CIS Benchmarks Remediation Certification
CIS SecureSuite Product Vendor Membership gives product vendors the right to integrate, reference, and support the CIS Benchmarks™ and CIS Critical Security Controls® (CIS Controls®) content in their security product and service offering(s). Product Vendor Membership makes companies eligible to certify their security product(s) after they have demonstrated that their products comply with the CIS Benchmark version and profile.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Certification must be awarded to denote conformance with the CIS Benchmarks. CIS Benchmarks Remediation Certification certifies a product's capability to push remediation scripts to an endpoint so that its configuration aligns with the CIS Benchmark(s).
Please see the information and steps below for preparing product(s) for Certification.
CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Remediation Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Remediation Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.
The Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
A certification constitutes one CIS Benchmark and one Profile.
Steps to Submit
Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:
- Certification Request Type
- Tool Name
- Tool Version
- CIS Benchmark(s) & Profile(s)
- A brief description of your security software product that is being submitted for CIS Remediation Certification;
- A brief description of the internal remediation process that effectively demonstrates how your security software product accurately and thoroughly remediates an IT system/asset in accordance with the relevant CIS Benchmark(s) and Profile(s);
- Provide proof of remediation. Please ensure that your remediation settings recognize that CIS Benchmarks are minimum due diligence security standards. Thus, a technical security control that is configured for a higher level of security than that recommended by a particular Benchmark recommendation is considered to be in compliance with that Benchmark. Results of remediation can be provided to CIS in one of the following ways:
  - Provide a recording of your tool's ability to remediate a system, showing a system not in conformance, the applied remediation, and the remediated system in conformance with the specific benchmark(s). The video must not exceed 15 minutes and should include evidence of remediation only.
  - Provide CIS Support access to a lab environment with your security software product installed for testing the product's remediation capabilities, including the process for access in your submission.
  - Utilize Certification Spreadsheets to provide results of a system not in compliance and at the remediated state. Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section. The report/spreadsheet will contain the following data attributes:
    - CIS Benchmark Recommendation #
    - CIS Benchmark Recommendation Title
    - Actual State (Pass/Fail)
    - Failure State (Fail): this column should only include the fail status. A failure for each recommendation shows that the tool is capable of assessing that recommendation when it is not applied.
    - Remediated State (Pass/Fail): this column can include either pass or fail. Any failure indicated in this column must be followed with:
      - A detailed explanation of the failure;
      - A request for the recommendation's exemption; and
      - If possible, other mitigation factors that can be applied in place of the recommendation.
      Exceptions should only be presented if a certain recommendation prevents the tool from functioning. No exceptions beyond those that prevent the tool from functioning will be accepted. CIS reserves the right to deny any Certification based upon the exceptions provided. See the Exception section listed below.
- A list of any CIS Benchmark recommendation(s) that your security software product does not remediate. Please include an explanation for each such recommendation regarding why your security software product does not remediate it.
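The data-attribute rules above (Failure State may only hold Fail; any Fail in Remediated State needs an explanation and an exemption request) can be checked before submission. The following pre-submission checker is an added example, not CIS code or the CIS WorkBench spreadsheet; the column headers and the CSV rows are constructed assumptions that you would map onto the real spreadsheet export.

```python
"""Pre-submission sanity check for a remediation certification results table.

Added example, not CIS code. Column names are assumed to mirror the data
attributes listed above; the rows in SAMPLE_CSV are constructed sample data.
"""
import csv
import io

# Constructed sample export (not real benchmark results). Recommendation numbers
# and titles are placeholders in the CIS numbering style.
SAMPLE_CSV = """Recommendation #,Recommendation Title,Actual State,Failure State,Remediated State,Explanation,Exemption Requested,Mitigating Factors
1.1.1,Ensure password expiration is 365 days or less,Fail,Fail,Pass,,,
1.1.2,Ensure minimum password length is 14 or more,Fail,Fail,Pass,,,
2.3.4,Ensure remote login is disabled,Fail,Pass,Pass,,,
5.2.1,Ensure service X is disabled,Fail,Fail,Fail,Service required by product agent,Yes,Host firewall limits exposure
5.2.2,Ensure audit logging is enabled,Fail,Fail,Fail,,,
"""

VALID_STATES = ("Pass", "Fail")


def validate_rows(rows):
    """Return (recommendation, problem) tuples; an empty list means the table is clean."""
    problems = []
    for r in rows:
        rec = r["Recommendation #"]
        if r["Actual State"] not in VALID_STATES:
            problems.append((rec, "Actual State must be Pass or Fail"))
        # Failure State exists to prove the tool detects each recommendation when it
        # is not applied, so it may only ever contain Fail.
        if r["Failure State"] != "Fail":
            problems.append((rec, "Failure State must be Fail"))
        if r["Remediated State"] not in VALID_STATES:
            problems.append((rec, "Remediated State must be Pass or Fail"))
        elif r["Remediated State"] == "Fail":
            # A remaining failure must carry an explanation and an exemption request;
            # mitigating factors are optional, so they are not enforced here.
            if not r["Explanation"].strip():
                problems.append((rec, "Remediated State is Fail but no explanation given"))
            if r["Exemption Requested"].strip().lower() != "yes":
                problems.append((rec, "Remediated State is Fail but no exemption requested"))
    return problems


def validate_csv(text):
    """Validate a CSV export of the results table."""
    return validate_rows(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    for rec, msg in validate_csv(SAMPLE_CSV):
        print(f"{rec}: {msg}")
```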