Testimonials

Check out what members and customers are saying about the products and services available from CIS!

 

Albert CIS Network Monitoring
CIS Benchmarks^®
CIS Controls^®
CIS SecureSuite^®
CIS Services^®
Malicious Domain Blocking and Reporting (MDBR)
MS-ISAC^®

 

---

 

Learn about Albert

 

Since we switched over to a standardized CIS Benchmark, it’s easy for us to give the auditor the data and say: We’re using CIS and these devices are going to be compliant with that, because we implement the CIS Benchmarks through group policy. If we fall in alignment with these configuration standards, it just clearly makes sense that it could really lighten the workload on the team of the State of Minnesota. I’m really impressed [by] the value you get with CIS. It’s huge.
Terry Seiple
State of Minnesota Security Architect

Without this resource, the hardening of our devices would have taken a lot longer and required many meetings between IT and Security to debate which configuration settings to change and the impact they could have. The CIS Benchmarks provided the necessary information to alleviate many of the fears IT may have had with changing specific settings.
Adam
Banking Information Security Engineer

The content comes from a diverse set of contributors and considers realistic threats. The CIS Benchmarks content is then presented as a series of recommendations, with rationales, that should be considered by the implementer and selected as appropriate to their use case.

CIS Benchmarks Contributor

Seattle, WA

 

CIS Benchmarks are very useful to apply security best practices on our platform and for the secure configuration of our system.

Information System Directorate

Financial Institution

South Africa

 

We needed to reach a security compliance for one of our clients and using CIS we were able to generate reports to prove our process

Director of Information Technology

Spring Design Partners, Inc.

New York, USA

 

Thank you for your efforts to better secure the overall cyber environment.

Security Technical Architect

Asset Management & Business Processing Solution Company

Delaware, USA

 

CIS’ collaborative correlation between standards facilitates the time to market our supplied assets covered by the CIS Benchmarks.

Cyber Information Assurance Specialist

Defense Technology Company

Virginia, USA

 

Download the CIS Benchmarks

 

 

 

"We built our cybersecurity program from the ground up, using the CIS Controls as a guiding light. Our CIS Controls Tactical Plan has since served as a compass, not just pointing the way but shaping how we move. It is more than a checklist. It is a framework that sharpens our focus, tempers our strategy, and aligns our actions with intention. In a space where complexity thrives, this plan brings clarity. It has been instrumental in maturing our security posture, not through noise, but through discipline, structure, and rhythm."

Kelven M. Leverett, CISSP, CISM
Information Security Manager
Security, Compliance, and Preparedness Division
Yolo County Innovation and Technology Services Department

 

"Version 8 is the biggest improvement yet. The implementation groups make prioritization and ROI more understandable than ever before. Using clear explanations of degrees of implementation combined with industry consensus on scoring removes a large amount of subjective bias making the result easier to explain to leadership and to gain buy in on initiatives to further improve security controls."

Alan Mercer, Information Security and Management Consultant

 

“The CIS Critical Security Controls have always provided a prioritized list of security controls to quickly secure your environment. Even if you can’t do everything (and let’s face it, most people can’t), you can easily create a plan for intelligently moving forward.”

Bryan Chou
Senior Manager of IT Security
Atlantic Aviation
CIS Controls Community Volunteer

 

“The CIS Controls are the friendliest framework for organizational security. They constitute a clear path to success that's built and updated by a small community of subject matter experts who are always looking for additional guidance and refinement."

Greg Carpenter
Senior Security Partner Strategist
Amazon Web Services (AWS)
CIS Controls Community Volunteer

 

“CIS controls and standards help new Fintechs like TASConnect by providing a clear set of baselines for secure configuration of common digital assets. By following a well-defined path to minimize the attack surface, TASConnect was able achieve a more mature security posture within a short time for its security set up. This has also enabled TASConnect to demonstrate its security posture and cybersecurity commitment.”

