Managing a compliance catalog

You can upload compliance catalogs to IBM® Concert to process and prioritize compliance-related results across your applications and environments. A compliance catalog contains a set of security or privacy controls; each control defines one aspect of the information system, and what that aspect is depends on the compliance requirement or guideline the catalog comes from. You can also remove catalogs from Concert when you no longer need them.

In the context of compliance scans, the low, moderate, and high baselines are the sets of controls selected from a catalog for a system at the corresponding impact level. A higher baseline includes more controls, so choosing a baseline sets the level of scrutiny that your organization's compliance scans apply.

Compliance catalogs are published by standards or regulatory bodies, or you can create your own as long as they adhere to the OSCAL format (NIST's Open Security Controls Assessment Language). These catalogs are the reference that organizations assess themselves against to show that they comply with regulations and industry standards. OSCAL provides a machine-readable representation of controls, security plans, assessment plans, and assessment results.

Before you begin

You can bring a catalog into Concert in several ways. The Concert library lists a few standard catalogs that you can choose from, or you can add your catalog to the Concert public Git repository for catalogs and select it from there.

  • From standards library - You can choose from the catalogs available within Concert or upload a custom catalog. Concert provides NIST 800-53, FedRAMP, ARS, PCI, SOC2, CIS, and Red Hat OpenShift Container Platform catalogs to choose from. For CIS catalog version 8.0, Concert supports the RHEL Benchmark and the OpenShift Benchmark.

    Click Add catalog and select From standards library to choose one or more catalogs from the Concert library.

  • From Git - You can also add a catalog to the Concert public Git repository for catalogs and choose it from Git.

    Click Add catalog and select From standards library, then click public Git repository to select your catalog from Git.

If you have a custom catalog, or want to use a catalog that is not available in the standards library, you can upload a catalog from your device. The steps are described in the following section.

Instructions to upload a catalog from your device

To upload a compliance catalog to Concert from your device:

  1. Navigate to Dimensions > Compliance.
  2. Choose Catalogs from the subnavigation.
  3. Click Add catalog.
  4. Click From file to choose a file from your device or click From standards library to choose from available catalogs within Concert.
  5. Select catalog from your device or from the available library in Concert.
    Note: While choosing catalog from available library in Concert, you can use the option Preview catalog details to see corresponding component definitions for the selected catalog. Choose one or more catalogs from the list and click Add.
  6. After selecting the catalog, click Upload.
    Note: The compliance catalog must be a JSON file in OSCAL format, and the file size must not exceed 2 MB.

Once processed, the uploaded catalog appears in the list. Click the name of a catalog to view its details, including the control ID, name, class, catalog, and tags for each control. Expand a row to see the detailed description of that control. You can also click Ask watsonx to start a chat with watsonx.

Component definition for catalogs

Concert supports component definitions for the CIS controls catalog (OpenShift Container Platform 4 and Red Hat Enterprise Linux 9 only). You can upload component definitions for multiple benchmarks within a catalog, and you can import scan results from tools (OpenSCAP and OSCO) into Concert.

To view and upload a component definition to the catalog:

  1. Navigate to Dimensions > Compliance.
  2. Click Catalogs from the subnavigation.
  3. From the overflow menu against a catalog, choose Component definitions.
  4. View the existing component definitions for the catalog, or click Upload component definitions + to add a new one.
  5. Choose a file in OSCAL format from your device that is smaller than 10 MB, then click Upload.

The new component definition can be seen under the Component definitions tab under Catalog.
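Both uploads above depend on the file being valid OSCAL JSON within the stated size limit, and a component definition is only useful if the control IDs it implements exist in the catalog it is attached to. The following added example (not Concert's own validator, and not code from the product) runs those checks locally before an upload: the 2 MB catalog limit, the 10 MB component-definition limit, the OSCAL root object, the required `uuid` and `metadata` fields, duplicate or empty control IDs, and dangling `control-id` references. The sample catalog and component definition are constructed for the example; their titles, IDs and UUIDs are illustrative only, and Concert's server-side validation may apply additional rules.

```python
"""Pre-upload checks for OSCAL catalog and component-definition JSON (added example)."""
import json
from collections import Counter

CATALOG_MAX_BYTES = 2 * 1024 * 1024          # 2 MB limit stated for catalog uploads
COMPONENT_DEF_MAX_BYTES = 10 * 1024 * 1024   # 10 MB limit stated for component definitions


def iter_controls(node):
    """Yield (id, title, class) for every control under an OSCAL catalog node.

    OSCAL places controls at the catalog root, inside (possibly nested) groups,
    and as enhancements nested inside other controls, so recurse through all three.
    """
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control.get("id", ""), control.get("title", ""), control.get("class", "")
        yield from iter_controls(control)


def _load(raw, root_key, max_bytes):
    """Parse raw bytes as JSON; return (errors, OSCAL root object or None)."""
    errors = []
    if len(raw) > max_bytes:
        errors.append(f"file is {len(raw)} bytes; limit is {max_bytes}")
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        return errors + [f"not valid JSON: {exc}"], None
    root = doc.get(root_key) if isinstance(doc, dict) else None
    if root is None:
        return errors + [f"top-level '{root_key}' object missing; export the OSCAL "
                         "document as JSON, not XML or YAML"], None
    for key in ("uuid", "metadata"):   # required on every OSCAL root object
        if key not in root:
            errors.append(f"{root_key}.{key} is required by OSCAL but missing")
    return errors, root


def check_catalog(raw):
    """Return (errors, control_ids) for an OSCAL catalog given as JSON bytes."""
    errors, cat = _load(raw, "catalog", CATALOG_MAX_BYTES)
    if cat is None:
        return errors, []
    ids = [cid for cid, _, _ in iter_controls(cat)]
    if not ids:
        errors.append("catalog defines no controls")
    if "" in ids:
        errors.append("a control has no id")
    dupes = sorted(cid for cid, n in Counter(ids).items() if n > 1)
    if dupes:
        errors.append(f"duplicate control ids: {dupes}")
    return errors, ids


def check_component_definition(raw, catalog_ids):
    """Return (errors, referenced_ids); every implemented requirement must point
    at a control that exists in the catalog the definition is attached to."""
    errors, cdef = _load(raw, "component-definition", COMPONENT_DEF_MAX_BYTES)
    if cdef is None:
        return errors, []
    referenced = [
        req.get("control-id", "")
        for comp in cdef.get("components", [])
        for impl in comp.get("control-implementations", [])
        for req in impl.get("implemented-requirements", [])
    ]
    if not referenced:
        errors.append("component definition implements no controls")
    unknown = sorted(set(referenced) - set(catalog_ids))
    if unknown:
        errors.append(f"control ids not in catalog: {unknown}")
    return errors, referenced


# Constructed sample input (not a real benchmark): a two-control catalog in the
# shape of a CIS benchmark, and a component definition that references one
# control that exists (1.1.1) and one that does not (9.9.9).
_META = {"title": "Sample benchmark", "version": "1.0",
         "oscal-version": "1.1.2", "last-modified": "2024-01-01T00:00:00Z"}
SAMPLE_CATALOG = json.dumps({"catalog": {
    "uuid": "a1d2b2a1-0000-4000-8000-000000000001", "metadata": _META,
    "groups": [{"id": "s1", "title": "Control plane", "controls": [
        {"id": "1.1.1", "title": "API server file permissions", "class": "Level 1"},
        {"id": "1.1.2", "title": "API server file ownership", "class": "Level 1"},
    ]}],
}}).encode()
SAMPLE_COMPONENT_DEF = json.dumps({"component-definition": {
    "uuid": "a1d2b2a1-0000-4000-8000-000000000002", "metadata": _META,
    "components": [{"uuid": "a1d2b2a1-0000-4000-8000-000000000003", "type": "software",
                    "title": "cluster", "description": "sample",
                    "control-implementations": [{
                        "uuid": "a1d2b2a1-0000-4000-8000-000000000004",
                        "source": "sample-catalog.json", "description": "sample",
                        "implemented-requirements": [
                            {"uuid": "a1d2b2a1-0000-4000-8000-000000000005",
                             "control-id": "1.1.1", "description": "implemented"},
                            {"uuid": "a1d2b2a1-0000-4000-8000-000000000006",
                             "control-id": "9.9.9", "description": "dangling reference"},
                        ]}]}],
}}).encode()

if __name__ == "__main__":
    cat_errors, ids = check_catalog(SAMPLE_CATALOG)
    print("catalog:", cat_errors or "ok", ids)
    cd_errors, refs = check_component_definition(SAMPLE_COMPONENT_DEF, ids)
    print("component definition:", cd_errors or "ok", refs)
```

Run it against your real files by replacing the sample bytes with `open(path, "rb").read()`; a non-empty error list means the upload would be rejected or, for a dangling `control-id`, would attach requirements that never map to a catalog control and so never show up in scan results for that catalog.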

Deleting a catalog from Concert

You can remove catalogs from Concert if you no longer need them.

  1. Navigate to Dimensions > Compliance.
  2. Click Catalogs from the subnavigation.
  3. From the overflow menu against the catalog that you want to remove (for example, the CIS controls catalog), choose Delete.

Next step: Create a compliance profile

A compliance profile represents a baseline (high, moderate, and low) of selected controls from one or more compliance catalogs. Refer to Creating a compliance profile for instructions.