STOCK TITAN

Qualys Enterprise TruRisk Platform Now Accelerates Federal Agency's Zero-Trust Journey with Automated Compliance for OMB M-24-04 and CISA BOD 23-01

Rhea-AI Summary

Qualys has announced enhancements to its Enterprise TruRisk Platform, aimed at supporting federal agencies' zero-trust implementation in compliance with OMB M-24-04 and CISA BOD 23-01 guidelines. The platform now integrates External Attack Surface Monitoring, risk-based vulnerability management, and patch management into a single, FedRAMP-authorized solution. This update helps agencies achieve real-time visibility and automated compliance, focusing on asset discovery, vulnerability assessment, and risk prioritization. The new solutions aim to address the 31% of assets that are unknown and the 45% of assets with undefined criticality in agencies.

These enhancements allow organizations to discover and manage both known and unknown attack surfaces, streamline vulnerability remediation, and fast-track zero-trust strategies. They also offer seamless integration for compliance with FISMA's broader risk assessment and remediation requirements.

Qualys is hosting a Public Sector Cyber Risk Conference in Washington D.C. to further discuss these improvements.

Positive
  • Qualys' enhanced platform supports federal zero-trust strategies, aiding compliance with OMB M-24-04 and CISA BOD 23-01.
  • Integration of External Attack Surface Monitoring (EASM), vulnerability management, and patch management into a unified FedRAMP-authorized platform.
  • Automated compliance and real-time visibility into asset discovery and risk assessment.
  • Helps agencies fast-track zero-trust implementation and manage entire attack surfaces.
  • Addresses critical gaps, such as the 31% of assets that are unknown and the 45% of assets without accurate criticality defined.
  • Seamless integration aids compliance with FISMA's risk assessment and remediation requirements.
  • Platform supports visibility and reporting of high-value assets, including OT and IoT devices.
Negative
  • Mean time to remediate CISA catalog vulnerabilities exceeds 30 days, while attackers exploit vulnerabilities within an average of five days.
  • 45% of assets in agencies do not have accurate criticality defined, posing a risk to asset management.
  • 31% of assets are unknown, indicating a significant gap in asset visibility.

Insights

The integration of External Attack Surface Monitoring (EASM), risk-based vulnerability management and patch management into a unified FedRAMP-authorized platform by Qualys is significant for federal agencies. This platform addresses critical compliance requirements such as OMB M-24-04 and CISA BOD 23-01, which emphasize continuous monitoring and rapid remediation of vulnerabilities. The fact that 31% of assets are unknown to agencies and 45% lack proper criticality classification highlights a considerable gap in cybersecurity readiness. Qualys' platform aims to bridge this gap by providing comprehensive visibility and management of both known and unknown assets. This could potentially reduce the mean time to remediate vulnerabilities, which currently stands at over 30 days compared to the average of five days for attackers to exploit them.

The shift towards zero-trust principles, driven by EO 14028, necessitates platforms that can offer robust asset visibility and risk management. Qualys' solution offers these capabilities, which could significantly enhance the security posture of federal agencies. However, the real challenge will be the adoption and effective use of these tools by agencies, considering the complexity and scope of federal IT environments.

For investors, the expansion into the federal sector and the enhancement of Qualys' Enterprise TruRisk Platform represent a strategic move that could drive revenue growth. The federal government is increasingly emphasizing cybersecurity, allocating substantial budgets towards compliance and risk management solutions. By aligning its platform with federal mandates such as OMB M-24-04 and CISA BOD 23-01, Qualys positions itself to capture a significant share of this market. The immediate availability of the platform suggests readiness to capitalize on current government cybersecurity initiatives, potentially leading to a positive impact on Qualys' financial performance in the short to medium term.

However, it's important to consider the competitive landscape. Other cybersecurity firms are also vying for federal contracts, and Qualys will need to demonstrate superior performance and ease of integration to secure significant contracts. Investors should monitor contract announcements and quarterly financial results to gauge the platform's market uptake and its impact on Qualys' revenue streams.

New update uniquely brings External Attack Surface Monitoring (EASM), risk-based vulnerability management and patch management into a single unified FedRAMP-authorized platform

WASHINGTON, May 21, 2024 /PRNewswire/ -- Qualys, Inc. (NASDAQ: QLYS), a leading provider of disruptive cloud-based IT, security and compliance solutions, today announced it is expanding its focus on the government sector by enhancing and operationalizing the capabilities of the Qualys Enterprise TruRisk Platform. This expansion aims to accelerate support for federal zero-trust strategies through automated asset visibility and attack surface risk management as defined by OMB M-24-04, CISA BOD 23-01 and the broader FISMA guidelines.

As defined in EO 14028, federal agencies must show progress in their zero-trust implementation (OMB M-22-09). To further help operationalize zero trust, the OMB released FY24 FISMA Guidance (M-24-04) to focus on the visibility and security of the entire attack surface, specifically on monitoring and real-time reporting on vulnerabilities and threats.

While agencies recognize the value of zero trust, they need to take fundamental steps to progress. Insights from the Qualys Threat Research Unit show that better management of the external attack surfaces is needed as, on average, 31 percent of the assets are unknown to enterprises and agencies, while 45 percent of the assets do not have accurate criticality defined and fail to classify high-value assets (HVA).* This aligns with the OMB M-24-01 directive emphasizing the importance of understanding the attack surface. Further, Qualys analysis shows the mean time to remediate CISA catalog vulnerabilities is over 30 days, while attackers exploit vulnerabilities within an average of five days. This discrepancy underscores the need for agencies to continuously discover their known and unknown attack surfaces, perform effective risk assessments, and prioritize remediation efforts to comply with CISA BOD 23-01.

