Skip to content

chandrapati/CSW-Compliance-Mapping

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

62 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Cisco Secure Workload — Compliance Mapping Assets

Visitors

Customer-facing reports and matching technical runbooks that map Cisco Secure Workload (CSW) controls to thirty-four compliance, sector, and zero-trust frameworks. Every framework folder ships the same set of assets: a Markdown technical runbook (the engineering view), a DOCX report (the editable customer master), a PDF render of that report, and HTML versions of both for browser/mobile reading.

New here? Read Background — What is Cisco Secure Workload? for a one-page intro to the platform itself, then come back to pick a framework.

Executive overview — 60-second read

For a CISO / CIO skimming this for the first time.

  • What this is. A reference library that maps Cisco Secure Workload (CSW) capabilities to 34 security, regulatory, and zero-trust frameworks — so you can see which controls CSW helps you evidence, and how, before committing budget or audit hours.
  • What you get per framework. Two paired documents — a technical runbook (the engineering view: configuration steps, sample policies, exact evidence exports) and a customer-facing report (the narrative built on that work) — each in Markdown, DOCX, PDF, and HTML.
  • The core idea. CSW turns live workload behaviour — who talks to whom, on which port, via which process, and what changed — into micro-segmentation, drift tracking, and forensic-grade flow evidence. The same evidence answers the auditor ("prove the control still holds, not just on audit day") and the incident responder ("what moved laterally, and what changed"). That overlap is why segmentation shows up across PCI, HIPAA, NIST, DORA, NIS2, and the zero-trust models.
  • Where to start. New to CSW → compliance evidence playbook. Hunting a specific control → INDEX.md. Choosing a framework → the asset library table below.
  • Read this before relying on it. These mappings are informational reference only — not legal, audit, or completeness advice. They require SME review against current official sources and your assessors. Note the explicitly-labelled drafts and proposals: HIPAA 2025 NPRM is a proposed rule; CIS / CSF 2.0 / CMMC 2.0 and NERC CIP / TSA Pipeline are draft v1 cross-framework or IT-side sector overlays. See the full Disclaimer.

Why these mappings exist

Compliance frameworks were written by humans trying to describe what "good security" looks like for a class of risk. They are outcomes, not products. The hardest question a customer faces is not "what does the standard require?" — it's "for the workloads I actually defend, can I actually prove — with evidence that survives scrutiny — that the control still holds tomorrow, not just on audit day?"

These mappings exist to close that gap. For each framework, they trace specific controls (e.g. PCI DSS Req 1.2.1, HIPAA §164.312(a)(1), NIST AC-4) to concrete CSW capabilities — micro-segmentation, process-level telemetry, software inventory, vulnerability awareness, forensic flow data, and authored workload policy — and explain how those capabilities can contribute evidence for assessor review when deployed in scope.

The same workload-resident evidence that can support an auditor's review also shortens the questions defenders ask under pressure: what was talking to what, on which port, via which process, and what changed? That overlap is not a coincidence — it's why segmentation, lateral-movement visibility, and patching priority show up across PCI Req 1, HIPAA §164.312, NIST AC-4, ISO A.8.22, DORA Art. 9, NIS2 Art. 21(2)(j) and the zero-trust frameworks. Standards writers captured the failure modes people keep living through; treating those obligations as audit busywork forfeits blast-radius containment while still paying for the programme.

For the longer argument — including the five conversation-starter questions worth walking through against your own environment — see Why these mappings matter.

How the mapping works

Cisco Secure Workload Compliance Mapping Architecture

The same Secure Workload capabilities — micro-segmentation, process & flow telemetry, software inventory & CVE awareness, forensic flow evidence, and authored workload policy — are mapped, control by control, to 34 compliance and zero-trust frameworks. Each framework folder pairs an engineering runbook with a customer-facing report so the same live evidence answers both the auditor and the incident responder.


Customer design aids

Asset Use it for Formats
Compliance evidence playbook Step-by-step CSW operations for newcomers — coverage, ADM, simulation, enforce, quarterly export pack MD · PDF · DOCX · HTML
Framework Scope Design Guide Translating each compliance framework into practical CSW scope patterns, customer workshop questions, and label/tag recommendations MD · PDF
SE compliance & cyber-insurance role-play A first discovery-conversation rehearsal aid for SEs/SAs and partners — open by asking compliance needs, map pain to CSW, frame in the customer's framework, and answer the cyber-insurance / ransomware supplemental control questions honestly (what CSW covers vs. what to pair) MD · PDF · DOCX · HTML

Asset library

Coverage highlights what each framework section addresses so the whole library can be scanned in one view. The Runbook column comes first because the runbook is what proves the mapping is real and not marketing — it shows the actual configuration steps, sample policies, and evidence collection. The Report column is the customer-facing narrative built on top of that work. Format links open the asset directly; pick whichever fits the conversation you're in (see the audience and usage guide for when to reach for the runbook vs. the report).

