The UCF® Announces UCFinterchange to Support Cybersecurity

September 24, 2013 | News/Articles

Las Vegas, NV - September 24, 2013 - Unified Compliance, the premier provider of IT compliance mapping and creators of the Unified Compliance Framework® (UCF), announced UCFinterchange (UCFi) at the PCI Security Standards Council 2013 Community Meeting.

Developed to support new global security regulatory demands as well as the U.S. Cybersecurity Initiative, UCFi enables Secure Configuration Management (SCM) and Configuration Auditing (CA) tools to communicate directly with Governance, Risk and Compliance (GRC) tools for security and compliance monitoring and reporting.

Continuous monitoring enables real-time response to new security threats and compliance demands. Without an interchange format such as the UCFi, continuous monitoring and cybersecurity are siloed operations, incapable of communicating in a meaningful way. This isolation approach has proven to be ineffective in securing systems, as well as being costly, unnecessarily complex, and time-consuming.

“We fully expect UCFi to have an impact on all aspects of the compliance industry. When something that saves significant time, costs, and effort becomes possible and is then implemented by industry leaders, regulators move to adopt those requirements and insist the features be included in solutions so they can also get those results,” said Craig Isaacs, CEO of Unified Compliance.

At this time, participating UCF partners include Qualys®, LockPath, MetricStream, NetIQ®, RSA Archer®, Allgress, BWise®, CAaNES®, eGestalt Technologies, Lumension®, TraceSecurity, and Wolters Kluwer.

Inside The UCFi

The systems that run many nations’ critical infrastructure -- such as the electric grid, drinking water, airports, trains, and other transportation systems -- are increasingly networked. As with any networked system, these systems are potentially vulnerable to a wide range of threats. Protecting these systems from cyber threats is obviously critical to maintaining safety, essential public services, the economy, and homeland security.

In 2013, U.S. President Obama signed an Executive Order designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. A key part of that initiative is the set of guidelines calling for continuous monitoring and auditing of these essential, intricate networked systems.

Cybersecurity guidelines such as FedRAMP, CAESARS, and SAIR Tier III in the US, as well as an increasing number of global cybersecurity initiatives such as the BSI Act in Germany and CIP/CIIP in Australia, all call for Secure Configuration Management (SCM) and Configuration Auditing (CA) tools to communicate directly with Governance, Risk and Compliance (GRC) tools.

The UCFinterchange (UCFi) format facilitates that communication.

UCFi consists of a guideline set of XML specifications that allow UCF XML licensees to share information between Governance, Risk and Compliance (GRC) tools and Secure Configuration Management (SCM) or Configuration Auditing (CA) tools, using the existing UCF data structures and content.

UCFi is slated to go live in early 2014.

“The UCF is best known for making compliance with regulatory demands much easier,” said Isaacs. “But we’ve been enabling more effective security processes as well. UCFi is a great example of how compliance supports cybersecurity and vice-versa. When UCF developers leverage UCFi, their customers will be able to automatically apply any audits to any systems in the enterprise -- and then maintain those audits through continuous monitoring. It's win-win."

UCF Partners Show Their Support

Qualys®

“Unified Compliance Framework has built a comprehensive compliance database that unifies controls across all authority documents, thus simplifying and centralizing compliance efforts,” said Philippe Courtot, chairman and CEO for Qualys. “With the integration of the UCF into QualysGuard®, customers are now able to quickly map technical standards to their internal policies or regulations and report on them through QualysGuard and GRC solutions."

LockPath
"The UCF has become an integral part of IT GRC initiatives. As Unified Compliance continues to innovate, its UCFi format will enable GRC platforms like Keylight to form a deeper and more meaningful relationship within IT GRC ecosystems,” said Chris Caldwell, LockPath CEO. “This important context will benefit our customers who have adopted the UCF by providing powerful data correlation, enabling them to make better and faster business decisions."

MetricStream
“When deploying a GRC solution, mapping policy and regulatory requirements to security configurations for continuous monitoring requires significant effort. UCFi provides the first standards-based approach where security configurations can be directly mapped back to policy and regulatory requirements in an automated manner,” said Vasant Balasubramanian, VP of Product Management at MetricStream. “MetricStream is delighted to work on this important initiative as we are witnessing a growing demand from customers for this. UCFi will enable our solutions to seamlessly exchange information with solutions like NetIQ and Qualys to provide real-time visibility into the state of information security and compliance related risks while keeping up with evolving regulations and standards.”

NetIQ®
“Given the complexity of today’s IT environments and regulatory landscape, IT organizations need visibility – derived from consistent, actionable intelligence – so that they can accurately report on business risk,” commented Michael Colson, senior product manager at NetIQ. “Participating in the UCF interchange ensures that we further our mission of helping IT demonstrate business value in a consistent manner across the IT domain. By standardizing how we report data the business uses to make decisions, organizations will be in a more advantageous position to manage risk, better understand security, and meet compliance demands.”

