CIS Benchmarks Assessment Certification
CIS Benchmark Certification Process for Product Vendors
To submit under the prior process, please contact your Account Manager.
Why Get Certified?
- Build Trust: Show customers your product meets globally recognized security standards.
- Market Advantage: Use the official CIS Benchmarks Certified Badge in your marketing.
- Stay Current: Demonstrate compliance with the latest CIS Benchmarks.
- Visibility: Get listed on the CIS website as a certified vendor.
*If the Member’s tool or product includes one or more CIS Benchmarks, the Member must obtain annual CIS Benchmarks Certification in advance of any sale, distribution, or marketing.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Certification must be awarded to denote conformance with the CIS Benchmark. CIS Benchmarks Assessment Certification certifies a product's ability to accurately assess and report against the security recommendations in the associated CIS Benchmark(s).
Please see the information and steps below for preparing product(s) for Certification.
The CIS SecureSuite Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
Step 1: Submit Annually
- Each tool and certification type (Assessment, Remediation, Configuration) must be submitted once per year.
- The annual submission will certify all Benchmarks identified for integration during your attestation process.
- Please note: certification only applies to actively supported Benchmarks. Archived Benchmarks are not available for certification.
- Example: Tool A (Assessment + Remediation), Tool B (Assessment) = 3 submissions.
Step 2: Meet Requirements
Your tool must:
- Automate 90% or more of benchmark recommendations (or have CIS approval if less, see additional guidance below).
- Accurately represent CIS recommendations and include QA/testing processes.
- Update to the latest benchmark version within 90 days of release.
- Provide screenshots showing manual recommendations or exceptions, or link to CIS Benchmarks PDF.
Step 3: Submit via Support Portal
- Go to Support → CIS Benchmarks Certification.
- Provide:
  - Company and contact information
  - Tool name and version
  - In the Benchmark field, please write “Provided during annual attestation process”.
    - Your Account Manager will supply the list on your behalf.
    - If you did not complete this during the attestation process or your list of integrated Benchmarks has changed, please contact your Account Manager.
- Select:
  - Request Type: Certification or List Update
    - Certification – use this option to submit your annual certification request.
    - List Update – use this option when additional Benchmarks have been integrated that were not included on the annual Benchmark list and need to be added to the list of integrated and certified Benchmarks.
      - This includes Benchmarks that were listed as Expected on the Benchmark list during the attestation process but not integrated when annual certification was submitted.
  - Certification Type: Assessment/Remediation/Configuration
- How can we support you? Please write a summary or description of the request.
  - Example: Annual certification submission
  - Example: Adding Benchmarks to certified product/tool
- Include in the Request Description the following information:
  - Initial testing processes summary
    - Explain how you verify your tool’s accuracy against CIS Benchmarks.
    - Example: “We validate accuracy by scanning two environments:
      - One hardened to 100% of CIS Benchmarks (should pass).
      - One non-hardened (should fail).
      - This confirms the tool reports expected results.”
  - QA process explanation after release
    - Describe your QA process for accuracy and reliability.
    - Example: “After developer testing, we repeat the same tests for validation and perform regression and release testing.”
  - Automation percentage attestation
    - Confirm your tool automates 90% or more of benchmark recommendations for the selected level.
    - If less than 90%, CIS approval is required.
    - Example: “The benchmark has 100 recommendations; 90 are automatable. Our tool automates at least 81 (90% of 90).”
  - Attestation to maintain the most recent Benchmark version
    - Confirm you will update to the latest CIS Benchmark version within 90 days of its release.
    - Example: “I attest that all CIS Benchmarks will be updated within 90 days of release.”
- Attach:
  - Screenshots of manual recommendations
    - All Benchmark information must be provided to the end user, including Benchmark recommendations that cannot be automated (manual recommendation or tool limitation). Product Vendor members are required to disclose these recommendations to the end user by clearly indicating that the tool cannot assess against all recommendations in the CIS Benchmark and the customer should refer to the CIS Benchmarks PDFs to identify which recommendations require manual assessment. A screenshot demonstrating how this information is shared with the end user must be included as an attachment to the certification ticket.
    - Option A (preferred): When capable, show all details of the manual and excluded recommendations – title, description, impact, audit, and remediation (remaining sections are optional).
    - Option B: If you are not able to show all details of the manual and excluded recommendation sections as described above, or if you are not able to show the manual and excluded recommendations at all, provide a link to the CIS Benchmarks webpage (https://www.cisecurity.org/cis-benchmarks) prominently within the tool to give users a pathway to access the free-for-non-commercial-use CIS Benchmarks PDFs for manual assessment. Use this language within your tool: “Not all recommendations from the CIS Benchmarks are included in this tool. Please refer to the CIS website to access the free CIS Benchmarks PDFs for manual assessment instructions.”
Step 4: If Under 90% Coverage
- If automated Benchmark coverage is less than 90%, please contact your Account Manager prior to submitting your certification request.
Step 5: Review & Approval
- CIS reviews submissions within ~2 weeks.
- Approved tools receive the CIS Certified Badge and can be marketed as certified.