Apply a framework

Compliance Manager frameworks consist of cloud controls that help you meet your organization's security or regulatory requirements in your cloud environments. Applying a framework is a two-step process. First, you must determine the cloud controls that your business requires to manage its security, compliance, and risk. Then, you deploy a framework that includes those cloud controls to the appropriate resources in Google Cloud. This page helps you complete the following steps:

Assess which built-in framework best aligns with your regulatory and security requirements. You can create your own custom framework, but we recommend starting with a built-in framework.
Determine which built-in cloud controls map to your business requirements. You can create custom cloud controls, if required.
Determine whether to deploy the framework to your Google Cloud organization, or to specific folders and projects. You can only deploy one framework to each organization, folder, or project. Compliance Manager supports app-enabled folders.
Copy an existing framework and modify it to match your requirements. If required, you can create a custom framework.
Deploy the framework on the appropriate organization, folder, or project.

Before you begin

To get the permissions that you need to apply frameworks, ask your administrator to grant you the following IAM roles on your organization:
- Compliance Manager Admin (roles/cloudsecuritycompliance.admin)
- To view findings dashboards: Compliance Manager Viewer (roles/cloudsecuritycompliance.viewer)
- To deploy frameworks that include cloud controls that are based on organization policies, one of:
  - Organization Policy Administrator (roles/orgpolicy.policyAdmin)
  - Assured Workloads Administrator (roles/assuredworkloads.admin)
  - Assured Workloads Editor (roles/assuredworkloads.editor)
- To create a folder while deploying a framework, one of:
  - Folder Admin (roles/resourcemanager.folderAdmin)
  - Folder Creator (roles/resourcemanager.folderCreator)
- To create a project while deploying a framework, all of:
  - Project Billing Manager (roles/billing.projectManager)
  - Project Creator (roles/resourcemanager.projectCreator)
  - Project Deleter (roles/resourcemanager.projectDeleter)
For more information about granting roles, see Manage access to projects, folders, and organizations.
The roles for deploying frameworks with organization policies contain the required orgpolicy.policies.create, orgpolicy.policies.update, and orgpolicy.policies.get permissions.

The roles for creating frameworks contain the required resourcemanager.folders.get, resourcemanager.folders.create, and resourcemanager.folders.delete permissions.

The roles for creating projects contain the required resourcemanager.projects.get, resourcemanager.projects.create, resourcemanager.projects.delete, and resourcemanager.projects.createBillingAssignment permissions.
You might also be able to get these permissions with custom roles or other predefined roles.

View frameworks

Complete the following steps to view the configuration for built-in frameworks or other frameworks that you've already created.

In the Google Cloud console, go to the Compliance page.

Go to Compliance
To view all available frameworks, click the Configure tab.

The dashboard shows the available frameworks, a brief description, supported platforms, and the resources that the framework has been applied to.
To view details about a specific framework, click the framework name.

View cloud controls

Complete the following steps to view built-in cloud controls and any custom cloud controls that you already created.

In the Google Cloud console, go to the Compliance page.

Go to Compliance
In the Configure tab, click Cloud Controls. The available cloud controls are displayed.

The dashboard includes information about which frameworks include the cloud control and the number of resources (organization, folders, and projects) that the cloud control is applied to.
To view details about a cloud control, click the control name.

Create a custom cloud control

A custom cloud control applies to only one resource type. The only supported data types are Cloud Asset Inventory resources.

In the Google Cloud console, go to the Compliance page.

Go to Compliance
In the Configure tab, click Cloud Controls. The list of available cloud controls are displayed.
Create a cloud control, either with Gemini or manually:

Use Gemini

Ask Gemini to generate a cloud control for you. Based on your prompt, Gemini provides a unique identifier, a name, associated detection logic, and possible remediation steps.
Review the recommendations and make any required changes.
Save your custom cloud control.

Create manually

In Cloud control ID, provide a unique identifier for your control.
Enter a name and description to help users in your organization understand the purpose of the custom cloud control.
Optional: Select the categories for the control. Click Continue.
Select an available resource type for your custom cloud control.
Provide the detection logic for your cloud control, in Common Expression Language (CEL) format.

CEL expressions lets you define how you want to evaluate the properties of a resource. For more information and examples, see Write rules for custom cloud controls. Click Continue.
Select an appropriate findings severity.
Write your remediation instructions so that incident responders and administrators in your organization can resolve any findings for the cloud control. Click Continue.
Review your entries, and then click Create.

Create a framework

After you determine which cloud controls apply to resources within your organization or a specific folder or project, you can create a framework. You can create a custom framework or copy an existing framework and modify it.

In the Google Cloud console, go to the Compliance page.

Go to Compliance
In the Configure tab, click Create custom framework.
Complete one of the following:
- To use an existing framework, complete the following:
  1. Select Start from an existing framework.
  2. Select the framework that you want to copy.
  3. Click Add.
- To create a custom framework, select Start new.
Enter a name, unique identifier, and description for your framework. Click Continue.

If you're copying an existing framework, the list of cloud controls that were part of the existing framework displays.
To add the cloud controls that you require, complete the following:
- To add an existing cloud control, click Add Cloud Controls. Select all the cloud controls that you require and then click Add.
- To create a custom cloud control, click Create custom cloud control. For instructions, see Create a custom cloud control.
Click Continue.
Add any additional parameters that the cloud controls require.
Click Create.

Deploy a framework

Deploy a framework to an organization, folder, or project so that you can control and monitor those resources using the framework's cloud controls. You can deploy multiple frameworks to each organization, folder, or project.

Folders and projects inherit frameworks through the Google Cloud resource hierarchy. Therefore, if you deploy frameworks at the organization level and at a project level, all the cloud controls within both frameworks apply to the resources in the project. If there are any differences in cloud control definitions, the lower-level cloud control is used by the resources in the project. For example, if a cloud control rule is set to Allow at the organization level and to Deny at the project level, the project-level setting of Deny is applied to the resources in the project.

As a best practice, we recommend that you deploy a framework at the organization level that includes the cloud controls that can apply to your entire business. You can then deploy more stringent frameworks to folders and projects that require them.

In the Google Cloud console, go to the Compliance page.

Go to Compliance
In the Configure tab, for the framework that you want to deploy, click More Actions > Apply to resources.
Choose one of the following options:
- To monitor for drift only, choose Monitor.
- To monitor for drift and actively prevent violations, choose Monitor and prevent.
Select the resource that you want to deploy the framework to. You can choose an existing organization, folder, or project. If you chose to actively prevent violations, you can create a new folder or project and deploy the framework to it.
Complete one of the following:
- If you selected Monitor, verify the information and click Monitor.
- If you selected Monitor and prevent, complete the following:
  1. Click Next. Review the cloud controls and modes.
  2. Click Continue.
  3. If displayed, verify the additional information that's required for some cloud controls.
  4. Click Next.
  5. Review your selections and then click Enforce.

After you deploy the framework, you can monitor your environment for any drift from your defined cloud controls. Security Command Center reports instances of drift as findings that you can review, filter, and resolve. It can take approximately six hours after you deploy a framework for findings related to cloud controls to appear.

This preview doesn't support removing framework deployments. If you no longer require a framework, you can mute its findings. For instructions, see Mute findings in Security Command Center.