CIS Benchmark levels allow organizations to tailor security configurations to risk level and system criticality. This layered approach helps teams strengthen security while still accounting for operational requirements and performance constraints.
What You Will Learn
In this article, we explain what CIS Benchmark levels are and how they relate to the CIS Benchmarks themselves, how to use them, and the processes and tools that help you implement them, including:
- The purpose of CIS Benchmarks
- How to apply CIS Benchmarks
- How the benchmark development process works
- Guidance for implementing CIS Benchmarks
- How CIS Benchmarks relate to other frameworks and standards
What are CIS Benchmarks?
CIS Benchmarks are prescriptive configuration recommendations, that is, the actions you must perform to harden your servers. The benchmarks cover various platforms and technologies such as operating systems, cloud environments, databases, web browsers, and mobile devices.
Benchmark Structure
Each benchmark includes the following information:
- Setting name – The name of the recommended action, and its level (L) of importance:
  - L1 – Mandatory recommendation, implement immediately
  - L2 – Implemented at a later stage of the hardening project
  - NA – Lower importance due to specific configuration dependencies
- Profile Applicability – Component affected by this policy.
- Description – Description of the setting’s rule.
- Rationale – The rationale behind setting the rule the way it is recommended.
- Impact – any expected impact on your production.
- Audit – audit recommendations for this rule.
- Remediation – ways you can enforce this rule on your machine.
- Default value – Default value of the setting.
- References – Reference to the relevant CCE
- CIS Controls – Relevant CIS Controls.
CIS Benchmark Development Process
CIS creates benchmarks with a global, consensus-driven process involving over 12,000 IT and cybersecurity experts. CIS defines the scope of each benchmark and drafts the initial recommendations. Experts then collaborate to review and refine those recommendations. When consensus is reached, CIS publishes the benchmark. After release, CIS collects community feedback for future releases, which keeps the guidelines effective over time.
Release Schedule
Regardless of the Windows build version in use, CIS Windows Benchmarks are designed to apply to all build versions up to the most recent one, which saves time when searching for a benchmark matching a specific build number.
Windows Server
Starting in March 2023, all CIS Windows Server and Windows Workstation Benchmarks are updated annually to align with Microsoft’s update schedule. CIS regularly updates the Windows Benchmarks within 90 days of each Windows release.
The release schedule of new CIS Benchmarks depends on the release schedule of the technology the benchmark supports and the Benchmark Community.
Download Formats
CIS releases benchmarks as free PDF files. For paid CIS SecureSuite Members accounts, downloads are available in Word, Excel, and XML formats.
CIS Benchmark Categories
CIS Benchmarks are organized into eight categories. Each category helps IT teams identify and apply the relevant benchmarks.
1. Operating System Benchmarks
Step-by-step guidance for securely configuring various operating systems, including Windows, Linux, and macOS. Topics include user and access controls, authentication policies, logging, permission settings, and system services.
2. Server Software Benchmarks
Focus on securing server applications such as Microsoft Windows Server, Kubernetes, SQL Server, Apache, etc. They ensure application servers and backend systems are hardened against exploitation, remove unnecessary services, and control administrative access to server components.
3. Cloud Infrastructure and Services Benchmarks
Secure cloud environments like AWS, Microsoft Azure, and Google Cloud Platform. The guidelines provide detailed guidance on securing identity and access management (IAM), virtual networks, encryption settings, logging, and monitoring.
4. Mobile Device Benchmarks
Target mobile operating systems and devices, such as smartphones and tablets. Recommendations include controls for app permissions, developer mode restrictions, password policies, encryption, and privacy settings. These help organizations protect sensitive data on mobile endpoints and enforce enterprise mobile security standards.
5. Network Device Benchmark
Describes how organizations can secure infrastructure such as routers, firewalls, switches, and VPN appliances.
These include both vendor-neutral and vendor-specific recommendations to help prevent misconfigurations that could expose internal systems and ensure secure communication across the network.
6. Desktop Software Benchmarks
Covers desktop software like web browsers, email clients, and office productivity tools. They include hardening guidance and best practices related to user access, software permissions, browser extensions, and security features. Implementing these helps protect end-user workstations, which are often targeted in phishing and malware attacks.
7. Multi-Function Print Devices Benchmark
Address the security of multi-functional printers and copiers, which are often overlooked when it comes to vulnerabilities.
Recommendations include firmware management, access control, secure printing features, and disabling unnecessary network protocols. Properly securing these devices helps prevent data leaks and unauthorized access to the network.
8. DevSecOps Tools Benchmark
Gives guidance for software lifecycle management and DevSecOps, such as integrating security into CI/CD pipelines and protecting the software supply chain.
This includes secure configuration for tools like Jenkins, GitLab, and others, helping enforce best practices throughout the development process.
CIS Levels Explained
Every CIS Benchmark is associated with at least one level profile. This provides a flexible framework for organizations, allowing them to configure the right balance of security and usability depending on their specific needs and use case.
CIS Level 1
Essential basic security requirements with little or no performance impact or reduced functionality. The intent of Level 1 is to reduce the attack surface while allowing machines to remain operational and not hindering the business’s functionality.
CIS Level 2
More stringent security settings for environments where security is paramount. Recommendations associated with Level 2 can cause a reduction in the functionality of a system and have adverse effects if not correctly implemented.
STIG
Security configurations that overlap with recommendations from Level 1 and Level 2.
Seven Steps to Apply CIS Levels to System Hardening
CIS Benchmark implementation is a big step towards achieving a hardened infrastructure. It is also one of the most complicated ones.
To harden systems effectively:
- Define a baseline aligned to risk and system criticality using CIS Benchmarks or DISA STIGs.
- Keep systems patched to reduce exposure to known vulnerabilities.
- Enforce strong authentication, including complex passwords or MFA.
- Review access regularly to ensure permissions remain appropriate.
- Disable unnecessary services and protocols to reduce the attack surface.
- Monitor configurations automatically using tools that support SCAP.
- Enforce configurations continuously with system configuration management tools.
CIS Level Compliance Tools
To effectively evaluate and enhance cybersecurity measures, we present CIS assessment tools designed to identify vulnerabilities, measure compliance, and strengthen overall security posture.
Scanners and Assessment Tools
Indicate your CIS Benchmark compliance and security posture. Using them will indicate the gap between your current policy and the CIS Benchmarks.
They will not provide any solution for closing this gap; you will have to test and enforce the changes yourself to improve your compliance posture. CIS offers its own scanner, CIS-CAT.
Configuration Management Tools
Configuration management tools are not necessarily specific to security purposes, but they allow the implementation of configuration changes on your infrastructure.
These tools are relevant only after you have scanned and found the gap between your policy and the CIS Benchmark and tested the predicted impact of each configuration change. Examples of this kind of tool are Chef, Ansible, and Tripwire Configuration Manager.
Hardening Automation Tools
Hardening automation tools basically provide a comprehensive solution for server hardening. They do everything from scanning, through implementing, and also monitoring and maintaining the compliance and security posture.
Hardening automation tools offer the following capabilities:
- Scanning and discovering the gap between your current policy and your desired policy.
- Learning your network and indicating what the impact of each configuration change will be.
- Implementing the new policy directly on production without testing or breaking anything.
- Monitoring, controlling, and preventing configuration changes, all from a single point of control.
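As an added example (not code from this article or from CalCom), the following Python script ties together the benchmark fields listed under Benchmark Structure (level, default value, audit, remediation, impact), the Level 1 / Level 2 profile selection from CIS Levels Explained, and the three tool roles described above: a scanner reports the gap, a configuration-management step produces the lines to enforce, and a monitoring step flags drift. It audits a constructed sshd_config snapshot; the recommendation identifiers (EX-SSH-*) and their level assignments are illustrative and not taken from a published CIS Benchmark, while the sshd keywords and their defaults are the documented ones from sshd_config(5).

```python
"""Minimal CIS-style audit of an sshd_config snapshot (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed snapshot of /etc/ssh/sshd_config (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# constructed sample for the example
Port 22
PermitRootLogin yes
MaxAuthTries 6
X11Forwarding yes
PermitEmptyPasswords no
# sshd keeps the FIRST value of a keyword, so this duplicate is ignored:
PermitRootLogin no
Match User backup
    PermitRootLogin no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global keyword -> value map (keys lower-cased).

    Per sshd_config(5): keywords are case-insensitive, the first occurrence of
    a keyword wins, lines starting with '#' are comments, and everything after
    the first 'Match' line is conditional, so the global audit stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


@dataclass(frozen=True)
class Recommendation:
    ident: str                    # constructed identifier, not a CIS number
    title: str
    level: int                    # 1 or 2; illustrative profile assignment
    keyword: str                  # sshd_config keyword, canonical casing
    default: str                  # sshd default used when the keyword is absent
    audit: Callable[[str], bool]  # True when the observed value complies
    remediation: str              # value to enforce
    impact: str


def _equals(expected: str) -> Callable[[str], bool]:
    return lambda v: v.lower() == expected


def _at_most(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) <= limit


CATALOG: List[Recommendation] = [
    Recommendation("EX-SSH-1", "Ensure SSH root login is disabled", 1,
                   "PermitRootLogin", "prohibit-password", _equals("no"), "no",
                   "Operators must log in as a named user and escalate"),
    Recommendation("EX-SSH-2", "Ensure SSH MaxAuthTries is 4 or less", 1,
                   "MaxAuthTries", "6", _at_most(4), "4",
                   "Clients offering many keys may be rejected sooner"),
    Recommendation("EX-SSH-3", "Ensure SSH PermitEmptyPasswords is disabled", 1,
                   "PermitEmptyPasswords", "no", _equals("no"), "no", "None expected"),
    Recommendation("EX-SSH-4", "Ensure SSH X11 forwarding is disabled", 2,
                   "X11Forwarding", "no", _equals("no"), "no",
                   "Breaks forwarding of remote graphical applications"),
]


def audit_profile(effective: Dict[str, str], profile_level: int) -> List[Tuple[str, bool, str]]:
    """Evaluate each recommendation in the profile; Level 2 includes all Level 1 items.

    Returns (ident, compliant, observed). An absent keyword is audited against
    the sshd default, which is what the benchmark's Default value field is for.
    """
    results = []
    for rec in CATALOG:
        if rec.level > profile_level:
            continue
        observed = effective.get(rec.keyword.lower(), rec.default)
        results.append((rec.ident, rec.audit(observed), observed))
    return results


def gap_report(effective: Dict[str, str], profile_level: int) -> List[str]:
    """Scanner role: identifiers of failing recommendations; nothing is changed."""
    return [ident for ident, ok, _ in audit_profile(effective, profile_level) if not ok]


def remediation_plan(effective: Dict[str, str], profile_level: int) -> List[Tuple[str, str]]:
    """Configuration-management role: (sshd_config line to enforce, expected impact)."""
    by_id = {rec.ident: rec for rec in CATALOG}
    return [(f"{by_id[i].keyword} {by_id[i].remediation}", by_id[i].impact)
            for i in gap_report(effective, profile_level)]


def detect_drift(baseline: str, current: str, profile_level: int) -> List[str]:
    """Monitoring role: recommendations that passed in the baseline but fail now."""
    before = set(gap_report(parse_sshd_config(baseline), profile_level))
    after = set(gap_report(parse_sshd_config(current), profile_level))
    return sorted(after - before)


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for level in (1, 2):
        print(f"Level {level} gaps: {gap_report(cfg, level)}")
    for line, impact in remediation_plan(cfg, 2):
        print(f"enforce: {line:<24} impact: {impact}")
```

Two parsing details matter for a correct audit result: sshd applies the first value it reads for a keyword, so a scanner that keeps the last value would report the duplicated `PermitRootLogin no` as a pass when the daemon is actually running with `yes`; and settings inside a `Match` block apply only to the matched sessions, so they must not be counted as the global value. The Level 2 profile reports the X11 forwarding gap that the Level 1 profile leaves alone, which is exactly the trade-off between the two levels described above.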
CIS Workbench
CIS relies on the WorkBench Communities to develop, revise, and edit the CIS Benchmarks and CIS Critical Security Controls (CIS Controls). Collaboration is an effortless way to track discussion topics and monitor the progress of CIS Benchmarks during the approval process. Users can easily create tickets, navigate group forums, and access publicly available resources for CIS Controls and CIS Benchmarks through the platform.

Enhancing Cybersecurity and Compliance with CIS Benchmarks
Regulations should also be taken into consideration when deciding whether or not to use CIS Benchmarks. It is fair to say that almost all the major regulations require CIS Benchmark compliance directly or indirectly.
Direct Compliance
| Standard | Description | CIS Benchmarks |
|---|---|---|
| Payment Card Industry Data Security Standard (PCI-DSS) | Security standards designed explicitly for protecting cardholder data. | Provide a reference for implementing secure configurations to meet PCI-DSS requirements. |
| Health Insurance Portability and Accountability Act (HIPAA) | US regulations for protecting sensitive patient health information. | Enhance healthcare providers’ security posture and align with HIPAA requirements. |
| Cybersecurity Maturity Model Certification (CMMC) | The US Department of Defense framework that assesses and enhances the cybersecurity posture of organizations in the defense supply chain. | Implement specific security controls and best practices aligned with CMMC requirements. |
Indirect Compliance
The National Institute of Standards and Technology (NIST) provides a comprehensive set of guidelines, controls, and best practices for various aspects of cybersecurity. NIST-based frameworks, such as the NIST Special Publication 800 series, align with CIS Benchmarks indirectly, and the standards below in turn reference NIST.
| Organization | Standard | Description |
|---|---|---|
| International Organization for Standardization (ISO) | ISO 27001 | Outlines requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). While ISO 27001 is a standard, NIST documents offer detailed guidance for ISO 27001 implementation. |
| New York State Department of Financial Services (NYDFS) | NYCRR Part 500 | Establishes cybersecurity requirements for financial institutions operating in New York. NYDFS specifically references NIST as a recognized industry standard in its regulation. |
| MITRE | ATT&CK | Comprehensive knowledge base of tactics, techniques, and procedures (TTPs) commonly employed by threat actors during cyber attacks. Provides organizations with a standardized framework for understanding and categorizing adversary behaviors. |
Key Takeaways
- CIS Benchmarks are a key part of your server hardening
- Success requires careful implementation
- Implement structured baselines as the first step of the process
- Hardening Is More than Configuration
- Tailor benchmarks to meet your compliance needs
- Automation increases the chance of successful results
How CalCom Can Help
Implementing hardening frameworks like CIS Benchmarks is a complex task that risks harming production systems. Before deploying benchmarks to production, you must perform lab testing. Because the enterprise’s network constantly changes, keeping track of the baseline hardening status and implementing CIS Benchmark hardening manually is almost impossible.
CalCom Hardening Suite (CHS) is the perfect solution for this painful issue. Using CHS, you can:
- Automate every stage of the configuration process, from baseline creation and policy enforcement to continuous monitoring and drift remediation, without risking downtime or performance impact.
- Eliminate manual hardening errors.
- Ensure consistent alignment with CIS, NIST, and other regulatory frameworks.
- Gain complete visibility into your security posture.
- Integrate policy automation and real-time reporting.
- Transform server hardening from a one-time task into a continuous, reliable compliance process.