NIST, FedRAMP, CMMC, SOC 2, and HIPAA, all mapped from one scan.
A single CIS benchmark scan produces evidence for NIST 800-53, FedRAMP Moderate/High, CMMC Level 2, SOC 2 Type II, HIPAA, and CCPA, with air-gapped support for federal classified environments.
US compliance at a glance, for fast retrieval.
Atomic factual claims auditors and search engines can cite verbatim.
- Federal frameworks: NIST 800-53, FedRAMP, CMMC, FISMA, NIST 800-171
- Healthcare: HIPAA Security Rule technical safeguards
- Privacy: CCPA, CPRA, state-level privacy laws
- Financial: SOC 2 Type II, NYDFS, GLBA
- Defense: CMMC Level 2, IL4/IL5 deployment for DIB
- Air-gapped support: Yes, required for FedRAMP High, IL4, IL5
- FedRAMP baselines: Moderate and High supported
Compliance in the United States.
US compliance is the most fragmented regulatory market in the world. Federal civilian (FedRAMP, FISMA), defense (CMMC, IL4/IL5), healthcare (HIPAA), financial services (NYDFS Cybersecurity Regulation, GLBA), state-level privacy (CCPA, CPRA, Texas DPSA, Colorado CPA, Virginia CDPA, and a dozen more), and sector-specific frameworks (PCI-DSS for cards, NERC CIP for power) all coexist. The common thread across the technical-controls layer is NIST 800-53 (directly or by derivation), and CIS benchmarks remain the most widely cited configuration baseline. CISGuard maps a single scan to all of these simultaneously.
Frameworks CISGuard maps for the US.
Each scan generates per-framework reports showing satisfied / partial / not-met status.
| Framework | Scope | Authority |
|---|---|---|
| NIST 800-53 | Federal information systems | NIST + agency authorizing officials |
| FedRAMP | Federal cloud authorization | FedRAMP PMO + JAB |
| CMMC | Defense Industrial Base cybersecurity | DoD Cyber-AB |
| HIPAA Security Rule | Healthcare protected health information | HHS OCR |
| SOC 2 Type II | Service organization trust services | AICPA |
| PCI-DSS | Payment card data | PCI SSC + card brands |
| CCPA / CPRA | California consumer privacy | California Privacy Protection Agency |
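The satisfied / partial / not-met roll-up described above can be computed from per-recommendation scan results as follows. This is an added illustrative example, not CISGuard's own code or mapping: the NIST 800-53 and HIPAA §164.312 control identifiers are real, but the CIS recommendation numbers, the CIS-to-framework mapping and the scan results are constructed.

```python
from collections import defaultdict

# Constructed mapping: CIS benchmark recommendation -> framework controls it supports.
# NIST 800-53 Rev. 5 and HIPAA §164.312 identifiers are real; the mapping itself is
# illustrative and not CISGuard's actual mapping.
CIS_TO_FRAMEWORK = {
    "1.1.1": {"NIST 800-53": ["CM-6"], "HIPAA": ["164.312(c)(1)"]},
    "4.1.1": {"NIST 800-53": ["AU-2", "AU-12"], "HIPAA": ["164.312(b)"]},
    "4.1.2": {"NIST 800-53": ["AU-2", "AU-12"], "HIPAA": ["164.312(b)"]},
    "5.2.1": {"NIST 800-53": ["AC-17", "IA-2"], "HIPAA": ["164.312(a)(1)"]},
    "5.2.2": {"NIST 800-53": ["AC-17"], "HIPAA": ["164.312(a)(1)"]},
    "5.2.3": {"NIST 800-53": ["SC-8"], "HIPAA": ["164.312(e)(1)"]},
}

def rollup(scan_results):
    """Roll per-recommendation pass/fail results up to per-framework control status.

    A framework control is 'satisfied' when every mapped recommendation passed,
    'not-met' when every one failed, 'partial' when results are mixed, and
    'no-evidence' when none of its mapped recommendations were scanned at all
    (so a gap in scan coverage is never reported as compliance).
    """
    mapped = defaultdict(lambda: defaultdict(list))
    for rec_id, frameworks in CIS_TO_FRAMEWORK.items():
        for framework, controls in frameworks.items():
            for ctrl in controls:
                mapped[framework][ctrl].append(rec_id)
    report = {}
    for framework, controls in mapped.items():
        report[framework] = {}
        for ctrl, rec_ids in controls.items():
            results = [scan_results[r] for r in rec_ids if r in scan_results]
            if not results:
                status = "no-evidence"
            elif all(results):
                status = "satisfied"
            elif not any(results):
                status = "not-met"
            else:
                status = "partial"
            report[framework][ctrl] = status
    return report

# Constructed scan results for one host: True means the recommendation passed.
SAMPLE_SCAN = {"1.1.1": True, "4.1.1": True, "4.1.2": False,
               "5.2.1": True, "5.2.2": True, "5.2.3": False}

if __name__ == "__main__":
    for framework, controls in sorted(rollup(SAMPLE_SCAN).items()):
        print(framework)
        for ctrl, status in sorted(controls.items()):
            print(f"  {ctrl:16} {status}")
```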
Sovereignty and residency, solved by architecture.
US sovereignty requirements vary dramatically by sector. Federal civilian workloads are tightly bounded by FedRAMP: the platform must operate within authorized cloud environments (Moderate or High). Defense workloads add IL4 (CUI) and IL5 (NSS) constraints, requiring DoD-impact-level-certified cloud providers and often air-gapped operation. Healthcare (HIPAA) imposes business-associate-agreement obligations, with state-level breach notification regimes overlaying federal requirements. CISGuard supports all three deployment patterns: standard cloud for commercial, FedRAMP-authorized environments for federal civilian, and air-gapped IL4/IL5 deployment for defense.
Three ways to deploy in the US.
On-premises (commercial)
Standard single-tenant deployment in customer-controlled US infrastructure. Used by healthcare systems, financial services, and SaaS providers pursuing SOC 2 Type II.
FedRAMP-authorized cloud (Moderate / High)
Deployed within AWS GovCloud (US-East / US-West), Azure Government, Google Cloud Government, or equivalent FedRAMP-authorized environments for federal civilian workloads.
Air-gapped (IL4 / IL5)
Zero outbound connectivity. CIS benchmark updates ship on signed media through DoD-approved channels. Required for DoD IL4 (CUI) and IL5 (National Security Systems) environments.
US in practice.
US Healthcare System: HIPAA Continuous Evidence at Scale
A US health system replaced quarterly HIPAA Security Rule assessments with continuous CISGuard scanning across 8,400 endpoints, eliminating spreadsheet-based evidence collection.
US questions, answered directly.
Does CISGuard support FedRAMP authorization?
Yes. CISGuard maps 50 NIST 800-53 Rev. 5 controls across the 20 control families that underpin FedRAMP Moderate and High baselines. Continuous Monitoring (CA-7) is satisfied automatically. Air-gapped deployment is available for FedRAMP High and IL4/IL5 environments where outbound connectivity is prohibited.
Is CISGuard suitable for CMMC Level 2 assessment?
Yes. CMMC Level 2 aligns with NIST SP 800-171, which derives from NIST 800-53. CISGuard's NIST 800-53 mapping covers approximately 80% of CMMC Level 2 practice requirements through CIS benchmark scanning. Exception management documents compensating controls for the remaining practices, supplying the practice-level evidence assessors need.
How does CISGuard support HIPAA Security Rule compliance?
CIS benchmark hardening directly satisfies HIPAA §164.312 technical safeguards (access control, audit controls, integrity, transmission security). Continuous monitoring addresses the §164.308(a)(1)(ii) ongoing risk assessment requirement. The Framework Coverage Report shows per-safeguard satisfaction status with underlying CIS controls: auditor-grade evidence for OCR investigations.
Can CISGuard generate SOC 2 Type II evidence?
Yes. CISGuard maps 26 Trust Services Criteria, primarily in CC6 (Access), CC7 (System Operations), CC8 (Change Management), and CC9 (Risk Mitigation). The 12-month historical posture trend provides the "over a period" evidence Type II requires. Big 4, Schellman, Coalfire, A-LIGN, and BARR Advisory all consume CISGuard reports directly.
Does CISGuard help with state privacy laws (CCPA, CPRA)?
Yes. CCPA/CPRA require "reasonable security", and California AG guidance has explicitly cited the CIS Controls as a reasonable-security baseline. CISGuard's continuous CIS benchmark scanning produces the technical evidence that California AG enforcement actions and class-action defenses rely on. The same evidence supports Colorado CPA, Virginia CDPA, and Texas DPSA technical-measures requirements.
Ready to deploy in the US?
Our compliance engineers have helped organizations across the US achieve regulatory readiness in as little as one business day.