How does a whole asset fail a CIS benchmarks assessment?

I am using Rapid7's InsightVM tool to run CIS scans on a couple of our servers. One of them reported 68.27% compliance, while the other scored close to that. However, in the summary of the asset, it has marked the status of the asset as 'Failed'. Is there a minimum compliance percentage an asset should meet for CIS compliance? I understand each benchmark rule failing or passing. But I would like to understand the minimum acceptable compliance required for an asset to Pass, if there is such a minimum threshold. Is there a threshold percentage that the asset should meet?

schroeder
Sreeraj

1 Answer

I think there is no precise threshold for CIS compliance. In my company we had to go through this server hardening process. What we did was address all the failed ones. If company policy/standard allowed us to change the config as CIS recommended, we did that; otherwise we documented the compensating controls against that or treated it as accepted risk. It is not feasible to comply with all the listed requirements of CIS, but failed ones should be appropriately addressed.
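As an added illustration of the process the answer describes (not code from the question, the answer, or Rapid7), here is a small Python script that computes the compliance percentage from per-rule results and flags failed rules that have no documented disposition. It assumes an asset is marked Failed whenever any rule fails (consistent with the 68% asset above, but an assumption), and that the exception register is a simple rule-id-to-disposition map; all rule ids and titles are constructed.

```python
from dataclasses import dataclass, field

# Dispositions a failed rule may carry, following the answer's process:
# remediate when policy allows, otherwise record a compensating control
# or a formally accepted risk.
ALLOWED_DISPOSITIONS = {"remediated", "compensating_control", "accepted_risk"}


@dataclass
class RuleResult:
    rule_id: str
    title: str
    passed: bool


@dataclass
class Report:
    compliance_pct: float
    status: str
    unaddressed: list = field(default_factory=list)


def assess(results, exceptions):
    """Summarise a benchmark scan against an exception register.

    results:    list of RuleResult from one asset's scan.
    exceptions: dict rule_id -> disposition (hypothetical register).
    Status is 'Failed' if any rule fails (assumption, see lead-in); a
    failed rule is 'unaddressed' unless the register has a valid disposition.
    """
    if not results:
        raise ValueError("no benchmark results to assess")
    passed = sum(1 for r in results if r.passed)
    pct = round(100.0 * passed / len(results), 2)
    unaddressed = [r.rule_id for r in results
                   if not r.passed
                   and exceptions.get(r.rule_id) not in ALLOWED_DISPOSITIONS]
    status = "Passed" if passed == len(results) else "Failed"
    return Report(pct, status, unaddressed)


# Constructed sample scan: 6 rules, 2 failures, one of which is documented.
SAMPLE_RESULTS = [
    RuleResult("1.1.1", "constructed rule 1", True),
    RuleResult("1.1.2", "constructed rule 2", False),
    RuleResult("1.1.3", "constructed rule 3", True),
    RuleResult("2.1.1", "constructed rule 4", False),
    RuleResult("2.1.2", "constructed rule 5", True),
    RuleResult("3.1.1", "constructed rule 6", True),
]
SAMPLE_EXCEPTIONS = {"2.1.1": "compensating_control"}   # 1.1.2 has none
SAMPLE_REPORT = assess(SAMPLE_RESULTS, SAMPLE_EXCEPTIONS)
```

The asset still reports Failed at 66.67%, but only rule 1.1.2 needs a decision; the rest are either passing or already covered by the register.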