CIS Benchmarks for Servers

CIS Benchmarks are consensus-developed configuration guidelines published by the Center for Internet Security (CIS) that define measurable hardening standards for operating systems, server software, cloud platforms, and network devices. This page describes the structure of the benchmark program, how benchmark profiles are applied to server environments, the principal compliance and regulatory contexts in which the benchmarks appear, and the criteria that determine when one benchmark level or profile is appropriate versus another. The benchmarks are widely referenced in federal procurement, healthcare, financial services, and critical infrastructure sectors.


Definition and scope

The Center for Internet Security publishes CIS Benchmarks as freely downloadable PDF documents, each covering a specific technology platform — for example, CIS Benchmark for Red Hat Enterprise Linux 9, CIS Benchmark for Microsoft Windows Server 2022, or CIS Benchmark for Apache HTTP Server. Each benchmark contains a numbered list of configuration recommendations, and each recommendation is classified by one or two profile levels.

Profile Level 1 covers foundational controls that are expected to have minimal impact on system performance or functionality. Applying Level 1 recommendations is broadly feasible for production environments without specialized approval.

Profile Level 2 adds defense-in-depth controls intended for high-sensitivity or highly regulated environments. Level 2 settings may disable features that certain applications depend on, making them unsuitable for universal deployment without workload-by-workload review.

In addition to scored and unscored categories within each profile, the benchmark program segments into several platform families relevant to server operators:

  1. Operating system benchmarks — covering Linux distributions (CentOS, RHEL, Ubuntu, Debian, SUSE) and Windows Server versions (2016, 2019, 2022)
  2. Web server benchmarks — covering Apache, Nginx, and IIS
  3. Database benchmarks — covering PostgreSQL, MySQL, Microsoft SQL Server, Oracle Database
  4. Cloud provider benchmarks — covering AWS, Azure, and Google Cloud at the configuration layer
  5. Container runtime benchmarks — covering Docker and Kubernetes

The CIS Benchmark program operates under a community consensus process. Subject-matter contributors, CIS staff, and technology vendors review draft recommendations before publication. This distinguishes benchmarks from vendor default documentation and from government mandates, though federal agencies and commercial compliance frameworks frequently reference them by name. The National Institute of Standards and Technology (NIST) SP 800-70, National Checklist Program for IT Products, formally recognizes CIS Benchmarks as a source of National Checklist Program (NCP) content.


How it works

Applying a CIS Benchmark to a server follows a defined remediation and assessment cycle. The process below reflects the structure described in benchmark documents themselves and in NIST SP 800-70:

  1. Platform identification — The applicable benchmark is matched to the specific OS version, patch level, and server role. A CIS Benchmark for Ubuntu 22.04 LTS, for example, does not apply to Ubuntu 20.04 installations without a separate document.
  2. Audit phase — The current configuration is measured against each numbered recommendation. CIS publishes companion automation support through CIS-CAT Pro, an assessment tool that generates scored HTML and CSV reports showing pass/fail status per control. Open-source alternatives such as OpenSCAP support benchmark-derived XCCDF content for Linux platforms.
  3. Gap analysis — Recommendations that fail the audit are prioritized by profile level and by the server's sensitivity classification. Level 1 gaps on internet-facing servers typically carry higher immediate priority than Level 2 gaps on isolated internal hosts.
  4. Remediation — Configuration changes are applied, scripts are modified, services are disabled, or policies are deployed. For Windows Server environments, Group Policy Objects (GPOs) are a standard remediation vehicle. For Linux, shell scripts or configuration management tools such as Ansible or Puppet translate benchmark requirements into enforced state.
  5. Validation — A second automated scan confirms that remediated controls now pass. Any exceptions — configurations that cannot be remediated due to application dependency — are formally documented and risk-accepted.
  6. Continuous monitoring — Benchmark compliance is not a one-time event. OS patches, application upgrades, or infrastructure changes can reset previously compliant settings. Integrating benchmark checks with server vulnerability scanning and with security auditing and compliance pipelines maintains ongoing posture visibility.
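As an added example (not CIS-CAT, OpenSCAP or any CIS-published content), the Python below walks a constructed sshd_config through the audit and gap-analysis steps above: it resolves the effective configuration the way sshd does, evaluates hypothetical Level 1 and Level 2 recommendations against it, and orders the failing controls across a constructed fleet by profile level and internet exposure. The recommendation numbers and thresholds are illustrative and not taken from any benchmark version.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample, not a real host; the duplicate PermitRootLogin shows that sshd honours the first line.
SAMPLE_SSHD_CONFIG = """\
PermitRootLogin yes
permitrootlogin no
MaxAuthTries 4      # inline comment
X11Forwarding=yes
ClientAliveInterval 0
"""

@dataclass(frozen=True)
class Recommendation:
    ident: str      # hypothetical benchmark-style numbering
    keyword: str    # sshd_config keyword, compared case-insensitively
    check: Callable[[Optional[str]], bool]  # True when the effective value complies
    level: int      # CIS profile level 1 or 2

# Hypothetical recommendation set; numbers and thresholds are illustrative.
RECOMMENDATIONS = [
    Recommendation("5.2.1", "PermitRootLogin", lambda v: v == "no", 1),
    Recommendation("5.2.2", "MaxAuthTries", lambda v: v is not None and v.isdigit() and int(v) <= 4, 1),
    Recommendation("5.2.3", "X11Forwarding", lambda v: v in (None, "no"), 2),  # sshd default is no
    Recommendation("5.2.4", "ClientAliveInterval", lambda v: v is not None and v.isdigit() and 0 < int(v) <= 900, 1),
]

def parse_sshd_config(text: str) -> dict:
    # Effective keyword -> value map: keywords are case-insensitive, "Key value" and
    # "Key=value" are both accepted, and the first occurrence wins, as in sshd itself.
    effective = {}
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) == 2:
            effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective

def audit(config_text: str, recs=RECOMMENDATIONS) -> list:
    # Audit phase: one (ident, level, passed) tuple per recommendation.
    effective = parse_sshd_config(config_text)
    return [(r.ident, r.level, r.check(effective.get(r.keyword.lower()))) for r in recs]

def prioritized_gaps(fleet: dict) -> list:
    # Gap analysis: fleet maps hostname -> (internet_facing, audit results). Failing
    # controls are ordered Level 1 before Level 2, and within a level internet-facing
    # hosts before isolated ones.
    gaps = [(level, 0 if exposed else 1, host, ident)
            for host, (exposed, results) in fleet.items()
            for ident, level, passed in results if not passed]
    return [(host, ident) for _, _, host, ident in sorted(gaps)]
```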

CIS also publishes CIS Controls, a separate but complementary framework of 18 control categories. CIS Controls v8, published in 2021, maps directly to CIS Benchmarks such that a benchmark recommendation can be traced to the CIS Control and sub-control it satisfies. This mapping is used during compliance reporting to demonstrate coverage across multiple frameworks from a single set of configuration actions.


Common scenarios

Federal agency and FedRAMP environments — The Federal Risk and Authorization Management Program (FedRAMP) requires cloud service providers to demonstrate configuration compliance against baselines. CIS Benchmarks are accepted as an equivalent hardening standard alongside DISA STIGs (Security Technical Implementation Guides) for systems not subject to DoD policy. CIS Level 2 profiles are frequently applied in Moderate and High impact authorizations.

Healthcare organizations under HIPAA — The Department of Health and Human Services Office for Civil Rights identifies configuration management as a component of the Security Rule (45 CFR Part 164). CIS Benchmarks are used as an operational implementation of the "addressable" technical safeguard requirement for workstation and server configuration. See also server security for healthcare organizations for the broader regulatory landscape.

Financial institutions under FFIEC and PCI DSS — The Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook references configuration standards as a baseline control expectation. PCI DSS Requirement 2.2 (PCI DSS v4.0) requires that system components be configured using industry-accepted hardening standards, with CIS Benchmarks cited as a recognized source. Financial institutions frequently specify the applicable CIS Benchmark version in their system security plans.

Linux server hardening programs — The CIS Benchmarks for Linux distributions map directly to the categories covered by Linux server security best practices, including filesystem partitioning, PAM configuration, auditd rules, network stack hardening, and cron restrictions. The scored recommendation count per benchmark varies by distribution; the CIS Benchmark for Ubuntu 22.04 contains over 250 individual recommendations across Level 1 and Level 2.

Windows Server environments — The CIS Benchmark for Windows Server 2022 covers account policies, local policies, Windows Defender configuration, Windows Firewall settings, and audit policy. These align with Windows server security best practices and are deployable via Group Policy baseline templates that CIS publishes alongside the benchmark PDFs.


Decision boundaries

Selecting the appropriate benchmark profile and handling exceptions requires structured judgment criteria:

Level 1 vs. Level 2 selection — Level 1 is the default for general-purpose production servers. Level 2 is appropriate for servers handling classified data, regulated personal health information, cardholder data, or servers with direct internet exposure. The deciding factor is impact level classification under the applicable regulatory framework, not the technical difficulty of remediation.

CIS Benchmarks vs. DISA STIGs — Organizations operating under Department of Defense contracts or within the Defense Industrial Base are typically required to use DISA STIGs rather than CIS Benchmarks. The two systems share significant overlap — the DISA STIG for RHEL 9 and the CIS Benchmark for RHEL 9 address many identical controls — but STIG content is authoritative for DoD Assessment and Authorization under RMF (NIST SP 800-37). CIS Benchmarks remain the standard of choice for commercial and non-DoD federal environments.

Scored vs. unscored recommendations — Scored recommendations count toward the automated CIS-CAT benchmark score. Unscored recommendations represent best-practice guidance where pass/fail determination depends on organizational policy rather than a fixed configuration value. Unscored items are not reflected in automated scan percentages but should be reviewed manually during security audits.

Exception and compensating control handling — When a benchmark recommendation conflicts with a production application dependency, the exception must be documented with a named owner, a risk acceptance rationale, and an identified compensating control. Blanket exceptions applied across an entire server fleet without workload-specific justification are not consistent with NIST SP 800-53 (Rev. 5, §CA-7) continuous monitoring expectations.
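An added example, not CIS tooling, that works through the scored vs. unscored scoring rule above and the exception criteria in this paragraph: the score counts scored items only and hands unscored ones to manual review, each exception is checked for a named owner, rationale, compensating control and workload scope, and a blanket fleet-wide entry is rejected so it cannot hide a gap. Recommendation numbers, host names and the exception register are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Result:
    ident: str     # hypothetical benchmark-style recommendation number
    scored: bool   # only scored items count toward the automated score
    passed: bool   # for unscored items this is the manual, policy-based determination

@dataclass(frozen=True)
class Waiver:
    ident: str
    hosts: frozenset           # workloads the exception is scoped to
    owner: str = ""
    rationale: str = ""
    compensating_control: str = ""

def benchmark_score(results):
    # Scored recommendations only, as in the CIS-CAT percentage; unscored items
    # are returned separately for manual review rather than counted.
    scored = [r for r in results if r.scored]
    manual = [r.ident for r in results if not r.scored]
    pct = 100.0 * sum(r.passed for r in scored) / len(scored) if scored else 0.0
    return round(pct, 1), manual

def waiver_problems(w, fleet):
    # An exception needs a named owner, a rationale and a compensating control, and
    # must be scoped to specific workloads: covering the whole fleet is a blanket exception.
    problems = [f"{w.ident}: missing {name}" for name in ("owner", "rationale", "compensating_control")
                if not getattr(w, name).strip()]
    if not w.hosts or w.hosts >= fleet:
        problems.append(f"{w.ident}: blanket exception, not scoped to a workload")
    return problems

def remaining_gaps(host, results, waivers, fleet):
    # Validation view for one host: waived items are set aside and tracked, never counted as passes.
    waived = {w.ident for w in waivers if host in w.hosts and not waiver_problems(w, fleet)}
    open_gaps = [r.ident for r in results if not r.passed and r.ident not in waived]
    accepted = [r.ident for r in results if not r.passed and r.ident in waived]
    return open_gaps, accepted

FLEET = frozenset({"web-edge", "app-01", "db-internal"})   # constructed fleet
RESULTS = [Result("5.2.1", True, False), Result("5.2.2", True, True),    # constructed scan output
           Result("5.2.3", True, False), Result("6.1.9", False, False)]
WAIVERS = [   # constructed exception register: one valid entry, one blanket and incomplete entry
    Waiver("5.2.3", frozenset({"app-01"}), "platform-team",
           "legacy X11 admin tool", "sshd reachable only from the bastion host"),
    Waiver("5.2.1", FLEET, "ops", "convenience"),
]
```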

Benchmark versioning — CIS Benchmarks are versioned documents. A server assessed against CIS Benchmark for Windows Server 2019 v2.0.0 is not necessarily compliant with v3.0.0 of the same benchmark. Organizations must track which benchmark version was used for each assessment and re-evaluate when new versions are published. Benchmark version currency is a standard finding in third-party server security auditing and compliance engagements.

