Rethinking the Role of Compliance

Financial Agency

Qmulos and Splunk partnered to deliver compliance automation to the agency, enabling it to meet the OMB M-21-31 mandate and deliver real-time risk visibility.

Federal civilian agencies are under increased pressure to gain control over their environments, identify and mitigate unknown risks, and minimize impact when a compromise does occur.

In August 2021, the Office of Management and Budget (OMB) issued Memorandum 21-31. The M-21-31 cybersecurity rule refers to a 2021 Office of Management and Budget (OMB) memorandum titled “Advanced Persistent Threat Cybersecurity Policies for Civilian Agencies”, and it provides updated guidance on how federal civilian agencies should assess and manage cybersecurity risks associated with advanced persistent threats (APTs). The memorandum established federal agency requirements to increase the government’s visibility “before, during, and after a cybersecurity incident.”

Customer Challenge:

A large U.S. government agency that falls under the jurisdiction of the Department of the Treasury was working to meet the new M-21-31 mandate’s initial deadline level, which meant having to log an extensive amount of computer-generated events within the organization. Logging and monitoring help agencies identify patterns of activity on their networks, providing indicators of compromise. In the event of incidents, logging data can help more effectively identify the source and the extent of compromise. Comprehensive logging across hundreds of IT systems is time and resource-intensive requiring manual data calls, sorting large amounts of data, and printing out each log individually. Manual risk, security, and compliance management processes like these cannot keep up with today’s complex, dynamic IT environments.

Qmulos Solution:

The government agency uses Qmulos’ Q-Compliance app, combined with Splunk Core Index and Search infrastructure to create an all-in- one solution that optimizes risk management efforts with real-time continuous monitoring to meet the EL2 logging deadline of February 27, 2023. Rather than have to print each log manually, Qmulos searches the data in Splunk so Q-Compliance can demonstrate real-time evidence and that the agency is compliant at all times with the M-21-31 mandate. Without Q-Compliance, it would have taken the agency large amounts of manpower to identify each log within the multi-system infrastructure. Qmulos was able to show that the agency was operationally secure and provided a repeatable and scalable way to continuously monitor controls in real-time for all future compliance deadlines.

The agency uses Splunk for many purposes and Qmulos was able to leverage the shared data in Splunk and the shared Splunk infrastructure to deliver significant value. By partnering with Splunk, customers can support many different requirements across the agency from CyberOps, Audit, Compliance, and IT Ops. All of this enhances their resiliency and provides broad visibility across all systems and platforms across the agency.

Qmulos Professional Services, partnered with Splunk Professional Services, provided a breadth of expertise to help bring the agency into a state of converged continuous compliance, ingesting massive amounts of data and using its bench of technical subject matter experts to navigate the complexities of the mandate and help with data onboarding. This approach empowers real-time control observability and up-to-the-minute risk visibility that enables well-informed risk management decisions.


Qmulos collaborated closely with the agency’s development team, and its internal ISSOs to help them decode requirements in the context of the M-21-31 mandate.

According to Nominet research in early 2020, 88% of CISOs reported feeling “moderately or tremendously stressed,” and a CISO’s average tenure on the job was just 26 months due to stress and burnout. In addition, 66 percent of CISOs admitted that their stress levels affect their ability to enact critical security measures.

Finding the right people who understand the M-21-31 mandate is hard. Agencies are strapped for people and ISSOs are overworked. Qmulos helped lessen the burden on the entire organization and helped bring the civilian agency into a new era of operational security.

“The fact that we can give you this kind of specificity is really impressive. Typically, we ask the ISSOs to eyeball it. The Qmulos team did a great job. We were able to raise our compliance scores and get the major platforms to 100% compliance!”

“Translation of new critical mandates is absolutely critical. Qmulos was able to help ensure that we were speaking the same language and vernacular and tailor their solution to work with our unique idiosyncrasies within each technical environment.”

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.