CIS Benchmarks™ FAQ
What are CIS Benchmarks?
CIS Benchmarks are best practices for the secure configuration of a target system. Available for more than 100 CIS Benchmarks across 25+ vendor product families, CIS Benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
How are CIS Benchmarks developed?
CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members and the CIS Benchmark Development team.
The initial benchmark development process defines the scope of the benchmark and begins the discussion, creation and testing process of working drafts. Using the CIS WorkBench community website, discussion threads are established to continue dialogue until a consensus has been reached on proposed recommendations and the working drafts. Once consensus has been reached in the CIS Benchmark community, the final benchmark is published and released online.
CIS Benchmarks are free to download in PDF format, with additional file formats (XCCDF, Word, etc.) available to CIS SecureSuite Members.
Please do not hesitate to join in on community discussions, become a volunteer to lead the development of a new benchmark via CIS WorkBench, or submit a ticket via our support portal to provide feedback.
How often are new benchmarks or new versions of older benchmarks released?
The release of new CIS Benchmarks can vary depending on the community as well as the major release schedule of the technology the benchmark supports.
Keeping up to date on new CIS Benchmark releases is easy! Monthly emails are distributed announcing new benchmarks and updates to existing benchmarks that have been released. To sign up for these emails, login to CIS Workbench (registration is free) and click on the “receive newsletter” checkbox within your profile.
Want to track a benchmark’s development? Each community within CIS WorkBench allows the user to view milestones associated with a particular CIS Benchmark to show where it stands in the development and update process.
What are the Level 1, Level 2, and STIG Profiles within a CIS Benchmark?
Most CIS Benchmarks include multiple configuration profiles. A profile definition describes the configurations assigned to benchmark recommendations.
The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.
The Level 2 profile is considered to be "defense in depth" and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.
The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific. Overlap of recommendations from other profiles, i.e. Level 1 and Level 2, are present in the STIG profile as applicable.
Every recommendation within each CIS Benchmark is associated with at least one profile. Regardless of which level profile you plan to implement in your environment, we recommend applying CIS Benchmark guidance in a test environment first to determine potential impact.
What if I find a dispute in the Benchmark or disagree with a setting?
First and foremost, please let us know! We thrive on the feedback from those that are entrenched in using and implementing our benchmarks. Any discrepancies in CIS Benchmark content provides us an opportunity to improve.
An integral component of the CIS Benchmark lifecycle includes maintenance once the benchmark has been released. The maintenance process includes reviewing tickets and discussion threads that have been assigned to that benchmark since its release. If the content within the tickets and discussion threads are deemed applicable to the CIS Benchmark, the revisions or updates will be integrated into the next release of the CIS Benchmark. You can create a ticket or begin a discussion thread by logging into CIS WorkBench (registration is free), joining a particular CIS Benchmark community, and navigating to the Community Dashboard menu listing on the left.
What formats are CIS Benchmarks available in?
CIS Benchmarks are distributed free of charge in PDF format. Download CIS Benchmarks
CIS SecureSuite Members can also download CIS Benchmarks in additional formats via CIS WorkBench, such as Word, Excel, XML, etc.
Why am I receiving a 404 error when attempting to download a Benchmark from CIS WorkBench?
In order to download a CIS Benchmark from Workbench, you will need to join the CIS WorkBench community for that particular benchmark. To join a community, simply login to CIS WorkBench (registration is free), select the "Communities" tab on the top menu bar and select your community of interest. Upon navigating to the community dashboard, select "Join".
If you continue to experience a 404 error despite being a member that of that CIS Benchmark community, please contact us via the support portal.
I have an account on CIS WorkBench and am an active participant in the communities. How do I manage the email notifications received from the site?
Thanks for participating! To manage your preferences and notifications, select your user profile in the upper right corner of the top menu bar and click on your username in the drop-down below. This selection will navigate to your personal CIS WorkBench page. From here, click on “Subscription Preferences” in the left-hand menu. The Subscription Preferences page will allow you to customize your interaction with the platform to your liking.