CIS Benchmarks Configuration Certification

CIS SecureSuite Product Vendor Membership gives product vendors the right to integrate, reference, and support the CIS Benchmarks™ and CIS Controls® content in their security product and service offering(s). Product Vendor Membership makes companies eligible to certify their security product(s) after they have demonstrated that their products comply with the CIS Benchmark version and profile.

In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Configuration Certification must be awarded to denote conformance with the CIS Benchmark. Configuration Certification certifies that a system’s configuration is in conformance with CIS Benchmark(s), assuring that a system’s performance will not be negatively impacted when the product is running in a CIS hardened environment.

Configuration Certification enables Product Vendor Members to implement “security by design” with the CIS Benchmarks built in, tested, and certified at the outset. Along with our other certifications, Configuration Certification provides Product Vendor Members a streamlined way to bring CIS Benchmark security to their customers. Use cases include:

  • Organization seeking certification to promote that their solution will run efficiently in a CIS hardened environment
  • Organization’s solution sold configured to CIS Benchmark(s) with assurance that their solution will run without impact on a CIS hardened environment
  • Organization’s solution configured to CIS Benchmark for said vendor product/offering (i.e., CIS Hardened Images®, infrastructure, stack)
  • One or more CIS Benchmark(s) configured within another product/offering (i.e., device ships secure)
  • Vendor service providing option to deploy configured environment to CIS Benchmark(s)

Please see the information and steps below for preparing product(s) for Certification.

CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Configuration Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Configuration Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.

The Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.

A certification constitutes one CIS Benchmark and one Profile.

Steps to Submit

Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:

  1. Summary
  2. Certification Request Type
  3. Company
  4. Tool Name
  5. Tool Version
  6. CIS Benchmark(s) & Profile(s): ____________________________
  7. Attach
    1. CIS-CAT report to show conformance to the CIS Benchmark version(s) and Profile(s) as applicable. If CIS-CAT is not applicable or does not provide coverage for the CIS Benchmark for which you are seeking certification, please submit and note accordingly so CIS Support can assist.
    2. Exception report, if applicable. A list of any CIS Benchmark recommendation(s) for which your system/device/appliance/platform does not meet a scored recommendation. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your product is not configured to meet that recommendation(s).
  8. A brief description of your system/device/appliance/platform hardened in compliance that is being submitted for CIS Benchmarks Configuration Certification.
  9. First Name
  10. Last Name
  11. Business Email Address

Upon submission you will receive an email confirming receipt. CIS may reach out to request access to check/test your product’s conformance to CIS Benchmark(s) and Profile(s). Please ensure that your configuration settings recognize that CIS Benchmarks are minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular CIS Benchmark’s recommendation(s) is considered to be in compliance with that particular CIS Benchmark.

Award of CIS Certification and Timeline

  1. CIS Certification attests that your product is configured according to the CIS Benchmark’s security configuration recommendations to the relevant IT system/asset.
  2. CIS Certification attests that a specific product accurately applies all of the scored recommendations in a specific, corresponding version of a CIS Benchmark and in the associated version of the CIS Configuration Assessment Tool (CIS-CAT) used to verify such IT system/asset.
  3. CIS Certification does not attest to your product’s ability to perform any other functions, including checking/scoring/reporting conformance/comparison with CIS Benchmark unless CIS Certification for such checking/scoring/reporting has also been awarded to your product.
  4. Award of CIS Certification is based initially on CIS’s review of a certification application and supporting materials that detail the testing and preparation conducted by your company.
  5. Depending on the number of CIS Certifications requested and when CIS receives an application for certification(s), CIS’s review is generally completed within two weeks.
  6. If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.

CIS may also contract for independent third-party validation of a solution’s ability to meet CIS Certification requirements. However, an initial award of CIS Certification will not be contingent upon the completion of any third-party testing.

You may market and sell your product(s) with the CIS Benchmarks Certified Badge corresponding to the specific certification type only after the respective product(s) has been awarded CIS Benchmarks Certification. CIS will provide the badge with the certification award email.

It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and certification requirements that are not addressed in this document, please contact CIS at [email protected], and we would be happy to discuss your particular circumstance and address your issues accordingly.
