CIS Benchmarks Assessment Certification
CIS SecureSuite Product Vendor Membership enables product vendors to integrate, reference, and support the CIS Benchmarks™ and/or CIS Controls® content into their security product offering(s). If the Member’s tool or product includes one or more CIS Benchmarks, the Member must obtain annual CIS Benchmarks Certification in advance of any sale, distribution, or marketing.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Certification must be awarded to denote conformance with the CIS Benchmark. CIS Benchmarks Assessment Certification certifies a product's ability to accurately assess and report against the security recommendations in the associated CIS Benchmark(s).
Please see the information and steps below for preparing product(s) for Certification.
The CIS SecureSuite Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
Steps to Submit
New CIS Benchmarks Certification Requirements and Process
Effective for new Members with Membership start dates after January 1, 2025 and existing Members upon your 2025 Membership renewal.
CIS Benchmarks Certification Requirements
By submitting a tool(s) for CIS Benchmarks Certification, the Member agrees to meet all the stated requirements. The Member must submit once annually for each Certification type (Assessment, Remediation, and Configuration) and once annually for each of the Member's Integrated Product(s). E.g., if the Member has two tools that each perform assessment and remediation against the CIS Benchmarks, the Member will submit for Certification four times: Tool 1 – Assessment, Tool 1 – Remediation, Tool 2 – Assessment, and Tool 2 – Remediation.
The Member declares to CIS that said tooling and content accurately represents all CIS Benchmarks™ recommendations as described below.
- Member has CIS Benchmarks testing processes that ensure accuracy of results/configurations.
- Member has CIS Benchmarks quality assurance processes that ensure accuracy of results/configurations.
- Member will update to the latest version of any previously integrated CIS Benchmarks within 90 days of CIS Benchmarks release.
- Member will only submit for CIS Benchmarks™ Certification for actively supported CIS Benchmarks. Archived Benchmarks are not available for Certification.
- Member will provide a screenshot demonstrating that manual recommendations and exceptions are shown to the end user by marking them as Not Applicable, Manual, or otherwise.
- When capable, show all details of the given recommendation of the CIS Benchmarks – title, description, impact, audit, and remediation (remaining sections are optional).
- If not able to show all details of the given recommendation sections as described above, Member will provide a link to the CIS Benchmarks webpage (https://www.cisecurity.org/cis-benchmarks) prominently within the tool to provide users a pathway to access the free for non-commercial use CIS Benchmarks™ PDFs for manual assessment and/or remediation.
- Member attests that the number of recommendations automated in the Member tool is equal to or more than 90% of the total number of automated recommendations within that Level of the Benchmark. If less than 90%, written approval from CIS is needed.
- E.g., the CIS Benchmark has 100 recommendations in Level 1. Of the 100 total recommendations, 90 are marked as automated by CIS. The Member should automate at least 81 recommendations (81 = 90% of 90 recommendations).
- Member will make reasonable efforts to submit feedback on implementation methods, proposed improvements to the CIS Benchmarks, or Certification exceptions submitted to the applicable CIS WorkBench Community as a ticket on the latest draft of the applicable CIS Benchmarks.
CIS reserves the right to cancel a Certification (company, tool, and/or Benchmark) at any time.
For New Members and the Annual CIS Benchmarks Certification Process
- Navigate to https://www.cisecurity.org/support.
- Click on “CIS Benchmarks™ Certification”
- Fill out required fields marked with an asterisk*
- Summary – Certification | [Organization Name]
- Enter Certification Request Type
- Certification
- Select Certification Type
- Assessment
- Enter Company Name
- Enter Tool Name (Tool Name must align with list of reported tools via the CIS Product Vendor Membership Attestation Form)
- Enter Tool Version
- Enter Benchmark
- Enter ‘Provided list via CIS SecureSuite Product Vendor Member Attestation Form’
- If a CIS SecureSuite Product Vendor Member Attestation Form has not been submitted, please contact your Account Manager.
- Screenshot demonstrating either that manual recommendations and exceptions are shown to the end user by marking them as Not Applicable, Manual, or otherwise (Option A below), and/or that the tool clearly indicates it cannot assess against all recommendations in the CIS Benchmark and that the customer should refer to the CIS Benchmarks PDFs to identify which recommendations require manual assessment (Option B below). In either instance, a screenshot must be provided.
- Option A (preferred): When capable, show all details of the manual and excluded recommendations – title, description, impact, audit, and remediation (remaining sections are optional).
- Option B: If you are not able to show all details of the manual and excluded recommendation sections as described above or if you are not able to show the manual and excluded recommendations at all, provide a link to the CIS Benchmarks webpage (https://www.cisecurity.org/cis-benchmarks) prominently within the tool to provide users a pathway to access the free for non-commercial use CIS Benchmarks PDFs for manual assessment. Use this language within your tool, “Not all recommendations from the CIS Benchmarks are included in this tool. Please refer to the CIS website to access the free CIS Benchmarks PDFs for manual assessment instructions.”
- In the Description section and/or as an attachment, provide:
- Description of testing processes to ensure accuracy of results against CIS Benchmarks.
E.g., for Assessment, “At [Organization Name] we validate the accuracy of our tool results against the CIS Benchmarks by creating two environments for our tool to scan. The first environment is hardened to 100% of the CIS Benchmarks and we validate that the results of the scan report pass at 100%. The second environment is not hardened according to the CIS Benchmarks recommendations and we assess that all of the recommendations fail. This demonstrates that our tool can provide a passing and failing score when expected.”
- Description of quality assurance processes to ensure accuracy of results against CIS Benchmarks.
E.g., “After completion of developer testing, we conduct the same testing as development to ensure accuracy of results and complete regression and release testing.”
- Attestation that Member will update to the latest version of any previously integrated CIS Benchmarks™ within 90 days of CIS Benchmarks™ release.
E.g., “I, [Organization Name], attest to the fact that all CIS Benchmarks will be updated to the latest version within 90 days of the CIS Benchmarks™ release.”
- Attestation that the number of recommendations automated in the Member tool is equal to or more than 90% of the total number of automated recommendations within that Level of the Benchmark. If less than 90%, written approval from CIS is needed. To obtain written approval, follow the instructions in the ‘For Members with Less Than 90% of the Automated Recommendations’ section below.
E.g., the CIS Benchmark has 100 recommendations in Level 1. Of the 100 total recommendations, 90 are marked as automated by CIS. The Member should automate at least 81 recommendations (81 = 90% of 90 recommendations).
For Updates to List of CIS Benchmarks Throughout the Term
- Navigate to https://www.cisecurity.org/support.
- Click on “CIS Benchmarks™ Certification”
- Fill out required fields marked with an asterisk*
- Summary – Certification List Update | [Enter full CIS Benchmark name, version, and profiles, if not certifying against the entire Benchmark according to list of CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks]
- Enter Certification Request Type
- Update to Certification List
- Select Certification Type
- Assessment
- Enter Company Name
- Enter Tool Name (Tool Name must align with list of reported tools via the CIS Product Vendor Membership Attestation Form)
- Enter Tool Version
- Enter Benchmark
- Enter full CIS Benchmark name, version, and profiles, if not certifying against the entire Benchmark according to list of CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
- Only the latest CIS Benchmark version will be accepted for a given technology.
- Upon submission of an updated version of a CIS Benchmark, it will supersede the previous CIS Benchmark version, e.g., Certification is listed for CIS Benchmark v1.0.0. When you submit CIS Benchmark v2.0.0, v1.0.0 will be removed, and v2.0.0 will be added to the dedicated vendor profile page on the CIS website.
For Members with Less Than 90% of the Automated Recommendations
- Navigate to the files section of CIS WorkBench.
- Search for the CIS Benchmark(s) you’re certifying against.
- Download the Excel versions of the CIS Benchmark(s) you’re certifying against.
- Add two columns to the sheet: one to indicate which recommendations cannot be implemented and a second to describe why.
- In the first column, mark every automated recommendation that cannot be automated/implemented within your tool.
- In the second column, for each recommendation that cannot be automated/implemented, describe why. Common reasons are the recommendation’s implementation method, or the way the tool collects data from or remediates systems.
- Once the Excel document is complete, save it with the existing file name plus ‘ – Your Company Name’, so it clearly indicates the CIS Benchmark you’re seeking an exception for and your organization.
- Email it to your Account Manager with the following information:
- Subject: CIS Benchmarks Certification – [Certification Type – Assessment, Remediation, Configuration] – [Your Company Name] – [Your Tool Name]
- Body: I am seeking an exception for the attached CIS Benchmark because the tool cannot automate/integrate at least 90% of the automated recommendations within the CIS Benchmark.
- Please allow for one business week for review and response on the submission.
- If approved, proceed with the CIS Benchmarks Certification submission and your CIS Account Manager will attach the completed spreadsheet and approval email to your Certification submission.
Old CIS Benchmarks Certification Submission Process
For Members with Membership start dates prior to January 1, 2025 use the following steps to submit Certification effective until your 2025 renewal.
CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Assessment Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Assessment Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.
Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:
- Summary
- Certification Request Type
- Company
- Tool Name
- Tool Version
- CIS Benchmark(s) & Profile(s)
- A brief description of your security software product that is being submitted for CIS Benchmarks Assessment Certification.
- A brief description of the internal testing process that effectively demonstrates how your security software product accurately and thoroughly checks/reports as compared to the relevant CIS Benchmark(s) and Profile.
- Include the spreadsheet with results of the testing. See below.
- Submit this information with the testing results referenced below via our support portal.
Download the required certification spreadsheet from the CIS WorkBench by selecting “SSV” in the Tag area within the Download section.
The report/spreadsheet will contain the following data attributes:
- CIS Benchmark Recommendation #
- CIS Benchmark Recommendation Title
- Actual State (Pass/Fail)
- Failure State (Fail): this column should only contain the Fail status. A failure for each recommendation shows that the tool is capable of assessing that recommendation when it is not applied.
- Remediated State (Pass/Fail): this column can contain either Pass or Fail. Any failure indicated in this column must be followed with:
- a detailed explanation of the failure;
- a request for exemption of the recommendation; and
- if possible, other mitigating factors that can be applied in place of the recommendation.
- Exceptions should only be presented if a certain recommendation inhibits the Product Vendor Member’s tool from performing. No exceptions beyond those inhibiting performance will be accepted. CIS reserves the right to deny any Certification based upon the exceptions provided. See the Exception section listed below.
- An exception list of any CIS Benchmark recommendation(s) for which your security software product does not check/report. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your security software product does not check/report for that recommendation(s).
Ensure that your testing recognizes that the CIS Benchmarks are the minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular Benchmark’s recommendation(s) is considered to be in compliance with that particular Benchmark.
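A constructed harness, added here as an example and not CIS’s or any Member’s code, for the two-environment test described in the testing-process example above and for the Actual/Failure/Remediated columns of the certification spreadsheet. It also encodes the minimum-due-diligence rule from this paragraph: threshold checks use “at most” / “at least” comparators, so a setting stricter than the recommendation still passes. The recommendation numbers (X.1 etc.), titles, keywords and the sshd_config-style snippets are illustrative fixtures, not taken from any published Benchmark.

```python
from dataclasses import dataclass
from typing import Dict, List


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse a minimal 'Keyword value' config (sshd_config style); '#' starts a comment.
    Keywords are lower-cased because sshd treats them case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


@dataclass(frozen=True)
class Check:
    rec_id: str       # illustrative recommendation number, not from any published Benchmark
    title: str
    key: str
    comparator: str   # "eq": exact match; "max": actual <= expected; "min": actual >= expected
    expected: str


def evaluate(check: Check, settings: Dict[str, str]) -> bool:
    """True when the setting satisfies the check. 'max'/'min' implement the
    minimum-due-diligence rule: a value stricter than the recommendation passes."""
    actual = settings.get(check.key.lower())
    if actual is None:
        # Toy choice: an unset keyword fails. A real tool must evaluate the effective
        # configuration (daemon defaults, Include/Match blocks), not just the raw file.
        return False
    if check.comparator == "eq":
        return actual.lower() == check.expected.lower()
    try:
        actual_n, expected_n = int(actual), int(check.expected)
    except ValueError:
        return False  # non-numeric where a number is required: cannot be compliant
    if check.comparator == "max":
        return actual_n <= expected_n
    if check.comparator == "min":
        return actual_n >= expected_n
    raise ValueError(f"unknown comparator {check.comparator!r}")


def assess(checks: List[Check], config_text: str) -> Dict[str, bool]:
    settings = parse_kv_config(config_text)
    return {c.rec_id: evaluate(c, settings) for c in checks}


def two_environment_test(checks: List[Check], hardened_cfg: str, unhardened_cfg: str) -> bool:
    """The validation the page describes: the fully hardened environment must pass 100%
    and the unhardened one must fail 100%; anything else means a check is not discriminating."""
    hardened = assess(checks, hardened_cfg)
    unhardened = assess(checks, unhardened_cfg)
    return all(hardened.values()) and not any(unhardened.values())


def certification_rows(checks: List[Check], actual_cfg: str, failure_cfg: str,
                       remediated_cfg: str) -> List[dict]:
    """Rows with the columns the certification spreadsheet uses; the Failure State
    column must read Fail for every recommendation."""
    def state(ok: bool) -> str:
        return "Pass" if ok else "Fail"
    a, f, r = (assess(checks, cfg) for cfg in (actual_cfg, failure_cfg, remediated_cfg))
    return [{"Recommendation #": c.rec_id, "Title": c.title,
             "Actual State": state(a[c.rec_id]),
             "Failure State": state(f[c.rec_id]),
             "Remediated State": state(r[c.rec_id])} for c in checks]


# Constructed fixtures: the three system states a tester needs.
CHECKS = [
    Check("X.1", "Ensure SSH root login is disabled", "PermitRootLogin", "eq", "no"),
    Check("X.2", "Ensure SSH MaxAuthTries is set to 4 or less", "MaxAuthTries", "max", "4"),
    Check("X.3", "Ensure SSH LoginGraceTime is 60 seconds or less", "LoginGraceTime", "max", "60"),
]
HARDENED = "PermitRootLogin no\nMaxAuthTries 4\nLoginGraceTime 60\n"
STRICTER = "PermitRootLogin no\nMaxAuthTries 3  # tighter than required: still compliant\nLoginGraceTime 30\n"
UNHARDENED = "PermitRootLogin yes\nMaxAuthTries 6\nLoginGraceTime 120\n"

if __name__ == "__main__":
    print("two-environment test passes:", two_environment_test(CHECKS, HARDENED, UNHARDENED))
    print("stricter-than-benchmark system compliant:", all(assess(CHECKS, STRICTER).values()))
    for row in certification_rows(CHECKS, STRICTER, UNHARDENED, HARDENED):
        print(row)
```

The harness deliberately fails when a keyword is absent; that is the conservative side of the caveat in the comment, and a production assessor should resolve the effective configuration the daemon actually applies before comparing, otherwise the hardened environment will not reach the 100% pass rate the test demands.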
CIS may also request a copy of the product for testing. If the product cannot be provided to CIS, a webcast can be set up for the Product Vendor Member to demonstrate conformance of the product to the designated Benchmark(s)/profile(s).
CIS will validate test results and upon achieving successful validation, CIS will provide the Certification award(s) via email. If incomplete or inaccurate test results are submitted, CIS will contact you to resolve the issues. This may result in a delay in awarding a Certification(s).
Award of CIS Certification and Timeline
- CIS Certification attests that your security software product’s reports enable a user to identify any and all differences between the actual configuration of a scanned system(s) and the associated CIS Benchmark’s security configuration recommendations.
- CIS Certification attests that a specific major version of your security software product accurately checks and reports the comparison of actual system configuration status to all of the scored recommendations in a specific, corresponding version of a CIS Benchmark.
- Award of CIS Certification is based initially on CIS’s review of a certification application and supporting materials that detail the testing and preparation conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for certification(s), CIS’s review is generally completed within two weeks.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.
You may market and sell your product(s) with the CIS Benchmarks Certified Badge corresponding to the specific certification type only after the respective product(s) has been awarded CIS Benchmarks Certification. CIS will provide the badge with the certification award email.
It is CIS’s intent to provide and preserve Membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and certification requirements that are not addressed in this document, please submit a request for assistance via our support portal, and we would be happy to discuss your particular circumstance and address your issues accordingly.