Framework Coverage Runbook Report
HIPAA Security Rule ePHI workload isolation; investigation-supporting telemetry; BAA technical boundary evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
SOC 2 Type II Continuous CC6.x evidence (vs point-in-time samples); CC7 incident artefacts; customer due-diligence proofs MD · PDF · DOCX · HTML PDF · DOCX · HTML
PCI DSS v4.0 CDE segmentation simulation→enforce; Req 1/11 evidence inputs to validate with your QSA; CVE + EPSS + reachability prioritisation MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST SP 800-53 Rev 5 AC-4 information-flow enforcement; CA-7 continuous monitoring; CM-2/3/8 baseline + change tracking MD · PDF · DOCX · HTML PDF · DOCX · HTML
ISO/IEC 27001:2022 A.8.20–A.8.22 network segregation; A.5.19–A.5.22 supplier egress reconciliation; A.8.16 monitoring evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
CISA Zero Trust Maturity Model Networks pillar Initial→Advanced path; Applications & Workloads policy enforcement; observable maturity progression MD · PDF · DOCX · HTML PDF · DOCX · HTML
FIPS 140 Plaintext-protocol DENY enforcement; programme-level FIPS posture (cryptographic modules out of scope); 140-2→140-3 transition visibility MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST SP 800-207 (ZTA Seven Tenets) Workload-side evidence for Tenets 2/3/5/6; ZTA architecture mapping; workload-level enforcement as one possible PEP placement MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST SP 800-207A (PDP/PEP/PA/PIP, draft-derived) CSW Defend as PDP/PEP; telemetry as PIP; logical-component traceability for cloud-native ZTA MD · PDF · DOCX · HTML PDF · DOCX · HTML
DORA (EU 2022/2554) Art. 8/9 segmentation + inventory; Art. 19 incident dossier templates; Art. 28 third-party egress reconciliation MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIS2 (EU 2022/2555) Art. 21(2)(a–j) risk-management mapping; Art. 23 24 h / 72 h / 1-month dossier; Art. 21(2)(d) supply-chain egress MD · PDF · DOCX · HTML PDF · DOCX · HTML
NERC CIP (Bulk Electric System) IT-side ESP boundary hardening (CIP-005 R1); IRA evidence (CIP-005 R2); CIP-007/010 ports + baseline + VA evidence; CIP-013 vendor-egress reconciliation. IT-side scope; OT device layer out of scope. MD · PDF · DOCX · HTML PDF · DOCX · HTML
TSA Pipeline Security Directive IT-side IT/OT segmentation (Section III.A); access control + monitoring (III.B/III.C); unpatched-system risk reduction (III.D); CIRP + CAP evidence packs. IT-side scope; OT device layer out of scope. MD · PDF · DOCX · HTML PDF · DOCX · HTML
CIS Critical Security Controls v8.1 Direct on Controls 1, 2, 4, 7, 8, 13 (asset & software inventory, secure config, vuln mgmt, audit logs, network monitoring); IG2 lead with IG1/IG3 deltas called out MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST Cybersecurity Framework 2.0 Govern (GV.OV/GV.SC) evidence pack; direct coverage of ID.AM, ID.RA, PR.IR, PR.PS, DE.CM, DE.AE, RS.AN, RS.MI Subcategories MD · PDF · DOCX · HTML PDF · DOCX · HTML
CMMC 2.0 (DoD / DIB) Level 2 lead (110 controls = NIST 800-171 Rev 2): direct on AC, AU, CM, RA, SC, SI families; CUI-scope labelling pattern; L1 (FCI) and L3 (800-172) deltas MD · PDF · DOCX · HTML PDF · DOCX · HTML
IEC 62443 (IACS) Zones & conduits segmentation; IT-side OT boundary hardening; SR control evidence; pair with Cyber Vision/Claroty for OT device layer MD · PDF · DOCX · HTML PDF · DOCX · HTML
GDPR (EU 2016/679) Art. 32 security-of-processing evidence; data-flow mapping for Art. 30 RoPA; breach timeline for Art. 33/34; processor egress for Art. 28 MD · PDF · DOCX · HTML PDF · DOCX · HTML
MITRE ATT&CK (Enterprise) Tactic-by-tactic detection/prevention mapping (TA0001–TA0011, TA0040); technique-level forensic rule alignment; SOC integration guidance MD · PDF · DOCX · HTML PDF · DOCX · HTML
FedRAMP (Moderate) Moderate baseline overlay on NIST 800-53; ConMon evidence; POA&M inputs; 3PAO assessment preparation; AC-4/SC-7/CA-7/SI-4 FedRAMP parameters MD · PDF · DOCX · HTML PDF · DOCX · HTML
SWIFT CSCF (v2024) SWIFT secure zone isolation; mandatory/advisory control mapping; operator session integrity; Internet access restriction; SWIFT-specific logging MD · PDF · DOCX · HTML PDF · DOCX · HTML
HITRUST CSF (v11) Harmonized control mapping (HIPAA+ISO+NIST+PCI); e1/i1/r2 assessment level guidance; network segregation; vulnerability management; incident evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST SP 800-171 Rev. 3 CUI enclave isolation; 03.01/03.13 flow enforcement; Rev 3 family alignment with 800-53; CMMC L2 underpinning evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
CSA CCM v4 Cloud workload segmentation; IVS-09 network security; DSP data isolation; TVM reachability; STAR certification evidence support MD · PDF · DOCX · HTML PDF · DOCX · HTML
COBIT 2019 DSS05.02 network security; APO13 managed security; MEA01/02 conformance monitoring; BAI06/10 change and configuration evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
Australian Essential Eight ML1–ML3 maturity evidence; E2/E6 patch prioritisation via CVE+EPSS; E5 admin privilege path restriction; E1 application control support MD · PDF · DOCX · HTML PDF · DOCX · HTML
UK Cyber Essentials Plus CE1 workload-level firewall; CE2 secure configuration baseline; CE5 patch management evidence; Plus technical verification support MD · PDF · DOCX · HTML PDF · DOCX · HTML
HIPAA 2025 NPRM Mandatory network segmentation (§164.312(a)(2)(vi)); technology asset inventory; 24-month log retention architecture; 72-hour breach timeline; annual assessment evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML
MAS TRM Singapore financial-sector technology risk evidence; critical-system segmentation; outsourcing / third-party egress; incident investigation support MD · PDF · DOCX · HTML PDF · DOCX · HTML
APRA CPS 234 Australian prudential information security; critical information assets; control testing; service-provider dependency visibility MD · PDF · DOCX · HTML PDF · DOCX · HTML
NY DFS 23 NYCRR Part 500 Covered-system workload visibility; NPI application scope; vulnerability context; third-party service-provider egress; incident support MD · PDF · DOCX · HTML PDF · DOCX · HTML
TISAX / VDA ISA Automotive prototype and confidential engineering workload segmentation; supplier/customer egress; assessment evidence support MD · PDF · DOCX · HTML PDF · DOCX · HTML
NIST SP 800-82 OT-adjacent IT segmentation; jump hosts, historians, patch repositories, identity services, vendor access; pair with OT visibility MD · PDF · DOCX · HTML PDF · DOCX · HTML
BSI C5 Cloud service assurance; tenant/shared-service workload boundaries; cloud communication security; vulnerability and incident evidence MD · PDF · DOCX · HTML PDF · DOCX · HTML

