CIS Benchmarks Configuration Certification
CIS SecureSuite Product Vendor Membership enables product vendors to integrate, reference, and support the CIS Benchmarks™ and/or CIS Controls® content into their security product offering(s). If the Member’s tool or product includes one or more CIS Benchmarks, the Member must obtain annual CIS Benchmarks Certification in advance of any sale, distribution, or marketing.
In order to incorporate and market the CIS Benchmarks as part of a product offering, CIS Benchmarks Configuration Certification must be awarded to denote conformance with the CIS Benchmark. Configuration Certification certifies that a system’s configuration is in conformance with CIS Benchmark(s), assuring that a system’s performance will not be negatively impacted when the product is running in a CIS hardened environment.
Configuration Certification enables Product Vendor Members to implement “security by design” with the CIS Benchmarks built in, tested, and certified at the outset. Along with our other certifications, Configuration Certification provides Product Vendor Members a streamlined way to bring CIS Benchmark security to their customers. Use cases include:
- Organization seeking certification to promote that their solution will run efficiently in a CIS hardened environment
- Organization’s solution sold configured to CIS Benchmark(s) with assurance that their solution will run without impact on a CIS hardened environment
- Organization’s solution configured to CIS Benchmark for said vendor product/offering (i.e., CIS Hardened Images®, infrastructure, stack)
- One or more CIS Benchmark(s) configured within another product/offering (i.e., device ships secure)
- Vendor service providing option to deploy configured environment to CIS Benchmark(s)
Please see the information and steps below for preparing product(s) for Certification.
The Product Vendor Member SHALL NOT represent any of its product’s support/compliance for a given CIS Benchmark as “CIS Certification pending,” or similar verbiage.
Steps to Submit
New CIS Benchmarks Certification Requirements and Process
Effective for new Members with Membership start dates after January 1, 2025, and for existing Members upon their 2025 Membership renewal.
CIS Benchmarks™ Certification Requirements
By submitting a tool(s) for CIS Benchmarks™ Certification, the Member agrees to meet all the stated requirements. Member must submit once annually for each Certification type (Assessment, Remediation, and Configuration) and once annually for each Member’s Integrated Product(s). E.g., if the Member has two tools that each perform assessment and remediation against the CIS Benchmarks, the Member will submit for Certification four times: Tool 1 – Assessment, Tool 1 – Remediation, Tool 2 – Assessment, and Tool 2 – Remediation.
The Member declares to CIS® that said tooling and content accurately represents all CIS Benchmarks™ recommendations as described below.
- Member has CIS Benchmarks™ testing processes that ensure accuracy of results/configurations.
- Member has CIS Benchmarks™ quality assurance processes that ensure accuracy of results/configurations.
- Member will update to the latest version of any previously integrated CIS Benchmarks™ within 90 days of CIS Benchmarks™ release.
- Member will only submit for CIS Benchmarks™ Certification for actively supported CIS Benchmarks™. Archived Benchmarks are not available for Certification.
- Member attests that the number of recommendations implemented is equal to or greater than 90% of the total number of automated recommendations within that Level of the Benchmark. If less than 90%, written approval from CIS® is needed.
  - E.g., the CIS Benchmark™ has 100 recommendations in Level 1. Of the 100 total recommendations, 90 are marked as automated by CIS. The Member should implement at least 81 recommendations (81 = 90% of 90 recommendations).
- Member must provide a link to the CIS Benchmarks webpage (https://www.cisecurity.org/cis-benchmarks) prominently within the tool or public facing documentation to provide users a pathway to access the free for non-commercial use CIS Benchmarks PDFs for manual assessment and/or remediation.
- Member will make reasonable efforts to submit feedback on implementation methods, proposed improvements to the CIS Benchmarks™, or Certification exceptions submitted to the applicable CIS WorkBench Community as a ticket on the latest draft of the applicable CIS Benchmarks™.
CIS reserves the right to cancel a Certification (company, tool, and/or Benchmark) at any time.
For New Members and the Annual CIS Benchmarks Certification™ Process
- Navigate to https://www.cisecurity.org/support.
