How to Meet STIG Compliance and Achieve OS Security with CIS

Organizations tasked with meeting regulatory framework compliance know the difficulties they will face. On top of the resource hours, ensuring compliance can be costly. Public sector organizations, as well as their contractors and consultants, also understand the importance of Defense Information Security Agency Security Technical Implementation Guide (DISA STIG) compliance. These configuration standards apply to DoD Information Assurance (IA) and IA-enabled devices/systems.

The Center for Internet Security (CIS) builds CIS Benchmarks and CIS Hardened Images mapped to these guides to make DISA STIG compliance easier.

CIS Benchmarks and Hardened Images for OS Security

CIS maintains more than 100 secure configuration guidelines across 25+ product families. This prescriptive guidance is developed by communities of cybersecurity experts. In fact, CIS manages the communities that develop the only consensus-based cybersecurity guidelines both created and accepted by industry, government, academia, and business. Notably, one of the largest areas of CIS Benchmark technology coverage is operating systems.

In addition to utilizing CIS Benchmarks for OS security, organizations can turn to CIS Hardened Images for security in the cloud. These pre-configured virtual machine images bring CIS Benchmark configurations to the public cloud. Every CIS Hardened Image includes a CIS-CAT Pro assessment report to quickly provide evidence of compliance. Also, CIS patches these VMs regularly for vulnerabilities. CIS Hardened Images are available on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Marketplaces.

OS Security and DISA STIG Compliance from CIS

While complying with regulatory frameworks like PCI DSS, HIPAA, DoD Cloud Computing SRG, and DISA STIGs can be challenging, these frameworks recognize CIS Benchmarks as an acceptable standard to help meet compliance. And CIS Hardened Images already apply these standards to virtual machine images, saving both time and resources.

More specifically, guidance from the DoD Cloud Computing SRG indicates CIS Benchmarks are an acceptable alternative in place of STIGs. The DoD Cloud Computing SRG, Version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations still must utilize STIGs for DoD IA and IA-enabled devices/systems. That’s why CIS offers CIS Benchmarks mapped directly to STIG standards for OS security. Furthermore, CIS builds CIS Hardened Images to CIS STIG Benchmark standards. Thus, these virtual machine images also provide OS security to help meet STIG compliance in the public cloud.


What’s New: CIS STIG Compliance Resource Updates

If you’re familiar with CIS STIG resources, you’ll now find structural updates to the profiles. Previously, the CIS STIG Benchmarks included a Level 3 profile to address recommendations needed to meet STIG compliance not covered in Levels 1 and 2. Now, a new STIG profile will replace the Level 3 profile. This new STIG profile allows users to easily identify all recommendations specific to the STIG. Overlaps from other profiles, i.e., Level 1, 2, and Next Generation, will exist in the STIG profile as well. If the recommendation in the STIG profile contradicts the CIS Benchmark recommendation, that will be indicated in the description of the recommendation.

To make STIG compliance even simpler, here’s the breakdown of information you’ll find in the CIS STIG Benchmark ‘additional information’ section:

  • Name, version, and date of STIG release
  • Vulnerability ID
  • Rule ID
  • Severity

What’s Coming for STIG Compliance from CIS

Currently, CIS offers five CIS STIG Benchmarks as well as five CIS STIG Hardened Images across AWS, Azure, GCP, and Oracle Cloud Marketplaces.

The following CIS STIG Benchmarks are available for enhanced OS security: Amazon Linux 2, Microsoft Windows Server 2016 and 2019, Red Hat Enterprise Linux 7, and Ubuntu Linux 20.04 LTS. CIS is also excited to announce two additional CIS Benchmarks coming soon to help with STIG compliance: Apple macOS 11 and Red Hat Enterprise Linux 8.

Lastly, CIS STIG Hardened Images provide enhanced OS security in the public cloud. Access the pre-configured VMs for STIG compliance:

CIS is proud to provide users with multiple resources to help attain OS security and meet STIG compliance.