Using CFEngine to Ensure IT Compliance

CFEngine can significantly simplify the implementation and compliance of IT regulations and security policies. Our decentralized, small-footprint agent architecture ensures continuous system-wide monitoring and automatic self-repair - no matter how large or complex the infrastructure.

CFEngine Enterprise can provide IT compliance reports and complete audits in hours instead of weeks. Here is a partial list of the common compliance regulations and policies that CFEngine can uphold:


The Payment Card Industry Data Security Standard, also known as PCI DSS is a set of requirements for enhancing payment account data security. Developed by the PCI Security Standards Council -- including American Express, MasterCard, Visa and others -- it helps facilitate the global adoption of consistent data security measures.  PCI DSS is composed of high-level requirements designed to secure and protect customer payment data. If you store, process or transmit any cardholder data electronically or manually, then your business must comply with PCI-DSS.

Learn more »

SOX 404
The Sarbanes-Oxley (SOX) act is a U.S. law that requires publicly-traded companies to secure the integrity of organizational and financial data. The law makes a company’s senior management directly responsible for introducing measures for good governance.  SOX compliance is not a purely technical matter -- it also encompasses human information trails, and is subject to interpretation of special auditors that judge compliance with the law.

Learn more »

Service providers can be required to demonstrate good governance. The "Statement on Auditing Standards (SAS) No. 70, Service Organizations", is an auditing standard developed by the American Institute of Certified Public Accountants ( that has evolved into a well-accepted standard for best-practice among service providers.  SAS-70 does not specify an explicit checklist for an audit, rather service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting.

Learn more »

IT Best Practices

The IT Infrastructure Library of 'best practices' is rapidly becoming a core standard for industries around the world. It is a framework of guidance for IT governance and human process management, applied to the IT industry.  It introduces many concepts, iincluding the Configuration Management Database (CMDB).  In particular, the Build-Deploy-Manage-Audit model that neatly captures the IT system life-cycle.

Learn more »

The Control Objectives for Information and related Technology (COBIT) is an alternative effort to describe best practices (framework) for information technology management. COBIT provides not only IT users, but also managers and auditors with a set of generally accepted measures, indicators, processes and best practices to assist them in recording and maximizing the benefits derived through the use of information technology. 

Learn more »

ISO 27k
The ISO/IEC 27000-series numbering (ISO27k) is a family of information security management standards derived from British Standard BS 7799. These documents provide general advice about IT procedures and technology usage for risk and continuity management. As with other frameworks, no specific checklist of technical requirements is defined, but best practices are recommended.

Learn more »


The Security Technical Implementation Guides (STIGs) are a method for standardized secure installation and maintenance of computer software and hardware created by the Defense Information Systems Agency (DISA) that provides configuration documents in support of the United States Department of Defense (DoD).

See an example of using CFEngine 3 for STIGs compliance »


Learn more:

Contact us for more information on how CFEngine can help you ensure IT Compliance »