LLMpedia: The first transparent, open encyclopedia generated by LLMs

CIS (Center for Internet Security)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Center for Internet Security
Formation: 2000
Type: Nonprofit organization
Headquarters: East Greenbush, New York
Region served: International

CIS (Center for Internet Security) is a nonprofit organization focused on developing best practices, standards, and tools to improve cybersecurity posture for public and private sector entities. It publishes widely used benchmarks and the CIS Controls, and operates initiatives spanning configuration hardening, threat intelligence, and cloud security. CIS collaborates with standards bodies, technology vendors, academic institutions, and government agencies to promote implementation of actionable security measures.

History

Founded in 2000, CIS emerged amid rising concern after events such as the Melissa virus outbreak and the ILOVEYOU worm, with early engagement from stakeholders involved in responses to incidents like the Morris worm and initiatives linked to the National Institute of Standards and Technology. The organization refined device and system configuration guidance during periods influenced by policy work from entities such as the Department of Homeland Security, the Office of Management and Budget, and advisory efforts connected to the Computer Emergency Response Team community. CIS developed its first benchmarks alongside experts from technology firms including Microsoft, Apple Inc., and Red Hat, aligning over time with standards promulgated by ISO/IEC 27001, NIST SP 800-53, and frameworks used by DOD Cyber Command and allied organizations like NATO. Major milestones include publication of the initial CIS Benchmarks, expansion into cloud security concurrent with offerings from Amazon Web Services, Google LLC, and Microsoft Azure, and the evolution of the CIS Controls influenced by input from practitioners tied to SANS Institute, ISACA, and academic research at institutions such as Carnegie Mellon University and Massachusetts Institute of Technology.

Organizational structure and governance

CIS operates as a membership-based nonprofit overseen by a board with representation from corporations like Intel Corporation, Cisco Systems, and IBM, as well as public-sector participants from agencies including the Federal Bureau of Investigation and the United States Department of Defense. Governance incorporates advisory committees that draw experts affiliated with organizations such as University of California, Berkeley, Stanford University, Johns Hopkins University, and think tanks like the RAND Corporation and Brookings Institution. Operationally, CIS maintains programmatic units focused on Benchmarks, Controls, and community engagement, coordinating with standards bodies such as Internet Engineering Task Force and Organization for Economic Co-operation and Development delegates, while interacting with certification programs and auditors linked to ISACA and (ISC)².

CIS Controls and Benchmarks

The CIS Controls are a prioritized set of cybersecurity actions informed by practitioners and threat intelligence from sources like MITRE ATT&CK, FireEye, CrowdStrike, Palo Alto Networks, and the US Cyber Command ecosystem. CIS Benchmarks provide configuration guidance for technologies produced by vendors including Microsoft, Oracle Corporation, VMware, Cisco Systems, Red Hat, and Apple Inc., and have been mapped to standards such as NIST Cybersecurity Framework and ISO/IEC 27002. The Controls have undergone revisions reflecting research from groups like ENISA and case studies involving deployments by organizations such as State of California, City of London Corporation, and multinational firms like HSBC and Siemens. Implementation tools and automated assessment capabilities integrate with platforms from Splunk, Elastic NV, HashiCorp, and Tenable, enabling alignment with audit regimes used by Ernst & Young, Deloitte, and KPMG.

Services and initiatives

CIS offers services including benchmark downloads, automated assessment tools, the CIS Hardened Images program aligned with cloud marketplaces of Amazon Web Services, Google Cloud Platform, and Microsoft Azure, and the Multi-State Information Sharing and Analysis Center-like collaborations with state governments and agencies such as New York State Office of Information Technology Services and California Department of Technology. Initiatives include cyber workforce development tied to curricula from SANS Institute and higher education partners like Georgia Institute of Technology, incident response exercises reminiscent of scenarios used by Cyber Command and Cybersecurity and Infrastructure Security Agency, and participation in supply chain security dialogues involving vendors such as Fortinet and Check Point Software Technologies. CIS also operates community platforms for peer collaboration similar to those run by FIRST and leverages threat telemetry shared by commercial partners such as McAfee and Symantec.

Partnerships and impact

CIS collaborates with a broad ecology of partners, including international organizations like the European Commission, standards bodies such as the International Organization for Standardization, technology vendors including Amazon, Google LLC, Microsoft Corporation, and academic entities like University of Oxford and University of Cambridge. These partnerships have influenced national cybersecurity guidance in jurisdictions interacting with the United Kingdom National Cyber Security Centre and the Australian Signals Directorate’s strategies, and have facilitated adoption of benchmarks by enterprises like JP Morgan Chase and infrastructure operators such as Exelon Corporation. Cooperative efforts with non-governmental organizations such as the World Bank and United Nations initiatives have supported capacity-building programs and policy alignment across multiple sectors, while vendor integrations have produced hardened images and automated remediations used by cloud providers and managed service providers like Accenture and IBM Security.

Criticism and controversies

CIS has faced critique concerning vendor influence from large technology firms such as Microsoft and Amazon, and debates over the prescriptive nature of benchmarks echo controversies similar to those surrounding NIST guidance adoption in sectors overseen by entities like the Securities and Exchange Commission. Academic commentators from universities like MIT and Stanford University have raised questions about the empirical basis for prioritization in controls versus adversary-informed approaches advocated by MITRE and threat research from companies like Mandiant. Other controversies touch on accessibility for small and resource-constrained organizations compared with procurement practices of multinational corporations such as General Electric and Siemens, and discussions about the balance between prescriptive configuration guidance and operational flexibility seen in debates involving OpenAI and cloud-native adopters like Netflix.