- Click on “CIS Benchmarks™ Certification”
- Fill out required fields marked with an asterisk*
  - Summary – Certification | [Organization Name]
  - Enter Certification Request Type
    - Certification
  - Select Certification Type
    - Configuration
  - Enter Company Name
  - Enter Tool Name (Tool Name must align with list of reported tools via the CIS Product Vendor Membership Attestation Form)
  - Enter Tool Version
  - Enter Benchmark
    - Enter ‘Provided list via CIS SecureSuite Product Vendor Member Attestation Form’
    - If a CIS SecureSuite Product Vendor Member Attestation Form has not been submitted, please contact your Account Manager.
- Attach evidence (screenshot or URL) of a link to the CIS Benchmarks webpage (https://www.cisecurity.org/cis-benchmarks) prominently within the tool or public facing documentation. Use this language within your tool or public facing documentation, “Not all recommendations from the CIS Benchmarks have been applied. Please refer to the CIS website to access the free CIS Benchmarks PDFs for more detail on the recommended settings.”
- In the Description section and/or as an attachment, provide:
  - Description of testing processes to ensure accuracy of results against CIS Benchmarks™.
    E.g., for Configuration, “At [Organization Name] we validate the accuracy of the environment that’s hardened against the CIS Benchmarks™ by scanning it with either CIS-CAT® Pro or a CIS Benchmarks Certified tool.”
  - Description of quality assurance processes to ensure accuracy of results against CIS Benchmarks™.
    E.g., “After completion of developer testing, we conduct the same testing as development to ensure accuracy of results and complete regression and release testing.”
  - Attestation that Member will update to the latest version of any previously integrated CIS Benchmarks™ within 90 days of CIS Benchmarks™ release.
    E.g., “I, [Organization Name], attest to the fact that all CIS Benchmarks will be updated to the latest version within 90 days of the CIS Benchmarks™ release.”
  - Attestation that the number of recommendations implemented is equal to or greater than 90% of the total number of automated recommendations within that Level of the Benchmark. If less than 90%, written approval from CIS is needed. To obtain written approval, follow the instructions in the ‘For Members with Less Than 90% of the Automated Recommendations’ section below.
    E.g., the CIS Benchmark has 100 recommendations in Level 1. Of the 100 total recommendations, 90 are marked as automated by CIS. The Member should automate at least 81 recommendations (81 = 90% of 90 recommendations).
For Updates to List of CIS Benchmarks Throughout the Term
- Navigate to https://www.cisecurity.org/support.
- Click on “CIS Benchmarks™ Certification”
- Fill out required fields marked with an asterisk*
  - Summary – Certification List Update | [Enter full CIS Benchmark name, version, and profiles, if not certifying against the entire Benchmark according to list of CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks]
  - Enter Certification Request Type
    - Update to Certification List
  - Select Certification Type
    - Configuration
  - Enter Company Name
  - Enter Tool Name (Tool Name must align with list of reported tools via the CIS Product Vendor Membership Attestation Form)
  - Enter Tool Version
  - Enter Benchmark
    - Enter full CIS Benchmark name, version, and profiles, if not certifying against the entire Benchmark according to list of CIS Benchmarks: https://www.cisecurity.org/cis-benchmarks
    - Only the latest CIS Benchmark version will be accepted for a given technology.
    - Upon submission of an updated version of a CIS Benchmark, it will supersede the previous CIS Benchmark version, e.g., Certification is listed for CIS Benchmark v1.0.0. When you submit CIS Benchmark v2.0.0, v1.0.0 will be removed, and v2.0.0 will be added to the dedicated vendor profile page on the CIS website.
For Members with Less Than 90% of the Automated Recommendations
- Navigate to the files section of CIS WorkBench.
- Search for the CIS Benchmark(s) you’re certifying against.
- Download the Excel versions of the CIS Benchmark(s) you’re certifying against.
- Add two columns to the sheet: one to indicate which recommendations cannot be implemented and the second to describe why the recommendations cannot be implemented.
- Within the first column, indicate all automated recommendations that cannot be automated/implemented within your tool.
- Within the second column for each recommendation that cannot be automated/implemented, describe why. Some common reasons are unable to automate due to implementation method or the way the tool collects or remediates systems.
- Once the Excel document is complete, save it with the existing file name plus ‘ – Your Company Name’, so it clearly indicates the CIS Benchmark you’re seeking an exception for and your organization.
