New Options from CIS for STIG Compliance

Learn How CIS Helps Regulated Industries Meet Requirements


Staying secure can be a challenge, especially for organizations working in a regulated environment. Organizations in regulated industries can rely on the industry-recognized, community-developed CIS Benchmarks to help them meet their various cybersecurity compliance requirements. The CIS Benchmarks from The Center for Internet Security (CIS) are consensus-based secure configuration guidelines that help organizations around the globe meet common compliance framework requirements.

The CIS Benchmarks are recognized by multiple compliance frameworks from the Payment Card Industry Data Security Standard (PCI DSS) and Health Insurance Portability and Accountability Act (HIPAA), to the Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG). To ensure the CIS Benchmarks provide the most up-to-date information, CIS continues to work with a global community of cybersecurity experts to develop new and update existing Benchmarks, including new best practice guidelines for organizations that need to comply with DoD requirements.

Compliance with DoD STIGs and CIS Benchmarks

Guidance from the DoD indicates that CIS Benchmarks are an acceptable replacement for Security Technical Implementation Guidelines (STIGs). STIGs are configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems. Additionally, the DoD Cloud Computing SRG, version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, CIS recognizes that many organizations are still required to align with STIGs as the configuration standards for DOD IA and IA-enabled devices/systems.

New STIG-specific guidance from CIS

CIS now has a trusted option to configure systems according to STIGs, both on-premises and in the cloud. The first STIG-specific CIS release is the CIS Red Hat Enterprise Linux (RHEL) 7 STIG Benchmark. This expanded Benchmark contains:

  • The existing consensus-based CIS RHEL 7 Benchmark Level 1 and Level 2 profiles mapped to applicable STIG recommendations.
  • A new Level 3 profile that includes additional requirements from the STIG that aren't covered in the Level 1 and Level 2 profiles.

When users apply CIS Benchmarks and need to be STIG compliant, they’ll be able to apply all three profiles and quickly address the gaps between the original CIS Benchmark profiles and STIGs. This new Benchmark is available as a free PDF download.

Also, a new CIS Hardened Image that maps to this CIS RHEL 7 STIG Benchmark is available in AWS Marketplace, Google Cloud Marketplace, and soon to be released on Microsoft Azure. It's the first CIS STIG-compliant Hardened Image, and there are plans to continue to expand coverage based on additional feedback

Working securely in the cloud with CIS

The CIS Foundations Benchmarks provide recommendations for securing your account and related services in the public cloud. It's a recommended first step for any organization that wants to secure their cloud environment. Download the free PDF for non-commercial use.

CIS Hardened Images are pre-configured virtual machine (VM) images based on the security recommendations of the CIS Benchmarks. There are more than 30 CIS Hardened Images available on AWS Marketplace, Azure Marketplace, Google Cloud Platform, and Oracle Cloud Marketplace. See the full list.

Every CIS Hardened Image includes a CIS-CAT Pro Assessment report showing conformance to the related CIS Benchmark, as well as an exception report. This report outlines the configurations that aren't applicable in the cloud. CIS updates these Images monthly to address patching and vulnerabilities.

The CIS Hardened Image for RHEL 7 STIG is just one way to start secure and stay secure with CIS. Try it today!

Launch the CIS Hardened Image for RHEL 7 STIG in AWS Marketplace

Copyright © 2020 IDG Communications, Inc.