diff --git a/cmd/common.go b/cmd/common.go
index fcacd8b75cff617abe1ab17336897127b354ff80..89f45bc4883faec29db8af16b60f7f5411408827 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -18,7 +18,6 @@ import (
 	"fmt"
 	"io/ioutil"
 	"os"
-	"strings"
 
 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/spf13/viper"
@@ -97,26 +96,26 @@ func runChecks(t check.NodeType) {
 	}
 
 	// Variable substitutions. Replace all occurrences of variables in controls files.
-	s := strings.Replace(string(in), "$apiserverbin", apiserverBin, -1)
-	s = strings.Replace(s, "$apiserverconf", apiserverConf, -1)
-	s = strings.Replace(s, "$schedulerbin", schedulerBin, -1)
-	s = strings.Replace(s, "$schedulerconf", schedulerConf, -1)
-	s = strings.Replace(s, "$controllermanagerbin", controllerManagerBin, -1)
-	s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
-	s = strings.Replace(s, "$config", config, -1)
-
-	s = strings.Replace(s, "$etcdbin", etcdBin, -1)
-	s = strings.Replace(s, "$etcdconf", etcdConf, -1)
-	s = strings.Replace(s, "$flanneldbin", flanneldBin, -1)
-	s = strings.Replace(s, "$flanneldconf", flanneldConf, -1)
-
-	s = strings.Replace(s, "$kubeletbin", kubeletBin, -1)
-	s = strings.Replace(s, "$kubeletconf", kubeletConf, -1)
-	s = strings.Replace(s, "$proxybin", proxyBin, -1)
-	s = strings.Replace(s, "$proxyconf", proxyConf, -1)
-
-	s = strings.Replace(s, "$fedapiserverbin", fedApiserverBin, -1)
-	s = strings.Replace(s, "$fedcontrollermanagerbin", fedControllerManagerBin, -1)
+	s := multiWordReplace(string(in), "$apiserverbin", apiserverBin)
+	s = multiWordReplace(s, "$apiserverconf", apiserverConf)
+	s = multiWordReplace(s, "$schedulerbin", schedulerBin)
+	s = multiWordReplace(s, "$schedulerconf", schedulerConf)
+	s = multiWordReplace(s, "$controllermanagerbin", controllerManagerBin)
+	s = multiWordReplace(s, "$controllermanagerconf", controllerManagerConf)
+	s = multiWordReplace(s, "$config", config)
+
+	s = multiWordReplace(s, "$etcdbin", etcdBin)
+	s = multiWordReplace(s, "$etcdconf", etcdConf)
+	s = multiWordReplace(s, "$flanneldbin", flanneldBin)
+	s = multiWordReplace(s, "$flanneldconf", flanneldConf)
+
+	s = multiWordReplace(s, "$kubeletbin", kubeletBin)
+	s = multiWordReplace(s, "$kubeletconf", kubeletConf)
+	s = multiWordReplace(s, "$proxybin", proxyBin)
+	s = multiWordReplace(s, "$proxyconf", proxyConf)
+
+	s = multiWordReplace(s, "$fedapiserverbin", fedApiserverBin)
+	s = multiWordReplace(s, "$fedcontrollermanagerbin", fedControllerManagerBin)
 
 	controls, err := check.NewControls(t, []byte(s))
 	if err != nil {
diff --git a/cmd/util.go b/cmd/util.go
index 4967cbe896a2b504bdc349472aaad8c0d152f34e..478ae21ce75796cfff0834afbe75575b312ee009 100644
--- a/cmd/util.go
+++ b/cmd/util.go
@@ -150,3 +150,12 @@ func versionMatch(r *regexp.Regexp, s string) string {
 	}
 	return match[1]
 }
+
+func multiWordReplace(s string, subname string, sub string) string {
+	f := strings.Fields(sub)
+	if len(f) > 1 {
+		sub = "'" + sub + "'"
+	}
+
+	return strings.Replace(s, subname, sub, -1)
+}
diff --git a/cmd/util_test.go b/cmd/util_test.go
index fe9e0b935f5d5404f7ffb2add4deaa889d81a321..dbd434b533e04ab68631670bb21a737fcdbe085f 100644
--- a/cmd/util_test.go
+++ b/cmd/util_test.go
@@ -107,3 +107,25 @@ func TestVerifyBin(t *testing.T) {
 		})
 	}
 }
+
+func TestMultiWordReplace(t *testing.T) {
+	cases := []struct {
+		input   string
+		sub     string
+		subname string
+		output  string
+	}{
+		{input: "Here's a file with no substitutions", sub: "blah", subname: "blah", output: "Here's a file with no substitutions"},
+		{input: "Here's a file with a substitution", sub: "blah", subname: "substitution", output: "Here's a file with a blah"},
+		{input: "Here's a file with multi-word substitutions", sub: "multi word", subname: "multi-word", output: "Here's a file with 'multi word' substitutions"},
+		{input: "Here's a file with several several substitutions several", sub: "blah", subname: "several", output: "Here's a file with blah blah substitutions blah"},
+	}
+	for id, c := range cases {
+		t.Run(strconv.Itoa(id), func(t *testing.T) {
+			s := multiWordReplace(c.input, c.subname, c.sub)
+			if s != c.output {
+				t.Fatalf("Expected %s got %s", c.output, s)
+			}
+		})
+	}
+}