Manish Joshi
CISO, TASConnect
Singapore

“The CIS Control framework along with CIS-RAM are exactly what you need to develop organizational cyber defense capabilities , as well conducting cyber risk assessment to make well-informed decisions about prioritization and implementation of the CIS Controls regardless of organization complexity in-line with global best practices. CIS framework is easy to map with program and risk frameworks, and reverse mapping features.”

Adham Etoom, PMP®, GCIH®, CRISC®, FAIR™, CISM®
Government of Jordan, NCSC

 

“We use the CIS Controls to help our clients achieve compliance with state and federal cybersecurity regulations. The CIS 18 are prioritized, easy to understand, and extremely cost-effective for small to mid-size organizations looking to prove they are secure enough to do business in today’s marketplace. I highly recommend starting with CIS in building your cybersecurity program.”

Jim Long
Managing Partner
The Long Law Firm, PLLC

 

“Too often, people think that CyberSecurity means making IT hard to use and stopping people from doing their jobs.  I call this the “wrong security”.  The CIS Controls show that good security doesn’t have to be this way.  We’ve spent years applying the controls to systems in the UK Public Sector, and now are pleased to be taking this to our SMB clients.”

Anthony Green
Chief Technology Officer, UK
Foxtrot Technologies

 

“The fact that the CIS Controls crosswalks to the other frameworks is very helpful to us. If we go into an entity that has to comply with another framework, we’re often able to show them how our evaluation crosses over with whatever they’re required to comply with. We don’t have to become specialists in eight different control frameworks. We can be specialists in this one framework and then help our audit clients understand how they are related.”

Erin Laska
IT Security Audit Manager
Washington State Auditor’s Office (SAO)

 

“Cybersecurity can be an overwhelming undertaking for organizations that lack the staff or knowledge. The CIS Controls take the guesswork out of what steps to implement. The Implementation Groups (IGs) take an overwhelming list of controls and essentially turns them into a checklist that is very easy to understand. I have found the CIS IGs to be very helpful when explaining to school officials and municipal leaders the steps or controls that need to be implemented to raise their security posture.”

Neal Richardson
Director of Technology
New Hampshire Hillsboro-Deering School District

 

“Applying the Controls in a school environment is very important to me. Controls 1 and 2 (Inventory) as well as Control 6 (Monitoring Logs) and Control 15 (Wireless Control) are the most useful CIS Controls. Of course, the goal is to apply all possible CIS Controls to achieve a higher level of security.”

Giacomo Lunardon
Technician and Educator
Italian Ministry of Education
CIS Controls Community Volunteer

 

“I strongly believe that good IT operational practices drive a reduction in cybersecurity-related risk and that the CIS Controls help drive those operational practices. I wanted to help develop the CIS Controls and use my quarter of a century experience in this sector to make them even more effective.”

Tony Krzyzewski
Director, SAM for Compliance Ltd.
CIS Controls Community Volunteer

 

“It’s been a good experience working with the community in the Controls update process. I’ve made many connections and had many discussions on Controls, especially for small businesses.”

Alan Watkins
CIS Controls Ambassador

 

“Falling into the CIS Controls framework was absolutely fantastic for us. I smiled ear to ear when I realized that there is a way to build a standard to measure against.”

CEO of a Small Consulting and Development Services Organization located in Upstate NY

 

 

 

 

 

 

 

 

Get more information about CIS Controls

 

Download the CIS Controls

 

 

 

“Integrating the CIS-CAT Pro Assessor and CIS Benchmarks directly into Puppet’s infrastructure compliance automation solutions has been a game-changer for our enterprise customers. Now they can address their compliance needs from Day 0 through Day 2 operations, alleviating their dependence on security or compliance professionals to manually interpret, declare, and enforce desired state. Puppet’s partnership with CIS provides peace of mind that infrastructure is – and remains – compliant with evolving security best practices.”

