
How to Meet STIG Compliance and Achieve OS Security With CIS

By admin

Oct 6, 2021


Organizations tasked with meeting regulatory framework compliance know the difficulties they will face. On top of the resource hours, it can be costly to ensure compliance. Public sector organizations, as well as their contractors and consultants, also understand the importance of Defense Information Security Agency Security Technical Implementation Guides (DISA STIGs) compliance. These configuration standards apply to DoD Information Assurance (IA) and IA-enabled devices/systems. The Center for Internet Security (CIS) builds CIS Benchmarks and CIS Hardened Images mapped to these guides to more easily assist with DISA STIG compliance.

CIS Benchmarks and Hardened Images for OS Security

CIS maintains more than 100 secure configuration guidelines across 25+ product families. This prescriptive guidance is developed by communities of cybersecurity experts. In fact, CIS manages the communities that develop the only consensus-based cybersecurity guidelines both created and accepted by industry, government, academia, and business. Notably, one of the largest areas of CIS Benchmark technology coverage is operating systems.

In addition to utilizing CIS Benchmarks for OS security, organizations can turn to CIS Hardened Images for security in the cloud. These pre-configured virtual machine (VM) images bring CIS Benchmark configurations to the public cloud. Every CIS Hardened Image includes a CIS-CAT Pro assessment report to quickly provide evidence of compliance. Also, CIS patches these VMs regularly for vulnerabilities. CIS Hardened Images are available on the Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Marketplaces.

OS Security and DISA STIG Compliance from CIS

While complying with regulatory frameworks like PCI DSS, HIPAA, DoD Cloud Computing SRG, and DISA STIGs can be challenging, the governing institutions associated with them recognize CIS Benchmarks as an acceptable standard to help meet compliance. And CIS Hardened Images already apply these standards to VM images, saving both time and resources.

More specifically, guidance from the DoD Cloud Computing SRG indicates CIS Benchmarks are an acceptable alternative in place of STIGs. The DoD Cloud Computing SRG, version 1, Release 3 states:

“Impact Level 2: While the use of STIGs and SRGs by CSPs is preferable, industry-standard baselines such as those provided by the Center for Internet Security (CIS) Benchmarks are an acceptable alternative to the STIGs and SRGs.”

Although the DoD references CIS Benchmarks specifically, many organizations still must utilize STIGs for DoD IA and IA-enabled devices/systems. That’s why CIS offers CIS Benchmarks mapped directly to STIG standards for OS security. Furthermore, CIS builds CIS Hardened Images to CIS STIG Benchmark standards. Thus, these virtual machine images also provide OS security to help meet STIG compliance in the public cloud.

What’s New: CIS STIG Compliance Resource Updates

If you’re familiar with CIS STIG resources, you’ll now find structural updates to the profiles. Previously, the CIS STIG Benchmarks included a Level 3 profile to address recommendations needed to meet STIG compliance that were not covered in Levels 1 and 2. Now, a new STIG profile replaces the Level 3 profile. This new STIG profile allows users to easily identify all recommendations specific to the STIG. Recommendations that overlap with other profiles, i.e., Level 1, Level 2, and Next Generation, will appear in the STIG profile as well. If a recommendation in the STIG profile contradicts the CIS Benchmark recommendation, that will be indicated in the description of the recommendation.

To make STIG compliance even simpler, here’s the breakdown of information you’ll find in the CIS STIG Benchmark ‘additional information’ section:
Name, version and date of STIG release
Vulnerability ID
Rule ID
STIG ID
Severity
What’s Coming for STIG Compliance from CIS

Currently, CIS offers four CIS STIG Benchmarks as well as four CIS STIG Hardened Images across the AWS, Azure, GCP, and Oracle Cloud Marketplaces. The following CIS STIG Benchmarks are available for enhanced OS security: Amazon Linux 2, Microsoft Windows Server 2016, Microsoft Windows Server 2019, and Red Hat Enterprise Linux 7. CIS is also excited to announce three additional CIS Benchmarks coming soon to help with STIG compliance: Apple macOS 11, Ubuntu Linux 20.04, and Red Hat Enterprise Linux 8.

Lastly, CIS STIG Hardened Images provide enhanced OS security in the public cloud. Access the pre-configured VMs for STIG compliance:

CIS is proud to provide users multiple resources to help with OS security and meet STIG compliance.

Copyright © 2021 IDG Communications, Inc.


