Control Mappings for Mandate Based Reporting
Mandate Based Reports allow you to view the compliance posture of an organization in terms of the underlying security baseline against selected mandates.
Qualys has introduced new control mappings, where each control is mapped to granular control objectives. This approach enhances the functionality of Mandate Based Reporting and helps you better understand your organization’s compliance against respective mandates.
In the older approach, each control was mapped to multiple control objectives, so the same control appeared under several control objectives in a mandate-based report. As a result, mandate reports were large, time-consuming to review, and made it confusing for organizations to understand their compliance against the respective mandates. In the new approach, each control is mapped to the single most appropriate control objective.
Benefits:
- Qualys controls appear in the most appropriate control objective.
- Provides a better understanding of the compliance posture against the specified mandate.
- Produces smaller and simpler mandate-based reports.
What are the changes that I will notice in my mandate-based reports?
- Granular mappings listed for controls when you drill down into report details.
- Fewer controls listed in reports as we’ve taken an approach to show the most accurate mappings.
- Changes to control objectives. This may be especially noticeable when your report is grouped by control objectives for a harmonized report with multiple mandates included.
What will the mandate-based reports look like?
Below is an example that exhibits the difference between the older and the newer mandate reports.
Policy Compliance
Old report: Control ID 2182 appears under multiple framework controls, i.e. AC-1, AC-6(10) and IA-2.
New report: Control ID 2182 appears under only a single framework control, i.e. IAC-21.5.
CloudView
Old report: Control ID 44 appears under multiple framework controls, i.e. SC-7(5) and CM-7.
New report: Control ID 44 appears under only a single framework control, i.e. NET-04.1.
Does this mean Qualys controls will be listed only once in the reports?
No. Mapping each control to one control objective does not guarantee that a Qualys control is listed only once in a report. A control can still appear multiple times when its control objective is cross-mapped to several sections of the selected mandate.
For example, Control IDs 10027 and 10028 appear in multiple sections: 6.2 Activate audit logging, 6.5 Central Log Management, and 6.8 Regularly Tune SIEM.
This happens because CIS control sections 6.2, 6.5 and 6.8 are all cross-mapped to the control objective MON-01.8 Reviews & Updates, so the controls mapped to that objective are listed under each of those sections.
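The difference between the two mapping models, and why a control can still repeat in the new model, is easier to see in data. The following is an added example, not Qualys code: it builds a many-to-many table in the style of the old report and a control-to-objective table plus an objective-to-section cross-mapping in the style of the new one, using the IDs quoted above. The table layout, the function names, and the rule that an objective with no cross-mapped sections is reported under its own ID are assumptions for illustration.

```python
from collections import defaultdict

# Constructed tables modelled on the IDs quoted in the post (not Qualys data).

# Old approach: a Qualys control mapped directly to several framework controls.
OLD_MAPPING = {
    2182: ["AC-1", "AC-6(10)", "IA-2"],
}

# New approach, step 1: each Qualys control maps to exactly one control objective.
CONTROL_TO_OBJECTIVE = {
    2182: "IAC-21.5",
    10027: "MON-01.8",
    10028: "MON-01.8",
}

# New approach, step 2: a control objective is cross-mapped to the sections of
# the selected mandate. The post names only the CIS sections for MON-01.8;
# IAC-21.5 is deliberately left without a cross-mapping here (assumption).
OBJECTIVE_TO_SECTIONS = {
    "MON-01.8": [
        "6.2 Activate audit logging",
        "6.5 Central Log Management",
        "6.8 Regularly Tune SIEM",
    ],
}


def old_report(mapping):
    """Group controls by framework control. The mapping is many-to-many, so a
    control is listed once per framework control it was mapped to."""
    report = defaultdict(list)
    for control_id, framework_controls in mapping.items():
        for framework_control in framework_controls:
            report[framework_control].append(control_id)
    return dict(report)


def new_report(control_to_objective, objective_to_sections):
    """Group controls by mandate section. A control reaches a section only via
    its single control objective, so it repeats only where that objective is
    cross-mapped to several sections. An objective without any cross-mapped
    section is reported under the objective ID itself (assumption)."""
    report = defaultdict(list)
    for control_id, objective in control_to_objective.items():
        for section in objective_to_sections.get(objective, [objective]):
            report[section].append(control_id)
    return dict(report)


def appearances(report, control_id):
    """Sorted list of report sections in which a control is listed."""
    return sorted(section for section, ids in report.items() if control_id in ids)


def duplicated_controls(report):
    """Controls listed in more than one section, with their section count.
    Useful when reviewing a report: every entry here should be explainable
    by a cross-mapping of the control's objective, not by a mapping error."""
    counts = defaultdict(int)
    for ids in report.values():
        for control_id in ids:
            counts[control_id] += 1
    return {cid: n for cid, n in counts.items() if n > 1}


def explain(control_id, control_to_objective, objective_to_sections):
    """Trace why a control appears where it does under the new model."""
    objective = control_to_objective[control_id]
    return objective, objective_to_sections.get(objective, [objective])


if __name__ == "__main__":
    old = old_report(OLD_MAPPING)
    new = new_report(CONTROL_TO_OBJECTIVE, OBJECTIVE_TO_SECTIONS)
    print("old report, 2182:", appearances(old, 2182))
    print("new report, 2182:", appearances(new, 2182))
    print("new report, 10027:", appearances(new, 10027))
    print("duplicates in new report:", duplicated_controls(new))
    print("why 10027 repeats:", explain(10027, CONTROL_TO_OBJECTIVE, OBJECTIVE_TO_SECTIONS))
```

In the old table, control 2182 shows up three times because it was mapped to three framework controls. In the new table, it shows up once, under IAC-21.5, while 10027 and 10028 still show up three times, and `explain` traces each repetition back to the single objective MON-01.8 and its three cross-mapped CIS sections rather than to a duplicate control mapping.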
Extending mandate coverage
Qualys Policy Compliance is extending mandate coverage by introducing new mandates and upgrading versions of the existing ones.
Newly introduced mandates
Sr. No. | Mandate Name | Version
---|---|---
1 | NIST 800-53 (Special Publication) | Rev 5 |
2 | Essential Cybersecurity Controls | ECC – 1 : 2018 |
3 | European Union Agency for Network and Information Security | v2.0 |
4 | Control Objectives for Information and Related Technologies (COBIT) | 2019 |
5 | CERT® Resilience Management Model | v1.2 |
6 | Risk Management in Technology (RMiT) | 19 June 2020 |
7 | Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7008-7012 | 252.204-7008 |
8 | Federal Acquisition Regulation (FAR) | 52.204-21 |
9 | Technology Risk Management (TRM) Guidelines | January 2021 |
10 | US Food & Drug Administration (FDA) | 21 CFR Part 11 |
11 | Cybersecurity Maturity Model Certification (CMMC) | v1.02 (18 March 2020) |
Mandates with version upgrades
Sr. No. | Mandate Name | Current Version | New Version
---|---|---|---
1 | NIST Special Publication 800-171 | Ver 1.0 | Rev. 2 |
2 | The Australian Signals Directorate – The Essential 8 Strategies (ASD 8) | February 2017 | June 2020 |
3 | Criminal Justice Information Services (CJIS) Security Policy | Ver. 5.8 | Ver. 5.9 |
4 | Payment Card Industry Data Security Standard (PCI-DSS) v3.2.1 | Ver 3.2 | Ver. 3.2.1 |
5 | SWIFT Customer Security Controls Framework – Customer Security Programme v2019 | Ver. 1.0 | Ver. 2019 |
6 | Federal Risk and Authorization Management Program (FedRAMP H) – High-Security Baseline | Ver. 1.0 | Rev. 4 |
7 | Federal Risk and Authorization Management Program (FedRAMP M) – Moderate Security Baseline | Ver. 1.0 | Rev. 4 |
Conclusion
Granular control mapping to appropriate control objectives enhances the functionality of mandate-based reports and allows organizations to better understand their compliance against respective mandates.
Resources
- Learn more about Qualys Policy Compliance and Cloud Security Assessment
- Try Qualys Policy Compliance yourself as part of a free 30-day Qualys trial
- For questions, please contact your TAM or Qualys Technical Support
Contributors
- Aparna Hinge, Senior Manager, Compliance Research Analysis, Qualys
- Anu Kapil, Technical Product Manager, Compliance Solutions, Qualys
- Yash Jhunjhunwala, Security Analyst, Cloud Security Compliance, Qualys
- Jayesh Rajan, Manager, Compliance Analysis, Qualys