Why CIS Solutions Join CIS Resources
CIS WorkBench Sign-in CIS WorkBench Sign In Support CIS Support


Who We Are

CIS is an independent, nonprofit organization with a mission to create confidence in the connected world

About Us Leadership Principles Testimonials


Secure Your Organization

Secure Specific Platforms

U.S. State, Local, Tribal & Territorial Governments

View All Products & Services  

Join CIS

Get Involved

Join CIS as a member, partner, or volunteer - or explore our career opportunities

CIS SecureSuite® Membership Multi-State ISAC (MS-ISAC®) Elections Infrastructure ISAC (EI-ISAC®) CIS CyberMarket® Vendors CIS Communities Careers


Secure Your Organization


Filter by Topic

View All Resources  
CIS Logo Show Search Expand Menu

CIS Cloud Security Resources for STIG Compliance

Securing your IT infrastructure can be a challenge, especially if you’re working in a regulated environment. To help organizations with this challenge, the Center for Internet Security (CIS) offers the CIS Benchmarks. These are consensus-based security configuration guidelines for numerous technologies. Many industry frameworks recognize the CIS Benchmarks, including the Payment Card Industry (PCI), HIPAA, and even the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG).

CIS continues to work with a global community of cybersecurity experts to release new and updated guidance. Our latest offerings provide resources to help comply with Defense Information Systems Agency Security Technical Implementation Guides (DISA STIG) requirements.


Compliance with DISA STIGs and CIS Benchmarks

Guidance from the DoD Cloud Computing SRG indicates CIS Benchmarks are an acceptable alternative in place of STIGs - configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The DoD Cloud Computing Security Requirements Guide (SRG), version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations are still required to align with STIGs as the configuration standards for DOD IA and IA-enabled devices/systems.

Prescriptive STIG Guidance from CIS

CIS offers resources to configure systems according to STIGs, both on-prem and in the cloud. Current CIS STIG resources include CIS Benchmarks and CIS Hardened Images for three operating systems: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016.

The CIS STIG Benchmarks and associated CIS Hardened Images contain:

  • The existing consensus-based CIS Benchmark Level 1 and Level 2 profiles mapped to applicable STIG recommendations.
  • A new Level 3 profile that includes additional requirements from the STIG that were not covered in the Level 1 and Level 2 profiles.

When users apply CIS Benchmarks recommendations and need to be STIG compliant, they’ll be able to apply the three profiles and quickly address the gaps between the original CIS Benchmark profiles and STIGs. These CIS STIG Benchmarks are available for free PDF download.

CIS STIG Virtual Machine Images

In addition to these CIS STIG Benchmarks, CIS hardens virtual machine images to CIS STIG Benchmark guidelines and offers them on public cloud marketplaces. Three CIS STIG Hardened Images are currently available: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016. The RHEL 7 Image is available on AWS, Azure, and GCP Marketplaces. The Amazon Linux 2 Image is available on AWS Marketplace, and the Microsoft Windows Server 2016 Image is available on AWS, Azure, GCP, and Oracle Cloud Marketplaces.

Access the CIS STIG Hardened Images:

Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the related CIS Benchmark. An exception report is included that outlines configurations that aren’t applicable in a cloud environment. Every CIS Hardened Image is updated monthly to address patching and vulnerabilities.

CIS is proud to offer CIS Benchmarks and CIS Hardened Images to help public sector organizations secure their on-prem and cloud environments.