Qmulos is pleased to announce the general availability of Q-Compliance V3.8.0! Here are some of the key exciting upgrades for this release:
- More granular assessments and correlation against specific control requirements, e.g., objectives from NIST 800-53A or custom control sub-requirements
- Improved performance of analytics and visualizations for security controls
- Streamlined interface for responding to triggered control alerts
Read on for more details about how our latest features enhance the data-driven approach to risk management and compliance for your organization!
Compliance Against Specific Control Objectives or Sub-Requirements
In Q-Compliance, systems can be configured for compliance at the control level or the Control Correlation Identifier (CCI) level. Starting in this version, you can now work off control objectives that are derived from the NIST 800-53A test procedures for both revision 4 and revision 5! For added flexibility, you can also import your own control sub-requirement or objective definitions for NIST 800-53 controls or custom controls.
As an ISSO, you might be wondering: what is the significance of this feature, and how is it beneficial for me? Let’s walk it through in the context of RMF.
As part of the “Categorize” step in RMF, our system management page provides an option for you to configure your systems to be assessed at the objective level.
To support the “Select” step of RMF, you can apply the objectives that you deem applicable to the system using our Control Configuration dashboard. Like security controls, objectives may also be inherited from common control providers. In addition, a common set of objectives can easily be applied to multiple systems using our overlay feature in Q-Compliance.
As you move to the “Implement” step, you will need to describe how your controls are to be implemented. Our Control Compliance Hub is where implementation statements are created for your security controls. Now with objectives coming into the picture, you can assign these implementation statements to individual objectives as well.
We’ve also added a number of enhancements to our Control Compliance Hub to enable the “Assess” step of RMF to be done at the more granular objective level. POAMs and test procedures can be assigned to specific objectives, while uploaded document evidence can be assigned to multiple objectives. Control automation alerts can now also be configured to automatically set statuses and findings for multiple objectives based on real-time technical evidence.
When the time comes for the official assessment, the assessor can record the status and findings for each individual objective, and you will see the final assessment score for the objectives, similar to how you can view the CCI score on the Control Compliance Hub.
For a higher-level view of control objective assessment information, you can navigate to our Control Overview dashboard to view the scores and individual statuses for each objective in your entire system.
Now comes the “Authorize” step. You want to get your system ATO approved by your authorizing official, right? This means building up the ATO package for your authorizing official to review, which includes a system security plan (SSP) report. With our SSP dashboard, you can quickly generate that report with a click of a button, and have it ready to present to your authorizing official in no time, with all the control objective implementations, statuses, and findings for your entire system.
Alternatively, our security control traceability matrix (SCTM) dashboard can export and provide you a similar assessment report for your system’s control objective information as well.
Finally, when the system ATO is approved and you transition to the “Monitor” step, it is important to monitor any changes occurring in your system environment. With our Continuous Monitoring dashboard, you will be able to monitor such changes not only for your main security controls, but also for specific objectives.
Overall, supporting objective compliance in Q-Compliance really enhances the RMF experience that you, as the ISSO, don’t want to miss out on!
Improved Performance of Control Analytics and Visuals
Need for speed? Being built on top of Splunk, Q-Compliance leverages the performance and scalability of Splunk’s platform, but we’ve made some important changes that really take performance to the next level. By taking advantage of Splunk’s capability to use accelerated data, queries that drive visuals in Q-Compliance are sped up significantly. So, if you are ingesting terabytes of data each day, expect to see visuals load quicker than ever before!
Responding to Triggered Control Alerts
Alerts are often used to automate certain actions within Q-Compliance, such as setting a control’s audit and/or assessment status, creating a POAM, or even setting an ATO status for your system. In large systems where hundreds of alerts can be triggered within a short period of time, it might seem overwhelming to monitor which alerts have been triggered in your system. Wouldn’t it be nice to narrow down the scope and only see alerts for a specific control? Our Control Compliance Hub now contains an additional alerts table to show you the triggered alerts for the current control being viewed. You can view the alert in search for more detail, create a ticket with our Q-Ticket app, or simply delete alerts that are no longer relevant.
Other enhancements in Q-Compliance include updating various pages across the app to support objective-level compliance, usability enhancements, and various bug fixes. For more details on how Q-Compliance supports objective-level compliance or to request a demo, please contact us at firstname.lastname@example.org!