Mapping and Compliance with the CIS Benchmarks
Collaboration Enhances Cybersecurity Compliance
At CIS, we believe in collaboration – by working together, we find real solutions for real cybersecurity threats. Our cybersecurity best practices grow more integrated every day through discussions taking place in our international communities and in the development of CIS SecureSuite Membership resources.
The cybersecurity best practices and tools developed by CIS can assist organizations who are working towards compliance. From the most detailed configuration checks in a CIS Benchmark to the organizational policies and workflows laid out in the CIS Controls, our resources are developed to work well as stand-alone resources or as companions to additional frameworks.
CIS Benchmarks – Consensus-developed secure configuration guidelines for hardening operating systems, servers, cloud environments, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.
CIS Controls & CIS Benchmarks Working Together – At a higher level of abstraction are the CIS Controls, a prioritized set of actions to strengthen your cybersecurity posture. The CIS Benchmarks provide mappings, where applicable, to the CIS Controls. As we release new and updated content, CIS maps Benchmark recommendations to the latest version of the CIS Controls. Because many security and compliance frameworks require or recommend the use of secure configurations, such as the CIS Benchmarks, implementation can also help you work towards compliance.
CIS-CAT Pro – Combines the powerful security guidance of the CIS Controls and CIS Benchmarks into an assessment tool. Leveraging the CIS-CAT Pro Assessor and Dashboard components, users can view conformance to best practices and improve compliance scores over time.
Framework Mappings
Below are just some of the frameworks that mention the CIS Benchmarks:
Payment Card Industry Data Security Standard (PCI DSS)
The CIS Benchmarks can help with multiple aspects of PCI DSS compliance. Some of the world’s biggest retailers use resources included in CIS SecureSuite to help meet PCI DSS requirements. PCI DSS Requirement 2.2 points directly to the CIS Benchmarks, for example:
2.2 System components are configured and managed securely. Sources for guidance on configuration standards include but are not limited to: Center for Internet Security (CIS), International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), Cloud Security Alliance, and product vendors.
Department of Defense (DoD) Cloud Computing Security Requirements Guide (CC SRG)
References the CIS Benchmarks as an acceptable alternative to the Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs) for Impact Level 2 (Section 5.5.1):
Impact level 2: While the use of STIGs and SRGs by CSPs is preferable, industry standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.
Impact level 4/5/6: STIGs are applicable if the CSP uses the product a STIG addresses. SRGs are applicable in lieu of STIGs if a product-specific STIG is not available. However, the SP 800-53 control applies whether or not a STIG or SRG is available. While the DoD level 4/5/6 value for CM-6 is to use DoD SRGs and STIGs as applicable, DISA will evaluate the CSP's usage of commercial equivalencies (e.g., CIS Benchmarks) on a case-by-case basis.
Federal Risk and Authorization Management Program (FedRAMP)
Lists the CIS Benchmarks as guidelines to use if the U.S. government configuration guidelines are not available for a specific platform.
Federal Financial Institutions Examination Council (FFIEC)
The Cybersecurity Resource Guide for Financial Institutions from the Federal Financial Institutions Examination Council (FFIEC) outlines resources to help financial institutions strengthen their resilience to cyber threats, and it references the CIS Benchmarks as one such resource for safeguarding systems.
National Checklist Program Repository
The National Checklist Program Repository (NCP), defined by NIST SP 800-70, is the U.S. government repository of publicly available security checklists (or benchmarks) that provide detailed, low-level guidance on setting the security configuration of operating systems and applications. The NCP includes the CIS Benchmarks, making them available to federal agencies and other organizations working toward FISMA compliance.
Several NIST Publications
Several publications from the National Institute of Standards and Technology (NIST) directly reference the CIS Benchmarks. Two examples are:
- NIST Special Publication 800-190 | Application Container Security Guide
Section 4.4.3 Insecure container runtime configurations of NIST SP 800-190 states:
Organizations should automate compliance with container runtime configuration standards. Documented technical implementation guidance, such as the Center for Internet Security Docker Benchmark [20], provides details on options and recommended settings, but operationalizing this guidance depends on automation. Organizations can use a variety of tools to “scan” and assess their compliance at a point in time, but such approaches do not scale. Instead, organizations should use tools or processes that continuously assess configuration settings across the environment and actively enforce them.
- NIST Special Publication 800-128 | Guide for Security-Focused Configuration Management of Information Systems
Section 3.1 Planning of NIST SP 800-128 states that SecCM [security-focused configuration management] procedures address the following, as applicable:
Common Secure Configurations – Identifies commonly recognized and standardized secure configurations to be applied to configuration items. The common secure configurations specified in the procedure are derived from established federal, organizational, or industry specifications (the National Checklist Program contains references to common secure configurations such as the United States Government Configuration Baseline (USGCB), Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) Benchmarks, etc.).