CIS Benchmarks End of Life for Unsupported Technologies
In addition to being costly and troublesome, the continued use of unsupported technologies can expose your organization to security risks. Patching known vulnerabilities is an important part of any cyber hygiene program, as explained in CIS Controls Implementation Group 1. This becomes challenging or impossible when a vendor stops supporting a technology. Accordingly, CIS will discontinue CIS Benchmarks for technologies that are no longer supported by the vendor.
What End of Life Means for CIS Benchmarks
End of life is the date when a vendor stops delivering and supporting a particular version of their technology. CIS is working to align and plan accordingly to the vendor’s end of life plans for their products, including any extended support by the vendor. CIS will deprecate the related CIS Benchmarks. Once done, these CIS Benchmarks will be considered the final release.
We understand that not every organization has the ability to remain current with the latest release. Accordingly, CIS will continue to make the deprecated CIS Benchmarks and associated resources available. However:
- Deprecated CIS Benchmarks will be archived and no longer supported by CIS through the consensus process
- Deprecated CIS Benchmarks will not be incorporated into future releases of CIS-CAT Pro
CIS will plan accordingly to deprecate the CIS Benchmark and publish a final release (as needed) as it becomes aware that end of life is approaching for specific technologies. The final release will include derivatives such as the CIS Build Kit and assessment content (XCCDF/OVAL) as applicable.
CIS Benchmarks Community and Open Tickets
The CIS Benchmark Developer Lead will review any open tickets for CIS Benchmarks that are no longer supported by the vendor. An update will be published to address any outstanding issues. This will be the final release of that particular technology version of the CIS Benchmark.
CIS-CAT Pro Support
The final release assessment content version for a CIS Benchmark that has reached end of life will be integrated into CIS-CAT Pro for one release. The following CIS-CAT Pro release will exclude the end of life CIS Benchmark. The associated files needed for the automated assessment will be available in a compressed file on CIS WorkBench.
If you need to continue to use the end of life content, we recommend utilizing the CIS-CAT Pro version for which the CIS Benchmark was last supported. The end of life CIS Benchmarks may continue to work with newer versions of CIS-CAT Pro, but are not officially supported.
Obtain the end of life content, information regarding the last applicable CIS-CAT Pro version, and CIS Benchmarks not accompanied by a final release but have reached end of life on CIS WorkBench.
Tailoring and Exporting
CIS Benchmarks that move to end of life will be available for download on the public CIS website, and if available, on CIS WorkBench. Some older content is only available in PDF format on the public CIS website.
CIS Benchmarks that are available on CIS WorkBench can be tailored and exported according to the options available for that technology.
CIS Hardened Images in the Cloud
CIS Hardened Images will continue to be available in cloud service provider (CSP) marketplaces for up to 90 days after a related CIS Benchmark reaches end of life. After that time, the CIS Hardened Image will be removed from the CSP marketplaces.
For a complete list of CIS Benchmarks that are currently end of life, along with their supported derivatives, see the CIS WorkBench Support Center.