CIS Data-Driven Report for CIS Policies

To evaluate your CIS policies precisely against the CIS benchmarks, the controls are now chained logically in the context of CIS references. 

You can generate a dedicated policy compliance report that organizes compliance data according to the CIS references. This report offers insight into control chaining conditions for CIS references and presents the compliance data in diverse ways, providing you with a comprehensive view of your CIS compliance. 

This feature offers you a structured framework for assessing your adherence to the CIS benchmarks. Also, it ensures that all relevant controls are considered and assessed logically.

Notes: 
- This enhancement is exclusive to PC subscriptions and not available for SCA subscriptions.
- Only CSV report format is supported.
- The following controls are skipped from the report:
  - Controls that are chained logically in the context of CIS references but are not part of the policy that is being evaluated
  - Inactive controls

Benefits

Here are some benefits offered by this enhancement:

Prerequisites

Generate CIS Compliance Report

Note: Currently, you cannot edit the report layout.

  1. Navigate to Reports > Templates, and click New > Policy Template.
  2. In the Layout section, under Report Layout, select Control Chaining as the Group by option.
  3. Specify other details and save the template. To learn more about configuring a policy report template, refer to Configure Policy Report Templates.
  4. Generate a compliance report in CSV format using the saved template.

    The compliance report is generated in the context of the CIS benchmark. Note that only CSV format is supported for this report. If you select a different format, the report generation fails with an error message.

    Important:
    - While generating a report, select a valid CIS benchmark policy for which the controls are chained and mapped with CIS references.
    - This report does not work for instance-based technologies.

CIS Compliance Report Structure

The CIS compliance report is structured to show the overall CIS compliance score, the compliance score for every CIS reference, the controls mapped to CIS references, the control chaining condition for each reference, the control status, and the hosts mapped to CIS references.
The following is the typical representation of the CIS compliance report:

CIS Policies with Control Mapping Implemented

The Qualys Policy Compliance team is progressively implementing control chaining and mapping the controls to the CIS references. As of now, this mapping is implemented for the following policies:

If you have any queries, reach out to your technical account manager or Qualys Support.