Mapping and Compliance
At CIS, we believe in collaboration - that by working together, we can find real solutions for real threats. The CIS Controls and CIS Benchmarks grow more integrated every day through discussions taking place in our international communities and the development of CIS SecureSuite Membership resources. CIS Controls annotations have been completed for the following CIS Benchmarks:
- Microsoft Windows Server 2008, 2012, 2012 R2, & 2016
- Microsoft Windows 10
- Microsoft Windows 7 Workstation
- Red Hat Enterprise Linux 6 & 7
- CentOS Linux 6 & 7
Organizations often use multiple frameworks to guide their cybersecurity strategy. From the organizational policies and workflows laid out in the CIS Controls to the most detailed configuration checks in a CIS Benchmark, our resources are designed to work on their own or as companions to other frameworks:
"Where we get the biggest bang for our buck is in the CIS Controls. They help us to prioritize the other compliance frameworks."
- Security Analyst
Some of the world's biggest retailers use the CIS SecureSuite resources to help meet Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS Requirement 2 points directly to the CIS Benchmarks:
2.2.a. Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards—for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).
The CIS Benchmarks and CIS Controls can help with multiple aspects of PCI DSS compliance, including:
- 1.1 Firewall and Router Configurations
- 6.1 Patch Management
- 6.4 Change Control
- 7.1 Access Control
The National Checklist Program Repository recommends the CIS Benchmarks to federal agencies and other organizations working toward Federal Information Security Modernization Act (FISMA) compliance. CIS-CAT Pro, our automated configuration assessment tool, has been validated under the NIST Security Content Automation Protocol (SCAP) Validation Program to audit systems subject to FISMA requirements, with validation in the following capabilities:
- FDCC Scanner
- Authenticated Configuration Scanner
The European Union (E.U.) Regulation 2016/679, the General Data Protection Regulation (GDPR), becomes enforceable on May 25, 2018. Any organization that processes the personal data of individuals in the E.U., regardless of where the organization itself is located, is responsible for meeting these new requirements. Learn how CIS can help with GDPR Compliance.
The HIPAA Security Rule establishes the baseline for protecting the security of patient information within the healthcare industry. The CIS Controls are a recommended set of prioritized actions for cyber defense that provide actionable ways to stop today's most pervasive and dangerous attacks. The CIS Controls complement the HIPAA Security Rule and contain many of the same provisions; because the CIS Controls and Sub-Controls are updated regularly based on real-world attack patterns, they can also help healthcare organizations "round out" their cybersecurity program to address risks the HIPAA Security Rule does not cover.
Additionally, the CIS Benchmarks can be used to securely configure the workstations used to manage electronic protected health information (ePHI). Used together, the CIS Controls, the CIS Benchmarks and the HIPAA Security Rule help protect both patient data and the systems that handle it.
Department of Defense (DoD) Security Technical Implementation Guides (STIGs)
With CIS STIG Hardened Images, you can rely on CIS Benchmarks and Hardened Images for Department of Defense (DoD) STIG compliance.
A CIS STIG Benchmark maps the existing Level 1 and Level 2 profiles of the Benchmark to the corresponding STIG where applicable, and adds a Level 3 profile containing the additional recommendations needed to satisfy the STIG.
Guidance from the DoD indicates that CIS Benchmarks can be used in place of Security Technical Implementation Guides (STIGs), the configuration standards for DoD Information Assurance (IA) and IA-enabled devices and systems, for cloud workloads at Impact Level 2. The DoD Cloud Computing Security Requirements Guide (SRG), Version 1, Release 3 states:
Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.
Aerospace Industries Association (AIA)
AIA's new, voluntary National Aerospace Standard on cybersecurity (NAS 9933) consists of the 20 control families published by CIS (the CIS Controls) and two additional control families that AIA developed with Exostar. Each control family consists of several Sub-Controls, and within each family the Sub-Controls are categorized into five capability levels. The goals of the standard are to give industry partners an indication of a company's cybersecurity profile, as a way to measure that company's cybersecurity risk, and to align the fragmented and conflicting requirements that the Department of Defense (DoD) contracting process imposes on industry.
Additional security standards
Because the CIS Controls and CIS Benchmarks provide guidance addressing major cybersecurity needs such as asset classification, authentication methods and privileges, event logging, and encryption, they are also frequently used by organizations seeking compliance with:
- ISO/IEC 27002