Qualys Solutions for IT Security & Compliance
Qualys' continuous security approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the Qualys® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.
Qualys Vulnerability Management: Globally deployable, scalable security risk and vulnerability management
Qualys Continuous Monitoring: Identify threats and monitor for changes in your environment
Qualys Threat Protect: Prioritize vulnerability remediation and stay on top of breaches
Qualys Policy Compliance: Define, audit and document IT security compliance
Qualys Security Assessment Questionnaire: Collect and analyze information about your business easily, quickly, and without reinventing the wheel
Qualys PCI Compliance: Automated PCI compliance validation for merchants and acquiring institutions
Qualys Web Application Scanning: Automated web application security assessment and reporting
Qualys Web Application Firewall: Simple, scalable and customizable solution to stop web application attacks and prevent data breaches
FISMA is the Federal Information Security Management Act of 2002. It imposes strong requirements to secure government information and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with requirements of FISMA. This page provides background information about FISMA and describes how solutions from Qualys help federal agencies and contractors to be compliant.
FISMA is part of the E-Government Act of 2002. Its provisions fall into three major categories: assessment, enforcement, and compliance. The first pertains to determining the adequacy of the security of federal assets. The second requires that key information security provisions be implemented and managed. The third establishes provisions for the management of each agency's information security program and the accountability of each agency for compliance and reporting. FISMA directs the National Institute of Standards and Technology (NIST) to create and manage technical standards for compliance. Key standards include NIST Special Publication 800-53 and Federal Information Processing Standards (FIPS) 199 and 200. Audits for FISMA compliance are managed by the Office of Management and Budget (OMB).
Why FISMA Matters to Your Organization
Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors. A successful exploit would be disastrous if it stopped vital functions of government and critical services. If a federal agency fails to comply with FISMA, it may be sanctioned via a budget cut. Contractors that exchange data with federal information systems must comply with FISMA or risk termination from a contract. Non-compliance may preclude contractors from bidding on future federal contracts.
Considerations for a FISMA Security Compliance Program
Compliance with FISMA can be challenging due to the broad scope of the technical standards specified by NIST. The security framework in SP 800-53 includes 17 areas of security covering 205 technical and program management controls. Mapping these controls to the IT operations of a large federal agency, implementing them, and managing them on an ongoing basis is a huge undertaking. To help, current and past federal CIOs and CISOs working in conjunction with the SANS Institute created the Consensus Audit Guidelines (CAG), a set of 20 critical controls for effective cyber defense. These specific recommendations are "viewed as effective in blocking currently known high-priority attacks, as well as those attack types expected in the near future." CAG Critical Control 10, Continuous Vulnerability Assessment and Remediation, along with other provisions in SP 800-53, is addressed by Qualys solutions. Automation is a vital part of these controls, and NIST has further specified that vulnerability scanners used for FISMA compliance must conform to its Security Content Automation Protocol (SCAP). The Qualys FDCC scanner module is validated by NIST as conforming to the SCAP specification in accordance with OMB's Memorandum M-07-11, "Implementation of Commonly Accepted Security Configurations for Windows Operating Systems."
How Qualys Solutions Help Registered Entities Meet FISMA Requirements
Qualys solutions in the Qualys Security and Compliance Suite enable immediate compliance with key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies.
In particular, solutions in the Qualys IT Security & Compliance Suite fulfill key security controls from NIST SP 800-53 that are specified by CAG Critical Control 10, including RA-3 (a, b, c, d) and RA-5 (a, b, 1, 2, 5, 6), plus many others. These are summarized in the matrix below. For a requirement-by-requirement explanation, see FISMA Compliance: Making the Grade.
| FISMA Requirements | Qualys Capabilities |
|---|---|
| Specific accountability of agencies and officials | |
| Assess risk by seeking to meet defined security objectives | |
| Maintain an inventory of major systems and interconnections | |
| Regular security assessments and reviews | |
| Significant regular reporting of ISS program progress and results | |
| Tracking of significant deficiencies and remediation actions taken | |
| Incident response and prevention processes and capability | |
| Compliance with minimum system configuration requirements | |
| Policies and procedures which support compliance and training for key ISS personnel | |
| Integration of security management processes with strategic and operational planning | |