3 min. read

What are CIS Benchmarks?

The CIS Benchmarks are a set of prescriptive configuration recommendations for hardening an organization’s technologies against cyberattacks. Created in 2000 as a nonprofit organization, the Center for Internet Security (CIS) maintains over 100 CIS Benchmarks, covering more than 25 vendor product families.

CIS Benchmarks are Created and Maintained by a Consensus-Driven, Global Community

A global community of more than 12,000 security professionals, technology vendors, and academics have created this free resource via consensus. Used by governments, businesses, research, and academic institution, the CIS Benchmark community identifies the need for a new or updated benchmark. Experts collectively create, vet, and test their recommendations to publish a final benchmark.

The Center for Internet Security creates CIS Controls, a comprehensive guide of 20 safeguards. The CIS Benchmarks map to these controls, and the community refers to them when creating new or updated configuration recommendations.

What Technologies Do CIS Benchmarks Cover?

CIS Benchmarks offers a set of best practices as a starting point for creating new product or service deployment plans and for verifying whether current deployments are configured to maximum security.

There are 8 categories that provide CIS Benchmarks across the following IT technologies:

  • Cloud providers
  • Desktop software
  • DevSecOps tools
  • Mobile devices
  • Multi-function print devices
  • Network devices
  • Operating systems
  • Server software

Within each category are specific guidelines for current products or vendors. For example, Cloud Providers covers Alibaba, AWS, Google Cloud, Google Workspace, IBM Cloud, Microsoft 365, Microsoft Azure, Microsoft Dynamics 365, and Oracle Cloud. And, for AWS, benchmarks are available for the latest versions, including AWS Compute Services, Amazon Web Services Foundations, AWS End User Compute Services, and Amazon Web Services Three-tier Web Architecture.

How are CIS Benchmarks Recommendations Organized?

CIS Benchmarks and their recommendations are organized into seven areas across three levels.

Benchmark levels

The CIS assigns a profile level to each CIS Benchmark guideline, allowing organizations to choose a profile based on their unique security or compliance requirements.

Level 1 includes basic security recommendations for configuring IT systems. They are straightforward and avoid impacting business functionality or uptime.

Level 2 is includes highly sensitive data where security is a priority. These recommendations call for professional expertise and focused security planning to attain higher-level security with minimal disruptions to operations. The Level 2 profile supports regulatory compliance as well.

Level 3 includes the Security Technical Implementation Guide (STIG) baselines from the Defense Information Systems Agency (DISA), as well as Level 1 and Level 2 recommendations. CIS Benchmarks specify a Level 3 STIG profile to support compliance with US government requirements.

Benchmark recommendations

Each vendor or product benchmark includes 7 recommendation areas detailing specific guidelines.

  • Profile Applicability designates whether the recommendation is Level 1, 2, or 3 STIG.
  • A description explains the recommendation and its importance.
  • Audit recommendations provide details on how to evaluate the status of the recommendation in its current configuration.
  • Remediation offers step-by-step guidance on how to implement the recommendation.
  • References offers links to supporting documentation.
  • Additional Information may be provided.
  • CIS Controls shows how the recommendations map to specific CIS Controls.

Every benchmark follows this format, making implementation straightforward and standardized.

Why Would an Organization Adopt CIS Benchmarks?

Adopting CIS Benchmarks provides significant valuable benefits at no cost. A committee of experts creates, vets, and approves the benchmarks. Organizations can use the benchmarks as a starting point to choose technologies, purchasing cloud services, or configuring IT resources. IT teams use the benchmarks internally and when vetting third-party IT support or cloud services. Lastly, CIS Benchmarks align with security and data privacy frameworks like NIST, HIPAA, and PCI DSS to support regulatory compliance.

How are CIS Benchmarks used?

CIS Benchmarks are packaged into configuration guidebooks. Organizations use them to create policies and procedure manuals, and plan and manage their IT systems and secure cloud environments. Foundationally, the benchmarks provide best practices specific to Identity and Access Management (IAM), logging and monitoring, and networking.

DevOps teams can implement CIS Benchmarks and stay apprised of version releases. However, CIS offers free and paid tools to automate CIS benchmark configuration maintenance and compliance. These tools scan IT systems and alert when current configurations don’t meet CIS Benchmark recommendations.

CIS Benchmarks provide access to expert best practices for configuring IT technologies

With a global community of over 12,000 security professionals, the CIS Benchmarks provide prescriptive guidance for securely configuring IT technologies. This free resource enables education and decision-making based on consensus-driven, vetted best practices that organizations of every size can access.

Modern Cloud-native security starts with Panoptica

Cisco’s Emerging Technologies and Incubation (ET&I) team is paving the way with “DevOps-friendly” cloud-native security solutions that fundamentally simplify conventional offerings. Our Panoptica solution simplifies cloud-native application security, making it easy to embed into the software development lifecycle. Panoptica protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (Containers or Serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using.