CIS Benchmarks for Compliance

Written by Kelsey Kinzer on March 27, 2023


IT admins have some of the toughest, most thankless jobs.

While their day-to-day tasks may not be glamorous and flashy, the impact of their role can’t be overstated, especially when it comes to security and compliance.

Modern organizations have a legal obligation to keep their employee and customer data safe. And the Center for Internet Security (CIS) helps companies minimize their risk and maximize their protection, sharing the most up-to-date guidelines for cybersecurity.

But the more than 100 CIS Benchmarks tend to overwhelm IT leaders struggling with reduced budgets and resources. What they may not know is that implementing CIS Benchmarks doesn’t have to be painful.

Below, we’ll cover what CIS compliance is, why it’s important (even if you don’t work with the government), and how to use CIS Benchmarks to achieve it.

What Is CIS Compliance?

A company achieves CIS compliance when it has followed CIS security guidelines. To be CIS-compliant, organizations must implement a wide variety of recommendations outlined in the form of CIS Benchmarks. CIS compliance implies that organizations have taken the necessary steps to safeguard their data and systems from unauthorized access by internal and external actors.

Most governments require proof of CIS compliance for their vendors. And some require other forms of compliance as well, such as NIST, PCI DSS, and HIPAA. Implementing CIS Benchmarks leaves companies with a strong, broad risk management strategy that helps companies adopt other security frameworks, too.

What Are CIS Benchmarks?

CIS Benchmarks are a set of best practices published by the Center for Internet Security, curated by cybersecurity experts from around the world. These Benchmarks are designed specifically to mitigate known and emerging security risks within organizations’ digital systems, applications, and networks and serve as an international standard for companies that collect, store, and analyze sensitive data.

CIS Benchmarks apply to over 25 of the most commonly used vendor products, defining optimal settings and access management policies to combat malware, phishing, and ransomware attacks. CIS Benchmark recommendations and audit checklists are free and available for anyone to download online.

Benchmark Structure

To make CIS Benchmarks easier to follow, they all have an analogous structure. First comes a high-level description of the Benchmark, any definitions IT and security teams need to know, and an explanation of the Benchmark’s impact on cybersecurity. Then comes a prioritized checklist of recommended policies and configurations for organizations to implement and audit.

Scored and Unscored Recommendations

Each recommendation in a CIS Benchmark is considered “scored” or “unscored.” Scored recommendations are mandatory to attain CIS compliance. If scored recommendations aren’t put into practice, they decrease the company’s overall Benchmark score. Unscored recommendations, by contrast, do not affect an organization’s total Benchmark score. A list of scored and unscored recommendations is available in the appendix of each CIS Benchmark.

CIS Hardened Images

Beyond written recommendations, the CIS offers Hardened Images: virtual machines preconfigured with operating system configurations. Hardened Images serve as a template, meaning they can be copied and then adjusted to achieve varying levels of compliance. Companies take advantage of CIS Hardened Images because they are continuously updated by CIS, quick to deploy, and easy to manage.

CIS Benchmark Profiles

CIS uses several levels to distinguish between the resources and recommendations for each benchmark. Companies are encouraged to aim for the profile that best suits their compliance and security requirements.

  • Level 1 profile: Level 1 consists of relatively basic security recommendations that organizations can put into place quickly without significant disruption to internal or external stakeholders. The main goal of Level 1 is to decrease cybersecurity risk by minimizing entry points to IT systems.
  • Level 2 profile: Level 2 is meant to protect organizations that collect and store highly sensitive data. The policy and system considerations CIS outlines for this profile are more complex and tougher to implement than those in Level 1 and typically require extensive planning, change management, and subject matter expertise. Because of this rigor, implementing these recommendations sets organizations up for most regulatory requirements.
  • STIG profile: STIG, short for Security Technical Implementation Guide, is a set of configuration standards for organizations vying for U.S. government contracts. Although STIG is often referred to as Level 3 in CIS Benchmarks, the profile is somewhat separate from CIS in that it’s technically published and maintained by the Defense Information Systems Agency (DISA). Companies that do business with the government and the public sector might choose to achieve CIS and STIG compliance.

