CIS Certification – Product Conformance to CIS Benchmark
CIS (Center for Internet Security) Product Vendor Certification Membership makes companies eligible to certify their security product(s) after adapting such product(s) to conform with the security recommendations of an associated CIS Benchmark version and profile.
Preparing and Submitting for CIS Certification
Please see the information and steps below for preparing product(s) for CIS Certification.
CIS requires that a Product Vendor Member submit for CIS Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Certification against the previous Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent Benchmark version release.
The CIS Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
A certification constitutes one CIS Benchmark and one Profile.
Steps to Submit
Submit one certification per email with the following information:
- [Company] Product & Version or Development Build: _________________________
- CIS Benchmark(s) & Profile(s): ____________________________
- Contact person for Certification: ____________________________
- A brief description of your system/device/appliance/platform hardened in compliance that is being submitted for CIS Product Conformance Certification
- CIS-CAT’s report of the system/device/appliance/platform(s) conformance to the particular benchmark version and profile
- Provide access to your system/device/appliance/platform for testing the product’s conformance to CIS Benchmark(s) and Profile(s). Please ensure that your configuration settings recognize that CIS Benchmarks are minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark.
- A list of any CIS Benchmark recommendation(s) for which your system/device/appliance/platform does not meet a scored recommendation. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your product is not configured to meet that recommendation(s).
- Submit this information to email@example.com.
Award of CIS Certification and Timeline
- CIS Certification attests that your product is configured according to the CIS Benchmark’s security configuration recommendations to the relevant IT system/asset.
- CIS Certification attests that a specific product accurately applies all of the scored recommendations in a specific, corresponding version of a CIS Benchmark and in the associated version of the CIS Configuration Assessment Tool (CIS-CAT) used to verify such IT system/asset.
- CIS Certification does not attest to your product’s ability to perform any other functions, including checking/scoring/reporting conformance/comparison with CIS Benchmark unless CIS Certification for such checking/scoring/reporting has also been awarded to your product.
- Award of CIS Certification is based initially on CIS’s review of a Certification application and supporting materials that detail the testing and preparation conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for Certification(s), CIS’s review is generally completed within two weeks.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.
CIS may also contract for independent third party validation of a CIS-Certified security software product’s ability to meet Certification requirements. However, an initial award of CIS Certification will not be contingent upon the completion of any third party testing.
You may sell your product(s) with the CIS Product Vendor Member “Certified” Logo only after the respective product(s) has been awarded CIS Certification. CIS will provide the logo with the Certification award email.
It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and Certification requirements that are not addressed in this document, please contact CIS at firstname.lastname@example.org, and we would be happy to discuss your particular circumstance and address your issues accordingly.