Compliance

22 regulatory frameworks. Enforced through idempotent resources, not just scanned. Honest claims — Vigo reports what it proves.

Releasing soon: Vigo is in alpha and closing in on its first stable release. Expect breaking changes between releases until then — we're looking for testing partners with meaningful fleets across diverse architectures.

How Vigo compliance works

A configcrate claims framework controls via provides: capabilities or bundle: framework cuts. Vigo builds a coverage index at config load time, tracks per-node coverage percentages, and generates reports that clearly distinguish three categories:

Enforced

Controls satisfied by idempotent resources that Vigo actively applies. If the state drifts, Vigo corrects it. These controls are provably met through enforcement.

Attested

Controls where Vigo collects evidence (traits, scan results, Connwaer checks) but cannot enforce the requirement. For example, backup verification or capacity planning — Vigo attests to what it observes, signed and timestamped.

External

Controls outside Vigo's scope: physical security, personnel training, legal agreements, WORM archival. Honestly stated as requiring external validation.

Supported frameworks

22 compliance frameworks supported by Vigo with the controls each framework covers and the industry category.
| Framework | Controls | Category |
|---|---|---|
| HIPAA | Access controls, audit logging, encryption, session management, integrity | Healthcare |
| SOC 2 | Change management, access provisioning, monitoring, availability, confidentiality | Trust Services |
| PCI DSS v4.0 | Firewall, hardening, access control, integrity monitoring, encryption | Payment Card |
| NIST 800-53 | AC, AU, CM, IA, SC control families | Federal |
| ISO 27001 | Asset management, cryptography, operations security, communications | International |
| CIS Ubuntu | 5 configcrates, 100+ L1/L2 controls | Benchmarks |
| CIS RHEL | 5 configcrates with firewalld, SELinux, authselect | Benchmarks |
| CIS Windows 11 | 8 configcrates, account/audit/network/service policies | Benchmarks |
| HITRUST CSF | Access management, audit, encryption, configuration | Healthcare |
| GDPR | Data protection, access controls, encryption, audit logging | Privacy |
| NERC CIP | Electronic security perimeters, system hardening, access management | Energy |
| IEC 62443 | 37 system requirements across 7 FRs, zone/conduit model | Industrial |
| SOX | 12 controls, all enforced — change management, access, audit | Financial |
| FINRA | Rule 4370, BCP, WORM monitoring | Financial |
| MiFID II RTS 24 | Resilience, change management, capacity monitoring | Financial |
| FDA 21 CFR Part 11 | Access, audit, e-signatures (external) | Life Sciences |
| Cyber Essentials Plus | UK government baseline — firewall, access, patching, malware | Government |
| NY DFS 23 NYCRR 500 | 15 controls — access, encryption, audit, incident response | Financial |
| CCSS | Key storage & backup, HSM lifecycle, keyholder authorization/revocation, audit logging, proof of reserves | Cryptocurrency |
| UKGC | UK Gambling Commission Remote Technical Standards — system integrity, change control, audit logging | Gaming |
| Nevada GCB | Nevada Gaming Control Board Reg 14 — system access, change management, audit logging | Gaming |
| MGA | Malta Gaming Authority technical infrastructure — system access, integrity monitoring, audit logging | Gaming |

Compliance features

Per-node coverage tracking

Every envoy shows coverage percentage per framework. Drill into which controls are satisfied, which are missing, and which configcrates would close the gap.

Compliance waivers

File-based waivers with directory inheritance. Exempt specific controls with reason, approver, and expiration date. Three-state scoring: passing, failing, waived.

Gap recommendations

Missing controls show which configcrates would satisfy them. The web UI and CLI tell you exactly what to add to close a compliance gap.

Executive summary reports

Non-technical compliance reports for auditors and business owners. Fleet-wide coverage, per-framework breakdown, risk posture, and trend data.

GRC platform export

Push compliance evidence to Vanta, Drata, ServiceNow, or any REST API on a configurable schedule. Generic JSON format with per-standard control detail.

Connwaer active verification

Standalone agent for controls Vigo can't prove through enforcement: WORM storage integrity, RNG validation (NIST SP 800-90B), encryption at rest, network segmentation, HSM lifecycle, and 13 more capabilities.

Compliance dashboard

Per-framework coverage, Executive Summary for leadership, Audit Evidence Center for auditors, and active waivers at a glance.

[Screenshot: Vigo compliance page with per-framework coverage cards for CIS Ubuntu, HIPAA, and SOC 2, plus Executive Summary, Audit Evidence Center, and waivers panel]

See compliance in action

Free for up to 100 nodes.* All 22 frameworks included. No enterprise-only add-ons.

* Free tier is provided AS IS with no support obligation. See Commercial Terms.