CIS Product Security and Compliance

Each Cloud Service Provider (CSP) scans images submitted to their marketplace. What is scanned for varies by CSP. Most commonly, CSPs scan for known Common Vulnerabilities and Exposures (CVEs) and reject the submission of an image if a CVE is present in it.

Once the images are approved and exist within the CSP marketplace, the Center for Internet Security, Inc. (CIS®) cannot alter them. Following submission, keeping the images aligned with security patching, newly released CVEs, etc. becomes the responsibility of the CSP housing them and, upon purchase, of the end user. CSPs scan their marketplace images for CVEs and notify CIS if any CIS Hardened Images available on the associated marketplace have a CVE. CIS will then take immediate action to comply with the CSP standard and remove that image from the marketplace.

CIS maintains compliance with System and Organization Controls (SOC) 2 Type II Audit, SOC for Cybersecurity, ISO 27001, and ISO 27701.