A Cyber Compliance Automation Journey

Dale Bingham
6 min readFeb 9, 2024

--

Here is a simple foundational model to go from manual cyber compliance scans and review, to automation of review, to automation of scans, to integration, to full up automation and more. You build your solid foundation of automation from the ground up, automating tasks, freeing up resources and reducing your stress and blood pressure!

Build your cyber compliance automation in steps to create a strong foundation

Introduction and Why

Since 2004, Dave Gould and I have seen DITSCAP, DIACAP, RMF, FedRAMP, StateRAMP and more be used for cyber compliance frameworks. And the commonality going all the way back to the NAVEODTECHDIV in 2004 — people doing things manually! Whether it is scans, reports, data calls, compliance, or tracking their vulnerabilities it is a mix of checklists, XLSX files and more. Even today in 2024, 20 years later!!

In 2018 we said “Enough” and worked to create OpenRMF Professional.

But this article is not a history of our company.

This is us sharing results and success stories of how people are using automation to make cyber compliance less stressful, more automated, and easier to manage and use. And how they have freed up time to do better cyber hygiene on the way to more proactive cyber security.

And giving you a simple model to compare and use to move your team into your next phase of cyber compliance automation as well!

What we have seen after 3 years @soteriasoft

From 2021 onward we have seen a great adoption of OpenRMF Professional and the automation engine behind it. Whether in the US military services, federal agencies, federal contractors, local government groups as well as foreign military sales partners — all of them see the benefits of automation, consistency, and organization of their data with inherent collaboration.

Automatically tracking checklists and open vulnerabilities. Keeping track of changes. Generating compliance from scans and manual statements. Data calls. Exporting out results to government programs of record. And integrating into other applications to create a larger integrated suite of cyber solutions.

All the while collaborating across the whole team to know where you are at any given moment in time based on real scan data.

The concept of automating away tasks that are repeatable and useful, and giving back time to help organize and manage your infrastructure seems like a no-brainer. Because it is!

However, it does not stop there. We believe that is just a step in the right direction to create a solid foundation of automation, collaboration, and integration for your cyber compliance data. And having that foundation as a set of processes and data in your large cyber ecosystem.

Ways to automate tasks even further

If you see the image at the beginning of this article, you can see at the bottom foundational block at least doing compliance, patch, and other scans to get your data. Step 1. So at least you know where you are.

From there you build in OpenRMF Professional to ingest your types of SCAP, Tanium, Nessus, container, software, and other scans and you aggregate and automate around them to get a better picture of your entire cyber compliance data. And measure that against where you should be based on RMF, FedRAMP and other cyber compliance frameworks.

But it does not stop there…

Next, you build in automated reporting, compliance, data calls and more with our OpenRMF Professional API. And you can use example scripts from our public GitHub repo to help automate one more level. This gets your data in and out of OpenRMF Professional automatically. So you do not have yet ANOTHER silo-of-information.

With that in place, now it is time to automate your scans as well as get the results and push them into OpenRMF Professional. (FYI, we have a few great stories from customers doing this right now that we will be publishing in a different article.) Automate your SCAP, Audit Compliance, Patch, and other scans, get the results, and push into OpenRMF Professional via API. Whether this is via an infrastructure-as-code (IaC) pipeline or other glue code or scripts, it goes a step further for automation.

Now that you have more automation, it is time to plug into your other cyber and network infrastructure solutions to share data. To generate reports and dashboards. To snapshot your compliance and trends over time. To actively track cyber information. And use it for better hygiene and better cyber security. The latest term here is CSMA. Regardless of what you call it, there are benefits in doing this as well.

Automation is key in going from active cyber compliance to better hygiene to better cyber security

With all that in place, you can now use tools such as Terraform or other IaC solutions to build your infrastructure and push it out to your network. Then apply STIGs or other compliance settings to lock it down. Then run multiple scans and ingest results into OpenRMF Professional. And add it to your CM database, scanning routines, and more. All automated from the push of a button or trigger from an event listener.

And on it goes with the automation path. As you build your solid foundation you can add more pieces on the top. On the sides. Feed to other applications and systems. And actively track your information with automation and best-of-breed applications designed to do their job well.

Where we are heading at Soteria Software

You can see here our write-up on how our solution is different at Soteria Software.

We are heading toward even more automation and ingesting of additional native format data to help aggregate and give a better picture for your entire cyber compliance view. Whether that is reading in additional native compliance scans, patch scans, software scans, container scans, or cloud-based scanners we are adding more ways to pull in data and automate around it. And exporting out known good formats for your programs of record.

We are also improving the view of your data with device profiles, approved boundary PPS, and a few wizards to setup your compliance or show areas where you may be missing information.

We are also working to customize reports, dashboards, lists, and adding more bulk operations on editing and ingesting of data. All the while working with existing customers on those ephemeral assets with containers and clouds to track the impact and usage in their cyber compliance frameworks.

Another great area is our work with customers on direct integration with programs of record through our value added resellers, sales channel partners, as well as government personnel invested in a more automated future.

In addition, we are working toward additional solutions in our product suite to automate comparison of baselines. For approval workflows. For integrations with other mainstream applications for ingest, export, communication and collaboration. For rules and automated triggers.

And adding a plugin framework to extend our solutions for others to use.

Finally, we are adding a larger reporting engine into the mix for consuming massive amounts of data across all cyber framework data and other vulnerability data. All this to inform all levels of folks invested in a more secure connected world. And do it in a way that is easy to use, easy to digest, and easy to act on.

See For Yourself

Evaluate OpenRMF Professional for yourself and see how it helps you and your team perform better, structured cyber security processes. And track the where, who, why, how, and history behinds your system package evolution.

You can achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators and documentation specialists.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.

--

--

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft