Do “STIG Benchmark” and “CIS Benchmark – Level X” relate to the FISMA scale?
Product Name
CIS Benchmarks™
Product Version
all
Date
Sep 16, 2020
Problem
“Can you relate your ‘STIG Benchmark’ and ‘Benchmark – Level X’ tags to the ‘FISMA Low-Medium-High’ scale?”
Solution
Within a CIS STIG Benchmark you will see the STIG severity categories (CAT I, II, III) noted in the recommendation notes where applicable, but nothing mapped directly to FISMA. For the moment we only note the STIG severity in the STIG Benchmarks; the Level 1 / Level 2 profile tags are not a severity scale and do not correspond to FISMA Low, Moderate, or High.
Additionally, this resource may be useful: https://www.cisecurity.org/cybersecurity-tools/mapping-compliance/
Additional information regarding Severity Ratings
How do we determine which recommendations should be remediated first to close the most critical security gaps?
Each recommendation in a benchmark holds a weight of 1, meaning no single recommendation carries more importance or a higher severity level than another.
Because each organization reviews and implements the recommendations within a benchmark differently, a setting that you rate at the highest criticality another organization may rate as a lower priority. Of course, the more recommendations that can be implemented without negatively impacting your environment, the better.
We recognize that 100% compliance may not be practical for many organizations, but closing as many security gaps as possible is the real measure of success. As a reference point, most organizations fall within a 70-100% passing rate, and that percentage varies based on their requirements and the tailoring unique to their environment.
If you have specific questions about a recommendation or setting within a benchmark, please feel free to participate in the community for that particular benchmark on our WorkBench platform by opening a discussion thread. Feedback and discussion around our benchmarks and recommendations give us the opportunity to continuously improve our products.