CIS benchmarks are publicly available security roadmaps offering core recommendations to guide organizations on hardening their IT systems against cyber threats. They were created by the Center for Internet Security (CIS), a community-based nonprofit organization striving to “create confidence in the connected world.”
Over 140 CIS benchmarks, in eight primary categories, have been created to date through a community-based consensus of IT professionals worldwide. These are mapped to the CIS Critical Security Controls and can also be aligned with other standardized frameworks such as NIST, PCI-DSS, HIPAA, and others.
CIS benchmarks have been designed to be a central guiding factor in preparing a comprehensive cybersecurity program. While CIS makes its benchmark guidelines available as free PDF downloads to security professionals for non-commercial use, the organization also makes money through commercial membership and add-on services.
Free Cloud Security Risk Assessment
Connect with a Wiz expert for a personal walkthrough of the critical risks in each layer of your environment.
Learn more
How do CIS benchmarks make your organization safer?
Because CIS benchmarks are created via consensus by IT professionals worldwide, they are well-known and widely accepted. These professionals have aggregated a wide range of lessons learned and best practices that can give any organization a powerful head start against cyber adversaries.
Following CIS benchmarks offers your organization numerous benefits:
Reduced attack surface by minimizing exploitable weaknesses
Stronger baseline security with a solid foundation
Alignment with industry standards, potentially reducing audit risks while simplifying compliance and overall security posture
Reduced misconfigurations thanks to clear configuration guidelines
Better resilience against the most common known threats as determined by industry consensus
CIS benchmarks are also vendor-agnostic, providing combined intelligence from the global IT community. Beyond hardening security across a wide range of systems and devices, following CIS benchmark remediations can also improve system performance and sustainability.
8 categories of CIS benchmarks
To aid organizations in determining which CIS benchmarks are most relevant to their security program, they are divided into eight general categories.
Cloud provider: Offers best practices for configuring identity and access controls (IAM), system logging mechanisms, network security settings, and compliance-aligned safeguards; includes Amazon Web Services (AWS, e.g., AWS Compute Services), Alibaba Cloud, Microsoft 365, and others
Desktop software: Provides secure configuration guidance for popular desktop applications, encompassing email security, mobile device management, web browsing, and third-party software risk mitigation. It contains subcategories that include productivity software (e.g., Microsoft Office, Zoom) and web browsers (e.g., Mozilla Firefox, Safari)
DevSecOps tools: Aids security teams in securing DevSecOps pipeline, providing best practices for configuring security controls within development and integration tools; includes software supply chain security measures for GitHub and GitLab
Mobile devices: Helps teams focus on optimizing developer settings, operating system privacy configurations, secure web browsing settings, and granular app permission controls; includes subcategories for Apple iOS and Android
Print devices: Currently contains only one benchmark, CIS Multi-Function Device; focuses on hardening vulnerable devices including firmware updates, network configurations, wireless access, user management, and file-sharing controls
Network devices: Offers security hardening guidance encompassing both general best practices and vendor-specific configurations, ensuring optimal security for specific hardware; includes network security devices from Cisco and Palo Alto Networks
Operating systems: Covers controls for local and remote access, user account management, driver installation protocols, and secure web browser settings; subcategories include Linux (e.g., Debian, Ubuntu), Microsoft Windows, and Unix (e.g., IBM AIX, Apple macOS)
Server software: Provides recommendations encompassing administrative controls, virtual network policies, storage access limitations, and secure configurations for Kubernetes, including PKI certificates and API server settings; multiple subcategories include web servers (e.g., Microsoft IIS), database servers (e.g., MongoDB), and virtualized servers (e.g., Kubernetes)
Anatomy of a CIS benchmark
Each CIS benchmark contains a list of recommendations for a particular product, with the number of recommendations depending on the complexity of the product.
Many benchmarks contain hundreds of very detailed recommendations. For each recommendation, its assessment status notes whether it can be automated or requires manual configuration.
Each CIS benchmark is assigned one of two profiles:
Level 1: Basic security guidelines to attain an adequate level of security for non-mission-critical devices; Level 1 actions will rarely affect system functionality.
Level 2: Stronger security guidelines for mission-critical devices; these actions may impact system functionality but will provide far more bulletproof security.