Allgress
“The information security industry is going through a major paradigm shift today from IT security centric organizations to risk management organizations. This requires CISOs and security leadership to work with business owners to automate their continuous monitoring efforts. Allgress is delighted to be part of the introduction and ongoing evolution of the UCFi initiative with Unified Compliance, the industry authority in IT compliance mapping. UCFi further extends unifying the interchange of configuration data along with standards, frameworks, best practices in a common way so that business leaders can make educated decisions when used in conjunction with the Allgress Insight Risk Management Suite,” said Gordon Shevlin, CEO at Allgress, Inc.

BWise®
“The BWise® GRC Platform is designed to cover all aspects of a company’s GRC needs: tracking, measuring, and managing key organizational risks. By integrating the UCF, BWise customers can easily select the set of regulations that it must comply with and immediately execute IT controls,” said Luc Brandts, CTO and Founder of BWise, a NASDAQ OMX company. “UCFi combined with BWise Data Analytics for Continuous Monitoring and Continuous Auditing provides even more value by enabling information sharing between our GRC platform and Secure Configuration Management or Configuration Auditing tools. This provides even more accurate and immediate risk reporting and auditing.”

CAaNES®
“RiskSense® is one of the first risk prioritization and attack mitigation platforms to leverage the power of UCFi to provide contextual awareness and address compartmentalized and silo approaches to risk management,” said Mark Fidel, president of CAaNES. “RiskSense facilitates communication between all levels of an organization, from upper management to IT technicians, providing users with a holistic and succinct assessment of their security posture and risks. Leveraging the power of UCFi, RiskSense automates a portion of the compliance process, easing the burden at all levels of an organization so users have more time to focus on improving their security posture.”

eGestalt Technologies
“We welcome the UCFi initiative from Unified Compliance,” said Anupam Sahai, eGestalt Co-Founder and President. “This aligns quite well with eGestalt’s vision to provide a unified security monitoring and compliance management solution through an easy-to-use cost-effective Cloud-SaaS solution. We like the ability of UCFi to help promote the interoperability of various GRC and Security monitoring tools, thereby benefiting the end customers. eGestalt is an SMB market leader in IT-GRC and security monitoring and this initiative will help us to further solidify our ability to better serve our customers through interoperability with other solution(s).”

Lumension®
“Lumension® Risk Manager consolidates multiple sources of IT risk information and correlates this assessment data across all IT assets, providing trending analysis and security posture scores,” said Chris Andrew, Vice President, Security Technologies, Lumension. “UCFi integration is a welcome addition for LRM and Lumension® Endpoint Management and Security Suite customers because it further streamlines the compliance process and increases overall visibility.”

TraceSecurity
“TraceCSO was built with open architecture to accommodate the integration of other technologies and point solutions. The UCFi aligns with this long-term strategic vision for TraceCSO, our flagship IT GRC software solution, and gives TraceSecurity the ability to expedite integration with other UCF-based systems, eliminating the need for complicated data model adaptation,” said Peter Stewart, president and CEO of TraceSecurity. “We see the UCFi as an essential addition to our TraceCSO toolset for enabling customers to realize more effective IT GRC programs in their organizations.”

Wolters Kluwer
“Our customers value the UCF’s integrated and harmonised control content and will welcome an initiative such as UCFi, that will simplify the process of integrating information from the systems used to define, manage and monitor cybersecurity with their ARC Logics risk and compliance platform,” said Mike MacDonagh, Content Director, Enterprise Risk and Compliance.

About Unified Compliance and the UCF

Since 1992, Unified Compliance has developed ground-breaking tools to support IT best practices, with a focus on solutions and processes that further the science of compliance, including harmonization methods, metrics, systems continuity and governance. The UCF was created by Dorian Cougias and his research partner, Marcelo Halpern of the international law firm Perkins Coie, which oversees all legal aspects of the UCF. More information can be found at

About the Science of Compliance

By applying the scientific method to compliance -- rigorously testing best practices and methodologies as well as analyzing and organizing information into a rational format – Unified Compliance has developed a logical approach to IT compliance that reduces cost, limits liability, simplifies the compliance process and leverages the value of related technologies and services across the enterprise.

About Qualys®

Qualys, Inc. (NASDAQ: QLYS), is a pioneer and leading provider of cloud security and compliance solutions with over 6,000 customers in more than 100 countries, including a majority of each of the Forbes Global 100 and Fortune 100. The QualysGuard® Cloud Platform and integrated suite of solutions help organizations simplify security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating the full spectrum of auditing, compliance and protection for IT systems and web applications. Founded in 1999, Qualys has established strategic partnerships with leading managed service providers and consulting organizations, including Accuvant, BT, Dell SecureWorks, Fujitsu, NTT, Symantec, Verizon, and Wipro. The company is also a founding member of the Cloud Security Alliance (CSA).

