CIS Benchmark Compliance — Level 1 and 2

How the Uplevel platform maps onto the Center for Internet Security benchmarks, what Level 1 covers out of the box, and what's needed to reach Level 2.

Introduction

The Center for Internet Security (CIS) benchmarks are a standardized way of describing a secure baseline for IT assets — servers, workstations, network devices, firewalls, phone systems, and so on. An organization that configures its systems according to the CIS benchmarks is considered “CIS compliant,” which saves it from re-deriving a secure baseline from scratch for every device.

CIS also publishes a set of CIS Controls — prescriptive best practices that cover devices, applications, data, network infrastructure, and user access policy. The controls are grouped into three implementation groups (IG1, IG2, IG3) of increasing rigour, and CIS publishes mappings from them to common regulatory regimes such as HIPAA and PCI DSS. Implementing the CIS Controls therefore covers a large part of what those regimes require, although the mapping is not one-to-one in either direction, so a control-by-control gap analysis is still needed for any specific audit.

CIS benchmarks in practice

A CIS benchmark has two ingredients:

  1. A set of configuration templates representing the “known good” configuration for each asset class deployed at a site.
  2. A method for auditing actual device configurations against those templates so that drift can be detected and corrected.

CIS benchmarks are published as checklists in the NIST National Checklist Program, whose guidance (NIST SP 800-70) defines how to write a security configuration checklist (also called a hardening guide). A checklist may take the form of a written procedure, an automated script, or a machine-readable template such as SCAP/XCCDF content. Vendors and third parties often publish device-specific checklists for particular use cases — for example, configuring a firewall to meet HIPAA — and submit them to the NIST program or to CIS for re-use.

CIS benchmarks describe how to configure assets; they don’t prescribe which assets to buy. Organizations are expected to work with their vendors and service providers to pick functions and features that an appropriate 800-70 checklist can then cover.

Compliance levels

Each CIS benchmark defines a Level 1 and a Level 2 profile, and some benchmarks add a STIG profile on top. In ascending order of security:

Level 1

A base profile that is quick to implement, provides a clear security benefit, and does not inhibit normal use of the system. It reduces the organization’s attack surface to a sensible default.

Level 2

A defense-in-depth profile aimed at security-conscious organizations. It includes everything in Level 1 and adds recommendations that can reduce performance or break functionality if applied without testing, so it needs to be rolled out deliberately.

STIG (formerly Level 3)

The Security Technical Implementation Guide profile aligns with United States Department of Defense cybersecurity requirements and is the highest tier found in a CIS benchmark. STIG profiles build on the Level 1 and Level 2 recommendations and are developed together with DISA (the Defense Information Systems Agency). Not every benchmark includes a STIG profile; where one is absent, Level 2 is the top tier.

Scoring

CIS compliance is reported as a percentage. The score rises as more in-scope devices are assessed against the relevant checklist, and as each device satisfies a greater proportion of that checklist. A 100% score requires every in-scope device to satisfy 100% of the scored items in its checklist.

Checklist items are tagged as either scored (mandatory — must be satisfied to count toward the score) or unscored (advisory — reported, but does not affect the score). Newer benchmark releases label the same distinction as Automated (a tool can verify the item) versus Manual (a person must assess it); either way, only the first kind contributes to the percentage, so a high score is not proof that the advisory or manual items have been reviewed.

How Uplevel maps onto CIS

The Uplevel platform meets a number of Level 1 expectations out of the box, because the factory-default configuration is already hardened to reduce attack surface. For example:

  • The internal stateful firewall is always on and presents a minimal attack surface on the public Internet.
  • Wi-Fi access always requires a password of at least 8 characters (the WPA2 minimum; longer passphrases are still advisable).
  • Guest access is always isolated and firewalled off from the rest of the network.
  • VLAN configurations for traffic isolation propagate consistently to every network device on the site.

Reaching CIS Level 1 is therefore largely a matter of not overriding the factory defaults — which has the helpful side effect of keeping configurations consistent across customer sites. Full Level 1 compliance still requires auditing every device against the remaining items in the relevant benchmark, since the defaults only cover the items listed above.

Reaching Level 2

Level 2 requires additional configuration on top of the defaults, which is where the NIST 800-70 checklist mindset comes in. A typical Level 2 checklist for an Uplevel deployment might call for:

  1. Enabling Threat Analysis (IDS/IPS) and content filtering on the gateway.
  2. Applying both to every VLAN that carries business traffic.
  3. Using VLANs to separate devices by business function — for example, isolating payment devices onto a dedicated VLAN and SSID to satisfy PCI-DSS.
  4. Enabling the Active Directory integration and configuring the relevant domain policies and accounts — for example, password complexity, screen locking, and removable-media controls to support HIPAA.

Because the entire Uplevel platform is configured through a single dashboard, complying with Level 2 reduces to writing a checklist that names the features and dashboard settings the organization needs, auditing the dashboard against it, and repeating the audit whenever the configuration changes so that drift is caught rather than assumed away.
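The following is an added example, not Uplevel's own code, of what a checklist-driven audit of this kind looks like once the checklist is machine-readable. It implements the two ingredients described under "CIS benchmarks in practice" (a known-good template plus an audit against it), the scored/unscored scoring rule from "Scoring", and the Level 1 and Level 2 layering from "Compliance levels". The checklist items, the configuration layout, and the two gateway snapshots are all constructed for illustration; Uplevel's actual dashboard export format is not assumed.

```python
"""Checklist-driven compliance audit in the NIST SP 800-70 spirit.

Added example, not Uplevel's code: the checklist items, the config layout and
the site data below are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Item:
    id: str
    title: str
    level: int                               # CIS profile: 1 or 2 (Level 2 includes Level 1)
    scored: bool                             # scored items count; unscored are advisory only
    check: Callable[[dict[str, Any]], bool]  # True when the device config satisfies the item


def payment_devices_isolated(cfg: dict[str, Any]) -> bool:
    """Every VLAN that carries a payment device must carry nothing else."""
    payment_vlans = {d["vlan"] for d in cfg["devices"] if d["role"] == "payment"}
    return not any(d["vlan"] in payment_vlans and d["role"] != "payment"
                   for d in cfg["devices"])


# Hypothetical checklist modelled on the Level 1 defaults and Level 2 steps in the article.
CHECKLIST = [
    Item("1.1", "Stateful firewall enabled", 1, True,
         lambda c: c["firewall"]["enabled"] is True),
    Item("1.2", "Every SSID passphrase is at least 8 characters", 1, True,
         lambda c: all(len(s["psk"]) >= 8 for s in c["ssids"])),
    Item("1.3", "Guest SSIDs are client-isolated", 1, True,
         lambda c: all(s["isolated"] for s in c["ssids"] if s["guest"])),
    Item("1.4", "Default admin account renamed", 1, False,
         lambda c: c["admin_user"] != "admin"),
    Item("2.1", "Threat Analysis (IDS/IPS) enabled on the gateway", 2, True,
         lambda c: c["threat_analysis"]["enabled"] is True),
    Item("2.2", "IDS/IPS and content filtering on every business VLAN", 2, True,
         lambda c: all(v["ids"] and v["content_filter"]
                       for v in c["vlans"] if v["business"])),
    Item("2.3", "Payment devices on a dedicated VLAN", 2, True, payment_devices_isolated),
]


def audit(cfg: dict[str, Any], profile_level: int) -> tuple[float, list[str], list[str]]:
    """Score one device config against all items at or below profile_level.

    Returns (score_percent, failed_scored_ids, failed_unscored_ids). A setting the
    config never had (KeyError) is drift too, so it is recorded as a failure
    rather than aborting the audit.
    """
    applicable = [i for i in CHECKLIST if i.level <= profile_level]
    results: dict[str, bool] = {}
    for item in applicable:
        try:
            results[item.id] = bool(item.check(cfg))
        except (KeyError, TypeError):
            results[item.id] = False
    scored = [i for i in applicable if i.scored]
    passed = sum(results[i.id] for i in scored)
    score = 100.0 * passed / len(scored) if scored else 100.0
    failed = [i.id for i in scored if not results[i.id]]
    advisory = [i.id for i in applicable if not i.scored and not results[i.id]]
    return score, failed, advisory


def site_score(configs: dict[str, dict[str, Any]], profile_level: int) -> float:
    """Site-wide score is the mean of per-device scores: 100% needs every device at 100%."""
    scores = [audit(c, profile_level)[0] for c in configs.values()]
    return sum(scores) / len(scores) if scores else 100.0


# Constructed snapshots of two gateways, shaped the way a dashboard export might look.
SITES = {
    "branch-a": {   # defaults kept and all Level 2 steps applied
        "firewall": {"enabled": True},
        "ssids": [{"name": "Corp", "psk": "correct-horse-battery", "guest": False, "isolated": False},
                  {"name": "Guest", "psk": "visitor-2024", "guest": True, "isolated": True}],
        "admin_user": "netops",
        "threat_analysis": {"enabled": True},
        "vlans": [{"id": 10, "business": True, "ids": True, "content_filter": True},
                  {"id": 20, "business": True, "ids": True, "content_filter": True},
                  {"id": 30, "business": False, "ids": False, "content_filter": False}],
        "devices": [{"name": "pos-1", "role": "payment", "vlan": 20},
                    {"name": "ws-1", "role": "workstation", "vlan": 10}],
    },
    "branch-b": {   # drifted: guest isolation overridden, filter never set, PC on payment VLAN
        "firewall": {"enabled": True},
        "ssids": [{"name": "Corp", "psk": "P@ssw0rd!", "guest": False, "isolated": False},
                  {"name": "Guest", "psk": "welcome123", "guest": True, "isolated": False}],
        "admin_user": "admin",
        "threat_analysis": {"enabled": True},
        "vlans": [{"id": 10, "business": True, "ids": True},          # content_filter missing
                  {"id": 20, "business": True, "ids": True, "content_filter": True}],
        "devices": [{"name": "pos-1", "role": "payment", "vlan": 20},
                    {"name": "ws-2", "role": "workstation", "vlan": 20}],
    },
}

if __name__ == "__main__":
    for level in (1, 2):
        for name, cfg in SITES.items():
            score, failed, advisory = audit(cfg, level)
            print(f"Level {level} {name}: {score:5.1f}% failed={failed} advisory={advisory}")
        print(f"Level {level} site score: {site_score(SITES, level):.1f}%")
```

Two design points carry over to a real audit. First, a setting that was never configured is reported as a failure, not skipped: the missing content filter on branch-b's VLAN 10 is exactly the kind of drift a checklist exists to catch. Second, the renamed admin account (item 1.4) never moves the percentage because it is unscored, so branch-b can sit at 50% at Level 2 while still carrying an open advisory item; the failed and advisory lists, not the score alone, are what an operator should act on.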
