Qualys VMDR
by Qualys, Inc.
Cloud-based vulnerability management, detection, and response platform with continuous assessment
Authoritative Sources
Key guidance documents from authoritative organizations.
Official deployment guide covering asset discovery, vulnerability scanning, prioritization with TruRisk, and patch management workflows.
NIST SP 800-40r4 Executive Summary: "Enterprise patch management is the process of identifying, prioritizing, acquiring, installing, and verifying the installation of patches, updates, and upgrades throughout an organization." §3.2: "Organizations should establish and constantly maintain up-to-date software inventories for their physical and virtual computing assets." §3.3: "Organizations should define the software vulnerability risk response scenarios they need to be prepared to handle." Qualys implements automated scanning, risk-based prioritization, and remediation tracking aligned with NIST guidance.
NIST SP 800-137 Executive Summary: "Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." §2.3: "Automated processes, including the use of automated support tools (e.g., vulnerability scanning tools, network scanning devices), can make the process of continuous monitoring more cost-effective, consistent, and efficient." §3.3: "Through the use of automation, it is possible to monitor a greater number of security metrics with fewer resources, higher frequencies, larger sample sizes, and with greater consistency and reliability than is feasible using manual processes."
NIST SP 800-115 Abstract: "Provides organizations with recommendations for designing, implementing, and maintaining technical information security testing and assessment processes." §3.1: "Vulnerability scanning is used to identify vulnerabilities in hosts and their services, and can be used to identify outdated software versions, missing patches, and misconfigurations." §4.1: "Security testing should be performed on a regular basis and whenever significant changes are made to systems." Qualys implements automated vulnerability scanning aligned with NIST security testing methodology.
CIS Control 7 requires continuous vulnerability management. Qualys provides automated scanning, prioritization, and remediation guidance.
CISA directive requiring federal agencies to remediate known exploited vulnerabilities. Qualys integrates CISA KEV data for prioritization.
SOC 2 CC7.1: "To meet its objectives, the entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities, and susceptibilities to newly discovered vulnerabilities." Qualys VMDR provides continuous vulnerability detection, real-time threat intelligence, and automated prioritization that directly supports CC7.1 requirements for detecting configuration vulnerabilities and susceptibilities. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.8: "Information about technical vulnerabilities of information systems in use shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities shall be evaluated, and appropriate measures taken to address the associated risk." Qualys provides continuous vulnerability intelligence, exposure assessment with QDS scoring, and remediation prioritization that implements A.8.8 requirements for technical vulnerability management. Source: ISO/IEC 27001:2022 Annex A.
CCM TVM-02: "Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly." CCM TVM-03: "Define and implement processes, procedures and technical measures for timely remediation of vulnerabilities." Qualys automated scanning schedules and VMDR remediation workflows directly implement CCM TVM controls for vulnerability detection and remediation. Source: CSA Cloud Controls Matrix v4.0.
Verification Commands
Commands and queries for testing and verifying security configurations.
POST /api/2.0/fo/scan/?action=launch&scan_title=Security_Scan&ip=10.0.0.0/24
GET /api/2.0/fo/asset/host/vm/detection/?action=list&truncation_limit=100
GET /api/2.0/fo/scan/?action=list&state=Running
GET /api/2.0/fo/report/?action=list&report_refs=qualys_top_vulnerabilities
GET /api/2.0/fo/knowledge_base/vuln/?action=list&details=All&cve_id=CVE-2024-XXXX
GET /api/2.0/fo/asset/host/vm/detection/?action=list&output_format=XML&severities=3,4,5
GET /api/2.0/fo/asset/group/?action=list
GET /api/2.0/fo/knowledge_base/vuln/?action=list&details=All&is_exploited=1
GET /api/2.0/fo/scan/compliance/pci/?action=list
Related Controls
Security controls from various frameworks that relate to Qualys VMDR.