What are CIS Benchmarks?

CIS Benchmarks from the Center for Internet Security (CIS) are a set of globally recognized and consensus-driven best practices to help security practitioners implement and manage their cybersecurity defenses. Developed with a global community of security experts, the guidelines help organizations proactively safeguard against emerging risks. Companies implement the CIS Benchmark guidelines to limit configuration-based security vulnerabilities in their digital assets.

Why are CIS Benchmarks important?

Tools such as the CIS Benchmarks are important because they outline security best practices, developed by security professionals and subject matter experts, for deploying over 25 different vendor products. These best practices are a good starting point for creating a new product or service deployment plan or for verifying that existing deployments are secure.

When you implement CIS Benchmarks, you can better secure your legacy systems against common and emerging risks by taking steps such as these: 

  • Disabling unused ports
  • Removing unnecessary app permissions
  • Limiting administrative privileges

IT systems and applications also perform better when you disable unnecessary services. 

CIS Benchmarks example

For example, admins can follow the step-by-step CIS AWS Foundations Benchmark guidelines to help them set up a strong password policy for AWS Identity and Access Management (IAM). Password policy enforcement, multi-factor authentication (MFA) usage, disabling root, ensuring access keys are rotated every 90 days, and other tactics are distinct, but related, identity guidelines to improve the security of an AWS account.

By adopting CIS Benchmarks, your organization can gain several cybersecurity benefits, such as the following:

Expert cybersecurity guidelines

CIS Benchmarks provide organizations with a framework of security configurations that are expert-vetted and proven. Companies can avoid trial-and-error scenarios that put security at risk and benefit from the expertise of a diverse IT and cybersecurity community.

Globally recognized security standards

CIS Benchmarks are the only best practice guides that are globally recognized and accepted by governments, businesses, research, and academic institutions alike. Thanks to the global and diverse community that works on a consensus-based decision-making model, CIS Benchmarks have far wider applicability and acceptability than regional laws and security standards. 

Cost-effective threat prevention

The CIS Benchmark documentation is freely available for anyone to download and implement. Your company can get up-to-date, step-by-step instructions for all kinds of IT systems at no cost. You can achieve IT governance and avert financial and reputational damage from preventable cyberthreats.

Regulatory compliance

CIS Benchmarks align with major security and data privacy frameworks such as these:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework 
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Implementing CIS Benchmarks is a big step toward achieving compliance for organizations that operate in heavily regulated industries. They can prevent compliance failures due to misconfigured IT systems.

What types of IT systems do CIS Benchmarks cover?

CIS has published over 100 benchmarks that span 25+ vendor product families. When you apply and monitor CIS Benchmarks across all types of IT systems, you build an inherently secure IT environment that you can further defend with security solutions. Technologies that CIS Benchmarks cover can be broadly grouped into the following seven categories. 

Operating systems

CIS Benchmarks for operating systems provide standard security configurations for popular operating systems, including Amazon Linux. These benchmarks include best practices for features such as these:

  • Operating system access control 
  • Group policies
  • Web browser settings
  • Patch management 

Cloud infrastructure and services

CIS Benchmarks for cloud infrastructure provide security standards that companies can use to securely configure cloud environments, such as those provided by AWS. The guidelines include best-practice guidelines for virtual network settings, AWS Identity and Access Management (IAM) configurations, compliance and security controls, and more. 

Server software

CIS benchmarks for server software provide configuration baselines and recommendations for server settings, server admin controls, storage settings, and server software from popular vendors. 

Desktop software 

CIS Benchmarks cover most of the desktop software that organizations typically use. The guidelines include best practices for managing desktop software features, such as these:

  • Third-party desktop software
  • Browser settings
  • Access privileges
  • User accounts
  • Client device management

Mobile devices

CIS Benchmarks for mobile devices cover security configurations for operating systems that run on mobile phones, tablets, and other hand-held devices. They provide recommendations for mobile browser settings, application permissions, privacy settings, and more. 

Network devices

CIS Benchmarks also provide security configurations for network devices such as firewalls, routers, switches, and virtual private networks (VPNs). They contain both vendor-neutral and vendor-specific recommendations to ensure the secure setup and management of these network devices. 

Multi-function print devices

CIS Benchmarks for network peripherals such as multi-function printers, scanners, and photocopiers cover secure configuration best practices such as file sharing settings, access restrictions, and firmware updates.

What are CIS Benchmark levels?

To help organizations achieve their unique security goals, the CIS assigns a profile level to each CIS Benchmark guideline. Each CIS profile includes recommendations that provide a different level of security. Organizations can choose a profile based on their security and compliance needs. 

Level 1 profile

Configuration recommendations for the Level 1 profile are basic security recommendations for configuring IT systems. They are easy to follow and do not impact business functionality or uptime. These recommendations reduce the number of entry points into your IT systems, thereby reducing your cybersecurity risks.

Level 2 profile

Level 2 profile configuration recommendations work best for highly sensitive data where security is a priority. Implementing these recommendations requires professional expertise and diligent planning to achieve comprehensive security with minimal disruptions. Implementing Level 2 profile recommendations also helps with achieving regulatory compliance. 

STIG profile

The Security Technical Implementation Guide (STIG) is a set of configuration baselines from the Defense Information Systems Agency (DISA). The US Department of Defense publishes and maintains these security standards. STIGs are specifically written to meet US government requirements. 

