Using the Compliance dimension

IBM® Concert ingests your organization's compliance assessment data and delivers a holistic view of the compliance posture of your application environments.

The following steps provide a high-level overview of the end-to-end process to render a comprehensive view of your organization's compliance posture.
Note: The following workflow assumes you already built your application topology in Concert by uploading SBOM files or configuring data ingestion jobs from third-party tools and services.

Step 1: Upload a compliance catalog

A compliance catalog serves as the single source of truth for an organization's compliance-related policies, procedures, and standards. Concert supports compliance catalogs based on the NIST 800-53 (Rev4 for OCP and Rev5), PCI, or a custom standard.

Refer to Managing a compliance catalog for details and instructions on uploading a scan manually. You can also create custom catalogs using watsonx.ai; refer to the catalog creation using watsonx.ai topic for more details.

You can also trigger a workflow that runs a CIS compliance scan of Red Hat® Enterprise Linux® 9 (RHEL9) hosts or OpenShift Container Platform 4 (OCP4) clusters and imports the results into Concert. For importing a scan by using a Concert workflow, refer to the OCP4 scan or RHEL9 scan pages.

Step 2: Create a compliance profile

A compliance profile represents a subset of controls from a compliance catalog. Each profile specifies the set of rules against which scan results (generated by other applications) are evaluated to assess the overall compliance of your application environments. Defining a profile before uploading a compliance assessment helps ensure that the results are specific to your organization's compliance requirements.

Refer to Creating a compliance profile for details and instructions.

Step 3: Manage your compliance posture

You can either upload a compliance scan to Concert or create a compliance assessment manually. Uploading the compliance scan runs the compliance assessment, which evaluates the overall compliance of your application environments and generates a compliance score. The compliance scan must be in OSCAL or XCCDF format (XML or YAML). Concert also supports scan results from IBM Z Security Compliance Center (IBM Z SCC) and scans generated by the Trivy Kubernetes compliance scanner in JSON format.

Learn more about OSCAL models, Trivy and the XCCDF format accepted by Concert.

Once the scan is uploaded and processed, Concert provides a compliance score and other insights about the impact of compliance issues on specific environments. The compliance score is the percentage of controls with which the assessed environment was compliant, out of the total number of controls specified in the compliance profile associated with the scan. Controls in the profile that the scan did not report as compliant therefore count against the score. The compliance level (High, Medium, or Low) is derived from the calculated compliance score.

Refer to Managing compliance postures and assessments for details and instructions.

The compliance mappings feature enables you to convert existing compliance postures from one standard to another using existing compliance catalog files, eliminating the need to generate assessments repeatedly and accelerating cross-framework compliance analysis. Refer to compliance mapping for more details.

You can also use Concert Workflows to generate and import CIS Red Hat® Enterprise Linux® (RHEL9) and CIS OpenShift® Container Platform cluster version 4 (OCP4) scans.

Step 4: View compliance posture

Once you upload or create an assessment, you can see an aggregated compliance posture that gathers control statuses from multiple scan results, offering a more comprehensive view of your environment's compliance. Instead of relying on individual assessment scores, the overall environment posture provides meaningful insight into compliance status. The Posture trend graph, available within the selected posture, gives you an understanding of the overall state of your environment's compliance over time.

[Figure: Compliance dashboard showing posture score and trend over time.]

Navigate to Dimensions > Compliance to view the list of compliance postures under the Postures sub-navigation, and select the name of a posture to view a summary of its controls and assessments.

Click the posture that you want to inspect to get a list of its controls along with a graphical view under Control summary. Under Assessment history you can see all the assessments that are associated with the selected posture.

The page shows the compliance posture score, the compliance level, and the number of failed controls. A graphical view of the compliance posture assessment is also available and can be filtered by Environment or Profile.
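The score computation described under Step 3 and the aggregation of control statuses across several scans described under Step 4 are straightforward to reproduce on the XCCDF result format the page says Concert accepts. The following Python is an added worked example, not IBM Concert's own code: it parses constructed XCCDF TestResult documents, scores them against a constructed compliance profile (the percentage of profile controls that passed), derives a level from the score, and merges several scans into one posture. The High/Medium/Low thresholds, the rule that the most recent scan wins when two scans report the same control, and all rule identifiers are assumptions, since the page does not state Concert's actual values.

```python
"""Scoring XCCDF scan results against a compliance profile (added example).

Not IBM Concert's implementation. The TestResult documents, the profile's
rule list, the level thresholds and the merge rule are constructed or
assumed for illustration.
"""
from datetime import datetime
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Controls selected by the (constructed) compliance profile. The score's
# denominator is this set, not the set of rules a scan happened to report.
PROFILE_RULES = frozenset({
    "xccdf_org.example_rule_sshd_disable_root_login",
    "xccdf_org.example_rule_audit_enabled",
    "xccdf_org.example_rule_firewalld_enabled",
    "xccdf_org.example_rule_password_max_days",
    "xccdf_org.example_rule_selinux_enforcing",
})

# Assumed thresholds: minimum score (percent) for each level, checked in order.
LEVEL_THRESHOLDS = (("High", 90.0), ("Medium", 70.0), ("Low", 0.0))

# Two constructed XCCDF 1.2 TestResult documents from the same environment.
SCAN_1 = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_scan1" end-time="2024-05-01T10:00:00">
  <rule-result idref="xccdf_org.example_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_firewalld_enabled"><result>pass</result></rule-result>
</TestResult>"""

SCAN_2 = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_scan2" end-time="2024-05-08T10:00:00">
  <rule-result idref="xccdf_org.example_rule_audit_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_firewalld_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_password_max_days"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_selinux_enforcing"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_not_in_profile"><result>pass</result></rule-result>
</TestResult>"""


def parse_test_result(xml_text):
    """Return (end_time, {rule_id: result}) for one XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    end_time = datetime.fromisoformat(root.get("end-time"))
    statuses = {}
    for rule_result in root.findall("x:rule-result", XCCDF_NS):
        result = rule_result.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        statuses[rule_result.get("idref")] = result.strip()
    return end_time, statuses


def compliance_score(statuses, profile_rules=PROFILE_RULES):
    """Percentage of profile controls whose result is 'pass'.

    Profile controls the scan did not report, or reported with any result
    other than 'pass' (fail, notchecked, unknown, ...), count as non-compliant.
    Rules outside the profile are ignored.
    """
    compliant = sum(1 for rule in profile_rules if statuses.get(rule) == "pass")
    return round(100.0 * compliant / len(profile_rules), 1)


def failed_controls(statuses, profile_rules=PROFILE_RULES):
    """Number of profile controls with an explicit 'fail' result."""
    return sum(1 for rule in profile_rules if statuses.get(rule) == "fail")


def compliance_level(score, thresholds=LEVEL_THRESHOLDS):
    """Map a score to a level using the assumed thresholds."""
    for level, minimum in thresholds:
        if score >= minimum:
            return level
    return "Low"


def aggregate_posture(test_results):
    """Merge several parsed scans into one posture.

    Assumed merge rule: for each control, keep the result from the most
    recent scan that reported it, so an old scan still supplies controls
    a newer scan did not cover.
    """
    merged = {}
    for _end_time, statuses in sorted(test_results, key=lambda tr: tr[0]):
        merged.update(statuses)
    return merged


if __name__ == "__main__":
    scans = [parse_test_result(SCAN_2), parse_test_result(SCAN_1)]
    for end_time, statuses in sorted(scans, key=lambda tr: tr[0]):
        score = compliance_score(statuses)
        print(f"{end_time.date()}: score={score}% level={compliance_level(score)} "
              f"failed={failed_controls(statuses)}")
    posture = aggregate_posture(scans)
    score = compliance_score(posture)
    print(f"aggregated posture: score={score}% level={compliance_level(score)} "
          f"failed={failed_controls(posture)}")
```

The aggregated posture scores higher than either scan alone because the second scan fixed the audit control while the first still supplies the SSH control the second never checked; this is the kind of difference between "individual assessment scores" and "overall environment posture" that the page describes.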

Step 5: Provide evidence for unassessed controls

If the assessed environment is not compliant with a compliance control, you can override the noncompliant status by providing evidence to explain why the environment should be considered compliant. The evidence that you provide is evaluated by IBM watsonx to determine its validity. If valid, the State field is updated to "Assessed."

This option is useful, for example, if action taken outside of what is being tracked in Concert addresses the compliance issue.

Refer to the Providing evidence section for the steps to upload evidence.