Qualys FedRAMP FAQ.
FedRAMP Basics & Background
Qualys' FedRAMP Objectives
Benefits for Qualys Customers
Qualys has obtained FedRAMP certification, an important seal of approval from the U.S. federal government for cloud computing service providers. This FAQ explains to our customers what FedRAMP is, why we embarked on this effort, and why it is important and beneficial for you.
As of November 02, 2016, the Qualys Cloud Platform is FedRAMP Moderate Authorized, sponsored by the IRS and FSA.
Most recently, as of August 27, 2025, the Qualys Government Platform is FedRAMP High Authorized, sponsored by the DEA.
FedRAMP Basics & Background
What is FedRAMP?
The U.S. federal government developed FedRAMP (Federal Risk and Authorization Management Program) to provide a single, unified and consistent process for federal agencies to assess, authorize and monitor the secure use of certain types of cloud computing services.
Specifically, FedRAMP standardizes how the Federal Information Security Management Act (FISMA) applies to cloud computing services via a security assessment framework.
When did the government launch FedRAMP?
As part of the Obama Administration’s Cloud First initiative, the use of FedRAMP is mandated by the Office of Management and Budget (OMB) for all federal agencies as they migrate their systems and applications to commercial cloud computing services.
The December 2011 OMB FedRAMP policy memo requires federal departments and agencies to utilize FedRAMP-approved cloud systems.
What is the process FedRAMP seeks to improve upon?
Prior to FedRAMP, each agency conducted its own evaluations for cloud computing services. This often resulted in redundant, inconsistent, costly and inefficient efforts.
What are some specific ways FedRAMP sharpens this process?
FedRAMP establishes a baseline set of security evaluation criteria for cloud services, creating uniform and standard guidelines and requirements for all agencies.
FedRAMP also allows agencies to reuse assessments and authorizations, so that a cloud service provider can be certified once, not multiple times by each agency.
FedRAMP also offers agencies standardized sales contract language that incorporates FedRAMP requirements and best practices that they can use when engaging in a sales negotiation with a cloud computing vendor.
In other words, the “do once, use many times” approach of FedRAMP cuts costs, saves time and streamlines and improves the quality of the security evaluations of cloud computing services for all federal government agencies.
Is FedRAMP certification a one-time event that grants vendors a perpetual right to call themselves compliant?
No. FedRAMP requires that certified vendors engage in continuous post-certification monitoring. The certification can be revoked if the vendor is found, at any point, to be non-compliant with FedRAMP requirements.
This gives U.S. federal government agencies the peace of mind of knowing that their cloud services providers (CSPs) must remain vigilant and continue to comply with the FedRAMP security requirements.
Which federal agencies are involved in FedRAMP?
FedRAMP, governed by the Executive branch of the federal government, involves multiple agencies, including the National Institute of Standards and Technology (NIST), the General Services Administration (GSA), the OMB, the Department of Defense (DoD), the Department of Homeland Security (DHS) and the Federal CIO Council.
The FedRAMP Joint Authorization Board (JAB), made up of the CIOs from DHS, GSA and DoD, defines and establishes the FedRAMP baseline system security controls. The FedRAMP Program Management Office (PMO) manages its day-to-day operations.
Is Qualys listed on the FedRAMP Marketplace, and how can federal agencies access it?
Yes - Qualys is listed on the FedRAMP Marketplace; agencies can access the listing there and request demos/engagement via Qualys’ federal page.
- Government Platform with FedRAMP High
- Cloud Platform with FedRAMP Moderate
Qualys’ FedRAMP Objectives
Why did Qualys seek FedRAMP certification?
As a pioneer and leader in enterprise cloud cyber-security software, Qualys supports FedRAMP's goal of increasing the adoption, trustworthiness and consistency of secure cloud solutions in the U.S. federal government, where we have multiple customers. FedRAMP certification is a key milestone for Qualys as we continue to communicate our offering as a cloud services provider (CSP) throughout the federal government’s civilian, military and intelligence agencies.
The Qualys SaaS model, coupled with our current FedRAMP Authority to Operate (ATO) and FedRAMP High ATO as a CSP, acts as a powerful foundation for our multiple cloud services offerings.
Update - Qualys Cloud Platform initially pursued FedRAMP Moderate authorization to support federal agencies handling unclassified data with moderate impact. Building on that foundation, Qualys Government Platform is now among the few platforms to have achieved FedRAMP High Authorization, aligned with 421+ NIST 800-53 High controls.
