Compliance Overview
Infracast provides continuous compliance monitoring against industry frameworks, government standards, and security benchmarks.
Supported Frameworks
| Framework | Controls | Coverage | Description |
|---|---|---|---|
| NIST 800-53 Rev 5 | 94 rules | Technical controls | Federal security standard |
| CMMC 2.0 | 67 rules | L1-L3 practices | DoD supply chain cybersecurity |
| FedRAMP | 89 rules | High baseline | Cloud services for federal |
| PCI-DSS v4.0 | 78 rules | All 12 requirements | Payment card industry |
| SOC 2 | 52 rules | Trust criteria | Service organization controls |
| HIPAA | 45 rules | Security Rule | Healthcare data protection |
| CIS Benchmarks | 189 rules | AWS, Azure, GCP | Hardening best practices |
| STIGs | 259 rules | Multiple products | DoD hardening guides |
| ISO 27001 | 38 rules | Annex A controls | Information security management |
| CSA CCM | 27 rules | Cloud controls | Cloud security alliance |
Total: 776+ automated compliance rules
How It Works
Rule Evaluation
Each compliance rule is a check against your infrastructure graph:
```go
// Example rule: CIS AWS 5.2 - No security groups allow 0.0.0.0/0 to SSH
rule := Rule{
	ID:          "CIS-AWS-5.2",
	Framework:   "CIS AWS Foundations",
	Severity:    "HIGH",
	NodeTypes:   []string{"aws.ec2.security_group"},
	Condition:   "ingress_rules contains (port=22, cidr='0.0.0.0/0')",
	Remediation: "Restrict SSH access to known CIDR ranges",
}
```
Evaluation Pipeline
```text
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Discovery   │────▶│ Rule Engine  │────▶│   Findings   │
│   (nodes)    │     │ (776 rules)  │     │ (violations) │
└──────────────┘     └──────────────┘     └──────────────┘
                            │
                     ┌──────▼──────┐
                     │   Control   │
                     │  Mappings   │
                     │ NIST↔CIS↔PCI│
                     └─────────────┘
```
Control Inheritance
Many rules map to multiple frameworks:
```text
Rule: "S3 bucket public access blocked"
├── NIST 800-53 AC-3 (Access Enforcement)
├── CIS AWS 2.1.5 (S3 Block Public Access)
├── PCI-DSS 1.3.1 (Network Segmentation)
└── SOC 2 CC6.1 (Logical Access)
```
One finding can satisfy (or fail) multiple framework controls.
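As an added example (not Infracast's own code), the following Go program shows how a rule like CIS-AWS-5.2 above is evaluated against graph nodes and how each resulting finding is expanded into the framework controls the rule maps to, as the tree above describes. The Node and Finding types, the Go predicate standing in for the string Condition, and the control list attached to CIS-AWS-5.2 are all assumptions.

```go
package main
import "fmt"

// Constructed types (not Infracast's); the page's string Condition becomes a Go predicate.
type IngressRule struct{ Port int; CIDR string }
type Node struct {
	ID, Type string
	Ingress  []IngressRule // the property CIS 5.2 inspects
}
type Rule struct {
	ID, Severity string
	NodeTypes    []string
	Check        func(Node) bool // true means the node violates the rule
	Controls     []string        // framework controls this rule maps to
}
type Finding struct{ RuleID, NodeID, Severity string; Controls []string } // Controls: every control this finding fails

// SSHOpenToWorld implements "ingress_rules contains (port=22, cidr='0.0.0.0/0')".
func SSHOpenToWorld(n Node) bool {
	for _, ir := range n.Ingress {
		if ir.Port == 22 && ir.CIDR == "0.0.0.0/0" {
			return true
		}
	}
	return false
}

// Evaluate runs one rule over the graph: one finding per in-scope node that fails it.
func Evaluate(r Rule, nodes []Node) []Finding {
	var out []Finding
	for _, n := range nodes {
		for _, t := range r.NodeTypes {
			if t == n.Type && r.Check(n) {
				out = append(out, Finding{r.ID, n.ID, r.Severity, r.Controls})
			}
		}
	}
	return out
}

// CISAWS52 is the page's example rule; its control mappings here are constructed.
var CISAWS52 = Rule{ID: "CIS-AWS-5.2", Severity: "HIGH", Check: SSHOpenToWorld,
	NodeTypes: []string{"aws.ec2.security_group"},
	Controls:  []string{"CIS AWS 5.2", "NIST 800-53 AC-3", "PCI-DSS 1.3.1"}}

func main() { // constructed graph: one open group, one restricted group, one out-of-scope node
	nodes := []Node{{"sg-bastion", "aws.ec2.security_group", []IngressRule{{22, "0.0.0.0/0"}}},
		{"sg-internal", "aws.ec2.security_group", []IngressRule{{22, "10.0.0.0/8"}}},
		{"vol-1", "aws.ec2.volume", nil}}
	for _, f := range Evaluate(CISAWS52, nodes) {
		fmt.Printf("%s %s fails %v\n", f.Severity, f.NodeID, f.Controls)
	}
}
```

Only the bastion group produces a finding; the volume has the same open ingress but is outside the rule's NodeTypes, so it is never checked.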
Attestations
Not all controls can be automated. Some require human attestation:
Automated vs Attested
| Type | Example | How Assessed |
|---|---|---|
| Automated | S3 encryption enabled | Rule checks node property |
| Attested | Security training completed | Human uploads evidence |
| Hybrid | Incident response tested | Rule + evidence upload |
Managing Attestations
- Navigate to Compliance → Attestations
- Filter by framework or control
- Upload evidence (PDFs, screenshots, policies)
- Set expiration date for periodic review
```text
┌─────────────────────────────────────────────────────────────┐
│ Control: NIST 800-53 AT-2 (Security Awareness Training)     │
├─────────────────────────────────────────────────────────────┤
│ Status: ✅ Attested                                         │
│ Evidence: training-completion-report-2024.pdf               │
│ Attested By: security-admin@company.com                     │
│ Date: 2024-01-15                                            │
│ Expires: 2025-01-15                                         │
└─────────────────────────────────────────────────────────────┘
```
Compliance Scores
Calculation
Overall Score = (Passing Automated + Passing Attested) / Total Applicable × 100
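The formula worked through in Go, as an added example rather than Infracast's own implementation. It assumes a constructed Control type, treats an exempted control as not applicable (it leaves the denominator, matching the Exemptions section later on this page), and counts an attestation as passing only until the expiration date set on it.

```go
package main

import (
	"fmt"
	"time"
)

// Control is one control in scope plus how it was assessed. Constructed for
// this example; the field names are not Infracast's.
type Control struct {
	ID        string
	Automated bool      // rule-checked (true) or human-attested (false)
	Passing   bool      // rule passed, or attestation evidence present
	Expires   time.Time // attestation expiry; unused for automated controls
	Exempt    bool      // approved exemption or accepted risk
}

// Score applies Overall Score = (Passing Automated + Passing Attested) / Total Applicable × 100.
// Exempted controls leave the denominator, and an attestation past its expiry
// date no longer counts as passing. The result is rounded to a whole percent.
func Score(cs []Control, now time.Time) int {
	pass, total := 0, 0
	for _, c := range cs {
		if c.Exempt {
			continue // not applicable: neither passing nor failing
		}
		total++
		if c.Passing && (c.Automated || c.Expires.After(now)) {
			pass++
		}
	}
	if total == 0 {
		return 100 // nothing applicable, nothing failing
	}
	return (pass*100 + total/2) / total
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	cs := []Control{ // constructed sample set
		{ID: "AC-2", Automated: true, Passing: true},
		{ID: "AC-3", Automated: true, Passing: false, Exempt: true}, // approved exemption
		{ID: "AC-6", Automated: true, Passing: false},
		{ID: "AT-2", Passing: true, Expires: time.Date(2025, 1, 15, 0, 0, 0, 0, time.UTC)},
		{ID: "AT-3", Passing: true, Expires: time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)}, // lapsed
	}
	fmt.Println("overall score:", Score(cs, now)) // prints 50: 2 passing of 4 applicable
}
```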
By Category
Controls are grouped into families/domains:
| NIST Family | Controls | Passing | Score |
|---|---|---|---|
| Access Control (AC) | 25 | 22 | 88% |
| Audit (AU) | 16 | 14 | 87% |
| Configuration (CM) | 14 | 10 | 71% |
| Identification (IA) | 12 | 12 | 100% |
| System Protection (SC) | 22 | 18 | 82% |
Trends
Track improvement over time:
- Weekly compliance snapshots
- 30/60/90 day trends
- Regression detection (score dropped)
Exemptions & Risk Acceptance
Creating an Exemption
When a control doesn't apply or risk is accepted:
- Navigate to the finding
- Click Accept Risk or Mark Exempt
- Provide justification
- Set review date
Exemption Workflow
```text
Finding Detected → Review Required → Approved → Exempted
                          │
                          ▼
                      Rejected → Must Remediate
```
Auditor Visibility
Exemptions are clearly marked in reports:
```text
Control: CIS-AWS-5.2
Status: EXEMPTED
Justification: "Legacy system scheduled for decommission Q2 2024"
Approved By: ciso@company.com
Review Date: 2024-06-30
```
Reports
Available Report Types
| Report | Description | Audience |
|---|---|---|
| Executive Summary | High-level posture, trends, top risks | Leadership |
| Framework Report | Detailed control-by-control status | Auditors |
| Gap Analysis | What's failing and why | Security team |
| Remediation Plan | Prioritized fix list | Engineering |
| POA&M | Plan of Action & Milestones | Federal compliance |
| SSP | System Security Plan (auto-generated) | FedRAMP/FISMA |
Export Formats
- PDF: formatted for printing/sharing
- Excel: for analysis and manipulation
- JSON: for API/automation
- Word: for SSP editing
Scheduling
Automate report delivery:
```yaml
schedule:
  frequency: weekly
  day: monday
  time: "08:00"
  recipients:
    - security-team@company.com
    - compliance@company.com
  reports:
    - executive-summary
    - framework-detail
```
Continuous Monitoring
Real-Time Detection
Findings appear within minutes of discovery:
- Discovery job runs (scheduled or triggered)
- New/changed nodes evaluated against rules
- Findings created/resolved
- Alerts sent (Slack, email, webhook)
ConMon for FedRAMP
FedRAMP requires continuous monitoring. Infracast provides:
- Automated monthly scans
- Deviation tracking
- POA&M generation
- Significant change detection
See FedRAMP Guide for details.
API Access
Query compliance data programmatically:
```bash
# Get compliance summary
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/compliance/summary"

# Get findings for a framework
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/findings?framework=nist-800-53"

# Export report (-d sends the body as a POST)
curl -H "Authorization: Bearer $TOKEN" \
  "$API_URL/api/v1/tenants/$TENANT/reports/generate" \
  -d '{"type":"framework","framework":"nist-800-53","format":"pdf"}'
```
Next Steps
- NIST 800-53 Guide: deep dive into federal controls
- CMMC Guide: defense contractor requirements
- CIS Benchmarks: practical hardening