WASHINGTON, D.C. – May 21, 2024 – Qualys, Inc., a leading provider of disruptive cloud-based IT, security and compliance solutions today announced it is expanding its focus on the government sector by enhancing and operationalizing the capabilities of the Qualys Enterprise TruRisk Platform. This expansion aims to accelerate support for federal zero-trust strategies through automated asset visibility and attack surface risk management as defined by OMB M-24-04, CISA BOD 23-01 and the broader FISMA guidelines.
As defined in EO 14028, federal agencies must show progress in their zero-trust implementation (OMB M-22-09). To further help operationalize zero trust, the OMB released FY24 FISMA Guidance (M-24-04) to focus on the visibility and security of the entire attack surface, specifically on monitoring and real-time reporting on vulnerabilities and threats.
While agencies recognize the value of zero trust, they need to take fundamental steps to progress. Insights from the Qualys Threat Research Unit show that better management of the external attack surfaces is needed as, on average, 31 percent of the assets are unknown to enterprises and agencies, while 45 percent of the assets do not have accurate criticality defined and fail to classify high-value assets (HVA).* This aligns with the OMB M-24-01 directive emphasizing the importance of understanding the attack surface.
Further, Qualys analysis shows the mean time to remediate CISA catalog vulnerabilities is over 30 days, while attackers exploit vulnerabilities within an average of five days. This discrepancy underscores the need for agencies to continuously discover their known and unknown attack surfaces, perform effective risk assessments, and prioritize remediation efforts to comply with CISA BOD 23-01.
The Qualys Enterprise TruRisk Platform’s integrated solutions, CyberSecurity Asset Management, Vulnerability Management, Detection and Response (VMDR) and Patch Management, now seamlessly helps federal agencies fast-track the implementation of zero-trust strategies with continuous compliance and posture visibility into M24-04 and FISMA's broader risk assessment and remediation requirements. With the Qualys platform, agencies get visibility and reporting for all their high-value assets, physically and virtually connected devices, including OT and IoT devices and their applications.
The Qualys Enterprise TruRisk Platform, with its unified view, allows agencies to:
- Clearly understand the assets and attack surface in compliance with OMB M-24-04: Qualys allows agencies to discover and inventory both the known and unknown internal and external attack surface of IT, IoT, cloud, and mobile assets across hybrid environments, along with software and applications, including open-source packages, while also identifying high-value assets.
- Address FISMA Patching Requirements per CISA BOD 23-01: In addition to discovering high-value assets, detecting, and assessing vulnerabilities and prioritizing risks according to the CISA catalog, Qualys allows patching from within the same integrated solution to minimize the risk of exploitation of federal assets.
- Showcase and fast-track measurable progress to zero-trust implementation: Qualys helps agencies identify and manage the entire attack surface along with integrated detection, prioritization, and remediation of vulnerability risks, allowing agencies to easily implement FISMA’s foundational guidance.
"The administration's push for modernization with zero-trust principles shifts the focus from compliance to visibility of cyber assets and risk management," said Sumedh Thakar, president and CEO of Qualys. "Qualys is committed to helping the public sector as it works to ensure a more secure environment through enhancing and operationalizing the capabilities of our Enterprise TruRisk Platform. This includes fast tracking the federal zero-trust journey by leveraging Qualys solutions to identify and secure high-value assets and automating risk management.”
Qualys Public Sector Cyber Risk Conference
Qualys is hosting its first Public Sector Cyber Risk Conference in Washington, D.C. today. The conference will emphasize a comprehensive security approach across federal agencies, with a specific focus on High-Value Assets (HVAs), Internet of Things (IoT)/Operational Technology (OT) devices and other internet-connected assets.
Notable conference speakers include Paul Selby, chief information security officer at the Department of Energy (DOE), Bailey Bickley, Chief DIB Defense, Cybersecurity Collaboration Center at the National Security Agency (NSA), and Paul Blahusch, chief information security officer at the Department of Labor (DOL), amongst other esteemed public sector luminaries.
Availability
The enhanced and operationalized Enterprise TruRisk Platform supporting the federal zero-trust journey is immediately available. To learn more, visit qualys.com/forms/federal-zero-trust or attend our webinar, “Jumpstarting FISMA (M-24-04) Requirements with the Qualys Enterprise TruRisk Platform” at qualys.com/federal-zero-trust-webinar.
