CIS Certification – Assessment for CIS Benchmark
CIS (Center for Internet Security) Security Software Vendor (SSV) Membership provides companies eligibility to certify their product(s) to accurately assess a system’s conformance with the security recommendations of an associated CIS Benchmark profile.
CIS requires that a Security Software Product Vendor Member (SSV) submit for CIS Certification against the most recently released version of a CIS Benchmark. However, CIS does recognize that an SSV Member may be in the middle of completing the necessary product testing when an update to a Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Certification against the previous Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent Benchmark version release; and (2) the SSV Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent Benchmark version release.
The CIS SSV Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
A certification constitutes one CIS Benchmark and one Profile.
Steps to Submit
Submit one certification per email with the following information:
- [Company] Product & Version: ____________________________
- Indicate which CIS Benchmark & Profile: ____________________________
- Contact person for Certification: ____________________________
- A brief description of your security software product that is being submitted for CIS Certification.
- A brief description of the internal testing process that effectively demonstrates how your security software product accurately and thoroughly checks/reports as compared to the relevant CIS Benchmark and Profile.
- Include the spreadsheet with results of the testing. See below.
- Submit this information with the testing results referenced below to firstname.lastname@example.org.
Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section.
The report/spreadsheet will contain the following data attributes:
- CIS Benchmark Recommendation #
- CIS Benchmark Recommendation Title
- Actual State (Pass/Fail)
- Failure State (Fail) This column should only include the fail status. Failures for each recommendation shows that the tool is capable of assessing each recommendation when it is not applied.
- Remediated State (Pass/Fail) This column can include either pass or fail. Any failures indicated in this column must be followed with:
- a detailed explanation of the failure;
- Exceptions provided should only be presented if a certain recommendation inhibits the SSV Member’s tool from performance. No exceptions beyond those inhibiting performance will be accepted. CIS reserves the right to deny any Certifications based upon the exceptions provided. See Exception section listed below.
- Request for the recommendations exemption; and
- If possible other mitigation factors that can be applied in place of the recommendation.
- An exception list of any CIS Benchmark recommendation(s) for which your security software product does not check/report. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your security software product does not check/report for that recommendation(s).
Ensure that your testing recognizes that the CIS Benchmarks are the minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark.
CIS may also request a copy of the product for testing. If the product cannot be provided to CIS, a webcast can be set up for the SSV Member to demonstrate conformance of the product to the designated Benchmark(s)/profile(s).
CIS will validate test results and upon achieving successful validation, CIS will provide the Certification award(s) via email. If incomplete or inaccurate test results are submitted, CIS will contact you to resolve the issues. This may result in a delay in awarding a Certification(s).
Award of CIS Certification and Timeline
- CIS Certification attests that your security software product’s reports enable a user to identify any and all differences between the actual configuration of a scanned system(s) and the associated CIS Benchmark’s security configuration recommendations.
- CIS Certification attests that a specific major version of your security software product accurately checks and reports the comparison of actual system configuration status to all of the scored recommendations in a specific, corresponding version of a CIS Benchmark.
- CIS Certification does not attest to your security software product’s ability to perform any other functions, including any system hardening or remediation capabilities.
- Award of CIS Certification is based initially on CIS’s review of a Certification application and supporting materials that detail the testing conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for Certification(s), CIS’s review is generally completed within two weeks of receiving the CIS provided spreadsheet.
a. This completion time will be extended if the certification submission exceeds the ten certification requests per week limitation.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) can take longer than two weeks.
- CIS may also contract for independent third party validation of a CIS-Certified security software product’s ability to meet Certification requirements. However, an initial award of CIS Certification will not be contingent upon the completion of any third party testing.
You may sell your product(s) with the CIS Product Vendor Member “Certified” Logo only after the respective product(s) has been awarded CIS Certification. CIS will provide the logo with the Certification award email.
It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and Certification requirements not addressed in this document, please contact CIS at email@example.com. We would be happy to discuss your particular circumstance and address your issues accordingly.