Upgrading your DISA STIG Checklists to the new Numbering Structure

Dale Bingham
5 min read · Dec 24, 2020

DISA went ahead and finally made new STIG checklists and SCAP scan benchmarks with new Group IDs and Rule IDs. And of course you have to upgrade the older checklists as the newer ones come out. BUT the Vulnerability IDs and Rule IDs in the newer checklists don’t match up one-for-one with the old checklists! So how do you update them to the new checklist version correctly? WTF!?!? Enter OpenRMF.

What is OpenRMF, and why is it FREE!?

OpenRMF is Open Source Software (OSS) that lets you collaborate on, manage, report, and track your checklists, patch scans, and open items for your Risk Management Framework (RMF) process. It does not do the scans for you. It lets you import SCAP scans to auto-generate checklists. It allows importing ACAS (Nessus) scans to track your patch status. And it lets you import STIG Checklists you can create and manage with the (nasty) DISA STIGViewer Java application. And OpenRMF lets you update the vulnerabilities and status live right through the web interface! Check the links I just gave you for more information.

OpenRMF is free to download, set up and run with Docker Compose. Or you can use the Helm 3 chart to run it inside a Kubernetes platform. Our friends at NIWC also set it up in Red Hat OpenShift 3.11, so it works there too. Go read up and check it out!

OpenRMF OSS available at https://www.openrmf.io/

How does it Upgrade older Checklists?

Behind the scenes, OpenRMF keeps the newer templates, taken from the public DISA STIG releases, in its database and matches them to the type of checklist you upload and view. Each time you open a checklist in OpenRMF to view its vulnerabilities and score (number of open items, not a finding, etc.) we check whether a version or revision update of that checklist is available. If there is one, we tell you and give you an “Upgrade Checklist” button. If you press it, behind the scenes it updates your checklist and saves the new one in the newer format. And it does this while preserving your older data.

For older checklists, this is a great feature as it just tracks old to new and updates vulnerability information. For newer checklists where the IDs are totally renumbered, it is a LIFE SAVER!

How does it do this? First it carries over the general information about your checklist and system, such as domain name, host name, IP, etc. Then it matches on the Rule Version / STIG ID, which stays the same even when the Vulnerability IDs and Rule IDs are renumbered. It does a one-for-one update: for each STIG ID it pulls in the status, comments, finding details, severity override, and severity override justification, if any data is in there. No copy & paste, it does the copying for you automatically and correctly! Then it saves that new checklist into the database within OpenRMF and refreshes the page. Voila!! And it only takes a matter of seconds per checklist.
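To make that matching concrete, here is an added Python example (an illustration for this post, not the OpenRMF project's own code). It does the same one-for-one carry-over on two constructed minimal CKL files keyed on the CKL Rule_Ver attribute (the STIG ID), keeps the old ASSET block, and also reports the STIG IDs DISA added or removed between versions. The V- numbers and STIG IDs in the sample are made up, and the CKL element names are assumed from the DISA checklist XML layout.

```python
# Added example, not OpenRMF's code: migrate old-numbering CKL findings into a renumbered template by Rule_Ver (STIG ID).
import xml.etree.ElementTree as ET
CARRIED = ("STATUS", "FINDING_DETAILS", "COMMENTS", "SEVERITY_OVERRIDE", "SEVERITY_JUSTIFICATION")

def vuln_attr(vuln, name):
    """ATTRIBUTE_DATA of the STIG_DATA pair whose VULN_ATTRIBUTE is `name`."""
    for sd in vuln.findall("STIG_DATA"):
        if sd.findtext("VULN_ATTRIBUTE") == name:
            return sd.findtext("ATTRIBUTE_DATA", "")
    return ""

def upgrade_ckl(old_xml, template_xml):
    """Return (upgraded CKL xml, STIG IDs new in the template, STIG IDs dropped)."""
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(template_xml)
    new_root.remove(new_root.find("ASSET"))     # template ASSET is empty: keep the
    new_root.insert(0, old_root.find("ASSET"))  # old host/domain/IP block instead
    old_by_stigid = {vuln_attr(v, "Rule_Ver"): v for v in old_root.iter("VULN")}
    added, matched = [], set()
    for v in new_root.iter("VULN"):
        stig_id = vuln_attr(v, "Rule_Ver")
        if stig_id not in old_by_stigid:        # new in this release: stays Not_Reviewed
            added.append(stig_id)
        else:
            matched.add(stig_id)
            for tag in CARRIED:                 # the five fields copied one-for-one
                v.find(tag).text = old_by_stigid[stig_id].findtext(tag, "")
    dropped = sorted(set(old_by_stigid) - matched)  # gotcha #2: removed by DISA
    return ET.tostring(new_root, encoding="unicode"), added, dropped

def make_ckl(host, rows):
    """Constructed minimal CKL; each row is (Vuln_Num, Rule_Ver, *CARRIED values)."""
    sd = "<STIG_DATA><VULN_ATTRIBUTE>{}</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{}</ATTRIBUTE_DATA></STIG_DATA>"
    vulns = "".join("<VULN>" + sd.format("Vuln_Num", r[0]) + sd.format("Rule_Ver", r[1]) +
                    "".join(f"<{t}>{x}</{t}>" for t, x in zip(CARRIED, r[2:])) + "</VULN>" for r in rows)
    return f"<CHECKLIST><ASSET><HOST_NAME>{host}</HOST_NAME></ASSET><STIGS><iSTIG>{vulns}</iSTIG></STIGS></CHECKLIST>"

# Constructed sample: old V- numbers in OLD, the renumbered template in TEMPLATE.
OLD = make_ckl("srv01", [("V-1001", "EX-00-000005", "NotAFinding", "checked", "ok", "", ""),
                         ("V-1002", "EX-00-000010", "Open", "TPM off", "fix Q1", "medium", "waived"),
                         ("V-1099", "EX-00-000099", "Open", "", "", "", "")])     # removed by DISA
TEMPLATE = make_ckl("", [("V-2201", "EX-00-000005", "Not_Reviewed", "", "", "", ""),
                         ("V-2202", "EX-00-000010", "Not_Reviewed", "", "", "", ""),
                         ("V-2203", "EX-00-000015", "Not_Reviewed", "", "", "", "")])  # added by DISA

def run_sample():
    upgraded, added, dropped = upgrade_ckl(OLD, TEMPLATE)
    root = ET.fromstring(upgraded)
    by_vuln = {vuln_attr(v, "Vuln_Num"): (v.findtext("STATUS"), v.findtext("SEVERITY_OVERRIDE"))
               for v in root.iter("VULN")}
    return root.findtext("ASSET/HOST_NAME"), by_vuln, added, dropped
```

Anything in the `added` list is a vulnerability nobody has assessed yet, and anything in `dropped` is data you should keep a copy of before you trust the new checklist.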

You will see this new numbering on a few of the newer checklist versions such as Windows 10, Windows Server 2012/2016, Outlook, Application Security and Development, and a few others. Not every single checklist has a new version with new numbering. But that is coming, so be aware. And trust me — it will happen at the worst time for you! So make sure you have a tool that can automate that process for you.

Also note that usually, before you submit your RMF package with every checklist to your government representative, you have to make sure the checklists are using the latest version and revision. Don’t let them get you behind schedule! It is VERY PAINFUL to copy/paste your checklist data one vulnerability entry at a time for all 5 of those fields and remember to save your data correctly. Which is why we automated that process in this free tool.

DO NOT do this manually. Use the automation in this tool. It is free. Go get it.

What are the Gotchas?

  1. Well for one, if you are uploading a SCAP scan to match to a checklist template, you have to have the latest benchmarks with the right Group IDs and such, or the scans won’t match up to the right template. The benchmarks may or may not be the same revision as the checklist, but the data in them (STIG IDs, Vulnerability IDs, Rules, etc.) needs to match.
  2. Not all checklists, whether you are upgrading to a new release or the newer version, maintain the same EXACT Vulnerability IDs. Sometimes DISA will add a bunch of new vulnerabilities to the list to track. And other times they remove some. Just be aware and keep a copy of your old one as well to spot check your data.
  3. Make sure you have the latest STIG Viewer 2.11.
  4. Make sure your whole team (if you have one) knows you are upgrading the checklists so they do not overwrite them with an old one. A lot of people still email CKL files or have a shared folder. Another reason to get OpenRMF — a central repository source-of-truth for your checklists and scans!
  5. Test downloading and opening the CKL checklist files to be sure they open in that Java viewer. Not every government group has our tool. YET!
  6. Make sure your POA&M, Risk Assessment (if you have a separate one), reports, listings, and Open Item charts all use the correct new Vulnerability IDs or other Rule IDs if you use the checklists that have changed. Yes, it is a PITA, but you have to have all that documentation link up correctly. The RMF process is pretty involved, so make sure you double check that.

What’s Next?

Well glad you asked! We are working on our next major version of OpenRMF aimed at the agencies and companies asking us for improvements such as multi-tenancy (security per person per system), using tailored controls, ease of POAM generation and automation, more reporting, easier setup/installation, and a host of other innovative items to cut out all the manual processing that RMF makes us do.

That version should be out first quarter of 2021! So stay tuned to our website and Slack channel. We are currently finalizing the functionality and thoroughly testing the application security, installation, consistency and all the data it produces to make your cyber compliance easier.

And remember: Cyber Compliance automation is achievable — (Tutela Security)


Written by Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft
