Rethinking the Role of Compliance

Q-Compliance V3.8.0 General Availability

Qmulos is pleased to announce the general availability of Q-Compliance V3.8.0! Here are some of the key exciting upgrades for this release:

  • More granular assessments and correlation against specific control requirements, e.g., objectives from NIST 800-53A or custom control sub-requirements
  • Improved performance of analytics and visualizations for security controls
  • Streamlined interface for responding to triggered control alerts

Read on for more details about how our latest features enhance the data-driven approach to risk management and compliance for your organization!

Compliance Against Specific Control Objectives or Sub-Requirements

In Q-Compliance, systems can be configured for compliance at the control level or the Control Correlation Identifier (CCI) level. Starting in this version, you can also work off control objectives that are derived from the NIST 800-53A test procedures for both revision 4 and revision 5! For added flexibility, you can also import your own control sub-requirement or objective definitions for NIST 800-53 controls or custom controls.

As an ISSO, you might be wondering: what is the significance of this feature, and how is it beneficial for me? Let’s walk through it in the context of RMF.

As part of the “Categorize” step in RMF, our system management page provides an option for you to configure your systems to be assessed at the objective level.

Figure 1: Configure system for objective compliance on the system management page

To support the “Select” step of RMF, you can apply the objectives that you deem applicable to the system using our Control Configuration dashboard. Like security controls, objectives may also be inherited from common control providers. In addition, a common set of objectives can easily be applied to multiple systems using our overlay feature in Q-Compliance.

Figure 2: Applying objectives to systems from the Control Configuration page

As you move to the “Implement” step, you will need to describe how your controls are to be implemented. Our Control Compliance Hub is where implementation statements are created for your security controls. Now, with objectives coming into the picture, you can assign these implementation statements to individual objectives as well.

Figure 3: Creating an implementation statement for an objective in the Control Compliance Hub

We’ve also added a number of enhancements to our Control Compliance Hub to enable the “Assess” step of RMF to be done at the more granular objective level. POAMs and test procedures can be assigned to specific objectives, while uploaded document evidence can be assigned to multiple objectives. Control automation alerts can now also be configured to automatically set statuses and findings for multiple objectives based on real-time technical evidence.

Figure 4: Add POAMs, test procedures, and technical evidence for objectives on the Control Compliance Hub

When the time comes for the official assessment, the assessor can record the status and findings for each individual objective, and you will see the final assessment score for the objectives, similar to how you can view the CCI score on the Control Compliance Hub.

Figure 5: Setting objective assessment statuses and findings on the Control Compliance Hub

For a higher-level view of control objective assessment information, you can navigate to our Control Overview dashboard to view the scores and individual statuses for each objective in your entire system.

Figure 6: Summary-level view of objective score and statuses on the Control Overview dashboard

Now comes the “Authorize” step. You want to get your system ATO approved by your authorizing official, right? This means building up the ATO package for your authorizing official to review, which includes a system security plan (SSP) report. With our SSP dashboard, you can quickly generate that report with a click of a button, and have it ready to present to your authorizing official in no time, with all the control objective implementations, statuses, and findings for your entire system.

Figure 7: Microsoft Word document SSP report generated with objective status and finding details

Alternatively, our security control traceability matrix (SCTM) dashboard can export a similar assessment report with your system’s control objective information.

Finally, when the system ATO is approved and you transition to the “Monitor” step, it is important to monitor any changes occurring in your system environment. With our Continuous Monitoring dashboard, you will be able to monitor such changes not only for your main security controls, but also for specific objectives.

Figure 8: Monitor objective-specific visuals for changes on the Continuous Monitoring dashboard

Overall, supporting objective compliance in Q-Compliance really enhances the RMF experience that you, as the ISSO, don’t want to miss out on!

Improved Performance of Control Analytics and Visuals

Need for speed? Being built on top of Splunk, Q-Compliance leverages the performance and scalability of Splunk’s platform, but we’ve made some important changes that really take performance to the next level. By taking advantage of Splunk’s capability to use accelerated data, queries that drive visuals in Q-Compliance are sped up significantly. So, if you are ingesting terabytes of data each day, expect to see visuals load quicker than ever before!

Figure 9: View control visuals on the Control Compliance Hub

Responding to Triggered Control Alerts

Alerts are often used to automate certain actions within Q-Compliance, such as setting a control’s audit and/or assessment status, creating a POAM, or even setting an ATO status for your system. In large systems where hundreds of alerts can be triggered within a short period of time, it might seem overwhelming to monitor which alerts have been triggered in your system. Wouldn’t it be nice to narrow down the scope and only see alerts for a specific control? Our Control Compliance Hub now contains an additional alerts table to show you the triggered alerts for the current control being viewed. You can view the alert in search for more detail, create a ticket with our Q-Ticket app, or simply delete alerts that are no longer relevant.

Figure 10: View control alerts triggered on the Control Compliance Hub

Other Enhancements

Other enhancements in Q-Compliance include updates to various pages across the app to support objective-level compliance, usability enhancements, and various bug fixes. For more details on how Q-Compliance supports objective-level compliance or to request a demo, please contact us at sales@qmulos.com!
