Compliance
22 regulatory frameworks. Enforced through idempotent resources, not just scanned. Honest claims — Vigo reports what it proves.
How Vigo compliance works
Every module can declare compliance tags that map its resources to framework controls. Vigo builds a coverage index from those tags at config load time, tracks per-node coverage percentages, and generates reports that clearly distinguish three categories:
Enforced
Controls satisfied by idempotent resources that Vigo actively applies. If the state drifts, Vigo corrects it. These controls are provably met through enforcement.
Monitored
Controls where Vigo collects evidence (traits, scan results) but cannot enforce the requirement. For example, backup verification or capacity planning — Vigo can observe but not guarantee.
External
Controls outside Vigo's scope: physical security, personnel training, legal agreements, WORM archival. Honestly stated as requiring external validation.
Supported frameworks
| Framework | Controls | Category |
|---|---|---|
| HIPAA | Access controls, audit logging, encryption, session management, integrity | Healthcare |
| SOC 2 | Change management, access provisioning, monitoring, availability, confidentiality | Trust Services |
| PCI DSS v4.0 | Firewall, hardening, access control, integrity monitoring, encryption | Payment Card |
| NIST 800-53 | AC, AU, CM, IA, SC control families | Federal |
| ISO 27001 | Asset management, cryptography, operations security, communications | International |
| CIS Ubuntu | 5 modules, 100+ L1/L2 controls | Benchmarks |
| CIS RHEL | 5 modules with firewalld, SELinux, authselect | Benchmarks |
| CIS Windows Server | 8 modules, account/audit/network/service policies | Benchmarks |
| HITRUST CSF | Access management, audit, encryption, configuration | Healthcare |
| GDPR | Data protection, access controls, encryption, audit logging | Privacy |
| NERC CIP | Electronic security perimeters, system hardening, access management | Energy |
| IEC 62443 | 37 system requirements across 7 FRs, zone/conduit model | Industrial |
| SOX | 12 controls, all enforced — change management, access, audit | Financial |
| FINRA | Rule 4370, BCP, WORM monitoring | Financial |
| MiFID II RTS 7 | Resilience, change management, capacity monitoring | Financial |
| CCSS | Key storage, network security | Cryptocurrency |
| FDA 21 CFR Part 11 | Access, audit, e-signatures (external) | Life Sciences |
| Gaming Commission | Nevada, Malta, UKGC — integrity, availability, RNG (external) | Gaming |
| DISA STIG | DoD hardening baselines | Defense |
| Cyber Essentials | UK government baseline — firewall, access, patching, malware | Government |
| ABA Cybersecurity | ABA 477R + Model Rules 1.1/1.6 — 18 controls for law firms | Legal |
| NY DFS 23 NYCRR 500 | 15 controls — access, encryption, audit, incident response | Financial |
Compliance features
Per-node coverage tracking
Every envoy shows coverage percentage per framework. Drill into which controls are satisfied, which are missing, and which modules would close the gap.
Compliance waivers
File-based waivers with directory inheritance. Exempt specific controls with reason, approver, and expiration date. Three-state scoring: passing, failing, waived.
Gap recommendations
Missing controls show which modules would satisfy them. The web UI and CLI tell you exactly what to add to close a compliance gap.
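The Python below is an added illustration, not Vigo's own code or configuration format: it models the mechanism described under "How Vigo compliance works" together with the coverage, waiver and gap features above. Modules tag controls as enforced or monitored, a coverage index is built once, and each node is scored passing, failing or waived, with expired waivers ignored and missing controls pointing at the modules that would close the gap; module names, control IDs, approver and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
# Constructed example, not Vigo's own code or config format: a coverage index
# built from module compliance tags, then scored per node with expiring waivers.
ENFORCED, MONITORED, EXTERNAL = "enforced", "monitored", "external"
# Hypothetical modules: name -> {control id: how the module covers that control}
MODULES = {
    "ssh-hardening": {"HIPAA-164.312(a)": ENFORCED, "HIPAA-164.312(d)": ENFORCED},
    "auditd": {"HIPAA-164.312(b)": ENFORCED},
    "backup-check": {"HIPAA-164.308(a)(7)": MONITORED},
}
# Controls the framework requires; no module tags 164.310(a) (physical), so it is external.
HIPAA = ["HIPAA-164.312(a)", "HIPAA-164.312(b)", "HIPAA-164.312(d)",
         "HIPAA-164.308(a)(7)", "HIPAA-164.310(a)"]

@dataclass(frozen=True)
class Waiver:
    control: str
    reason: str
    approver: str
    expires: date

def build_coverage_index(modules):
    """control id -> {module: category}; built once at config load time."""
    index = {}
    for name, tags in modules.items():
        for control, category in tags.items():
            index.setdefault(control, {})[name] = category
    return index

def score_node(controls, applied, waivers, today, modules=MODULES):
    """Returns ({control: (category, state, modules that would close the gap)}, coverage %)."""
    index = build_coverage_index(modules)
    active = {w.control for w in waivers if w.expires >= today}  # expired waivers do not count
    report, met = {}, 0
    for c in controls:
        providers = index.get(c, {})
        cats = set(providers.values())
        category = ENFORCED if ENFORCED in cats else MONITORED if cats else EXTERNAL
        state = "waived" if c in active else "passing" if any(m in applied for m in providers) else "failing"
        met += state != "failing"
        gap = sorted(m for m in providers if m not in applied) if state == "failing" else []
        report[c] = (category, state, gap)
    return report, round(100 * met / len(controls))

def example_node():
    """Constructed node: SSH hardened, auditd not yet rolled out, one waiver already expired."""
    waivers = [Waiver("HIPAA-164.310(a)", "colo provider attests physical controls", "ciso", date(2030, 1, 1)),
               Waiver("HIPAA-164.312(b)", "auditd rollout pending", "ciso", date(2024, 1, 1))]
    return score_node(HIPAA, {"ssh-hardening"}, waivers, date(2025, 6, 1))
```

Because the expired waiver on 164.312(b) is ignored, that control scores failing with "auditd" as the recommended module, and the node lands at 60% coverage rather than the 80% a naive waiver check would report.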
Executive summary reports
Non-technical compliance reports for auditors and business owners. Fleet-wide coverage, per-framework breakdown, risk posture, and trend data.
GRC platform export
Push compliance evidence to Vanta, Drata, ServiceNow, or any REST API on a configurable schedule. Generic JSON format with per-standard control detail.
Connwaer active verification
Standalone agent for controls Vigo can't prove through enforcement: WORM storage integrity, RNG validation (NIST SP 800-22), encryption at rest, network segmentation, HSM lifecycle, and 13 more capabilities.
See compliance in action
Free for 25 nodes.* All 22 frameworks included. No enterprise-only add-ons.
* Free tier is for evaluation purposes only and is provided AS IS with no support obligation. See Commercial Terms.