benchmark profiles and STIGs. This new Benchmark is available as a free PDF download.
A new CIS Hardened Image for RHEL 7 that is configured according to the new Benchmark has been released in AWS Marketplace. It is the first CIS STIG-compliant RHEL 7 Amazon Machine Image (AMI) in AWS Marketplace.
Working securely in the cloud with CIS
The CIS AWS Foundations Benchmark provides recommendations for securing the AWS account and related services. It is a good first step for any organization that wants to work securely in the cloud. Download the free PDF for non-commercial use.
CIS Hardened Images are base operating systems in the cloud that have been preconfigured to meet the security recommendations of the CIS Benchmarks. There are more than two dozen available in AWS Marketplace. See the full list.
Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the related CIS Benchmark. An exception report is included that outlines configurations that aren’t applicable in a cloud environment. Every CIS Hardened Image is updated monthly to address patching and vulnerabilities.