The Center for Internet Security (CIS) announced the release of an enhanced version of its CIS Configuration Assessment Tool, known as CIS-CAT.
CIS-CAT 3.0 will provide CIS Security Benchmarks members with increased capabilities, including the ability to perform software vulnerability assessments as well as leverage a broader array of standards-based, automatable security information (content) for assessing the security configuration of IT systems and applications.
The new tool is one of only a small number of security assessment products to have obtained Security Content Automation Protocol (SCAP) 1.2 validation from the National Institute of Standards and Technology (NIST).
CIS-CAT 3.0 was awarded SCAP 1.2 validation as an Authenticated Configuration Scanner (ACS) with the Common Vulnerabilities and Exposures (CVE) Option. NIST validated CIS-CAT 3.0’s ACS and CVE Option capabilities across all Microsoft Windows and Red Hat Enterprise Linux profiles available under the SCAP 1.2 Validation Program. The new release also provides other added functionality and features, including direct evidence-based reporting for a variety of technologies assessed for policy compliance and unified reporting for security configuration and software vulnerability assessments.
SCAP 1.2 validation requires a rigorous development, testing and evaluation process to determine whether CIS-CAT 3.0 meets the complex requirements. SCAP defines the process for using several security automation specifications together to enable automated vulnerability management, measurement and policy compliance evaluations. SCAP 1.2 validation certifies that CIS-CAT 3.0 can successfully leverage a wide range of automatable content, which is cited as a best practice in many sources, including the recently released NIST Cyber Security Framework.
Standards-based security automation allows for improved and consistent sharing of security information across various tools and reports. It also provides greater consistency in how IT systems and applications are assessed and how the results are reported. CIS-CAT 3.0’s SCAP 1.2 validation and CIS’ continued and rapidly increasing production of its security configuration Benchmarks as SCAP 1.2-based automatable content are evidence of its dedication to the adoption and use of open, interoperable standards for security automation.
“CIS is committed to open standards for security automation, as it promotes interoperability, giving organizations more choice and flexibility regarding security assessment products,” said William F. Pelgrin, CIS president and CEO. “Our team worked incredibly hard and we are pleased to release CIS-CAT 3.0, which provides our Benchmarks members with a fundamentally new security assessment tool to support their cyber security readiness and response efforts.”
CIS-CAT 3.0 can now evaluate target IT assets utilizing repositories of SCAP 1.2 content from a number of sources, including NIST’s United States Government Configuration Baseline (USGCB), the Defense Information Systems Agency’s Security Technical Implementation Guides (DISA STIGs), and CIS’ expanding collection of CIS Security Benchmarks in SCAP format. CIS-CAT 3.0’s validation for the CVE Option also enables the tool to perform software vulnerability assessments according to the thousands of documented vulnerabilities maintained in MITRE’s CVE List.