CIS Benchmarks Assessment Certification
CIS SecureSuite Product Vendor Membership gives product vendors the right to integrate, reference, and support the CIS Benchmarks™ and CIS Controls® content into their security product and service offering(s). Product Vendor Membership allows companies eligibility to certify their security product(s) after they have demonstrated that their products comply with the CIS Benchmark version and profile.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Certification must be awarded to denote conformance with the CIS Benchmarks Assessment Certification certifies a product's ability to accurately assess and report to the security recommendations in the associated CIS Benchmark(s).
Please see the information and steps below for preparing product(s) for Certification.
CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Assessment Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Assessment Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.
The CIS SecureSuite Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
A certification constitutes one CIS Benchmark and one Profile.
Steps to Submit
Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:
- Certification Request Type
- Tool Name
- Tool Version
- CIS Benchmark(s) & Profile(s)
- A brief description of your security software product that is being submitted for CIS Benchmarks Assessment Certification.
- A brief description of the internal testing process that effectively demonstrates how your security software product accurately and thoroughly checks/reports as compared to the relevant CIS Benchmark(s) and Profile.
- Include the spreadsheet with results of the testing. See below.
- Submit this information with the testing results referenced below via our support portal.
Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section.
The report/spreadsheet will contain the following data attributes:
- CIS Benchmark Recommendation #
- CIS Benchmark Recommendation Title
- Actual State (Pass/Fail)
- Failure State (Fail) This column should only include the fail status. Failures for each recommendation shows that the tool is capable of assessing each recommendation when it is not applied.
- Remediated State (Pass/Fail) This column can include either pass or fail. Any failures indicated in this column must be followed with:
- a detailed explanation of the failure;
- Exceptions provided should only be presented if a certain recommendation inhibits the Product Vendor Member’s tool from performance. No exceptions beyond those inhibiting performance will be accepted. CIS reserves the right to deny any Certifications based upon the exceptions provided. See Exception section listed below.
- Request for the recommendations exemption; and
- If possible other mitigation factors that can be applied in place of the recommendation.
- An exception list of any CIS Benchmark recommendation(s) for which your security software product does not check/report. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your security software product does not check/report for that recommendation(s).
Ensure that your testing recognizes that the CIS Benchmarks are the minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark.
CIS may also request a copy of the product for testing. If the product cannot be provided to CIS, a webcast can be set up for the Product Vendor Member to demonstrate conformance of the product to the designated Benchmark(s)/profile(s).
CIS will validate test results and upon achieving successful validation, CIS will provide the Certification award(s) via email. If incomplete or inaccurate test results are submitted, CIS will contact you to resolve the issues. This may result in a delay in awarding a Certification(s).
Award of CIS Certification and Timeline
- CIS Certification attests that your security software product’s reports enable a user to identify any and all differences between the actual configuration of a scanned system(s) and the associated CIS Benchmark’s security configuration recommendations.
- CIS Certification attests that a specific major version of your security software product accurately checks and reports the comparison of actual system configuration status to all of the scored recommendations in a specific, corresponding version of a CIS Benchmark.
- Award of CIS Certification is based initially on CIS’s review of a certification application and supporting materials that detail the testing and preparation conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for certification(s), CIS’s review is generally completed within two weeks.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.
You may market and sell your product(s) with the CIS Benchmarks Certified Badge corresponding to the specific certification type only after the respective product(s) has been awarded CIS Benchmarks Certification. CIS will provide the badge with the certification award email.
It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and certification requirements that not addressed in this document, please submit a request for assistance via our support portal , and we would be happy to discuss your particular circumstance and address your issues accordingly.
Access Instructions for CIS Benchmarks Assessment Recertification.