Mapping and Compliance
At CIS, we believe in collaboration - that by working together, we can find real solutions for real threats. The CIS Controls and CIS Benchmarks grow more integrated every day through discussions taking place in our international communities and the development of CIS SecureSuite Membership resources. CIS Controls annotations have been completed for the following CIS Benchmarks:
- Microsoft Windows Server 2008, 2012, 2012 R2, & 2016
- Microsoft Windows 10
- Microsoft Windows 7 Workstation
- Red Hat Enterprise Linux 6 & 7
- CentOS Linux 6 & 7
Organizations often use multiple frameworks to guide their cybersecurity strategy. From the organizational policies and workflows laid out in the CIS Controls to the most detailed configuration checks in a CIS Benchmark, our resources are developed to work well as stand-alone resources or as companions to additional frameworks:
"Where we get the biggest bang for our buck is in the CIS Controls. They help us to prioritize the other compliance frameworks."
- Security Analyst
Some of the the world's biggest retailers use the CIS SecureSuite resources to help meet Payment Card Industry Data Security Standard (PCI DSS) requirements. PCI DSS Requirement 2 points directly to the CIS Benchmarks:
2.2.a. Examine the organization’s system configuration standards for all types of system components and verify the system configuration standards are consistent with industry accepted hardening standards—for example, SysAdmin Audit Network Security (SANS), National Institute of Standards and Technology (NIST), and the Center for Internet Security (CIS).
The CIS Benchmarks and CIS Controls can help with multiple aspects of PCI DSS compliance, including:
- 1.1 Firewall and Router Configurations
- 6.1 Patch Management
- 7.1 Access Control
- 6.4 Change Control
The National Checklist Program Repository recommends the CIS Benchmarks to federal agencies and other organizations trying to meet Federal Information Security Modernization Act (FISMA) compliance. CIS-CAT Pro, our automated configuration assessment tool, has been validated by the NIST Security Content Automation Protocol (SCAP) to audit systems subject to FISMA requirements in the following categories:
- FDCC Scanner
- Authenticated Configuration Scanner
The European Union (E.U.) Regulation 2016/679 GDPR (General Data Protection Regulation) becomes enforceable on May 25, 2018. Any organization which holds E.U. citizen data, regardless of its location, is responsible for following these new guidelines.
Aerospace Industries Association (AIA)
AIA’s new, voluntary National Aerospace Standard on cybersecurity (NAS 9933) consists of 20 control families published by CIS and two additional control families AIA developed with Exostar. Each control family consists of several sub-controls better known as the CIS Controls and within each family, the CIS Controls have been categorized into five capability levels. The goals of the standard are to provide industry partners an indication of a company’s cybersecurity profile as a way to measure a company’s cybersecurity risk and to align the fragmented and conflicting requirements that the Department of Defense (DOD) contracting process imposes on industry.
Additional security standards
Because the CIS Controls and CIS Benchmarks provide guidance addressing major cybersecurity needs such as asset classification, authentication methods and privileges, event logging, and encryption, they are also frequently used by organizations seeking compliance with:
- ISO / IEC 27002