- Email it to your Account Manager with the following information:
  - Subject: CIS Benchmarks Certification – [Certification Type – Assessment, Remediation, Configuration] – [Your Company Name] – [Your Tool Name]
  - Body: I am seeking an exception for the attached CIS Benchmark because the tool cannot automate/integrate at least 90% of the automated recommendations within the CIS Benchmark.
- Please allow for one business week for review and response on the submission.
- If approved, proceed with the CIS Benchmarks Certification submission and your CIS Account Manager will attach the completed spreadsheet and approval email to your Certification submission.
Old CIS Benchmarks Certification Submission Process
For Members with Membership start dates prior to January 1, 2025, use the following steps to submit Certification, effective until your 2025 renewal.
CIS requires that a CIS SecureSuite Product Vendor Member submit for CIS Benchmarks Configuration Certification against the most recently published version of a CIS Benchmark. However, CIS does recognize that a Product Vendor Member may be in the process of completing the necessary product testing when an update to a CIS Benchmark is released by CIS. Under these circumstances, CIS will accept submission for Configuration Certification against the previous CIS Benchmark version with the understanding that (1) the submission is made within 60 days of the most recent CIS Benchmark version release; and (2) the Product Vendor Member submits a follow-on product Certification/Recertification request for the current version of the CIS Benchmark within 90 days of that most recent CIS Benchmark version release.
Submit one certification via our support portal here: https://www.cisecurity.org/support/ under the CIS SecureSuite Vendor Certification option. Include the following information in the form:
- Summary
- Certification Request Type
- Company
- Tool Name
- Tool Version
- CIS Benchmark(s) & Profile(s): ____________________________
- Attach
  - CIS-CAT report to show conformance to the CIS Benchmark version(s) and Profile(s) as applicable. If CIS-CAT is not applicable or does not provide coverage for the CIS Benchmark for which you are seeking certification, please submit and note accordingly so CIS Support can assist.
  - Exception report, if applicable. A list of any CIS Benchmark recommendation(s) for which your system/device/appliance/platform does not meet a scored recommendation. Please include an explanation for any such CIS Benchmark recommendation(s) regarding why your product is not configured to meet that recommendation(s).
  - A brief description of the system/device/appliance/platform, hardened in compliance with the CIS Benchmark(s), that is being submitted for CIS Benchmarks Configuration Certification.
- First Name
- Last Name
- Business Email Address
Upon submission, you will receive an email confirming receipt. CIS may reach out to request access to check/test product’s conformance to CIS Benchmark(s) and Profile(s). Please ensure that your configuration settings recognize that CIS Benchmarks are minimum due diligence security standards. Thus, a technical security control(s) that is configured for a higher level of security than that recommended by a particular CIS Benchmark’s recommendation(s) is considered to be in compliance with that particular CIS Benchmark.
Award of CIS Certification and Timeline
- CIS Certification attests that your product is configured according to the CIS Benchmark’s security configuration recommendations to the relevant IT system/asset.
- CIS Certification attests that a specific product accurately applies all of the scored recommendations in a specific, corresponding version of a CIS Benchmark and in the associated version of the CIS Configuration Assessment Tool (CIS-CAT) used to verify such IT system/asset.
- CIS Certification does not attest to your product’s ability to perform any other functions, including checking/scoring/reporting conformance/comparison with CIS Benchmark unless CIS Certification for such checking/scoring/reporting has also been awarded to your product.
- Award of CIS Certification is based initially on CIS’s review of a certification application and supporting materials that detail the testing and preparation conducted by your company.
- Depending on the number of CIS Certifications requested and when CIS receives an application for certification(s), CIS’s review is generally completed within two weeks.
- If there are issues that need to be addressed by your company, the time between your initial submission and award of CIS Certification(s) may take longer than two weeks.
You may market and sell your product(s) with the CIS Benchmarks Certified Badge corresponding to the specific certification type only after the respective product(s) has been awarded CIS Benchmarks Certification. CIS will provide the badge with the certification award email.
It is CIS’s intent to provide and preserve Membership equity and value. We understand that certain circumstances may not be addressed in the processes defined here. If you have any questions or particular circumstances related to your product and certification requirements that are not addressed in this document, please submit a support ticket at https://www.cisecurity.org/support, and we would be happy to discuss your particular circumstance and address your issues accordingly.