FedRAMP Authorized — Moderate Impact
Qualys GovCloud by Qualys. 6 compliance features verified.
Impact Level: Moderate | Status: Authorized | Pricing: mid market
Authorization Date: October 18, 2017 | Sponsoring Agency: GSA
Overview
Qualys GovCloud provides FedRAMP Moderate authorized cloud-based security and compliance solutions including vulnerability management, policy compliance, and web application scanning. It offers a unified platform for IT security and compliance visibility across hybrid environments. The platform automates compliance assessments against government benchmarks.
How to Procure Qualys GovCloud for Defense Contracts
Qualys GovCloud is available through GSA Multiple Award Schedule (MAS) under SIN 518210C (IT Professional Services) and SEWP V contracts. Government pricing typically reflects a 20-30% discount from commercial rates, with volume discounts for enterprise licenses exceeding 10,000 assets. The authorization boundary encompasses the Qualys cloud platform, scanning engines, and management console. Contracting officers must ensure customer data handling agreements align with agency classification levels. Required documentation includes the FedRAMP security package, customer responsibility matrix (CRM), and incident response procedures. The standard procurement timeline spans 90-120 days, including technical evaluation, security review, and ATO documentation. For CMMC assessments, include Qualys GovCloud within your assessment boundary as a critical security control provider supporting vulnerability management (AC.L2-3.1.18), system monitoring (AU.L2-3.3.1), and configuration management (CM.L2-3.4.6). Ensure contractual language addresses data location requirements, encryption in transit and at rest, and audit log retention periods. The service supports continuous monitoring requirements and can integrate with existing security orchestration platforms.
Compliance Cross-References
Qualys GovCloud's FedRAMP Moderate authorization directly supports DFARS 252.204-7012 safeguarding requirements by providing vulnerability scanning (3.11.2), security assessment capabilities (3.11.3), and audit logging (3.3.1-3.3.9). For DFARS 252.239-7010 cloud computing compliance, the platform maintains required security controls, incident response capabilities, and data location restrictions within CONUS. NIST 800-171 control families are comprehensively addressed: Access Control (AC) through role-based scanning permissions, System and Communications Protection (SC) via encrypted data transmission and storage, and Audit and Accountability (AU) through detailed vulnerability and compliance reporting. CMMC Level 2 domain alignment includes Asset Management (AM) for inventory discovery, Vulnerability Management (RA) for risk assessment and remediation tracking, and Situational Awareness (SA) for continuous monitoring. The platform's DoD Cloud Computing SRG IL2 authorization ensures appropriate security controls for CUI processing, including data segregation, encryption standards, and personnel security requirements essential for defense contractors.
Defense Contractor Use Case
Defense contractors use Qualys GovCloud for vulnerability management and compliance auditing, generating automated reports for CMMC assessments and continuous monitoring requirements.
Frequently Asked Questions
What is the FedRAMP authorization level for Qualys GovCloud?
Qualys GovCloud is authorized at the FedRAMP Moderate impact level, with authorization granted on 2017-10-18 sponsored by GSA. The FedRAMP Moderate baseline includes approximately 325 security controls covering confidentiality, integrity, and availability.
Can defense contractors use Qualys GovCloud for CUI?
Qualys GovCloud is authorized at the FedRAMP Moderate baseline. While FedRAMP Moderate covers a broad range of government data, defense contractors handling CUI should carefully evaluate whether Moderate controls meet their specific DFARS 252.204-7012 and NIST 800-171 requirements. Some CUI categories may require FedRAMP High authorization depending on the sensitivity of the data and contract requirements.
How does Qualys GovCloud pricing compare to commercial?
Qualys GovCloud government pricing is generally competitive with commercial pricing, though the government edition may carry a premium of 10-20% to cover FedRAMP compliance and dedicated infrastructure costs. Mid-market organizations can often access government pricing through GSA Schedule contracts or reseller partners. Contact Qualys for a quote tailored to your organization size and requirements.