Center for Internet Security (CIS) are security configuration standards that help teams harden systems against threats and prove compliance with frameworks like NIST, PCI-DSS, and HIPAA. In this guide, you’ll learn why these benchmarks matter, when to use them, and how to apply them in real environments to reduce misconfigurations and strengthen security posture.
What you will learn
- The Purpose of CIS Benchmarks
- How CIS Benchmarks Are Structured
- Levels of CIS Benchmarks
- Challenges of Manual Implementation
- How CalCom Automates CIS Compliance
Understanding the CIS Controls, Benchmarks and Baselines
Controls are a list of 18 procedures for building a cyberattack resistant IT infrastructure. For example, the 4th Control advises organizations to establish and maintain a secure configuration process for enterprise assets. From this list, CIS creates benchmarks. Benchmarks provide technical guidelines, configuration recommendations, and best practices to protect computer systems, networks, and digital assets.
CIS releases collections of benchmarks called baselines for various hosts, platforms, and operating systems. Via the CIS Workbench, a global community of cybersecurity experts create and update baselined to address new threats and vulnerabilities.
When to Use CIS Benchmarks
Use CIS Benchmarks when:
- You want to harden systems against configuration-based attacks
- You need baseline configuration standards for audit and compliance
- You want to align with recognized cybersecurity best practices
How CIS Benchmarks are Developed
Phase 1: Drafting CIS Benchmarks
Baseline development is a unique, consensus-based process. A group of IT Experts and Cybersecurity 12,000 Professionals from around the world led this initiative. Each benchmark undergoes two phases of consensus review.
Phase 2: Enhancing Published CIS Benchmarks
Defines best practices to secure specific systems or platforms by drafting, reviewing, and refining each benchmark, ensuring the resulting recommendations are practical.
Publishing and Feedback
Once published, CIS Benchmarks enter a continuous feedback cycle. Users provide feedback, such as:
- How benchmarks perform
- Related issues
- Auggested improvements
- Highlighting unclear recommendations
- Emerging threats
The CIS team reviews feedback and then uses it to refine, update, and expand the benchmarks where necessary. Ensuring benchmarks stay relevant, practical and aligned with the most up-to-date best practices.
CIS Benchmarking Levels
CIS benchmarks provide levels of security settings known as configuration profiles.
- Level 1: Basic security recommendations and requirements that cause little or no interruption of service or reduce functionality.
- Level 2: Stringent security setting that increase security and reduce the potential attack surface.
- STIG (Previously Level 3): Includes additional requirements not covered in Level 1 and Level 2.
How to Read and Interpret CIS Benchmark Recommendations
All benchmarks are identically constructed rules and contain the same sections.
- Headline: The advice is contained in the HEADLINE and the proposal’s significance level (L1). A proposal can be categorized as L1, which must be executed; L2, which can be executed later in the hardening operation; or NA, which is the least essential proposal.
- Profile Applicability: The system component impacted by this policy is indicated by “profile applicability.”
- Description: A description of the rules of the setting.
- Rationale: The justification for establishing the regulation in the suggested manner.
- Impact: Potential effect.
- Audit: Audit suggestions for this rule.
- Remediation: Techniques to comply with this guideline.
- Default value: Initial configuration setting.
- CIS Controls: Associated policy.
How CIS Benchmarks Support Security Hardening and Compliance
By default, operating systems vendors prioritizes usability over security. As a result, attackers frequently penetrate an organization’s IT network. For example, in May, the Server Message Block (SMB) based WannaCry worm (May 2017), exploited default settings to distribute malware, despite Microsoft releasing appropriate security upgrades the previous year. Unless proper hardening actions are implemented, SMB worms like Brambul and RDP protocol malware continue to inflict daily losses of thousands of dollars.
Practically all significant regulations directly or indirectly call for CIS basline adherence. Indirect means that specific laws demand adherence to other frameworks, such as the NIST Cybersecurity Framework, but these frameworks refer to the CIS Baselines.
Each frameworks has specific objectives and requirements. To achieve comprehensive cybersecurity and compliance, organizations use multiple frameworks.
Implementing CIS Benchmarks: Manual vs. Automated Approaches
There are two options for implementing CIS baselines:
Manual Implementation
Manual hardening is labor-intensive and challenging, especially as configurations change and new assets are added. It involves downloading the CIS Benchmark PDF. Then you implement the suggested configuration changes manually.
Automated Solution
Automated tools simplify the implementation process. They make hardening faster and easier to achieve and maintain CIS benchmark compliance.
How to plan and manage a hardening project.
Tools to Implement and Enforce CIS Benchmarks
Scanners and Assessment Tools
Examine your CIS Benchmark compliance posture, and indicate gaps between your current policy and the CIS Benchmarks. They do not resolve gaps for you. You must test and enforce the changes to improve your compliance posture.
Configuration Management Tools
Configuration management tools implement infrastructure configuration changes. They are relevant only after you find gaps between the policy and benchmarks, and test the impact of each change.
Hardening Automation Tools
Hardening automation tools:
- Streamline repetitive hardening tasks,
- Save significant manual effort
- Reduce human error
- Optimize time and resources by monitoring potential drifts
- Eliminate the need to check the impact of each configuration change on your network.
Key Takeaways
- CIS Benchmarks provide expert-approved hardening guidelines
- Each benchmark increases organizational security
- CIS Levels 1 and 2 balance security strength with operational needs.
- Manual hardening is complex and error-prone.
- CalCom Hardening Suite (CHS) simplifies CIS compliance by automating configuration.
Learn More
Read more about how CIS benchmarks can make your system more secure.
