Compliance
Access Compliance from the left navigation menu.
Compliance is not available for Managed Falco (Secure light).
Benefits
Compliance that is actionable:
- Compliance lets you manage your risks if you have the required permissions. Take action to:
  - Remediate
  - Accept the risk
  - Open a Pull Request in your code repository. Applicable only if Git Infrastructure as Code (IaC) integration is enabled.
Collected Violations:
- The resources defined by your Zones are evaluated against compliance policies.
- Violations are collected into tiles and shown on the Compliance page.
- Every day, resources are sent to the backend, where Sysdig evaluates them against the applied policies.
- You can create custom policies or use Sysdig out-of-the-box policies.
Intuitive user interface (UI): Click the resource itself rather than navigating a list of violations.
Download reports, supported by APIs.
Use Cases
Compliance and Security Team Members
Compliance and Security Team Members might want to:
- Check the current compliance status of their business zones against predefined policies
- Demonstrate to an auditor the compliance status of their business zone at a specific point in time (the audit)
- Create a report of the compliance status of their business zone, and share it with their auditors and the management team
- Understand the magnitude of the compliance gap
DevOps Team Members
DevOps Team Members might want to:
- Identify the compliance violations of a predefined policy applied on their business zones
- Manage the violations according to their severity
- Easily fix the violation
- Document exceptions and accept risk according to the risk management policy of their organization
Prerequisites
To populate the Compliance module with data, ensure that you have prepared your environment to connect to Sysdig Secure:
- Connect Cloud Accounts
- Install Sysdig Agent in your Kubernetes environment, and include the following flag while installing it:
  --set global.kspm.deploy=true \
- If you are running Kubernetes and want to identify which version you have, see KSPM.
Understand the Compliance UI
On the Compliance page, you can review the compliance posture for each of your zones. Each row shows the compliance findings of a policy that is applied to your zone.
Filter the list with the Select Zones and Select Policies dropdowns.
The Compliance table is made up of the following columns:
Zone / Policy: This is the lens to evaluate your compliance results through your zones and the policies you applied to them.
Passing Score: The percentage of resources that pass (or whose risk is accepted) out of all resources evaluated for this policy view. Resources are the most granular level of results, so the higher the percentage, the fewer individual resources are failing.
Requirements Failing: The number of requirements remaining to fix to reach 100% for a view, shown as a bar chart of the past 7 days' results. The smaller the number, the better. A requirement is made up of one or more controls, so the requirement count is always the smaller of the two.
Controls to Fix: The number of controls to fix to achieve a perfect score. The smaller the better. Multiple controls make up a single requirement, so the control count is larger than the requirement count.
Resource Violations by Severity: The number of resources failing, organized by severity. The severity can be High, Medium, or Low. One resource can be counted multiple times if it’s failing multiple controls. The fewer, the better.
Accepted Risks: The number of violations you have chosen to accept the risk for. Risks can be accepted at the level of an individual resource, or globally on a control for all resources that match a given zone.
For more information, see Accepted Risk.
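As an added example (not Sysdig's code), the following derives the table columns described above from a constructed set of control evaluations. It encodes the rules from the column definitions: a requirement groups one or more controls, a resource counts once per failing control in the severity column, and an acceptance hides a failure only while it is unexpired and matches either the individual resource or, when global, any resource for the control. The data classes, control and resource names, and the acceptance layout are assumptions for illustration.

```python
"""Added example (not Sysdig's code): derive the Compliance table columns from a
constructed set of control evaluations. Every name and sample value below is an
assumption for illustration, not part of the product's data model."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Control:
    id: str
    requirement: str  # requirement the control belongs to (one requirement = one or more controls)
    severity: str     # "High", "Medium" or "Low"


@dataclass(frozen=True)
class Evaluation:
    control_id: str
    resource: str
    passed: bool


@dataclass(frozen=True)
class RiskAcceptance:
    control_id: str
    resource: Optional[str]   # None = accepted globally on the control for every resource in the zone
    expires: Optional[date]   # None = no expiration period


def is_accepted(ev: Evaluation, acceptances: List[RiskAcceptance], today: date) -> bool:
    """A failing evaluation is hidden only by an acceptance that matches its control,
    matches its resource (or is global), and has not expired."""
    for acc in acceptances:
        if acc.control_id != ev.control_id:
            continue
        if acc.resource is not None and acc.resource != ev.resource:
            continue
        if acc.expires is not None and acc.expires < today:
            continue  # expired acceptance: the violation counts again
        return True
    return False


def compliance_row(controls: List[Control], evaluations: List[Evaluation],
                   acceptances: List[RiskAcceptance], today: date) -> Dict[str, object]:
    by_id = {c.id: c for c in controls}
    failing: List[Evaluation] = []
    accepted = 0
    for ev in evaluations:
        if ev.passed:
            continue
        if is_accepted(ev, acceptances, today):
            accepted += 1
        else:
            failing.append(ev)

    resources = {ev.resource for ev in evaluations}
    failing_resources = {ev.resource for ev in failing}
    # Passing Score: resources with no unaccepted failure, as a percentage of all resources
    score = round(100 * (len(resources) - len(failing_resources)) / len(resources)) if resources else 100

    controls_to_fix = {ev.control_id for ev in failing}
    requirements_failing = {by_id[cid].requirement for cid in controls_to_fix}

    # Resource Violations by Severity: a resource is counted once per failing control
    by_severity = {"High": 0, "Medium": 0, "Low": 0}
    for ev in failing:
        by_severity[by_id[ev.control_id].severity] += 1

    return {
        "passing_score": score,
        "requirements_failing": len(requirements_failing),
        "controls_to_fix": len(controls_to_fix),
        "violations_by_severity": by_severity,
        "accepted_risks": accepted,
    }


def example_row() -> Dict[str, object]:
    """Constructed sample: three controls in two requirements, evaluated on three resources."""
    controls = [
        Control("C1", "R1", "High"),
        Control("C2", "R1", "Medium"),
        Control("C3", "R2", "Low"),
    ]
    evaluations = [
        Evaluation("C1", "pod-a", False), Evaluation("C1", "pod-b", True), Evaluation("C1", "pod-c", False),
        Evaluation("C2", "pod-a", False), Evaluation("C2", "pod-b", True), Evaluation("C2", "pod-c", True),
        Evaluation("C3", "pod-a", True),  Evaluation("C3", "pod-b", False), Evaluation("C3", "pod-c", True),
    ]
    acceptances = [
        RiskAcceptance("C3", None, None),                  # global acceptance on C3 for the zone
        RiskAcceptance("C1", "pod-c", date(2024, 1, 1)),   # resource-level acceptance, already expired
    ]
    return compliance_row(controls, evaluations, acceptances, today=date(2024, 6, 1))


if __name__ == "__main__":
    print(example_row())
```

In the sample, pod-a fails two controls of the same requirement, so it appears twice in the severity column (once High, once Medium) while the failing-requirement count stays at one; the expired acceptance on pod-c no longer hides its C1 failure, so only one accepted risk is reported.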
Compliance Readiness Report
You can generate a PDF of the Compliance Readiness Report, providing an overview of the current state of a compliance policy within a specific zone. The report highlights the status of passing requirements and controls, along with the count of passing and failing resources for each control.
Additionally, you can schedule reports to automatically generate and send to an email or Slack channel as needed. When you generate a PDF, it is processed in the background and stored for up to 14 days for download.
Download PDF
You can generate an ad-hoc PDF that might take several minutes to process. Once generated, a toast notification will appear with a link to download the report. If the toast notification is missed, open the Compliance Readiness Report under the Report menu and click Downloads. You can view the Download History and download the report.
For more information, see Download a Report.
Schedule Reports
You can create a schedule directly from the Compliance Overview page using the Compliance Readiness Report menu. Clicking Schedule redirects you to the schedule configuration page with predefined fields. Alternatively, open Reporting > Schedule and click New Schedule. Select Compliance Readiness Report as the report type. For this report type, the zone and policy fields are required when creating a schedule.
Downloads
To access generated reports, open Report > Downloads. Both ad-hoc and scheduled reports are available for download on this page.
Existing Schedules
You can view all scheduled Compliance Readiness Reports. To do so, open Report > Existing Schedules.
Currently, filtering reports by a specific policy and zone combination is not supported.
Favorites
Select or deselect the star beside any policy or zone view to add it to your favorites.
Select My Favorites to filter the policy list by Favorites.
Favorites are displayed on the Home page.
Detect and Remediate Violations
To detect prioritized compliance violations, analyze them, and remediate them in Compliance, follow these steps:
On the Compliance page, review high-level posture performance indicators on each of the policies applied on your zones.
Select a Policy to see its Findings and select a failing requirement to see the Controls and failing resources that comprise it.
Select View Remediation to open the Remediation panel.
On the Remediation panel, you can Review Issues where possible, and consult Remediation Guidelines for possible fixes. You can remediate:
Manually: Copy the code and apply it in production.
Open a Pull Request: If you have a Git Integration, choose the relevant Git source and Compliance will create a pull request integrating the fix (as well as checking for code formatting cleanup). You can review all the changes in the PR before you merge.
Optionally, Accept the Risk and remove the violation from the failed controls. When accepting the risk you can leave a note as to the reason, and choose an expiration period for the acceptance. Risk can be accepted at the level of an individual resource, or globally on a control for all resources that match a given zone.
Optionally, select Download Report for a .CSV spreadsheet of your compliance results for development teams, executives, or auditors.
CSPM Zones Management
On the Compliance page, a default Entire Infrastructure zone is automatically created. Center for Internet Security (CIS) policies and the Sysdig Kubernetes policy are automatically added to the Entire Infrastructure zone.
To see results from any of the dozens of out-of-the-box policies provided with the Compliance module, or for any custom policies, you must apply them to a zone.
Select Policies > Posture | Policies to create and edit policies and apply them to zones.
Use the CSPM API
When your organization uses a third-party system to receive remediation reports and create tasks, consider using the CSPM APIs.
These are documented online along with the rest of the Sysdig Secure APIs.
For API doc links for additional regions or steps to access them from within the Sysdig Secure UI, see the Developer Tools overview.
Compliance Results API Call Requirements
- Please specify a zone in the request. If a zone is not specified in the request, results will be returned for policies applied on the default “Entire Infrastructure” zone.
- If no policy is applied on the default “Entire Infrastructure” zone, you will receive empty results.
- Note that URL Links to every Control Resource List API call are contained in the Compliance Results Response.
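As an added example (not Sysdig's client, and not a definition of the real API), the following is a thin wrapper around the Compliance Results call that applies the three requirements listed above: it warns when no zone is given (results then reflect the default Entire Infrastructure zone), treats an empty result set as "no policy applied" rather than as a transport error, and collects the Control Resource List URLs embedded in the response without assuming which field holds them. The endpoint path, the zone query-parameter name, the top-level results key, the bearer-token header and the response shapes in the offline demo are all assumptions; take the real values from the API docs linked above.

```python
"""Added example (not Sysdig's client or API definition): a thin wrapper around the
Compliance Results call. The endpoint path, zone parameter name, results key, auth
header and the fake responses below are assumptions for illustration only."""
import json
from typing import Any, Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

Getter = Callable[[str], Dict[str, Any]]


def make_urllib_getter(token: str) -> Getter:
    """Live transport (assumption: bearer-token header). The demo below never calls it."""
    def get(url: str) -> Dict[str, Any]:
        req = Request(url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
        with urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return get


def find_links(node: Any) -> Iterator[str]:
    """Yield every absolute URL anywhere in the response. The page says the Control
    Resource List URLs are embedded in the results, so no field name is assumed."""
    if isinstance(node, dict):
        for value in node.values():
            yield from find_links(value)
    elif isinstance(node, list):
        for value in node:
            yield from find_links(value)
    elif isinstance(node, str) and node.startswith(("http://", "https://")):
        yield node


def fetch_compliance_results(get: Getter, base_url: str, path: str,
                             zone_id: Optional[str] = None, zone_param: str = "zoneId",
                             results_key: str = "data") -> Tuple[List[Any], List[str], List[str]]:
    """Return (results, warnings, resource_list_links). Empty results are not an error."""
    warnings: List[str] = []
    query = ""
    if zone_id is None:
        warnings.append("no zone specified: results are for policies applied on the default "
                        "'Entire Infrastructure' zone")
    else:
        query = "?" + urlencode({zone_param: zone_id})
    body = get(f"{base_url.rstrip('/')}{path}{query}")
    results = list(body.get(results_key, []))
    if not results:
        warnings.append("empty results: no policy is applied on the zone that was queried")
    return results, warnings, sorted(set(find_links(results)))


# Constructed, offline stand-in for the API so the example runs without credentials.
BASE = "https://secure.example"
PATH = "/hypothetical/compliance/results"   # hypothetical path, not the real endpoint
FAKE_RESPONSES: Dict[str, Dict[str, Any]] = {
    f"{BASE}{PATH}?zoneId=zone-prod": {"data": [{
        "policy": "CIS Kubernetes V1.27 Benchmark v1.9.0",
        "controls": [{"name": "example control", "status": "fail",
                      "resourcesUrl": f"{BASE}/hypothetical/controls/42/resources"}],
    }]},
    f"{BASE}{PATH}": {"data": []},   # nothing applied on Entire Infrastructure
}


def fake_get(url: str) -> Dict[str, Any]:
    return FAKE_RESPONSES[url]


def demo() -> Dict[str, Tuple[List[Any], List[str], List[str]]]:
    return {
        "with_zone": fetch_compliance_results(fake_get, BASE, PATH, zone_id="zone-prod"),
        "without_zone": fetch_compliance_results(fake_get, BASE, PATH),
    }


if __name__ == "__main__":
    for name, (results, warnings, links) in demo().items():
        print(name, len(results), warnings, links)
```

Swap `fake_get` for `make_urllib_getter(token)` and the real base URL and path to run it against a tenant; the link list is what a ticketing integration would iterate over to pull each control's failing resources.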
Tenant-Aware Hierarchical Posture Scanning
Sysdig Tenant-Aware Hierarchical Posture Scanning enables organizations to centrally manage and evaluate security posture across both parent and child tenants in a multi-tenant environment. This feature ensures that posture assessments performed at the child tenant level are integrated into the parent tenant’s reporting and evaluation workflows, providing a unified compliance view.
This feature applies only to Kubernetes scan results (KSPM).
Key Capabilities
- Hierarchical Posture Reporting: Child tenant scan results are aggregated under the parent tenant for a consolidated security posture.
- Centralized Compliance Evaluation: All policy evaluations occur in the parent tenant, ensuring uniform application of security policies.
- No Cross-Region Data Transfers: This feature assumes parent and child tenants are within the same region to avoid data transfer complexities.
- Independent Child Tenants: Child tenants operate independently but forward posture data to the parent for evaluation.
Prerequisites
- Same-Region Deployment: Parent and child tenants must be deployed within the same cloud region.
- Parent-Child Relationship Definition: A mapping of child customer IDs to a parent customer ID must be configured.
Guidelines
- Kubernetes Compliance Data Only: Parent centralization applies only to compliance-related data for Kubernetes scan results (KSPM).
- Zones and Risk Acceptance: These configurations are not automatically replicated from parent to child tenants.
- Child Tenant Autonomy: Each child tenant remains an independent entity with its own resources and configurations.
- Non-KSPM Functionality: This solution currently focuses on KSPM. Other CNAPP functionalities remain unchanged.
Activate Tenant-Aware Hierarchical Posture Scanning
To activate the Tenant-Aware Hierarchical Posture Scanning feature, customers must contact Sysdig Support or their account representative. Our team will assist with enabling the feature and guiding you through the setup process to ensure smooth integration into your environment.
Configure Tenant-Aware Hierarchical Posture Scanning
Enable Hierarchical Posture Scanning.
To do so, set up the parent-child customer ID mapping in system settings.
Define Zones and Policies in the parent tenant environment:
- Ensure all child resources are available in the parent inventory.
- Define security zones within the parent UI.
- Assign policies to zones for posture evaluation.
Activate Policy Evaluation in the parent tenant environment:
- Ensure that Policy evaluation occurs exclusively at the parent level.
- Ensure that a re-evaluation task is triggered on the parent tenant to assess compliance based on the aggregated data.
Troubleshooting Tenant-Aware Hierarchical Posture Scanning
Child scan results are not appearing in the parent tenant
Possible Causes and Solution
- Parent-Child Relationship Not Defined: Verify that the customer ID mappings are correctly set.
- Delayed Syncing: Ensure that the system has completed its data ingestion cycle.
Policy evaluation not occurring at the parent level
Possible Causes and Solutions
- Zones Not Defined in Parent: Ensure that zones are correctly configured in the parent tenant.
- Re-Evaluation Task Not Triggered: Confirm that the parent tenant is set to re-evaluate child scan results.
Frequently Asked Questions
Can policies be defined at the child tenant level?
No. Policies are only defined at the parent level and applied across all child tenants.
Does this feature work across multiple regions?
No. The feature is designed for same-region deployments to avoid cross-region data transfer complexities.
How often does data sync between child and parent tenants?
Syncing occurs after each scan is completed in a child tenant, followed by ingestion and evaluation at the parent tenant.
What happens if a child tenant is deleted?
The parent tenant retains previously ingested compliance data, but no new scans will be processed from the deleted child.
Can I turn off hierarchical posture scanning after enabling it?
Yes. However, once turned off, child scan results will no longer be forwarded to the parent, and compliance evaluations will only happen at the child level.
Terminology and Policies
Terminology Changes
Previous Term | New Term | Description
---|---|---
Framework, Benchmark | Policy | A policy is a group of business/security/compliance/operations requirements that can represent a compliance standard (for example, PCI 3.2.1), a benchmark (for example, CIS Kubernetes 1.5.1), or a business policy (for example, ACME corp policy v1). You can review the available policies and create custom CSPM/Posture policies under Policies.
Scopes | Zone | A business group of resources for a specific customer, defined by a collection of Scopes of various resource types, combined with "OR" operators.
Control | Requirement (or Policy Requirement) | A requirement exists in a single policy and is an integral part of the policy. It represents a section in a policy with which compliance officers and auditors are familiar.
Family | Requirements Group | A group of requirements in a policy.
Rule | Control | A control defines the way the issue is identified (the check) and the playbook to remediate the violation detected.
Vulnerability Exception | Risk Acceptance | You can review a violation or vulnerability, choose not to remediate it, and acknowledge it without making it fail the policy.
Posture Policies
The following posture policies are included out of the box:
National Institute of Standards and Technology (NIST)
- NIST Cybersecurity Framework (CSF) v2.0
- NIST Privacy Framework v1.0
- NIST SP 800-53 Rev 5
- NIST SP 800-53 Rev 5 Privacy Baseline
- NIST SP 800-53 Rev 5 Low Baseline
- NIST SP 800-53 Rev 5 Moderate Baseline
- NIST SP 800-53 Rev 5 High Baseline
- NIST SP 800-82 Rev 2
- NIST SP 800-82 Rev 2 Low Baseline
- NIST SP 800-82 Rev 2 Moderate Baseline
- NIST SP 800-82 Rev 2 High Baseline
- NIST SP 800-171 Rev 2
- NIST SP 800-190 2017
- NIST SP 800-218 v1.1
Federal Risk and Authorization Management Program (FedRAMP)
- FedRAMP Rev 4 LI-SaaS Baseline
- FedRAMP Rev 4 Low Baseline
- FedRAMP Rev 4 Moderate Baseline
- FedRAMP Rev 4 High Baseline
Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG)
- DISA Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide (STIG)
- DISA Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide (STIG) v2 Category I (High)
- DISA Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide (STIG) v2 Category II (Medium)
- DISA Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide (STIG) v2 Category III (Low)
- DISA Kubernetes Security Technical Implementation Guide (STIG) Ver 1 Rel 6
- DISA Kubernetes Security Technical Implementation Guide (STIG) Ver 1 Rel 6 Category I (High)
- DISA Kubernetes Security Technical Implementation Guide (STIG) Ver 1 Rel 6 Category II (Medium)
Center for Internet Security (CIS) Benchmarks
- CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.4.0
- CIS Amazon Linux 2 Benchmark v3.0.0
- CIS Amazon Web Services Foundations Benchmark v4.0.1
- CIS Amazon Web Services Foundations Benchmark v4.0.0
- CIS Amazon Web Services Foundations Benchmark v3.0.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.6.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.5.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.4.0
- CIS Azure Kubernetes Service (AKS) Benchmark v1.3.0
- CIS Bottlerocket Benchmark v1.0.0
- CIS Critical Security Controls V8
- CIS Distribution Independent Linux Benchmark (Level 1 - Server) v2.0.0
- CIS Distribution Independent Linux Benchmark (Level 2 - Server) v2.0.0
- CIS Distribution Independent Linux Benchmark (Level 1 - Workstation) v2.0.0
- CIS Distribution Independent Linux Benchmark (Level 2 - Workstation) v2.0.0
- CIS Docker Benchmark v1.5.0
- CIS Google Cloud Platform Foundations Benchmark v3.0.0
- CIS Google Cloud Platform Foundations Benchmark v2.0.0
- CIS Google Container-Optimized OS Benchmark v1.2.0
- CIS Google Kubernetes Engine (GKE) Autopilot Benchmark v1.1.0
- CIS Google Kubernetes Engine (GKE) Benchmark v1.4.0
- CIS Kubernetes V1.27 Benchmark v1.9.0
- CIS Kubernetes V1.26 Benchmark v1.8.0
- CIS Kubernetes V1.25 Benchmark v1.7.1
- CIS Kubernetes V1.24 Benchmark v1.0.0
- CIS Kubernetes V1.23 Benchmark v1.0.0
- CIS Kubernetes V1.20 Benchmark v1.0.0
- CIS Kubernetes V1.18 Benchmark v1.6.0
- CIS Kubernetes V1.15 Benchmark v1.5.1
- CIS Microsoft Azure Foundations Benchmark v3.0.0
- CIS Microsoft Azure Foundations Benchmark v2.1.0
- CIS Microsoft Azure Foundations Benchmark v2.0.0
- CIS Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) v1.5.0
- CIS Oracle Cloud Infrastructure Foundations Benchmark v2.0.0
- CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0
- CIS Red Hat Enterprise Linux 8 Benchmark v3.0.0
- CIS Red Hat OpenShift Container Platform Benchmark v1.7.0
- CIS Red Hat OpenShift Container Platform Benchmark v1.6.0
- CIS Red Hat OpenShift Container Platform Benchmark v1.5.0
- CIS Rocky Linux 9 Benchmark v2.0.0
- CIS SUSE Linux Enterprise 12 Benchmark v3.1.0
- CIS Talos Linux Benchmark v1.0.0
- CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0
- CIS Ubuntu Linux 22.04 LTS Benchmark v2.0.0
- CIS Ubuntu Linux 20.04 LTS Benchmark v2.0.1
Amazon Web Services (AWS) Best Practices
- AWS Foundational Security Best Practices
- AWS Well Architected Framework
Regulatory Compliance Standards
- Australian Government Information Security Manual (ISM) 2022
- BSI-Standard 200-1: Information Security Management v1.0
- CCPA (California Consumer Privacy Act)
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) Ver 4
- Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554
- DPDP (Digital Personal Data Protection) Act
- Family Educational Rights and Privacy Act (FERPA)
- Federal Information Security Modernization Act (FISMA)
- General Data Protection Regulation (GDPR)
- Gramm-Leach-Bliley Act (GLBA)
- HIPAA (Health Insurance Portability and Accountability Act) Security Rule 2013
- HITRUST CSF (Health Information Trust Common Security Framework) v9.6.0
- Information Technology Security Guidance (ITSG-33)
- ISO/IEC 27001:2022 v3
- ISO/IEC 27001:2013 v2
- Multi-Level Protection Scheme (MLPS)
- NERC Critical Infrastructure Protection (CIP)
- NIS2 Directive (Directive on measures for a high common level of cybersecurity across the Union) 2022/2555
- NSA/CISA Kubernetes Hardening Guide 2022
- NCSC Cyber Assessment Framework (CAF)
- PCI DSS (Payment Card Industry Data Security Standard) v4.0
- PCI DSS (Payment Card Industry Data Security Standard) v3.2.1
- Reserve Bank of India (RBI) Framework
- Sarbanes-Oxley (SOX) Act
- SEBI (Securities and Exchange Board of India) Act
- SOC 2 (System and Organization Controls) 2010
Risk Frameworks
- All Posture Findings
- MITRE ATT&CK for Enterprise v13.1
- MITRE D3FEND v0.11.0-BETA-1
Sysdig Best Practices
- Sysdig Google Cloud Benchmark v1.0.0
- Sysdig IBM Cloud Kubernetes Service (IKS) Benchmark
- Sysdig Kubernetes
- Sysdig Mirantis Kubernetes Engine (MKE) Benchmark
- Sysdig Rancher Kubernetes Engine (RKE2) Benchmark
Other Policies
- Lockheed Martin Cyber Kill Chain
- OWASP Kubernetes Top Ten v1.0.0
Cloud Coverage
The following cloud services are covered:
Amazon Web Services (AWS)
- Amazon CloudFront
- Amazon CloudWatch
- Amazon DynamoDB
- Amazon EC2
- Amazon EC2 Auto Scaling
- Amazon Elastic Block Store (EBS)
- Amazon Elastic Container Registry (ECR)
- Amazon Elastic Container Service (ECS)
- Amazon Elastic File System (EFS)
- Amazon Elastic Kubernetes Service (EKS)
- Amazon ElastiCache
- Amazon Elasticsearch Service
- Amazon OpenSearch Service
- Amazon RDS
- Amazon Redshift
- Amazon Simple Notification Service (SNS)
- Amazon Simple Storage Service (S3)
- Amazon VPC
- AWS Account
- AWS CloudFormation
- AWS CloudTrail
- AWS CodeBuild
- AWS Config
- AWS Identity and Access Management (IAM)
- AWS Key Management Service (KMS)
- AWS Lambda
- AWS Region
- AWS Secrets Manager
- AWS VPN
- Elastic Load Balancing (ELB)
Google Cloud
- Anthos
- API Gateway
- App Engine
- Artifact Registry
- Assured Workloads
- BeyondCorp Enterprise
- BigQuery
- Certificate Authority Service
- Cloud Bigtable
- Cloud Composer
- Cloud Data Fusion
- Cloud Data Loss Prevention
- Cloud DNS
- Cloud Domains
- Cloud Functions
- Cloud Healthcare API
- Cloud Intrusion Detection System (IDS)
- Cloud Key Management Service (KMS)
- Cloud Logging
- Cloud Monitoring
- Cloud Resource Manager
- Cloud Run
- Cloud Spanner
- Cloud SQL
- Cloud Storage
- Cloud TPUs
- Compute Engine
- Container Engine
- Container Registry
- Database Migration Service
- Dataflow
- Dataplex
- Dataproc
- Datastream
- Deployment Manager
- Dialogflow
- Document AI
- Eventarc
- Filestore
- Firestore
- Game Servers
- Google Cloud Billing API
- Google Cloud Virtual Network
- Google Kubernetes Engine (GKE)
- Identity and Access Management (IAM)
- Integration Connectors
- Managed Service for Microsoft Active Directory (Managed Microsoft AD)
- Memorystore
- Network Connectivity
- Network Management
- Network Services
- Organization Policy API
- Pub/Sub
- Secret Manager
- Service Directory
- Service Management API
- Speech-to-Text
- Transcoder API
- Vertex AI
- Virtual Private Cloud (VPC)
- Workflows
Microsoft Azure
- AKS
- AppService
- Authorization
- Compute
- Event Hub
- Key Vault
- Logging
- Managed Identity
- Monitor
- MySQL
- Network
- Operational Insights
- Operations Management
- PostgreSQL
- Security
- Service Bus
- SQL
- Storage
- Subscription
- Web
Legacy Compliance Versions
Note that you may have a legacy version of Compliance installed.
If you are an On-Prem or IBM Cloud user, see Legacy Compliance.
If you are running older versions of Sysdig Secure, you may encounter different Compliance UI and features.
Compliance and legacy Unified Compliance can be run in parallel. When benchmarks reach End of Life (EOL), data collection will only be available through Compliance, while the Legacy Reports will remain accessible on the interface for one year from their creation date.
Data cannot be transferred between Compliance versions.
Migration Guide
For users migrating to the Compliance module, released January 2023:
SaaS users that connect new data sources for Sysdig cloud accounts or Sysdig agents will automatically have the new Compliance module (previously known as “Actionable Compliance”) enabled.
Resources of the connected data sources will be evaluated according to CSPM/Risk and Compliance policies that are applied to zones. Results are displayed about 5-10 minutes after connection, varying by the scale of the resources.
If you were using Unified Compliance:
- On existing Kubernetes clusters, ensure the applied helm charts are updated according to the KSPM Components guide.
- For Existing GCP cloud accounts, enable the Cloud Asset API.
- The new Compliance module will be automatically enabled on your existing Cloud accounts by January 26th.
The new CSPM Compliance module is not available for on-prem users; they can continue using Unified Compliance.