Compliance Overview
Infracast provides continuous compliance monitoring against industry frameworks, government standards, and security benchmarks: 1,241 automated rules across 35 YAML packs, all hot-reloadable without redeployment.
Supported Frameworks
US Federal & DoD
| Framework | Rules | Description |
|---|---|---|
| NIST 800-53 Rev 5 | 94 | Federal security standard: comprehensive technical & operational controls |
| NIST 800-171 r2 | 114 | CUI protection for DoD contractors: all 110 requirements across 14 families |
| DFARS 252.204-7012 | 19 | Safeguarding Covered Defense Information and cyber incident reporting (72-hour DoD notification) |
| FAR 52.204-21/23/25/27 | 30 | Federal Acquisition Regulation baseline safeguarding: applies to ALL federal contractors handling FCI |
| FedRAMP Moderate | 34 | Cloud services for federal agencies: Moderate baseline |
| FedRAMP High | 32 | Cloud services for federal agencies: High baseline |
| CMMC Level 2 | 32 | DoD supply chain cybersecurity: 110 practices |
DISA STIGs
| STIG | Rules |
|---|---|
| RHEL 9 | 61 |
| Windows Server 2022 | 60 |
| Ubuntu 22.04 | 33 |
| AWS | 39 |
| Windows 10 | 29 |
| PostgreSQL | 25 |
| SQL Server | 22 |
| STIG Total | 269 |
Industry Standards
| Framework | Rules | Description |
|---|---|---|
| ISO 27001:2022 | 41 | Information security management: Annex A controls |
| PCI-DSS v4.0 | 32 | Payment card industry: all 12 requirements |
| HIPAA | 28 | Healthcare data protection: Security Rule |
| SOC 2 | 26 | Service organization controls: Trust Services Criteria |
CIS Benchmarks
| Benchmark | Rules |
|---|---|
| AWS Foundations | 53 |
| Azure | 52 |
| GCP | 50 |
| Kubernetes | 34 |
| Microsoft 365 | 23 |
| CIS Total | 212 |
International & Sector-Specific
| Framework | Rules | Description |
|---|---|---|
| GDPR | 38 | EU General Data Protection Regulation |
| NIS2 | 28 | EU Network & Information Security Directive |
| IRAP | 29 | Australian Information Security Registered Assessors Program |
| CSA CCM v4 | 29 | Cloud Security Alliance Cloud Controls Matrix |
| NIST CSF 2.0 | 27 | NIST Cybersecurity Framework: Govern through Recover |
| DORA | 26 | EU Digital Operational Resilience Act |
| NERC CIP | 28 | Critical infrastructure protection: energy sector |
| SOX IT | 22 | Sarbanes-Oxley: IT general controls |
| UK Cyber Essentials | 22 | UK government baseline security standard |
| LGPD | 20 | Brazil Lei Geral de Proteção de Dados |
| PIPEDA | 18 | Canada Personal Information Protection and Electronic Documents Act |
Total: 1,241+ rules across 35 YAML packs, all hot-reloadable · 23+ compliance frameworks, including 11 international
Dynamic Rule Management
All compliance rules are defined in YAML and can be updated without redeployment:
# Example: rules/nist-800-53/ac-3.yaml
id: NIST-AC-3
framework: nist-800-53
title: "Access Enforcement"
severity: HIGH
node_types:
  - aws.s3.bucket
condition: "public_access_block.enabled == true"
remediation: "Enable S3 Block Public Access settings at the bucket and account level"
mappings:
  - framework: cis-aws
    control: "2.1.5"
  - framework: pci-dss-v4
    control: "1.3.1"
  - framework: soc2
    control: "CC6.1"
Hot-Reload
Push rule updates without downtime:
# Reload all rule packs immediately
POST /api/v1/rules/reload
# Response
{
"status": "ok",
"packs_reloaded": 35,
"rules_loaded": 1241,
"duration_ms": 142
}
Per-Tenant Rule Overrides
Each tenant can customize rules independently:
| Override Type | Description |
|---|---|
| Disable | Turn off a rule that doesn't apply to this tenant |
| Severity Change | Promote or demote severity (e.g. MEDIUM → HIGH) |
| Timed Suppression | Suppress findings for a set window (e.g. maintenance, remediation sprint) |
# Tenant override example
tenant: acme-corp
overrides:
  - rule_id: CIS-AWS-5.2
    action: suppress
    reason: "Legacy network migration in progress"
    expires: 2026-06-30
    approved_by: ciso@acme-corp.com
  - rule_id: NIST-SC-7
    action: severity_change
    severity: CRITICAL
    reason: "Internal policy: boundary protection is critical"
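The override semantics above (disable, severity change, timed suppression with an expiry and an approver) are easy to get subtly wrong in an engine: a suppression that never lapses, or one that hides findings without anyone having approved it. The following Go program is an added example written for this page, not Infracast code; the Finding and Override structs, the rule that an unapproved suppression is ignored, and the sample findings are all assumptions made for the illustration. It applies the acme-corp overrides to a constructed set of findings at two points in time, before and after the 2026-06-30 expiry, and records an audit line for every decision.

```go
package main

import (
	"fmt"
	"time"
)

// Finding is one rule violation raised for a tenant. The field set is an
// assumption for this example; the page does not show Infracast's schema.
type Finding struct {
	RuleID   string
	NodeID   string
	Severity string
}

// Override carries the fields of the tenant override YAML:
// rule_id, action, severity, reason, expires, approved_by.
type Override struct {
	RuleID     string
	Action     string    // "disable", "suppress" or "severity_change"
	Severity   string    // new severity, only for severity_change
	Reason     string
	Expires    time.Time // zero value: never expires
	ApprovedBy string
}

// ApplyOverrides returns the findings still visible after the tenant's
// overrides are applied as of now, plus an audit trail. Two rules matter:
// a timed suppression past its expiry no longer hides the finding, and a
// suppression with no approver is ignored (assumed policy: nothing may be
// hidden without a recorded approver). Unknown actions fail closed.
func ApplyOverrides(findings []Finding, overrides []Override, now time.Time) (kept []Finding, audit []string) {
	byRule := make(map[string]Override, len(overrides))
	for _, o := range overrides {
		byRule[o.RuleID] = o
	}
	for _, f := range findings {
		o, ok := byRule[f.RuleID]
		if !ok {
			kept = append(kept, f)
			continue
		}
		switch o.Action {
		case "disable":
			audit = append(audit, fmt.Sprintf("%s on %s: rule disabled (%s)", f.RuleID, f.NodeID, o.Reason))
		case "suppress":
			expired := !o.Expires.IsZero() && !now.Before(o.Expires)
			switch {
			case o.ApprovedBy == "":
				audit = append(audit, fmt.Sprintf("%s on %s: suppression has no approver, finding kept", f.RuleID, f.NodeID))
				kept = append(kept, f)
			case expired:
				audit = append(audit, fmt.Sprintf("%s on %s: suppression expired %s, finding restored", f.RuleID, f.NodeID, o.Expires.Format("2006-01-02")))
				kept = append(kept, f)
			default:
				audit = append(audit, fmt.Sprintf("%s on %s: suppressed until %s by %s (%s)", f.RuleID, f.NodeID, o.Expires.Format("2006-01-02"), o.ApprovedBy, o.Reason))
			}
		case "severity_change":
			audit = append(audit, fmt.Sprintf("%s on %s: severity %s -> %s (%s)", f.RuleID, f.NodeID, f.Severity, o.Severity, o.Reason))
			f.Severity = o.Severity
			kept = append(kept, f)
		default:
			audit = append(audit, fmt.Sprintf("%s on %s: unknown action %q ignored, finding kept", f.RuleID, f.NodeID, o.Action))
			kept = append(kept, f)
		}
	}
	return kept, audit
}

// SampleFindings is constructed data; node IDs are made up for the example.
func SampleFindings() []Finding {
	return []Finding{
		{RuleID: "CIS-AWS-5.2", NodeID: "sg-0a1b2c3d", Severity: "HIGH"},
		{RuleID: "NIST-SC-7", NodeID: "vpc-legacy", Severity: "HIGH"},
		{RuleID: "NIST-AC-3", NodeID: "s3://acme-assets", Severity: "HIGH"},
		{RuleID: "NIST-AU-12", NodeID: "cloudtrail-main", Severity: "MEDIUM"},
	}
}

// SampleOverrides mirrors the acme-corp YAML above plus one suppression that
// was filed without an approver (constructed).
func SampleOverrides() []Override {
	return []Override{
		{RuleID: "CIS-AWS-5.2", Action: "suppress", Reason: "Legacy network migration in progress",
			Expires: time.Date(2026, 6, 30, 0, 0, 0, 0, time.UTC), ApprovedBy: "ciso@acme-corp.com"},
		{RuleID: "NIST-SC-7", Action: "severity_change", Severity: "CRITICAL",
			Reason: "Internal policy: boundary protection is critical"},
		{RuleID: "NIST-AU-12", Action: "suppress", Reason: "noise during log pipeline rebuild",
			Expires: time.Date(2027, 1, 1, 0, 0, 0, 0, time.UTC)},
	}
}

func main() {
	for _, now := range []time.Time{
		time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC), // suppression still valid
		time.Date(2026, 7, 1, 0, 0, 0, 0, time.UTC), // suppression lapsed
	} {
		kept, audit := ApplyOverrides(SampleFindings(), SampleOverrides(), now)
		fmt.Printf("as of %s: %d of %d findings visible\n", now.Format("2006-01-02"), len(kept), len(SampleFindings()))
		for _, line := range audit {
			fmt.Println("  ", line)
		}
	}
}
```

Run with `go run .`: on 2026-03-01 three findings remain (the SSH finding is suppressed, SC-7 is promoted to CRITICAL, the unapproved suppression has no effect); on 2026-07-01 the SSH finding is back because the suppression lapsed. Keeping the audit lines next to the decision is what an auditor will ask for when reviewing who hid what and for how long.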
How It Works
Rule Evaluation
Each compliance rule is a check against your infrastructure graph:
// Example rule: CIS AWS 5.2, no security groups allow 0.0.0.0/0 to SSH
rule := Rule{
	ID:          "CIS-AWS-5.2",
	Framework:   "CIS AWS Foundations",
	Severity:    "HIGH",
	NodeTypes:   []string{"aws.ec2.security_group"},
	Condition:   "ingress_rules contains (port=22, cidr='0.0.0.0/0')",
	Remediation: "Restrict SSH access to known CIDR ranges",
}
Evaluation Pipeline
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Discovery   │────▶│  Rule Engine │────▶│   Findings   │
│   (nodes)    │     │ (1,241 rules)│     │ (violations) │
└──────────────┘     └──────────────┘     └──────────────┘
                            │
                     ┌──────▼──────┐
                     │   Control   │
                     │   Mappings  │
                     │ NIST·CIS·PCI│
                     └─────────────┘
Control Inheritance
Many rules map to multiple frameworks:
Rule: "S3 bucket public access blocked"
├── NIST 800-53 AC-3 (Access Enforcement)
├── CIS AWS 2.1.5 (S3 Block Public Access)
├── PCI-DSS 1.3.1 (Network Segmentation)
└── SOC 2 CC6.1 (Logical Access)
One finding can satisfy (or fail) multiple framework controls.
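The two steps above, rule evaluation against graph nodes and fan-out of each result through the control mappings, fit in one small engine. The Go program below is an added example for this page, not Infracast's engine: the Node attribute bag, the IngressRule shape, the Control field on Rule, the Go predicate standing in for the page's condition string, and the mappings given to CIS-AWS-5.2 (SC-7 and PCI 1.3.1) are assumptions; the NIST-AC-3 mappings are the ones listed on the page. The SSH check deliberately tests whether a world-open port range contains 22 rather than equals it, because an all-traffic rule (0-65535) is the usual way SSH is exposed and an `port == 22` check misses it.

```go
package main

import (
	"fmt"
	"sort"
)

// Node is one object from the discovered infrastructure graph. Attrs is a
// loose bag so one engine can hold rules for many node types (assumed shape;
// the page only names node types such as aws.ec2.security_group).
type Node struct {
	ID    string
	Type  string
	Attrs map[string]any
}

// IngressRule is a simplified security-group ingress entry (assumed shape).
type IngressRule struct {
	FromPort, ToPort int
	CIDR             string
}

// ControlRef is one entry of a rule's mappings: list.
type ControlRef struct{ Framework, Control string }

// Rule follows the page's Rule struct; Violates replaces the condition
// string (the page does not show its expression language) and returns true
// when the node fails the rule. Control is the rule's primary control.
type Rule struct {
	ID, Framework, Control, Severity string
	NodeTypes                        []string
	Violates                         func(n Node) bool
	Remediation                      string
	Mappings                         []ControlRef
}

type Finding struct{ RuleID, NodeID, Severity string }

func worldOpen(cidr string) bool { return cidr == "0.0.0.0/0" || cidr == "::/0" }

// sshExposed is CIS AWS 5.2: any world-open entry whose port range contains 22.
func sshExposed(n Node) bool {
	rules, _ := n.Attrs["ingress_rules"].([]IngressRule)
	for _, r := range rules {
		if worldOpen(r.CIDR) && r.FromPort <= 22 && 22 <= r.ToPort {
			return true
		}
	}
	return false
}

// bucketPublic is the NIST-AC-3 rule: fail when Block Public Access is off.
func bucketPublic(n Node) bool {
	enabled, _ := n.Attrs["public_access_block_enabled"].(bool)
	return !enabled
}

// Rules: NIST-AC-3 mappings are from the page; CIS-AWS-5.2 mappings are assumed.
var Rules = []Rule{
	{ID: "CIS-AWS-5.2", Framework: "cis-aws", Control: "5.2", Severity: "HIGH",
		NodeTypes: []string{"aws.ec2.security_group"}, Violates: sshExposed,
		Remediation: "Restrict SSH access to known CIDR ranges",
		Mappings:    []ControlRef{{"nist-800-53", "SC-7"}, {"pci-dss-v4", "1.3.1"}}},
	{ID: "NIST-AC-3", Framework: "nist-800-53", Control: "AC-3", Severity: "HIGH",
		NodeTypes: []string{"aws.s3.bucket"}, Violates: bucketPublic,
		Remediation: "Enable S3 Block Public Access settings at the bucket and account level",
		Mappings:    []ControlRef{{"cis-aws", "2.1.5"}, {"pci-dss-v4", "1.3.1"}, {"soc2", "CC6.1"}}},
}

// Evaluate runs every rule against every node of a matching type.
func Evaluate(rules []Rule, nodes []Node) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, n := range nodes {
			for _, t := range r.NodeTypes {
				if t == n.Type && r.Violates(n) {
					out = append(out, Finding{r.ID, n.ID, r.Severity})
					break
				}
			}
		}
	}
	return out
}

// ControlStatus is the inheritance step: a rule's own control and every mapped
// control are FAIL if that rule produced any finding. A control shared by
// several rules (PCI 1.3.1 here) stays FAIL as long as any one of them fails.
func ControlStatus(rules []Rule, findings []Finding) map[string]string {
	failed := map[string]bool{}
	for _, f := range findings {
		failed[f.RuleID] = true
	}
	status := map[string]string{}
	for _, r := range rules {
		for _, c := range append([]ControlRef{{r.Framework, r.Control}}, r.Mappings...) {
			key := c.Framework + " " + c.Control
			if failed[r.ID] {
				status[key] = "FAIL"
			} else if _, seen := status[key]; !seen {
				status[key] = "PASS"
			}
		}
	}
	return status
}

// SampleNodes is a constructed graph: one SG leaks SSH via an all-traffic
// rule, the bastion SG and the bucket are compliant.
func SampleNodes() []Node {
	return []Node{
		{ID: "sg-bastion", Type: "aws.ec2.security_group", Attrs: map[string]any{"ingress_rules": []IngressRule{{22, 22, "10.0.0.0/8"}}}},
		{ID: "sg-legacy", Type: "aws.ec2.security_group", Attrs: map[string]any{"ingress_rules": []IngressRule{{0, 65535, "0.0.0.0/0"}}}},
		{ID: "sg-web", Type: "aws.ec2.security_group", Attrs: map[string]any{"ingress_rules": []IngressRule{{443, 443, "0.0.0.0/0"}}}},
		{ID: "s3://acme-logs", Type: "aws.s3.bucket", Attrs: map[string]any{"public_access_block_enabled": true}},
	}
}

func main() {
	findings := Evaluate(Rules, SampleNodes())
	for _, f := range findings {
		fmt.Printf("FINDING %s %s on %s\n", f.Severity, f.RuleID, f.NodeID)
	}
	status := ControlStatus(Rules, findings)
	keys := make([]string, 0, len(status))
	for k := range status {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-20s %s\n", k, status[k])
	}
}
```

The single finding on sg-legacy fails three controls (CIS 5.2, NIST SC-7, PCI 1.3.1) while the bucket rule passes its four; note that PCI 1.3.1 reads FAIL even though the S3 rule mapped to it passed, which is exactly what "one finding can fail multiple framework controls" means for an auditor looking at the PCI report.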
Assessment & Questionnaire System
For controls requiring human input, Infracast ships a full Assessment & Questionnaire System with 20 pre-built questionnaire templates across 4 languages:
| Language | Templates |
|---|---|
| English (EN) | All 20 |
| German (DE) | All 20 |
| French (FR) | All 20 |
| Portuguese (PT) | All 20 |
Templates cover common attested controls: security awareness training, incident response testing, vendor risk reviews, business continuity testing, and more. Templates are customizable per tenant and can be versioned in git.
Attestations
Not all controls can be automated. Some require human attestation:
Automated vs Attested
| Type | Example | How Assessed |
|---|---|---|
| Automated | S3 encryption enabled | Rule checks node property |
| Attested | Security training completed | Human uploads evidence |
| Hybrid | Incident response tested | Rule + evidence upload |
Managing Attestations
- Navigate to Compliance → Attestations
- Filter by framework or control
- Upload evidence (PDFs, screenshots, policies)
- Set expiration date for periodic review
┌─────────────────────────────────────────────────────────────┐
│ Control: NIST 800-53 AT-2 (Security Awareness Training)     │
├─────────────────────────────────────────────────────────────┤
│ Status:      ✓ Attested                                     │
│ Evidence:    training-completion-report-2025.pdf            │
│ Attested By: security-admin@company.com                     │
│ Date:        2025-01-15                                     │
│ Expires:     2026-01-15                                     │
└─────────────────────────────────────────────────────────────┘
Compliance Scores
Calculation
Overall Score = (Passing Automated + Passing Attested) / Total Applicable × 100
Exempted controls are excluded from Total Applicable, and an attestation counts as passing only until its expiration date.
By Category
Controls are grouped into families/domains:
| NIST Family | Controls | Passing | Score |
|---|---|---|---|
| Access Control (AC) | 25 | 22 | 88% |
| Audit (AU) | 16 | 14 | 87% |
| Configuration (CM) | 14 | 10 | 71% |
| Identification (IA) | 12 | 12 | 100% |
| System Protection (SC) | 22 | 18 | 82% |
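The score formula is simple, but the inputs are where the edge cases live: an attestation that has expired, a hybrid control whose rule passes but whose evidence lapsed, and a family in which every control is exempt. The Go program below is an added example for this page, not Infracast code; the ControlResult layout, the treatment of hybrid controls as "rule AND valid attestation", and the sample controls (which reuse the AT-2 attestation dates shown above) are assumptions. It produces the same Controls / Passing / Score columns as the family table above.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// ControlResult is the per-control input to the score. Kind follows the
// Automated / Attested / Hybrid split on this page; the layout is assumed.
type ControlResult struct {
	Family, Control string
	Kind            string    // "automated", "attested" or "hybrid"
	RulePassing     bool      // automated check result (automated, hybrid)
	Attested        bool      // evidence uploaded (attested, hybrid)
	AttestExpires   time.Time // zero value: evidence never expires
	Exempt          bool      // exempted or risk accepted: not applicable
}

type FamilyScore struct {
	Applicable, Passing int
	Score               int // rounded percent; -1 when nothing is applicable
}

// Passes applies the assessment types. Attested evidence counts only while
// unexpired, so a control whose evidence lapsed drops out of the passing set
// instead of staying green indefinitely; a hybrid control needs both halves.
func Passes(c ControlResult, now time.Time) bool {
	attestValid := c.Attested && (c.AttestExpires.IsZero() || now.Before(c.AttestExpires))
	switch c.Kind {
	case "automated":
		return c.RulePassing
	case "attested":
		return attestValid
	case "hybrid":
		return c.RulePassing && attestValid
	}
	return false
}

func pct(passing, applicable int) int {
	if applicable == 0 {
		return -1
	}
	return int(math.Round(100 * float64(passing) / float64(applicable)))
}

// Score computes Overall = (Passing Automated + Passing Attested) / Total
// Applicable x 100 and the same ratio per family. Exempt controls are left
// out of the denominator but still register their family, so an all-exempt
// family shows as n/a rather than vanishing or dividing by zero.
func Score(results []ControlResult, now time.Time) (overall FamilyScore, byFamily map[string]FamilyScore) {
	byFamily = map[string]FamilyScore{}
	for _, c := range results {
		fs := byFamily[c.Family]
		if !c.Exempt {
			fs.Applicable++
			overall.Applicable++
			if Passes(c, now) {
				fs.Passing++
				overall.Passing++
			}
		}
		byFamily[c.Family] = fs
	}
	for f, fs := range byFamily {
		fs.Score = pct(fs.Passing, fs.Applicable)
		byFamily[f] = fs
	}
	overall.Score = pct(overall.Passing, overall.Applicable)
	return overall, byFamily
}

// SampleResults is constructed data; AT-2 uses the attestation dates from the
// attestation card above and so is expired by March 2026.
func SampleResults() []ControlResult {
	d := func(y, m, day int) time.Time { return time.Date(y, time.Month(m), day, 0, 0, 0, 0, time.UTC) }
	return []ControlResult{
		{Family: "AC", Control: "AC-2", Kind: "automated", RulePassing: true},
		{Family: "AC", Control: "AC-3", Kind: "automated", RulePassing: false},
		{Family: "AC", Control: "AC-6", Kind: "attested", Attested: true, AttestExpires: d(2026, 9, 1)},
		{Family: "AC", Control: "AC-17", Kind: "automated", RulePassing: false, Exempt: true},
		{Family: "AT", Control: "AT-2", Kind: "attested", Attested: true, AttestExpires: d(2026, 1, 15)},
		{Family: "AT", Control: "AT-3", Kind: "attested", Attested: true, AttestExpires: d(2026, 9, 1)},
		{Family: "IR", Control: "IR-3", Kind: "hybrid", RulePassing: true, Attested: true, AttestExpires: d(2026, 9, 1)},
		{Family: "CM", Control: "CM-7", Kind: "automated", RulePassing: true},
		{Family: "PE", Control: "PE-3", Kind: "attested", Exempt: true},
	}
}

func main() {
	now := time.Date(2026, 3, 1, 0, 0, 0, 0, time.UTC)
	overall, byFamily := Score(SampleResults(), now)
	for _, fam := range []string{"AC", "AT", "CM", "IR", "PE"} {
		fs := byFamily[fam]
		if fs.Score < 0 {
			fmt.Printf("%-3s %d/%d  n/a (all exempt)\n", fam, fs.Passing, fs.Applicable)
			continue
		}
		fmt.Printf("%-3s %d/%d  %d%%\n", fam, fs.Passing, fs.Applicable, fs.Score)
	}
	fmt.Printf("Overall %d/%d  %d%%\n", overall.Passing, overall.Applicable, overall.Score)
}
```

As of 2026-03-01 the sample scores 5/7 overall (71%): AC is 2/3 because AC-17 is exempt, AT is 1/2 because the AT-2 evidence expired on 2026-01-15, and PE is reported as n/a. Running the same inputs with an earlier date makes AT-2 pass again, which is the kind of silent regression the weekly snapshots in the Trends section are meant to surface.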
Trends
Track improvement over time:
- Weekly compliance snapshots
- 30/60/90 day trends
- Regression detection (score dropped)
Exemptions & Risk Acceptance
Creating an Exemption
When a control doesn't apply or risk is accepted:
- Navigate to the finding
- Click Accept Risk or Mark Exempt
- Provide justification
- Set review date
Exemption Workflow
Finding Detected → Review Required → Approved → Exempted
                         │
                         └──→ Rejected → Must Remediate
Auditor Visibility
Exemptions are clearly marked in reports:
Control: CIS-AWS-5.2
Status: EXEMPTED
Justification: "Legacy system scheduled for decommission Q2 2026"
Approved By: ciso@company.com
Review Date: 2026-06-30
Reports
Available Report Types
| Report | Description | Audience |
|---|---|---|
| Executive Summary | High-level posture, trends, top risks | Leadership |
| Framework Report | Detailed control-by-control status | Auditors |
| Gap Analysis | What's failing and why | Security team |
| Remediation Plan | Prioritized fix list | Engineering |
| POA&M | Plan of Action & Milestones | Federal compliance |
| SSP | System Security Plan (auto-generated) | FedRAMP/FISMA |
| FAR 52.204-21 Report | Basic safeguarding attestation for federal contractors | Contracting Officers, Federal Primes |
| DFARS 252.204-7012 Report | CDI safeguarding + SPRS score for DoD contractors | DoD Contracting, DCSA |
Export Formats
- PDF: formatted for printing/sharing
- Excel: for analysis and manipulation
- JSON: for API/automation
- Word: for SSP editing
Scheduling
Automate report delivery:
schedule:
frequency: weekly
day: monday
time: "08:00"
recipients:
- security-team@company.com
- compliance@company.com
reports:
- executive-summary
- framework-detail
Continuous Monitoring
Real-Time Detection
Findings appear within minutes of discovery:
- Discovery job runs (scheduled or triggered)
- New/changed nodes evaluated against rules
- Findings created/resolved
- Alerts sent (Slack, email, webhook)
ConMon for FedRAMP
FedRAMP requires continuous monitoring. Infracast provides:
- Automated monthly scans
- Deviation tracking
- POA&M generation
- Significant change detection
See FedRAMP Guide for details.
API Access
Query compliance data programmatically:
# Get compliance summary
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/compliance/summary"
# Get findings for a framework
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/findings?framework=nist-800-53"
# Export report (JSON body, so send the matching Content-Type)
curl -X POST -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  "$API_URL/api/v1/tenants/$TENANT/reports/generate" \
  -d '{"type":"framework","framework":"nist-800-53","format":"pdf"}'
# Hot-reload rule packs (no restart required)
curl -X POST -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/rules/reload"
Next Steps
- NIST 800-53 Guide: deep dive into federal controls
- FedRAMP Guide: FedRAMP Moderate & High baselines
- CMMC Guide: defense contractor requirements
- CIS Benchmarks: practical hardening
- DISA STIGs: DoD hardening guides