The CIS Benchmarks community consensus process
The Center for Internet Security (CIS) recently celebrated 20 years of bringing confidence to the connected world with consensus-based security guidance. The first CIS Benchmark was released in 2000. Today, there are more than 100 CIS Benchmarks configuration guidelines across 25+ product vendor families. Without community participation, we would not have CIS Benchmarks, as the community is at the heart of what drives development and consensus across industries and technologies.
What is a CIS Benchmark?
A CIS Benchmark is a prescriptive, consensus-developed configuration guideline for hardening a specific technology. CIS Benchmarks cover operating systems, servers, cloud platforms, mobile devices, desktop software, and network devices. The PDF versions are available to download at no cost from the CIS website, and additional file formats (XCCDF, Word, Excel, etc.) are available to CIS SecureSuite Members.
CIS Benchmarks are unique:
- Developed through a community consensus process
- Provide vendor-neutral, technology-specific recommendations
- Provide the concrete steps needed to configure a system securely
- Recognized as an industry standard and referenced by frameworks such as PCI DSS and FISMA as an accepted way to demonstrate compliance with their configuration requirements
- Map to the CIS Controls
The CIS Benchmarks don’t just tell you what to configure; they provide extensive detail on each setting, including a description, rationale, audit procedure, remediation steps, impact statement, and mapping to the CIS Controls. All of this is in a human-readable format, so you can understand each setting, verify whether a system meets it, and judge what it will break before you apply it.
A number of factors have made the CIS Benchmarks trusted guidelines across many industries, but the way they are developed matters just as much. The CIS Benchmarks are created through a unique community consensus process on CIS WorkBench, our development platform.
Guidance driven by community consensus
The CIS Benchmarks Communities on CIS WorkBench are open to anyone who wants to contribute to the development of Benchmark best practices. The communities are made up of subject-matter experts, vendors, technical writers, and CIS SecureSuite Members from around the world. Together with CIS, these volunteers develop, review, and maintain the CIS Benchmarks. Each community brings real-world experience and expertise to the process, which ensures the Benchmarks address the most prevalent security concerns for each technology.
CIS team members and volunteer subject-matter experts (SMEs) create the initial content, which is the foundation for the continued development and publication of the CIS Benchmark. Technical writers, testers, and contributors all play a role in the process, reviewing recommendations and settling on the best solutions through discussion. Vendors are also welcome to participate.
Why get involved
Volunteers have the opportunity to be part of a large network of professionals and help shape security. Those who make significant contributions are recognized in the final published CIS Benchmark document.
The CIS Benchmark development process
CIS depends on its community and partners to help develop and maintain the CIS Benchmarks. On CIS WorkBench, tickets and discussion threads are opened for each proposed recommendation and working draft, and the dialogue continues there until consensus is reached.
The typical development process:
1. The initial development phase defines the scope of the Benchmark, and subject-matter experts begin discussing, writing, and testing working drafts.
2. After the initial draft is completed, we announce its availability and invite people to join the community to review, test, and provide feedback. This is the consensus process.
3. All of the feedback that’s received is reviewed by the CIS lead for the community along with the subject-matter experts. They discuss and adjust the Benchmark as necessary. This ensures the recommendations are complete and represent comprehensive guidance.
4. Once all feedback has been reviewed and addressed, CIS makes a final call for participation in the community. The final review period lasts an average of two weeks, allowing for a final review of the Benchmark before publishing.
5. Any final feedback is addressed.
6. Once consensus has been reached in the CIS Benchmark community, the final CIS Benchmark is published and made publicly available online.