Robin Tatam
CISM PCI-P CTMA CPSP CPFA
Sr. Director of Product Marketing
Puppet by Perforce
Minneapolis, USA

 

Every month, we report on compliance levels against the CIS Benchmarks. This puts us in a position where we can actively reassure customers that we're keeping their systems hardened to the required levels. Using Group Policy to actually implement the hardening guidelines has been a huge helping hand, as well. It's drastically reduced the amount of operational work that goes into achieving different levels of compliance.

 

 

 

 

 

 

 

 

Apply for a CIS SecureSuite Membership

 

 

The Center for Internet Security has been a proven partner in providing private sector class cybersecurity solutions that overcome public sector challenges. Continually facing limited budgets and staffing in the public sector, CIS services such as Albert, ESS, ESS Mobile, MDBR+, incident response along their 24x7x365 SOC provide core capabilities that can be leveraged in building a cybersecurity program of any size. In addition to the services it provides, CIS has created an active community focused on all aspects of cybersecurity in the public sector.  CIS listens and partners with the community to continually improve existing services and to look for the next opportunity to make an impact in cyber risk reduction for our community as a whole.

Mark Johnston CISO
TriMet

 

Our institution has greatly benefited from the services provided by the Center for Internet Security (CIS) through MS-ISAC. The CIS Security Operations Center (SOC) has been vital, offering 24/7 monitoring and rapid response that has significantly strengthened our cybersecurity posture.

The Endpoint Security Services (ESS) have enhanced our endpoint protection, providing proactive threat intelligence and continuous monitoring that ensures our network’s security. Albert Network Monitoring offers real-time alerts and insights, helping us quickly identify and mitigate potential threats, which has been crucial for maintaining our network integrity.

Finally, the Managed Security Services (MSS) have provided comprehensive support, allowing us to manage our security operations effectively without overwhelming our internal resources.

The CIS services through MS-ISAC are integral to our cybersecurity strategy, and I highly recommend them to any organization seeking to bolster their defenses.

Saby Waraich PMP CSM CIO
Dean of Technology, Clackamas Community College

 

Learn About CIS Services

 

Malicious Domain Blocking and Reporting (MDBR)

“For California, the Malicious Domain Blocking and Reporting (MDBR) service has been effective as an additional source of threat intelligence. This capability adds an additional element of automation in our security operations processes and playbooks, resulting in greater efficiencies. The preventive blocking and reporting provides metrics on true positive and high-fidelity events, allowing our internal teams to focus on more sophisticated attacks.”

Chief Information Security Officer
State of California

 

Learn About MDBR

 

We are all working to secure the organizations that we work in with limited resources.... I rely heavily on the notifications sent out by the MS-ISAC for all the CVEs for the various tools that are deployed in [my] environment. The MS-ISAC has been a centralized source of information for me for over 15 years. Their information is reliable, accurate, and very helpful. I rely heavily on the MS-ISAC and because of them, [I] have defended [against] possibly millions of attacks.
Security Director from a Municipal Retirement System

On March 18 [2025] I received MS-ISAC Advisory Number 2025-027 regarding a vulnerability in Apache Tomcat.  We were using a vulnerable version of that software for one of our key services.  Not only was this the only source of reporting I had for this vulnerability, but the advisory also contained clear and comprehensive instructions for how to remedy the problem.  We were able to adjust our settings to ensure we could continue to operate the service safely. 

