OpenRMF Professional v2.6 Released, API Included!

Dale Bingham
Oct 15, 2021


Yesterday we released the latest version of OpenRMF Professional, version 2.6. The main feature: our OpenRMF Professional API. This is used for integration with other applications, automated ingestion of SCAP, Checklist, and Nessus data as well as pulling out vulnerability summary information, checklists, system ATO package information, and other lists from your system package. This is the #1 request from customers since we came out of stealth mode earlier this year. And now it is available!

OpenRMF Professional v2.6 — Cyber Compliance Automation

Using the API for SCAP and Checklists

The OpenRMF Professional API lets you further automate several of the processes around RMF and FedRAMP. The most requested one: automating the ingest of SCAP scans, Nessus/ACAS scans and Checklist files created for STIG and vulnerability tracking. Using the OpenRMF Professional API, you can do that at the system package level as well as the team subpackage level.

A curl example is below to paint the picture. You need an API Integration key created in OpenRMF Professional, a token for authentication, the file to upload, the URL of your installation, and the system key from your system ATO package. With those in hand you can automate your scan, for example with the SCC tool or OpenSCAP, and then have the next step of your script post the results to OpenRMF Professional. All automated! One caveat worth building in from the start: a bearer token passed with -H on the command line is visible in shell history and, while curl runs, to other local users through the process list, and the applicationKey travels in the URL query string, where web-server and proxy logs will record it. Keep the token off the command line (curl can read headers from a config file or stdin) and treat those logs as sensitive. We will have a public repo soon in GitHub with example code for curl, dotnet core, Golang, and other languages as we move along.

curl -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer {TOKEN-Generated}" \
  -F "checklistFile=@./{Filename for SCAP XCCDF or CKL}" \
  "https://{OpenRMF-URL}/api/external/systempackage/SYSTEMKEY/scapchecklist/?applicationKey=APIKEY"

All the other automation already included in OpenRMF Professional still happens when you automate the ingest of these types of files. You just don’t have to log in, click a few times, and then upload the files. You can automate that for a more continuous process that saves you time. And this keeps your information as up-to-date as possible!

Below are all the processes that are kicked off when you upload a SCAP or Checklist file:

  • Matching the SCAP result to its Checklist (SCAP files only)
  • Saving the data
  • Calculating the Checklist Score — Vulnerability numbers
  • Updating the overall System Package Checklist Score
  • If an update, creating a historical record of the checklist
  • Automated updating of your POAM if created inside the system package
  • Automated updating of report data for data calls, reports, exporting data

Using the API for Nessus/ACAS Data

In the same manner, you can automate ingest of .nessus scan files with the API. This is the second most requested API call from customers. An example curl is below:

curl -X POST \
  -H "Accept: application/json" \
  -H "Authorization: Bearer {TOKEN-Generated}" \
  -F "patchscanFile=@./{Filename of patch scan}.nessus" \
  "https://{OpenRMF-URL}/api/external/systempackage/SYSTEMKEY/patchscan/?applicationKey=APIKEY"

Again: all the automation inside OpenRMF Professional still happens when you automate the ingest of these files. You just don't have to log in, click a few times, and then upload them. You can automate that for a more continuous process that saves you time and keeps your information as up to date as possible!
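As an added example, and not OpenRMF Professional's own tooling or anything from its automation repo, the POSIX shell script below turns the two curl one-liners above (the SCAP/Checklist upload and the Nessus/ACAS upload) into one reusable pipeline step. It reads the bearer token and API Integration key from environment variables and hands them to curl through a config on stdin, so the token never appears in shell history or the process list; it refuses to talk to a non-HTTPS URL; it picks the route and form field from the file extension; and it fails the step on an HTTP error. The variable names OPENRMF_URL, OPENRMF_TOKEN, OPENRMF_API_KEY and DRY_RUN, the function names, the mapping of .ckl/.xml to scapchecklist and .nessus to patchscan, and the assumption that a successful ingest returns a 2xx status are all mine, not something the post states.

```shell
#!/bin/sh
# Added example, not OpenRMF Professional's own tooling: one reusable upload
# step for a scan pipeline, built from the two curl calls shown in the post.
#
# What it does differently from the one-liners:
#   * reads the bearer token and API Integration key from the environment and
#     feeds them to curl through a config file on stdin (`curl --config -`), so
#     neither appears in shell history or in `ps` output while curl runs;
#   * refuses to send the token to anything but an https:// URL;
#   * picks the route and form field from the file extension, so the same
#     step handles SCAP/CKL checklists and .nessus patch scans;
#   * uses curl's --fail so an HTTP error status fails the pipeline step.
#
# Assumptions (mine, not from the post): the variable names OPENRMF_URL,
# OPENRMF_TOKEN, OPENRMF_API_KEY and DRY_RUN, the function names, the mapping
# of .ckl/.xml to scapchecklist and .nessus to patchscan, and that a
# successful ingest answers with a 2xx status.
#
# Usage:  OPENRMF_URL=https://rmf.example OPENRMF_TOKEN=... OPENRMF_API_KEY=... \
#         sh openrmf_upload.sh SYSTEMKEY results.xml host.ckl patches.nessus
# Set DRY_RUN=1 to print the curl config instead of sending anything.
set -eu

# Print "<form field> <route>" for a results file, or fail on an unknown type.
openrmf_route() {
    case "$1" in
        *.nessus)                  echo "patchscanFile patchscan" ;;
        *.ckl|*.CKL|*.xml|*.XML)   echo "checklistFile scapchecklist" ;;
        *) echo "unsupported results file: $1" >&2; return 1 ;;
    esac
}

# Build <base>/api/external/systempackage/<system>/<route>/?applicationKey=<key>
openrmf_url() {
    base=${1%/}   # drop a trailing slash so we never emit '//api'
    echo "${base}/api/external/systempackage/$2/$3/?applicationKey=$4"
}

# Emit a curl config, one option per line, equivalent to the -X/-H/-F flags
# in the post, with the secret-bearing header kept off the command line.
openrmf_curl_config() {   # $1 = file, $2 = url, $3 = form field
    printf 'request = POST\n'
    printf 'url = "%s"\n' "$2"
    printf 'header = "Accept: application/json"\n'
    printf 'header = "Authorization: Bearer %s"\n' "$OPENRMF_TOKEN"
    printf 'form = "%s=@%s"\n' "$3" "$1"
    printf 'fail\nsilent\nshow-error\n'
    printf 'write-out = "\\nHTTP %%{http_code}\\n"\n'
}

# Upload one results file to the given system package.
openrmf_upload() {   # $1 = file, $2 = system key
    : "${OPENRMF_URL:?set OPENRMF_URL}" "${OPENRMF_TOKEN:?set OPENRMF_TOKEN}" \
      "${OPENRMF_API_KEY:?set OPENRMF_API_KEY}"
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    case "$OPENRMF_URL" in
        https://*) ;;
        *) echo "refusing to send a bearer token over non-HTTPS URL $OPENRMF_URL" >&2; return 1 ;;
    esac
    route_line=$(openrmf_route "$1") || return 1
    field=${route_line% *}
    route=${route_line#* }
    url=$(openrmf_url "$OPENRMF_URL" "$2" "$route" "$OPENRMF_API_KEY")
    if [ -n "${DRY_RUN:-}" ]; then
        openrmf_curl_config "$1" "$url" "$field"
        return 0
    fi
    openrmf_curl_config "$1" "$url" "$field" | curl --config -
}

main() {
    system_key=$1; shift
    for f in "$@"; do
        echo "uploading $f to system package $system_key" >&2
        openrmf_upload "$f" "$system_key"
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

In a pipeline the step before this one is the scan itself, for example `oscap xccdf eval --profile <profile id> --results results.xml <datastream>`, after which `sh openrmf_upload.sh SYSTEMKEY results.xml` posts the XCCDF result. Note what the wrapper cannot fix: the applicationKey is part of the API's URL shape, so it still lands in any web-server or proxy access log between you and OpenRMF Professional; rotate it if those logs are exposed.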

Below are all the processes that are kicked off when you upload a Nessus/ACAS file:

  • Pulling out patch vulnerability data
  • Updating the patch score (total vulnerability count) of each individual device
  • Updating the patch score of the whole system package
  • Saving the device listing for the Hardware bill of materials
  • Saving the software listing for the Software bill of materials
  • Saving the ports, protocols and services (PPSM) that the scan observed actually running on those devices
  • Automated updating of your POAM if created inside the system package
  • Automated updating of report data for data calls, reports, exporting data

Other API Calls

The other API calls within OpenRMF Professional are listed below. We just highlighted the main ones being requested so far from customer feedback and requests. As we update OpenRMF Professional software further, the API listing will grow as well. And the integrations will grow along with it.

Update: View the OpenRMF Professional Automation public repo to see scripts and updated examples of using automation around the APIs for a more continuous ATO process as well as continuous monitoring.

Is there one you want/need but it is not on this list? Let us know!

  • Test Authentication
  • List System Package information and Checklists
  • Download a Checklist to CKL
  • Get the total System Package Checklist Vulnerability Score
  • Get the total System Package Patch Vulnerability Score
  • Download the Hardware List
  • Download the Software List
  • Download the PPSM List
  • Download the POAM List

Calculate the Cost Reduction in Time and $$$

Have you ever added up all the costs and lost time associated with manually tracking RMF and FedRAMP processes and data? We have. And it is A LOT! Which is what started us on this journey three years ago.

Try this: our Cyber Cost Reduction Calculator. It lets you plug in people's hourly rates and the hours spent updating SCAP scans and checklists, upgrading checklists, tracking vulnerability numbers, and correlating the vulnerability data with the RMF or FedRAMP controls you must comply with for your system package.

It then compares that to the time and money spent when using OpenRMF Professional. Any time someone asks for a price quote, based on the number of installations and number of system ATO packages to track, we have them compare the quote to that number to show the savings and ROI, even counting the time spent learning a new system through our training program or on their own. The ROI is usually 2 to 3 months.

And do not worry: the calculator is purely JavaScript running in the client. There is no reach back to us and no saving of your data. This is for YOU to take a hard look at money and time, and figure out how to save both while having your teams concentrate on the value-added work of cyber security!

Try the Evaluation on Your Own Network

You can register and download your own copy of this software. Pull down an OVA to quickly spin up a Red Hat 7.9 or Ubuntu 20.04 virtual machine with the software already installed. Set a few IP parameters and get going in minutes. Or perform an installation on your own machine (server, VM, laptop, cloud machine) and have it use your own data.

We give you a 30-day full-featured evaluation license to test everything we have been talking about and showing groups just like yours. And it does NOT reach back to us for anything. You install it on your own on-premises hardware or in your cloud VPC and run it with full security, auditing, and autonomy.

Get a Demo

You can also request a live demonstration of OpenRMF Professional to see for yourself. See how easy it is to add SCAP and CKL checklists, .nessus patch information, and in minutes have a full view of your entire system ATO package. We are happy to show the tool and chat on its use, scenarios, and how it may help you automate as much of this process as possible.

Automation. Less Stress. Time and Money Saved.

Check out OpenRMF Professional for yourself. See how it can help you automate tracking of vulnerabilities and compliance for your RMF or FedRAMP packages. See how you can reduce your stress level and increase your ability to make informed decisions based on data. And let it quicken your time to market for your ATO and help you maintain continuous monitoring and reporting. Without the painstaking manual processes that are long past their due date.

Your Automation Tool for RMF and FedRAMP workload is here. And its name is OpenRMF Professional!




Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
