Implement Continuous Monitoring with OpenRMF Professional

Dale Bingham
5 min readMar 6, 2023

You can use OpenRMF Professional to help implement 6 of the 11 security domains concerning Continuous Monitoring outlined in NIST 800–137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Here we showcase the main domains where our automation helps you and your team track ConMon proactively.

Continuous Monitoring, tracking, reporting, and dashboards in OpenRMF Professional

Security Automation Domains to Track

These are the security domains pertaining to NIST 800–137 that OpenRMF Professional helps you track in an automated fashion. This cuts down on manual tasks. Allows you and your team to make informed decisions. And enables active cyber hygiene on the way to proactive cyber security across your network.

Vulnerability and Patch Management:

For these domains, OpenRMF Professional takes in all types of scan data to show a full picture of your vulnerabilities and status. Whether it is SCAP scans, audit compliance scans, patch vulnerability scans or even software and container scans — ingest that data into our solution for your ATO or accreditation package and see a consolidated view of your data through a single pane of glass.

Then track trends over time, update manual checks, and generate compliance quickly and easily over time. Export checklists, reports, charts, graphs, and other data for your data calls and programs of record input.

Asset Management:

In this security domain, OpenRMF Professional can help pull out your hardware listing and software listing automatically from your credentialed scans. We also have areas to ingest lists of other hardware and software, or allow you to enrich the data with other information for a seamless view of assets.

Use this as your defined asset listing, or export from your other asset management and import here to track the specific RMF or FedRAMP compliance against those assets and accreditation boundaries.

Configuration Management:

Using your SCAP, audit compliance, Evaluate-STIG, OpenSCAP or other applications you can quickly upload and track configuration of all your assets through the scans you already are doing.

Automatically track changes and updates over time historically, and see how that data affects and impacts your compliance as well. And link to the live POAM to track impacts, changes, mitigations, and overall risk as well.

Track compliance and configuration as well as open vulnerabilities from scans and compliance checklists

Network Management:

For network management, OpenRMF Professional automate pulls from your credentialed scans the hardware listing, software listing, as well as the ports / protocols / services used across your devices.

Using this information, you can track vulnerabilities as mentioned above. You also can see the ports and protocols open on your devices, specify what boundaries they cross, and know what software is running on those devices.

Changes in any of the network devices or ports/protocols/services posture can actively show you areas to investigate or tighten security.

Automatically pull PPSM data from your credentialed scans, to know what is running where on your network

License Management:

Our solution helps in this area based on the software scans, software uploads, and other automated scans. This helps show what software you have in your accreditation, what software you are using to build your applications, and easily search and track that information for vulnerabilities as well as licenses required.

Other Applications in your ConMon Suite of Tools

Along with the items above, you also need to track the below security domains. There are several great applications and solutions out there now to help with this. And here at Soteria Software, we have a couple value added resellers (VARs) actively working to integrate OpenRMF Professional with these other suite of tools into a cohesive solution to cover every area of ConMon for you.

As those integration solutions become available, we will showcase those as well. Until then, please see the notes below on adding to your suite of Continuous Monitoring toolset. This is not an endorsement of these products. It is to show examples of other tools you can use in your suite of ConMon products for a full solution.

Event and Incident Management (SIEM):

There are plenty of applications in this area such as Splunk, ServiceNow and Elastic Stack. They can pull in all sorts of logs and event information, correlate them and have a single place to track that information.

Malware Detection:

For this type of application, you want something that can help detect viruses and spyware on your computers and devices. You also want to have it check any entry point and exit point on your network for web applications, firewall, VPC, and mobile devices as well.

Information Management:

This domain covers all your digital information stored in every location you have for your organization. It involves tracking the data, access control, data loss prevention, intrusion detection and prevention as well as traffic monitors. This can involved policy, procedure, ACLs, and checks across a multitude of applications on premise and cloud based.

Software Assurance:

The last domain mentioned here is not the least important one at all. Software assurance ensures you have a planned, repeatable way to make sure your products conform to requirements and security for trustworthiness as well as predictable execution.

You can do this with testing, static scanning, dynamic scanning, and tracking CVEs and other issues on software applications you use and you employ in your software development cycles. OpenRMF Professional can help showcase the vulnerabilities in this domain by reading in the scans. There is a lot more to this area than just that, though.

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time, money and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.

--

--

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft