Natsar Cybersecurity Insights

Apr 14, 2025

Customizing Configuration Benchmarks for Your Organization

Learn how to adapt CIS Benchmarks and DISA STIGs to fit your business needs without compromising security or compliance.


Intended Audience: Entry-level cybersecurity professionals, IT administrators, and anyone responsible for securing or developing systems.


Balancing Security with Business Reality

CIS Benchmarks and DISA STIGs provide strong starting points for system hardening, but let’s face it—no benchmark is perfect for every environment. In many organizations, strict adherence to these benchmarks without any customization can result in usability issues, broken applications, or operational slowdowns.

That’s where thoughtful customization comes in. Instead of blindly applying every recommendation, organizations must strike a balance between ideal security and the reality of business requirements, user needs, and legacy system constraints. You can (and should) tailor these benchmarks, but only when done with a strategic, well-documented approach.


Modifying CIS or STIG Benchmarks Based on Business Needs

CIS Benchmarks and DISA STIGs are designed to be flexible enough to accommodate a variety of environments, but that doesn’t mean they should be blindly applied across the board.

CIS Benchmarks are structured using different profile levels, each representing a different balance of usability and security:

  • Level 1 is a base recommendation that can typically be implemented promptly and without significant performance impact. These controls are meant to reduce the attack surface while maintaining usability and supporting business functionality.

  • Level 2 is considered a “defense in depth” profile, intended for environments where security is critical. Level 2 recommendations are more stringent and may have an adverse effect on usability or business operations if applied without due care.

  • STIG Profile (in benchmarks where applicable) replaces the former Level 3 and includes all recommendations specific to DISA STIGs. These controls may overlap with Level 1 and Level 2 but are focused on meeting DoD-level compliance standards.

Each recommendation within a CIS Benchmark is mapped to at least one of these profiles. CIS also strongly recommends testing any benchmark in a non-production environment first to evaluate its impact before applying it broadly.

DISA STIGs, similarly, categorize controls based on severity (CAT I, II, III). Like the CIS profiles, they’re intended to be reviewed and prioritized based on mission needs, compliance requirements, and potential disruption.


When and How to Make Exceptions

Customizations should never be ad hoc or undocumented. If your organization decides to deviate from a benchmark setting:

  1. Conduct a risk assessment – Understand the risk of not implementing the control as recommended.

  2. Justify the exception – Define why this change is necessary for business operations or compatibility.

  3. Apply compensating controls – If possible, apply alternative security measures to offset the risk (e.g., more frequent monitoring, firewall restrictions, or logging).

  4. Set review timelines – Exceptions should be reviewed regularly in case system updates or new business needs allow the original control to be applied later.


Documenting Deviations and Planning for Remediation

This is where most organizations drop the ball. Even if you make the right decision to customize a setting, failing to document it can lead to audit headaches or knowledge gaps later.

Best practices for exception documentation:

  • Maintain a central repository (Excel spreadsheet, GRC tool, ticketing system, etc.)

  • Capture system name, control ID, recommended setting, customized setting, justification, risk level, and next review date

  • Include responsible team member and change control references

This documentation not only helps during audits but also creates a record for future teams that may inherit your environment. As systems evolve or legacy applications are retired, many of these deviations can be closed, bringing your environment closer to full compliance.
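The exception process described earlier (risk assessment, justification, compensating controls, review timelines) and the register fields listed above can be checked mechanically rather than by eye. The following Python script is an added example, not part of the original post or of any Natsar tooling; it reads a constructed CSV register (placeholder system names, control IDs and owners, not real benchmark identifiers) and flags records that lack a justification or change-control reference, that record no compensating control at Medium or High risk, or whose review date has passed as of a given day.

```python
"""Check a configuration-benchmark exception register for incomplete or overdue entries."""
import csv
import io
from datetime import date

# Constructed sample register: placeholder systems, control IDs and owners,
# not real benchmark identifiers. Columns follow the fields listed in the post.
SAMPLE_REGISTER = """\
system,control_id,recommended_setting,customized_setting,justification,risk_level,compensating_controls,owner,change_ref,next_review
app-srv-01,CIS-EXAMPLE-1.1,enabled,disabled,Legacy app requires it,Medium,Extra logging; host firewall rule,J. Doe,CHG-0001,2025-10-01
db-srv-02,STIG-EXAMPLE-V-000001,900,3600,Batch job timeout,Low,,A. Smith,CHG-0002,2024-12-01
web-srv-03,CIS-EXAMPLE-2.3,on,off,,High,Monitoring,B. Lee,,2025-06-30
"""

# Every deviation must carry these fields before it is considered documented.
REQUIRED_FIELDS = (
    "system", "control_id", "recommended_setting", "customized_setting",
    "justification", "risk_level", "owner", "change_ref", "next_review",
)
RISK_LEVELS = ("Low", "Medium", "High")
# Assumed local policy: Medium and High risk deviations must record a compensating control.
NEEDS_COMPENSATING = ("Medium", "High")


def load_register(text):
    """Parse the CSV register into a list of dict rows (one per exception)."""
    return list(csv.DictReader(io.StringIO(text)))


def check_record(rec, today):
    """Return a list of findings for one exception record; empty means it passes."""
    findings = []
    for field in REQUIRED_FIELDS:
        if not (rec.get(field) or "").strip():
            findings.append(f"missing {field}")

    risk = (rec.get("risk_level") or "").strip()
    if risk and risk not in RISK_LEVELS:
        findings.append(f"unknown risk_level {risk!r}")
    if risk in NEEDS_COMPENSATING and not (rec.get("compensating_controls") or "").strip():
        findings.append("no compensating controls recorded")

    review = (rec.get("next_review") or "").strip()
    if review:
        try:
            review_date = date.fromisoformat(review)
        except ValueError:
            findings.append(f"unparseable next_review {review!r}")
        else:
            # An exception whose review date has arrived must be re-assessed:
            # the original control may now be applicable.
            if review_date <= today:
                findings.append(f"review overdue ({review})")
    return findings


def check_register(text, today=None):
    """Map (system, control_id) -> findings for every record in the register."""
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    report = {}
    for rec in load_register(text):
        key = (rec.get("system", ""), rec.get("control_id", ""))
        report[key] = check_record(rec, today)
    return report


def overdue_exceptions(report):
    """Keys of records whose review date has passed, sorted for stable output."""
    return sorted(k for k, f in report.items() if any(x.startswith("review overdue") for x in f))


if __name__ == "__main__":
    # Evaluate the sample register as of the post's publication date.
    result = check_register(SAMPLE_REGISTER, today="2025-04-14")
    for (system, control_id), findings in result.items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{system} {control_id}: {status}")
```

Run on a real export, the script gives the owner of the register a short list of deviations that are undocumented or due for re-assessment, which is the review cadence step of the process above turned into a routine check rather than a recollection.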


Bottom Line

CIS Benchmarks and DISA STIGs offer an excellent foundation for system hardening, but rigid implementation doesn't always align with real-world business needs. By customizing configuration baselines responsibly, with thorough documentation and compensating controls, organizations can strike a practical balance between strong security and operational efficiency. A tailored approach ensures compliance is maintained where it matters most, without sacrificing productivity or breaking essential systems.


Learn More About Defense in Depth and Earn a Continuing Education Certificate

For a deeper dive into these concepts, watch my no-cost training video, Introduction to Configuration Management and System Hardening, available on YouTube or through Natsar’s website. By completing this training, you can earn Continuing Professional Education (CPE) credits and strengthen your cybersecurity skills.


How Natsar Can Help

Natsar provides expert guidance on implementing secure system configurations, conducting configuration compliance assessments, and aligning with industry frameworks like NIST and CIS. Our consulting services and on-demand training help your organization reduce cyber risk and strengthen operational resilience. Learn more at natsar.com.


Stay Tuned for Our Next Post

In our next post, we’ll explore how to scan your systems for compliance using tools like CIS-CAT and the DISA SCAP Tool. We’ll cover what these tools can do, their limitations, and how to interpret your scan results to improve configuration management.


If you found this helpful, please subscribe to Natsar Cyber Insights, follow us on social media, and share your thoughts in the comments section. Your engagement guides future content!
