What CIS Benchmarks Are (and How to Implement Them)

Wiz Experts Team
CIS Benchmarks key takeaways:
  • CIS Benchmarks are community-driven security guidelines that help organizations protect their IT systems against threats.

  • There are over 100 CIS Benchmarks within eight main categories across OS, cloud, network, and Kubernetes systems.

  • Security teams can align CIS with other frameworks such as NIST, PCI-DSS, and HIPAA to simplify audits and reduce compliance workload.

  • CIS Benchmarks are vendor-agnostic and an industry-wide best practice foundation for robust cybersecurity programs.

What are CIS Benchmarks?

CIS Benchmarks are publicly available security roadmaps that offer core recommendations to guide organizations in hardening their IT systems against cyber threats. The Center for Internet Security (CIS), a community-based nonprofit organization whose goal is “creating confidence in the connected world,” originally designed these Benchmarks. 

A global community of IT professionals has collaboratively developed over 100 CIS Benchmarks across more than 25 vendor families, which they’ve organized into eight primary categories. The Benchmarks distill real-world best practices into actionable guidance to help teams eliminate common misconfigurations and harden default settings.

Experts have also aligned the Benchmarks with CIS Critical Security Controls and other standardized frameworks, such as NIST, PCI-DSS, and HIPAA. And while CIS Benchmarks are vendor-agnostic, they do provide some vendor-specific guidance.


How do CIS Benchmarks make your organization safer?

[Figure: An example compliance assessment against CIS EKS Benchmarks]

Following CIS Benchmarks provides your organization with numerous benefits, including the following:

  • Reduced attack surface due to minimized exploitable weaknesses

  • Stronger baseline security with a solid foundation

  • Simplified compliance readiness for industry standards, which reduces audit risk and improves your overall security posture

  • Reduced misconfigurations, thanks to clear configuration guidelines

  • Greater resilience against the most common threats, according to an industry consensus

Material Security: A real-life use case for improving with Benchmarks

Material Security, the security platform behind Google Workspace and Microsoft 365, needed to enhance visibility and align its security with Benchmark standards. It chose Wiz to meet these standards and eliminate siloed tools.

According to Chris Long, Material’s senior director of security, “We don’t blindly implement controls just because they’re on a checklist. We look at what makes sense for us. Seeing that we’re at 90% compliance and figuring out what it takes to get that last 10% helps us proactively harden our production environment.”

This priority-based approach helps companies like Material meet CIS Benchmarks for stronger security environments.

8 categories of CIS Benchmarks

To help organizations identify which CIS Benchmarks best support their security programs, experts have grouped them into eight general categories:

  1. Cloud provider: These Benchmarks offer best practices for configuring identity and access management (IAM) controls, system logging mechanisms, network security settings, and compliance-aligned safeguards. Applicable providers include Amazon Web Services (AWS), Alibaba Cloud, Microsoft 365, and others.

  2. Desktop software: These provide secure configuration guidance for popular desktop applications, including email security, mobile device management, web browsing, and risk mitigation for third-party software. This category also contains subcategories that include productivity software (such as Microsoft Office and Zoom) and web browsers (like Mozilla Firefox and Safari).

  3. DevSecOps tools: This category aids security teams in securing the DevSecOps pipeline by providing best practices for configuring security controls within development and integration tools. It includes software supply chain security measures for GitHub and GitLab.

  4. Mobile devices: These Benchmarks help teams focus on optimizing developer settings, operating system privacy configurations, securing web browsing settings, and enforcing granular app permission controls. The category includes subcategories for iOS and Android.

  5. Print devices: This category currently contains only one benchmark: CIS Multi-Function Device. It focuses on hardening vulnerable devices, including firmware updates, network configurations, wireless access, user management, and file-sharing controls. (Note: CIS may add new device types as new threats arise.)

  6. Network devices: These Benchmarks offer security hardening guidance that encompasses both general best practices and vendor-specific configurations to ensure optimal security for specific hardware. These network security devices include those from Cisco and Palo Alto Networks.

  7. Operating systems: This category covers controls for local and remote access, user account management, driver installation protocols, and secure web browser settings. Subcategories include Linux (Debian, Ubuntu), Microsoft Windows, and Unix (IBM AIX, Apple macOS).

  8. Server software: These Benchmarks provide recommendations for administrative controls, virtual network policies, storage access limitations, and secure configurations for Kubernetes, including PKI certificates and API server settings. There are multiple subcategories, including web servers (like Microsoft IIS), database servers (like MongoDB), and virtualized servers (like Kubernetes).

The anatomy of a CIS Benchmark

Each CIS Benchmark assigns its recommendations to one of the following two profiles:

  • Level 1: This profile provides basic guidelines to achieve an adequate level of security for non-mission-critical devices. Level 1 actions will rarely affect system functionality.

  • Level 2: This level includes stronger security guidelines for mission-critical devices. These actions may affect system functionality but provide considerably stronger security.

To sum up the differences between these levels, Level 1 checks are broadly applicable and low-friction, while Level 2 benchmarks are more stringent and may introduce usability or operational tradeoffs if you apply them blindly.

Each CIS Benchmark is also a list of recommendations tailored to a particular product. The number of recommendations varies with the product’s complexity.

Many Benchmarks contain hundreds of extremely detailed recommendations. For each recommendation, its assessment status notes whether teams can automate it or if it requires manual configuration. 

Each recommendation also includes two areas of focus:

  • Audit: The procedure for verifying whether your system currently meets the recommendation in a specific area.

  • Remediation: The configuration steps that bring your system into compliance with the recommendation and harden it in that area.

How to implement CIS Benchmarks within your cloud environment

Embedding CIS Benchmarks into your cloud security means investing in automation and prioritization and building CIS standards into your security culture. With the right practices and technology, you can implement these standards through a streamlined approach. 

Here are a few ways to start:

Automate assessment and remediation

Manual checks don’t scale—but agentless, continuous scanning makes CIS adherence more scalable for large organizations. An automated approach enables organizations to meet CIS Benchmarks, save time, and enhance security. 

Solutions like Wiz, for example, offer agentless scanning and real-time assessments to improve your security across the board for all your needs, like computing, storage, networking, and Kubernetes. 

Manufacturing company Colgate-Palmolive, for instance, used Wiz’s agentless scanning and cloud native security platform to gain visibility across its cloud environment. Within minutes, the agentless solution surfaced critical risks and the action steps to remediate them.

According to Neelam Kumari, the brand’s cloud security architect, “Wiz helps us focus on the right risks while saving a lot of time. We’re now consistently developing products that are secure by design.”

Prioritize remediation using risk context

Automation is helpful, but prioritization is just as important—some issues need immediate attention due to potential risk escalations and damaging impact. 

You can meet Benchmarks more efficiently when you combine automation with a hierarchy of security needs. By taking this approach, your team can address risks quickly and make a more effective impact on your security health. 

Schrödinger, a drug discovery and material design company, knew the importance of prioritization, especially in an industry with such high standards for security and safety. But its team needed an all-in-one security solution that pointed out risk priorities so they could more easily address the most important issues first.

The company chose Wiz’s cloud native security solution for its risk prioritization and additional security features. This saved Schrödinger over $613k per year on cloud costs, eliminated vulnerabilities, and helped its team work collaboratively for a more secure cloud environment.

Inject Benchmarks into your CI/CD and DevSecOps workflows

To maintain and meet CIS Benchmarks, your organization should consider shifting left as much as possible. That means making security a priority from the ground up, from development to deployment. This holistic approach produces a much more secure and efficient cloud security program.

One way to shift left is by starting with CI/CD workflows. To do this, integrate CIS checks into your development pipelines with IaC validations, container scans, and pre-deployment controls. These steps help you catch any misconfigurations before deployment. 

Additionally, tools like Wiz Code can integrate with GitHub, GitLab, and Jenkins to find any CIS violations during your build. This speeds up both security and developer feedback loops.

Maintain continuous compliance

Benchmarking and reviewing your cloud infrastructure isn’t a set-and-forget practice. Instead, dynamic cloud environments require policy as code to enforce your CIS configuration settings. This automated approach can detect configuration drift and remediate it automatically (or notify you when a manual adjustment is needed).

Solutions like Wiz monitor your cloud posture for compliance against over 100 frameworks. You can use this, along with CIS, to maintain compliance with standards like NIST, HIPAA, and HITRUST.

Mapping CIS Benchmarks to risk reduction and compliance outcomes

Practicing security protocols that align with CIS Benchmarks improves your posture and regulatory compliance. But what does that look like? 

Below are some real outcomes from A+ CIS practices:

Attack surface reduction

  • Get rid of unnecessary or redundant services and ports and remove default credentials.

  • Eliminate vulnerabilities from certificates, such as expired SSL/TLS certificates.

  • Build a baseline with more configuration security to prevent drift.

  • Add more authentication for key operations like S3 MFA delete.

Compliance framework alignment

  • Align with key standards like NIST, PCI-DSS, HIPAA (for healthcare), and SOC 2.

  • Generate and collect audit-ready information with logging and documentation.

Measurable improvements for security

  • Reduce vulnerabilities over time.

  • Shorten your mean time to detection.

  • Lower cloud costs with proper configuration.

  • Reduce the cost of audit preparation and external assessments.

Operational wins and strategic value

  • Increase developer productivity and efficiency with CI/CD security checks.

  • Prioritize risks by importance and focus on the highest-impact controls.

  • Provide quantifiable improvements and measurements to stakeholders.

What you’ll see when you unpack a typical CIS recommendation

CIS Foundations Benchmarks cover the core aspects of cloud service provider security for providers such as AWS, Google Cloud Platform, Microsoft Azure, and Alibaba Cloud.

The following two examples are from the CIS Foundations Benchmark for AWS to give you a better idea of what you’ll see inside a typical benchmark recommendation. One is a Level 1 example (basic security guidelines), and the other is a Level 2 example (stronger security guidelines). But keep in mind that these recommendations and details can change. 

Example 1 (Level 1)
  • AWS Control ID: 1.19
  • Title: Ensure that teams remove all expired SSL/TLS certificates in AWS IAM.
  • Assessment status: Automated
  • Profile: Level 1
  • Description: To enable HTTPS in AWS, you’ll need an SSL/TLS server certificate. Use ACM to store and deploy it.
  • Impact statement: Deleting the certificate could have implications for your application if you’re using an expired server certificate with ELB, CloudFront, or other services. You should configure these services to ensure uninterrupted application functionality.
  • CIS Controls: CIS v8 – 3.1 Establish and Maintain a Data Management Process; CIS v7 – 13 Data Protection

Example 2 (Level 2)
  • AWS Control ID: 2.1.2
  • Title: Make sure to enable MFA Delete on S3 buckets.
  • Assessment status: Manual
  • Profile: Level 2
  • Description: Once you enable MFA Delete on a sensitive or classified S3 bucket, users must present a second authentication factor (MFA) before deletions are allowed.
  • Impact statement: Enabling MFA Delete on an S3 bucket could require additional administrator oversight. Also, adding MFA Delete may impact other services that automate the creation or deletion of S3 buckets.
  • CIS Controls: CIS v8 – 3.3 Configure Data Access Control Lists; CIS v8 – 6.5 Require MFA for Administrative Access; CIS v7 – 14.6 Protect Information Through Access Control Lists
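The two recommendations above each carry an Audit half and a Remediation half, and the earlier section on continuous compliance describes running such checks as policy as code that either remediates automatically or notifies an operator. The following added example (not code from the Wiz article or from CIS) implements both audits as functions over constructed, API-shaped input so it runs offline. It assumes the input dictionaries mimic the shapes returned by boto3's `iam.list_server_certificates()` and `s3.get_bucket_versioning()`; the control IDs, profiles and assessment statuses come from the two recommendations on this page, and the remediation strings name real AWS CLI commands but use placeholder MFA values.

```python
"""Added example, not code from the Wiz article or from CIS: the Audit and
Remediation halves of the two AWS Foundations recommendations above, written
as policy-as-code checks over constructed, API-shaped input.

Assumptions: input dictionaries mimic boto3's iam.list_server_certificates()
and s3.get_bucket_versioning() response shapes; in a live run you would
substitute the real calls for the SAMPLE_* constants."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Finding:
    control_id: str   # CIS AWS Foundations recommendation number
    profile: str      # "Level 1" or "Level 2"
    assessment: str   # "Automated" or "Manual", as in the recommendation
    resource: str
    remediation: str


# Constructed audit clock so the example is deterministic offline.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample shaped like
# iam.list_server_certificates()["ServerCertificateMetadataList"].
SAMPLE_IAM_CERTS = [
    {"ServerCertificateName": "legacy-web",
     "Arn": "arn:aws:iam::123456789012:server-certificate/legacy-web",
     "Expiration": datetime(2023, 1, 15, tzinfo=timezone.utc)},
    {"ServerCertificateName": "current-web",
     "Arn": "arn:aws:iam::123456789012:server-certificate/current-web",
     "Expiration": datetime(2027, 6, 1, tzinfo=timezone.utc)},
]

# Constructed sample: bucket name -> s3.get_bucket_versioning(Bucket=name).
# A bucket whose versioning was never configured returns no Status/MFADelete keys.
SAMPLE_BUCKET_VERSIONING = {
    "finance-records": {"Status": "Enabled", "MFADelete": "Disabled"},
    "audit-logs": {"Status": "Enabled", "MFADelete": "Enabled"},
    "scratch": {},
}


def audit_expired_server_certificates(certs, now=NOW):
    """Audit for 1.19 (Level 1, Automated): any IAM server certificate whose
    Expiration is at or before `now` is a finding."""
    findings = []
    for cert in certs:
        if cert["Expiration"] <= now:
            name = cert["ServerCertificateName"]
            findings.append(Finding(
                control_id="1.19", profile="Level 1", assessment="Automated",
                resource=cert["Arn"],
                # Per the impact statement, confirm no ELB/CloudFront listener
                # still references the certificate before deleting it.
                remediation=("aws iam delete-server-certificate "
                             f"--server-certificate-name {name}")))
    return findings


def audit_s3_mfa_delete(bucket_versioning):
    """Audit for 2.1.2 (Level 2, Manual): a bucket whose versioning
    configuration does not report MFADelete == "Enabled" is a finding."""
    findings = []
    for bucket, resp in bucket_versioning.items():
        if resp.get("MFADelete") != "Enabled":
            findings.append(Finding(
                control_id="2.1.2", profile="Level 2", assessment="Manual",
                resource=bucket,
                # MFA Delete can only be set by the account root user with an
                # MFA device; <MFA_DEVICE_ARN> and <CODE> are placeholders.
                remediation=("aws s3api put-bucket-versioning "
                             f"--bucket {bucket} "
                             "--versioning-configuration Status=Enabled,MFADelete=Enabled "
                             '--mfa "<MFA_DEVICE_ARN> <CODE>"')))
    return findings


def run_audit(certs, bucket_versioning, now=NOW):
    """Run every check and order findings so low-friction Level 1 items come
    first, then by control ID and resource within a level."""
    findings = (audit_expired_server_certificates(certs, now)
                + audit_s3_mfa_delete(bucket_versioning))
    return sorted(findings, key=lambda f: (f.profile, f.control_id, f.resource))


def triage(findings):
    """Split findings the way a continuous-compliance loop acts on them:
    Automated ones can be remediated by a pipeline, Manual ones become
    notifications for an operator."""
    auto = [f for f in findings if f.assessment == "Automated"]
    manual = [f for f in findings if f.assessment == "Manual"]
    return auto, manual


if __name__ == "__main__":
    auto, manual = triage(run_audit(SAMPLE_IAM_CERTS, SAMPLE_BUCKET_VERSIONING))
    for f in auto:
        print(f"[auto-remediate] {f.control_id} {f.profile}: {f.resource} -> {f.remediation}")
    for f in manual:
        print(f"[notify]         {f.control_id} {f.profile}: {f.resource} -> {f.remediation}")
```

Running the script against the constructed data yields one Automated finding (the expired `legacy-web` certificate) routed to auto-remediation and two Manual findings (the buckets without MFA Delete) routed to notification, which mirrors how the assessment status in each recommendation decides what a pipeline may fix on its own.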

Choosing Wiz to secure your cloud with CIS Benchmark standards

As an integrated, cloud native application protection platform, Wiz was the first vendor to receive the CIS SecureSuite Vendor Certification. It received the certification for three major Kubernetes Benchmarks, which simplifies compliance with the latest EKS, AKS, and GKE CIS Benchmarks while providing a cloud native way to secure your Kubernetes environments.

Along with Kubernetes standard features, Wiz provides the tools you need to meet CIS Benchmarks, help your security teams learn from best practices, and harden your entire organization against today’s leading threats. We help you accomplish much of that from a single pane of glass that aggregates data from all your tools to provide actionable, prioritized insights based on toxic combinations—a unique vulnerability score that reflects real risk to your organization. And because it’s agentless, Wiz is easy to deploy across your entire organization, no matter its size.

Overall, Wiz allows you to proactively identify vulnerabilities with clear remediation guidance so you can stay ahead of attackers and secure your cloud environments. Get our demo today to learn how Wiz can help you simplify Kubernetes compliance—and elevate your entire security posture.
