CIS Benchmarks Remediation Certification
CIS SecureSuite Product Vendor Membership gives product vendors the right to integrate, reference, and support the CIS Benchmarks™ and CIS Critical Security Controls® (CIS Controls®) content into their security product and service offering(s). Product Vendor Membership allows companies eligibility to certify their security product(s) after they have demonstrated that their products comply with the CIS Benchmark version and profile.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Certification must be awarded to denote conformance with the CIS Benchmarks. CIS Benchmarks Remediation Certification certifies a product's capability to push remediation script to end point to configure to align to CIS Benchmark(s).
Please see the information and steps below for preparing product(s) for Certification.
CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Remediation Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Remediation Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.
The Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
A certification constitutes one CIS Benchmark and one Profile.
Steps to Submit
Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:
- Certification Request Type
- Tool Name
- Tool Version
- CIS Benchmark(s) & Profile(s)
- A brief description of your security software product that is being submitted for CIS Remediation Certification;
- A brief description of the internal remediation process that effectively demonstrates how your security software product accurately and thoroughly remediates an IT system/asset in accordance with the relevant CIS Benchmark(s) and Profile(s);
- Provide proof of remediation. Please ensure that your remediation settings recognize that CIS Benchmarks are minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark. Results of remediation can be provided to CIS in one of the following ways:
- Provide recording of your tools ability to remediate a system showing a system not in conformance, the applied remediation and the remediated system in conformance with specific benchmark(s) Video not to exceed 15 minutes and should only include evidence of remediation only.
- Provide CIS Support access to a lab environment with your security software product installed for testing product’s remediation capabilities by including process for access in your submission.
- Utilize Certification Spreadsheets to provide results of a system not in compliance and at the remediated state. Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section.
- Request for the recommendation’s exemption; and
- If possible, other mitigation factors that can be applied in place of the recommendation.
- The report/spreadsheet will contain the following data attributes:
- CIS Benchmark Recommendation #
- CIS Benchmark Recommendation Title
- Actual State (Pass/Fail)
- Failure State (Fail) This column should only include the fail status. Failures for each recommendation shows that the tool is capable of assessing each recommendation when it is not applied.
- Remediated State (Pass/Fail) This column can include either pass or fail. Any failures indicated in this column must be followed with:
- A detailed explanation of the failure;
- Exceptions provided should only be presented if a certain recommendation inhibits the tool from performance. No exceptions beyond those inhibiting performance will be accepted. CIS reserves the right to deny any Certifications based upon the exceptions provided. See Exception section listed below.
- A list of any CIS Benchmark recommendation(s) for which your security software product does not remediate. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your security software product does not remediate for that recommendation(s).
Ensure that your testing recognizes that the CIS Benchmarks are the minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark.
CIS may also request a copy of the product for testing. If the product cannot be provided to CIS, a webcast can be set up for the Product Vendor Member to demonstrate conformance of the product to the designated Benchmark(s)/profile(s).
CIS will validate test results and upon achieving successful validation, CIS will provide the Certification award(s) via email. If incomplete or inaccurate test results are submitted, CIS will contact you to resolve the issues. This may result in a delay in awarding a Certification(s).
Award of CIS Certification and Timeline
- CIS Certification attests that your security software product’s reports enable a user to identify any and all differences between the actual configuration of a scanned system(s) and the associated CIS Benchmark’s security configuration recommendations.
- CIS Certification attests that a specific major version of your security software product accurately checks and reports the comparison of actual system configuration status to all of the scored recommendations in a specific, corresponding version of a CIS Benchmark.
- Award of CIS Certification is based initially on CIS’s review of a certification application and supporting materials that detail the testing and preparation conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for certification(s), CIS’s review is generally completed within two weeks.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.
You may market and sell your product(s) with the CIS Benchmarks Certified Badge corresponding to the specific certification type only after the respective product(s) has been awarded CIS Benchmarks Certification. CIS will provide the badge with the certification award email.
It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and certification requirements that not addressed in this document, please submit a request for assistance via our support portal, and we would be happy to discuss your particular circumstance and address your issues accordingly.