Quickly find a control? See INDEX.md for a control-ID-keyed index across all thirty-four frameworks (e.g. PCI Req 1.2, HIPAA §164.312(a)(1), DORA Art. 9, NIS2 Art. 21(2)(d), NIST AC-4, NERC CIP-005 R1, TSA SD Section III.A, IEC 62443 SR 5.3, GDPR Art. 32, FedRAMP AC-4, SWIFT CSCF 1.4, HITRUST 01.m, MITRE TA0008, CIS Safeguard 13.4, CSF PR.IR-01, CMMC AC.L2-3.1.1, NIST 800-171 03.13.06, CSA IVS-09, COBIT DSS05.02, E8 E5, UK CE1, HIPAA NPRM §164.312(a)(2)(vi), MAS TRM, APRA CPS 234, NY DFS 500.03, TISAX ISA, NIST 800-82, BSI C5).

Cross-cutting frameworks scope note (CIS, CSF, CMMC). These three frameworks are cross-mapping / certification frameworks that intentionally overlap with the underlying NIST families already in this library. CIS Controls v8.1 is a prioritised subset of NIST 800-53; CSF 2.0 is an outcomes wrapper that cites 800-53 (and others) as Informative References; CMMC 2.0 Level 2 is NIST 800-171, which is itself a tailored subset of 800-53. Read the standalone runbook when you need the framework-native narrative (assessor language, IG/Level/Profile structure, format evidence comes in); cross-reference the 800-53 and 800-207 runbooks for the deeper control rationale. All three are draft v1 and require SME review before being relied upon in a formal compliance engagement (CMMC L2 specifically requires a C3PAO assessment regardless).

Sector frameworks scope note (NERC CIP, TSA Pipeline). Both frameworks are sector overlays whose substantive controls overlap heavily with the NIST families already in this library. The CSW mapping is on the IT side of the IT/OT boundary — EACMS, jump hosts, vendor-access servers, engineering workstations, historians, identity/PKI, and the corporate IT systems that touch BES Cyber System Information or pipeline Critical Cyber Systems. CSW does not enforce on PLCs/RTUs/IEDs/HMIs and is not certified as an Electronic Access Point (NERC) or as an OT-protocol DPI tool; pair with your boundary firewall and your OT-aware monitoring stack (Cisco Cyber Vision, Claroty, Nozomi, Dragos) for end-to-end coverage. Both runbooks and reports are draft v1 and require SME review before being relied upon in a formal compliance engagement.

Read next

  • Compliance evidence playbookstart here if you are new to CSW — universal 4-phase evidence programme, console map, quarterly export pack, and CSW effectiveness vs. manual audits.
  • Background — What is Cisco Secure Workload? — one-page intro to the platform, its agent + connector model, and the ML capabilities relevant to this repository.
  • Why these mappings matter — five conversation-starter questions to ask about your own environment, plus the case for evaluating CSW alongside what you already run.
  • Framework Scope Design Guide — customer workshop aid for translating framework obligations into CSW scopes, labels, and evidence boundaries.
  • SE compliance & cyber-insurance role-play — a discovery-conversation rehearsal aid: open by asking compliance needs, map pain to CSW, frame it in the customer's framework, and answer the cyber-insurance / ransomware supplemental honestly (what CSW covers vs. what to pair).
  • Audience and usage guide — who should lead with which document, runbook-vs-report guidance, file format guidance, and the full folder layout.
  • INDEX.md — control-ID lookup across all thirty-four frameworks.
  • CSW Epic EHR Microsegmentation Guide — step-by-step practitioner runbook for Epic tier scopes, ADM, Interconnect/HL7 policy, enforcement, and HIPAA quarterly evidence — pairs directly with the HIPAA and HITRUST runbooks in this repo.

Once GitHub Pages is enabled, the same content is also browseable at https://chandrapati.github.io/CSW-Compliance-Mapping/ (landing page index.html).

Licensing

This repository ships with Cisco's standard terms in LICENSE at the repo root — read before redistributing, forking commercially, or building derivative artefacts outside your organisation.

Disclaimer

The compliance mappings in this repository are derived from public standards and regulatory framework documents (HIPAA, SOC 2, PCI DSS, NIST SP 800-series, ISO/IEC 27001, CISA ZTMM, FIPS 140, EU DORA, EU NIS2, NERC CIP, TSA Pipeline Security Directives, CIS Critical Security Controls v8.1, NIST Cybersecurity Framework 2.0, CMMC 2.0, IEC 62443, GDPR, MITRE ATT&CK, FedRAMP, SWIFT CSCF, HITRUST CSF, NIST SP 800-171 Rev. 3, CSA Cloud Controls Matrix v4, COBIT 2019, ACSC Essential Eight, UK Cyber Essentials Plus, the HIPAA Security Rule 2025 Notice of Proposed Rulemaking (NPRM), MAS Technology Risk Management Guidelines, APRA CPS 234, NY DFS 23 NYCRR Part 500, TISAX / VDA ISA, NIST SP 800-82, and BSI C5 cross-referenced against documented Cisco Secure Workload (CSW) product capabilities at the time of authoring.

The HIPAA 2025 NPRM technical mapping interprets a proposed Security Rule update and must be reconciled against final regulatory text before formal reliance; continue parallel compliance with the current Security Rule until amendments are effective.

