Compliance Automation in Practice
How we help build the community standard for CIS and STIG compliance — and what that means for your infrastructure
The Challenge With Compliance
Compliance frameworks like CIS Benchmarks and DISA STIGs are not static. They update regularly, covering new controls, revised guidance, and expanded platform support. Keeping infrastructure aligned manually is slow, error-prone, and leaves gaps that typically only surface at audit time.
Security teams spend days running checks that automation could handle in minutes. And when a framework releases a new version, the cycle starts over. Without a structured, automated approach, compliance becomes a reactive exercise rather than a built-in property of your infrastructure.
Our Approach
The answer is not just automation. It is automation that is auditable, peer-reviewed, and built against the same standards your auditors use. Every control should be traceable back to the framework it implements, and every change should be tested against real infrastructure before it reaches production.
Our methodology follows four principles:
Automate
Replace manual checks and remediation with idempotent Ansible roles that can be run repeatedly without side effects.
Audit
Every control maps directly to a framework requirement. Nothing is assumed — every role is tested against real system states.
Validate
Community scrutiny catches what internal review misses. Open development surfaces edge cases across a far wider range of environments than any single organisation sees.
Sustain
Frameworks evolve. Roles must evolve with them. Ongoing maintenance is built into how we work, not bolted on afterwards.
Ansible-Lockdown: The Proof
Ansible-Lockdown is this methodology in action. It is the community's leading open-source project delivering audited, security-hardened Ansible roles implementing CIS Benchmarks and DISA STIGs across major Linux and Windows platforms. The project is relied upon by security teams across government, defence, and enterprise worldwide.
Krameff are part of the core implementation and design team behind Ansible-Lockdown. We do not just use the project — we shape it. The architecture decisions, control mappings, testing approach, and release cadence are things we have direct influence over. That means when we work with your environment, we bring a depth of understanding that goes well beyond what any user of the project could offer.
Community Leading
Hundreds of audited roles covering CIS Benchmarks and DISA STIGs, continuously maintained against the latest framework releases
Widely Trusted
Used by security and compliance professionals in government, defence, and enterprise — reviewed and validated across thousands of real environments
Actively Maintained
Framework updates are tracked and implemented as they are released — so compliance automation stays current without manual intervention
What It Covers
Frameworks
- CIS Benchmarks — Level 1 & Level 2
- DISA STIG (Security Technical Implementation Guides)
- NIST 800-53 aligned controls
Linux Platforms
- RHEL / Rocky Linux / CentOS Stream
- Ubuntu / Debian
- Amazon Linux
- SUSE Linux Enterprise
Windows Platforms
- Windows Server 2019
- Windows Server 2022
Cloud & Virtualisation
- AWS EC2
- Azure VMs
- GCP Compute
- VMware / on-premises
What This Means For Your Environment
A default compliance role gets you most of the way there. Your environment, your applications, and your operational requirements do the rest. Off-the-shelf roles apply controls as written. Real environments need controls applied as appropriate.
We bring primary maintainer knowledge to that gap. We understand why each control exists, what the framework intends it to achieve, and where it is reasonable to tune versus enforce. That context is what makes the difference between a compliant system on paper and one that holds up in practice.
Role Tuning
Adjusting controls to fit your specific configuration — working exceptions, site-specific requirements, and application compatibility — without losing the compliance baseline.
CI/CD Integration
Embedding compliance checks into your pipeline so drift is caught before it reaches production, not discovered at the next audit.
Team Enablement
Knowledge transfer so your engineers understand what is running, why, and how to maintain it. The goal is always to leave your team fully capable of owning the outcome.
Ongoing Alignment
Framework releases happen. We can help you stay current — whether that is a one-off update engagement or a longer support arrangement.
Compliance Across the Server Lifecycle
Hardening a server at build time is the starting point, not the finish line. Compliance is a continuous property of a system, not a point-in-time achievement. Here is how that plays out across the full lifecycle — and where automation keeps it sustainable.
Build & Provision
Deploy from a pre-hardened golden image or apply the baseline at build time via Ansible. Initial compliance scan confirms the system meets the required benchmark before it goes anywhere near production.
Validate & Certify
Full compliance audit using CIS-CAT Pro, OpenSCAP, or Nessus/Tenable. Exceptions documented and signed off. Vulnerability scan run before handover. Formal accreditation where required.
Production Operation
Compliance is re-affirmed after every patch cycle and after any change — not just on a schedule. Patches can silently alter hardened settings. Application installs, user changes, and configuration updates all carry the same risk. Event-driven compliance runs, embedded in your change and patch pipeline, catch drift at the point it happens rather than at the next quarterly scan.
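One way to wire the event-driven check described above into a change or patch pipeline, as an added example that is not Krameff's or Ansible-Lockdown's own code: the hardening playbook is run in check mode and the per-host stats from Ansible's built-in `json` stdout callback decide whether the gate passes. The playbook and inventory paths, host names and task counts are assumptions.

```python
"""Pipeline gate for compliance drift (added example, not project code)."""
import json
import os
import subprocess
import sys

# Constructed sample of the "stats" section the real 'json' callback emits
# (the callback also reports skipped/rescued/ignored, omitted here).
# Host names and counts are made up for this example.
SAMPLE_STATS = {
    "web01": {"ok": 212, "changed": 0, "failures": 0, "unreachable": 0},
    "web02": {"ok": 209, "changed": 3, "failures": 0, "unreachable": 0},
    "db01":  {"ok": 40,  "changed": 0, "failures": 1, "unreachable": 0},
    "old01": {"ok": 0,   "changed": 0, "failures": 0, "unreachable": 1},
}

def classify_host(stats: dict) -> str:
    """In check mode a 'changed' task means the live state differs from the
    baseline the role would enforce, i.e. drift. Failures and unreachable
    hosts are pipeline errors, not evidence of compliance, so they are kept
    apart rather than silently counted as a pass."""
    if stats.get("unreachable", 0) or stats.get("failures", 0):
        return "error"
    if stats.get("changed", 0):
        return "drift"
    return "compliant"

def drift_report(all_stats: dict) -> dict:
    return {host: classify_host(s) for host, s in all_stats.items()}

def pipeline_exit_code(all_stats: dict) -> int:
    """0 only when every host is compliant; 1 on drift; 2 when any host errored."""
    verdicts = set(drift_report(all_stats).values())
    if "error" in verdicts:
        return 2
    return 1 if "drift" in verdicts else 0

def run_check_mode(playbook: str, inventory: str) -> dict:
    """Run the hardening playbook without changing anything; return its stats."""
    cmd = ["ansible-playbook", "--check", "--diff", "-i", inventory, playbook]
    env = {**os.environ, "ANSIBLE_STDOUT_CALLBACK": "json"}
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
    return json.loads(proc.stdout)["stats"]

if __name__ == "__main__":
    # Usage: gate.py <playbook.yml> <inventory>; falls back to the sample data.
    stats = run_check_mode(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else SAMPLE_STATS
    for host, verdict in sorted(drift_report(stats).items()):
        print(f"{host:10} {verdict}")
    sys.exit(pipeline_exit_code(stats))
```

A non-zero exit from this script is what stops the patch or change job, so drift on a single host blocks promotion instead of waiting for the next scheduled scan.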
Ongoing Maintenance
CIS and DISA release benchmark updates regularly. Roles are updated to match, re-applied to the fleet, and a compliance run confirms alignment. Exceptions are reviewed periodically — approved deviations do not stay approved indefinitely.
Major Version Upgrade
OS major versions require a new benchmark baseline. Hardening roles are validated against the new platform before rollout, the upgrade is staged through dev and test, and the system is re-certified before it returns to production.
End of Life & Decommission
EOL dates tracked well in advance. Migration completed before vendor support ends. Final compliance report and audit trail archived. Secure data disposal to standard. Asset retired from CMDB.
Ansible-Lockdown roles can be applied at stages 1, 3, 4, and 5 (Build & Provision, Production Operation, Ongoing Maintenance, and Major Version Upgrade) — making automation the consistent thread across the entire lifecycle rather than a one-off exercise.
Ready to Talk Compliance?
Whether you are starting from scratch or looking to mature an existing implementation, we would be happy to discuss your environment and what a good outcome looks like.