Achieve an Authority to Operate (ATO) Faster Through Automation

Out With the Old

  • Scan computers with DISA or other SCAP scanners
  • Manually take scan results, put into STIGViewer for each scan, to create or update checklist CKL files
  • Track individual checklist files
  • Run patch scans on the operating system
  • Read reports on the screen or PDFs of scans to figure out what devices and patches to remediate across your infrastructure
  • Track the CCIs separately and work out how they map to RMF controls for the process, procedure, and policy questions (all manual checks) in yet another spreadsheet
  • Keep track of all the latest information across the whole team through various emails, Slack messages, text messages, meetings, video calls, and phone calls
  • Backup files in case of bad data or to trace history
  • Live in “Excel Hell” with multiple spreadsheets for disjointed data for SAR, RAR, SSP, POAM, vulnerability trends, data calls and trying to keep that up-to-date in real time
  • Have all your files in some kind of shared drive or configuration management system to track changes (hopefully)
  • Do all of this at least every 3 years, perhaps once a year, with a flurry of work in the few months before the deadline
Frustrated by the old (i.e. current for most groups) way of tracking ATO for RMF and FedRAMP

In With the New

  • Use the same scanning tools you already have, just combine the disjointed data through an integrated application with RBAC
  • Automate scans with the DISA, OpenSCAP, or Nessus SCAP scanner, and schedule Nessus/ACAS SCAP or Audit Compliance scans
  • Automate upload of the raw SCAP or Audit Compliance results, which are turned into checklists so the information stays up-to-date automatically (a.k.a. continuous monitoring)
  • Automate OS patch vulnerability scans with Nessus/ACAS patch scans
  • Automate ingest of those patch scans to track patch vulnerabilities in as near real time as possible
  • Automate software and container scans with tools like Micro Focus Fortify, SonarQube, Netsparker, Anchore, Sysdig and more
  • Automate ingesting those scan results to track ALL vulnerabilities affecting your system package for the ATO
  • Use pre-defined checklist templates for all manual checks for your NIST control families — Awareness and Training (AT), Incident Response (IR), Media Protection (MP), Physical and Environmental Protection (PE), Planning (PL), Program Management (PM), Personnel Security (PS), Risk Assessment (RA) and System and Services Acquisition (SA)
  • Create checklists from those templates listed above, fill them out easily through a web browser, and track them to ensure compliance for all the manual (a.k.a. not scannable) controls as well as those that can be scanned and automated
Reduce stress, automate to reduce time and money, trust your process for RMF and FedRAMP ATO
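The "automate upload of raw SCAP results" step above is where most of the manual STIGViewer work disappears, so here is a small added example (not code from OpenRMF or from the original post) of what that ingest looks like: parse an XCCDF 1.2 TestResult, the raw output of an OpenSCAP, DISA, or Nessus SCAP scan, map each rule-result to the STATUS values a STIG checklist (CKL) uses, and pull out the open findings and their CCIs for POA&M tracking. The XCCDF-to-CKL status mapping is this example's own assumption, and the sample scan result, host name, rule ids and CCIs are constructed for illustration.

```python
"""Added example, not code from OpenRMF or the original post: turn an XCCDF 1.2
TestResult (raw output of OpenSCAP, the DISA SCAP scanner, or Nessus SCAP scans)
into checklist statuses and an open-findings list. The mapping of XCCDF result
values to CKL STATUS strings below is this example's own assumption."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF <result> value -> STATUS value used in a DISA STIG checklist (CKL).
# Assumption: "fixed" (remediation applied and re-checked) counts as compliant,
# and anything the scanner could not evaluate is left for a human reviewer.
XCCDF_TO_CKL = {
    "pass": "NotAFinding",
    "fixed": "NotAFinding",
    "fail": "Open",
    "notapplicable": "Not_Applicable",
    "error": "Not_Reviewed",
    "notchecked": "Not_Reviewed",
    "notselected": "Not_Reviewed",
    "informational": "Not_Reviewed",
    "unknown": "Not_Reviewed",
}

# Constructed sample scan result; host, rule ids and CCIs are illustrative only.
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_os">
  <TestResult id="xccdf_example_testresult_os" start-time="2021-02-01T10:00:00"
              end-time="2021-02-01T10:02:00">
    <target>web01.example.internal</target>
    <rule-result idref="xccdf_example_rule_sshd_disable_root_login" severity="medium">
      <result>fail</result>
      <ident system="https://public.cyber.mil/stigs/cci/">CCI-000770</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_login_events" severity="high">
      <result>fail</result>
      <ident system="https://public.cyber.mil/stigs/cci/">CCI-000172</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_package_telnet_removed" severity="high">
      <result>pass</result>
      <ident system="https://public.cyber.mil/stigs/cci/">CCI-000381</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_minlen" severity="medium">
      <result>fixed</result>
      <ident system="https://public.cyber.mil/stigs/cci/">CCI-000205</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_grub2_password" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_patches_current" severity="high">
      <result>notchecked</result>
      <ident system="https://public.cyber.mil/stigs/cci/">CCI-002605</ident>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_test_result(xml_text):
    """Return (target host, list of findings) for the first TestResult in the file."""
    root = ET.fromstring(xml_text)
    test_result = root.find(".//x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element found")
    target = test_result.findtext("x:target", default="", namespaces=NS)
    findings = []
    for rr in test_result.findall("x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS).strip()
        # Only CCI identifiers matter for the RMF control mapping; ignore CCE etc.
        ccis = [i.text.strip() for i in rr.findall("x:ident", NS)
                if i.text and i.text.strip().startswith("CCI-")]
        findings.append({
            "rule": rr.get("idref", ""),
            "severity": rr.get("severity", "unknown"),
            "result": result,
            "status": XCCDF_TO_CKL.get(result, "Not_Reviewed"),
            "ccis": ccis,
        })
    return target, findings


def summarize(findings):
    """Count findings per CKL status: the per-scan snapshot you trend over time."""
    return dict(Counter(f["status"] for f in findings))


def open_items(findings):
    """Open findings, highest severity first: the raw material for POA&M entries."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for f in findings if f["status"] == "Open"),
                  key=lambda f: (order.get(f["severity"], 3), f["rule"]))


def open_ccis(findings):
    """Distinct CCIs with at least one open finding, for mapping back to RMF controls."""
    return sorted({cci for f in open_items(findings) for cci in f["ccis"]})


if __name__ == "__main__":
    host, results = parse_test_result(SAMPLE_RESULT)
    print(f"{host}: {summarize(results)}")
    for f in open_items(results):
        print(f"  OPEN [{f['severity']}] {f['rule']} {f['ccis']}")
    print("CCIs needing attention:", open_ccis(results))
```

Run against a real OpenSCAP or SCC results file the script gives you, per host and per scan, the same counts you would otherwise read off a PDF and retype into STIGViewer; storing each scan's summary keyed by host and date is what turns one-off scans into the trend history and automatic POA&M updates described below. A production ingest would also read the Benchmark's Rule definitions so that rules whose CCIs are only listed there (not repeated on the rule-result) still map to controls.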

What You Can Do Now

  • Automated ingest of scan results gives you history and trends over time
  • Have your POAM automatically update based on scan status and vulnerability changes
  • Generate compliance reports against all your data for all required RMF controls at the push of a button
  • Export CKLs where required for artifacts
  • Generate your SSP, SAR, RAR, and POAM in defined formats from your most up-to-date live data
  • See real-time information on your cyber compliance across manual processes, automated scans, policies, and procedures to make informed decisions
  • Track compliance with the click of a button
  • Have your cyber, network admin, system admin, developer, project manager, analysts, and even upper management go to one source-of-truth to get your information
  • Keep this automation going for true continuous monitoring and updated information for decision making
OpenRMF Professional v2.8 — Cyber Compliance Automation

Experience OpenRMF Professional For Yourself




CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
