CIS Benchmark Mapper
Overview
Draft and validate Secure Configuration Baselines (hardening guides) that turn CIS Benchmarks or STIGs into formal company policy, aligned to NIST CSF 2.0 Protect (PR.PS). The skill guides mapping of Rationale and Remediation from CIS/STIG into policy language and enforces a recurring Drift Analysis schedule so configurations are verified over time. One validation tool runs on the draft: config_drift_procedure_audit checks for a dedicated drift/baseline verification section and an explicit recurring schedule (e.g. quarterly, monthly).
Example Conversation
You: We need a hardening guide for our Windows Server fleet. Use the CIS Microsoft Windows Server 2022 Benchmark and turn the Rationale and Remediation into our company baseline policy. Make sure we have a drift analysis procedure.
Agent: I’ll draft the Secure Configuration Baseline with scope (Windows Server 2022), requirements mapped from the CIS Benchmark, and a Drift Analysis section with a quarterly schedule. Then I’ll run config_drift_procedure_audit on the draft.
Agent: I’ve added the Drift Analysis section: “Configuration drift analysis is performed quarterly for all in-scope servers.” Running config_drift_procedure_audit…
Agent: Result of config_drift_procedure_audit:
— CONFIG DRIFT PROCEDURE AUDIT —
Result: PASS
Drift / baseline verification section: found.
Recurring schedule: found (e.g. quarterly, monthly, or explicit cadence).
The hardening guide passes the audit. You can finalize and publish.
Extension tools
| Tool | Purpose |
|---|---|
| config_drift_procedure_audit | Run on the hardening guide draft before finalizing. Ensures a drift/baseline verification section exists and includes an explicit recurring schedule (e.g. quarterly, monthly) so configurations are re-verified over time. |
Output excerpt
After the agent drafts the baseline and runs the audit, the document includes scope, CIS/STIG-based requirements (Rationale → policy; Remediation → procedure), and a Drift Analysis section with schedule. Excerpt:
## Drift Analysis
Configuration baseline verification is performed **quarterly** for all in-scope servers and network devices. The responsible team compares current configurations to this baseline and documents any drift; exceptions are remediated or formally approved. Results are reported to GRC for alignment with NIST CSF 2.0 PR.PS.
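The two checks this page attributes to config_drift_procedure_audit (a dedicated drift/baseline verification section, and an explicit recurring schedule inside it) can be implemented as a small text audit over a markdown draft. The Python below is an added example written for this page, not the skill's own tool code: the heading keywords, the cadence list and the three sample drafts are assumptions, and the report format only mirrors the output quoted in the conversation above. It also covers two failure modes a reviewer would want caught: a section that only says "periodically", and a draft whose only cadence belongs to some other section (such as patching).

```python
import re
from typing import Optional

# A markdown heading line (the '#' style used in the excerpt above) that names a
# drift or baseline-verification section. The keyword list is an assumption
# about what the audit looks for, not the tool's own rule set.
SECTION_HEADING = re.compile(
    r"^[ \t]*#{1,6}[ \t]*.*\b(drift|baseline verification|configuration verification)\b[^\n]*",
    re.IGNORECASE | re.MULTILINE,
)
ANY_HEADING = re.compile(r"^[ \t]*#{1,6}[ \t]", re.MULTILINE)

# Explicit recurring cadences. Vague words ("periodically", "regularly") are
# deliberately not matched: an auditor cannot check them against a calendar.
CADENCE = re.compile(
    r"\b(daily|weekly|bi-?weekly|monthly|quarterly|semi-?annually|annually|"
    r"every\s+\d+\s+(?:days?|weeks?|months?|years?))\b",
    re.IGNORECASE,
)


def drift_section_body(draft: str) -> Optional[str]:
    """Return the text under the drift/baseline heading, up to the next heading."""
    m = SECTION_HEADING.search(draft)
    if m is None:
        return None
    start = m.end()
    nxt = ANY_HEADING.search(draft, start)
    return draft[start:nxt.start() if nxt else len(draft)]


def audit_drift_procedure(draft: str) -> dict:
    """Apply the two checks the page attributes to config_drift_procedure_audit."""
    body = drift_section_body(draft)
    # The cadence must appear inside the drift section itself: a "monthly" in
    # the patching section does not schedule baseline verification.
    cadence = CADENCE.search(body) if body is not None else None
    return {
        "section_found": body is not None,
        "schedule_found": cadence is not None,
        "schedule": cadence.group(0).lower() if cadence else None,
        "result": "PASS" if body is not None and cadence else "FAIL",
    }


def format_report(findings: dict) -> str:
    """Render findings in the same shape as the audit output quoted above."""
    section = "found" if findings["section_found"] else "MISSING"
    if findings["schedule_found"]:
        schedule = f"found ({findings['schedule']})"
    else:
        schedule = "MISSING (state an explicit cadence such as quarterly or monthly)"
    return "\n".join([
        "— CONFIG DRIFT PROCEDURE AUDIT —",
        f"Result: {findings['result']}",
        f"Drift / baseline verification section: {section}.",
        f"Recurring schedule: {schedule}.",
    ])


# Constructed sample drafts (illustrative only, not real company policy).
PASSING_DRAFT = """# Secure Configuration Baseline: Windows Server 2022

## Scope
All domain-joined Windows Server 2022 hosts.

## Drift Analysis
Configuration baseline verification is performed **quarterly** for all
in-scope servers. Drift is documented and remediated or formally approved.
"""

VAGUE_DRAFT = """## Drift Analysis
Baselines are reviewed periodically by the platform team.
"""

NO_SECTION_DRAFT = """## Patch Management
Security patches are applied monthly. Baseline compliance is not addressed here.
"""

if __name__ == "__main__":
    for name, draft in [("passing", PASSING_DRAFT), ("vague", VAGUE_DRAFT),
                        ("no-section", NO_SECTION_DRAFT)]:
        print(f"[{name}]\n{format_report(audit_drift_procedure(draft))}\n")
```

Scoping the cadence search to the drift section is the deliberate design choice here: a draft that schedules patching monthly but leaves baseline verification unscheduled should fail, and a section that promises only to review baselines "periodically" gives GRC nothing to verify against.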