About LockPath

LockPath solves the most complex problems involving governance, risk management and compliance programs. Experience from working with companies of all sizes has shaped the Keylight platform into an effective solution for top professionals seeking clearer points-of-view and streamlined processes. The Keylight platform empowers organizations to make better and faster business decisions by connecting people, processes, and technology.

About MetricStream

MetricStream is a market leader in Enterprise-wide Governance, Risk, and Compliance (GRC) Management Solutions for global corporations. MetricStream solutions are used by leading corporations in diverse industries such as Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-tech and Manufacturing to manage their information security and risk management programs, business continuity programs, regulatory and industry-mandated compliance and corporate governance initiatives, as well as several million compliance professionals worldwide via the portal. MetricStream is headquartered in Palo Alto, California and can be reached at

About NetIQ®

NetIQ is a global, enterprise software company with a relentless focus on customer success. Our portfolio includes scalable, automated solutions for Identity, Security, Access, Governance, Systems and Application, Service, and Workload Management that help organizations securely deliver, measure and manage computing services across physical, virtual and cloud computing environments.

About Allgress

Since 2008, Allgress has been enabling enterprise risk and security professionals to apply business context to technically oriented security management so senior management can make informed investment decisions that align with top business priorities more quickly and with less complexity. We provide Global 2000 organizations the insight to communicate and manage their risk posture in context so they can evaluate the cost vs. benefit of remediating enterprise risks, security, and compliance. Unlike other risk management solutions, Allgress customers derive value in days instead of months by streamlining implementation, automating manual tasks and providing operationally efficient visual management of the entire risk, security, and compliance management process without an army of consultants.

About BWise®

BWise®, acquired by NASDAQ OMX in 2012, supports organizations to track, measure and manage key organizational risks using the BWise® GRC Platform. BWise is positioned in the Leaders Quadrant of Gartner’s 2012 Magic Quadrant for Enterprise Governance, Risk and Compliance (GRC) Platforms.

About CAaNES®

CAaNES® offers products and services to proactively prevent damage from targeted attacks and solve complex security problems by providing automated, qualitative and quantitative indicators to identify, evaluate, prioritize, remediate, attribute, and mitigate known risks, and address unknown risks when they arise. RiskSense® provides a platform for continuous diagnostics and mitigation of vulnerabilities by aggregating and analyzing data from over 20 industry leading security scanners into a single, unified interface. RiskSense® prioritizes remediation actions by correlating attack data in near real-time with required compliance regulations in a targeted manner, allowing customers to fix the worst problems first.

About eGestalt Technologies

eGestalt is a world-class, innovation driven, leading provider of cloud-computing based enterprise solutions for information security and IT-GRC management. eGestalt is headquartered in Santa Clara, CA, and has offices in the US, Asia-Pacific and Middle East. eGestalt was named a 2013 'Emerging Vendor' by CRN and UBM Channel in July 2013. eGestalt was named the Winner of TiE50 2013, a prestigious award for enterprising technology startups worldwide, May 2013. eGestalt SecureGRC was given a rating of 4.5 stars (out of a maximum 5) with 5 stars for Features, Support and Value for money by SC magazine in June 2012. In Feb. 2012 and 2013, eGestalt President Anupam Sahai was named a Channel Chief by Everything Channel's CRN. eGestalt has been ranked in the Top 10 Vendors for Compliance Management and Data Access & Security by Hypatia Research, Q4 2011.

About Lumension®

Lumension Security, Inc., a global leader in endpoint management and security, develops security software solutions that help businesses protect vital information and manage critical risk across network and endpoint assets. Lumension delivers an award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings. Learn more at

About TraceSecurity

TraceSecurity, a leading pioneer in cloud-based security solutions, provides IT governance, risk and compliance (GRC) management solutions. The company’s cloud-based services help organizations achieve, maintain, and demonstrate security compliance while significantly improving their security posture. With more than 1,500 customers, TraceSecurity supports the security and risk management efforts of organizations in financial services, healthcare, high-tech, insurance, government, education and other regulated sectors. Founded in 2004, the company has executive offices in Silicon Valley and offices in Baton Rouge, LA. For more information, call (225) 612-2121 or visit

About Wolters Kluwer

Wolters Kluwer enables legal, tax, finance, and healthcare professionals to be more effective and efficient. We provide information, software, and services that deliver vital insights, intelligent tools, and the guidance of subject-matter experts. We create value by combining information, deep expertise, and technology to provide customers with solutions that improve their quality and effectiveness. Professionals turn to us when they need actionable information to better serve their clients. Our 175+ years of history stretch across many geographies and areas of expertise. Our revenue is spread globally with 6% coming from fast-growing, emerging markets, 40% from Europe, and 54% from North America.