Changes to CIS Benchmark Assessment/Recommendation Scoring
With hundreds of recommendations in each CIS Benchmark, automated assessment is the key to faster implementation of secure configuration at scale. To support this, the CIS security best practices team continues to make tooling improvements for CIS SecureSuite Members. Learn about some of the improvements the team has made with relation to automation.
CIS Benchmark Assessment Status
CIS Benchmark recommendations include an assessment status. The assessment status represents whether a CIS Benchmark recommendation can evaluate a system’s state with an automated check or requires manual investigation.
CIS Benchmark Recommendation Status Defined
- Manual – Requires manual steps to determine whether a system’s configured state is as expected. A pass/fail assessment result cannot be automatically achieved.
- Automated – System’s state can be automatically evaluated against the recommended state with a configuration assessment tool such as CIS-CAT Pro Assessor. A pass/fail assessment result can be automatically achieved.
When building CIS Benchmark automation content, CIS developers automate as much as possible. However, if the recommendation cannot be fully automated the status is left as “Manual.”
It’s important to note that the expected state can vary depending on the environment. For this reason, CIS SecureSuite Members have the option to tailor CIS Benchmarks with policies that more closely represent their organizational security policies. Learn how to customize CIS Benchmarks in CIS WorkBench Support Center.
Understanding the Importance of a “Manual” Recommendation Status
Automated assessment is the key to faster implementation, understanding conformance, and identifying misalignments with recommendations in CIS Benchmarks utilizing configuration assessment tools such as CIS-CAT Pro. When fully-automated state evaluation is not possible, organizations should not ignore manual steps needed for the full evaluation of a system’s security posture. Manual recommendations are equally important to automated.
For this reason, CIS-CAT Pro reports will offer more visibility into the manual recommendations to help ensure organizations can secure systems to all security recommendations covered in each CIS Benchmark. If an IT professional is only looking at the automated pass/fail assessment results, they may be leaving security gaps if they have not equally considered recommendations identified on reports as “Manual.”
This is a change in the CIS Benchmarks and CIS-CAT Pro. Older CIS Benchmark statuses utilized terminology represented as “Scored” and “Not Scored” where “Scored” = “Automated” and “Not Scored” = “Manual.” With the change to “Automated” and “Manual,” we hope to lessen confusion on the intent of the recommendation and evaluation method. In today’s complex world, we cannot assume that “pass” scores are the only goal when considering CIS Benchmark recommendations.
CIS-CAT Pro and CIS Benchmarks
CIS-CAT Pro Assessor v4 is a configuration assessment tool offered as part of CIS SecureSuite Membership. The tool evaluates posture information collected from a target against recommended policy settings expressed in machine-readable XML format. More than 80 CIS Benchmarks are accompanied by machine-readable XML content and are supported for automated configuration assessments in CIS-CAT Pro Assessor v4.
CIS-CAT Pro Assessor is designed to coordinate with CIS Benchmark automation content. When possible, it is used during the testing process in the CIS Benchmark development lifecycle. CIS-CAT’s top priority is to coordinate and remain consistent with CIS Benchmark formatting and terminology.
CIS-CAT Pro Configuration Assessment Output Changes
In an upcoming release, CIS-CAT Pro Assessor v4 will ensure that all recommendations with a scoring status of “Manual” will be present on CIS-CAT Pro result outputs. Currently, CIS-CAT Pro supports output formats for full assessment result scores in HTML, CSV, TXT, and XML. CIS-CAT also supports JSON format, but the results include only the automated recommendations with a result of “Fail.”
The overall scoring method of a CIS-CAT Pro Assessment report is not changing. However, there will be additional occurrences of recommendations with a “score” of “Manual” on the output reports. “Manual” recommendations will continue to be excluded from the overall score of the report since the score can only be calculated by considering the fully-automated recommendations.