Rapid7

Compliance and Regulations

A broad, forward-thinking security program should meet and exceed compliance obligations in order to root out vulnerabilities and be prepared for the next potential threat. Rapid7 partners with organizations in regulated industries around the world to help them navigate their compliance obligations, streamline compliance reporting, and exceed their required security measures when it comes to laws and standards like HIPAA, PCI DSS, GDPR, and many more. Continuously thinking forward keeps you steps ahead of attackers.

We can help you determine which regulations your organization needs to meet.


Adaptable solutions and services to meet your region's regulatory requirements

Further your goals with Rapid7 tailored services. Our latest research helps you stay informed and innovative solutions help you stay ahead — all backed by strong partnerships with the international security community.

Security programs

Help establish and oversee processes to protect the confidentiality and integrity of sensitive information and systems.

Monitoring and testing

Help ensure detective controls are in place to analyze the effectiveness of technology supporting policy and process control; this includes penetration testing and independent audits.

Risk assessments

Inform security strategy by analyzing internal and external cybersecurity threats, gaps in security controls, and vulnerabilities.

Workforce and personnel solutions

Provide product training and certification as well as oversee service providers and remediation services.

Incident response

Helps to further your security program by detecting, investigating, mitigating, and documenting security events that lead to incidents.

Security safeguards controls

Help protect and defend sensitive information, networks, and applications; they also oversee third-party service providers.

Rapid7 Compliance Solutions

CIS Benchmarks are also known as Configuration Policy Benchmarks. They are developed by the Center for Internet Security (CIS), a not-for-profit organization that develops benchmarks that allow organizations to improve their security and compliance programs and posture. This initiative aims to create community-developed security configuration baselines, or CIS Benchmarks, for IT and security products that are commonly found throughout organizations.

Benefits of CIS Benchmarks

Security organizations looking to achieve CIS compliance by adhering to specific benchmarks can expect benefits like:

  • Safeguarding systems against continuously evolving cyber threats
  • Improved cloud-environment security posture and threat response
  • Long-term C-Suite trust and budget allocation for the security organization
  • Increased customer confidence that comes from demonstrating self-adherence to industry- and sector-specific benchmarks
  • Faster remediation with benchmark-provided guidance when vulnerabilities are identified

With solutions from Rapid7 you can

Check and report on your compliance to CIS benchmarks

Use InsightVM, Rapid7's vulnerability risk management solution, to easily and automatically check the settings on all the assets in your organization and determine their overall level of compliance with CIS benchmarks in one unified view.

InsightVM scans all of your assets for their overall level of compliance against CIS benchmarks and policies. You can use InsightVM to determine the overall level of compliance across the organization for each CIS benchmark that you are interested in via pre-built scan templates, or with the Custom Policy Builder capability. Custom Policy Builder enables you to create, modify, and augment common benchmarks like CIS based on the unique needs of your IT environment.

Ensure compliance in cloud environments

CIS offers benchmarks on best practices for the secure configuration of Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Kubernetes. When using cloud or Kubernetes services, security is a shared responsibility between the cloud service provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that is secure, and the CIS benchmarks provide a framework for how to do this.

InsightCloudSec enables you to automate compliance with CIS benchmarks. InsightCloudSec provides dozens of out-of-the-box policies as part of our CIS compliance pack that map back to specific directives within CIS benchmarks. For example, InsightCloudSec’s policy “Encryption Key Not Supporting Key Rotation” supports compliance with the “Logging 2.8” directive in the CIS Amazon Web Services Benchmark. You can immediately use the CIS compliance packs to identify and remediate policy violations in real time.

The Cybersecurity Maturity Model Certification (CMMC) is a certification process under development by the US Department of Defense (DoD).

The Cloud Security Alliance Cloud Controls Matrix (CSA CCM) controls framework offers a detailed understanding of security concepts and principles that follow Cloud Security Alliance guidance in 13 domains. The foundation of the CSA CCM aligns with other industry-accepted security standards, regulations, and controls frameworks, such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum, and NERC CIP. It is an optional standard that some organizations implement to benefit from the best practices it contains, and to reassure customers that the framework's recommendations have been followed.

With solutions from Rapid7, you can ensure compliance in cloud environments

When using Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud service provider, security and compliance is a shared responsibility between the cloud provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that complies with the applicable directives contained within CSA CCM.

InsightCloudSec enables you to automate security and compliance with CSA CCM. InsightCloudSec provides dozens of out-of-the-box policies as part of our CSA CCM compliance pack that map back to specific directives within CSA CCM. For example, InsightCloudSec’s policy “Cloud Account Without Root Account MFA Protection” supports compliance with the “AIS-04, EKM-01, EKM-02, EKM-03, GRM-06, IAM-01, IAM-02, IAM-04, IAM-05, IAM-10, IAM-11, and IAM-12” directives in CSA CCM. You can immediately use the CSA CCM compliance pack to identify and remediate policy violations in real time.

The Dubai Electronic Security Center (DESC) Cloud Service Provider (CSP) Security Standard is a mandatory certification for any enterprise offering cloud services to government and semi-government entities in Dubai. The standard is an essential part of DESC’s initiative to strengthen cybersecurity and is based on internationally recognized frameworks, such as ISO/IEC 27001, in addition to specific local controls from the Information Security Regulation (ISR) V3. Rapid7 has achieved this certification to demonstrate its commitment to meeting these strict security and data residency requirements for customers in the region. Achieving this certification is a key part of Rapid7’s plan for our UAE Region and a public commitment to our support for compliance and security.

The Federal Desktop Core Configuration (FDCC) is an older federal standard that defines a standardized desktop configuration to improve security. Although FDCC benchmarks were superseded by USGCB benchmarks in 2010 and 2011, many agencies are still working on their FDCC compliance. If you're one of them, we can help you achieve FDCC compliance.

How Rapid7 helps you get FDCC compliant

Check and report on asset settings

You can use Nexpose to easily and automatically check the settings on all the Windows assets in your organization to make sure they pass Federal Desktop Core Configuration (FDCC) compliance, and quickly generate reports on their status. InsightVM is both SCAP validated and an FDCC-compliance-certified tool.

Find exploitable vulnerabilities

While you're checking your assets for misconfigurations, InsightVM also scans your physical and virtual assets for vulnerabilities and malware exposure. In addition, it shows you the contextual risk for each found threat—that way you can prioritize how best to take action and achieve FDCC compliance.

Generate and submit CyberScope-compatible reports for FDCC compliance

A key part of FISMA compliance is submitting a CyberScope-compatible report on USGCB and/or FDCC compliance. CyberScope compatibility is a core feature of InsightVM, so your monthly reporting is hands-free and easy.

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. federal government initiative that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud services. FedRAMP provides a standardized approach to cloud security through a core set of processes, thereby ensuring effective, repeatable cloud security for the government.

Rapid7 InsightGovCloud is designed to facilitate alignment with a NIST 800-53-based security framework, supporting the rigorous requirements of state and local government agencies.

The Federal Information Security Management Act (FISMA) requires Federal agencies to develop, document, and implement an information security program to safeguard their systems and data. In addition to government agencies, FISMA also applies to contractors and third parties that use or operate an information system on behalf of a Federal agency.

One of the core requirements of FISMA is compliance with the United States Government Configuration Baseline (USGCB), which evolved from the Federal Desktop Core Configuration mandate (FDCC). USGCB is a government-wide initiative that provides guidance to Federal agencies on secure configuration settings for IT products, specifically on desktops and laptops. Security Content Automation Protocol (SCAP) validated technologies can be used to assess compliance of systems with USGCB.

How Rapid7 helps get you FISMA compliant

Continuously assess systems for vulnerabilities

Use InsightVM to meet vulnerability scanning requirements for FISMA compliance. Automatically discover new assets across physical, virtual, and mobile environments, and trigger an immediate risk assessment. Nexpose can also identify all hardware and software assets on the network to compare with an authorized inventory.

Test your internal and external defenses

Simulate real-world attacks against your defenses to uncover weaknesses and verify the effectiveness of security controls with Metasploit. Validate the level of exploitability of vulnerabilities as required for FISMA compliance, and leverage closed-loop integration with Nexpose to prioritize exploitable vulnerabilities for remediation.

Classify and prioritize high risk level assets

FISMA requires all systems and data to be categorized according to risk level and organizational value. Nexpose's RealContext™ feature enables you to automatically classify assets based on their business context, prioritize risks on high-criticality assets, and immediately assign remediation tasks to the asset owner.

Automatically check for secure configurations

Use InsightVM to easily and automatically check system configuration settings across all assets in your organization against USGCB compliance requirements. InsightVM is a SCAP-validated and NIST USGCB-certified scanner with built-in policies for auditing systems against standards such as USGCB, DISA STIGs, and CIS Benchmarks.

Simplify CyberScope compliance reporting

CyberScope is a web-based reporting tool launched by the Office of Management and Budget (OMB) for Federal agencies to submit security metrics for FISMA compliance. InsightVM provides built-in CyberScope-compatible reports in XML format, simplifying and automating the monthly FISMA and USGCB compliance reporting process.

Download the FISMA Compliance Guide

The EU General Data Protection Regulation (GDPR) requires the protection of personal data of EU citizens regardless of the geographic location of the organization or the data.

The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer information.

The Health Insurance Portability and Accountability Act (HIPAA) requires that patient medical records and other protected health information (PHI) be safeguarded against security breaches.

ISO/IEC 27001 is a security management standard jointly published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC 27001 specifies security management best practices and comprehensive security controls. It is an optional standard that some organizations choose to implement, both to benefit from the best practices it contains and to reassure customers that its recommendations have been followed.

With solutions from Rapid7, you can ensure compliance in cloud environments

When using Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud service provider, security and compliance is a shared responsibility between the cloud provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that complies with the applicable directives contained within ISO/IEC 27001.

InsightCloudSec enables you to automate security and compliance with ISO/IEC 27001. InsightCloudSec provides dozens of out-of-the-box policies as part of our ISO/IEC 27001 compliance pack that map back to specific directives within ISO/IEC 27001. For example, InsightCloudSec’s policy “Access List Exposes Windows RDP to World (Security Group)” supports compliance with the “A.11.4.4 – Remote diagnostic and configuration port protection” directive in ISO/IEC 27001. You can immediately use the ISO/IEC 27001 compliance pack to identify and remediate policy violations in real time.

The North American Electric Reliability Corporation (NERC) develops standards to ensure reliability and safety for the North American bulk power system.

The EU’s 2016 NIS Directive requires “essential services” and digital service providers in the EU and UK to establish cybersecurity safeguards and incident reporting. EU agencies, EU Member States, and the UK have issued regulations and guidelines to implement the Directive.

NIS2 shifts EU cybersecurity to continuous risk management and resilience. Rapid7 helps organizations operationalize risk-based controls and maintain a defensible security posture.

The U.S. Commerce Department’s National Institute of Standards and Technology (NIST) Cybersecurity Framework is a voluntary framework, based on existing standards, guidelines, and practices. Its intention is to reduce cyber risks to critical infrastructure. The NIST Cybersecurity Framework (NIST CSF) was developed with a focus on industries vital to national and economic security, including energy, banking, communications, and the defense industrial base.

Meanwhile, NIST Special Publication 800-53 provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. The NIST 800-53 controls set the security baseline for federal agencies and contractors, and are continuously updated to address new threats and to prevent major cybersecurity incidents.

With solutions from Rapid7, you can ensure compliance in cloud environments

When using Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud service provider, security and compliance is a shared responsibility between the cloud provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that complies with the applicable directives contained within NIST CSF and NIST 800-53.

InsightCloudSec enables you to automate security and compliance with NIST CSF and NIST 800-53. InsightCloudSec provides dozens of out-of-the-box policies as part of our NIST compliance packs that map back to specific directives within NIST CSF and NIST 800-53. For example, InsightCloudSec’s policy “Cloud Account Password Policy Missing” supports compliance with the “PR.AC-1” directive in NIST CSF. You can immediately use the NIST compliance packs to identify and remediate policy violations in real time.

The New York Department of Financial Services (NYDFS) issued its Cybersecurity Regulation to require cybersecurity practices for financial institutions’ customer information and IT systems.

The Payment Card Industry Data Security Standard (PCI DSS) challenges businesses to safeguard credit cardholder information through strict protection measures.

The Security Content Automation Protocol (SCAP) is a method that uses open standards to organize and express security-related information. It's not a regulation or a mandate, but it allows federal agencies to automate a great deal of manual processes and make data standardization and comparisons a lot easier.

If you are part of a federal agency and are working toward FISMA compliance, making your security solutions SCAP compliant will help you gain efficiency in your reporting. In addition, using SCAP-compliant tools ensures that you'll be able to report on your security progress to the Department of Homeland Security, as required by FISMA, and that your security systems will all work together. This paves the way for the automation of vulnerability management tasks, including vulnerability scanning and management, checking for misconfigurations, and report generation.

Rapid7 InsightVM is SCAP validated and accredited for regulations including USGCB and FDCC, meaning any federal agency using InsightVM will be able to scan their systems for specific security controls within FISMA requirements.

The American Institute of CPAs (AICPA) Service and Organization Controls (SOC) 2 reporting standard defines criteria for how organizations should manage customer data. Many organizations, especially SaaS companies, choose to establish and follow strict information security policies and procedures that adhere to the SOC 2 standard, and to undergo regular third-party audits to certify their compliance.

With solutions from Rapid7, you can ensure compliance in cloud environments

When using Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or any other cloud service provider, security and compliance is a shared responsibility between the cloud provider and the customer. You as the customer are responsible for configuring and using cloud services in a way that complies with the applicable directives contained within SOC 2.

InsightCloudSec enables you to automate security and compliance with SOC 2. InsightCloudSec provides dozens of out-of-the-box policies as part of our SOC 2 compliance pack that map back to specific directives within SOC 2. For example, InsightCloudSec’s policy “Storage Container Exposed To The Public” supports compliance with the “C1.2, C1.3, C1.7, and CC5.6” directives in SOC 2. You can immediately use the SOC 2 compliance pack to identify and remediate policy violations in real time.
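The CIS, CSA CCM, ISO/IEC 27001, NIST, and SOC 2 sections above each describe the same pattern: a configuration policy that, when it fails on a cloud resource, maps back to one or more framework directives. The block below is an added illustration of that pattern and is not Rapid7 or InsightCloudSec code. The five policy names and the directive identifiers are the ones quoted on this page; the inventory field names (`rotation_enabled`, `root_mfa_enabled`, `ingress`, `public_access`, and so on), the sample resources, and the evaluation logic are assumptions constructed for the example.

```python
"""Illustrative compliance-as-code evaluator (added example, not Rapid7 code).

Each Rule is a check over a constructed cloud-resource inventory plus the framework
directives the page says that policy supports. Field names are assumed for the
example; they are not InsightCloudSec's data model.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Rule:
    name: str                        # policy name as quoted on the page
    mappings: Dict[str, List[str]]   # framework -> directive ids as quoted on the page
    applies_to: str                  # resource "type" the rule inspects (assumed field)
    violates: Callable[[dict], bool]  # True when the resource FAILS the policy


def rdp_open_to_world(sg: dict) -> bool:
    """Violation: an ingress rule covers TCP 3389 from an any-address CIDR."""
    for r in sg["ingress"]:
        world = r["cidr"] in ("0.0.0.0/0", "::/0")
        if r["proto"] == "tcp" and r["from_port"] <= 3389 <= r["to_port"] and world:
            return True
    return False


RULES: List[Rule] = [
    Rule("Encryption Key Not Supporting Key Rotation",
         {"CIS AWS Benchmark": ["Logging 2.8"]},
         "kms_key", lambda k: not k["rotation_enabled"]),
    Rule("Cloud Account Without Root Account MFA Protection",
         {"CSA CCM": ["AIS-04", "EKM-01", "EKM-02", "EKM-03", "GRM-06", "IAM-01",
                      "IAM-02", "IAM-04", "IAM-05", "IAM-10", "IAM-11", "IAM-12"]},
         "account", lambda a: not a["root_mfa_enabled"]),
    Rule("Access List Exposes Windows RDP to World (Security Group)",
         {"ISO/IEC 27001": ["A.11.4.4"]},
         "security_group", rdp_open_to_world),
    Rule("Cloud Account Password Policy Missing",
         {"NIST CSF": ["PR.AC-1"]},
         "account", lambda a: a.get("password_policy") is None),
    Rule("Storage Container Exposed To The Public",
         {"SOC 2": ["C1.2", "C1.3", "C1.7", "CC5.6"]},
         "storage_container", lambda b: b["public_access"]),
]

# Constructed sample inventory: a mix of compliant and non-compliant resources.
INVENTORY: List[dict] = [
    {"type": "kms_key", "id": "key-a", "rotation_enabled": False},
    {"type": "kms_key", "id": "key-b", "rotation_enabled": True},
    {"type": "account", "id": "acct-1", "root_mfa_enabled": False, "password_policy": None},
    {"type": "security_group", "id": "sg-open",
     "ingress": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "0.0.0.0/0"}]},
    {"type": "security_group", "id": "sg-internal",
     "ingress": [{"proto": "tcp", "from_port": 3389, "to_port": 3389, "cidr": "10.0.0.0/8"}]},
    {"type": "storage_container", "id": "bucket-public", "public_access": True},
    {"type": "storage_container", "id": "bucket-private", "public_access": False},
]


def evaluate(inventory: List[dict], rules: List[Rule] = RULES) -> List[dict]:
    """Return one finding per (resource, failed policy) with its directive mappings."""
    findings = []
    for res in inventory:
        for rule in rules:
            if rule.applies_to == res["type"] and rule.violates(res):
                findings.append({"resource": res["id"], "policy": rule.name,
                                 "mappings": rule.mappings})
    return findings


def directive_coverage(findings: List[dict]) -> Dict[str, Set[str]]:
    """Roll findings up to the framework directives currently failing, per framework."""
    coverage: Dict[str, Set[str]] = {}
    for f in findings:
        for framework, ids in f["mappings"].items():
            coverage.setdefault(framework, set()).update(ids)
    return coverage


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f['resource']}: {f['policy']} -> {f['mappings']}")
    print(directive_coverage(evaluate(INVENTORY)))
```

The rollup in `directive_coverage` is what turns a list of per-resource violations into the framework-level view an auditor asks for; the same finding (for example the account with no root MFA) can count against a dozen CSA CCM directives at once, which is why a single misconfiguration often dominates a compliance report.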

The Sarbanes-Oxley Act (SOX) requires that publicly traded companies ensure their internal business processes are properly monitored and managed.

Half of U.S. states have laws requiring businesses to provide security for electronic personal information, with more states taking on these requirements each year.

The United States Government Configuration Baseline (USGCB) is a United States government-wide initiative that guides federal agencies on what they can do to improve and maintain effective configuration settings focusing primarily on security. This initiative aims to create security configuration baselines for IT and security products, specifically on desktops and laptops, deployed across federal agencies. While it's not a standalone regulation like FISMA, USGCB compliance is a core requirement of FISMA.

How Rapid7 helps get you USGCB compliant

Check and report on asset settings

You can use InsightVM to easily and automatically check the settings on all the assets in your organization to make sure they're passing USGCB compliance requirements, and quickly generate reports on their status. Nexpose is both SCAP validated and a NIST USGCB-certified scanner.

Find exploitable vulnerabilities

InsightVM scans all your physical and virtual assets for vulnerabilities, misconfigurations, and malware exposure and provides the contextual risk for each found threat, so you can easily prioritize how you want to remediate or mitigate what you find. See which vulnerabilities are keeping you from achieving USGCB compliance.

Generate and submit CyberScope-compatible reports

The ability to generate a CyberScope-compatible report is a core component of Nexpose, so your monthly USGCB compliance reporting requirements can be hands-free and easier than ever. In addition, in InsightVM you can customize a number of other reports, from executive trend summaries to detailed remediation plans.