CIS Benchmark Profile Levels

Nick Gibbon
Pareture

--

CIS Benchmark Level 1, Level 2 and STIG(?!) Profiles

What are the Level 1, Level 2, and STIG Profiles within a CIS Benchmark?

Most CIS Benchmarks include multiple configuration profiles. A profile definition describes the configurations assigned to benchmark recommendations.

The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed to not have an extensive performance impact. The intent of the Level 1 profile benchmark is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

The Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific. Overlapping recommendations from the other profiles, i.e. Level 1 and Level 2, are present in the STIG profile as applicable.

Every recommendation within each CIS Benchmark is associated with at least one profile. Regardless of which level profile you plan to implement in your environment, we recommend applying CIS Benchmark guidance in a test environment first to determine potential impact.

My Takes

Level 1 vs Level 2

The distinction is not always crystal clear in any one case, but it generally holds. Items are judged Level 2 where the implementation will come with significant drawbacks whilst being more secure. For example:

Kubernetes EKS Benchmark v1.0.1 — Section 5.4.2 — Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled — Profile Level 2.

When working with Cloud Provider APIs the default position is authenticated and encrypted traffic over the public internet. This item means that you can only reach the EKS cluster's API endpoint from an internal network. This is a lot more secure, but it also involves investment in secure network infrastructure to enable it — hence the Level 2 assignment.
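As an added example (not part of the original post), a small Python check that classifies an EKS `describe-cluster` payload against this recommendation. The field names `resourcesVpcConfig.endpointPrivateAccess`, `endpointPublicAccess` and `publicAccessCidrs` are those of the EKS DescribeCluster API; the sample cluster payloads are constructed.

```python
"""Check EKS cluster descriptions against CIS EKS Benchmark v1.0.1 5.4.2:
private endpoint enabled AND public access disabled."""
from dataclasses import dataclass


@dataclass
class Finding:
    cluster: str
    passed: bool
    reason: str


def evaluate_endpoint_access(cluster: dict) -> Finding:
    """Classify one `cluster` object (as returned by DescribeCluster).

    Missing keys are treated as the EKS defaults (public on, private off)
    and therefore counted as a failure rather than silently skipped."""
    name = cluster.get("name", "<unnamed>")
    vpc = cluster.get("resourcesVpcConfig", {})
    private_on = bool(vpc.get("endpointPrivateAccess", False))
    public_on = bool(vpc.get("endpointPublicAccess", True))
    cidrs = vpc.get("publicAccessCidrs", [])
    if private_on and not public_on:
        return Finding(name, True, "private endpoint enabled, public access disabled")
    problems = []
    if not private_on:
        problems.append("private endpoint disabled")
    if public_on:
        if cidrs and cidrs != ["0.0.0.0/0"]:
            # A CIDR-restricted public endpoint is better than wide open,
            # but 5.4.2 requires public access to be off entirely.
            problems.append(f"public endpoint enabled (restricted to {', '.join(cidrs)}; still fails 5.4.2)")
        else:
            problems.append("public endpoint open to 0.0.0.0/0")
    return Finding(name, False, "; ".join(problems))


def evaluate_all(clusters: list) -> list:
    return [evaluate_endpoint_access(c) for c in clusters]


# Constructed sample payloads shaped like `aws eks describe-cluster --query cluster`.
SAMPLE_CLUSTERS = [
    {"name": "prod-private", "resourcesVpcConfig": {"endpointPrivateAccess": True, "endpointPublicAccess": False, "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "dev-default", "resourcesVpcConfig": {"endpointPrivateAccess": False, "endpointPublicAccess": True, "publicAccessCidrs": ["0.0.0.0/0"]}},
    {"name": "staging-restricted", "resourcesVpcConfig": {"endpointPrivateAccess": True, "endpointPublicAccess": True, "publicAccessCidrs": ["203.0.113.0/24"]}},
]

if __name__ == "__main__":
    for f in evaluate_all(SAMPLE_CLUSTERS):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.cluster}: {f.reason}")
```

Feed it the output of `aws eks describe-cluster --name <cluster> --query cluster` for real clusters; it is a read-only check and changes nothing.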

STIG

Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs) are requirements defined by the US Department of Defense.

This profile exists specifically to enable mapping benchmark recommendations to STIG requirements.

--

Nick Gibbon
Pareture

Software reliability engineer & manager in cloud infrastructure, platforms & tools.