Finally, each recommendation includes two areas of focus:
Audit: Helps you investigate how secure you are in one particular area
Remediation: Action steps with configuration recommendations to harden your system in that area
Here’s what you’ll see when you unpack a typical CIS recommendation:
CIS Foundations Benchmarks cover all aspects of cloud service provider (CSP) security for organizations like Amazon Web Services (AWS), Google Cloud Computing Platform, Microsoft Azure, Alibaba Cloud, and several others.
The following two examples are taken from the CIS Foundations Benchmark for AWS to give you a better idea of what you’ll see inside a typical benchmark recommendation. One is a Level 1 example (basic security guidelines), and the other is a Level 2 example (stronger security guidelines).
| Number | 1.19 | 2.12 |
|---|---|---|
| Title | Ensure that all the expired SSL/TLS certificates stored in AWS IAM are removed | Ensure MFA delete is enabled on S3 buckets |
| Assessment status | Automated | Manual |
| Profile | Level 1 | Level 2 |
| Description | To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. You can use ACM or IAM to store and deploy server certificates. Use IAM as a certificate manager only when you must support HTTPS connections in a region that is not supported by ACM. IAM securely encrypts your private keys and stores the encrypted version in IAM SSL certificate storage. IAM supports deploying server certificates in all regions, but you must obtain your certificate from an external provider for use with AWS. You cannot upload an ACM certificate to IAM. Additionally, you cannot manage your certificates from the IAM Console. | Once MFA Delete is enabled on your sensitive and classified S3 bucket it requires the user to have two forms of authentication. |
| Rationale statement | Removing expired SSL/TLS certificates eliminates the risk that an invalid certificate will be deployed accidentally to a resource such as AWS Elastic Load Balancing (ELB), which can damage the credibility of the application/website behind the load balancer. As a best practice, it is recommended to delete expired certificates. | Adding MFA delete to an S3 bucket requires additional authentication when you change the version state of your bucket or you delete an object version adding another layer of security in the event your security credentials are compromised or unauthorized access is granted. |
| Impact statement | Deleting the certificate could have implications for your application if you are using an expired server certificate with ELB, CloudFront, etc. One has to make configurations at the respective services to ensure there is no interruption in application functionality. | Enabling MFA delete on an S3 bucket could require additional administrator oversight. Enabling MFA delete may impact other services that automate the creation and/or deletion of S3 buckets. |
| Audit procedure | Audit steps provided (console and command line) | Audit steps provided (console and command line) |
| Remediation procedure | Remediation steps provided (console and command line) | Remediation steps provided (command line only) |
| Default value | By default, expired certificates won't get deleted. | n/a |
| References | References provided | References provided |
| CIS Controls mapping | CIS v8 - 3.1 Establish and Maintain a Data Management Process CIS v7 - 13 Data Protection | CIS v8 - 3.3 Configure Data Access Control Lists 6.5 Require MFA for Administrative Access CIS v7 - 14.6 Protect Information through Access Control Lists |
Wiz: First agentless cloud security vendor to attain CIS SecureSuite Vendor Certification for cloud-managed Kubernetes
Read more
Wiz: First to market with built-in Kubernetes CIS benchmark certification
As an integrated cloud native application protection platform (CNAPP) platform, Wiz was the first vendor to be recognized with CIS SecureSuite Vendor Certification for three major Kubernetes benchmarks, simplifying compliance with the latest EKS, AKS, and GKE CIS Benchmarks while giving you a cloud-native way to secure your Kubernetes environments.
Adopting CIS Benchmarks helps your security teams learn from best practices and harden your entire organization against today’s leading threats. And with Wiz, you can do much of that from a single pane of glass, aggregating data from all your tools for actionable, prioritized insights based on “toxic combinations”—a unique vulnerability score based on real risk to your organization. And because it’s agentless, it’s easy to deploy across your entire organization, no matter its size.
Wiz lets you proactively identify vulnerabilities, with clear remediation guidance, staying far ahead of attackers to secure your cloud environments.
Get a demo today to start simplifying Kubernetes compliance and elevating your entire security posture with Wiz.
See how Wiz eliminates the manual effort and complexity of achieving compliance in dynamic and multi-cloud environments.
