The FedRAMP-certified Qualys Cloud Platform now supports the requirements laid out in the 2017 White House Executive Order (EO) on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.
The 2017 EO charges each agency with reviewing and reporting on its cyber posture using the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), while agencies continue to manage their own cyber risk by hardening systems against the Defense Information Systems Agency Security Technical Implementation Guides (DISA STIGs). Measuring compliance against several frameworks and standards at once is difficult, however, because the technical control data must be collected from complex IT environments and then interpreted once per framework.
Qualys Policy Compliance (PC) addresses that difficulty by harmonizing technical control assessment and reporting. PC has been updated with DISA STIG content and a mapping of those controls to the NIST CSF, so a single automated assessment of a heterogeneous environment against the STIGs and other best-practice standards can be reported natively in NIST CSF terms, without a separate scan per framework.
“IT security and compliance play a crucial role in the continued adoption of cloud by U.S. Government agencies,” said Philippe Courtot, chairman and CEO, Qualys, Inc. “The Qualys Cloud Platform provides federal agencies with a unified solution that can deploy and scale, providing the 2-second visibility of continuous security and compliance posture of IT assets at an agency-wide level, helping ensure that IT vulnerabilities do not compromise the security of critical U.S. Government infrastructure.”
The Qualys Cloud Platform combines assessment and reporting of technical and procedural EO requirements in a harmonized solution that helps with:
Combined visibility of mandate compliance – PC consolidates the requirements of multiple mandates and standards into a single view, and lets customers report on one mandate or on several in a single report. The harmonization of requirements across standards is automated and runs continuously rather than as a one-off mapping exercise.
Technical and procedural risk assessment – the Qualys Security Assessment Questionnaire (SAQ) module covers the procedural controls that a technical scan cannot observe, and extends the same assessment to vendors and third parties. An out-of-the-box NIST Cybersecurity Framework template can be sent to internal departments and to vendors; their responses are collected and rolled into the overall compliance report. As with any questionnaire, these results are self-attested rather than measured, so they complement rather than replace the technical evidence gathered by PC.
Automated mandate-based reporting – PC and SAQ provide out-of-the-box, automated reporting against the NIST CSF, using the DISA STIG controls as the underlying technical evidence. PC's mandate-based reporting shows compliance posture against each standard or mandate in terms of the underlying security baseline, by continuously mapping the DISA STIG and other assessed controls to the requirements of the target standards.