The MS-ISAC community plays a vital role in strengthening my organization’s cybersecurity posture. Through its webinars and collaborative resources, we are able to remain informed of the latest cyber threats and emerging trends. As a professional transitioning from the private sector, this community has been instrumental in helping me maintain a high level of cybersecurity awareness and keep my skills current. The opportunity to engage with industry experts and gain insight into real-time threat intelligence enables me to implement timely and effective security measures within my organization.
Information Technology Security Analyst from a Municipality

One of the key benefits of MS-ISAC membership is the collaborative environment it fosters. This community allows members to share appropriate information, recognize the sensitivity and confidentiality of shared data, and take necessary steps to protect critical infrastructure. [Our organization] has utilized various MS-ISAC services to bolster its cybersecurity posture. For instance, the MS-ISAC provides actionable cyber threat intelligence, incident response, and cybersecurity services tailored to the SLTT community. These services have been crucial in helping [our organization] manage and respond to persistent and increasingly complex cybersecurity threats.
Director of Information Technology from a Tribal Nation

In April [2024], Palo Alto revealed the existence of a zero-day exploit.  As a small, rural school district, we do not have the manpower/skill set on staff nor the budget to handle these types of situations. I remembered I was eligible for free assistance if we thought we had been the victim of a breach, so I reached out immediately. Shortly after reaching out, I had a meeting with CIRT to determine next steps. They told me what logs needed to be collected [and] what information needed to be pulled from the compromised device. They helped me sift through this mountain of data to determine the scope of the breach. We were able to limit the impact to the compromised device itself and confirm that there was not any malicious activity elsewhere in the environment.  Without the MS-ISAC, I would have spent a lot more time and considerably more money attempting to ascertain the scope of this incident.
Network Manager from a K-12 School District

Given the limited funding available for cybersecurity in education, the resources offered by the MS-ISAC have been especially crucial for us. The collaborative information sharing, expert guidance, and comprehensive services the MS-ISAC provides have enabled us to build a robust cybersecurity program that effectively protects our students and staff.

IT Director from a County Office of Education

As our city continues to navigate the continual challenges of maintaining a strong cybersecurity posture with a small cyber team, the MS-ISAC community has proven to be an invaluable resource. With limited personnel, it's critical for us to maximize efficiency to stay ahead of evolving threats. The ability to connect with peer organizations through the MS-ISAC community forums allows my team to exchange insights, share best practices, and tap into the collective knowledge that would otherwise be beyond our internal capacity. The daily MS-ISAC advisory email notifications help the team stay informed of emerging threats, enabling us to prioritize updates strategically and mitigate potential attack vectors more effectively. The MS-ISAC plays a key role in strengthening our overall resilience despite our limited staffing.

Chief Information Officer from a Municipality

 

The MS-ISAC’s timely advisories, threat intelligence, and cybersecurity services have directly enhanced our ability to detect, respond to, and prevent cyberattacks. Their vulnerability notifications have allowed us to patch critical systems before they could be exploited, and their threat briefings have ensured that we stay ahead of emerging risks. In addition, the MS-ISAC’s 24/7 incident response services give us confidence that we have expert resources standing ready to assist in any crisis — something our local resources alone could not match.
Chief IT Officer from a Municipality

 

Learn About MS-ISAC

 

Sources Going Back to December 2019 (Case Studies):

Washington State Auditor’s Office: https://www.cisecurity.org/insights/case-study/washington-state-auditors-office-uses-cis-controls-to-perform-effective-security-audits/

Minnesota Security Architect: https://www.cisecurity.org/insights/case-study/tackling-audits-and-cloud-security-efficiently-and-at-scale/

New Hampshire: https://www.cisecurity.org/insights/case-study/school-district-enhances-cyber-hygiene-with-cis-controls/

BFB Consulting: https://www.cisecurity.org/insights/case-study/how-to-choose-a-cybersecurity-consultant-what-are-their-security-best-practices/

Rockwell: https://www.cisecurity.org/insights/case-study/from-the-ground-up-how-cis-best-practices-helped-build-a-cybersecurity-consulting-agency/

Albert: https://www.cisecurity.org/insights/case-study/identifying-suspicious-election-network-activity-with-albert/

Bank: https://www.cisecurity.org/insights/case-study/bank-relies-on-industry-recommended-cybersecurity-best-practices/

Sources (Volunteers):

Giacomo: https://www.cisecurity.org/blog/cis-controls-volunteer-spotlight-giacomo-lunardon/