Rethinking the Role of Compliance

Zero Trust Starts With Trust

Threats are on the rise. Active cyber threats against United States federal, civilian, and military digital assets and environments have been on a steady upward trend, with a noticeable increase in offensive activity coinciding with the rapid transition to remote work driven by the novel coronavirus pandemic. The recent spike in ransomware attacks against a broad range of U.S. critical infrastructure environments has highlighted the urgent need to address persistent cyber vulnerabilities and risk management maturity gaps on the national scale.


Federal Government Responds

Recognizing the urgency and the scope of resources required to deliver the desired maturity improvements in our national cybersecurity posture, in May 2021 the White House issued Executive Order 14028 “Improving the Nation’s Cybersecurity”. Amongst its provisions, the EO calls on the private sector to “adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.

The EO emphasized the critical need for trustworthiness and transparency across the national private and public digital infrastructure encompassing cloud, on-premise, and hybrid environments across Information Technology (IT) and Operational Technology (OT) domains.

Among its detailed mandates, the EO directs IT and OT service providers to “collect and preserve data, information, and reporting relevant to cybersecurity event prevention, detection, response, and investigation on all information systems over which they have control, including systems operated on behalf of agencies, consistent with agencies’ requirements.”

In short, the EO creates a set of new data-gathering and data-sharing mandates requiring organizations to rapidly achieve and credibly demonstrate continuous compliance with a broad range of control objectives. Those organizations continuing to rely on legacy, static compliance, assessment, remediation, and reporting models, will soon find themselves challenged by the emerging requirements.

Federal strategy calls for Zero Trust Architecture

As directed by the EO, the Office of Management and Budget (OMB) has recently released a draft federal strategy designed to move the U.S. government towards a Zero Trust Architecture. The Cybersecurity and Infrastructure Security Agency (CISA) also released their Cloud Security Technical Reference Architecture and Zero Trust Maturity Model to guide and assist agencies in their implementation planning.

The Zero Trust Maturity Model represents a gradient of implementation across five distinct pillars. The pillars include Identity, Device, Network, Application Workload, and Data. Visibility and Analytics, Automation and Orchestration, and Governance form the foundational layers of the Model, as illustrated on the left.

Continuous Monitoring as cornerstone of Zero Trust Architecture

It is important to recognize that each of the foundational capabilities within the Zero Trust Model carries the requirement for continuous, dynamic functionality. Meaning, the traditional, often manual, periodic approach to control assessment and remediation falls prohibitively short of the goals and objectives of Zero Trust. Simply put, the broad spectrum of control objectives and the need for comprehensive continuous visibility across the entire enterprise environment make automation a vital necessity, not a nice-to-have aspirational goal.

As an example of the asset visibility requirements, the OMB draft memorandum on Zero Trust Strategy requires the Federal Government to have a “complete inventory of every device it operates and authorizes for Government use, and can detect and respond to incidents on those devices.” Attaining this level of granular visibility requires mature telemetry, optimized data flow and collection architecture, and advanced analytics to enable organizations to not only achieve, but sustain indefinitely their compliant state.

Qmulos Converged Continues Compliance™ powers Zero Trust adoption

Q-Compliance, Qmulos’ flagship solution, enables automated enterprise-wide compliance with the NIST Risk Management Framework’s (RMF) six-step maturity model, NIST 800-53, NIST CSF, CMMC, SOX, PCI DSS, NERC CIP, and the recently released NIST Ransomware Framework (NISTIR 8374). As such, our solution is easily leveraged to accommodate the new compliance objectives on the timetable established by the EO.

Unlike legacy Governance, Risk, and Compliance (GRC) applications, the Qmulos Product Suite leverages Splunk, the preeminent big data analytics platform. Through this partnership, our solutions disrupt the legacy IT compliance and risk management models, demonstrating to CISOs that leveraging big data for compliance is the best way to dramatically improve real operational security. Instead of running separate and siloed operational security and compliance functions, organizations can finally combine their respective budgets and resources and align them toward one common goal: better enterprise security.

Qmulos leverages big data analytics as the core foundation of our product suite. Accordingly, our platform is equipped to easily handle emerging compliance obligations, providing on-demand access to near-real-time, fine-grain data about the state of enterprise controls, delivering intelligent insights in support of risk management and compliance decisions across the enterprise.

The Qmulos Product Suite delivers its unique automated capabilities by leveraging:

Our reliance on Splunk as the central repository of all relevant security and compliance data ensures ready access for current and future analytic and reporting use cases;

Parsing and contextualizing data in a manner that makes it easy to digest from a compliance, risk, and security perspective; and,

Hundreds of pre-built analytics that automate the passing/failing of controls, ATOs, and other tasks that ultimately drive operational security.

Play Video

Request a Demo

Learn how QMULOS can help your company grow by scheduling a demo with our team.