Use CIS Benchmarks to Track Cyber Compliance in OpenRMF Professional

Dale Bingham
5 min readMay 9, 2022

--

With version 2.8, you can now use CIS based benchmarks to scan your applications, software, and devices for tracking compliance and vulnerabilities. Automatically make a CIS checklist template from your .audit file. Scan your devices. Upload the results. Track over time using OpenRMF Professional’s automation engine.

CIS benchmarks turned into Checklist Templates in OpenRMF Professional v2.8

CIS Benchmarks

If you are coming from the US Federal or DoD world, you probably understand DISA based checklists. They have been using them for a while now for the automated scans for DISA benchmarks. And you have a bunch of them for your system package you are tracking (ATO, ATC, IATT, Type Accreditation).

But what about the CIS Benchmarks and their scan results? These are used in government and commercial industries. How can you use those for tracking RMF, FedRAMP or other cyber compliance as well? In a similar manner all together with other scans? Without copying/pasting information into other formats? Or drowning in Excel Hell!?

It is easy with OpenRMF Professional v2.8! Now, you can now take the .audit file used for a Nessus/ACAS Audit Compliance scan using CIS Benchmarks and automatically create a checklist template. Upload the .audit file, and you have a custom CIS-based checklist template that matches the audit file results you receive when using it for a scan. That is it!

All the underlying features in OpenRMF Professional to setup boilerplate answers to benchmark checks, locking vulnerabilities, setting the status and even creating specific system package based customizations of that checklist template are all there already! Apply those to CIS as well.

And you can use those new CIS based results to generate and track your overall compliance to RMF, FedRAMP, or tailored controls as well as include overlays. They link to the live POAM. They are included in report searches and data calls. They create new checklists or update existing ones. The vulnerability score changes are tracked over time. All the automation kicks in.

You can even combine your CIS benchmark results, DISA benchmark results, SCAP scan results and custom checklists all within your system package in OpenRMF Professional. Now you can see a true compliance across all automated checks, documentation, process, procedure, and policy using our compliance engine. All in one place. And track compliance over time with snapshots you save to see progress.

Creating Checklists to Match the CIS Benchmarks

To make one of these checklist templates that matches your CIS benchmark results (will be a .nessus file), you go to Templates → Upload CIS audit definition file and load the file. Done. Our templating engine parses the file, matches the checks in the .audit file, and creates a CIS based custom checklist for you to use in seconds.

Yes, that is it! You can do that for all your .audit file benchmarks you use. Then go to the Templates area and list all CIS checklist templates. You can view them just like any other DISA or custom checklist. They have the same structure, same process, same design to use them and fall right in line with the other automated features in OpenRMF Professional.

Upload the .audit file you use for your CIS benchmark to make a checklist template that matches your results

Uploading Your Results

To get your results into your system package, you can upload through the GUI. You can use the API. Or new to v2.8, you can import directly from your Nessus scan with the integration setup in your system package. Connect your scanner via their API through our GUI. List the folders, find your scan, and click the import button.

The results appear in a new checklist you made from the .audit file as discussed above. And the results will show the normal checklist structure as is pictured in the image just below. Your rules, status, details all from your scan in one place.

Tracking CIS benchmark scan results in your new checklist

Track Compliance, POAM, Vulnerabilities, and Reporting

When you uploaded your .audit file, the tracking of those benchmark checks to NIST 800-53 type controls was automatically done for you. You can edit the checklist template in the Templates area and adjust the controls and CCI items to add/remove relationships as well to further customize that CIS checklist template. You can even add extra manual checks if you wish with our editor to tailor the checklist to what you and your team require.

Those NIST controls tracked in your checklist mean these new CIS based checklists work in the compliance engine as well! Track your results and status to the require compliance level, overlays, tailoring, etc. you have for your system package. All vulnerabilities in these checklists link to the live POAM and are tracked accordingly as well. And all reporting on vulnerabilities, status, compliance, and checklists now include your new CIS based checklist!

The power of automation now applied to your CIS benchmark scans! See how the compliance works in our new YT video below.

Checkout out OpenRMF Professional v2.8!

Soteria Software’s OpenRMF Professional is revolutionizing the way you track RMF, FedRAMP and Cyber Compliance through automation! Whether you are tracking RMF and FedRAMP right now by itself, automating in a DevSecOps process, need a cyber compliance engine for your Software Factory or are even migrating on premise to cloud infrastructure — OpenRMF Professional can help ease the workload and get you there faster.

You also can have a standardized, structured way to track your cyber compliance across all your teams and customers. You are in essence building your own Cyber Compliance Factory!

Have all team members manage and import/update their specific data. Generate your compliance with a click of a button. Then export your Checklist (CKL) files, System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR) as well as your POAM for your approved government or corporate system of record.

See for yourself by downloading a copy with an evaluation license!

--

--

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft