CIS Data-Driven Report for CIS Policies
To evaluate your CIS policies precisely against the CIS benchmarks, the controls are now chained logically in the context of CIS references.
You can generate a dedicated policy compliance report that organizes compliance data according to the CIS references. This report offers insight into control chaining conditions for CIS references and presents the compliance data in diverse ways, providing you with a comprehensive view of your CIS compliance.
This feature offers you a structured framework for assessing your adherence to the CIS benchmarks. Also, it ensures that all relevant controls are considered and assessed logically.
Notes:
- This enhancement is exclusive to PC subscriptions and not available for SCA subscriptions.
- Only CSV report format is supported.
- The following controls are skipped from the report:
  - Controls that are chained logically in the context of CIS references but are not part of the policy that is being evaluated
  - Inactive controls
Benefits
Here are some benefits offered by this enhancement:
- Systematic Approach: Control chaining allows you to evaluate compliance with CIS benchmarks and controls in a structured and systematic manner.
- Consistency and Standardization: Chaining policy compliance controls based on CIS references ensures consistency in evaluating compliance across the organization.
- Dependency Handling: Control chaining considers dependencies or relationships between controls. This ensures a more accurate assessment of compliance.
- Simplified Compliance Reporting: A dedicated report template for CIS compliance makes it easier to review the adherence to CIS benchmarks and controls.
- Improved Remediation: The dedicated CIS compliance report facilitates remediation efforts by identifying areas of non-compliance more precisely.
- Enhanced Security Posture: Because the security controls are now evaluated systematically, critical aspects of compliance are less likely to be overlooked. This, in turn, helps you improve the overall security posture.
Prerequisites
- To enable this feature for your subscription, contact your Technical Account Manager or Qualys Support.
- The Qualys Cloud Platform version 10.30.0.0 or later.
- PCRS enabled subscription along with the PCRS version PCRS-1.16.0 or later.
- Import a CIS benchmark policy for which control chaining is implemented and run a compliance scan using it. To see the policies for which control chaining is implemented, refer to the online help.
Generate CIS Compliance Report
Note: Currently, you cannot edit the report layout.
- Navigate to Reports > Templates, and click New > Policy Template.
- In the Layout section, under Report Layout, select Control Chaining as the Group by option.
- Specify other details and save the template. To learn more about configuring a policy report template, refer to Configure Policy Report Templates.
- Generate a compliance report in CSV format using the saved template.
The compliance report is generated in the context of the CIS benchmark. Note that only CSV format is supported for this report. If you select a different format, the report generation fails with an error message.
Important:
- While generating a report, select a valid CIS benchmark policy for which the controls are chained and mapped with CIS references.
- This report does not work for instance-based technologies.
CIS Compliance Report Structure
The CIS compliance report is structured in a systematic way to show you the details such as the overall CIS compliance score, the compliance score for every CIS reference, the controls mapped to CIS references, control chaining condition for each reference, control status, and hosts mapped to CIS references.
The following is the typical representation of the CIS compliance report:
CIS Policies with Control Mapping Implemented
The Qualys Policy Compliance team is progressively implementing control chaining and mapping the controls with the CIS references. As of now, this mapping is implemented for the following policies:
- CIS Benchmark for Docker, v1.6.0
- CIS Benchmark for Microsoft Windows 11 Stand-alone, v3.0.0
- CIS Benchmark for Microsoft Windows 10 EMS Gateway, v3.0.0
- CIS Benchmark for Microsoft Windows Server 2019, v2.0.0
- CIS Benchmark for CentOS Linux 8, v2.0.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 2004), v1.9.1
- CIS Benchmark for Ubuntu Linux 18.04 LTS, v2.1.0
- CIS Benchmark for Ubuntu Linux 22.04 LTS, v1.0.0
- CIS Ubuntu Linux 20.04 LTS STIG, v1.0.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1607), v1.2.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1703), v1.3.0
- CIS Benchmark for Oracle Solaris 11, v1.1.0
- CIS Benchmark for Debian Family Linux, v1.0.0
- CIS Benchmark for Oracle Solaris 10, v5.2.0
- CIS Benchmark for Debian Linux 8, v2.0.1
- CIS Benchmark for Debian Linux 9, v1.0.0
- CIS Benchmark for Debian Linux 11, v1.0.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1709), v1.4.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1803), v1.5.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1809), v1.6.1
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1903), v1.7.1
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 1909), v1.8.1
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 20H2 or older), v1.10.1
- CIS Benchmark for Ubuntu Linux 18.04 LXD Host, v1.0.0
- CIS Benchmark for Ubuntu Linux 18.04 LXD Container, v1.0.0
- CIS Benchmark for Red Hat Enterprise Linux 9, v1.0.0
- CIS Benchmark for Ubuntu Linux 16.04 LTS, v2.0.0
- CIS Benchmark for Ubuntu Linux 14.04 LTS, v2.1.0
- CIS Benchmark for Oracle Linux 9, v1.0.0
- CIS Benchmark for CentOS Linux 6, v3.0.0
- CIS Benchmark for Oracle Linux 6, v2.0.0
- Control Chain CIS Red Hat Enterprise Linux 6 Benchmark v3.0.0
- CIS Benchmark for Red Hat Fedora 28, v2.0.0
- CIS Benchmark for Red Hat Enterprise Linux 8 STIG, v1.0.0
- CIS Benchmark for VMware ESXi 6.5, v1.0.0
- CIS Benchmark for Microsoft Windows 10 Enterprise RTM (Release 1511), v1.1.0
- CIS Benchmark for Red Hat Enterprise Linux 7 STIG, v2.0.0
- CIS Benchmark for Ubuntu 12.04 LTS Server, v1.1.0
- CIS Benchmark for Microsoft Windows 10 Enterprise (Release 21H1 or older), v1.11.0
- CIS Benchmark for Debian Linux 7, v1.0.0
- CIS Benchmark for SUSE Linux Enterprise 12.x, v3.1.0
- CIS Benchmark for Microsoft Office Enterprise, v1.1.0
- CIS Benchmark for SUSE Linux Enterprise 15.x, v1.1.1
- CIS Benchmark for Alma Linux 9, v1.0.0
- CIS Benchmark for Red Hat Enterprise Linux 8, v3.0.0
- CIS Benchmark for Rocky Linux 9, v1.0.0
- CIS Benchmark for Debian Linux 10, v2.0.0
- CIS Benchmark for Palo Alto Firewall 9, v1.1.0
- CIS Benchmark for Microsoft Windows Server 2012 R2, v3.0.0
- CIS Benchmark for Oracle Linux 8, v3.0.0
- CIS Benchmark for Microsoft Windows Server 2016 STIG, v2.0.0
- CIS Benchmark for Microsoft Windows Server 2019 STIG, v2.0.0
- CIS Benchmark for Microsoft Windows Server 2022 STIG, v1.0.0
- CIS Benchmark for Alma Linux 8 v3.0.0
- CIS Benchmark for Red Hat Enterprise Linux 7, v4.0.0
- CIS Rocky Linux 8 Benchmark v2.0.0
- CIS Benchmark for Microsoft Windows Server 2008 R2, v3.3.0
- CIS Benchmark for Amazon Linux 2023, v1.0.0
- CIS Benchmark for Ubuntu Linux 20.04, v2.0.1
- CIS Benchmark for Microsoft Windows Server 2012 non-R2, v3.0.0
- CIS Benchmark for Microsoft Windows 11 Enterprise, v3.0.0
- CIS Benchmark for CentOS Linux 7, v4.0.0
- CIS Benchmark for Amazon Linux 2, v3.0.0
- CIS Benchmark for Oracle Linux 7, v4.0.0
- CIS Benchmark for IBM i V7R4M0, v1.0.0
- CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
- CIS Benchmark for ISC BIND DNS Server 9.9, v3.0.1
- CIS Microsoft Intune for Windows 10 Benchmark, v3.0.1
- CIS Benchmark for Google Chrome, v3.0.0
- CIS Benchmark for Microsoft Windows 10 Enterprise, v3.0.0
- CIS Benchmark for Microsoft Windows Server 2022, v3.0.0
- CIS Benchmark for Microsoft Windows 10 Stand-alone, v3.0.0
- CIS Benchmark for Microsoft Windows Server 2016, v3.0.0
- CIS Benchmark for Microsoft Windows Server 2019, v3.0.0
If you have any queries, reach out to your technical account manager or Qualys Support.