How CIS & ATO on AWS Can Ease the Compliance Process

Cybercriminals target public sector organizations every day. From ransomware attacks to data theft, systems need defense-in-depth best practices and modern computing solutions to fend off cyber threats. Luckily, the Center for Internet Security (CIS) participates in the Amazon Web Services (AWS) Authority to Operate (ATO) program. ATO’s partner-driven process helps organizations converge common cloud security frameworks to simultaneously address both security and compliance requirements.

CIS’s participation in the ATO program is just one part of a larger collaboration with AWS. Through this strong relationship, CIS offers tools, guidance, and resources to help organizations leverage the power of AWS cloud computing.

AWS Security Automation and Orchestration (SAO)

CIS and other Amazon Web Services Partner Network (APN) partners worked with AWS to develop the AWS Security Automation and Orchestration (SAO) methodology. By following the SAO methodology, AWS customers can accelerate ATO and create an automated capability to maintain accreditations of their workloads. These are proven techniques, delivered through reusable artifacts, tools, and pre-built templates.

SAO enables AWS customers to constrain, track, and publish continuous risk treatments (CRT). CRT is a process and technology approach that uses AWS services and partner solutions to detect, maintain, and correct security, compliance, and threats.

CIS plays a key role in SAO through the CIS Benchmarks, consensus-based configuration guidelines for technologies. Numerous security frameworks including FedRAMP, DoD Cloud Computing SRG, and PCI DSS reference CIS Benchmarks as an acceptable standard to help meet compliance. The CIS Benchmarks help simplify and accelerate compliance authorization and management, and are available for free download in PDF format.


CIS Working in Partnership with AWS

In addition to the ATO program, CIS works closely with AWS to help organizations operate safely in the cloud. To develop our consensus-based CIS Benchmarks, CIS leads a community of cybersecurity professionals who contribute their expertise. AWS is one of the vendor organizations that participate in the CIS Benchmark communities. Its expertise helps develop and maintain many of the CIS Benchmarks for Amazon products. For example, the CIS AWS Foundations Benchmark provides account-level security recommendations for the AWS cloud.

Additionally, the CIS AWS End User Compute Services Benchmark includes configuration recommendations for Amazon WorkSpaces, Amazon WorkDocs, Amazon AppStream 2.0, and Amazon WorkLink.

Cloud Security Resource for Regulatory Framework Compliance

What’s more, CIS builds the CIS Benchmark configuration standards into virtual machine images available in AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud Marketplaces. These pre-configured, hardened images help with regulatory framework compliance for operating systems and container environments. In addition to the secure Benchmark configuration standards, every CIS Hardened Image includes a CIS-CAT Pro assessment report. This report allows organizations to easily display evidence of CIS Benchmark compliance and, by extension, of compliance with the regulatory frameworks that reference the Benchmarks. Since 2015, CIS Hardened Images have helped protect just over 1 billion compute hours on the AWS cloud.