The operational continuity of networks and information technology is vital for the federal government – both for delivery of services by civilian agencies and to ensure national security. Threats to federal systems and critical cyber infrastructure come from sovereign states, terrorists, criminals, lone hackers, and mistakes committed by staff and contractors.
The Comprehensive National Cybersecurity Initiative by President Obama is driving new efforts by the federal government to establish a front line of defense against cyber threats. In the Federal Cloud Computing Strategy, agencies are directed to evaluate safe, secure cloud computing options before making any new investments in IT. On-demand solutions from Qualys for IT security and compliance can quickly help federal agencies comply with these and other requirements while securing network-based operations and critical infrastructure from harmful exploits.
Mandates for Federal Security
The Federal Information Security Management Act (FISMA) requires securing government systems and information, and holds federal agencies accountable for their success in meeting this goal. Organizations that exchange data with federal information systems also must comply with requirements of FISMA.
FISMA directs the National Institute of Standards and Technology (NIST) to create and manage technical standards for compliance. Key standards include NIST Special Publication 800-53, and Federal Information Processing Standards (FIPS) 199 and 200. In addition to deploying appropriate security controls, agencies must continuously monitor networks and systems to ensure that controls are working – especially after changes are made to IT environments (see FAQ from NIST). Audits for FISMA compliance are managed by the Office of Management and Budget (OMB).
To strengthen endpoint security, the OMB requires federal agencies to follow uniform desktop configurations. The Federal Desktop Core Configuration (FDCC) entails security configurations for Microsoft Windows Vista and XP operating system software. The newer U.S. Government Configuration Baseline (USGCB) adds configurations for Microsoft Windows 7 operating system and services. Central to automation of scanning for these configurations is the Security Content Automation Protocol (SCAP).
Qualys has attained FedRAMP compliance, an important cyber-security seal of approval from the U.S. federal government for cloud computing service providers. FedRAMP provides a single, unified and consistent process for federal agencies to assess, authorize and monitor the secure use of certain types of cloud computing services. Specifically, FedRAMP standardizes how the Federal Information Security Management Act (FISMA) applies to cloud computing services via a security assessment framework.
As a pioneer and leader in enterprise cloud cyber-security software, Qualys supports FedRAMP’s goal of increasing the adoption, trustworthiness and consistency of secure cloud solutions in the U.S. federal government, where we have multiple customers. Qualys achieved FedRAMP Authority to Operate (ATO) certification in November 2016.
FedRAMP certification is a key milestone for Qualys as we continue to communicate our offering as a cloud services provider (CSP) throughout the federal government’s civilian, military and intelligence agencies.
Requirements for Military and Defense
The Department of Defense and intelligence agencies may impose more stringent requirements for national security systems processing highly classified information. Policies governing security system robustness are specified in DoD Instruction Number 8500.2. Information assurance for the national security community is addressed in NSTISSP #11 from the National Security Telecommunications and Information Systems Security Committee, which encourages use of Commercial-Off-the-Shelf (COTS) products. Guidance for information assurance – including risk management, vulnerability assessment, and mitigation – is in the Chairman of the Joint Chiefs of Staff Instruction CJCSI 6510.01F. Also see policy documents issued by the Office of the Director of National Intelligence.
How Qualys Solutions Help Agencies Meet Federal Requirements
Qualys solutions enable immediate compliance with key FISMA requirements by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external FISMA policies. Automation in Qualys solutions allows agencies to continuously monitor networks and systems for vulnerabilities – and meet federal requirements. Get more information on how Qualys solutions fulfill FISMA compliance.
The Qualys FDCC Module is certified to support SCAP content for FDCC and USGCB configuration standards. It allows agencies to scan internal devices on a global network to verify compliance with these federal requirements. Get more information on how Qualys fulfills SCAP compliance.
By using cloud-based Software-as-a-Service (SaaS) IT security and compliance solutions from Qualys, federal civilian and military/intelligence agencies may also tap benefits described in the Federal Cloud Computing Strategy that can significantly improve public sector IT, including more efficiency, agility and innovation.