Does Morpheus support compliance for ISO-27001 & PCI-DSS?

Does Morpheus support compliance for ISO-27001 & PCI-DSS for security? Or is there a plan to add those certifications in the near future?

Morpheus helps you configure your instances to comply with various compliance frameworks like NIST 800, ISO 27001, etc. Currently, there is a SCAP scanning module to ingest XML definition profiles. I am evaluating a request to support the ingestion of CIS benchmarks in addition to DISA STIG profiles which Morpheus supports already.

Morpheus also provides guidance to configure your control tier for the Morpheus appliance to meet requirements in hardened environments using DISA guidelines. I am working with our engineering teams to certify the Morpheus appliance running on CIS benchmarks in addition to the DISA requirements.

Morpheus has internal documentation detailing which NIST 800-53 requirements our application meets. It also lists requirements out of scope, and they pertain to organization controls. I am working on updating this document to align with revision 5 of the NIST 800-53 framework.


Thanks Greg for your response. Can you share some insights around PCI-DSS compliance as well, as multiple of our customers are asking for it? I would also request your support to get some detailed documentation on the various compliances Morpheus supports, so that I can read and understand how to configure the same.


Hello @piyush.jain

I have sent you an e-mail, perhaps it will be a good idea to have a Zoom/Teams call about this question.

Thanks,
Adam


Hello @greg and @alipscombe, we are working with one of our customers, who would like us to start the Morpheus installation on a CIS hardened Ubuntu image, CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.
Checklist config: template page 520, CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0

I have attached the same here for your reference. I would like to know if Morpheus has tested it already, as discussed in early June this year in the same thread.

Hello @piyush.jain, I hope you're well. We have not validated installing Morpheus on a CIS hardened virtual machine. I can confirm that we do have plans to validate installing Morpheus onto a CIS compliant virtual machine; however, I'm unable to provide you with an ETA on when this will be completed. As mentioned on our call, we have validated installing Morpheus onto a FIPS compliant RHEL/CentOS virtual machine; the FIPS packages can be downloaded from the Morpheushub.

Thanks a lot for your input, Adam. Are there tentative timelines for validating installation of Morpheus on a CIS hardened virtual machine? We may need to start our implementation sometime in the Nov-Dec time frame. Anything we can get before that would be of great help.