Rethinking the Role of Compliance

Qmulos Stands Ready to Support OMB Memorandum M-21-31

In an effort to address growing concerns about the maturity of cybersecurity practices within the Federal Government, in May of 2021 the White House released Executive Order 14028 (EO), Improving the Nation’s Cybersecurity, outlining a set of measures designed to improve the security of Federal networks, assets, and supply chains, to better identify and respond to cybersecurity incidents, and to set easily measurable compliance and effectiveness standards for Agency risk management programs.

Responding to the EO, the Office of Management and Budget (OMB) has developed Memorandum M-21-31 to address the requirements and guide the implementation of logging, log retention, log management, and centralized access and visibility provisions of EO Section 8.

In addition to internal enterprise log management objectives, both EO 14028 and M-21-31 seek to promote accelerated external sharing of threat and incident response information across the Federal government to enable more effective defense of Federal information and executive branch enterprise environments.

As organizations work to interpret the new requirements and assess their enterprise security monitoring and reporting capabilities, enterprises must be able to rely on relevant, accurate, credible, and timely data about the maturity of their security telemetry and log management infrastructure. Organizations still employing traditional compliance models that rely on manual control validation and periodic reporting will find themselves increasingly challenged by the new logging mandates.

Qmulos stands ready to support OMB M-21-31 and assist organizations in meeting and demonstrating adherence to the newly established Federal mandates.

Long-term focus on threat visibility and log management maturity

Advanced cyber threats continue to evolve and proliferate across private and public enterprise environments. Beyond simply assessing the current defensive posture and response capabilities, EO 14028 and M-21-31 establish a maturity roadmap and a set of clear objectives for improving threat visibility and incident response effectiveness as components of a long-term vision for securing U.S. national information assets and infrastructure.

The security best practices outlined in M-21-31 align closely with guidelines set forth in the National Institute of Standards and Technology (NIST) Special Publication 800-92, which is now undergoing revision to adopt the newly established objectives of the EO 14028 mandate.

The mandates are likely to continue undergoing revisions and additional development, producing a continuously emerging set of compliance objectives to be met on an ongoing basis.

Aggressive timeline demands novel approach, broad automation

EO 14028 and OMB M-21-31 set forth an aggressive timeline for organizations to achieve and demonstrate compliance with the newly established provisions, setting March 2022 as the target for Federal agencies. The mandates are expected to evolve over time, producing additional provisions and reporting obligations that will increase the compliance burden on organizations that fail to implement data-driven compliance automation as the foundation of a mature compliance and risk management program.

Q-Compliance, Qmulos’ flagship solution, enables automated enterprise-wide compliance with the NIST Risk Management Framework’s (RMF) six-step maturity model, NIST 800-53, NIST CSF, CMMC, SOX, PCI DSS, NERC CIP, and the recently released NIST Ransomware Framework (NISTIR 8374).

Q-Audit, Qmulos’ Splunk-powered real-time audit software, enables enterprises to meet the most stringent audit requirements, and is able to support many of the OMB M-21-31 requirements out of the box.

The Qmulos platform is easily leveraged to accommodate the new compliance objectives, delivering defensible compliance on the timetable established by the EO.

Q-Compliance and Q-Audit by Qmulos offer broad out-of-the-box coverage of M-21-31 logging objectives, with user-friendly visualizations of control maturity metrics and source-data validation.

Appendix A – Visual Sneak Peek into how the Qmulos Product Suite Assists with M-21-31

The AC-02 Control Coverage Dashboard assists with meeting the Identity & Credential Management objectives of M-21-31.

The Authentication Dashboard within Q-Audit assists with meeting the Authentication and Authorization objectives of M-21-31.

Qmulos delivers revolutionary Converged Continuous Compliance

Unlike legacy Governance, Risk, and Compliance (GRC) applications, the Qmulos Product Suite leverages Splunk, the preeminent big data analytics platform. Through this partnership, our solutions disrupt the legacy IT compliance and risk management models, demonstrating to CISOs that leveraging big data for compliance is the best way to dramatically improve real operational security. Instead of running separate and siloed operational security and compliance functions, organizations can finally combine their respective budgets and resources and align them toward one common goal: better enterprise security.

Qmulos leverages big data analytics as the core foundation of our product suite. Accordingly, our platform is equipped to easily handle emerging compliance obligations, providing on-demand access to near-real-time, fine-grained data about the state of enterprise controls, delivering intelligent insights in support of risk management and compliance decisions across the enterprise.


The Qmulos Product Suite delivers its unique automated capabilities by leveraging:

  • Splunk as the central repository of all relevant security and compliance data, ensuring ready access for current and future analytic and reporting use cases;
  • Parsing and contextualizing of data in a manner that makes it easy to digest from a compliance, risk, and security perspective; and,
  • Hundreds of pre-built analytics that automate the passing/failing of controls, ATOs, and other tasks that ultimately drive operational security.



Appendix B – Qmulos coverage of M-21-31 logging maturity reporting objectives

| M-21-31 Event Logging Objectives | Qmulos Q-Compliance Mapped to NIST SP800-53rev5 | Qmulos Q-Audit Mapped to ICS 500-27 |
|---|---|---|
| Identity & Credential Management | AC-02, IA-02 | |
| Privileged Identity & Credential Management | AC-02, IA-02 | Admin Access, Privilege Escalation |
| Network Device Infrastructure (Access, Authorization, and Accounting) | | Built-in Q-Audit dashboards |
| Operating Systems – Windows Infrastructure and Operating Systems | | Built-in Q-Audit dashboards |
| Operating Systems – BSD (Linux) | | Built-in Q-Audit dashboards |
| System Configuration and Performance | Continuous Monitoring | |
| Authentication and Authorization | AC, IA | Admin Access, Privilege Escalation, User & Group Management |
| Email Filtering, Spam, and Phishing | SI-08(02) | |
| Anti-Virus and Behavior-Based Malware Protection | SI-03 | |
| Network Device Infrastructure (for Devices with Multiple Interfaces: Interface MAC – If Correlated to the De-NAT IP Address) | AC-04, CM-07, SC-07; IR-06, SI-04 | |
| Vulnerability Assessments | RA-05, CM-08, SE-02, CM-07 | |
| Virtualization System | | Built-in Q-Audit dashboards |
| Container – OS | | Built-in Q-Audit dashboards |
