CIS-CAT® Pro FAQ

CIS-CAT Pro Assessor

Overview

What is CIS-CAT?

CIS Configuration Assessment Tool (CIS-CAT) compares the actual configuration settings of target systems to the secure configuration settings recommended in security automation content, primarily the CIS Benchmarks. CIS-CAT can understand content that conforms with Security Content Automation Protocol (SCAP).

How does CIS-CAT work?

CIS-CAT automatically compares a target system’s configuration settings to recommended settings in more than 80 CIS Benchmarks. CIS-CAT outputs a report with a conformance score ranging from 0 to 100 and offers written remediation guidance for each supported CIS Benchmark within the output report.

What's the difference between CIS-CAT Pro and CIS-CAT Lite?

CIS-CAT Pro offers multiple assessment reporting output formats (TXT, CSV, HTML, XML, JSON) that provide a conformance score for 80+ CIS Benchmarks.

CIS-CAT Lite is available as a preview for users. It offers HTML-based reporting output and a limited set of CIS Benchmarks (Microsoft Windows 10, Google Chrome, and Ubuntu). Review the full list of comparisons between the versions of Lite and Pro.

Is CIS-CAT Pro v4 a NIST SCAP-validated product?

No. We built CIS-CAT Pro Assessor v4 in conformance with NIST SCAP specifications, but it has not been formally validated. CIS-CAT Pro Assessor v3, our SCAP 1.2 validated product, will remain available in a limited capacity until December 31, 2022.

How can I access and utilize CIS-CAT?

Try CIS-CAT Lite for free by signing up to download. It does not require a license key. However, features and content are limited.

To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab.

CIS-CAT Pro requires a license to unlock full features and CIS Benchmark content. See our deployment guide on how to apply your organization’s license key.

Installation

Why is CIS-CAT a Java-based application?

To support the broadest possible portability, we created CIS-CAT as a Java application. It requires an available Java Runtime Environment (JRE) for execution.

What versions of Java do I need for CIS-CAT Pro?

See our CIS-CAT Assessor v4 and CIS-CAT Pro Dashboard configuration guides for up-to-date information on JRE/JDK requirements.

Is using Java with CIS-CAT Pro safe?

The security vulnerabilities reported are not about Java (the programming language). Instead, they're typically in the Java Sandbox, which uses a privileged model that permits safe execution of untrusted code and risks automatic execution of Java Applets in a browser. Oracle uses the “Java” trademark both for the programming language and the browser plugin that runs applets. CIS-CAT Pro uses the Java language as it offers the broadest possible platform portability. CIS-CAT Pro does not execute code in a browser, which is the source of most Java vulnerabilities.

Do I have to buy a Java license to use CIS-CAT Pro?

No. CIS-CAT Pro works with OpenJDK, which is free and available at jdk.java.net. OpenJDK will continue to receive security updates.

What if my organization doesn’t allow me to use OpenJDK?

If OpenJDK does not meet your organization’s needs, you can obtain Oracle Java releases through My Oracle Support (MOS) and other locations by paying a license fee. For organizations requiring security updates to Java 8, you can obtain these by paying a nominal license fee per server to Oracle.

If I choose to buy a Java license, how do I keep this cost low?

Assessor v4 offers remote scanning, which provides the benefit of maintaining Java on a single server only. This can help keep the cost of maintaining Java low.

Functionality

Does CIS-CAT Pro support assessment of remote systems?

Yes. Review our CIS-CAT Pro Assessor v4 online documentation to learn how to prepare for a remote Microsoft Windows or Linux assessment. For Windows, WinRM must be enabled, while Linux requires SSH. CIS-CAT Pro Assessor v4 also supports local and in-network scanning (centralized/share drive) workflows for Windows and Linux.

Is content for CIS-CAT Pro customizable?

Yes. We recommend utilizing CIS WorkBench to customize CIS Benchmark automated assessment content. Review our tailoring functionality to customize CIS Benchmark recommendations to more closely match organizational policies. Tailored benchmarks can be exported, placed in the CIS-CAT "benchmarks" folder and utilized to perform configuration assessments.

What if the CIS Benchmark I am looking for is not available in CIS-CAT Pro?

Some CIS Benchmark prose is not accompanied by the automated assessment content that CIS-CAT Pro needs to perform an assessment, which means that only manual inspection of configuration state can be performed.

We are always looking for technology experts to help us develop content, review recommendations, and test the CIS Benchmarks. If interested, join a community or contact us at [email protected] to inquire about the process. You can also join the CIS Member Benchmark Wish List Community and post your request.

Can I use CIS-CAT Pro to audit mobile device configurations?

No. CIS-CAT Pro does not currently support automated assessments of mobile device configurations. CIS Benchmarks are available for download through CIS WorkBench for various mobile platforms; they may be audited, configured, and remediated manually.

Results

What if my CIS-CAT report is not 100% compliant?

Acceptable overall scores for configuration assessments are defined by each organization's security policies.

Many organizations find it reasonably possible to score between 85 and 97% with a CIS Benchmark after remediation and before tailoring or exceptions.

Where organizations deviate from CIS recommendations and choose to tailor or except, some organizational security policies may require an exception report to document the rationale for tailored or excepted recommendations.

I have run CIS-CAT Pro and identified my areas of improvement. Now what?

CIS has developed CIS Build Kits in an effort to save our Members time and effort when remediating failed settings or recommendations identified in the CIS-CAT Pro report. Instead of manually remediating each failed setting, CIS Build Kits contain automated content to streamline this process.

For Windows, this automated content takes the form of group policy objects (GPOs) that are available to CIS SecureSuite Members via CIS WorkBench. Upon being downloaded, the GPOs can be unzipped and imported into your group policy management console. You can also make customizations, as the GPOs are not read-only. You can continue by applying the GPO to the appropriate organizational units or individual machines and push the configuration policy out. The chosen domain members will be reconfigured to be in compliance with the recommended settings in the Benchmark.

For Unix and Linux environments, the CIS Build Kits take the form of basic shell scripts that can be run through your machine or a corresponding tool of your preference. These scripts can be run on the appropriate CIS Benchmark profile intended to be configured against. At that point, the script will execute and apply the secure CIS Benchmark settings. We recommend reviewing the README files accompanying the scripts, as these resources contain content that cannot be remediated by the automated shell script, such as partitioning file systems or limiting root access.

CIS-CAT Pro Dashboard

Overview

What is CIS-CAT Pro Dashboard?

CIS-CAT Pro Dashboard is a dynamic web application and companion tool to CIS-CAT Pro Assessor. CIS-CAT Pro Dashboard consumes assessment reports and allows users to quickly view their configuration assessment performance over a two-year historical lookback, from overall compliance down to a particular system or CIS Benchmark.

To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from our community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab.

CIS-CAT Pro requires a license to unlock full features. See our deployment guide on how to apply your organization’s license key.

Can I import CIS Controls Assessment Module results into Dashboard?

Yes. CIS-CAT Pro Assessor produces the same output formats for the CIS Controls Assessment Module as it does for CIS Benchmarks. You can import the Asset Reporting Format (ARF) XML into the CIS-CAT Pro Dashboard to analyze your results over time.

Installation

What are the installation requirements for CIS-CAT Pro Dashboard?

See our deployment guide for installation requirements.

Functionality

What are some of the features of CIS-CAT Pro Dashboard?

Key features of CIS-CAT Pro Dashboard include:

  • Overview identification of assessment reports by date – View your entire ecosystem’s conformance to a particular CIS Benchmark or drill down to a particular system or group of systems.     
  • Sort assessment results per-Benchmark or per-device – Flexible reporting methods to let you view and sort data in multiple ways.
  • CIS Controls view for annotated CIS Benchmarks content – See how your systems compare to applicable CIS Controls best practices.

  • Custom device tagging – Sort systems by group (PCI, admin, etc.) and view the group’s compliance over time.

  • Except failed recommendations and re-score – Ability to create exceptions to CIS Benchmark content and recalculate assessment scoring.

  • In-dashboard alerts – Generate automatic in-dashboard alerts based on a user-configured configuration score difference value, and receive automatic in-dashboard alerts when new CIS-CAT Pro releases are available.
  • Track configuration drift – Show configuration drift from one assessment to the current with difference reports.

How often is CIS-CAT Pro Dashboard updated?

New features and bug fixes are released periodically for CIS-CAT Pro Dashboard. Join the CIS-CAT Discussion community on our CIS WorkBench to stay informed on new releases.

CIS Controls Assessment Module

What is the CIS Controls Assessment Module?

The CIS Controls Assessment Module is a semi-automated way to measure your organization’s application of CIS Critical Security Controls Implementation Group 1 in Windows 10 and Windows Server environments. It assesses compliance via a combination of scripts and survey questions. The module runs inside CIS-CAT Pro Assessor v4, leveraging Assessor’s ability to conduct both local and remote assessments.

How do the automated checks work?

The automated checks utilize PowerShell scripts. In the CIS Controls Assessment Module v1.0.2, there are 13 automated Safeguards checks. Some of these checks have values that can be customized in the Assessor Properties file.

Why aren’t all of the Safeguards automated?

Some Safeguards are more procedural in nature and don’t lend themselves to being automated. The CIS Controls Assessment Module uses survey questions so that organizations can still track their implementation of these Safeguards.

Why am I failing a particular automated check?

Each automated check is looking for something different. Refer to that check’s “Remediation” section for more information about the check and how to pass it. The “Remediation” section for each check is available in either the HTML output or the CIS-CAT Pro Dashboard output associated with each check. Additionally, you can view the script output for each automated check in the HTML output file by expanding the “Show Rule Result XML” under that check and looking between the 'and' tags.

Will I need to change my PowerShell settings so that the CIS Controls Assessment Module can run?

You should not need to change your PowerShell settings. It is important to note that when calling PowerShell scripts, CIS-CAT Assessor invokes the script with an “-ExecutionPolicy bypass,” temporarily bypassing the PowerShell execution policy for just the run of each of these scripts without changing the system’s overall PowerShell Execution Policy. Additionally, the Unblock-File PowerShell command will be run against the scripts when CIS-CAT Assessor calls them. This will result in the CIS Controls Assessment Module scripts remaining unblocked/trusted even after running the CIS Controls Assessment Module. These scripts are only designed to read configuration data from target systems. The use of the “-ExecutionPolicy bypass” and “Unblock-File” is designed to create a smoother user experience, but it is important that you consider any policy and security implications for your organization prior to running the CIS Controls Assessment Module.
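Because the execution policy is bypassed and the scripts are unblocked at run time, one way to account for the implications noted above is to inventory the scripts before an assessment. The following is an added example, not CIS code: it records each script's SHA-256 hash, Authenticode status and mark-of-the-web state, and compares the hashes with a baseline you saved earlier. `$ScriptRoot`, `$BaselinePath` and `-SaveBaseline` are names chosen for this example.

```powershell
# Added example, not CIS code. $ScriptRoot and $BaselinePath are placeholders
# you supply; no path here comes from CIS documentation.
param(
    [Parameter(Mandatory)] [string] $ScriptRoot,    # folder holding the module's .ps1 files
    [string] $BaselinePath,                         # CSV (Path,SHA256) from a trusted earlier run
    [switch] $SaveBaseline                          # write the current hashes to $BaselinePath
)

# Load known-good hashes, if a baseline exists.
$baseline = @{}
if ($BaselinePath -and (Test-Path -LiteralPath $BaselinePath)) {
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Path] = $_.SHA256 }
}

$report = Get-ChildItem -LiteralPath $ScriptRoot -Recurse -File -Filter *.ps1 | ForEach-Object {
    $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
    # Zone.Identifier is the NTFS stream that marks a downloaded file; Unblock-File deletes it.
    $motw = Get-Item -LiteralPath $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $state = 'NotInBaseline'
    if ($baseline.ContainsKey($_.FullName)) {
        $state = if ($baseline[$_.FullName] -eq $hash) { 'Unchanged' } else { 'CHANGED' }
    }

    [pscustomobject]@{
        Path      = $_.FullName
        SHA256    = $hash
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Blocked   = [bool]$motw          # True while the Zone.Identifier stream is present
        Baseline  = $state
    }
}

$report | Format-Table -AutoSize

if ($SaveBaseline -and $BaselinePath) {
    $report | Select-Object Path, SHA256 | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
}

# Non-zero exit lets a scheduler or wrapper stop before the assessment runs.
if ($report | Where-Object Baseline -eq 'CHANGED') { exit 1 }
```

Run it once with `-SaveBaseline` right after verifying a fresh download, then without the switch before each assessment.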

How do the survey questions work?

The non-automated Safeguards are assessed via survey questions. These are a series of 30 yes/no questions, one for each of the non-automated Safeguards. Answers to these survey questions can be saved in the Assessor Properties file (assessor-cli.properties), and the saved answers will be used for each assessment. If the organization changes its implementation status for a Safeguard (i.e., implements a new Safeguard), the corresponding saved answer can be updated in the Assessor Properties file, and that new answer will be used for future assessments.

Alternatively, you can set a question to be answered interactively in the Assessor Properties file by commenting out its answer line. This will result in the question being asked in the Assessor command prompt once for each machine in the assessment. The user can enter a ‘y’ or ‘n’ for each of these questions. These entered values will be used for the interactive questions rather than saved values from the Properties file.

Survey questions are yes/no. Affirmative answers can be provided with 'y' or 'yes' (case insensitive) and will result in a PASS for that Safeguard check. Anything not recognized as an affirmative answer (yes) will be treated as a negative answer (no) and will result in a FAIL for that Safeguard check.
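Since any value other than 'y' or 'yes' is scored as a FAIL without an error, a pre-flight check of the saved answers can catch typos before they lower a score. The following is an added example, not CIS code: the `survey.*` key names are hypothetical stand-ins for the real keys in assessor-cli.properties, the sample input is constructed, and trimming surrounding whitespace is an assumption about how values are read.

```powershell
# Added example, not CIS code. The "survey.*" key names are hypothetical;
# substitute the real key names from your own assessor-cli.properties.
param([string] $PropertiesPath)

$lines = if ($PropertiesPath) { Get-Content -LiteralPath $PropertiesPath } else {
    # Constructed sample input, not taken from a real properties file.
    @'
survey.example_q1=yes
survey.example_q2=Y
survey.example_q3=no
survey.example_q4=true
survey.example_q5=yse
#survey.example_q6=no
'@ -split '\r?\n'
}

$results = foreach ($line in $lines) {
    if ($line -match '^\s*[#!]\s*(survey\.[^=:\s]+)\s*[=:]') {
        # Commented-out answer line: the question is asked interactively for each machine.
        [pscustomobject]@{ Key = $Matches[1]; Value = $null; Outcome = 'INTERACTIVE'; Note = '' }
    }
    elseif ($line -match '^\s*(survey\.[^=:\s]+)\s*[=:]\s*(.*)$') {
        $key   = $Matches[1]
        $value = $Matches[2].Trim()            # assumption: surrounding whitespace is ignored
        $pass  = $value -match '^(y|yes)$'     # -match is case-insensitive by default
        $note  = ''
        if (-not $pass -and $value -notmatch '^(n|no)$') {
            # Neither an affirmative nor an explicit negative: it will be scored as "no".
            $note = 'unrecognized value, scored as no'
        }
        $outcome = if ($pass) { 'PASS' } else { 'FAIL' }
        [pscustomobject]@{ Key = $key; Value = $value; Outcome = $outcome; Note = $note }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit if any saved answer is neither yes nor no.
if ($results | Where-Object Note -ne '') { exit 1 }
```

With the constructed sample, `true` and `yse` are reported as FAIL with a note, while the commented-out line is reported as INTERACTIVE.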

Why am I failing all of the survey questions?

The default saved answer for all survey questions is set to 'no.' You should adjust these answers in the Assessor Properties file to reflect your organization’s implementation status for each Safeguard survey question.

How do I run the CIS Controls Assessment Module?

You can assess Windows 10 and Windows Server endpoints using the CIS Controls Assessment Module in much the same way that you perform other assessments via the command line using supporting sessions and configuration files.

Which profiles are available in the CIS Controls Assessment Module?

The CIS Controls Assessment Module has three profiles available:

  • Automated checks only
  • Survey questions only
  • Automated checks and survey questions

Where can I find out more about using the CIS Controls Assessment Module?

More information is available in the CIS Controls Assessment Module User Guide.

How can I contribute to the development of the CIS Controls Assessment Module?

We welcome you to join the CIS Controls Assessment Module Community on CIS WorkBench. There, you can start a discussion, ask questions, and make comments or suggestions to help shape the future of the CIS Controls Assessment Module.
