Achieve an Authority to Operate (ATO) Faster Through Automation

Out With the Old

The old way of achieving an ATO is what most groups have been doing for the past 15+ years, with some band-aids and patchwork applied to pieces of the process to make them better. It is what most organizations have told us they are still doing during our conversations and demos with them over the past year or more.

  • Scan computers with DISA or other SCAP scanners
  • Manually take scan results, put into STIGViewer for each scan, to create or update checklist CKL files
  • Track individual checklist files
  • Run patch scans on the operating system
  • Read reports on the screen or PDFs of scans to figure out what devices and patches to remediate across your infrastructure
  • Track separate CCIs and know how they relate to RMF controls for the process, procedure, and policy questions (all manual checks) in yet another spreadsheet
  • Keep track of all the latest information across the whole team through various emails, Slack messages, text messages, meetings, video calls, and phone calls
  • Back up files in case of bad data or to trace history
  • Live in “Excel Hell” with multiple spreadsheets for disjointed data for SAR, RAR, SSP, POAM, vulnerability trends, data calls and trying to keep that up-to-date in real time
  • Have all your files in some kind of shared drive or configuration management system to track changes (hopefully)
  • Do this at least every 3 years, maybe 1 time a year, with a flurry of work done a few months before the deadline
Frustrated by the old (i.e. current for most groups) way of tracking ATO for RMF and FedRAMP

In With the New

What does the new way to achieve an ATO and maintain that status involve? In a word: automation!

  • Use the same scanning tools you already have, just combine the disjointed data through an integrated application with RBAC
  • Automate scans with the DISA / OpenSCAP / Nessus SCAP scanners and schedule Nessus/ACAS SCAP or Audit Compliance scans
  • Automate the upload of raw SCAP or Audit Compliance results so they are turned into checklists and keep that information up-to-date automatically (a.k.a. continuous monitoring)
  • Automate OS patch vulnerability scans with Nessus/ACAS patch scans
  • Automate ingest of those patch scans to track patch vulnerabilities in as near real time as possible
  • Automate software and container scans with tools like MicroFocus Fortify, SonarQube, Netsparker, Anchore, Sysdig and more
  • Automate ingesting those scan results to track ALL vulnerabilities affecting your system package for the ATO
  • Use pre-defined checklist templates for all manual checks for your NIST control families — Awareness and Training (AT), Incident Response (IR), Media Protection (MP), Physical and Environmental (PE), Security Planning and Policy (PL), Program Management (PM), Personnel Security (PS), Risk Assessment (RA) and System and Services Acquisition (SA)
  • Create checklists from those templates listed above, fill them out easily through a web browser, and track them to ensure compliance for all the manual (a.k.a. not scannable) controls as well as those that can be scanned and automated
Reduce stress, automate to reduce time and money, trust your process for RMF and FedRAMP ATO
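As an added illustration of the ingest step described above (example code written for this article, not OpenRMF's own code), the Python below reads an XCCDF scan result as a SCAP scanner emits it, maps each rule outcome to the STATUS values a STIG checklist (CKL) uses, summarizes the checklist, and diffs two ingests so history can be tracked. The XML, host name and rule IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of an XCCDF 1.2 TestResult as a SCAP scanner would produce
# (one pass, one fail, one not applicable, one not checked). Rule IDs are placeholders.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark">
  <TestResult id="xccdf_example_testresult_1">
    <target>host-example-01</target>
    <rule-result idref="xccdf_example_rule_SV-000001r1_rule"><result>pass</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-000002r1_rule"><result>fail</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-000003r1_rule"><result>notapplicable</result></rule-result>
    <rule-result idref="xccdf_example_rule_SV-000004r1_rule"><result>notchecked</result></rule-result>
  </TestResult>
</Benchmark>"""

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# XCCDF result values mapped to the STATUS values used in a STIG checklist (CKL).
# Anything else (notchecked, error, unknown, ...) stays a manual review item.
RESULT_TO_CKL_STATUS = {
    "pass": "NotAFinding",
    "fail": "Open",
    "notapplicable": "Not_Applicable",
}


def checklist_from_xccdf(xml_text):
    """Return (target host, {rule_id: ckl_status}) for one scan result."""
    root = ET.fromstring(xml_text)
    result = root.find("x:TestResult", NS)
    target = result.findtext("x:target", default="", namespaces=NS)
    statuses = {}
    for rr in result.findall("x:rule-result", NS):
        outcome = rr.findtext("x:result", default="", namespaces=NS).strip()
        statuses[rr.get("idref")] = RESULT_TO_CKL_STATUS.get(outcome, "Not_Reviewed")
    return target, statuses


def summarize(statuses):
    """Count checklist items per status, e.g. for a compliance dashboard."""
    return dict(Counter(statuses.values()))


def diff_scans(previous, current):
    """Rules whose status changed (or are newly seen) between two ingested scans."""
    return {rule: (previous.get(rule, "Not_Reviewed"), status)
            for rule, status in current.items() if previous.get(rule) != status}
```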

What You Can Do Now

Now that you have automated a lot of data generation and the process to group it and relate it across your entire system package, you can track and correlate all that data against your RMF or FedRAMP compliance needs in OpenRMF Professional quickly and easily:

  • Automated ingest of scan results = tracking history and trends over time
  • Have your POAM automatically update based on scan status and vulnerability changes
  • Push-button compliance generated against all data for all required RMF controls easily
  • Export CKLs where required for artifacts
  • Generate your SSP, SAR, RAR, and POAM in defined formats from your most up-to-date live data
  • See real-time information on your cyber compliance across manual processes, automated scans, policies, and procedures to make informed decisions
  • Track compliance with the click of a button
  • Have your cyber, network admin, system admin, developer, project manager, analysts, and even upper management go to one source-of-truth to get your information
  • Keep this automation going for true continuous monitoring and updated information for decision making
OpenRMF Professional v2.8 — Cyber Compliance Automation

Experience OpenRMF Professional For Yourself

Soteria Software’s OpenRMF Professional is revolutionizing the way you track RMF, FedRAMP and Cyber Compliance through automation! Whether you are tracking RMF and FedRAMP right now by itself, automating in a DevSecOps process, need a cyber compliance engine for your Software Factory or are even migrating on premise to cloud infrastructure — OpenRMF Professional can help ease the workload and get you there faster.

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft