The Payment Card Industry Data Security Standard (PCI DSS) comprises 12 Requirements to guide organizations processing cardholder data when securing their systems.
PCI DSS Requirement 2 (Do not use vendor-supplied defaults for system passwords and other security parameters) points to the Center for Internet Security Benchmarks in sub-requirement 2.2 for configuration standards;
In addition, PCI DSS enumerates other requirements for which the CIS Benchmark configuration recommendations are useful for achieving PCI DSS compliance, including:
1.1 Firewall and router configurations
6.1 Patch deployment
7.1 Access control
6.4 Change control
plus numerous other specific requirements.
The PCI DSS document can be found at:
The NIST National Checklist Program Repository contains the CIS Benchmarks as official configuration guidance for use by federal agencies and other entities who are subject to FISMA compliance requirements.
See http://web.nvd.nist.gov/view/ncp/repository for further information.
The Center for Internet Security Configuration Assessment Tool (CIS-CAT) is a validated product for the NIST Security Content Automation Protocol (SCAP) in the following categories:
Authenticated Configuration Scanner
As a NIST validated tool, it may be used for auditing systems subject to FISMA requirements for compliance with CIS Benchmark configuration recommendations.
See http://nvd.nist.gov/scapproducts.cfm for further information
The CIS Benchmark configuration recommendations are widely used to attain compliance with a number of recognized security standards, including:
Graham, Leech, Bliley
Sarbanes-Oxley for all sectors
The above named standards/codes of practice deal with the protection of information in a horizontally comprehensive manner, touching on many facets of information security such as asset classification, access authentication methods and privileges, event logging, segregation of duties, encryption, and others.
Within these standards, the components of information security are typically expressed in a technology brand-agnostic way, and at a level of generality that requires further elaboration of detail prior to operational implementation. It is the brand-specific, operationally detailed and actionable content in the CIS Benchmarks that renders them so useful for implementation of the various security standards and codes of practice noted above.