Enable Compliance Frameworks
Enable compliance frameworks in Mondoo to monitor your infrastructure against industry standards like SOC 2, HIPAA, and PCI DSS
To monitor your infrastructure's compliance, you choose the frameworks you want to comply with and enable the policies they require. A framework is a set of published requirements (or guidelines) your organization must meet — best practices and security measures that help make your systems secure.
Some frameworks are mandatory:
- BSI C5 is required for public cloud services provided to German federal agencies.
- HIPAA is required for health care organizations in the USA.
Other frameworks are voluntary but important to your customers or partners:
- SOC 2 compliance is required by many American businesses for all their partners and vendors.
- PCI DSS is a globally accepted framework for protecting cardholders against misuse of personal information.
How Mondoo codifies frameworks
Mondoo's security team analyzes each published framework and translates its written requirements into automated checks that run against your infrastructure. This process involves:
- Analyzing each requirement to determine how it applies to different platforms.
- Identifying the specific practices and settings that different types of assets must follow.
- Codifying these practices so Mondoo can automatically collect evidence.
Controls and checks
Each broad requirement in a framework is called a control. Examples of controls include:
- Establish and maintain a secure network architecture
- Log sensitive data access
- Configure trusted DNS servers on enterprise assets
Each control maps to one or more checks — specific tests that Mondoo runs against individual assets to collect evidence.

For example, the CIS Controls framework includes the control "Implement and manage a firewall on end-user devices." Mondoo maps this single control to nearly 200 checks across different platforms:
- On Ubuntu devices, install Uncomplicated Firewall (UFW)
- On Ubuntu devices, configure iptables to deny incoming traffic by default
- On Windows 10 devices, set the Windows Firewall to block incoming connections by default
- On Windows 11 devices, log when Windows Firewall drops an incoming packet
- On macOS 12 devices, enable firewall stealth mode
- On Red Hat 9 devices, employ a single firewall configuration utility
Policies
Checks live inside policies. The controls in a framework typically map to checks spread across many different policies (Ubuntu policies, macOS policies, Windows policies, and so on). For a framework to accurately assess compliance across all your asset types, each relevant policy must be enabled.

Enable a compliance framework
By default, all frameworks are in preview for every space. In preview mode, Mondoo collects data for the controls in a framework but doesn't calculate an overall compliance score.
Enable a framework to start calculating a score that represents your progress toward 100% compliance.
Note: Only team members with Editor or Owner access can perform this task.
1. In the Mondoo Console, navigate to the space for which you want to assess compliance progress.
2. In the side navigation bar, select Compliance.
3. Select the SELECT COMPLIANCE FRAMEWORK button.
4. Select the framework you want to comply with.
5. Choose the framework status:
   - ACTIVE shows your team that you're working toward an upcoming audit based on this framework.
   - PREVIEW reflects that you're in the early stages of work and not yet striving to pass an audit.
6. Select the ADD FRAMEWORK button.

You can also enable a framework from the command line. To learn how, read cnspec framework active.
Enable policies for a framework
After you enable a framework, Mondoo recommends the policies you need to enable for full compliance coverage.

Note: Only team members with Editor or Owner access can perform this task.
To enable a policy, hover over the policy and select the Enabled icon.
Once the framework and its policies are enabled, Mondoo continuously runs the relevant checks against every asset in the space. To view results, read Gather Evidence of Compliance.
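The framework → control → check → policy relationship described above, and the preview-versus-active scoring behavior, are easy to misread when several policies are involved. The following added example (not Mondoo's own code or data model) builds that relationship for the firewall and DNS controls quoted on this page, reports which policies a framework still needs enabled and which controls are therefore not fully assessable, and computes a score only once the framework is ACTIVE. All check IDs, policy names, platform strings, and the scoring rule itself are constructed assumptions for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Check:
    """One automated test run against an individual asset to collect evidence."""
    check_id: str
    policy: str     # the policy this check lives in
    platform: str   # asset type the check applies to

@dataclass
class Framework:
    name: str
    status: str                       # "PREVIEW" or "ACTIVE"
    controls: dict[str, list[Check]]  # control name -> checks that collect its evidence

# Constructed sample data modelled on the controls quoted in the text.
# Check IDs, policy names and platform strings are hypothetical.
FIREWALL = "Implement and manage a firewall on end-user devices"
DNS = "Configure trusted DNS servers on enterprise assets"

CIS_CONTROLS = Framework(
    name="CIS Controls",
    status="PREVIEW",
    controls={
        FIREWALL: [
            Check("ubuntu-ufw-installed", "cis-ubuntu", "ubuntu"),
            Check("ubuntu-iptables-default-deny", "cis-ubuntu", "ubuntu"),
            Check("win10-firewall-block-inbound", "cis-windows", "windows-10"),
            Check("macos12-firewall-stealth", "cis-macos", "macos-12"),
        ],
        DNS: [
            Check("ubuntu-trusted-dns", "cis-ubuntu", "ubuntu"),
            Check("win10-trusted-dns", "cis-windows", "windows-10"),
        ],
    },
)

# Constructed state of a space: which policies are on, and the latest check results.
SAMPLE_ENABLED = {"cis-ubuntu", "cis-windows"}   # cis-macos not yet enabled
SAMPLE_RESULTS = {
    "ubuntu-ufw-installed": True,
    "ubuntu-iptables-default-deny": False,
    "win10-firewall-block-inbound": True,
    "macos12-firewall-stealth": True,   # passes, but its policy is disabled
    "ubuntu-trusted-dns": True,
    "win10-trusted-dns": True,
}

def all_checks(fw: Framework) -> list[Check]:
    return [c for checks in fw.controls.values() for c in checks]

def required_policies(fw: Framework) -> set[str]:
    """Every policy that holds at least one of the framework's checks."""
    return {c.policy for c in all_checks(fw)}

def missing_policies(fw: Framework, enabled: set[str]) -> set[str]:
    """Policies the framework needs that are not enabled in the space."""
    return required_policies(fw) - set(enabled)

def uncovered_controls(fw: Framework, enabled: set[str]) -> list[str]:
    """Controls with at least one check in a disabled policy: evidence for
    these controls is incomplete, so the framework cannot assess them accurately."""
    return sorted(
        name for name, checks in fw.controls.items()
        if any(c.policy not in enabled for c in checks)
    )

def compliance_score(fw: Framework, enabled: set[str], results: dict[str, bool]):
    """Percentage of the framework's checks that passed (assumed, simplified rule:
    a check whose policy is disabled yields no evidence and counts as not passed).
    Returns None while the framework is in PREVIEW, mirroring the text:
    data is collected but no overall score is calculated."""
    if fw.status != "ACTIVE":
        return None
    checks = all_checks(fw)
    passed = sum(
        1 for c in checks if c.policy in enabled and results.get(c.check_id, False)
    )
    return round(100.0 * passed / len(checks), 1)

def activate(fw: Framework) -> Framework:
    """Return a copy of the framework with status ACTIVE (the console's ADD FRAMEWORK step)."""
    return replace(fw, status="ACTIVE")

if __name__ == "__main__":
    print("required policies:", sorted(required_policies(CIS_CONTROLS)))
    print("still to enable:", sorted(missing_policies(CIS_CONTROLS, SAMPLE_ENABLED)))
    print("not fully assessable:", uncovered_controls(CIS_CONTROLS, SAMPLE_ENABLED))
    print("score in PREVIEW:", compliance_score(CIS_CONTROLS, SAMPLE_ENABLED, SAMPLE_RESULTS))
    active = activate(CIS_CONTROLS)
    print("score once ACTIVE:", compliance_score(active, SAMPLE_ENABLED, SAMPLE_RESULTS))
    print("score with all policies on:",
          compliance_score(active, required_policies(active), SAMPLE_RESULTS))
```

The point the model makes concrete: the macOS stealth-mode check passes on the asset, but because the macOS policy is not enabled no evidence is collected, so the firewall control is reported as not fully assessable and the score stays at 66.7% rather than the 83.3% the space would earn with every required policy enabled.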