Achieving this milestone positions the Qualys Government Platform to protect mission- and business-critical workloads while enabling federal agencies, SaaS providers, and critical infrastructure operators to inherit validated controls, accelerate ATO timelines, and meet stringent Zero Trust and compliance mandates.
What is the difference between FedRAMP Moderate, FedRAMP High, and FedRAMP+?
- FedRAMP Moderate: Baseline for systems with Moderate impact (FIPS 199), used widely across civilian agencies. (Program basics.)
- FedRAMP High: Highest civilian baseline, aligned to NIST SP 800-53 High Impact; Qualys notes enforcement of 400+ technical controls (often referenced as “421+”). Required for the most sensitive unclassified workloads.
- FedRAMP+ (DoD SRG overlays): The DoD Cloud Computing SRG builds on FedRAMP with additional DoD-specific requirements at Impact Levels IL4/IL5/IL6 (reciprocity with FedRAMP, then added controls).
What continuous compliance capabilities does the Qualys Government Platform provide?
- Unified asset inventory across on-prem, multi-cloud, containers, IoT/OT, web apps/APIs.
- Continuous risk assessment & monitoring (vulns, misconfigs, EoS software, missing controls) aligned to RA-5/CA-7.
- TruRisk™ prioritization, automated remediation, and audit-ready compliance (NIST 800-53, DISA STIGs, CIS, FISMA/CMMC/HIPAA/BODs) with closed-loop patch validation & integrity monitoring.
There are different levels of FedRAMP compliance certification. Which one is Qualys aiming for?
Now that Qualys has become a FedRAMP certified CSP, Qualys foresees continuing to work with the DoD to leverage efforts towards FedRAMP+ certification. FedRAMP+ is the concept of leveraging the work done as part of the FedRAMP assessment, and adding specific security controls along with requirements necessary to meet and assure DoD’s critical mission requirements.
As seen in Figure 1, continuing efforts into the DoD with FedRAMP+ will enhance the Qualys offering beyond FedRAMP Moderate status (Impact Level 2) to FedRAMP+ for Critical Unclassified Information (Impact Level 4).
| Impact Level | Information Sensitivity | Security Controls | Location | Off-Premises Connectivity | Separation | Personnel Requirements |
|---|---|---|---|---|---|---|
| 2 | PUBLIC or Non-critical Mission Information | FedRAMP v2 Moderate | US / US Outlying areas or DoD on-premises | Internet | Virtual / Logical; PUBLIC COMMUNITY | National Agency Check and Inquiries (NACI) |
| 4 | CUI or Non-CUI; Non-Critical Mission Information; Non-National Security Systems | Level 2 + CUI-Specific Tailored Set | US / US Outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical; Limited “Public” Community; Strong Virtual Separation between Tenant Systems & Information | US Persons; ADP-1: Single Scope Background Investigation (SSBI); ADP-2: National Agency Check with Law and Credit (NACLC); Non-Disclosure Agreement (NDA) |
| 5 | Higher Sensitivity CUI; Mission Critical Information; National Security Systems | Level 4 + NSS & CUI-Specific Tailored Set | US / US Outlying areas or DoD on-premises | NIPRNet via CAP | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal Systems; Strong Virtual Separation between Tenant Systems & Information | |
| 6 | Classified SECRET; National Security Systems | Level 5 + Classified Overlay | US / US Outlying areas or DoD on-premises; CLEARED / CLASSIFIED FACILITIES | SIPRNET DIRECT with DoD SIPRNet Enclave Connection Approval | Virtual / Logical; FEDERAL GOV. COMMUNITY; Dedicated Multi-Tenant Infrastructure Physically Separate from Non-Federal and Unclassified Systems; Strong Virtual Separation between Tenant Systems & Information | US Citizen w/ Favorably Adjudicated SSBI & SECRET Clearance; NDA |
Figure 1 - FedRAMP Moderate certification (Impact Level 2) for Qualys as a CSP is the foundation for DoD Impact Level 4, CUI certification
(Table courtesy of the Defense Information Systems Agency, Department of Defense)
Which Qualys applications were evaluated for FedRAMP compliance?
The Qualys Cloud Platform was evaluated and incorporates our full Enterprise TruRisk platform at a FedRAMP Moderate authorization level. Additionally, our new Qualys Government Platform has been granted an Authority to Operate (ATO) at a FedRAMP High authorization level.
The Qualys Government Platform (FedRAMP High Authorized) includes vulnerability management, compliance, endpoint detection & response (EDR), asset inventory, policy enforcement, web application security and more; cloud-native application protection is on the roadmap. The High boundary enables automated remediation workflows (patch/ticketing) and integrity monitoring as part of closed-loop compliance.
