OpenRMF for Configuration Management of Your System Packages
Track changes in STIG Checklists, Patch Vulnerabilities, POA&M updates, Open Items and more with a single web-based application. OpenRMF is here to simplify your life!
Automatically Track Changes of STIG Checklist
Being able to show changes in vulnerabilities over time for their status, override, comments, and details has been a very big pain up until now. Keeping multiple copies of CKL files, putting files into a code repository like GitHub or GitLab, or even keeping checklists in folders named for dates (e.g. 2021–02–15) has been going on for well over a decade. And it is extremely manually intensive and error prone to do it that way.
Enter OpenRMF Professional! By using OpenRMF to manage, edit, track and report on your STIG Checklists, you gain an automatic configuration management repository for all your checklists: a single source of truth that also shows all changes and updates, when they happened, who made them, and how the open item count changed. All older checklists and their open item counts are saved for historical viewing and reporting.
The changes that OpenRMF tracks are listed below:
- changing the status, details, comments, or override of a vulnerability
- updating the metadata of the checklist, such as hostname, FQDN, Technology Area
- upgrading a checklist to a new version or release from DISA
- updating a checklist based on the latest SCAP scan
- uploading a totally new checklist CKL file to replace the current one
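The change log described above can be reproduced by diffing two checklist snapshots. The script below is an added example, not OpenRMF code: it parses two constructed CKL documents (a simplified version of the CKL XML layout, with hypothetical V-numbers and hostnames), reports every change in status, finding details, comments, severity override and asset metadata, and counts Open items by effective severity so the open item count can be compared between versions.

```python
"""Diff two STIG checklist (CKL) snapshots and report the tracked changes."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed CKL snapshots (simplified structure, hypothetical V-numbers):
# the same checklist for one host before and after a review session.
CKL_BEFORE = """<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME><HOST_FQDN>web01.example.test</HOST_FQDN></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><FINDING_DETAILS>TLS 1.0 enabled</FINDING_DETAILS>
      <COMMENTS></COMMENTS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS></COMMENTS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>"""

CKL_AFTER = """<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME><HOST_FQDN>web01.corp.example.test</HOST_FQDN></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS><FINDING_DETAILS>TLS 1.0 disabled on 2021-02-15</FINDING_DETAILS>
      <COMMENTS>Verified by ISSO</COMMENTS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-000002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><FINDING_DETAILS>Audit rule missing</FINDING_DETAILS>
      <COMMENTS></COMMENTS><SEVERITY_OVERRIDE>low</SEVERITY_OVERRIDE>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>"""

# Per-vulnerability fields whose changes are tracked between snapshots.
TRACKED_FIELDS = ("STATUS", "FINDING_DETAILS", "COMMENTS", "SEVERITY_OVERRIDE")


def parse_ckl(xml_text):
    """Return (asset_metadata, {vuln_id: {field: value}}) from CKL XML text."""
    root = ET.fromstring(xml_text)
    asset = {child.tag: (child.text or "").strip() for child in root.find("ASSET")}
    vulns = {}
    for vuln in root.iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): (sd.findtext("ATTRIBUTE_DATA") or "").strip()
                 for sd in vuln.findall("STIG_DATA")}
        record = {field: (vuln.findtext(field) or "").strip() for field in TRACKED_FIELDS}
        record["Severity"] = attrs.get("Severity", "")
        vulns[attrs["Vuln_Num"]] = record
    return asset, vulns


def diff_checklists(before_xml, after_xml):
    """List (scope, field, old, new) tuples for every tracked difference.

    Asset metadata changes use the scope "ASSET"; vulnerability changes use the V-number.
    A V-number present in only one snapshot is reported against empty values.
    """
    asset_a, vulns_a = parse_ckl(before_xml)
    asset_b, vulns_b = parse_ckl(after_xml)
    changes = []
    for field in sorted(set(asset_a) | set(asset_b)):
        if asset_a.get(field, "") != asset_b.get(field, ""):
            changes.append(("ASSET", field, asset_a.get(field, ""), asset_b.get(field, "")))
    for vid in sorted(set(vulns_a) | set(vulns_b)):
        old, new = vulns_a.get(vid, {}), vulns_b.get(vid, {})
        for field in TRACKED_FIELDS:
            if old.get(field, "") != new.get(field, ""):
                changes.append((vid, field, old.get(field, ""), new.get(field, "")))
    return changes


def open_counts(xml_text):
    """Count Open vulnerabilities by effective severity (an override replaces the STIG severity)."""
    _, vulns = parse_ckl(xml_text)
    counts = Counter()
    for rec in vulns.values():
        if rec["STATUS"] == "Open":
            counts[rec["SEVERITY_OVERRIDE"] or rec["Severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for scope, field, old, new in diff_checklists(CKL_BEFORE, CKL_AFTER):
        print(f"{scope:10} {field:18} {old!r} -> {new!r}")
    print("open before:", open_counts(CKL_BEFORE), "open after:", open_counts(CKL_AFTER))
```

Running it lists the FQDN change, the closure of V-000001 with its new details and comment, and the newly opened V-000002 with its override; the open count moves from one high to one low, which is exactly the kind of per-version history the article says is painful to keep by hand.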
Automatically Track Changes of ACAS Scans
A big priority in step 6 of the Risk Management Framework (RMF) is continuous monitoring, or “ConMon”. Patching systems, scanning for updates, and reporting on the progress and the work performed is another area where saving multiple reports, PDFs, and data by date is done for data calls and for showing proof of work and actions. And the folks that run the ACAS scanners do not always let others log in to their application. They only export the data for others to use however they see fit.
This is another area of configuration management where OpenRMF Professional can help easily! Upload the .nessus files into the application for your System Package and track the patch numbers for critical, high, medium, and low open items over time. Keep the data in the system to view the open items and see the issues and possible remedies. And report on the progress and show management or an assessor the work performed over time based on the report dates.
OpenRMF Professional makes it simple to manage ConMon in an easy-to-use web interface. Additionally, the data from these scans is used for generating a Software Asset list, Hardware Asset list, PPSM listing (ports, protocols, services) and more! OpenRMF capitalizes on the vast amount of intelligence from these scans and separates out the data for you to automatically use it for your needs.
Automatically Track Changes of POA&M Items
A third area for configuration management deals with your plan of action and milestones. This document tracks all open items across your patch vulnerability listing as well as your STIG checklists. Usually, this is a separate spreadsheet with columns from A to Z that lists every single open item, or item that was open at one time. It lists the source, device, whether it came from a checklist or patch vulnerability, severity, likelihood and a lot of other data for you to manage the risk of that item.
Keeping track of item status for every checklist and every patch vulnerability in every scan is a nightmare task to do by hand. For larger system packages, one person could spend most of their work day just making sure this is up to date!
This is another area where OpenRMF Professional and its automation engine can help you drastically. The application automatically generates the POA&M based on open items whenever you click the “Create” button on the POA&M. From that time on any item from a STIG Checklist or ACAS scan that creates a new open item or updates the status of an existing item in the POA&M is automatically added and tracked.
A SCAP scan shows closed items on the latest scan? The POA&M is automatically updated for the status to be Completed and the date filled in. And the older POA&M item entry is versioned and kept for historical purposes automatically.
An ACAS scan shows 5 patches that were opened are now no longer showing up? The POA&M is automatically updated for the status to be Completed and the date filled in. And the older POA&M item entry is versioned and kept for historical purposes automatically.
A STIG Checklist is upgraded to the latest version DISA put out? The POA&M is automatically updated if there are any new items on the checklist that come up “Not Reviewed”.
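The ConMon tracking from the ACAS section and the POA&M rules just described can be shown together on a small scan history. The code below is an added example, not OpenRMF's own automation engine: it builds three constructed .nessus documents (a minimal NessusClientData_v2 layout with placeholder plugin IDs), charts open items by severity per scan date, and reconciles a POA&M dictionary after each scan, opening entries for new findings, marking entries Completed with the scan date when a finding no longer shows up, versioning the old entry into a history list before any change, and reopening an entry if a previously completed finding comes back. Function names and the POA&M field layout are this example's own choices.

```python
"""Trend ACAS (.nessus) open items by severity and auto-maintain POA&M entries."""
import xml.etree.ElementTree as ET
from collections import Counter

# Nessus severity attribute: 4 critical, 3 high, 2 medium, 1 low; 0 is informational and not tracked.
SEVERITY_NAMES = {"4": "critical", "3": "high", "2": "medium", "1": "low"}


def nessus_scan(date, items):
    """Build a minimal constructed .nessus document (one ReportHost) for the demo."""
    report_items = "".join(
        f'<ReportItem pluginID="{pid}" pluginName="{name}" severity="{sev}" '
        f'port="{port}" protocol="tcp" svc_name="www"/>'
        for pid, name, sev, port in items)
    return (f'<NessusClientData_v2><Report name="scan-{date}">'
            f'<ReportHost name="web01">{report_items}</ReportHost></Report></NessusClientData_v2>')


# Constructed scan history; plugin IDs are placeholders, not real Nessus plugins.
SCANS = [
    ("2021-01-15", nessus_scan("2021-01-15", [("100001", "Outdated OpenSSL", "4", "443"),
                                              ("100002", "Weak cipher suites", "2", "443"),
                                              ("100003", "Server banner disclosure", "0", "80")])),
    ("2021-02-15", nessus_scan("2021-02-15", [("100002", "Weak cipher suites", "2", "443"),
                                              ("100004", "Missing HSTS header", "1", "443"),
                                              ("100003", "Server banner disclosure", "0", "80")])),
    # Third scan: the OpenSSL finding is back (regression) and the cipher finding is gone.
    ("2021-03-15", nessus_scan("2021-03-15", [("100001", "Outdated OpenSSL", "4", "443"),
                                              ("100004", "Missing HSTS header", "1", "443")])),
]


def open_findings(nessus_xml):
    """Return {(host, pluginID): (pluginName, severity_name)} for non-informational findings."""
    root = ET.fromstring(nessus_xml)
    findings = {}
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = SEVERITY_NAMES.get(item.get("severity"))
            if sev:
                findings[(host.get("name"), item.get("pluginID"))] = (item.get("pluginName"), sev)
    return findings


def severity_trend(scans):
    """List of (date, {severity: count}) so open patch items can be charted over time."""
    return [(date, dict(Counter(sev for _, sev in open_findings(xml).values())))
            for date, xml in scans]


def update_poam(poam, history, scan_date, nessus_xml):
    """Reconcile POA&M entries with the latest scan; old versions of changed entries go to history."""
    findings = open_findings(nessus_xml)
    for key, (name, sev) in findings.items():
        entry = poam.get(key)
        if entry is None:  # new open item: add it to the POA&M
            poam[key] = {"source": "ACAS", "title": name, "severity": sev,
                         "status": "Ongoing", "opened": scan_date, "completed": None}
        elif entry["status"] == "Completed":  # finding came back: version, then reopen
            history.append(dict(entry))
            entry.update(status="Ongoing", opened=scan_date, completed=None)
    for key, entry in poam.items():
        if key not in findings and entry["status"] == "Ongoing":  # no longer reported: close it
            history.append(dict(entry))
            entry.update(status="Completed", completed=scan_date)
    return poam


def run_conmon(scans):
    """Replay the scan history in order and return the final POA&M and its version history."""
    poam, history = {}, []
    for date, xml in scans:
        update_poam(poam, history, date, xml)
    return poam, history


if __name__ == "__main__":
    for date, counts in severity_trend(SCANS):
        print(date, counts)
    final_poam, versions = run_conmon(SCANS)
    for key, entry in final_poam.items():
        print(key, entry["status"], "opened", entry["opened"], "completed", entry["completed"])
    print(len(versions), "archived POA&M versions")
```

The same reconciliation loop applies to checklist-derived items: a closed STATUS in the latest CKL completes the entry, and a checklist upgrade that introduces new Not_Reviewed items adds entries. Keeping the superseded version of each entry, rather than overwriting it, is what makes the history defensible when an assessor asks when and why an item was closed.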
The automation around the POA&M is a great feature of OpenRMF Professional and a welcome time saver! And it improves the accuracy and trust in your system package across the team, management, and for the assessor and government representatives reviewing your information.
OpenRMF Professional = Cyber Compliance Automation
Companies, agencies, and organizations use OpenRMF Professional software as a way to automate much of the RMF process, decreasing the time to an ATO by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning the DISA controls, checklists and patch scans, and then manages all information in a secure central database structure. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF reports.
Having a web-based central repository for all RMF data, with role-based security for each system, eases the RMF process using a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also provides leadership with direct insight into the status of all system security and risk information, eliminating the mystery around implementing the RMF process.
Once an ATO is achieved, OpenRMF provides the ability to continuously monitor and track POA&M items and the overall risk health of systems and applications, and to track updated scans and checklists throughout the life of the system.
Want a demonstration or an evaluation copy to see for yourself? See how at the OpenRMF Professional website. We are looking forward to showing you how you can simplify your RMF life!