THE CIO INSTITUTE
The Center for Internet Security
By the late 1990s CIOs were facing a mounting wave of viruses, worms and direct cyber attacks against their systems, and they were unable to systematically harden those systems against attacks because hardening sometimes disabled mission-critical applications. First Union Bank (now part of the Bank of America) had demonstrated the remarkable effectiveness of an approach to cyber hygiene in which they identified the vulnerabilities in their UNIX and Windows systems that were most likely to be exploited and began monitoring all systems for the presence of those specific vulnerabilities. In just a few months, nearly all the exploited vulnerabilities were gone and all the important applications worked fine.
The CIO Connection used this case study to convene a meeting of the top cyber leaders in the US government and industry, who agreed to jointly establish the Center for Internet Security (CIS) (www.cisecurity.org) to make it possible for the First Union story to be replicated widely. CIS, funded by membership fees and start-up support from the SANS Institute, developed secure configurations of common operating systems along with scoring systems that told organizations how close to secure each system was. The ultimate goal was to enable CIOs to demand that vendors deliver systems with those safe configurations “baked-in.” A partnership between CIS and the National Security Agency enabled consensus on secure configurations of Windows to be reached across commercial and government organizations. Led by CIO John Gilligan, the U.S. Air Force purchased more than 450,000 computers with those secure configurations baked in.
NSA reported that the secure configurations used by the Air Force blocked more than 85% of all attacks that were successfully gaining control of systems at other agencies. The Air Force reported reduced patching time from 57 days to 3 days and, at the same time, savings exceeding $100 million in procurement and an equal amount each year in reduced patching and cleanup costs. Best of all, the users reported that they were much more satisfied and used much less help desk time because their systems had common configurations that could be centrally managed.
In 2007 and 2008, the US Office of Management and Budget established mandates requiring all computers purchased by the federal government to have secure configurations baked in and requiring application vendors to take responsibility for ensuring their applications ran effectively on the secure configurations. Not all federal agencies followed OMB’s requirement, but nearly 800 organizations – both government and commercial – have become members of CIS in large part to use the benchmark configurations. Today Amazon Web Services delivers cloud-based system images pre-configured with the CIS hardened configurations.