Lacework by Fortinet

Covered: 8 controls | Partial: 2 controls | Gaps: 4 controls
Overview
Lacework by Fortinet is a cloud security solution that covers 8 NIST 800-171 controls (7% total coverage). It addresses key requirements in the cloud security domain for defense contractors pursuing CMMC compliance.
Implementation Notes
Deploy Lacework with FIPS-validated configurations. Integrate with your SIEM for centralized audit logging. Review partial controls quarterly to identify supplementary tooling needs.
Implementation Guidance for Lacework
Configure Lacework to address NIST 800-171 controls through its cloud workload protection and behavioral analytics capabilities.

For AC (Access Control) controls, enable Lacework's identity and access monitoring to track privileged account usage and detect anomalous authentication patterns. Configure custom policies to alert on violations of least privilege principles and unauthorized access attempts.

For AU (Audit and Accountability), deploy Lacework's comprehensive logging and monitoring across all cloud resources. Enable automated log collection from AWS CloudTrail, Azure Activity Logs, and GCP Cloud Audit Logs. Configure retention policies to meet NIST requirements (typically 1 year minimum) and establish automated alerting for security events.

For CA (Security Assessment and Authorization), leverage Lacework's continuous compliance monitoring to generate assessment evidence. Set up automated compliance reports for CIS benchmarks and security configuration baselines.

For SI (System and Information Integrity), configure Lacework's threat detection to monitor for malicious activities, unauthorized software installations, and configuration drift. Enable vulnerability scanning across container images and cloud resources.

Generate assessment evidence through Lacework's reporting dashboard, exporting compliance reports in CSV/PDF formats for C3PAO assessments. Integrate with SIEM solutions like Splunk or LogRhythm for centralized security monitoring. Common misconfigurations include insufficient log retention periods, overly permissive alert thresholds that create noise, and failure to customize policies for specific defense contractor environments. Ensure proper network segmentation monitoring is configured for CUI environments.
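The AC and AU guidance above asks for three concrete things: alerting on privileged account usage, detecting anomalous authentication, and verifying that log retention meets the one-year minimum. The following is an added example, not Lacework's own code, policy language or API: a small offline detector that applies those checks to CloudTrail-shaped records so a team can see what the alerts look like before tuning thresholds in any product. It is vendor-neutral, so it also works as a sanity check on whatever SIEM or CSPM ends up consuming the same logs. The event records, the privileged-action list, the failed-login threshold and window are all constructed sample data and assumptions.

```python
"""Added example (not Lacework's code or API): offline checks for privileged
IAM actions, console logins without MFA, failed-login bursts, and log
retention, run over constructed CloudTrail-style events."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: IAM actions that grant or extend privilege and warrant an alert.
PRIVILEGED_ACTIONS = {
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "CreateAccessKey", "UpdateAssumeRolePolicy", "AddUserToGroup",
}
FAILED_LOGIN_THRESHOLD = 3                 # assumption: failures per window before alerting
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumption: sliding window size
NIST_MIN_RETENTION_DAYS = 365              # "typically 1 year minimum" from the guidance

# Constructed sample events in CloudTrail record shape (subset of fields only).
SAMPLE_EVENTS: List[Dict] = [
    {"eventTime": "2024-03-04T09:58:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-03-04T10:01:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-03-04T10:03:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "requestParameters": {"userName": "carol",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
] + [
    # Four failed console logins for one user, one minute apart.
    {"eventTime": f"2024-03-04T11:0{i}:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dave"},
     "responseElements": {"ConsoleLogin": "Failure"}, "sourceIPAddress": "203.0.113.9"}
    for i in range(4)
]


def _ts(event: Dict) -> datetime:
    """Parse the CloudTrail eventTime field (ISO-8601 with a UTC 'Z' suffix)."""
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze_events(events: List[Dict]) -> List[Dict]:
    """Return findings as dicts with keys rule, user, eventTime, detail."""
    findings: List[Dict] = []
    failures = defaultdict(list)  # user -> timestamps of recent failed console logins

    for ev in sorted(events, key=_ts):
        user = ev.get("userIdentity", {}).get("userName", "<unknown>")
        name = ev.get("eventName")
        when = _ts(ev)

        if name == "ConsoleLogin":
            outcome = ev.get("responseElements", {}).get("ConsoleLogin")
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            if outcome == "Success" and mfa != "Yes":
                findings.append({"rule": "console_login_without_mfa", "user": user,
                                 "eventTime": ev["eventTime"],
                                 "detail": f"source {ev.get('sourceIPAddress')}"})
            elif outcome == "Failure":
                # Keep only failures still inside the sliding window, then add this one.
                window = [t for t in failures[user] if when - t <= FAILED_LOGIN_WINDOW]
                window.append(when)
                failures[user] = window
                if len(window) == FAILED_LOGIN_THRESHOLD:  # fire when the count reaches the threshold
                    findings.append({"rule": "failed_login_burst", "user": user,
                                     "eventTime": ev["eventTime"],
                                     "detail": f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"})
        elif name in PRIVILEGED_ACTIONS:
            findings.append({"rule": "privileged_iam_action", "user": user,
                             "eventTime": ev["eventTime"],
                             "detail": f"{name} {ev.get('requestParameters', {})}"})
    return findings


def retention_meets_nist(retention_days: int) -> bool:
    """True when a log store's configured retention satisfies the 1-year minimum."""
    return retention_days >= NIST_MIN_RETENTION_DAYS


if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"{f['eventTime']} {f['rule']:28} user={f['user']} {f['detail']}")
    print("90-day retention OK:", retention_meets_nist(90))
```

Running the block yields three findings over the sample data: bob's console login without MFA, bob attaching AdministratorAccess to carol, and a failed-login burst for dave that fires on the third failure. Tune `FAILED_LOGIN_THRESHOLD` and `FAILED_LOGIN_WINDOW` against your own baseline; the guidance above names overly permissive thresholds as a common source of alert noise.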
Gap Analysis & Compensating Controls
Lacework's 7% coverage leaves significant gaps in critical NIST 800-171 control families. The most notable gaps are in IA (Identification and Authentication), where multi-factor authentication enforcement and authenticator management require dedicated IAM solutions like Okta or Azure AD. PE (Physical and Environmental Protection) controls are completely unaddressed, necessitating physical security measures and environmental monitoring systems. SC (System and Communications Protection) gaps include encryption key management, secure communications protocols, and boundary protection - requiring tools like AWS KMS, network firewalls, and VPN solutions. CM (Configuration Management) needs are only partially met; defense contractors must implement dedicated configuration management tools like Ansible or Puppet for baseline configurations and change control. To document these gaps in your System Security Plan (SSP), create a control implementation matrix showing Lacework's coverage and identifying compensating controls. In your Plan of Action and Milestones (POA&M), prioritize closing IA gaps first due to their high CMMC assessment weight (Level 2 requires strong authentication controls). Next, address SC gaps as they're fundamental to protecting CUI. Document planned procurement of complementary tools and implementation timelines. Physical security gaps should be addressed through facility security procedures rather than technical controls. Ensure your POA&M includes specific milestones for tool procurement, configuration, and testing phases.
Compliance Cost Estimate
Lacework licensing typically ranges from $15-30 per workload per month, with enterprise contracts potentially reaching $50-100K annually for mid-sized defense contractors. Initial implementation costs include 2-4 weeks of professional services ($20-40K) for proper configuration and integration with existing security infrastructure. Ongoing monitoring requires dedicated security personnel (0.5-1 FTE) for alert triage and policy tuning, adding $50-100K annually in operational costs. Compared to competitors like Prisma Cloud or Aqua Security, Lacework offers competitive pricing but may require additional tooling for comprehensive NIST 800-171 coverage. The total cost of ownership should factor in complementary tools needed to address the 93% coverage gap, potentially doubling the overall security stack investment. Consider cloud provider native solutions (AWS Security Hub, Azure Security Center) as cost-effective alternatives for basic compliance requirements.
Compliance Cross-References
Lacework addresses several DFARS 252.204-7012 requirements through its cloud monitoring and incident response capabilities, particularly sections related to cyber incident reporting and forensic analysis. For CMMC Level 2, Lacework supports domains AC.L2 (Access Control) through user activity monitoring and AU.L2 (Audit and Accountability) via comprehensive logging. However, it provides limited coverage for IA.L2 (Identification and Authentication) and no direct support for PE.L2 (Physical Protection) or RM.L2 (Risk Management). Assessment objectives satisfied include continuous monitoring (CA.L2-3.12.4), security alerting (SI.L2-3.14.6), and incident handling support (IR.L2-3.6.1). FedRAMP control alignment includes partial coverage of AC-2 (Account Management), AU-2 (Audit Events), and SI-4 (Information System Monitoring). Defense contractors should map Lacework's capabilities to specific CMMC assessment objectives in their SSP, clearly identifying where additional tools or processes are required. The tool's behavioral analytics support CMMC's advanced persistent threat detection requirements but cannot stand alone for Level 2 certification.
Frequently Asked Questions
How many NIST 800-171 controls does Lacework cover?
Lacework covers 8 of 110 NIST 800-171 controls (7%), with 2 partially covered and 4 gaps.
Can Lacework alone satisfy CMMC Level 2?
No single tool covers all 110 NIST 800-171 controls. Lacework covers 7% and should be part of a layered security stack addressing the remaining controls.
What controls does Lacework not cover?
Lacework does not cover controls mp-3-8-1, ia-3-5-1, pe-3-10-1, ac-3-1-12. These require supplementary solutions such as physical security controls, additional access management, or media protection tools.