CIS Certification – Remediation

CIS (Center for Internet Security) Security Software Vendor-Remediation (SSV-R) Membership makes a company eligible to certify its security remediation product(s) once those product(s) have been adapted to accurately remediate an IT system’s/asset’s configuration in conformance with the security recommendations of an associated CIS Security Benchmark profile. Below are the steps an SSV-R Member must take to prepare, submit and obtain a CIS Certification Award.

CIS requires that an SSV-R Member submit for CIS Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that an SSV-R Member may be in the process of completing the necessary product testing when an update to a Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Certification against the previous Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent Benchmark version release; and (2) the SSV-R Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent Benchmark version release.

The CIS Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.

A certification constitutes one CIS Benchmark and one Profile.

Steps to Submit

Submit one certification per email with the following information:

  1. [Company] Product & Version: ____________________________
  2. CIS Benchmark(s) & Profile(s): ____________________________
  3. Contact person for Certification: ____________________________
  4. A brief description of your security software product that is being submitted for CIS Remediation Certification;
  5. A brief description of the internal remediation process that effectively demonstrates how your security software product accurately and thoroughly remediates an IT system/asset in accordance with the relevant CIS Benchmark(s) and Profile(s);
  6. Proof of remediation. Please ensure that your remediation settings recognize that CIS Benchmarks are minimum due diligence security standards: a technical security control that is configured for a higher level of security than that recommended by a particular Benchmark recommendation is considered to be in compliance with that Benchmark. Results of remediation can be provided to CIS in one of the following ways:
    1. Provide a recording of your tool’s ability to remediate a system, showing a system not in conformance, the applied remediation, and the remediated system in conformance with the specific benchmark(s). The video must not exceed 15 minutes and should include only evidence of remediation.
    2. Provide CIS Support with access to a lab environment in which your security software product is installed, so that CIS can test the product’s remediation capabilities; include the access procedure in your submission.
    3. Use the Certification Spreadsheets to provide results for the system in its non-compliant state and in its remediated state. Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section. The report/spreadsheet will contain the following data attributes:
      • CIS Benchmark Recommendation #
      • CIS Benchmark Recommendation Title
      • Actual State (Pass/Fail)
      • Failure State (Fail): this column should only include the fail status. A failure for each recommendation shows that the tool is capable of assessing each recommendation when it is not applied.
      • Remediated State (Pass/Fail): this column can include either pass or fail. Any failure indicated in this column must be followed with:
        • a detailed explanation of the failure;
        • a request for exemption of the recommendation; and
        • if possible, other mitigating factors that can be applied in place of the recommendation.
      Exceptions should only be presented if a certain recommendation inhibits the SSV Member’s tool from performing. No exceptions beyond those inhibiting performance will be accepted. CIS reserves the right to deny any Certification based upon the exceptions provided. See the Exception section listed below.
  7. A list of any CIS Benchmark recommendation(s) that your security software product does not remediate. Please include, for each such recommendation, an explanation of why your security software product does not remediate it.
  8. Submit this information to support@cisecurity.org.

Award of CIS Certification and Timeline

  1. CIS Certification attests that your security software product’s remediation capability enables a user to apply the associated CIS Benchmark’s security configuration recommendations to the relevant IT system/asset.
  2. CIS Certification attests that a specific major version of your security software remediation product accurately applies all of the scored recommendations in a specific, corresponding version of a CIS Benchmark and in the associated version of the CIS Configuration Assessment Tool (CIS-CAT) used to verify such IT system/asset remediation.
  3. CIS Certification does not attest to your security software product’s ability to perform any other functions, including checking/scoring/reporting conformance/comparison with CIS Benchmark unless CIS Certification for such checking/scoring/reporting has also been awarded to your security software product.
  4. Award of CIS Certification is based initially on CIS’s review of a Certification application and supporting materials that detail the testing and preparation conducted by your company.
  5. Depending on the number of CIS Certifications requested and when CIS receives an application for Certification(s), CIS’s review is generally completed within two weeks.
  6. If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.

CIS may also contract for independent third party validation of a CIS-Certified security software product’s ability to meet Certification requirements. However, an initial award of CIS Certification will not be contingent upon the completion of any third party testing.

You may release your product(s) with the CIS SSV-R Member “Certified” Logo only after the respective product(s) has been awarded CIS Certification. CIS will provide the logo with the Certification award email.

Recertification for Remediation

Recertifications differ from Certifications in that they are not deducted from an SSV-R Member’s allotted annual Certification total.

Recertification applies when product/offering:

  • Has not been altered in any way that may impact the product's ability to accurately remediate a given asset's conformance with the CIS Benchmark(s) version(s) and profile(s) for which Recertification is being submitted;
  • Is not a major version release of the product;* and
  • Has previously received Certification for the CIS Benchmark(s) version(s) and profile(s) being submitted.

Please note that a major version release of a CIS Benchmark requires a new CIS Certification. (An example of a “major version release” would be the release of CIS Windows 7 Benchmark v2.0.0 to replace the previous version of CIS Windows 7 Benchmark v1.2.0.)

*In certain circumstances, a major version release of a product may occur but without changes having been made to the product’s ability to remediate a given IT system/asset’s conformance with the CIS Benchmark(s) version(s) and profile(s) for which the product is being submitted for Recertification. If this is the case and the Recertification is for the CIS Benchmark(s) version(s) and profile(s) previously Certified, then a Recertification request may be submitted. For this type of Recertification, CIS will request a lab environment for the particular technology. Please contact CIS at support@cisecurity.org if you have any questions.

Steps to Submit for Recertification

To submit for Recertification, please submit your request to support@cisecurity.org using the following email template:

[Begin email template]

By submitting this request for CIS Recertification, [Company] agrees that the Product/Tool being submitted for Recertification:

  • Has not been altered in any way that may impact the product's ability to accurately remediate a given asset's conformance with the CIS Benchmark(s) version(s) and profile(s) for which Recertification is being submitted;
  • Is not a major version release of the product;* and
  • Has previously received Certification for the CIS Benchmark(s) version(s) and profile(s) being submitted.

[Company] would like to apply for Recertification for the following:

  • [Company] Product & Version: ____________________________
  • CIS Benchmark(s) & Profile(s): ____________________________
  • Contact person for Recertification: __________________________

This submission for Recertification is in compliance with the Recertification requirements included above and in conformance with the CIS Certification Membership Agreement.

[End email template]

It is CIS’s intent to provide and preserve membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions, or particular circumstances related to your product and Certification requirements that are not addressed in this document, please contact CIS at support@cisecurity.org; we would be happy to discuss your particular circumstance and address your issues accordingly.
