CIS-CAT® FAQ

What is CIS-CAT?

CIS-Configuration Assessment Tool (CAT) is a configuration assessment tool that compares the configuration of target systems to the secure configuration settings recommended in machine-readable content. CIS-CAT can understand content that conforms with Security Content Automation Protocol (SCAP). The tool is designed to primarily assess against CIS Benchmark™ configuration recommendations. The tool provides a conformance report ranging from 0-100. Detailed output reports provide remediation guidance for each CIS Benchmark recommendation.

There are three versions of CIS-CAT:

  • CIS-CAT Lite: Our free version produces only HTML and supports a subset of CIS Benchmark assessments.
  • CIS-CAT Pro Assessor v4: Performs assessments over remote and local/shared internal networks.

Is CIS-CAT Pro v4 a NIST SCAP validated product?

No. CIS-CAT Pro Assessor v4 was built in conformance with NIST SCAP specifications, but has not yet been formally validated. CIS is planning to pursue validation in 2022.

CIS-CAT Pro Assessor v3, our SCAP 1.2 validated product, will be available in a limited capacity throughout 2022. Please contact us with your SCAP validation requirements.

What’s the difference between CIS-CAT Pro and CIS-CAT Lite?

CIS-CAT Pro offers multiple assessment reporting output formats (txt, csv, HTML, xml, json) and provides a conformance score for more than 80 CIS Benchmarks, while Lite only offers HTML output and a very limited set of CIS Benchmarks (Windows 10, Google Chrome, and Ubuntu). Review the full list of comparisons between Lite and Pro.

How does CIS-CAT work?

CIS-CAT is a Java-based application which quickly compares a target system’s configuration settings to the settings recommended in the CIS Benchmark: secure configuration guidelines for over 100 technologies. After downloading and executing CIS-CAT Pro or CIS-CAT Lite, the program will assess the configuration of the target system(s) against the chosen CIS Benchmark recommendation and provide a conformance report ranging from 0-100.

How can I access and utilize CIS-CAT?

Try CIS-CAT Lite for free by signing up to download it. Lite does not require a license key. However, features and content are limited.

To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab.

CIS-CAT Pro Assessor v4 and v4 Service require a license to unlock full features and CIS Benchmark content. See our deployment guide on how to apply your organization’s license key. One key is provided per organization.

What versions of Java do I need for CIS-CAT Pro?

See our CIS-CAT Assessor v4 and CIS-CAT Pro Dashboard configuration guides for up-to-date information on JRE/JDK requirements.

Is using Java with CIS-CAT Pro safe?

The security vulnerabilities reported are not about Java (the programming language). The vulnerabilities typically reported are in the Java sandbox, the privileged model intended to permit safe execution of untrusted code, and in the automatic execution of Java applets in a browser. Oracle uses the “Java” trademark both for the programming language and for the browser plugin that runs applets. CIS-CAT Pro uses the Java language because it offers the broadest possible platform portability. CIS-CAT Pro does not execute code in a browser, which is the source of most Java vulnerabilities.

Why is CIS-CAT a Java-based application?

To support the broadest possible portability, CIS-CAT is a Java application and requires an available Java Runtime Environment (JRE) to execute.

Do I have to buy a Java license to use CIS-CAT Pro?

No. CIS-CAT Pro works with OpenJDK, which is free and available at jdk.java.net. OpenJDK will continue to receive security updates.

What if my organization doesn’t allow me to use OpenJDK?

If OpenJDK does not meet your organization’s needs, Oracle Java releases can be obtained through My Oracle Support (MOS), and other locations by paying a license fee. For organizations requiring security updates to Java 8, these can be obtained by paying a nominal license fee to Oracle per server.

If I choose to buy a Java license, how do I keep this cost low?

Assessor v4 offers remote scanning, which means Java needs to be maintained only on a single server. This can help keep the cost of maintaining Java low.

What if my CIS-CAT report is not 100% compliant?

A passing score is based on your organization’s requirements and policies. If your organization can implement all of the security settings without negatively impacting your business applications or end users, then they should all be implemented. However, successfully implementing every security setting may be considered unrealistic for some organizations.

After a CIS-CAT report is produced and all applicable security recommendations have been implemented according to your organization’s requirements, it is recommended to include an exception report to document the justification as to why some recommendations were not applied. CIS-CAT Pro users may also customize these recommendations to meet organizational requirements by using the tailoring functionality available through CIS WorkBench or by manually altering content in the XCCDF file of a particular CIS Benchmark.

Does CIS-CAT Pro support assessment of remote systems?

Yes! With the release of CIS-CAT v4, remote assessments are now available! Review our CIS-CAT Pro Assessor v4 online documentation. Read our press release. View our webinar. CIS-CAT v4 also supports local and in-network scanning (Centralized) workflows for Windows and Linux.

Can content for CIS-CAT Pro be customized?

Yes, the content that CIS-CAT Pro uses can be customized, and customizations can be managed in two ways. Alterations to CIS-CAT Pro content can be made through the tailoring functionality within CIS WorkBench. Modifications can also be made manually in the XML content, such as the XCCDF or OVAL files in the CIS Benchmarks folder of the CIS-CAT Pro Assessor. Customizations of a CIS Benchmark can range from turning a recommendation on or off to tailoring a recommendation, such as password length, to align with your organization. Once the altered file is saved, the assessment runs against the modified content and the CIS-CAT report reflects the changes made.

What if the CIS Benchmark I am looking for is not available in CIS-CAT Pro?

If the CIS Benchmark you are looking to assess against is not available in CIS-CAT Pro, the assessment and documentation will have to be manual.

We are always looking for technology experts to help us develop content, review recommendations, and test the CIS Benchmarks. If interested, join a community or contact us at benchmarkinfo to enquire about the process. Join the CIS Member Benchmark Wish List Community and post your request.

Can CIS-CAT Pro be used to audit mobile device configurations?

CIS-CAT Pro is not currently built to assess mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms and can be audited, configured and remediated manually.

I have run CIS-CAT Pro and identified my areas of improvement. Now what?

CIS has developed build kits in an effort to save our Members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS build kits contain automated content to streamline this process.

For Windows, this automated content takes the form of group policy objects (GPOs), available to CIS SecureSuite Members via CIS WorkBench. Upon being downloaded, the GPOs can be unzipped and imported in your group policy management console. Customizations can also be made as the GPOs are not read-only. You can continue by applying the GPO to the appropriate organizational units or individual machines and push the configuration policy out. The chosen domain members will be reconfigured to be in compliance with the recommended settings in the benchmark.

For UNIX and Linux environments, our build kits take the form of basic shell scripts that can be run directly on the machine or through a tool of your choice. These scripts are run against the CIS Benchmark profile you intend to configure to; the script then executes and applies the secure CIS Benchmark settings. We recommend reviewing the README files accompanying the scripts, as they cover items that cannot be remediated by the automated shell script, such as partitioning file systems or limiting root access.

What is the CIS Controls Assessment Module?

The CIS Controls Assessment Module is a semi-automated way to measure your organization’s application of CIS Controls Implementation Group 1 in Windows 10 and Windows Server environments, assessing these Sub-Controls via a combination of scripts and survey questions. It runs inside of CIS-CAT Pro Assessor v4, leveraging Assessor’s ability to conduct both local and remote assessments.

What are CIS Controls Implementation Groups?

CIS Controls Implementation Groups are a new concept in V7.1 of the CIS Controls. Organizations self-assess into group 1, 2, or 3 based on the technical resources and personnel they have available, as well as the sensitivity and criticality of the data the organization handles. The Implementation Groups help prioritize which CIS Sub-Controls an organization should implement first. There are 43 Sub-Controls in Implementation Group 1; these are the basic cyber hygiene Sub-Controls and serve as a good starting place for organizations. To find out more about Implementation Groups, visit https://www.cisecurity.org/blog/v7-1-introduces-implementation-groups-cis-controls/.

Is the CIS Controls Assessment Module compatible with CIS-CAT?

Yes, the CIS Controls Assessment Module runs inside of CIS-CAT Pro Assessor v4. Output from the CIS Controls Assessment Module is compatible with all the familiar CIS-CAT Pro Dashboard features, enabling you to view individual assessment results and graphs showing how scores have changed over time.

To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab. Here, you’ll find the most recent version of CIS-CAT Pro pinned at the top of the page and available for download. Members can download CIS-CAT Pro Assessor v4 and CIS-CAT Pro Dashboard separately.

The Controls Assessment Module for Implementation Group 1 in Windows 10 and Windows Server is also available for free in CIS-CAT Pro Assessor v4 Lite, though the Lite version is not compatible with CIS-CAT Pro Dashboard. To access CIS-CAT Lite, download it here.

How do the automated checks work?

The automated checks utilize PowerShell scripts. In the CIS Controls Assessment Module v1.0.2, there are 13 automated Sub-Controls checks. Some of these checks have values that can be customized in the Assessor Properties file.

Why am I failing a particular automated check?

Each automated check is looking for something different. Refer to that check’s “Remediation” section for more information about the check and how to pass it. The “Remediation” section for each check is available in either the HTML output or the CIS-CAT Pro Dashboard output associated with each check. Additionally, the script output for each automated check can be viewed in the HTML output file by expanding the “Show Rule Result XML” under that check and looking between the and tags.

Will I need to change my PowerShell settings so that the CIS Controls Assessment Module can run?

You should not need to change your PowerShell settings. It is important to note that when calling PowerShell scripts, CIS-CAT Assessor invokes each script with “-ExecutionPolicy bypass”, temporarily bypassing the PowerShell execution policy for just that run of the script, without changing the system’s overall PowerShell Execution Policy. Additionally, the Unblock-File PowerShell command is run against the scripts when CIS-CAT Assessor calls them; this results in the CIS Controls Assessment Module scripts remaining unblocked/trusted even after the CIS Controls Assessment Module has run. These scripts are only designed to read configuration data from target systems. The use of “-ExecutionPolicy bypass” and “Unblock-File” is meant to contribute to a smoother user experience, but it is important that you consider any policy and security implications for your organization prior to running the CIS Controls Assessment Module.
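To verify those two side-effects on a given host, here is an added PowerShell example (not CIS-CAT's own code; the script folder path is a placeholder you must adjust): it snapshots the per-scope execution policy before and after a run, and lists which module scripts no longer carry the Zone.Identifier mark-of-the-web stream that Unblock-File removes.

```powershell
# Added example, not part of CIS-CAT. Assumes an NTFS volume and PowerShell 3+.

function Get-ExecutionPolicySnapshot {
    # Per-scope policies. A per-process "-ExecutionPolicy bypass" never writes to
    # these scopes, so snapshots taken before and after an Assessor run should match.
    Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }
}

function Get-ScriptBlockState {
    param([Parameter(Mandatory)][string]$ScriptRoot)
    # Unblock-File deletes the Zone.Identifier alternate data stream (mark-of-the-web).
    # A .ps1 with no such stream is "unblocked" and stays so after the module has run.
    Get-ChildItem -LiteralPath $ScriptRoot -Filter *.ps1 -Recurse | ForEach-Object {
        $motw = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        [pscustomobject]@{ Script = $_.FullName; Blocked = [bool]$motw }
    }
}

function Restore-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # Re-applies the Internet-zone marker so the file is treated as downloaded again.
    # An evidence/policy measure only: Assessor will unblock the file on its next run.
    Set-Content -LiteralPath $Path -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
}

# Usage: take a snapshot, run the CIS Controls Assessment Module, snapshot again.
$before = Get-ExecutionPolicySnapshot
# (run the CIS Controls Assessment Module between these two snapshots)
$after = Get-ExecutionPolicySnapshot
if (Compare-Object -ReferenceObject $before -DifferenceObject $after) {
    Write-Warning 'Execution policy scopes changed during the run'
} else {
    'Execution policy scopes unchanged by the run'
}

# Placeholder path: point this at the folder holding the module's .ps1 files.
Get-ScriptBlockState -ScriptRoot 'C:\Path\To\Assessor\scripts' |
    Where-Object { -not $_.Blocked } |
    Format-Table -AutoSize
```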

How do the survey questions work?

The non-automated Sub-Controls are assessed via survey questions. These are a series of 30 yes/no questions, one for each of the non-automated Sub-Controls. Answers to these survey questions can be saved in the Assessor Properties file (assessor-cli.properties), and these saved answers will be used for each assessment. If the organization changes its implementation status for a Sub-Control (i.e., implements a new Sub-Control), the corresponding saved answer can be updated in the Assessor Properties file and that new answer will be used for future assessments.

Alternatively, a question can be set to be answered interactively in the Assessor Properties file (by commenting out its answer line). This will result in the question being asked in the Assessor command prompt, once for each machine in the assessment. The user can enter a ‘y’ or ‘n’ for each of these questions, and these entered values will be used for the interactive questions rather than saved values from the Properties file.

Survey questions are yes/no. Affirmative answers can be provided with “y” or “yes” (case insensitive) and will result in a PASS for that Sub-Control check. Anything not recognized as an affirmative answer (yes), will be treated as a negative answer (no) and will result in a FAIL for that Sub-Control check.

Why aren’t all of the Sub-Controls automated?

Some Sub-Controls are more procedural in nature and don’t really lend themselves to being automated. For example, many of the Organizational Sub-Controls in CIS Controls 17-20 fall into this category. The CIS Controls Assessment Module uses survey questions so that organizations can still track their implementation of these Sub-Controls.

Why am I failing all of the survey questions?

The default saved answer for all survey questions is set to “no”; you should adjust these answers in the Assessor Properties file to reflect your organization’s implementation status for each Sub-Control survey question.

How do I run the CIS Controls Assessment Module?

You can assess Windows 10 and Windows Server endpoints using the CIS Controls Assessment Module in much the same way that you perform other assessments via the command line using supporting sessions and configuration files.

Which profiles are available in the CIS Controls Assessment Module?

The CIS Controls Assessment Module has three profiles available:

  • Automated checks only
  • Survey questions only
  • Automated checks and survey questions

Where can I find out more about using the CIS Controls Assessment Module?

More information is available in the CIS Controls Assessment Module User Guide.

How can I contribute to the development of the CIS Controls Assessment Module?

We welcome you to join the CIS Controls Assessment Module community on CIS WorkBench. There you can start a discussion, ask questions, and make comments or suggestions to help shape the future of the CIS Controls Assessment Module.

Want to learn more?

Join our next webinar to see CIS-CAT demonstrated by a developer. See Webinar Details.
