The Center for Internet Security (CIS) benchmarks are a method of specifying a secure baseline configuration for assets. This includes assets of all kinds: servers, workstations, network devices, firewalls, phone systems, etc. Organizations that utilize the CIS benchmarks to configure their systems and thereby protect against cyberattacks are considered to be "CIS Compliant". This enables organizations to avoid "reinventing the wheel" with every asset, and instead follow baseline configurations developed across the industry.

 CIS also publishes a set of "CIS Controls" which are prescriptive guidelines for configuring devices and applications according to a set of best practices. These best practices cover: devices (e.g., workstations), applications (e.g., database software), data (e.g., protected health information), network (e.g, routers and firewalls), and users (i.e., corporate access policies). The controls are divided into three implementation groups, IG1, IG2 and IG3, indicating a higher and higher level of security. CIS controls map to commonly used regulatory and industry compliance requirements such as HIPAA, PCI-DSS, etc. In most cases, complying with HIPAA will automatically comply with a large subset of the CIS controls.

 CIS Benchmarks

 The CIS benchmarks require two things:

1. a set of configuration templates that contain recommended "correct" configurations and cover all the IT devices at the customer site
   
2. a way of auditing and checking the actual device configurations against the templates to ensure that all devices are configured according to the requirements
   

 CIS benchmarks actually fall under NIST SP 800-70 checklists. NIST SP 800-70 provides guidelines for developing a security configuration checklist (also known as a 'hardening guide') - basically, a set of instructions or procedures for configuring some IT product for a specific customer. The checklists may also be used to verify that the product was configured correctly. Checklists can either be written procedures, or automated scripts, or even XML templates specifying configurations.

 In some cases, vendors or third-party entities may construct a checklist for a particular device (e.g., a firewall) that covers the setup of the firewall for a specific task (e.g., complying with HIPAA requirements). The checklist may then be uploaded to NIST or CIS for use by others that have the same requirements and wish to configure the same firewall.

 Note that CIS benchmarks are intended to help organizations configure their assets. They do not mandate or prescribe specific functions or devices that an organization must procure. Organizations are expected to work with service providers and vendors to select the proper functions and features (or select an appropriate NIST SP 800-70 checklist pertaining to their device) that are covered by the configuration.

 CIS Compliance Levels

 The CIS benchmarks are classified into three profiles, of ascending order of security:

 Level 1

 Level 2:

 STIG (formerly Level 3):

 Note that CIS compliance is ranked using a scoring system that indicates how well the organization adheres to the CIS benchmarks when configuring its systems. The scores increase as more devices are configured using the checklists associated with the benchmarks, and also increase as more of the checklist is followed for each device. The highest score is reached when 100% of the devices are configured with 100% checklist compliance.

 Also, CIS recommendations (checklist items) have a mandatory ("scored") or non-mandatory ("unscored") attribute. Unscored items do not count against the compliance level. Scored items, however, must be complied with.

 Uplevel Devices and CIS Compliance

 In a number of ways, the Uplevel Systems product directly complies with the Level 1 CIS benchmark without additional configuration requirements. This is because the Uplevel Systems products ship "out of the box" with a default security configuration that provides the "attack surface" reduction aimed at by CIS Level 1. For example:

1. The internal stateful firewall is always on, and always presents a minimum attack surface on the public Internet
   
2. Wi-Fi access always mandates a strong (8+ character) password
   
3. Guest access is always isolated and firewalled off from the remainder of the system
   
4. VLAN configurations for traffic isolation are always propagated to all network devices consistently
   

 Compliance with CIS Level 1 is therefore possible by simply not overriding the factory-shipped defaults. This ensures a consistent configuration setup across customer sites and systems.

 Compliance with Level 2 CIS benchmarks requires additional configuration and is hence associated with the NIST 800-70 checklists. The higher security profile that is the goal of CIS Level 2 can be achieved by documenting a standard configuration checklist, for example:

1. Turning on Threat Analysis (IDS/IPS) and Content Filtering
   
2. Configuring both to cover all VLANs used by business operations
   
3. Using VLANs to separate devices and employees by business functions (for example, adhering to PCI-DSS by placing all payment devices on a separate VLAN/SSID)
   
4. Enabling Active Directory and configuring appropriate policies and accounts (for example, adhering to HIPAA by setting password, screen locking and removable media controls)
   

 Since all of the configuration of the Uplevel products is accomplished via a "single pane of glass" dashboard, complying to CIS Level 2 is relatively simple. A checklist can be created to cover the specific customer organizational needs, identifying the features and functions on the dashboard that need to be enabled and configured. Once that is done, adherence to the checklist is very straightforward.