CIS Benchmarks also specify a Level 3 STIG profile that is designed to help organizations comply with the STIG. The STIG profile contains Level 1 and Level 2 profile recommendations that are STIG-specific and provides more recommendations that the other two profiles do not cover but that are required by DISA’s STIGs. 

When you configure your systems according to the CIS STIG Benchmarks, your IT environment will be both CIS and STIG compliant.

How are CIS Benchmarks developed?

CIS communities follow a unique consensus-based process to develop, approve, and maintain CIS Benchmarks for different target systems. Overall, the CIS Benchmark development process looks like this:

  1. The community identifies the need for a specific benchmark.
  2. They establish the scope of the benchmark.
  3. Volunteers create discussion threads on the CIS WorkBench community website. 
  4. Experts from the specific IT system’s CIS community spend time reviewing and discussing the working draft. 
  5. The experts create, discuss, and test their recommendations until they reach a consensus.
  6. They finalize the benchmark and publish it on the CIS website.
  7. More volunteers from the community join in on the CIS Benchmark discussion.
  8. The consensus team considers the feedback from those who implement the benchmark.
  9. They make revisions and updates in the new versions of the CIS Benchmark.

The release of new versions of the CIS Benchmarks also depends on changes or upgrades to the corresponding IT systems.

How can you implement CIS Benchmarks?

Each CIS Benchmark includes a description of the recommendation, the reason for the recommendation, and instructions that system admins can follow to implement the recommendation correctly. Each benchmark can consist of several hundred pages because it covers each area of the target IT system.  

Implementing CIS Benchmarks and keeping up with all the version releases gets complicated if you do it manually. That’s why many organizations use automated tools to monitor CIS compliance. The CIS also offers free and premium tools that you can use to scan IT systems and generate CIS compliance reports. These tools alert system admins if the existing configurations don't meet CIS Benchmark recommendations.

What other security resources are included with the CIS Benchmarks?

The CIS also publishes other resources to improve an organization’s internet security, including the following two main resources.

CIS Controls

CIS Controls (formerly called CIS Critical Security Controls) is another resource that the CIS publishes as a comprehensive best-practice guide for system and network security. The guide contains a checklist of 20 safeguards and actions that are high priority and have proven effective against the most pervasive and destructive cybersecurity threats on IT systems.

CIS Controls map to most of the major standards and regulatory frameworks, such as these:

  • National Institute of Standards and Technology (NIST) Cybersecurity Framework
  • NIST 800-53
  • Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Federal Information Security Management Act (FISMA), and others in the ISO 27000 series of standards

CIS Controls give you a starting point for following any of these compliance frameworks. 

CIS Benchmarks vs. CIS Controls

CIS Controls are rather generic guidelines for securing entire systems and networks, but CIS Benchmarks are very specific recommendations for secure system configurations. CIS Benchmarks are a critical step for implementing CIS Controls because each CIS Benchmark recommendation refers to one or more of the CIS Controls.

For example, CIS Control 3 suggests secure hardware and software configurations for computer systems. CIS Benchmarks provide vendor-neutral and vendor-specific guidance along with detailed instructions that admins can follow to implement CIS Control 3. 

CIS Hardened Images

A virtual machine (VM) is a virtual computing environment that emulates dedicated computer hardware. VM images are templates that system admins use to quickly create multiple VMs with similar operating system configurations. However, if the VM image is configured improperly, the VM instances created from it will also be misconfigured and vulnerable. 

The CIS offers CIS Hardened Images, which are VM images that have already been configured to CIS Benchmark standards. 

Benefits of using CIS Hardened Images

CIS Hardened Images are useful because they offer the following features: 

  • Preconfigured to CIS Benchmark baselines
  • Easy to deploy and manage
  • Updated and patched by CIS

Depending on your security and compliance needs, you can choose CIS Hardened Images that are configured to a Level 1 or Level 2 profile. 

How to use CIS Benchmarks on AWS?

CIS is an AWS Independent Software Vendor (ISV) partner, and AWS is a CIS Security Benchmarks Member company. CIS Benchmarks include guidelines for secure configurations for a subset of AWS cloud services and account-level settings. 

For example, CIS outlines the best-practice configuration settings for AWS in CIS Benchmarks, such as these:

  • CIS AWS Foundations Benchmark
  • CIS Amazon Linux 2 Benchmark
  • CIS Amazon Elastic Kubernetes Service (EKS) Benchmark 
  • AWS End User Compute Benchmark

You can also access CIS-hardened Amazon Elastic Compute Cloud (EC2) images in the AWS Marketplace so you can be confident that your Amazon EC2 images meet CIS Benchmarks.

Similarly, you can automate the checks to ensure that your AWS deployment meets the recommendations set in the CIS AWS Foundations Benchmark standard. AWS Security Hub supports the CIS AWS Foundations Benchmark standard, which consists of 43 controls and 32 Payment Card Industry Data Security Standard (PCI DSS) requirements across 14 AWS services. Once AWS Security Hub is enabled, it immediately begins running continuous and automated security checks against each control and each relevant resource associated with the control.

Ensure CIS compliance for your cloud infrastructure and get started with AWS by creating a free AWS account today.

AWS CIS Benchmark next steps

Check out additional related resources
Learn more about AWS Cloud Security 
Sign up for a free account

Instantly get access to the AWS free tier. 

Sign up 
Start building in the console

Get started building with AWS in the AWS Management Console.

Sign in