The NERC CIP and TSA Pipeline mappings are explicitly scoped to the IT side of the IT/OT boundary and are issued as draft v1. Treat them as sector overlays on the underlying NIST family rather than as standalone audit references.

The CIS Controls v8.1, NIST CSF 2.0, and CMMC 2.0 mappings are issued as draft v1 and are cross-mapping frameworks that intentionally overlap with the underlying NIST families already in this library. CMMC Level 2 assessment is performed by a Certified Third-Party Assessor Organisation (C3PAO); nothing in this repository substitutes for the System Security Plan (SSP), Plan of Action & Milestones (POA&M), or the C3PAO engagement.

All mappings require subject-matter-expert review for both regulatory / framework accuracy and current Cisco product capability before being relied upon in a formal compliance engagement.

These materials are provided for informational and reference purposes only. They do not constitute legal, regulatory, or audit advice, are not warranted to be complete, current, or fit for any specific compliance program, and should not be relied upon as a substitute for review by your own qualified compliance, legal, and audit professionals.

Standards evolve, product capabilities change, and the applicability of any specific control depends on each organization's environment, deployment, and risk posture. Always validate against the latest official source documents before formal use.

Guidelines. The capability bullets in Background — What is Cisco Secure Workload? describe how teams commonly use Cisco Secure Workload. They are not a completeness check for your estate — apply professional judgment, align with your assessors, and tailor to how you run operations.

For questions, scoping discussions, or to validate how these mappings apply to your environment, please contact your Cisco account team.


Step-by-Step Guides

Legend: 🎬 video · 📘 guide · 📄 doc

Hands-on integration and deployment guides — follow these top to bottom to build out a deployment:

Guide Description Best for
📘 Agent Installation Deploy CSW agents on Linux / Windows / cloud Day-1 sensor deployment
📘 Policy Lifecycle Policy discovery → enforcement workflow Policy management
📘 ISE / pxGrid ISE/pxGrid: user-identity–aware microsegmentation Identity & Zero Trust
📘 AnyConnect NVM Endpoint process flows + user identity via NVM Endpoint telemetry
📘 ServiceNow CMDB ServiceNow CMDB label enrichment for workload scopes CMDB-driven policy
📘 Infoblox Infoblox IPAM/DNS extensible-attribute label enrichment IPAM/DNS-driven policy
📘 F5 BIG-IP F5 virtual-server labels, policy enforcement, IPFIX flow visibility Load balancer segmentation
📘 NetScaler ADC NetScaler LB virtual-server labels, ACL enforcement + AppFlow/IPFIX flow visibility Load balancer segmentation
📘 AWS Connector EC2 tag ingestion + VPC flow logs + Security Group enforcement AWS workloads
📘 Azure Connector Azure VM tag ingestion + VNet flow logs + NSG enforcement Azure workloads
📘 GCP Connector GCE label ingestion + VPC flow logs + firewall enforcement GCP workloads
📘 NetFlow NetFlow v9/IPFIX agentless flow ingestion from switches Network fabric visibility
📘 ERSPAN Agentless packet mirroring for legacy / OT / IoT devices Deep agentless visibility
📘 Secure Firewall NSEL flow ingestion from Cisco Secure Firewall (FTD/ASA) Firewall flow visibility
📘 Splunk Integration CSW syslog alerts → Splunk SIEM SecOps / SIEM teams

Resources

Legend: 🎬 video · 📘 guide · 📄 doc

Learning paths, reference material, and day-2 tooling:

Resource Description Best for
📘 User Education Onboarding guides, concept explainers, and curated video library New CSW users
📘 Compliance Mapping Map CSW controls to NIST, PCI-DSS, HIPAA, CIS Compliance & audit
📘 Tenant Insights Tenant-level reporting and analytics Visibility metrics
📘 Operations Toolkit Day-2 ops scripts: health checks, reporting, policy analysis Ongoing operations
📄 Supported OS & Compatibility Matrix Cisco's authoritative list of supported agent operating systems, external systems, and connector requirements Platform planning & prerequisites

Suggested customer journey: User Education → Agent Installation → Policy Lifecycle → ISE/pxGrid → ServiceNow CMDB → Infoblox → F5 BIG-IP → NetScaler ADC → Splunk Integration → Compliance Mapping → Operations Toolkit

About

Cisco Secure Workload (CSW) compliance mapping assets — customer-facing reports and SA/SE technical runbooks for HIPAA, SOC 2, PCI DSS v4, NIST 800-53, ISO 27001:2022, CISA ZTMM, and FIPS 140.

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors