What Makes CIS Hardened Images Secure Enough for the U.S. IC

Cloud security remains a U.S. national cybersecurity priority — even as U.S. Presidential Administrations change. For instance, in Executive Order (EO) 14306, the Trump Administration amended two EOs released by the Biden Administration. One of those changes reaffirmed the need to secure cloud services supporting U.S. federal information systems.

This need is especially clear for the U.S. Intelligence Community (IC), which relies on cloud services to analyze and provide information in defense of the United States’ national security interests.

The question is: how can U.S. IC organizations strengthen their cloud security in a way that meets their unique needs?

In this blog post, we’ll discuss some of the cloud security requirements and challenges facing the U.S. IC. We’ll then explore how the CIS Hardened Images® can help.

3 Cloud Security Challenges Confronting the U.S. IC

When securing their use of the cloud, the U.S. IC faces the following three challenges: complex compliance obligations, a cyber talent gap, and budget constraints.

Complex Compliance Obligations

FedRAMP

Like all federal agencies, U.S. IC organizations are subject to the Federal Risk and Authorization Management Program (FedRAMP). Based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, FedRAMP provides a standardized approach for security authorization and assessment of cloud services used by the U.S. federal government.

U.S. federal agencies don't consistently comply with FedRAMP, however. Between July 2019 and April 2023, the 24 Chief Financial Officers (CFO) Act agencies increased the number of cloud services authorizations by approximately 60%, according to the U.S. Government Accountability Office. Nine agencies reported they were using services without FedRAMP authorization.

If U.S. IC organizations don’t use services that are FedRAMP-compliant, they could leave their cloud-based systems exposed, potentially compromising mission-critical information.

Other Compliance Considerations

Beyond FedRAMP, U.S. IC organizations are also subject to U.S. Department of Defense (DoD) regulations, including the following:

  • DoD Cloud Computing Security Requirements Guide (SRG)
  • Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

Both regulations introduce additional security controls beyond NIST SP 800-53 for meeting the unique requirements of the DoD.

A Dedicated AWS Marketplace

Reflecting the unique compliance requirements of the U.S. IC, Amazon Web Services (AWS) created its own secure procurement channel. This AWS Intelligence Community Marketplace (ICMP), which expanded in early 2024, requires advanced, hardened, and compliant operating system (OS) images for workloads. These OS images make it easier for U.S. IC customers to procure solutions from vendors and spin them up in a cloud not connected to the public internet.

Cyber Talent Gap

On the one hand, cybersecurity jobs continue to go unfilled around the world. Cybersecurity Ventures reported that there were 3.5 million cybersecurity job vacancies around the world in 2023. The publisher went on to predict that the gap would continue through at least 2025.

On the other hand, the U.S. IC workforce underwent cuts at the beginning of 2025. In May, AP News reported that the Trump Administration planned to reduce the workforce at the Central Intelligence Agency (CIA) by 1,200 over several years. These cuts would include early retirement for some personnel and reduced hiring. AP News shared how the Trump Administration also planned to cut thousands of positions at the National Security Agency (NSA) along with other U.S. IC organizations.

When coupled with the ongoing demand for cybersecurity professionals worldwide, these workforce changes complicate the ability of U.S. IC organizations to find trained cloud security personnel.

Budget Constraints

In July 2024, GovWin IQ shared that the DoD's estimated cloud budget for Fiscal Year (FY) 2025 was $2.4 billion. By comparison, the civilian sector's projected budget for using the cloud was $8.9 billion. This disparity highlights how U.S. IC organizations need to invest in cost-effective solutions that will enable them to easily track expenses over time.

CIS Hardened Images: Meeting the Cloud Security Needs of the U.S. IC

The U.S. IC can use CIS Hardened Images to address the three challenges discussed above. These virtual machine images of Windows and Linux operating systems are pre-hardened to the CIS Benchmarks®, consensus-driven secure recommendations for hardening more than 100 technologies across 25+ vendor product families.

Fostering Compliance Through Level 2 and STIG Profiles

The Benchmarks — and the CIS Hardened Images, by extension — are referenced by regulations that apply to the U.S. IC. Among them is the DoD Cloud Computing SRG. For example, Version 1, Release 3 of the SRG states that the Level 2 CIS Benchmarks serve as an "acceptable alternative" to DISA STIGs when a DISA STIG is not available. Simultaneously, many other industry frameworks recognize and reference the Benchmarks, including FedRAMP.

CIS Benchmarks profiles help to make this recognition possible, particularly the Level 2 and STIG profiles, as they’re configured to elevated standards that apply to U.S. IC organizations. Per the Benchmarks FAQs, the Level 2 profile enables organizations to implement defense-in-depth measures in environments where security is prioritized. As such, these measures could interfere with functionality and operations depending on how they're implemented. Meanwhile, the STIG Profile covers recommendations that are specific to the DISA STIGs. It notes overlaps of recommendations from the Level 1 and Level 2 profiles, as applicable.

Cost, Time, and Effort Savings for the U.S. IC

With the Benchmark profiles as context, CIS Hardened Images with Level 2 and STIG profiles offer mission-ready, Benchmark-aligned operating systems that reduce the time, cost, and risk of meeting U.S. IC/DoD security standards. They are vetted and trusted by public sector security professionals and are now increasingly accessible through secure procurement channels like the AWS ICMP, including in both commercial and classified regions (C2S/S-C2S/Top Secret regions). This makes them an ideal choice for Federal System Integrators (FSIs) and DoD teams seeking to operationalize secure cloud workloads quickly and at scale. STIG-mapped CIS Hardened Images also simplify deployment for federal agencies and align with zero trust architecture models and Cloud Security Posture Management (CSPM) methodology.

Finally, CIS Hardened Images are built using a rigorous secure configuration process and updated monthly, thus sparing U.S. IC organizations from needing to develop hardened images themselves. They cost just pennies per compute hour.

Work with a Trusted Partner in Securing Your U.S. IC Organization on AWS

In the summer of 2025, the Center for Internet Security® (CIS®) received AWS Government Competency recognition. This award illustrates our technical expertise and proven success in helping government clients improve their security posture in the AWS Cloud, and it confirms that our CIS Hardened Images passed a rigorous technical validation to ensure they follow AWS best practices. AWS Government Competency attests to our ability to help AWS government customers, including those in the U.S. IC space, meet stringent security requirements and regulations.

Ready to make use of a trusted partner in securing your U.S. IC organization’s cloud-based systems?