Rethinking the Role of Compliance

Consumer Protection Agency

Qmulos automated manual compliance processes for the agency, providing it with real-time threat data on its security controls and removing the stress of NIST 800-53 compliance.

Considered the “gold standard” of cybersecurity compliance, NIST SP 800- 53, also known as “Security and Privacy Controls for Information Systems and Organizations,” is a publication by the National Institute of Standards and Technology (NIST) in the United States. The primary purpose of 800-53 is to provide a framework for selecting and specifying security and privacy controls for federal information systems and organizations, but it is widely used by private sector organizations and other entities as well. The controls outlined in 800-53 are meant to help organizations address the risks and threats associated with information and information systems, including but not limited to cyberattacks, data breaches, unauthorized access, and insider threats.

Customer Challenge:

To demonstrate operational compliance, a large, independent U.S. agency that operates within the framework of the Federal Reserve System needed to meet the NIST 800-53 requirements via the Risk Management Framework (RMF). Implementing the security and privacy controls outlined in NIST can be incredibly challenging when applied to large and complex information systems, making implementation difficult. Enacting technical measures mandated requires specialized knowledge, creating bottlenecks in the process. The drain on resources is intensive, involving large amounts of time, money, and skilled personnel, not to mention the adoption of new technologies to ensure continuous control monitoring and real-time data collection.

In response to data breaches over the last 10 years, there is now a more concerted effort to protect Controlled Unclassified Information (CUI) across the public and private sectors. The agency, which experienced a major incident in 2023, needed to demonstrate to the public and the White House that the agency was securing all of the data being stored and used in it and that it was sufficiently managing risk. It needed to break down information silos and to create a better way to see all of its data across its networks, in real-time. Previous paper-based compliance provided little visibility and blind spots around threat knowledge. The agency needed a way to gather real- time, automated evidence and to transform its processes from tedious, costly, and manual compliance to real-time monitoring.

Qmulos Solution:

To meet the NIST 800-53 standard, the agency understood it needed to go through compliance transformation. The agency engaged Qmulos and its Q-Compliance product, an all-in-one solution that optimizes risk management efforts with real-time continuous monitoring. In addition, it engaged Qmulos’ Splunk-powered real-time audit software, Q-Audit, to support the insider threat hub for user tracking and incident investigation.

Qmulos ingested more than a terabyte of data and transformed a tedious, manual process into real-time data on the status of technical controls with Q-Compliance. Q-Audit helps the agency monitor, track, and investigate what’s going on at any given moment, and provides alerts with any data anomalies.

Rather than requiring the agency to rip and replace its current systems, Qmulos developed an integration to connect to its existing system, the DOJ’s cyber security assessment and management (CSAM) application. The integration helped the agency through the compliance maturation process.


Qmulos provided the agency’s team with end-to-end support, from implementation through adoption, including training of relevant teams on Q-Audit and Q-Compliance, monthly touchpoints to stay connected on product updates, and the creation of user guides for the agency’s workflows. In addition, it fostered a close partnership with its Solutions Engineering team to create the CSAM integration.

NIST 800-53 is difficult to stand up and agencies need a really strong compliance team to be compliant with the standard. Q-Audit helps agency support insider threat investigation, which monitors logs, provides a risk summary dashboard, and displays unusual activity.

With Qmulos, it is taking the agency a fraction of the time to collect data, analyze it, and provide insights for achieving compliance, removing the stress of compliance with 800-53, while better securing the organization. By automating data capture and processing, the agency’s cyber personnel can focus on protecting the organization instead of gathering data. The agency is saving precious time and money, and eliminating headaches on personnel by being able to keep its finger on the pulse of bad actors.

“It’s great that you can take all our feedback for the Insider Threat Hub and produce something digestible for the team. I can take this to my leadership, to my Insider Threat Hub, and start digging into what the anomalies are, and take it from monitoring to investigating. Really appreciate the work of the professional services and CSM teams!”

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.