
Enable Compliance Frameworks

To get started monitoring your infrastructure's compliance, you must choose the frameworks you want to comply with. A framework is a set of published requirements (or guidelines) you want your organization to meet. These requirements are best practices and security measures that help make your systems secure.

Some frameworks are required for organizations doing business in certain industries and nations or with government agencies. Examples:

  • BSI C5 (the Cloud Computing Compliance Criteria Catalogue published by Germany's Federal Office for Information Security) is mandatory for cloud services used by German federal agencies.

  • HIPAA is a required framework for health care organizations in the USA.

Other frameworks are voluntary but may be important to your customers or partners. Examples:

  • Many American businesses require SOC 2 compliance for all their partners and vendors.

  • PCI DSS is a globally accepted framework for protecting cardholder data (primary account numbers and related account data) against theft and misuse. Any organization that stores, processes, or transmits cardholder data is expected to comply with it, regardless of where it operates.

Frameworks are documents that describe the practices and guidelines that the publishing organization requires or recommends. For example, the Center for Internet Security (CIS) publishes the framework CIS Critical Security Controls (known as CIS Controls). Here is one example of the many requirements documented in this framework:

Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum.

If you want your organization to reach CIS Controls compliance, you must meet this requirement. But how do you take a general guideline like this and prove that every asset in a large infrastructure follows the practice?

Compliance frameworks in Mondoo

Mondoo breaks down and codifies compliance frameworks in order to automate continuous evidence collection and reporting. Mondoo's security team makes this possible by:

  1. Analyzing each written requirement in the compliance framework to determine how the requirement applies to different platforms.

  2. Identifying the practices and settings that different types of assets must follow to meet the requirement.

  3. Codifying these practices into Mondoo frameworks, which are used to automatically collect evidence.

Based on these codified frameworks, Mondoo programmatically collects the data needed to evaluate the compliance of every asset in your infrastructure.

Controls and checks

In Mondoo, each overarching requirement is called a control. Some examples of controls are:

  • Establish and maintain a secure network architecture

  • Log sensitive data access

  • Configure trusted DNS servers on enterprise assets

A Mondoo framework is made up of controls that match the broad guidelines in the published framework document.

Each control maps to one or more checks, the individual practices and settings that assets must follow. Checks tell Mondoo's query engine what evidence to collect about individual assets.

For example, the Center for Internet Security's CIS Controls framework includes this control: "Implement and manage a firewall on end-user devices." Mondoo's security team analyzed the control and identified nearly 200 checks for different types of end-user devices. These are just a few examples:

  • On Ubuntu devices, install Uncomplicated Firewall (UFW)

  • On Ubuntu devices, configure iptables to deny incoming traffic by default

  • On Windows 11 devices, set the Windows Firewall to block incoming connections by default

  • On Windows devices, log when Windows Firewall drops an incoming packet

  • On macOS 12 devices, enable firewall stealth mode

  • On Red Hat 9 devices, employ a single firewall configuration utility

When you enable a compliance framework, you tell Mondoo to verify all of the checks in all of the controls in that framework.
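To make the control-to-check relationship concrete, here is an added example (not from this page or from Mondoo's own policy bundles) of what two of the Ubuntu checks listed above look like when codified in a cnspec policy bundle. The policy UID, group title, and check UIDs are chosen for this illustration; the structure (policies, groups, filters, checks with an mql field) follows the cnspec policy bundle format, and the queries use the MQL package and command resources. The control-to-check mapping itself lives in the Mondoo framework, not in this policy file, which is why the framework needs this policy enabled to produce evidence.

```yaml
# Added example: a minimal policy bundle that codifies two of the
# Ubuntu checks behind the CIS control "Implement and manage a
# firewall on end-user devices". UIDs and titles are illustrative.
policies:
  - uid: example-ubuntu-host-firewall
    name: Example Ubuntu host firewall checks
    version: 1.0.0
    groups:
      - title: Host firewall
        # Only evaluate these checks on Ubuntu assets; the same control
        # maps to different checks (and policies) on macOS or Windows.
        filters: asset.platform == "ubuntu"
        checks:
          - uid: example-ufw-installed
            title: Uncomplicated Firewall (UFW) is installed
            # Evidence: the package manager reports ufw as installed.
            mql: package("ufw").installed
          - uid: example-ufw-active
            title: UFW is enabled and enforcing
            # Evidence: ufw itself reports that it is active.
            mql: command("ufw status").stdout.contains("Status: active")
```

Each check is a single MQL expression that evaluates to true (pass) or false (fail) on a given asset; Mondoo records that result as the evidence for every control the check is mapped to. If this policy were disabled in a space, the framework would have no evidence for these checks on Ubuntu devices, and the control would remain unmeasured for that platform.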

Enable a compliance framework

By default, for every space in your organization, all frameworks are in preview. Preview means that Mondoo collects data for the controls in a framework but doesn't provide an overall score.

Enable a framework to calculate a score that represents your progress toward 100% compliance with that framework.

  1. In the Mondoo Console, navigate to the space for which you want to assess compliance progress.

    Space in the Mondoo Console

  2. In the side navigation bar, under Compliance, select Frameworks.

    Compliance in the Mondoo Console

  3. Select the framework you want to comply with.

    Compliance framework in the Mondoo Console

  4. To enable the framework, select the large toggle near the top-right corner of the framework page.

  5. Follow the steps in the next section to enable the policies that the framework relies on.

Enable policies for a compliance framework

Frameworks don't contain checks; they contain controls. Each control maps to one or more checks, which exist in Mondoo policies. For Mondoo to perform the many checks required by a framework, you must enable the policies that contain the checks.

The controls in a framework typically map to checks in many different policies. In the CIS Controls example in the previous section, the single control, Implement and manage a firewall on end-user devices, maps to checks in different Ubuntu policies, macOS policies, Windows policies, and more. For the CIS Controls framework to accurately assess the compliance of all these different types of devices, each of those policies must be enabled.

After you enable a framework, Mondoo tells you which policies you must enable in order to measure compliance with that framework.

Recommended policies for a framework

To enable a policy, hover over the policy and select the Enable icon.

Enable a recommended policy for a framework