
CIS Benchmarks

CIS Benchmarks are a set of best-practice security configuration guidelines developed by the Center for Internet Security (CIS) through a consensus-driven process, providing prescriptive guidance for hardening operating systems, cloud platforms, network devices, applications, and other technology components.

The Center for Internet Security (CIS) develops and maintains over 100 benchmarks covering a wide range of technologies, including operating systems such as Windows, Linux, and macOS; cloud platforms like AWS, Azure, and Google Cloud; databases, web servers, mobile devices, and containerization technologies. Each benchmark is developed through a collaborative process involving cybersecurity experts from academia, government, and industry.

CIS Benchmarks are organized into two implementation levels. Level 1 recommendations provide essential security configurations that can be implemented with minimal impact on system functionality and are suitable for most organizations. Level 2 recommendations provide more advanced security configurations intended for environments requiring heightened security, though they may reduce system functionality or usability.

Each recommendation within a benchmark includes a description of the security concern, the rationale for the recommendation, step-by-step audit procedures to check current configuration, and remediation steps to implement the recommended setting. This structured approach makes CIS Benchmarks highly actionable for system administrators and security teams.

CIS Benchmarks are widely referenced in regulatory and compliance frameworks. Many organizations use them as the foundation for their security hardening standards, and several compliance regimes such as PCI DSS, HIPAA, and FedRAMP recognize CIS Benchmarks as an acceptable means of demonstrating baseline security configurations. Automated scanning tools frequently include CIS Benchmark checks, enabling continuous monitoring of configuration compliance.
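The recommendation structure and automated checking described above can be sketched as follows. This is an added example, not code from CIS or from any scanning tool: the three recommendations, their IDs (`EX-1` to `EX-3`) and level assignments are hypothetical and not quoted from any CIS Benchmark, and the configuration text is constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample input in sshd_config style (not taken from a real host).
SAMPLE_CONFIG = """\
# constructed sample
PermitRootLogin yes
MaxAuthTries 4
AllowTcpForwarding yes
"""

@dataclass
class Recommendation:
    rec_id: str        # hypothetical ID, not a CIS recommendation number
    level: int         # implementation level: 1 or 2
    description: str
    rationale: str
    audit: Callable[[Dict[str, str]], bool]  # True means compliant
    remediation: str

def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines; keywords are case-insensitive, first value wins."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings.setdefault(parts[0].lower(), parts[1].strip().lower())
    return settings

# Hypothetical recommendations for illustration only.
# Assumption: a missing or malformed setting counts as non-compliant.
RECOMMENDATIONS = [
    Recommendation("EX-1", 1, "Disable SSH root login", "Keeps actions attributable to named users",
                   lambda s: s.get("permitrootlogin") == "no", "Set 'PermitRootLogin no'"),
    Recommendation("EX-2", 1, "Limit authentication attempts", "Slows password guessing",
                   lambda s: s.get("maxauthtries", "").isdigit() and int(s["maxauthtries"]) <= 4,
                   "Set 'MaxAuthTries 4' or lower"),
    Recommendation("EX-3", 2, "Disable TCP forwarding", "Removes a tunnelling path; may break workflows",
                   lambda s: s.get("allowtcpforwarding") == "no", "Set 'AllowTcpForwarding no'"),
]

def run_audit(config_text: str, profile_level: int) -> List[Tuple[str, str, str]]:
    """Return (rec_id, PASS/FAIL, remediation if failed) for the chosen profile."""
    settings = parse_config(config_text)
    results = []
    # Assumption: a Level 2 profile also applies every Level 1 recommendation.
    for rec in (r for r in RECOMMENDATIONS if r.level <= profile_level):
        ok = rec.audit(settings)
        results.append((rec.rec_id, "PASS" if ok else "FAIL", "" if ok else rec.remediation))
    return results
```

Running `run_audit(SAMPLE_CONFIG, 1)` reports only the Level 1 items, while a profile level of 2 adds the stricter forwarding check and its remediation text.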

Related Terms

compliance, hardening, configuration, benchmarks
