Maintaining Continuous Compliance with HCL BigFix
                     HCL BigFix Compliance
Maintain continuous compliance according to your needs and enforce 
them automatically 24/7 with the power of BigFix
HCL BigFix
The number of security threats that compromise endpoints and cause 
business level damages has been continually growing. With an ever 
increasing mobile workforce and new cloud initiatives, the very nature of Highlights
the endpoint is changing. Heightened regulatory concerns put additional 
burdens on already overtaxed IT teams. • Continuously enforce compliance to industry 
security benchmarks or 
BigFix® Compliance provides unified, real-time visibility and policy standards such as CIS, DISA 
enforcement to protect complex, highly distributed environments. STIG and PCI for endpoints 
Designed to dramatically reduce compliance reporting overhead as virtually running any OS, in any 
well as enforce compliance to standards, BigFix Compliance can help location.
organizations protect endpoints and reduce the attack surface with 
minimal administrative effort. • Automatic remediation of configuration drift back to 
desired states.
This easy-to-manage, quick-to-deploy solution supports compliance 
initiatives for highly diverse environments — from servers to desktop • Over 20,000 out-of-the-
PCs, mobile Internet-connected laptops, virtual servers, cloud based box compliance checks are 
systems, as well as specialized equipment such as point-of-sale devices, continuously updated by BigFix which dramatically 
ATMs and self-service kiosks. The low impact on endpoint operations reduces the effort to bring all 
enhances productivity and improves the user experience. Enforcing policy endpoints into compliance.
compliance reduces cybersecurity risk and increases audit visibility. 
The built-in AI agent provides speed and efficiency in compliance with • Historical trend reports 
automated audit cycles. What used to take days or weeks can now be demonstrate configuration, 
done in minutes. patch and vulnerability compliance over time.
• Speed vulnerability 
remediation using 
CyberFOCUS Analytics  
using the:
-Advanced Persistent Threat 
(APT) Simulator
-CISA Known Exploited 
Vulnerability Exposure 
Analyzer
-Insights for Vulnerability 
Remediation
-Ability to define and 
manage Protection Level 
Agreements (PLAs.)
Key Features
Security configuration management
At the core of BigFix Compliance is 
the ability to maintain Continuous 
Compliance with industry benchmarks 
using checklists, a set of configuration 
checks associated with many security 
benchmarks and guidelines such as 
the Center for Internet Security (CIS), 
Defense Information System Agency 
Security Technical Implementation 
Guidelines (DISA STIG), Federal 
Desktop Core Configuration 
(FDCC), United States Governance 
Configuration Baseline (USGCB) and 
Payment Card Industry Data Security 
Standard (PCI DSS 4.0).
With BigFix Compliance, you can 
create custom checklists using over 
20,000 out-of-the-box checks based PCI DSS Checklists
on cybersecurity best practices. 
Additional checks can be easily 
created to implement unique security 
policies. Once a checklist is applied What is Continuous Compliance?
to an endpoint, BigFix constantly 
evaluates the endpoint’s security BigFix’s continuous compliance technology eliminates visibility and 
configurations against the deployed compliance gaps by automatically enforcing rules at every endpoint. 
checklist. Compliance status is Continuous compliance will immediately recognize any configuration 
also constantly updated so that changes out of compliance on the device and immediately remediate back 
configuration drift can be identified into compliance.
and remediated quickly and endpoints 
are not left vulnerable.
CyberFOCUS Security Analytics
BigFix CyberFOCUS Security Analytics 
helps organizations discover, prioritize, 
and patch critical vulnerabilities and
reduce cybersecurity risk in real-time, 
across your global desktop, mobile, 
datacenter, cloud, and IoT landscape. 
It includes:
• Advanced Persistent Threat 
CVE Analyzer and Vulnerability 
Remediation Simulator displays 
your vulnerabilities grouped by 
today’s more critical Advanced 
Persistent Threat (APT) families. Traditional point-in-time management solutions “check in” at unpredictable 
Here, you can simulate the times, reducing viability, creating gaps and increasing risk due to non-
impact on your attack surface compliant endpoints caused by:
while minimizing downtime 
caused by patching actions. It • Disconnected endpoints
also recommends prescriptive • Critical patch releases that may take days or weeks to deploy and validate
remediation actions that • Complete patch status reporting that may take days or weeks
maximizes vulnerability attack • End user-initiated changes affecting security compliance
surface reduction and immediate 
protection. Because of continuous compliance, BigFix can deliver 99% compliance across 
• CISA KEVs Exposure Analyzer the enterprise without operator intervention — slashing compliance costs.
confirms priority exposures to 
CVEs in CISA’s Known Exploited 
Vulnerabilities Catalog based on 
available BigFix content. It also 
hcl-software.com
indicates the number of devices •       Vulnerability reports focus on of endpoint protection solutions, 
exposed, the device vulnerability tracking and reporting of an ensuring they are always running 
density, and identifies the biggest endpoint's vulnerability posture and kept up to date for reduced 
attack surface gaps that need as a result of patching actions. cybersecurity risk. It manages 
to be patched. The Analyzer This allows organizations to third-party antivirus and endpoint 
compares your environment to the identify risks and demonstrate protection clients from vendors such 
CISA-directed due dates for the compliance. as McAfee, Symantec, Trend Micro, 
CVE remediation and indicates Sophos, and Microsoft.
