Supported benchmarks

BigFix Compliance SCM provides checklists that are created based on the following security configuration benchmarks:

Center for Internet Security (CIS)

The CIS guidelines recommend technical control rules and values that apply to network devices, operating systems, software applications, and middleware applications. The CIS guidelines are consensus-based and are used by the US government and businesses in various industries.

The CIS guidelines are distributed for free in PDF files and are also available in Extensible Configuration Checklist Description Format (XCCDF) for CIS Security Benchmark members. XCCDF is an XML-based language that is used for benchmark assessment tools and custom scripts.

For more information about CIS, see https://www.cisecurity.org/cis-benchmarks/.

Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs)

The DISA STIGs provide recommendations for the secure installation, configuration, and maintenance of software, hardware, and information systems. The DISA STIGs are one of the configuration standards on which the US government bases its requirements.

For more information about the DISA STIGs, see https://public.cyber.mil/stigs/.

Payment Card Industry Data Security Standard (PCI DSS)

The PCI DSS is a baseline of technical and organizational requirements that are related to the Payment Card Industry.

You must establish a secure payments environment throughout your organization to achieve PCI DSS compliance. SCM enforces security configurations for devices and servers in your organization, and it can help your organization protect devices to meet security compliance for PCI DSS.

By complying with PCI DSS standards, you help ensure that cardholder data and sensitive authentication data are secure and well protected from malicious users and attacks. PCI DSS applies to all entities that are involved in payment card processing and requires continuous compliance with the security standards and best practices that the PCI Security Standards Council sets.

For more information about PCI DSS, see the PCI Security Standards Council resources.

Federal Desktop Core Configuration (FDCC)

The FDCC is a set of security settings that the National Institute of Standards and Technology (NIST) recommended. FDCC was replaced by the United States Government Configuration Baseline (USGCB).

United States Government Configuration Baseline (USGCB)

The USGCB provides guidance for the security configuration of Information Technology products that US government federal agencies deploy. USGCB addresses the following platforms: Microsoft Windows 7, Windows 7 Firewall, Windows Vista, Windows Vista Firewall, Windows XP, Windows XP Firewall, Internet Explorer 7, Internet Explorer 8, and Red Hat Enterprise Linux 5.

USGCB replaced the Federal Desktop Core Configuration (FDCC).

For more information about USGCB, see http://usgcb.nist.gov/.