STIG Compliance with CIS AWS Cloud Security Resources


Securing your IT infrastructure can be a challenge, especially if you’re working in a regulated environment. Many compliance frameworks, such as the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs), require extensive resources to implement. To help organizations meet STIG compliance, the Center for Internet Security (CIS) offers CIS Benchmarks and CIS Hardened Images that are mapped to the STIGs.

DISA STIGs Recognize CIS Benchmarks

Guidance from the DoD Cloud Computing SRG indicates that CIS Benchmarks are an acceptable alternative to STIGs, the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. The DoD Cloud Computing Security Requirements Guide (SRG), Version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations are still required to align with STIGs as the configuration standards for DoD IA and IA-enabled devices/systems.

In addition to recognition from the DoD Cloud Computing SRG, many other industry frameworks recognize the CIS Benchmarks. These frameworks include the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, FedRAMP, and NIST.

See all CIS Industry Frameworks Recognitions

Prescriptive STIG Guidance from CIS

CIS offers resources to configure systems according to STIGs, both on-prem and in the cloud. CIS STIG resources include CIS Benchmarks and CIS Hardened Images for three operating systems: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016.

The CIS STIG Benchmarks and associated CIS Hardened Images contain:

  • The existing consensus-based CIS Benchmark Level 1 and Level 2 profiles.
  • A new STIG profile that includes all applicable STIG configuration requirements.
  • A categorization of each recommendation by the Level 1, Level 2, and STIG profiles, and by Member Server and Domain Controller role.

Users who apply CIS Benchmark recommendations and also need to be STIG compliant can apply the three profiles and quickly address the gaps between the original CIS Benchmark profiles and the STIGs. These CIS STIG Benchmarks are available for free PDF download.

CIS STIG Hardened Virtual Machine Images

In addition to the CIS STIG Benchmarks, CIS hardens virtual machine images to the CIS STIG Benchmark guidelines and offers them on the Amazon Web Services (AWS) Marketplace. CIS currently offers three CIS STIG Hardened Images: Red Hat Enterprise Linux (RHEL) 7, Amazon Linux 2, and Microsoft Windows Server 2016.

Every CIS Hardened Image includes a CIS-CAT Pro assessment report showing conformance to the related CIS Benchmark. Additionally, an exception report included with the image outlines configurations that aren’t applicable in a cloud environment. CIS updates every CIS Hardened Image regularly to incorporate patches and address vulnerabilities.

Access the CIS STIG Hardened Images on AWS Marketplace: