New Options from CIS for STIG Compliance

Securing your IT infrastructure can be a challenge, especially if you’re working in a regulated environment. To help organizations with this challenge, the Center for Internet Security (CIS) offers the CIS Benchmarks. These are consensus-based security configuration guidelines for numerous technologies. Many industry frameworks recognize the CIS Benchmarks, including the Payment Card Industry (PCI), HIPAA, and even the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG).

CIS continues to work with a global community of cybersecurity experts to release new and updated guidance. Our latest offerings provide resources to help comply with Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG) requirements.


Compliance with DISA STIGs and CIS Benchmarks

Guidance from the DoD Cloud Computing SRG indicates CIS Benchmarks are an acceptable alternative in place of STIGs - configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The DoD Cloud Computing Security Requirements Guide (SRG), version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations are still required to align with STIGs as the configuration standards for DoD IA and IA-enabled devices/systems.

Prescriptive STIG Guidance from CIS

CIS offers resources to configure systems according to STIGs, both on-prem and in the cloud. Current CIS STIG resources include CIS Benchmarks and CIS Hardened Images for three operating systems: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016.

The CIS STIG Benchmarks and associated CIS Hardened Images contain:

  • The existing consensus-based CIS Benchmark Level 1 and Level 2 profiles mapped to applicable STIG recommendations.
  • A new Level 3 profile that includes additional requirements from the STIG that were not covered in the Level 1 and Level 2 profiles.

When users apply CIS Benchmark recommendations and need to be STIG compliant, they'll be able to apply the three profiles and quickly address the gaps between the original CIS Benchmark profiles and the STIGs. These CIS STIG Benchmarks are available for free PDF download.

CIS STIG Virtual Machine Images

In addition to these CIS STIG Benchmarks, CIS hardens virtual machine images to CIS STIG Benchmark guidelines and offers them on public cloud marketplaces. Three CIS STIG Hardened Images are currently available: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016. The RHEL 7 Image is available on AWS, Azure, and GCP Marketplaces. The Amazon Linux 2 Image is available on AWS Marketplace, and the Microsoft Windows Server 2016 Image is available on AWS, Azure, GCP, and Oracle Cloud Marketplaces.


Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the related CIS Benchmark. An exception report is included that outlines configurations that aren’t applicable in a cloud environment. Every CIS Hardened Image is updated monthly to address patching and vulnerabilities.

CIS is proud to offer CIS Benchmarks and CIS Hardened Images to help public sector organizations secure their on-prem and cloud environments.