CIS-CAT Pro is a tool used to evaluate the cybersecurity posture of a system against the recommended policy settings outlined in the CIS Benchmarks. Following the release of CIS-CAT Pro Assessor v4, the Center for Internet Security (CIS) will cease support for CIS-CAT Pro Assessor v3. Its final release will occur in November 2021.
What End of Life Means for Assessor v3
CIS will stop delivering and supporting CIS-CAT Pro Assessor v3. Version 3.0.76 will mark the final delivery of this tool. This release also contains updated third-party dependencies to resolve security vulnerabilities. See our knowledge base article for more information on security risk.
Changes in the Final Release
This final release of CIS-CAT Pro Assessor v3 requires Java 8, whether installed as a Java Runtime Environment (JRE), a Java Development Kit (JDK), or an OpenJDK version. We have updated the third-party libraries that support assessor activities in this release, and these updates require Java 8 at a minimum.
The Assessor v3 dissolvable version has been updated to operate with Java 8.
Still Need Assessor v3?
CIS-CAT Pro Assessor v3 will remain available until November 2022.
The CIS Support Team will assist CIS SecureSuite Members with questions regarding the availability of the tool, but will no longer offer support on the function of the tool.
Read about Assessor v3’s limited use guidelines in our knowledge article.
Assessor v3 and CIS Benchmarks
Assessor v3 will include CIS Benchmarks officially supported for use with this final version. Future and past CIS Benchmark versions for the technologies supported by Assessor v3 may work with the final tool version, but are not guaranteed and should be used at the Member’s discretion.
Members requiring the ability to assess against older Benchmarks that aren’t supported in Assessor v4 can continue to utilize v3 until the Benchmark is supported in v4 or reaches its end of life (HP UX, Cisco ASA Firewall, Oracle Solaris OS, IBM AIX). If Member demand supports the need for the tool to support these CIS Benchmarks after November 2022, CIS will evaluate extending the availability date.
Other Assessor v3 Functions
Members are advised to no longer utilize Assessor v3 for vulnerability assessments. Since Assessor v3 will not be updated monthly with new CVE information, its vulnerability data will quickly go out of date. Members are encouraged to utilize Assessor v4 for vulnerability assessments going forward.
CIS-CAT Pro Assessor v3 is a Security Content Automation Protocol (SCAP) validated tool. Members who require a NIST-validated tool can continue to use Assessor v3 when necessary. CIS-CAT Pro Assessor v4 is architected in compliance with SCAP, but has not yet been formally SCAP validated. CIS currently plans to pursue SCAP 1.3 validation for CIS-CAT Pro Assessor v4 in 2022.
The Assessor v3 dissolvable bundle includes Java version 8 in this final release. With CIS-CAT Pro Assessor v4, we plan to offer an embedded Java for command line activities in 2022.
Still have questions?
Join the CIS-CAT Discussion Community on CIS WorkBench and start a discussion! Reach out to CIS Support and ask for the feedback ticket to be directed to the CIS-CAT Product Owner.
Where to Get CIS-CAT Pro Assessor
CIS-CAT Pro Assessor and Dashboard save you hours of configuration review by scanning against a target system’s configuration settings and reporting the system’s compliance to the corresponding CIS Benchmark. These tools are available as part of a CIS SecureSuite Membership. Members can download these tools and other resources on CIS WorkBench.
Not a Member yet? Learn more about CIS-CAT Pro Assessor at one of our free webinars.
You can also try CIS-CAT Lite v4 at no cost.