The CIS Benchmarks Explained...
The CIS Benchmarks are community-developed secure configuration recommendations for hardening organizations' technologies against cyber attacks. Mapped to the CIS Critical Security Controls (CIS Controls), the CIS Benchmarks elevate the security defenses for cloud provider platforms and cloud services, containers, databases, desktop software, server software, mobile devices, network devices, and operating systems. They also help organizations demonstrate compliance with components of various industry regulations and frameworks.
Currently, more than 100 CIS Benchmarks covering 25+ vendor product families are available as free PDF downloads for non-commercial use.
Get Involved in the CIS Benchmarks Communities
The CIS Benchmarks Communities comprise more than 12,000 IT security professionals who participate in the consensus process to develop secure configuration recommendations. Each of these individuals brings something different to the community development process.
You can volunteer for one (or several) CIS Benchmarks Communities by visiting CIS WorkBench.
What Makes the CIS Benchmarks So Unique?
A Consensus Development Process
The CIS Benchmarks are different from other secure configuration guides because they are the product of an ongoing consensus process. Subject matter experts (SMEs), technology vendors, public and private community members, and academics from different industries come together in this process to debate use cases and agree upon secure recommendations.
Here's an overview of what the consensus-development process looks like:
- Put together an SME volunteer team and make a general call for participation
- Define the scope of the Benchmark and notify the SME volunteers so that they can help contribute to a draft
- Invite additional volunteers to review, test, and provide feedback on the draft
- The SME volunteers and CIS Lead review the feedback and incorporate applicable changes
- The CIS Lead announces a final review period
- The CIS team submits the Benchmark for publication
- After a period of time, the cycle starts again to incorporate new technology updates and other changes into the Benchmark recommendations
Prescriptive Guidance
CIS Benchmarks tell you "why" to take certain hardening measures by breaking down every security recommendation into the following sections:
- The description summarizes the recommendation.
- The rationale discusses the importance of the recommendation.
- The impact frames the security benefit of implementing the recommendation.
- The audit identifies how you can prove you've implemented the recommendation for an audit.
- The remediation goes through the actual steps of implementing the recommendation.
How to Use a CIS Benchmark
- Use a PDF: Anyone can download the Benchmarks free of charge in PDF format for non-commercial use.
- Through CIS SecureSuite Membership: CIS SecureSuite Members can download the Benchmarks in additional formats such as Word, Excel, and XML via CIS WorkBench. As part of CIS SecureSuite Membership, they can use the CIS Build Kits to automate their hardening efforts across Windows, macOS, and select Linux systems to CIS Benchmarks standards.
- Launch a CIS Hardened Image: These virtual machine images are hardened in accordance with the CIS Benchmarks.
- Deploy the Tools of Certified Product Vendors: CIS SecureSuite Product Vendor Member tools provide certified offerings for configuration, assessment, and remediation of CIS Benchmarks content.
Ready to Get Started?
The security guidelines of all CIS Benchmarks are available free of charge in PDF format for non-commercial use.