OpenRMF Professional v2.5, now with Team Subpackages

Dale Bingham
5 min read · Aug 19, 2021

Have you ever wanted to take a large system ATO package and have specific teams review and fill out just their own checklists and patch information? Now you can. With the latest update to OpenRMF Professional, you can assign checklists and devices (hardware, software, and PPSM: ports, protocols, and services) to teams. Each team views and updates only its own data, all history and auditing is tracked, and the larger system package stays up to date as well. See below for the specifics.

Team Subpackage Listing for a System Package in OpenRMF Professional

Definition of a Team Subpackage

So what is a Team Subpackage? Think of it as a subset of a system ATO package: a smaller grouping of checklists and/or devices so that a team can edit its own data in OpenRMF Professional without seeing or editing any other team's data. Meanwhile, the automation that opens and closes vulnerabilities still flows through to the larger system ATO package's compliance, POA&M, and other items.

Team Subpackages separate a larger system package into smaller subsets so that teams can review and edit their specific data. They also group the hardware list, software list, ports/protocols/services listing, and the patch score history of those devices into subsets of the larger system package.

Actions taken in a Team Subpackage also generate notifications to other team members and to the users of the larger system ATO package. The idea is to let each team manage and edit its own checklists and patch information easily, using OpenRMF Professional's automation, editing, upload, auditing, tracking, and history, while everyone works from the same source of truth for RMF and FedRAMP tracking.
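To make the scoping concrete, here is a small Python model of the Team Subpackage idea. This is an added example, not OpenRMF Professional's own code: a system package holds per-host checklists, a subpackage is a subset of those hosts assigned to one team, every read and write is checked against that subset (deny by default), every write lands in an audit trail, and the package-wide open-finding count is computed over all hosts so a team's edits show up at the system level without the team seeing other teams' data. All class, method and field names, and the sample hosts and vulnerability IDs, are hypothetical.

```python
"""Added example, not OpenRMF Professional code: a minimal model of a
Team Subpackage as a team-scoped subset of a system ATO package.
Names, hosts and vulnerability IDs below are hypothetical."""
from dataclasses import dataclass, field

# CKL-style status values used for each vulnerability in a checklist
OPEN, NOT_A_FINDING, NOT_APPLICABLE, NOT_REVIEWED = (
    "Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")


@dataclass
class Checklist:
    host: str
    vulns: dict            # vuln_id -> status


@dataclass
class SystemPackage:
    name: str
    checklists: dict = field(default_factory=dict)   # host -> Checklist
    subpackages: dict = field(default_factory=dict)  # team -> set of hosts
    audit: list = field(default_factory=list)        # append-only change log

    def create_subpackage(self, team, hosts):
        """Assign a subset of this package's hosts to a team."""
        unknown = set(hosts) - set(self.checklists)
        if unknown:
            raise ValueError(f"hosts not in package: {sorted(unknown)}")
        self.subpackages[team] = set(hosts)

    def _authorized(self, team, host):
        # Deny by default: the team must own a subpackage containing the host.
        return host in self.subpackages.get(team, set())

    def view(self, team, host):
        """Return a team's view of one checklist, or refuse."""
        if not self._authorized(team, host):
            raise PermissionError(f"team {team!r} may not view {host!r}")
        return dict(self.checklists[host].vulns)   # copy, not the live dict

    def set_status(self, team, user, host, vuln_id, status):
        """Change one vulnerability status on behalf of a team member."""
        if not self._authorized(team, host):
            raise PermissionError(f"team {team!r} may not edit {host!r}")
        checklist = self.checklists[host]
        old = checklist.vulns[vuln_id]
        checklist.vulns[vuln_id] = status
        self.audit.append({"user": user, "team": team, "host": host,
                           "vuln": vuln_id, "old": old, "new": status})

    def open_findings(self, team=None):
        """Count Open findings for one team's subpackage, or package-wide."""
        hosts = self.subpackages[team] if team else self.checklists.keys()
        return sum(1 for h in hosts
                   for status in self.checklists[h].vulns.values()
                   if status == OPEN)


def build_demo():
    """Constructed sample package: two hosts, two teams (hypothetical data)."""
    pkg = SystemPackage("Infrastructure ATO package")
    pkg.checklists["web01"] = Checklist("web01", {"V-1001": OPEN, "V-1002": OPEN})
    pkg.checklists["db01"] = Checklist("db01", {"V-2001": OPEN, "V-2002": NOT_A_FINDING})
    pkg.create_subpackage("windows", ["web01"])
    pkg.create_subpackage("dba", ["db01"])
    return pkg


if __name__ == "__main__":
    pkg = build_demo()
    print("package-wide open findings:", pkg.open_findings())       # 3
    pkg.set_status("dba", "alice", "db01", "V-2001", NOT_A_FINDING)
    print("after the DBA team closes V-2001:", pkg.open_findings())  # 2
    print("audit trail:", pkg.audit)
    try:
        pkg.view("dba", "web01")
    except PermissionError as err:
        print("blocked:", err)
```

The two properties worth checking in any real implementation are the ones the model makes explicit: authorization is deny-by-default on the subpackage membership, so a team with no subpackage sees nothing, and the package-wide count is derived from the same checklists the teams edit, so there is no second copy of the data to drift out of sync.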

A listing of Team Subpackages that you have access to upon login to OpenRMF Professional.

Where You Would Use Them

Here are a couple of examples of where and why you would use Team Subpackages. Read them, then see how the same concepts apply to your own system packages and process.

Example 1: Imagine a system package containing a large group of Windows servers, along with database servers, application servers, web servers, network devices, and workstations. You want people to keep their information up to date in this web-based system, but you do not want them to view or edit data that is not their own.

Team Subpackages to the rescue! Create a subpackage for the network team, one for the Windows administration team, one for the DBAs, and one for each application team. You could even give a major application its own Team Subpackage and have that team keep the Application Security and Development STIG checklists updated. All their edits are tracked for history and auditing, and every change is reflected in the larger system ATO package for reports, POA&M entry tracking, and compliance generation.

No more emailing CSV, XLSX, and CKL files back and forth. No more PDF reports sent around. No more “you edited an old checklist, please use this one” conversations. Use the power and ease of OpenRMF Professional instead.

Example 2: You have an infrastructure system ATO package containing Linux servers, Windows servers, network devices, and storage devices. Create Team Subpackages for the Linux team, the Windows team, and the network and storage team. Each team can then upload its own .nessus patch data and SCAP scan results and keep the system ATO package up to date.

This works well for continuous monitoring too: teams keep their own information current, and the system ATO package level stays informed of open vulnerabilities and changes in status.

Other Updates in OpenRMF Professional v2.5

There were a few other updates in this release. Editing vulnerabilities in checklists is easier. Our goal is to get you to your information in as few clicks as possible, so now you click a vulnerability in the checklist and a form opens immediately to the right showing all of its information. If you have the right permissions, you can edit and save the changes right there.

Editing Vulnerabilities easier in OpenRMF Professional v2.5

We also added a way to specify the type of software and its approval ID/number in your software listing, so you can record whether an entry is OS software, a device or support driver, or an actual application in use. Changes to the software list are tracked for history and configuration management, just like the rest of the data in the application.

And we added an export of the Patch Vulnerability Score (the number of critical, high, medium, and low patch vulnerabilities) to MS Excel for use outside the system.
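For readers who want to see where such a score comes from, here is an added example (not OpenRMF Professional's own code) that computes critical/high/medium/low counts per host and in total from a .nessus v2 file and writes them to CSV, which Excel opens directly. It relies only on the public .nessus v2 layout (NessusClientData_v2 > Report > ReportHost > ReportItem, with a numeric severity attribute where 4 is Critical, 3 High, 2 Medium, 1 Low and 0 Informational). The embedded XML is a constructed sample, not real scanner output, and the host names and plugin IDs in it are made up.

```python
"""Added example, not OpenRMF Professional code: derive a patch
vulnerability score (critical/high/medium/low counts) from a .nessus v2
file. SAMPLE_NESSUS is constructed for this example; hosts and plugin
IDs in it are not real."""
import csv
import io
import xml.etree.ElementTree as ET

# .nessus v2 severity attribute -> score bucket; "0" (informational) is not scored
SEVERITY = {"4": "critical", "3": "high", "2": "medium", "1": "low"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed sample">
  <ReportHost name="web01">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001" pluginName="Missing SMB security update"/>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2" pluginID="900002" pluginName="Weak TLS cipher suites"/>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
  </ReportHost>
  <ReportHost name="db01">
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="3" pluginID="900003" pluginName="Missing database patch"/>
   <ReportItem port="3389" svc_name="msrdp" protocol="tcp" severity="1" pluginID="900004" pluginName="RDP service detected"/>
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="3" pluginID="900005" pluginName="Missing database patch (second)"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def score_nessus(xml_text):
    """Return {host: {critical, high, medium, low}} with a final "TOTAL" row.

    Scan files are untrusted input even when the scanner is yours; for
    production use parse with defusedxml.ElementTree instead of the stdlib
    parser so entity-expansion tricks in a crafted file are rejected.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError(f"not a .nessus v2 file: root element is {root.tag!r}")
    scores = {}
    for host in root.iter("ReportHost"):
        counts = dict.fromkeys(SEVERITY.values(), 0)
        for item in host.findall("ReportItem"):
            bucket = SEVERITY.get(item.get("severity", "0"))
            if bucket:                      # skip informational items
                counts[bucket] += 1
        scores[host.get("name")] = counts
    total = dict.fromkeys(SEVERITY.values(), 0)
    for counts in scores.values():
        for bucket, n in counts.items():
            total[bucket] += n
    scores["TOTAL"] = total
    return scores


def to_csv(scores):
    """Render the score table as CSV text (one row per host, then TOTAL)."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["host", "critical", "high", "medium", "low"])
    for host, c in scores.items():
        writer.writerow([host, c["critical"], c["high"], c["medium"], c["low"]])
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(score_nessus(SAMPLE_NESSUS)))
```

Two details matter when reconciling such a count with what a tool shows you: informational (severity 0) items are excluded, and each ReportItem is counted once per host and port, so the same plugin hitting two ports on one host counts twice unless you deduplicate by plugin ID first.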

Try the Evaluation on Your Own Network

You can register and download your own copy of this software. Pull down an OVA to quickly spin up a Red Hat 7.9 or Ubuntu 20.04 virtual machine with the software already installed: set a few IP parameters and you are running in minutes. Or install it on your own machine (server, VM, laptop, or cloud instance) and use your own data.

We give you a 30-day, full-featured evaluation license to test everything described here. It does NOT reach back to us for anything: you install it on premises or in your own cloud VPC and run it with full security, auditing, and autonomy.

Get a Demo

You can also request a live demonstration of OpenRMF Professional to see for yourself. See how easy it is to add SCAP results, CKL checklists, and .nessus patch information, and within minutes have a full view of your entire system ATO package. We are happy to show the tool and talk through its use, scenarios, and how it may help you automate as much of this process as possible.

OpenRMF Professional v2.5 = More Automation. Less Stress. Time and Money Saved.

Check out OpenRMF Professional for yourself. See how it can help you automate tracking of vulnerabilities and compliance for your RMF or FedRAMP packages, reduce your stress level, and improve your ability to make informed, data-driven decisions. Let it shorten your time to ATO and help you maintain continuous monitoring and reporting without the painstaking manual processes that are long past their due date.

Your Automation for your RMF and FedRAMP work is here. And its name is OpenRMF Professional!


Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft