5 Ways to Build your Compliance Checklists

Dale Bingham
5 min read · Jun 3, 2024


There are 5 different ways you can build your compliance checklists in OpenRMF Professional. They are outlined below with explanations and use cases. This gives you and your team flexibility in how you create your accreditation package, no matter which step of the process you are currently working on.

It also helps you make sure you did not miss scanning, or locking down, something on your network.

OpenRMF Professional v2.10 Dashboard

Uploading Scans or Checklist Files

The first and most obvious way is to upload your checklist / scan result files into your System Package from one of the following types:

  • CKL from Evaluate-STIG or STIGViewer
  • SCAP XCCDF XML results from SCAP scanners
  • Audit Compliance (*.nessus) scan results
  • Tanium SCAP (*.csv) results

When you upload your files via the GUI or API, you build your checklists and compliance within your System Package.

From there you generate your POAM, generate compliance, track vulnerabilities, and start to see ways for proper cyber hygiene.

Upload SCAP results, CKL files, Tanium CSV or Nessus Audit Compliance results into your System Package
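To show what "generate compliance" from an uploaded SCAP result file boils down to, here is an added example (not OpenRMF Professional's code) that parses a minimal XCCDF 1.2 result document, tallies each rule result into pass / open / needs-review / excluded, and lists the failed rules by severity as raw material for a POAM. The XML sample, the rule ids and the tally convention (how `notchecked`, `error` and `notapplicable` are treated) are all constructed for this example; real scanner output carries far more metadata.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of the XCCDF 1.2 standard, which SCAP result files use.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: a minimal XCCDF TestResult, not output from any real scanner.
# Rule ids are placeholders in the XCCDF id style, not real STIG rule ids.
SAMPLE_XCCDF = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo">
    <target>host01.example.lab</target>
    <rule-result idref="xccdf_example_rule_0001" severity="high"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_0002" severity="high"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_0003" severity="medium"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_0004" severity="medium"><result>notchecked</result></rule-result>
    <rule-result idref="xccdf_example_rule_0005" severity="low"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_0006" severity="low"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>
"""

# This example's own convention for folding XCCDF result values into a tally.
# "review" means the scanner could not decide, so a person has to check the rule.
STATUS_MAP = {
    "pass": "pass", "fixed": "pass",
    "fail": "open",
    "notchecked": "review", "error": "review", "unknown": "review",
    "notapplicable": "excluded", "notselected": "excluded", "informational": "excluded",
}

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def parse_xccdf_results(xml_text):
    """Return one dict per rule-result: target host, rule id, severity, raw result."""
    root = ET.fromstring(xml_text)
    rows = []
    for test_result in root.iter(f"{{{XCCDF_NS['x']}}}TestResult"):
        target_el = test_result.find("x:target", XCCDF_NS)
        target = (target_el.text or "").strip() if target_el is not None else ""
        for rr in test_result.findall("x:rule-result", XCCDF_NS):
            result_el = rr.find("x:result", XCCDF_NS)
            raw = (result_el.text or "").strip().lower() if result_el is not None else "unknown"
            rows.append({
                "target": target,
                "rule": rr.get("idref", ""),
                "severity": rr.get("severity", "unknown"),
                "result": raw,
            })
    return rows


def compliance_summary(rows):
    """Tally rule results and compute a compliance percentage over assessed rules.

    Excluded rules (not applicable / not selected / informational) are left out of
    the denominator; rules needing review count against compliance until resolved.
    """
    tally = Counter(STATUS_MAP.get(r["result"], "review") for r in rows)
    assessed = tally["pass"] + tally["open"] + tally["review"]
    percent = round(100.0 * tally["pass"] / assessed, 1) if assessed else 0.0
    return {
        "pass": tally["pass"],
        "open": tally["open"],
        "review": tally["review"],
        "excluded": tally["excluded"],
        "compliance_percent": percent,
    }


def open_findings(rows):
    """Failed rules, highest severity first: the starting point for POAM entries."""
    failed = [r for r in rows if STATUS_MAP.get(r["result"]) == "open"]
    return sorted(failed, key=lambda r: (SEVERITY_ORDER.get(r["severity"], 99), r["rule"]))


if __name__ == "__main__":
    rows = parse_xccdf_results(SAMPLE_XCCDF)
    print(compliance_summary(rows))
    for finding in open_findings(rows):
        print(f"{finding['target']}: {finding['rule']} ({finding['severity']}) is open")
```

The point worth noticing is the `review` bucket: a `notchecked` rule is not a pass, and a tool that silently drops it inflates the compliance figure. Whatever convention your package uses, it should be written down and applied the same way to every uploaded file.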

Applicability Wizard

The second way is the new Applicability Wizard introduced in version 2.10 of OpenRMF Professional. Enter your device or host name, then go through the wizard and click the “Add” button on each checklist that applies:

  • Operating System checklists
  • Device (Router, Firewall, etc.) checklists
  • Application (General, Microsoft, Web Server, Database, etc.) checklists
  • Custom checklists (made within OpenRMF Professional)

When done selecting the checklists to add, click the “Create” button and all checklists added are created in your System Package.

From there you generate your POAM, generate compliance, track vulnerabilities, and start to see ways for proper cyber hygiene.

Create Checklists from templates using the Applicability Wizard

Upload Patch Scans, then Missing Checklist Wizard

Another new feature in v2.10 of OpenRMF Professional is the Missing Checklist Wizard.

Run your credentialed patch scans (Nessus / ACAS, Rapid7); a credentialed scan also picks up the installed applications. Load the results into your System Package to populate the patch vulnerabilities, hardware listing, PPSM, and the software listing found on each device.

From the Hardware screen you can select the devices and choose “Run Missing Checklist Wizard” from the bulk menu. It searches all software loaded for those devices and compares it to the checklist templates available within OpenRMF Professional.

Upload credentialed patch scans, then select devices and run the Missing Checklist Wizard

If there is a match, it suggests the checklist templates you can choose to add. Check the appropriate results and click the “Add Checklists” button.

From there you generate your POAM, generate compliance, track vulnerabilities, and start to see ways for proper cyber hygiene.

Software List Upload, then Missing Checklist Wizard

The other way to use the new Missing Checklist Wizard is to load the software listing for your accreditation package. You can do this one entry at a time with the “Add” button, or upload a properly formatted XLSX, JSON, or CSV file to load the software along with its hostname/device.

Now, from the Hardware screen, select the devices and choose “Run Missing Checklist Wizard” from the bulk menu. It searches all software loaded for your System Package and compares it to the checklist templates available within OpenRMF Professional.

Add/Upload software listing, then select devices and run the Missing Checklist Wizard

If there is a match, it suggests the checklist templates you can choose to add. Check the appropriate results and click the “Add Checklists” button.

From there you generate your POAM, generate compliance, track vulnerabilities, and start to see ways for proper cyber hygiene.
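Both Missing Checklist Wizard workflows above (software discovered by a credentialed patch scan, and a software listing uploaded by hand) come down to the same step: match each installed product against the catalog of checklist templates, drop the templates a device already has, and surface anything that matched nothing. The block below is an added example of that matching logic, not OpenRMF Professional's own implementation. The template catalog, its name patterns, the CSV column layout (`hostname,software,version`) and the sample inventory are all constructed for this example; the page does not describe the real upload format.

```python
import csv
import io
import re

# Constructed catalog of checklist templates. Names are illustrative and the
# product patterns are this example's own, not OpenRMF Professional's catalog.
CHECKLIST_CATALOG = [
    {"template": "Windows Server 2022 STIG", "pattern": r"windows server 2022"},
    {"template": "IIS 10.0 Server STIG", "pattern": r"\biis\b.*\b10\."},
    {"template": "PostgreSQL 9.x STIG", "pattern": r"postgresql 9\."},
    {"template": "Apache 2.4 UNIX Server STIG", "pattern": r"apache.*\b2\.4"},
    {"template": "Chrome Current Windows STIG", "pattern": r"google chrome"},
    {"template": "Red Hat Enterprise Linux 8 STIG", "pattern": r"red hat enterprise linux 8"},
]

# Constructed software listing in an assumed CSV layout (hostname,software,version).
# The page does not specify the real upload columns; this layout is an assumption.
SAMPLE_SOFTWARE_CSV = """hostname,software,version
web01,Microsoft Windows Server 2022 Standard,10.0.20348
web01,Microsoft IIS,10.0
web01,Google Chrome,125.0.6422
db01,Red Hat Enterprise Linux,8.9
db01,PostgreSQL,9.6
db01,Custom LOB App,3.1
"""

# Checklists already present per device in the (constructed) System Package.
EXISTING_CHECKLISTS = {"web01": {"Windows Server 2022 STIG"}}


def load_inventory_csv(text):
    """Parse the assumed hostname,software,version layout into inventory rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        {"host": r["hostname"].strip(), "name": r["software"].strip(), "version": r["version"].strip()}
        for r in reader
    ]


def suggest_missing_checklists(inventory, existing, catalog=CHECKLIST_CATALOG):
    """Return (suggestions per host, software that matched no template).

    A template is suggested for a host when some installed product matches its
    pattern and the host does not already carry that checklist. Products that
    match nothing are returned separately: they are the coverage gap a reviewer
    should look at, because no checklist will ever be generated for them.
    """
    suggestions = {}
    unmatched = []
    for item in inventory:
        text = f"{item['name']} {item['version']}".lower()
        hits = [c["template"] for c in catalog if re.search(c["pattern"], text)]
        if not hits:
            unmatched.append((item["host"], item["name"]))
            continue
        already = existing.get(item["host"], set())
        for template in hits:
            if template not in already:
                suggestions.setdefault(item["host"], set()).add(template)
    return {host: sorted(templates) for host, templates in suggestions.items()}, unmatched


if __name__ == "__main__":
    inventory = load_inventory_csv(SAMPLE_SOFTWARE_CSV)
    suggested, gaps = suggest_missing_checklists(inventory, EXISTING_CHECKLISTS)
    for host, templates in suggested.items():
        print(f"{host}: add {', '.join(templates)}")
    for host, software in gaps:
        print(f"{host}: no checklist template matches '{software}'")
```

The unmatched list is the part a human should read most carefully: an in-house application or an unusual product with no template still needs a custom checklist, and a wizard that only reports matches will not remind you of that.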

Upload Scans or Checklist Files through Team Subpackages

Finally, you can use our unique Team Subpackage concept to have separate teams load their checklist files into your overall System Package from one of the following types:

  • CKL from Evaluate-STIG or STIGViewer
  • SCAP XCCDF XML results from SCAP scanners
  • Audit Compliance (*.nessus) scan results
  • Tanium SCAP (*.csv) results

When they upload their files into their specific area via the GUI or API, they build out their own checklists for the Team Subpackage. At the same time, they build your checklists and compliance within your overall System Package.

From there you generate your POAM, generate compliance, track vulnerabilities, and start to see ways for proper cyber hygiene.

Upload SCAP results, CKL files, Tanium CSV or Nessus Audit Compliance results into your Team Subpackage

See For Yourself!

This is a glimpse into the many ways teams like yours are tracking their accreditations with OpenRMF Professional to make their lives easier.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team run better-structured RMF processes, and track the where, who, why, how, and history behind your RMF package's evolution.

You can achieve a faster ATO through automation, with consistent, repeatable results, using the same team, and with a LOT LESS stress on them! It lets your cyber engineers be engineers, not cyber administrators and documentation specialists.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, and YouTube videos, or schedule a demo or a quick conversation about your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.


Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft