Qmulos is thrilled to announce the general availability of the Q2 release of our Converged Continuous Compliance solution, Q-Compliance, along with new versions of supporting apps and technical add-ons (TAs).
We’ve added support for several new and updated compliance frameworks and standards. In addition, we’ve added many exciting new features that improve and streamline integration with the DoD’s eMASS system, the set-up of new systems/accreditation boundaries, data onboarding, assessment, and continuous monitoring of controls. The following versions of the applications are now available with these new features:
- Q-Compliance V4.3.0
- Qmulos Compliance Content V1.10.0 and V1.11.0
- Qmulos TA VMware V1.0.0, Qmulos TA Solaris V1.0.0, Qmulos TA Windows V2.1.0, and Qmulos TA Linux V1.6.1, along with many other new or updated TAs
New/Updated Compliance Frameworks
In our latest release, Qmulos has added new compliance content and analytics to support the following compliance standards and frameworks:
- SOC 2 – a standard from the American Institute of Certified Public Accountants (AICPA) that specifies how customer data should be protected; an important standard to consider for organizations that want to assure their customers that their data is secure.
- NIST SP 800-172 – enhanced security requirements for protecting Controlled Unclassified Information (CUI); these controls will be the basis for CMMC 2.0 Level 3 requirements; organizations that handle critical CUI for DoD programs need to start looking at these controls to prepare for the forthcoming CMMC Level 3 requirements.
- PCI DSS 4.0 – a standard from the Payment Card Industry for securing payment card processing systems; any organization that has payment processing capabilities in its systems needs to implement these controls.
- OMB M-22-09 – Zero Trust mandate from OMB issued January 2022 with specific goals and actions that agencies must implement by the end of FY2024; our solution helps agencies assess their compliance with the technical actions specified in M-22-09.
Streamlining Integration with eMASS
Version 4.3.0 of Q-Compliance now supports importing and exporting a system implementation plan with the DoD’s eMASS system. DoD customers who have all their systems’ compliance information in eMASS can now export it from eMASS and import it into Q-Compliance to quickly set up their systems there. At the click of a button, users can now import an entire system with its applied controls, implementation statements, test procedures, monitoring frequencies, and assessment statuses automatically into Q-Compliance. With this capability, organizations can now set up hundreds of systems a day in Q-Compliance to leverage the power of its data analytics and automation capabilities to perform control assessments and continuous monitoring. In addition, all of the information can be exported out of Q-Compliance and imported back into eMASS for reporting purposes.
New Technical Add-Ons for Data Onboarding
Our Data Engineering team has developed several new and updated TAs to ease the onboarding and mapping of data to power Q-Compliance. By popular request from customers, we’ve added a TA for VMware to capture key activities and events from hypervisors and virtual machines that need to be monitored to address compliance requirements from NIST SP 800-53 and other standards. We’ve also added a new TA to onboard data from the Solaris operating system. Solaris is still being used today to power many mission-critical applications, and it is critical to monitor the compliance posture of those Solaris devices. We’ve also made some significant updates to our Windows and Linux TAs to capture additional data for increased visibility into activities that can impact the compliance posture of those devices. In addition, there are several other new TAs that are available for commonly used tools and data sources. Please consult the Qmulos Technical Add-Ons space in our customer portal to see the entire list.
Additional Analytics and Automation
The latest releases of Qmulos Compliance Content (QCC), V1.10.0 and V1.11.0, add several new alerts to automatically detect issues that impact the compliance posture of systems. There is a new alert to detect open ports on each host to assess compliance against a system’s ports, protocols and services (PPS) policy for controls such as NIST SP 800-53 “CM-7 Least Functionality”. There is a new alert to detect hosts missing recent backups for assessing compliance against NIST SP 800-53 “CP-9 Information System Backup”. There’s also an alert to detect inactive accounts that have not been disabled, to detect violations against requirements for NIST SP 800-53 “AC-2(3) Account Management | Disable Accounts”. These are just a few of the new alerts that have been added. For a complete listing, please check out the release notes for QCC V1.10.0 and V1.11.0.
In addition to the new alerts in QCC to automatically detect compliance issues, we’ve also added some automation to pass or fail NIST SP 800-53 controls based on the compliance scores of each control’s objectives (aka the “Determine if …” statements from NIST SP 800-53A). Now organizations that conduct assessments against individual control objectives can have the overall control automatically pass or fail when the scores of the control’s objectives exceed or drop below a configurable threshold.