
About CIS-CAT Pro Assessor v4


Introduction

CIS-CAT Pro Assessor v4 evaluates the cybersecurity posture of a system against recommended policy settings. The tool helps organizations save time and resources by employing automated content with policy setting recommendations based on 100+ globally recognized CIS Benchmarks.

The tool is maintained at a location under each Member’s control. Whether your organization runs it in a virtual environment, in the cloud, on the network, or on a local machine, CIS-CAT Pro Assessor v4 helps ensure compliance with policies. CIS-CAT Pro Assessor v4 can assess remote or local target systems, whether they reside in the cloud or on-premises.

Feature Highlights

  • Automatically compare a target system's configuration settings to the recommended settings in the corresponding CIS Benchmarks
  • Evaluate target systems' security with reports that map results to the CIS Critical Security Controls (CIS Controls)
  • Scan local and remote systems
  • Export assessment results in multiple reporting formats, including an HTML report that enables quick review of non-compliant settings and of the remediation steps for achieving compliance with each Benchmark Recommendation
  • Compatible with customized CIS Benchmarks
  • Integrates with the CIS-CAT Pro Dashboard and CIS SecureSuite Platform, allowing users to view their systems' Benchmark compliance over a recent period with dynamic reporting features

Security

Development Process

The CIS team makes its best effort to ensure that the product is free from material vulnerabilities introduced by integrated third-party libraries, running monitoring tools continuously as part of the software build process.

Some detected vulnerabilities may nevertheless remain in the application for several reasons: the vendor has not yet provided a non-vulnerable update, the finding is a false positive, NIST has not yet completed its analysis, and so on. Known vulnerabilities are disclosed in the README.txt document within the bundle. With each release, the CIS team reviews and updates this list and, where possible, the libraries themselves.

Penetration Testing

CIS performs annual penetration testing on eligible software products, including CIS-CAT Pro Assessor. The CIS-CAT Pro Assessor team mitigates the risks associated with penetration test findings rated Medium or higher by applying the recommended solutions.

SOC 2 Compliant

CIS's product engineering practices are SOC 2 certified.

SOC 2 is a voluntary compliance standard for service organizations, developed by the American Institute of CPAs (AICPA), which specifies how organizations should manage customer data. The standard is based on the following Trust Services Criteria: security, availability, processing integrity, confidentiality, privacy.

Security-Trained Engineers

CIS-CAT Pro Assessor's engineering team consists of individuals educated and certified in CIS's cybersecurity best practices. We develop these best practices with our global community of cybersecurity experts.

Software Bill of Materials (SBOM)

SecureSuite is delivered with a Software Bill of Materials (SBOM) in the JSON and XML file formats. The SBOM is updated with every release. You can find the SBOM in the Documentation folder or download it from CIS WorkBench.

An SBOM is a formal record containing the details and supply chain relationships of the various components used in building software. CIS SecureSuite products utilize and embed many open source and commercial software components; the SBOM enumerates these components in the product.

An SBOM is useful to those who develop or manufacture software, those who select or purchase software, and those who operate software. Buyers can use an SBOM to perform vulnerability or license analysis, both of which can be used to evaluate risk in a product. Those who operate software can use SBOMs to quickly and easily determine whether they are at potential risk of a newly discovered vulnerability.

SBOMs can provide tremendous value when stored in a repository that can be easily queried by other applications or systems. Understanding the supply chain of software, obtaining an SBOM, and using it to analyze known vulnerabilities are crucial in managing risk.
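As an added example (not part of this page or of CIS's own tooling), the following Python script shows the kind of query the preceding paragraphs describe: it loads a constructed CycloneDX-style JSON SBOM and reports the components whose version predates the fix listed in a constructed advisory feed. The CycloneDX layout, the component names and the advisory identifiers are all assumptions; the page only states that the SBOM ships as JSON and XML.

```python
import json

# Constructed CycloneDX-style SBOM fragment with hypothetical components.
# This is NOT the real SecureSuite SBOM; the layout is an assumption.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.example", "name": "xml-parser", "version": "2.3.1"},
    {"type": "library", "group": "org.example", "name": "json-utils", "version": "1.9.0"},
    {"type": "library", "group": "org.example", "name": "ssh-client", "version": "4.0.2"}
  ]
}
"""

# Constructed advisory feed: component name and the first fixed version.
# Any version below "fixed_in" is treated as affected. Placeholder IDs, not real CVEs.
ADVISORIES = [
    {"id": "ADVISORY-PLACEHOLDER-1", "name": "xml-parser", "fixed_in": "2.3.4"},
    {"id": "ADVISORY-PLACEHOLDER-2", "name": "ssh-client", "fixed_in": "4.0.0"},
]


def parse_version(version):
    """Turn a plain dotted numeric version into a comparable tuple: '2.3.1' -> (2, 3, 1).
    Pre-release suffixes and non-numeric schemes are out of scope for this example."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text):
    """Return (name, version) pairs for every component listed in the SBOM."""
    bom = json.loads(sbom_text)
    return [(c["name"], c["version"]) for c in bom.get("components", [])]


def find_exposed(sbom_text, advisories):
    """Return the SBOM components whose version is older than an advisory's fix."""
    exposed = []
    for name, version in load_components(sbom_text):
        for adv in advisories:
            if adv["name"] == name and parse_version(version) < parse_version(adv["fixed_in"]):
                exposed.append({"component": name, "version": version, "advisory": adv["id"]})
    return exposed


if __name__ == "__main__":
    for hit in find_exposed(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} {hit['version']} is affected by {hit['advisory']}")
```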

FAQ

How does CIS-CAT Pro Assessor v4 work?

CIS-CAT Pro Assessor automatically compares a target system’s configuration settings to the recommended settings in more than 80 CIS Benchmarks. CIS-CAT outputs a conformance score ranging from 0 to 100 and includes written remediation guidance for each supported CIS Benchmark within the output report.

What is the difference between CIS-CAT Pro and CIS-CAT Lite?

CIS-CAT Pro offers multiple assessment reporting output formats (TXT, CSV, HTML, XML, JSON), and can run configuration assessments against all CIS Benchmarks.

CIS-CAT Lite is available as a preview primarily for users without a CIS SecureSuite Membership. It offers HTML-based reporting output and a limited set of CIS Benchmarks (Microsoft Windows 10, Google Chrome, and Ubuntu).

Download CIS-CAT Lite

Download CIS-CAT Lite from our website.