Public sector organizations can use industry-trusted configuration standards to simplify their DISA STIG compliance journey.

Organizations tasked with meeting regulatory framework compliance know (at least some of) the difficulties they will face along their compliance journeys. On top of the resource hours, for instance, it can be costly to ensure compliance.

Public sector organizations, as well as their contractors and consultants, understand the importance of Defense Information Systems Agency Security Technical Implementation Guide, or "DISA STIG," compliance. These configuration standards apply to DoD Information Assurance (IA) and IA-enabled devices/systems. The Center for Internet Security (CIS) builds CIS Benchmarks and CIS Hardened Images mapped to these guides to more easily assist with DISA STIG compliance.

CIS Benchmarks and CIS Hardened Images for OS security

CIS maintains more than 100 secure configuration guidelines across 25+ product families. This prescriptive guidance is developed by communities of cybersecurity experts. In fact, CIS manages the communities that develop the only consensus-based cybersecurity guidelines both created and accepted by industry, government, academia, and business. Notably, one of the largest areas of CIS Benchmark technology coverage is operating systems.

In addition to using CIS Benchmarks for OS security, organizations can turn to CIS Hardened Images for security in the cloud. These pre-configured virtual machine images bring CIS Benchmark configurations to the public cloud. Every CIS Hardened Image includes a CIS-CAT Pro assessment report that quickly provides evidence of compliance, and CIS patches these images regularly for vulnerabilities.
CIS Hardened Images are available on the Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Marketplaces.

OS security and DISA STIG compliance from CIS

While complying with regulatory frameworks like PCI DSS, HIPAA, the DoD Cloud Computing SRG, and DISA STIGs can be challenging, these frameworks recognize CIS Benchmarks as an acceptable configuration standard to help meet compliance. CIS Hardened Images already apply these standards to virtual machine images, saving both time and resources.

More specifically, the DoD Cloud Computing SRG indicates that CIS Benchmarks are an acceptable alternative to STIGs at Impact Level 2. The DoD Cloud Computing SRG, Version 1, Release 3 states: "Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs."

Although the DoD references CIS Benchmarks specifically, many organizations must still apply STIGs to DoD IA and IA-enabled devices/systems. That is why CIS offers CIS Benchmarks mapped directly to STIG standards for OS security. Furthermore, CIS builds CIS Hardened Images to CIS STIG Benchmark standards, so these virtual machine images also provide OS security that helps meet STIG compliance in the public cloud.

What's new: CIS STIG compliance resource updates

If you're familiar with CIS STIG resources, you'll now find structural updates to the profiles. Previously, the CIS STIG Benchmarks included a Level 3 profile to address recommendations needed for STIG compliance that were not covered in Levels 1 and 2. Now, a single STIG profile lets users easily identify all recommendations specific to the STIG. Recommendations that overlap with the other profiles, i.e., Level 1, Level 2, and Next Generation, also appear in the STIG profile.
If a recommendation in the STIG profile contradicts the corresponding CIS Benchmark recommendation, that is indicated in the recommendation's description.

To make STIG compliance even simpler, here is the breakdown of information you'll find in the "additional information" section of each CIS STIG Benchmark recommendation:

- Name, version, and date of the STIG release
- Vulnerability ID
- Rule ID
- STIG ID
- Severity

Pre-configured VMs for STIG compliance

Currently, CIS offers five CIS STIG Benchmarks as well as five CIS STIG Hardened Images across the AWS, Azure, GCP, and Oracle Cloud Marketplaces. The following CIS STIG Benchmarks are available for enhanced OS security: Amazon Linux 2, Microsoft Windows Server 2016 and 2019, Red Hat Enterprise Linux 7, and Ubuntu Linux 20.04 LTS. CIS is also excited to announce two additional CIS Benchmarks coming soon to help with STIG compliance: Apple macOS 11 and Red Hat Enterprise Linux 8.

CIS STIG Hardened Images by marketplace:

- Amazon Linux 2 STIG: AWS
- Microsoft Windows Server 2016 STIG: AWS, Azure, GCP, Oracle Cloud
- Microsoft Windows Server 2019 STIG: AWS, Azure, GCP, Oracle Cloud
- Red Hat Enterprise Linux 7 STIG: AWS, Azure, GCP
- Ubuntu Linux 20.04 LTS STIG: AWS, Azure, GCP, Oracle Cloud

CIS is proud to provide users with multiple resources to help attain OS security and meet STIG compliance. The full catalog of CIS Hardened Images is listed on the CIS website.