Use a Crawl-Walk-Run-Fly Approach to Cyber Compliance Automation
You are looking to automate around your cyber compliance, scans, checklists, authorizations, patches and more. You do not want to reinvent every single thing if you do not have to (a.k.a. nuclear option). So how can you right now automate in steps, at your own pace, to get where you and your team need to go?
By using an application designed to plug into what you are already doing. And then turning on the faucet to more as required and/or desired.
Whether RMF, FedRAMP, StateRAMP or some other NIST 800-53 based compliance program, you can use these steps to crawl, then walk, run, then fly on your journey to automating your cyber compliance.
Full Disclosure: we are going to show you how with OpenRMF Professional. It is what it is; that is our product. However, you can use the steps below with a combination of a number of other tools and solutions to get the desired result, even if you just use Python/Go/Bash to get it all done.
We just think ours is better designed to do this out of the gate!
Crawl (like a Watermelon)
At the very least, this is where you first document all your types of data, scans and reports, and where each of them comes from.
- checklists
- SCAP / Audit Compliance
- Patch OS Scans
- Container/Image Scans
- SBOM
- Compliance Statements
- Controls you must meet
Realistically you would use an application like OpenRMF Professional to track your checklists and compliance against where you should be, and run reports from a database of information rather than from hundreds (or thousands) of individual files that may or may not be up to date.
- upload checklists
- track open vulnerabilities and severity levels
- track history / burndown of changes for compliance
- report on counts, trends, and dashboards
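What "upload checklists, track open vulnerabilities and severity levels, and track burndown" looks like underneath is mostly parsing. The example below is added here and is not OpenRMF Professional's code or the article's own. It assumes your checklists are STIG Viewer .ckl XML files (the element names VULN, STIG_DATA, VULN_ATTRIBUTE, ATTRIBUTE_DATA and STATUS follow that format); the two checklist snapshots, the host name and the V-9000xx identifiers are constructed sample data. It counts Open findings by severity for one checklist and produces the open-count series across dated snapshots that a burndown chart would plot.

```python
"""Parse STIG checklist (.ckl) XML, summarise open findings by severity,
and compute a burndown across dated snapshots of the same host."""
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date

# Status values STIG Viewer writes into <STATUS>. Only "Open" counts against
# you, but "Not_Reviewed" is not compliant either and must not be treated as closed.
OPEN, NOT_A_FINDING, NOT_APPLICABLE, NOT_REVIEWED = (
    "Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")


def _vuln(vuln_num, severity, status):
    """Build one constructed <VULN> block in CKL layout (sample data only)."""
    return f"""<VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{vuln_num}</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{severity}</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>{status}</STATUS>
    </VULN>"""


def _ckl(host, vulns):
    """Wrap constructed <VULN> blocks in a minimal CKL document (sample data only)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST><ASSET><HOST_NAME>{host}</HOST_NAME></ASSET>
<STIGS><iSTIG>{''.join(vulns)}</iSTIG></STIGS></CHECKLIST>"""


# Constructed: two snapshots of the same host a month apart. Between them one
# CAT I was fixed, one low was marked N/A, and a previously unreviewed item was
# finally reviewed and turned out to be Open.
SNAPSHOTS = {
    date(2024, 1, 1): _ckl("web01", [
        _vuln("V-900001", "high", OPEN),
        _vuln("V-900002", "medium", OPEN),
        _vuln("V-900003", "low", OPEN),
        _vuln("V-900004", "medium", NOT_REVIEWED),
    ]),
    date(2024, 2, 1): _ckl("web01", [
        _vuln("V-900001", "high", NOT_A_FINDING),
        _vuln("V-900002", "medium", OPEN),
        _vuln("V-900003", "low", NOT_APPLICABLE),
        _vuln("V-900004", "medium", OPEN),
    ]),
}


def parse_ckl(xml_text):
    """Return one dict per <VULN> with host, vuln_num, severity and status."""
    root = ET.fromstring(xml_text)
    host = root.findtext("ASSET/HOST_NAME", default="unknown")
    findings = []
    for vuln in root.iter("VULN"):
        attrs = {}
        for sd in vuln.findall("STIG_DATA"):
            key = sd.findtext("VULN_ATTRIBUTE")
            if key is not None:
                attrs[key] = (sd.findtext("ATTRIBUTE_DATA") or "").strip()
        findings.append({
            "host": host,
            "vuln_num": attrs.get("Vuln_Num", "?"),
            # Missing severity is kept visible as "unknown" rather than dropped.
            "severity": attrs.get("Severity", "").strip().lower() or "unknown",
            # A missing <STATUS> is treated as not reviewed, never as closed.
            "status": (vuln.findtext("STATUS") or NOT_REVIEWED).strip(),
        })
    return findings


def open_by_severity(findings):
    """Count Open findings per severity (CAT I = high, CAT II = medium, CAT III = low)."""
    return dict(Counter(f["severity"] for f in findings if f["status"] == OPEN))


def status_counts(findings):
    """Count findings per status so unreviewed items stay visible next to open ones."""
    return dict(Counter(f["status"] for f in findings))


def burndown(snapshots):
    """Open-finding count per snapshot date, oldest first: the series a burndown chart plots."""
    return [(d, sum(1 for f in parse_ckl(xml) if f["status"] == OPEN))
            for d, xml in sorted(snapshots.items())]


if __name__ == "__main__":
    latest = parse_ckl(SNAPSHOTS[max(SNAPSHOTS)])
    print("open by severity:", open_by_severity(latest))
    print("status totals:", status_counts(latest))
    for d, n in burndown(SNAPSHOTS):
        print(d, "open:", n)
```

The point of keeping `status_counts` next to `open_by_severity` is that a burndown which only tracks Open can look better than reality when items sit in Not_Reviewed; the January snapshot above shows three Open and one Not_Reviewed, so the true exposure is up to four. Real checklists carry many more STIG_DATA attributes (rule title, check text, fix text, and so on); the same loop collects them into `attrs` if you want to report on them.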
You are now at a crawl, even if just a slow one. At least you are moving!
Walk (this way!)
Now that you have started crawling, it is time to walk. The time in between crawl and walk is up to you, your team, your priorities, and your skill level.
Here you add in automated Plan of Action and Milestone (POAM) tracking. Add in patch OS vulnerability scans and tracking that. Show the burndown of patches getting applied.
You can also now read the software listing, hardware list, and ports/protocols/services from those patch scans and track them automatically, along with the checklists.
And report across all of them more easily, with all source-of-truth data loaded into your application to showcase and automate the information.
Now you are at a steady walk!
Run (-ning down a dream!)
Let the processes and how you use your information bake in a bit. Then again, when you and your team are ready you can start to run.
This is where you add in compliance statements. Add in mitigation statements to use. Bulk edit checklists, bulk POAM items and other data to get consistency. Template checklists to quickly spin up new machines, devices or applications.
Run dashboards to quickly see information visually that is harder to see on paper or in tables and lists. And run reports to see trends and information to inform decisions on next steps and actions to take.
You even start to use an API and your own PowerShell / Bash / Python scripts or cron jobs to automate collecting and publishing the data into an application like OpenRMF Professional. You in essence automate your scanning, and then automate uploading the files and publishing them to your system package / accreditation package area.
And again you use all the information to make decisions based on data. We have said that before. We will say it again.
This lets you make decisions based on the actual data around your network, hardware, software, and vulnerabilities. Not feelings. Not emotions. Not “I think we have…” items.
The actual data shows you where you need to concentrate and what the priorities are in order of criticality. And you can use that to focus your team on fixing issues and making more assets and networks more secure.
Now you are running!
Fly (like an eagle!)
So what is after that? How else can you automate even further? Here are a few ideas to get you and your team brainstorming for your needs:
- Use SIEM products to automate events and learn your network “norm”, then alert you when it is out of the ordinary
- Use all your data around your network, cyber compliance, and data to create a digital twin for white hat hacking and pen testing
- Use all your data for scripting and automating a cloud instance where required for staging, testing, etc.
- Tie in alerts to Slack, Teams, Email, or another reporting engine
- Create a listener for files and objects to upload via your own API integration across your entire cyber security mesh architecture
Where do I start?
Start wherever you are. See what steps above you are doing now, if any, and go from there. At a minimum, start to crawl.
- see what data you have now and where it comes from
- see what data you need and where from
- organize it around tools, applications, solutions built for this
- keep moving forward and getting better as you need to and want to
Additional Links
I love music. I listen all day long working. I am listening right now as I type this. So…
In case you did not get the song references…