Benefits of Using CIS Benchmarks

CIS Benchmarks ensure that companies are preserving their product, employee, and customer data and minimizing the chances of a detrimental cyberattack by:

  • Implementing the most up-to-date industry standards for threat prevention
  • Having a documented process for uncovering and addressing harmful vulnerabilities 
  • Having a solid data governance process recognized by academics, research institutions, governments, and enterprise companies
  • Laying a foundation for compliance with other regulations such as NIST, PCI DSS, and HIPAA 

Hitting particular benchmarks gives vendors, clients, investors, and the general public confidence that the IT infrastructure powering modern organizations is safe and secure — today and in the future.



How to Use Benchmarks for CIS Compliance

The 100+ CIS Benchmarks help organizations achieve CIS compliance and limit their exposure to cyber threats across their tech stack.

Server Software

Servers can have multiple points of failure: storage settings, admin controls, permissions, and authentication. CIS Benchmarks specify configurations for the major server providers on the market, like VMware and Microsoft Windows Server, making them easy for IT and security teams to execute and enforce.

Multi-Function Print Devices

Although they may not immediately come to mind as potential weak points in your IT environment, printers, scanners, and copiers can be and have been hacked before. CIS Benchmarks outline proper firmware, wireless access, and file-sharing settings to prevent unwanted cyber threats in peripheral devices.

Cloud Providers

These days, virtually every company employs some form of cloud services. CIS Benchmarks describe optimal settings for popular infrastructure solutions such as Oracle Cloud, Google Cloud, Microsoft Azure, and Amazon Web Services. Safeguards include compliance controls, identity and access management, and network configurations.

Mobile Devices

In remote and hybrid workplaces, it’s not uncommon for employees to use mobile phones, tablets, or other connected devices in their daily work. CIS Benchmarks delineate the appropriate privacy settings, application permissions, browser settings, and developer settings for Android, iPadOS, and Apple iOS operating systems.

Desktop Software

Most employees spend most of their time working on a computer. CIS Benchmarks provide settings, access management, and device management recommendations for browsers like Mozilla Firefox and Google Chrome, widely used desktop applications like the Microsoft Office suite, and other third-party software.

Network Devices

Networks are another major point of entry for cyberattacks, so CIS Benchmarks provide configurations for virtual private networks (VPNs), firewalls, routers, and switches. Some benchmarks are specific to network vendors like Palo Alto Networks, Cisco, and Juniper but can also be applied to other providers to bolster an organization’s governance policy.

Operating Systems

Operating systems are a core component of an organization’s IT framework but can be particularly vulnerable to attack. There are CIS Benchmarks for personal and enterprise Linux, macOS, and Windows operating systems that dictate web browser settings, policies, user profile management, remote access, patch management, and driver installation.

JumpCloud’s Solutions for CIS Compliance and Meeting CIS Benchmarks

Adhering to CIS Benchmarks isn’t a simple process. But for companies dealing with sensitive data, CIS compliance will never be a nice-to-have — it’s a must-have. And it’s also not a one-and-done activity. Regulations and best practices are always changing as the world becomes more complex and cyberattackers evolve their strategies.

So how can IT and security teams get and stay on track?

JumpCloud helps you integrate CIS Benchmarks into your day-to-day operations, helping you manage data and security across your identity, access, and device management infrastructure. As an intuitive open directory platform, with built-in server authentication, cross-OS mobile device management (MDM), RADIUS, and more, JumpCloud has everything you need to keep up with modern IT hygiene and overcome the challenges that come with traditional system administration. JumpCloud gives you the automation, depth, and peace of mind you need to keep your company safe.

Ready for the best audit results you’ve ever had? Download our Guide to Data Compliance Hygiene today.

Kelsey Kinzer

Kelsey is a passionate storyteller and Content Writer at JumpCloud. She is particularly inspired by the people who drive innovation in B2B tech. When away from her screen, you can find her climbing mountains and (unsuccessfully) trying to quit cold brew coffee.
