Remote “Controls” using Q-Compliance

CMMC and What You Need to Know

Following the much anticipated final draft of the Cybersecurity Maturity Model Certification (CMMC) V1.0, released January 31st, 2020, many contractors are hastening to improve their security standards. If your organization has not yet engaged in CMMC preparation activities, you have fallen behind the pack. Within the next few months, the Department of Defense will begin using the CMMC audit standards in determination of awarding business.

One of the most overarching aspects of the new certification is that even traditionally non-defense companies will need to show compliance with the practices and processes set forth by the CMMC Model. It is conservatively estimated that 200,000-350,000 contractors, even custodial companies, bookkeepers, caterers, and small IT firms will need to hold a CMMC. This follows from the conclusion Pentagon officials reached that one of their greatest cybersecurity risks derive from the second and third-tier contractors who work in tandem with the DOD. With this in mind, when it comes to awarding business, cybersecurity is set to be the “fourth critical measurement” for business, behind quality, cost, and schedule.

So what exactly is the CMMC and what are the requirements for certification?

The CMMC measures the maturity of an organization’s cybersecurity processes and practices across five levels covering seventeen domains, as shown in Figure 1.  The domains are broad categories of critical security functions such as Access Control, Identification and Authentication, Incident Response, etc. much like the control families from the NIST 800-53 security controls standard.  The seventeen domains are further broken down into 43 capabilities and 171 practices, essentially more granular security controls.

Figure 1: Maturity Levels and Domains of the CMMC

Each level specifies a certain set of processes and practices that have to be implemented across the domains.  The levels build on each other, and thus in order to achieve a higher CMMC level, your organization must demonstrate compliance in the preceding levels. The levels range from very basic safeguarding of Federal Contract Information, to continuous monitoring with optimized practices and efficient processes.  The table below summarizes the focus and requirements of each level.

Level Focus Process Requirements Practice Requirements
1 Safeguard Federal Contract Information (FCI) Requires that an organization performs the specified practices. Implement 17 practices to provide Basic Cyber Hygiene
2 Transition step to protect Controlled Unclassified Information (CUI) Requires that an organization establish and document practices and policies Implement the 17 Basic Cyber Hygiene practices, plus an additional 55 practices for a total of 72 practices to provide Intermediate Cyber Hygiene
3 Protect CUI Requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. Implement all the practices from Levels 1 and 2, plus an additional 58 practices for a total of 130 practices to provide Good Cyber Hygiene
4 Protect CUI and reduce risk of Advanced Persistent Threats (APTs) Requires that an organization review and measure practices for effectiveness. Implement all the practices from Levels 1, 2, and 3, plus an additional 26 practices for a total of 156 practices to provide Proactive cybersecurity practices
5 Protect CUI and reduce risk of Advanced Persistent Threats (APTs) Requires an organization to standardize and optimize process implementation across the organization Implement all the practices from Levels 1, 2, 3 and 4, plus an additional 15 practices for a total of 171 practices to provide Advanced/Progressive cybersecurity practices

Qmulos has created a sorted and filterable spreadsheet of all the discrete capabilities and practices required at each level that you can use to assess your organization’s maturity level. 

A screenshot of a cell phone  Description automatically generated
Spreadsheet can be downloaded here or below

As you can see, CMMC covers a broad set of domains with a comprehensive set of policy, procedure, management and technical controls that need to be implemented and assessed regularly.  If you’re feeling a little overwhelmed after reviewing all of those detailed requirements, not to worry – our Splunk premium apps Q-Compliance and Q-Audit are purpose-built to help you streamline and automate complex cybersecurity auditing and compliance requirements like CMMC. Q-Audit provides prescriptive, out-of-the-box auditing capabilities that satisfy many of the practice requirements from the CMMC Audit and Accountability domain.  Q-Compliance is built upon the same standards and best practices that the CMMC has adopted and we have enhanced it with features specifically for CMMC.  We align specific security controls with the domains, capabilities, and practices from CMMC and use real-time log and event data from Splunk to help you automate the assessment and scoring of your organization’s practices against the maturity levels defined in CMMC.  In addition, we have codified industry best practices into the workflow of the application that will help your organization institutionalize and optimize the processes that improve your cyber posture and protect sensitive information such as Federal Contract Information and Controlled Unclassified Information.

Stay tuned for more details on how Qmulos can help you with CMMC assessments.

NextGen GRC

Product Updates

Q-Compliance V3.1

Qmulos is proud to announce the general availability of Q-Compliance V3.1. With the end of official support from the Python Software Foundation for Python version 2.x on January 1, 2020, Q-Compliance V3.1 brings the much anticipated support for Python 3.7. This will enable our customers to update their environments to stay current with supported software, continue to leverage community support and maintain compatibility with the many third party projects that use Python. For more information about Q-Compliance and our Splunk premium apps’ compatibility with Python versions, please contact

Q-Audit V2.0

Qmulos is proud to announce the general availability of Q-Audit V2.0. Version 2.0 enhances Q-Audit’s industry leading support for the ICS 500-27 standard (a gold standard for comprehensive auditing in support of insider threat use cases) to add risk scoring capabilities. With the new risk scoring capabilities, organizations using Q-Audit can now automatically score users and assets to identify potential insider threats or high value individuals and assets that may be targets of external attacks. To make things even more actionable, Q-Audit now integrates with Q-Ticket, another Qmulos Splunk application, to allow users to create and track service tickets to investigate risky users and assets. For more information about Q-Audit and risk scoring, please contact

Qmulos: On-Prem or in the Cloud

Qmulos Premium Splunk Solutions are constantly expanding to keep up with the continuedgrowth of critical new datasets. Recently, we enhanced the coverage of our AWS service monitoring for Qmulos applications by more than 90%. Now, our Qmulos applications have the ability to monitor configuration changes, service executions, backups, account changes and more across all the critical AWS services. These enhancements are valuable to monitor not just what happens on your instances running in AWS but also to monitor changes made to major AWS services such as EC2, AWS Backup, ECS, IAM, ELB, Lambda, Redshift, RDS, Route 53, S3, SQS and many more. We now monitor a total of 78 AWS services all within the Qmulos applications. Whether your data comes directly from your servers, or the AWS services running them, Qmulos has you covered.

Qmulos provides a number of preconfigured data integrations allowing us to monitor many important datasources right away. These integrations exist for software provided by vendors: Cisco, Nessus, Bitdefender, WatchGuard, SourceFire and PaloAlto. Our customized software leverages the best aspects of security and audit logs on Linux and Windows operating systems. We make sure that every critical event is captured and monitored in real time.

We are constantly building more and more integrations and there is no limit to monitoring whatever kind of data you desire. Every bit of information can be mapped to our proprietary CIM compliant data models allowing you to make use of our Powerful Qmulos products with any kind of data.

Integrating Machine and Human Workflows for Compliance Automation

Maintaining the security and compliance posture of a system requires automated machine workflows augmented with human workflows for oversight and change control. With the features added in the recent V2.9 release, Q-Compliance now enables you to create integrated machine and human workflow actions to monitor, detect, and remediate compliance issues. Continuously monitor your systems’ control compliance and effectiveness using data in Splunk that represents an accurate up-to-the-minute view of your IT environment.

Figure 1: System Continuous Monitoring

Let’s walk through a short example.  In Figure 1, we see that the “CM-08 Information System Component Inventory” control is failing.  Using Splunk’s alerting workflows in conjunction with an extensive library of prebuilt compliance analytics from Q-Compliance (shown in Figure 2), we have detected that there are unauthorized software installations on the devices in the Qmulos Windows system. Q-Compliance has built-in custom alert actions to automatically pass or fail security controls based on the findings detected by the analytics. 

Figure 2: Analytics and visualizations to detect compliance findings

System owners will be automatically notified of any alerts on the System Actions dashboard (shown in Figure 3) where they can drill into the alerts to see the details of the findings. Any controls that failed as a result of those findings will also be displayed along with the compliance scores so system owners can see how the findings have impacted their system’s overall compliance posture. In our example, the Qmulos Windows system owner can use the new ticketing feature in Q-Compliance to create a ticket to assign someone to investigate and remediate the discovery of unauthorized software on the Windows machines. In many cases, users install unapproved software because they have a legitimate use for it so it is important to put a human in the loop to investigate before trying to automatically remediate the issue. With its compliance analytics, custom alert actions, and ticketing features, Q-Compliance enables you to combine the speed and automation of machine workflows based on Splunk’s alerting framework with human workflows to make controlled changes for compliance automation.

Figure 3: System Actions and Workflows to Investigate and Remediate Compliance Findings

Combining and automating machine and human workflows in this way has enabled our customers to monitor all relevant technical controls in near-real time, achieving true ongoing assessment, and turning compliance into real operational security! 

The Data-Driven Strategy to Compliance and Cyber Hygiene

Qmulos CEO and Founder, Matt Coose, along with Dr. Ron Ross, NIST Fellow, will host a discussion on compliance and risk management frameworks, and how the right data-driven approach can help organizations go beyond meeting regulatory requirements and provide a foundation for a robust security posture.

While compliance efforts are mandated and top-of-mind across government and education, the wrong approach can be costly and result in excruciating audits and a failing grade on scorecards. But innovators are leveraging their data and finding if properly executed, the initiative can be seamless and ensure critical cyber hygiene.

Within the webinar, the speakers hope to convey the latest in NIST guidance to enhance information assurance in an elevated threat landscape. They will also discuss best practices for implementing compliance frameworks and enabling self-reporting as well as how leveraging a data-driven approach can automate and accelerate compliance initiatives like RMF, FISMA, DFARS, and a host of others.

The event is being hosted from 11am – 2pm on Thursday, August 1st. Please visit the below link in order to reserve a spot to enhance your knowledge on time-relevant topics and learn from some of the brilliant minds pioneering compliance within the data sector.



Dr. Ron Ross

Dr. Ron Ross
National Institute of Standards and Technology
Twitter: @ronrossecure

Matt Coose

Matt Coose

Ashok Sankar

Ashok Sankar
Director, Solutions Marketing
Splunk Inc. 

David Hartley

David Hartley
IT Specialist
Western Area Power Administration

Splunk GovSummit 2019

Thank you so much for visiting Qmulos at Splunk GovSummit! It was a privilege introducing you to our revolutionary products, Q-Compliance and Q-Audit, both powered by Splunk.

Team Qmulos was fascinated to learn that along with interest from those in the government sector, we also had many people stop by from commercial industries ranging from finance and insurance to construction, healthcare, technology, and many others. The best practices and standards are clearly answering a need in the both the public and private sectors. It’s energizing to see the both sectors aligning in defense of our enterprises and missions alike.

Our top priority is to help the marketplace migrate from legacy GRC tools to real-time Risk Management solutions. Every year we work to update existing features to better meet our customers’ priorities and create new capabilities they don’t even know they need yet. We will continue to listen to our partners and customers as we challenge ourselves to open the world’s eyes to the value of security and compliance automation.

We rely on Splunk’s robust and scalable infrastructure to provide our IT risk management solution to meet the needs of the world’s largest enterprises. Thanks again to Splunk for featuring us on their Partner Spotlight Blog! Check it out to learn more about our passion for providing secure, cost-effective, and innovative real-time security solutions.