The CIS Benchmarks community consensus process

The Center for Internet Security (CIS) recently celebrated 20 years of building trust in the connected world through consensus-based security guidance. The first CIS Benchmark was released in 2000. Today, there are over 100 CIS Benchmarks configuration guidelines across more than 25 vendor product families. Without the participation of the community, we would not have CIS Benchmarks: the community is what drives development and consensus across industries and technologies.

What is a CIS Benchmark?

CIS Benchmarks cover operating systems, servers, cloud, mobile devices, office software, and network devices. PDF versions can be downloaded for free from the CIS website, and additional file formats (XCCDF, Word, Excel, etc.) are available to CIS SecureSuite members.

What makes CIS Benchmarks unique:

  • Developed through a community consensus process
  • Provide vendor-independent, technology-specific recommendations
  • Provide the necessary steps to configure a system
  • Recognized as an industry standard and referenced specifically by PCI DSS, FISMA and more, as a means of complying with these standards
  • Map to the CIS Controls

CIS Benchmarks don’t just tell you what to configure; they provide detail on each setting, including its description, rationale, audit procedure, impact, and mapping to the CIS Controls. All of this is in a human-readable format, so that you can fully understand each setting and why it’s important.

While a number of factors have made CIS Benchmarks trusted guidelines across a variety of industries, how they are developed matters just as much. CIS Benchmarks are created through a unique community consensus process on CIS WorkBench, our development platform.

Guidance driven by community consensus

The CIS Benchmarks communities on CIS WorkBench are open to anyone wishing to contribute to the development of Benchmark best practices. Communities are made up of subject matter experts, vendors, technical writers, and CIS SecureSuite members from around the world. In collaboration with CIS, these volunteers develop, review and maintain the CIS Benchmarks. Each community brings real-world experience and expertise to the process to ensure that we address the most prevalent security concerns for various technologies.

CIS team members and volunteer Subject Matter Experts (SMEs) are essential to creating the initial content, which forms the basis for the continued development and publication of the CIS Benchmark. Technical writers, testers, and contributors all play a role in the process, reviewing recommendations and determining the best solutions through discussion. Vendors are also invited to participate.

Why get involved

Volunteers have the opportunity to be part of a large network of professionals and help shape security. Those who make significant contributions are recognized in the final published CIS Benchmark.

The CIS Benchmark development process

CIS depends on our community and our partners to help develop and maintain the CIS Benchmarks. On CIS WorkBench, tickets and discussion threads are opened to continue the dialogue until consensus is reached on proposed recommendations and drafts.

The typical development process:

1. The initial development phase defines the scope of the Benchmark, and subject matter experts begin discussing, creating and testing the drafts.

2. Once the initial draft is complete, we announce the availability of the draft and invite people to join the community to review, test, and provide feedback. This is the consensus process.

3. All comments received are reviewed by the CIS community manager and subject matter experts. They discuss and adjust the Benchmark if necessary. This ensures that the recommendations are thorough and represent complete guidance.

4. Once all comments have been reviewed and addressed, CIS issues a final call for participation in the community. The final review period lasts on average two weeks, which allows for a last review of the Benchmark before its publication.

5. All final comments are taken into account.

6. Once consensus is reached within the CIS Benchmark community, the final CIS Benchmark is published and made public online.

Sam D. Gomez