Find Missing Checklists in your ATO or Accreditation Package Easily
Do you want to find out whether you have everything for your ATO or assessment? Or did your assessor find things on your systems that you did not know about, and you want to make sure that does not happen again? Use these four ways to find and track missing compliance data, vulnerabilities, and hidden software, and enable you and your team to practice proper cyber hygiene.
Impact for Missing Checklists
Why search for this data? Two recent customer examples show why.
Our first customer was tracking a number of MS Windows workstations, servers, and devices and was coming up on their ATO. They had all vulnerabilities tracked and checked, mitigations in place, the POAM updated, compliance scans run, and they knew where they stood.
Or so they thought!
They highlighted several workstations as a sanity check and ran our OpenRMF Professional missing checklist wizard. What they found shocked them!
They had Skype 2016 installed on every single workstation! The software image they push out to workstations had it installed by mistake (someone forgot to uncheck it during the initial baseline installation), and they knew nothing about it.
No GPO or script to lock it down. No Ansible to tighten its configuration. Nothing in their software bill of materials (BOM). And nothing on their radar to track Skype vulnerabilities.
That is a problem!
They fixed it by initially running scans, loading them to create up-to-date checklists in their system package, and tracking compliance for Skype across their 320+ workstations as a stopgap. The future goal is to update the baseline image and fix all workstations by removing Skype.
The second customer had a similar situation, but was on a classified network and found they had OneNote installed. Oops! They also fixed it by running scans, uploading them to create up-to-date checklists, and tracking compliance across all 50+ Windows workstations, then getting GPO lockdowns in place immediately. The future goal again is to update the baseline and get all workstations reconfigured without OneNote.
Imagine if an assessor had found this and called them out on it. Trust in their group's competence would become a little suspect.
Worse: imagine if a bug in software they did not know they needed to track and patch had caused a larger issue.
So how do you alleviate these issues? Below are four ways to do this today with OpenRMF Professional.
Option 1: Upload software listing / BOM and run missing checklist wizard
You can upload a list of hostname, software, version, and software type into your system package (ATO / accreditation package). Then go to the Hardware listing.
Select the devices/hostnames, then from the bulk selection menu choose "Run missing checklist wizard". The list of software for each selected hostname is matched to the available checklist templates to suggest any checklists you may be missing. Select the ones you wish to add, click the Add button, and they show up in your list of available checklists.
Your vulnerability counts by status and category are updated, and your POAM is updated as well. Now you can run SCAP scans, Audit Compliance scans, etc. and fill in the status for those checklists automatically. Edit the vulnerability data manually through the web or API, or use the bulk edit vulnerability feature to update en masse.
Use the remaining open vulnerabilities to find out how to harden your systems, or at least mitigate issues that may arise.
Option 2: Upload credentialed patch scan and run missing checklist wizard
In your system package, go to the Host Scan Data area and upload your raw patch scan result(s). Then go to the Hardware listing.
Just like in Option 1 above, select the devices/hostnames, then from the bulk selection menu choose "Run missing checklist wizard". The list of software found by the patch scans for each hostname is matched to the available checklist templates to suggest any you may be missing. Select the ones you wish to add, click the Add button, and they show up in your list of available checklists.
Your vulnerability counts by status and category are updated, and your POAM is updated as well. Now you can run SCAP scans, Audit Compliance scans, etc. and fill in the status for those checklists automatically. Edit the vulnerability data manually through the web or API, or use the bulk edit vulnerability feature to update en masse.
Use the remaining open vulnerabilities to find out how to harden your systems, or at least mitigate issues that may arise.
And yes, you can combine Option 1 and Option 2 (and Options 3 and 4 below) to make sure you cover all angles of your compliance for software and even your operating system.
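The matching that Options 1 and 2 describe, as an added example in Python (not OpenRMF Professional's own code): it takes a constructed software inventory in the BOM shape (hostname, software, version, type), matches each host's software against a constructed catalogue of checklist templates, and reports the templates for which the host has no checklist yet. The template names, match patterns and existing-checklist data are assumptions, not real catalogue entries.

```python
"""Added example, not OpenRMF Professional code: a minimal version of the
matching Options 1 and 2 describe, over constructed (not real) sample data."""
import csv
import io
import re
from collections import defaultdict

# Constructed inventory shaped like the BOM upload (hostname, software,
# version, type). Option 2 would derive the same rows from a patch scan.
INVENTORY_CSV = """hostname,software,version,type
WS-001,Microsoft Windows 10,22H2,OS
WS-001,Skype for Business 2016,16.0,Application
WS-001,Google Chrome,118,Application
WS-002,Microsoft Windows 10,22H2,OS
WS-002,Skype for Business 2016,16.0,Application
WS-002,Microsoft OneNote 2016,16.0,Application
"""

# Constructed template catalogue: case-insensitive regex on the software
# name -> checklist template it implies (template names are assumptions).
TEMPLATES = [
    (r"windows 10", "Windows 10 STIG"),
    (r"skype for business 2016", "Skype for Business 2016 STIG"),
    (r"onenote 2016", "Office 2016 OneNote STIG"),
    (r"chrome", "Google Chrome STIG"),
]

# Constructed view of the checklists already in the system package.
EXISTING = {"WS-001": {"Windows 10 STIG", "Google Chrome STIG"},
            "WS-002": {"Windows 10 STIG"}}

def suggest_templates(inventory_csv):
    """Map each host to the set of templates its installed software implies."""
    suggested = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        for pattern, template in TEMPLATES:
            if re.search(pattern, row["software"], re.IGNORECASE):
                suggested[row["hostname"]].add(template)
    return dict(suggested)

def missing_checklists(inventory_csv, existing):
    """Templates implied by the inventory that have no checklist yet, per host."""
    gaps = {}
    for host, templates in suggest_templates(inventory_csv).items():
        missing = sorted(templates - existing.get(host, set()))
        if missing:
            gaps[host] = missing
    return gaps
```

Calling missing_checklists(INVENTORY_CSV, EXISTING) on the sample data reports the Skype checklist missing on both hosts and the OneNote checklist missing on WS-002, the kind of gap the two customer stories above describe.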
Option 3: Run the Applicability Wizard and choose checklists that you need
This method relies on you knowing your devices and commercial software, as well as any custom software, in your accreditation package.
From within your system package, go to the Checklists menu. Then choose the Checklist Applicability Wizard. Enter a hostname, then proceed through each screen with the Next button.
On the OS, Device, Applications, and Custom screens of the wizard you can choose the type of checklists to list, then click the appropriate button near the top to load them. Click the Add button to add a checklist to the required list.
When done, click the Create button on the Summary screen. All required checklists are then created within your system package.
Your vulnerability counts by status and category are updated, and your POAM is updated as well. Now you can run SCAP scans, Audit Compliance scans, etc. and fill in the status for those checklists automatically. Edit the vulnerability data manually through the web or API, or use the bulk edit vulnerability feature to update en masse.
Use the remaining open vulnerabilities to find out how to harden your systems, or at least mitigate issues that may arise.
Option 4: Create Checklists from Templates
This final option is a manual version of Option 3 above. Again, this method relies on you knowing your devices and commercial software, as well as any custom software, in your accreditation package.
From within your system package, go to the Checklists menu. Then choose the Create Checklist from Template option. Choose the type of templates you wish to list and then click the List Templates button.
Select the templates on the screen you wish to use, then click the Create Checklists button. On the next screen you can specify hostname, asset type, IP, and other information. Then click the Save Changes button.
Your new checklists are created with all the relevant information entered.
Your vulnerability counts by status and category are updated, and your POAM is updated as well. Now you can run SCAP scans, Audit Compliance scans, etc. and fill in the status for those checklists automatically. Edit the vulnerability data manually through the web or API, or use the bulk edit vulnerability feature to update en masse.
And again, use the remaining open vulnerabilities to find out how to harden your systems, or at least mitigate issues that may arise.
Next Steps: See For Yourself
This is just a glimpse into one of the many features teams like yours are leveraging toward automating their accreditations with OpenRMF Professional.
Evaluate OpenRMF Professional for yourself and see how it helps you and your team perform assessments better with a known-good, structured RMF process, and track the where, who, why, how, and history behind your RMF package's evolution.
You can achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators and documentation specialists.
You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.
We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, and YouTube videos, or even schedule a demo or a quick conversation about your use cases and questions.
You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.
Get them OpenRMF Professional.