your performance against those Patch management
due dates. Patch management includes Quarantine of non-compliant systems
• Insights for Vulnerability comprehensive capabilities for Many organizations need to strictly 
Remediation integrates with your delivering patches for Windows, UNIX, control how endpoints can access the 
existing vulnerability assessment Linux and macOS and for third-party corporate intranet. BigFix Compliance 
tools to be able to prioritize application, database and middleware can quarantine endpoints based on 
patching at a deeper level and vendors, including Adobe, Mozilla, their status or configuration against 
verify that vulnerabilities have Apple, and Oracle. a customized, predefined policy. If an 
been properly remediated with endpoint is discovered to be out
available patch content. A single management server can of compliance, BigFix Compliance support up to 300,000 endpoints, can place the endpoint in network 
• Protection Level Agreements shortening patch times with no loss quarantine until it is compliant. A 
(PLAs) empowers business of endpoint functionality, even over quarantined endpoint can still be 
decisions to be made regarding low bandwidth or globally distributed managed by BigFix so that it can be 
cyber security risk. It enables networks. Real-time reporting provides remediated, but all other network 
business stakeholders and IT/ information on which patches were access is disabled.
SecOps to balance cyber risks deployed, when they were deployed, 
and the cost of protection, and who deployed them, and confirmation Fast endpoint query
measures patch performance that patches were applied for a 
against agreed-to goals. complete closed-loop solution to the 
BigFix Query provides real-time 
patching process. status of all your endpoints, enabling accurate identification and inspection 
Compliance analytics Multivendor endpoint protection of vulnerable devices. You can 
The compliance status of all endpoints management interrogate endpoints and get precise 
against deployed policies are answers back in seconds, telling BigFix Client Manager for Endpoint 
constantly collected, aggregated and you which policies are enforced and Protection (CEMP) , a component 
reported. The built-in reports show the which applications and services are of BigFix Compliance, provides 
current status and the historical trends installed. You can even examine files centralized management and control 
to provide comprehensive analytics and system configuration settings to 
for the Security, IT Operations and 
Compliance teams. With Compliance 
Analytics, an organization can track 
the effectiveness of its compliance 
effort and quickly identify security 
exposures and risks. Compliance 
analytics provides the following types 
of reports:
•       Security configuration reports 
shows the current status and 
historic trend for every endpoint, 
checklist, and check. An 
aggregated report on compliance 
posture shows the overall status 
and progress of compliance 
across the entire fleet of 
endpoints.
• Patch reports provide 
comprehensive and historical view 
of patching activities and patch 
compliance across the entire fleet 
of endpoints. Patch reporting 
also tracks when each patch is 
released and applied to each 
endpoint to help organizations 
demonstrate compliance and 
satisfy auditors. Security Configuration Reporting
hcl-software.com
help you identify additional security identify all IP-addressable devices. Prerequisites
threats. Users can access a library Device discovery helps maintain 
of predefined queries or quickly visibility into all endpoints including - BigFix Compliance on the BigFix 
and easily create their own custom end user devices that are roaming Platform 10.0.8 or later
queries. BigFix Query also verifies the beyond the organization's network.  
remediation of endpoints, helping - Microsoft Windows Server 2012, 2012 
to bridge the gap between security Multiple deployment options R2, 2016, or 2019
and IT operations to choose the right BigFix Compliance can be deployed - Microsoft SQL Server 2012, 2014, 
technology for their environment. on-premise, in your organization’s 2016, or 2019
cloud, or on the HCL Cloud. There - A supported browser
Device discovery are two options for utilizing the HCL 
With BigFix Compliance, device Cloud: BigFix Compliance on Cloud More details are available online at 
discovery is no longer a snapshot and BigFix One on Cloud. BigFix help.hcltechsw.com/bigfix/landing/
counting exercise. Instead, it provides Compliance on Cloud delivers only index.html.
dynamic situational awareness the capabilities of BigFix Compliance 
about changing conditions in the while BigFix One on Cloud delivers 
infrastructure. The ability to frequently all the capabilities of BigFix 
scan the entire network delivers Lifecycle, BigFix Inventory, and BigFix 
pervasive visibility and control to help Compliance in a single cloud solution.
ensure that organizations quickly 
About HCLSoftware     
HCLSoftware develops, markets, sells, and supports product families in the areas of Digital Transformation, Data, Analytics & 
Insights, AI & Automation and Enterprise Security platforms. HCLSoftware is the cloud-native solution factory for enterprise 
software and powers millions of apps at more than 20,000 organizations, including more than half of the Fortune 1000 and 
Global 2000 companies. HCLSoftware’s mission is to drive ultimate customer success with its IT investments through relentless 
product innovation.
hcl-software.com