Qualys Solutions for IT Security & Compliance
Qualys' on demand approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the QualysGuard® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.
- QualysGuard Vulnerability Management
Globally Deployable, Scalable Security Risk and Vulnerability Management
- QualysGuard Policy Compliance
Define, Audit and Document IT Security Compliance
- QualysGuard PCI Compliance
Automated PCI Compliance Validation for Merchants and Acquiring Institutions
- QualysGuard Web Application Scanning
Automated Web Application Security Assessment and Reporting
FISMA is the Federal Information Security Management Act of 2002. It imposes strong requirements to secure government information and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with requirements of FISMA. This page provides background information about FISMA and describes how solutions from Qualys help federal agencies and contractors to be compliant.
FISMA is part of the E-Government Act of 2002. Its provisions fall into three major categories: assessment, enforcement, and compliance. The first pertains to determining the adequacy of the security of federal assets. The second requires that key information security provisions be implemented and managed. The third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting. FISMA directs the National Institute of Standards and Technologies (NIST) to create and manage technical standards for compliance. Key standards include NIST Special Publication 800-53, and Federal Information Processing Standards (FIPS) 199 and 200. Audits for FISMA compliance are managed by the Office of Management and Budget (OMB).
Why FISMA Matters to Your Organization
Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors. A successful exploit would be disastrous if it stopped vital functions of government and critical services. If a federal agency fails to comply with FISMA, it may be sanctioned via a budget cut. Contractors that exchange data with federal information systems must comply with FISMA or risk termination from a contract. Non-compliance may preclude contractors from bidding on future federal contracts.
Considerations for a FISMA Security Compliance Program
Compliance with FISMA can be challenging due to the broad scope of technical standard specified by NIST. The security framework in SP 800-53 includes 17 areas of security covering 205 technical and program management controls. Mapping these to IT operations of a large federal agency, implementation, and ongoing management is a huge process. To help, current and past federal CIOs and CISOs working in conjunction with the SANS Institute created the Consensus Audit Guidelines (CAG), which are 20 critical controls for effective cyber defense. These specific recommendations are "viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future." CAG Critical Control 10: Continuous Vulnerability Assessment and Remediation, along with other provisions in SP 800-53 are addressed by Qualys solutions. Automation is a vital part of these, and NIST has further specified that vulnerability scanners used for FISMA compliance must conform to its Security Content Automation Protocol (SCAP). The QualysGuard FDCC scanner module is validated by NIST as conforming to the SCAP specification in accordance with OMB's Memorandum M-07-11, "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems."
How Qualys Solutions Help Registered Entities Meet FISMA Requirements
Qualys solutions in the QualysGuard Security and Compliance Suite enable immediate compliance with key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.
In particular, solutions in the QualysGuard IT Security & Compliance Suite fulfill key security controls from NIST SP 800-53 and specified by CAG Critical Control 10, including: RA-3 (a, b, c, d) and RA-5 (a, b, 1, 2, 5, 6), plus many others. These are summarized in the matrix below. For a detailed explanation requirement-by-requirement, see FISMA Compliance: Making the Grade.
|FISMA Requirements||QualysGuard Capabilities|
|Specific accountability of agencies and officials||
|Assess risk by seeking to meet defined security objectives||
|Maintain an inventory of major systems and interconnections||
|Regular security assessments and reviews||
|Significant regular reporting of ISS program progress and results||
|Tracking of significant deficiencies and remediation actions taken||
|Incident response and prevention processes and capability||
|Compliance with minimum system configuration requirements||
|Policies and procedures which support compliance and training for key ISS personnel||
|Integration of security management processes with strategic and operational planning||