The Qualys Enterprise TruRisk Platform's integrated solutions, CyberSecurity Asset Management, Vulnerability Management, Detection and Response (VMDR) and Patch Management, now seamlessly help federal agencies fast-track the implementation of zero-trust strategies with continuous compliance and posture visibility into M-24-04 and FISMA's broader risk assessment and remediation requirements. With the Qualys platform, agencies get visibility and reporting for all their high-value assets, physically and virtually connected devices, including OT and IoT devices and their applications.

The Qualys Enterprise TruRisk Platform, with its unified view, allows agencies to: 

  • Clearly understand the assets and attack surface in compliance with OMB M-24-04: Qualys allows agencies to discover and inventory both the known and unknown internal and external attack surface of IT, IoT, cloud, and mobile assets across hybrid environments, along with software and applications, including open-source packages, while also identifying high-value assets.


  • Address FISMA patching requirements per CISA BOD 23-01: In addition to discovering high-value assets, detecting, and assessing vulnerabilities and prioritizing risks according to the CISA catalog, Qualys allows patching from within the same integrated solution to minimize the risk of exploitation of federal assets.


  • Showcase and fast-track measurable progress to zero-trust implementation: Qualys helps agencies identify and manage the entire attack surface along with integrated detection, prioritization, and remediation of vulnerability risks, allowing agencies to easily implement FISMA's foundational guidance.

"The administration's push for modernization with zero-trust principles shifts the focus from compliance to visibility of cyber assets and risk management," said Sumedh Thakar, president and CEO of Qualys. "Qualys is committed to helping the public sector as it works to ensure a more secure environment through enhancing and operationalizing the capabilities of our Enterprise TruRisk Platform. This includes fast tracking the federal zero-trust journey by leveraging Qualys solutions to identify and secure high-value assets and automating risk management."  

Qualys Public Sector Cyber Risk Conference
Qualys is hosting its first Public Sector Cyber Risk Conference in Washington, D.C. today. The conference will emphasize a comprehensive security approach across federal agencies, with a specific focus on High-Value Assets (HVAs), Internet of Things (IoT)/Operational Technology (OT) devices and other internet-connected assets. Notable conference speakers include Paul Selby, chief information security officer at the Department of Energy (DOE), Bailey Bickley, Chief DIB Defense, Cybersecurity Collaboration Center at the National Security Agency (NSA), and Paul Blahusch, chief information security officer at the Department of Labor (DOL), amongst other esteemed public sector luminaries. 

Availability
The enhanced and operationalized Enterprise TruRisk Platform supporting the federal zero-trust journey is immediately available. To learn more, visit qualys.com/forms/federal-zero-trust or attend our webinar, "Jumpstarting FISMA (M-24-04) Requirements with the Qualys Enterprise TruRisk Platform" at qualys.com/federal-zero-trust-webinar.

About Qualys  
Qualys, Inc. (NASDAQ: QLYS) is a leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organizations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.

The Qualys Enterprise TruRisk Platform leverages a single agent to continuously deliver critical security intelligence while enabling enterprises to automate the full spectrum of vulnerability detection, compliance, and protection for IT systems, workloads and web applications across on premises, endpoints, servers, public and private clouds, containers, and mobile devices. Founded in 1999 as one of the first SaaS security companies, Qualys has strategic partnerships and seamlessly integrates its vulnerability management capabilities into security offerings from cloud service providers, including Oracle Cloud Infrastructure, Amazon Web Services, the Google Cloud Platform and Microsoft Azure, along with a number of leading managed service providers and global consulting organizations. For more information, please visit http://www.qualys.com

* Based on Qualys Threat Research Unit (TRU) analysis of anonymized customer data

Qualys, Qualys VMDR®, Qualys TruRisk and the Qualys logo are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies. 

Media Contact:   
Rachel Yap Winship 
Qualys 
Media@Qualys.com 

 

View original content to download multimedia: https://www.prnewswire.com/news-releases/qualys-enterprise-trurisk-platform-now-accelerates-federal-agencys-zero-trust-journey-with-automated-compliance-for-omb-m-24-04-and-cisa-bod-23-01-302150845.html

SOURCE Qualys, Inc.

FAQ

What is the Qualys Enterprise TruRisk Platform?

The Qualys Enterprise TruRisk Platform is a FedRAMP-authorized solution integrating External Attack Surface Monitoring, vulnerability management, and patch management to support federal zero-trust strategies.

How does Qualys help with OMB M-24-04 compliance?

Qualys' platform provides automated compliance, real-time visibility, and risk assessment for federal agencies to meet OMB M-24-04 guidelines.

What are the benefits of the Qualys platform for federal agencies?

The Qualys platform aids in asset discovery, vulnerability assessment, risk prioritization, and seamless integration for compliance with FISMA's broader risk assessment and remediation requirements.

What issues does the Qualys platform address?

It addresses the lack of visibility into the 31% of assets that are unknown and the undefined criticality of 45% of assets in federal agencies.

How quickly can Qualys' platform remediate vulnerabilities?

On average, the mean time to remediate CISA catalog vulnerabilities is over 30 days, while attackers exploit them within five days.

Is the Qualys Enterprise TruRisk Platform available now?

Yes, the enhanced platform is immediately available for federal agencies.
