
Enable Compliance Frameworks

Enable compliance frameworks in Mondoo so it monitors your infrastructure against SOC 2, HIPAA, PCI DSS, and other standards.

To monitor compliance, you pick the frameworks your space should be assessed against and enable the policies that back them. A framework is a published set of requirements your organization must meet.

Some frameworks are mandatory in particular contexts:

  • BSI C5 is required for public cloud services provided to German federal agencies.
  • HIPAA applies to health care organizations (covered entities) and their business associates in the USA.

Others are voluntary but important to your customers or partners:

  • SOC 2 is required by many American businesses for their partners and vendors.
  • PCI DSS is the globally accepted standard for protecting cardholder data; the payment brands require it of merchants and service providers that store, process, or transmit card data.

How frameworks map to checks

Mondoo's security team translates each published framework into automated tests. Three layers connect a written requirement to the assets it's evaluated on:

  • Control. A broad requirement in the framework, such as "Implement and manage a firewall on end-user devices."
  • Check. A specific test that runs against an asset, such as "Windows Firewall blocks incoming connections by default."
  • Policy. A bundle of checks that target a particular platform (Ubuntu, Windows, macOS, AWS, and so on).

Controls and checks

A single control typically maps to many checks across many policies. For the CIS Controls firewall requirement quoted above, Mondoo runs checks for Ubuntu (UFW installed, iptables denying inbound), Windows 11 (firewall logging dropped packets), macOS 12 (stealth mode enabled), and more. A check from a disabled policy never runs, so any control it backs is only partially assessed. For the framework to score accurately, every relevant policy must be enabled in your space.

Controls, checks, and policies
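To make the three layers concrete, the following is an added example, not Mondoo's code and not its scoring algorithm. It models a framework as controls that map to checks, checks that belong to platform-specific policies, and a space with a set of enabled policies and scan results. From that it reports which policies the framework still needs, how much of each control is actually backed by an enabled policy, and a simplified score that is only produced while the framework is ACTIVE. The control, check, policy and asset names, the scan results, and the averaging rule are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    name: str
    policy: str    # policy bundle that ships this check
    platform: str  # asset platform the check targets

@dataclass(frozen=True)
class Asset:
    name: str
    platform: str

# Constructed framework: control -> checks that test it. Names are stand-ins,
# not real Mondoo control, check or policy identifiers.
FRAMEWORK = {
    "Implement and manage a firewall on end-user devices": (
        Check("UFW installed", "ubuntu-security", "ubuntu"),
        Check("iptables denies inbound by default", "ubuntu-security", "ubuntu"),
        Check("Firewall logs dropped packets", "windows-11-security", "windows"),
        Check("Stealth mode enabled", "macos-12-security", "macos"),
    ),
    "Restrict remote administrative access": (
        Check("sshd PermitRootLogin no", "ubuntu-security", "ubuntu"),
        Check("Remote Login disabled", "macos-12-security", "macos"),
    ),
}

# Constructed assets in the space and constructed scan results:
# (asset, check) -> passed. A missing pair means the check did not run.
ASSETS = (Asset("web-01", "ubuntu"), Asset("laptop-07", "macos"), Asset("desk-02", "windows"))
RESULTS = {
    ("web-01", "UFW installed"): True,
    ("web-01", "iptables denies inbound by default"): False,
    ("web-01", "sshd PermitRootLogin no"): True,
    ("laptop-07", "Stealth mode enabled"): True,
    ("laptop-07", "Remote Login disabled"): True,
    ("desk-02", "Firewall logs dropped packets"): False,
}

def required_policies(framework):
    """Every policy that contributes at least one check to any control."""
    return {c.policy for checks in framework.values() for c in checks}

def missing_policies(framework, enabled):
    """Policies the framework needs that are not enabled in the space."""
    return sorted(required_policies(framework) - set(enabled))

def control_coverage(framework, enabled):
    """control -> (checks backed by an enabled policy, total checks)."""
    return {
        control: (sum(c.policy in enabled for c in checks), len(checks))
        for control, checks in framework.items()
    }

def control_score(checks, enabled, assets, results):
    """Pass rate (percent) over the (asset, check) pairs that actually run.

    Only checks from enabled policies run, and only against assets of the
    check's platform. A disabled policy silently drops its checks from the
    denominator, which is why coverage has to be checked separately.
    """
    passed = total = 0
    for c in checks:
        if c.policy not in enabled:
            continue
        for a in assets:
            if a.platform != c.platform:
                continue
            total += 1
            passed += results.get((a.name, c.name), False)
    return None if total == 0 else round(100 * passed / total)

def framework_score(framework, status, enabled, assets, results):
    """Simplified overall score: None in PREVIEW (data only), mean of the
    control scores when ACTIVE. Mondoo's real aggregation is not modelled."""
    if status != "ACTIVE":
        return None
    scores = [control_score(ch, enabled, assets, results) for ch in framework.values()]
    scores = [s for s in scores if s is not None]
    return round(sum(scores) / len(scores)) if scores else None

if __name__ == "__main__":
    enabled = {"ubuntu-security", "macos-12-security"}
    print("missing policies:", missing_policies(FRAMEWORK, enabled))
    print("coverage:", control_coverage(FRAMEWORK, enabled))
    print("preview score:", framework_score(FRAMEWORK, "PREVIEW", enabled, ASSETS, RESULTS))
    print("active score:", framework_score(FRAMEWORK, "ACTIVE", enabled, ASSETS, RESULTS))
```

With only the Ubuntu and macOS policies enabled, the firewall control is backed by three of its four checks and the Windows desktop is never assessed, yet the ACTIVE score still comes out as a number; enabling the missing Windows policy changes both the coverage and the score, which is the point of the recommendation step that follows enabling a framework.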

Enable a framework

By default, every framework is in preview for a new space. Mondoo collects data but doesn't calculate an overall score. Enabling a framework turns on scoring and tells your team you're working toward an audit.

Only team members with Editor or Owner access can perform this task.

  1. In the Mondoo App, navigate to the space.

  2. In the side navigation, select Compliance.

    Compliance in the Mondoo App

  3. Select SELECT COMPLIANCE FRAMEWORK and pick the framework you want.

    Available compliance frameworks

  4. Choose the framework status, then select ADD FRAMEWORK:

    • ACTIVE. You're working toward an upcoming audit; the framework counts toward scoring.
    • PREVIEW. You're still exploring; the framework collects data without scoring.

    Select a compliance framework

    Enabled compliance framework

You can also enable a framework from the command line. See cnspec framework active.

Enable the framework's policies

After you enable a framework, Mondoo recommends the policies it needs for full coverage. Hover any recommended policy and select the Enabled icon to turn it on.

Recommended policies for a framework

Only team members with Editor or Owner access can perform this task.

Once the framework and its policies are enabled, Mondoo runs the relevant checks against every asset in the space on every scan. To see results, read Gather Evidence of Compliance.
