diff --git a/applications/openshift/api-server/api_server_profiling/rule.yml b/applications/openshift/api-server/api_server_profiling/rule.yml
deleted file mode 100644
index 3215c9b25ab7..000000000000
--- a/applications/openshift/api-server/api_server_profiling/rule.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-documentation_complete: true
-
-prodtype: ocp4
-
-title: 'Disable Profiling on the API server'
-
-description: |-
- To disable profiling,
- edit the openshift-kube-apiserver configmap on the master node(s)
- and set profiling to false:
-
- "schedulerArguments":{
- ...
- "profiling":[
- "false"
- ],
- ...
-
-
-rationale: |-
- Profiling allows for the identification of specific performance bottlenecks. It
- generates a significant amount of program data that could potentially be
- exploited to uncover system and program details. If the profiler is not
- needed for troubleshooting purposes, it is recommended to turn off for
- reduction of potential attack surface.
-
-severity: low
-
-references:
- cis: 1.2.21
-
-ocil_clause: 'profiling is enabled and is set to value of true'
-
-ocil: |-
- Run the following command on the master node(s):
- $ oc get configmap config -n openshift-kube-apiserver -ojson | jq -r '.data["config.yaml"]' | jq '.schedulerArguments["profiling"]'
- The output should return false.
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
new file mode 100644
index 000000000000..34dbf69e6a0e
--- /dev/null
+++ b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/rule.yml
@@ -0,0 +1,50 @@
+prodtype: ocp4
+
+title: 'Profiling is protected by RBAC'
+
+description: |-
+ Ensure that the cluster-debugger cluster role includes the /metrics
+ resource URL. This demonstrates that profiling is protected by RBAC, with a
+ specific cluster role to allow access.
+
+rationale: |-
+ Profiling allows for the identification of specific performance bottlenecks.
+ It generates a significant amount of program data that could potentially be
+ exploited to uncover system and program details.
+ To ensure the collected data is not exploited, profiling endpoints are secured
+ via RBAC (see cluster-debugger role). By default, the profiling endpoints are
+ accessible only by users bound to cluster-admin or cluster-debugger role.
+ Profiling can not be disabled.
+
+identifiers:
+ cce@ocp4: CCE-84212-0
+
+references:
+ cis: 1.2.21
+
+severity: medium
+
+ocil_clause: |-
+ The cluster-debugger role isn't protecting /metrics
+
+ocil: |-
+ To verify that the cluster-debugger role is configured correctly,
+ run the following command:
+ $ oc get clusterroles cluster-debugger -o jsonpath='{.rules[0].nonResourceURLs}'
+ and verify that the /metrics path is included there.
+
+warnings:
+- general: |-
+ {{{ openshift_cluster_setting("/apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger") | indent(4) }}}
+
+template:
+ name: yamlfile_value
+ vars:
+ ocp_data: "true"
+ filepath: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-debugger
+ yamlpath: '.rules[0].nonResourceURLs[:]'
+ entity_check: 'at least one'
+ values:
+ - value: '\/metrics'
+ operation: 'pattern match'
+ entity_check: 'at least one'
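Review bot: The check only proves that `.rules[0]` of the cluster-debugger ClusterRole contains a URL matching the unanchored pattern `\/metrics`; it says nothing about the profiling endpoints the CIS control is actually about (the `/debug/pprof` paths, if the role covers them), nor about who is bound to that role, so an overly broad ClusterRoleBinding would still pass while the rationale claims only cluster-admin/cluster-debugger subjects have access. Indexing `rules[0]` in both the template yamlpath and the ocil jsonpath also makes the rule fragile if the entry granting `/metrics` is not the first rule; if the yamlfile_value template supports it, matching across all rules and anchoring the value (`'^\/metrics$'`) would be stricter. The deleted rule started with `documentation_complete: true` and the new file omits it, which may cause the build to skip this rule even though cis.profile now selects it — worth confirming. Minor wording: `Profiling can not be disabled.` → `Profiling cannot be disabled.`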
diff --git a/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
new file mode 100644
index 000000000000..b49fd368b988
--- /dev/null
+++ b/applications/openshift/api-server/api_server_profiling_protected_by_rbac/tests/ocp4/e2e.yml
@@ -0,0 +1,2 @@
+---
+default_result: PASS
diff --git a/ocp4/profiles/cis.profile b/ocp4/profiles/cis.profile
index bd15e8b53e55..29003b7c7073 100644
--- a/ocp4/profiles/cis.profile
+++ b/ocp4/profiles/cis.profile
@@ -75,9 +75,7 @@ selections:
# 1.2.20 Ensure that the --secure-port argument is not set to 0
- api_server_bind_address
# 1.2.21 Ensure that the --profiling argument is set to false
- # (jhrozek): This rule should temporarily be commented out as OCP diverges from CIS
- # and we need to improve our reply to this control
- # - api_server_profiling
+ - api_server_profiling_protected_by_rbac
# 1.2.22 Ensure that the --audit-log-path argument is set
- api_server_audit_log_path
- openshift_api_server_audit_log_path
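Review bot: The context line `# 1.2.21 Ensure that the --profiling argument is set to false` no longer describes what the selected rule checks, and the removed note about OCP diverging from CIS was the only place that divergence was recorded. Suggest keeping a one-line comment next to the new selection, e.g. `# OCP: profiling cannot be disabled; 1.2.21 is met by the RBAC check on cluster-debugger`, so readers of the profile know the control is satisfied by a compensating check rather than the literal CIS requirement.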
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index a39b145df02b..7f4f535ab8fd 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -559,7 +559,6 @@ CCE-84203-9
CCE-84205-4
CCE-84206-2
CCE-84210-4
-CCE-84212-0
CCE-84213-8
CCE-84214-6
CCE-84215-3