# Kubernetes compliance frameworks

> Canonical: https://juliet.sh/kubernetes-security/compliance-frameworks
> Category: Compliance
> Last reviewed: 2026-04-07

## Short answer

Kubernetes compliance sits at the intersection of infrastructure posture and control frameworks. The technical benchmarks (CIS Kubernetes, NSA/CISA Kubernetes Hardening Guidance, Pod Security Standards) are prescriptive: they specify which configuration flag or pod field to set. The business frameworks (SOC 2, PCI DSS, HIPAA, ISO 27001) are outcome-oriented: they describe controls rather than settings. NIST SP 800-190 sits between the two, naming the container control areas without fixing the flags. A KSPM tool bridges both by running the technical benchmarks automatically and mapping each finding to the controls that matter for the audit.

## The technical benchmarks

- **CIS Kubernetes Benchmark.** Around 120 controls covering the control plane, worker nodes, and workload defaults. The de-facto standard. Cloud variants: CIS EKS, CIS GKE, CIS AKS. See [the deep dive](/kubernetes-security/cis-benchmarks).

- **NSA/CISA Kubernetes Hardening Guidance.** Published August 2021, updated 2022. Less prescriptive than CIS, more focused on threat models and practical hardening (network segmentation, authentication, logging).

- **Pod Security Standards.** The successor to PodSecurityPolicy, which was removed in Kubernetes 1.25. Three tiers: Privileged, Baseline, Restricted. Enforced per namespace by the built-in `PodSecurity` admission controller. See [the deep dive](/kubernetes-security/pod-security-standards).

- **NIST SP 800-190.** Application container security guide. Broader than Kubernetes. Covers images, registries, orchestrators, and runtime.

## The business frameworks

- **SOC 2.** AICPA framework for service organizations. Kubernetes contributes controls under Security, Availability, and Confidentiality. Auditors look for evidence of RBAC, logging, encryption, backup, and incident response.

- **PCI DSS.** Payment card industry. If cardholder data touches a pod, the whole cluster is in scope unless you can demonstrate that the rest of it is segmented from the cardholder data environment. Scoping is the big fight. Network segmentation and isolation (NetworkPolicy, dedicated node pools, or a separate cluster for in-scope workloads) are the usual answer.

- **HIPAA.** Healthcare. The Security Rule's technical safeguards map to access control, audit trails, integrity, and encryption in transit and at rest.

- **ISO 27001.** International information security management standard. Annex A controls map to most of CIS and NSA/CISA.

## How compliance automation works

A KSPM tool reads each rule in a framework, maps it to one or more technical checks against cluster state, runs those checks continuously, and produces a live compliance score plus evidence artifacts (PDF or JSON reports) that auditors accept. The point of automation is **evidence**, not just checks. An auditor wants to see "these 47 pods were compliant with CIS 5.2.5 for the full quarter" rather than "we passed this morning."
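The loop just described in miniature, as an added example that is not Juliet's code or any KSPM product's: a handful of Pod Security Standards Baseline and Restricted checks (the same fields the `PodSecurity` admission controller inspects), each mapped to control identifiers, run over three constructed pod manifests, with the results rolled into a timestamped evidence record. The sample pods and the control mapping are assumptions made for the example; the CIS and SOC 2 identifiers are placeholders to verify against the benchmark release and criteria set your audit actually uses.

```python
# Added example: a toy KSPM-style evaluator that runs Pod Security Standards checks, maps
# each failure to framework controls, and emits a timestamped evidence artifact.
import hashlib, json
from datetime import datetime, timezone

# Capabilities a container may add and still pass PSS Baseline (the Baseline allow-list).
BASELINE_ALLOWED_CAPS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
}

def containers(pod):  # every container the admission controller evaluates, init containers too
    return pod["spec"].get("initContainers", []) + pod["spec"].get("containers", [])

def effective(container, pod, key):
    # PSS resolution for securityContext fields: the container-level value wins, else pod level.
    value = (container.get("securityContext") or {}).get(key)
    return value if value is not None else (pod["spec"].get("securityContext") or {}).get(key)

def capabilities(container):
    return (container.get("securityContext") or {}).get("capabilities") or {}

# Baseline checks. Each returns the offending items; an empty list is a pass.
def check_privileged(pod):
    return [c["name"] for c in containers(pod) if (c.get("securityContext") or {}).get("privileged")]
def check_host_namespaces(pod):
    return [k for k in ("hostNetwork", "hostPID", "hostIPC") if pod["spec"].get(k)]
def check_host_path(pod):
    return [v["name"] for v in pod["spec"].get("volumes", []) if "hostPath" in v]
def check_added_capabilities(pod):
    return [f"{c['name']}:{cap}" for c in containers(pod)
            for cap in capabilities(c).get("add", []) if cap not in BASELINE_ALLOWED_CAPS]

# Restricted checks. These are the ones that usually force application changes.
def check_privilege_escalation(pod):  # container-level only; unset counts as a failure
    return [c["name"] for c in containers(pod)
            if (c.get("securityContext") or {}).get("allowPrivilegeEscalation") is not False]
def check_run_as_non_root(pod):
    return [c["name"] for c in containers(pod)
            if effective(c, pod, "runAsNonRoot") is not True or effective(c, pod, "runAsUser") == 0]
def check_drop_all_capabilities(pod):
    return [c["name"] for c in containers(pod)
            if "ALL" not in capabilities(c).get("drop", [])
            or set(capabilities(c).get("add", [])) - {"NET_BIND_SERVICE"}]
def check_seccomp(pod):
    return [c["name"] for c in containers(pod)
            if (effective(c, pod, "seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost")]

# Illustrative mapping only (an assumption of this example): CIS 5.2 is the benchmark's Pod Security
# Standards section and 5.7 its general policies; item numbers shift between releases, so verify.
CHECKS = [
    ("privileged", "baseline", check_privileged, {"cis": "5.2 privileged containers", "soc2": "CC6.1"}),
    ("host-namespaces", "baseline", check_host_namespaces, {"cis": "5.2 host namespaces", "soc2": "CC6.1"}),
    ("host-path", "baseline", check_host_path, {"cis": "5.2 hostPath volumes", "soc2": "CC6.1"}),
    ("added-capabilities", "baseline", check_added_capabilities, {"cis": "5.2 added capabilities", "soc2": "CC6.1"}),
    ("privilege-escalation", "restricted", check_privilege_escalation, {"cis": "5.2 allowPrivilegeEscalation", "soc2": "CC6.1"}),
    ("run-as-non-root", "restricted", check_run_as_non_root, {"cis": "5.2 root containers", "soc2": "CC6.1"}),
    ("drop-all-capabilities", "restricted", check_drop_all_capabilities, {"cis": "5.2 capabilities assigned", "soc2": "CC6.1"}),
    ("seccomp", "restricted", check_seccomp, {"cis": "5.7 seccomp profile", "soc2": "CC6.8"}),
]

def evaluate(pods, tier):
    """Run every check at or below `tier` against each pod; Restricted includes Baseline."""
    tiers = ("baseline",) if tier == "baseline" else ("baseline", "restricted")
    results = []
    for pod in pods:
        failures = [{"check": name, "details": fn(pod), "controls": controls}
                    for name, check_tier, fn, controls in CHECKS if check_tier in tiers and fn(pod)]
        results.append({"pod": pod["metadata"]["name"], "namespace": pod["metadata"]["namespace"],
                        "compliant": not failures, "failures": failures})
    return results

def evidence_report(results, tier, generated_at=None):
    """Point-in-time artifact: timestamped, scored, digested over canonical JSON. A real tool
    would sign the digest; a bare hash only shows the file was not altered after export."""
    stamp = (generated_at or datetime.now(timezone.utc)).isoformat()
    compliant = sum(1 for r in results if r["compliant"])
    report = {"generated_at": stamp, "standard": f"pss-{tier}",
              "score": round(100 * compliant / len(results), 1), "results": results}
    canonical = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return {"report": report, "sha256": hashlib.sha256(canonical).hexdigest()}

# Constructed sample manifests (not from any real cluster), as they look after YAML parsing.
SAMPLE_PODS = [
    {"metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"hostNetwork": True, "hostPID": True, "volumes": [{"name": "rootfs", "hostPath": {"path": "/"}}],
              "containers": [{"name": "exporter", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "api", "namespace": "payments"},
     "spec": {"containers": [{"name": "api", "securityContext": {
         "allowPrivilegeEscalation": False, "capabilities": {"add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"name": "worker", "namespace": "payments"},
     "spec": {"securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "worker", "securityContext": {
                  "allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}}}]}},
]

if __name__ == "__main__":
    for tier in ("baseline", "restricted"):
        print(json.dumps(evidence_report(evaluate(SAMPLE_PODS, tier), tier), indent=2))
```

Running it prints two reports. At Baseline only the host-integrated exporter fails; at Restricted the otherwise ordinary `api` pod also fails, for exactly the fields the Restricted profile makes application teams set (non-root, drop all capabilities, seccomp). The SHA-256 over canonical JSON is where a production tool would attach a signature and a retention policy, which is what turns a scan result into audit evidence.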

## Juliet compliance coverage

Juliet's Starter tier includes Pod Security Standards Baseline and Restricted. Team adds CIS Kubernetes Benchmark and NSA/CISA Hardening Guidance. Pro adds SOC 2, plus control mapping to PCI DSS, HIPAA, and ISO 27001 for audit evidence. Enterprise adds custom [Rego policies](/kubernetes-security/admission-control) for frameworks not included out of the box. Every check produces both a live finding and a point-in-time audit report. Dedicated first-class PCI DSS, HIPAA, and ISO 27001 scan profiles are on the roadmap.

## Frequently asked

### Does passing CIS mean I am SOC 2 compliant?

No, but CIS covers a meaningful chunk of the Kubernetes-specific evidence SOC 2 needs. SOC 2 covers org-wide process: incident response, vendor management, employee onboarding. CIS covers cluster configuration. Both are required for a passing SOC 2 audit with Kubernetes in scope.

### PSS Restricted or CIS, which first?

Pod Security Standards Baseline is the floor. Get Baseline green first. Then tackle CIS control-plane rules. PSS Restricted is a meaningful step up and often requires application changes: containers must run as non-root, drop all capabilities, set `allowPrivilegeEscalation: false`, and declare a seccomp profile. A read-only root filesystem is a common hardening step on top of Restricted, but the profile itself does not require it.

### Can I achieve compliance without an agent in the cluster?

On managed clusters the control plane is not yours to inspect, so the cloud-specific CIS benchmarks drop the control-plane section and check only what the provider exposes through its API (audit logging, for example). Worker-node checks (kubelet configuration, file ownership and permissions on the node) need something running on the node, so an agent is required there; workload checks can be run against the Kubernetes API alone. Most teams accept the agent because it is also the foundation for runtime and admission.

### Do auditors accept KSPM tool output as evidence?

Increasingly yes, especially for Big 4 audits of Kubernetes-heavy environments. The requirement is that the tool produces signed, timestamped artifacts that can be exported and retained.

### What about FedRAMP?

FedRAMP's control set is NIST SP 800-53. Kubernetes contributions map to AC (access control), AU (audit), CM (configuration management), SC (system and communications), and SI (system and information integrity). Juliet's roadmap includes FedRAMP-mapped reporting for public-sector customers.

## Related

- [CIS Kubernetes Benchmark](https://juliet.sh/kubernetes-security/cis-benchmarks)
- [Pod Security Standards](https://juliet.sh/kubernetes-security/pod-security-standards)
- [What is KSPM?](https://juliet.sh/kubernetes-security/what-is-kspm)
- [Admission control](https://juliet.sh/kubernetes-security/admission-control)