Who was the company in charge of doing an independent evaluation of Qualys’ platform as part of the FedRAMP certification process?
As required by the FedRAMP certification process, Qualys retained an accredited independent assessor, a Third Party Assessment Organization (3PAO) in FedRAMP parlance, to test security implementations and collect representative evidence relevant to Qualys’ accreditation. Qualys’ third-party assessor is Coalfire.
Which agency sponsored Qualys’ FedRAMP certification process?
The sponsoring agencies for FedRAMP Moderate are the Internal Revenue Service (IRS) and Federal Student Aid (FSA).
The sponsoring agency for FedRAMP High is the Drug Enforcement Administration (DEA).
Benefits for Qualys Customers
How will existing and prospective Qualys U.S. federal government customers benefit from having Qualys be FedRAMP certified?
In a number of different ways.
Currently, agencies that use cloud computing services that haven’t been certified as compliant with FedRAMP must periodically provide written justification for their continued use of these services to the White House Office of Management and Budget (OMB).
Consequently, a FedRAMP certification for Qualys will not only give its customers security assurances, but also remove the need to justify their use of our products with the OMB.
A FedRAMP certification will also make it easier for new U.S. federal government customers to adopt our services, since they won't have to do their own baseline security evaluation before selecting Qualys products.
Is the FedRAMP process truly demanding and thus a valuable indicator of cloud service providers' security capabilities? Or is it a bureaucratic exercise any vendor can complete by just going through the motions?
FedRAMP is no walk in the park. Seeking FedRAMP compliance is an extremely rigorous process that involves a meticulous, in-depth assessment of how a vendor’s cloud computing service is secured, and of how that security must be maintained and preserved throughout the service’s operation.
Specifically, a vendor that has been FedRAMP certified has to submit multiple system and security documents, including the core System Security Plan (SSP), whose template alone is more than 400 pages long.
The SSP is a document that details a cloud system's security controls, to determine how U.S. federal information will be safeguarded. The SSP template is written in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 Revision 1, titled "Guide for Developing Security Plans for Information Technology Systems."
A full list of the document templates that cloud computing providers and their independent evaluators must submit as part of the FedRAMP accreditation process can be found here: https://www.fedramp.gov/resources/training/200-A-FedRAMP-Training-FedRAMP-System-Security-Plan-SSP-Required-Documents.pdf
Is this relevant for Qualys customers that aren't U.S. federal agencies?
Yes. While FedRAMP was designed for the benefit of federal government agencies, organizations in the private sector and at other government levels can take this certification into account when evaluating a cloud computing provider.
A cloud services provider that has been certified FedRAMP Compliant has successfully undergone a stringent, painstaking evaluation of its data security safeguards and technology, and must continue to comply with FedRAMP requirements in order to retain its certification status.
How can other SaaS providers benefit from Qualys’ FedRAMP High authorization?
SaaS providers pursuing their own FedRAMP authorization can inherit 421+ validated FedRAMP High controls directly from the Qualys Government Platform. By building on the Qualys boundary, providers reduce the scope of their own audits, shorten ATO timelines by months, and cut compliance and engineering costs by up to 40%. This inheritance model allows SaaS vendors to focus on their core differentiators while accelerating entry into the federal market with a trusted FedRAMP High–authorized platform.
How does Qualys support container security under FedRAMP requirements?
Qualys Container Security supports container infrastructure security across the SDLC: image hardening, CI/CD pipeline scanning, registry scanning, runtime/container-native vuln analysis, and asset tracking—mapped to FedRAMP control expectations.
What’s next for Qualys in FedRAMP adoption (e.g., DoD-SRG, FedRAMP 20x)?
Qualys indicates plans to reach parity with Moderate services and pursue targeted extensions into the DoD Cloud Computing SRG.
Context: FedRAMP 20x—GSA’s 2025 modernization initiative—aims to accelerate authorizations with automation and new processes, which may further streamline future expansions.
Qualys Platform FedRAMP Authorized Pods
| Platform | FedRAMP Authorization | Platform URL |
|---|---|---|
| US1 | FedRAMP Moderate | https://qualysguard.qualys.com/ |
| US2 | FedRAMP Moderate | https://qualysguard.qg2.apps.qualys.com/ |
| US3 | FedRAMP Moderate | https://qualysguard.qg3.apps.qualys.com/ |
| FedHigh | FedRAMP High | https://qualysguard.gov1.qualys.us/ |