CIS

Center for Internet Security

Security
Introduced in Rel-13
CIS is a security framework referenced in 3GPP specifications for establishing security baselines and controls. It provides standardized security configurations and benchmarks that network operators can implement to protect their infrastructure. While not a 3GPP-developed technology, its inclusion in specifications like TS 33.117 demonstrates its importance as an industry-recognized security reference.

Description

The Center for Internet Security (CIS) is an independent, non-profit organization that develops and promotes globally recognized security best practices. Within the 3GPP context, CIS is referenced as an authoritative source for security configuration benchmarks and controls that telecommunications operators can apply to their network infrastructure. These benchmarks provide specific, actionable guidance for securing operating systems, software applications, and network devices against common threats and vulnerabilities.

The CIS benchmarks are developed through a consensus-driven process involving security experts from government, industry, and academia. Each benchmark consists of configuration recommendations that are scored based on their security impact, allowing organizations to prioritize implementation based on their risk tolerance and operational requirements. The benchmarks cover a wide range of technologies including operating systems (Windows, Linux, UNIX), middleware software, mobile devices, cloud providers, and network devices.

In 3GPP specifications, particularly in TS 33.117, CIS benchmarks are referenced as part of security assurance frameworks for telecommunications equipment. The benchmarks provide standardized security configurations that equipment vendors and network operators can implement to ensure consistent security postures across diverse network elements. This standardization is particularly valuable in multi-vendor environments where different equipment may have varying default security configurations.

The integration of CIS benchmarks into 3GPP security specifications represents an important convergence between telecommunications standards and broader cybersecurity best practices. By referencing CIS, 3GPP acknowledges the value of industry-wide security frameworks while maintaining focus on telecommunications-specific security requirements. This approach allows network operators to leverage established security guidance while ensuring compliance with telecommunications regulatory and operational requirements.

Purpose & Motivation

The primary purpose of referencing CIS benchmarks in 3GPP specifications is to provide telecommunications operators with proven, industry-standard security configurations that can be consistently applied across network infrastructure. As telecommunications networks become increasingly complex and interconnected, maintaining consistent security postures becomes challenging, particularly in multi-vendor environments where different equipment may have varying default security settings. CIS benchmarks address this challenge by providing specific, testable security configurations that have been validated by security experts.

Historically, telecommunications security focused primarily on protocol-level security and cryptographic protections, with less emphasis on system-level security configurations. However, as networks evolved to incorporate more commercial off-the-shelf hardware and software, the need for standardized security configurations became apparent. The inclusion of CIS references in 3GPP specifications represents a recognition that comprehensive network security requires attention not only to communications security but also to the security of the underlying computing infrastructure.

By incorporating CIS benchmarks, 3GPP specifications provide operators with a practical framework for implementing defense-in-depth security strategies. The benchmarks help address common security weaknesses in default configurations, reduce the attack surface of network elements, and provide measurable security controls that can be audited and verified. This approach supports regulatory compliance requirements while improving overall network security resilience against evolving cyber threats.

Key Features

  • Industry-standard security configuration benchmarks
  • Consensus-developed security recommendations
  • Scored configuration items for risk-based implementation
  • Coverage of diverse technologies and platforms
  • Actionable security guidance with specific settings
  • Regular updates to address emerging threats

Evolution Across Releases

Rel-13 Initial

Initial reference to CIS benchmarks in 3GPP security specifications, particularly in TS 33.117. This established CIS as a recognized source for security configuration guidance within telecommunications networks. The inclusion provided operators with standardized security baselines for network equipment configuration.

Defining Specifications

Specification    Title
TS 33.117        3GPP TR 33.117