Where OpenRMF Professional Fits in the Larger US Federal Gov’t Cyber Compliance Ecosystem
Most people who evaluate our solution, or see a live demo of it, get it within 5 minutes, because they have been doing this work manually for years! The question we do get is: where does this fit in with the other tools we already use?
This post answers that.
Current Landscape of Applications and Tools for Cyber Compliance
There are applications and tools in use right now (mostly gov’t created, some home grown) that each do a piece of the RMF, FedRAMP and cyber compliance process. If you work on any part of this, you have probably seen these before:
- SCAP Compliance Checker (SCC) from NIWC Atlantic
- Evaluate-STIG from NAVSEA
- STIG Viewer v2 and v3 from DISA
- ACAS (Tenable Nessus / Security Center)
- HBSS and its derivatives
- Tanium
- eMASSTER
- Other Scanners
- and lest we forget, MICROSOFT EXCEL!!!
The challenge with these: they are individual, separate, mostly manual, and disjointed. You run one, then you load its output into another. Then you open 1 of 17 .xlsx files to update and send out to the team. And when one thing changes, you do it all over again!
Team members run scans, update PDFs and send them around, or update CKL files individually to track compliance. Then you update the POAM. Then there is an urgent data call and an ALL STOP! You know the drill…
And as you work through all these checklists and trackers, YOU HOPE the person before you updated the latest one!
Then everyone tosses their work “over the fence” to the next person with no regard for what happens next. A select few pull it all together, track it, and enter it into eMASS, MCCAST and the other government-approved programs of record. Manually.
This manual, disjointed process has been going on since the early 2000’s, when Dave Gould and I learned how to do this by hand under DITSCAP. Then DIACAP. Then RMF.
What We Needed
In a word: Automation.
We needed a way to track all these files, link them together, update the POAM, figure out compliance, do gap analysis, track burn down charts and more. All while doing our other work, keeping our analyst updated for the POAM, and responding to zero-day issues and data calls.
On top of that, this is a team process that was being done manually with very little collaboration. That needed to be fixed as well.
So we came up with the solution: OpenRMF Professional.
Team collaboration by nature. Take the scans/files you already use and automate around them. You already have to do scans so why not!
Automate your POAM. Track burn down on vulnerabilities. Generate compliance and track that history over time.
Run reports in seconds. Add full text searching of checklist data to find that “needle in a haystack” based on a word or phrase you remember.
All through the web. All with role based access. Tracking and auditing all interactions.
And then add an API to integrate and automate further.
Who This is For
The other question is: who is this for?
“I already have eMASS. Why would I use this?”
For one thing, “I” is not “team”. This is for the whole team, to automate as much of the whole process as possible. Your whole team would have access to this. They don’t have access to eMASS.
The other reasons include having all checklists and patch information in one place, and making your validator’s job MUCH easier (which improves their attitude toward you and the process).
Automatically tracking the burn down (hopefully it is down) of vulnerability numbers. Automating the scanning, uploading, tracking, and scoring of your checklist vulnerabilities and patch vulnerabilities.
Keeping your POAM up-to-date with direct links back to the actual data that caused the POAM entry in the first place.
As you can see below this is for system admins, PMs, DBAs, analysts, cyber folks, developers, “C” level people, managers, ISSOs and even assessors to view and track all this information and its history and progress easily.
And it still lets you put everything into eMASS (soon to be automated via API!) and the other programs of record.
Even eMASSTER has its value in the ecosystem. However, it is client based and manual. Not everyone has it. It does not really track history. And you had better have every file on hand when you process, or the resulting data is wrong.
Using all these across the ecosystem gets you to answers of cyber compliance faster. And it is automated. And repeatable across all your teams.
The End Result
This is the end result. In the last 4+ years we have 39 customers (and are growing 60+% year over year), with 56 total installations of our solution, tracking a combined allowed total of 523 ATOs across them all.
Using our savings calculator, we did the math assuming 60% utilization of those ATOs, 50 checklists per ATO (which is small), quarterly updates, and the people needed to track vulnerabilities, track the POAM, and so on.
The result: a minimum time/money savings of $53M. PER YEAR.
Total cost of all those installations combined? Less than $2M. So spend $2M across almost 40 separate customers. Take a month or two to learn the solution. Use the data you already have. And save 25x that amount in time and money. All while reducing the stress of your team. Not bad…
Check it out for Yourself
Want to learn more? Check out our demo site.
Get a live interactive demo with our technical team.
Or download and evaluate for yourself with our software, documentation, and online video training site.
See for yourself how we can help your team automate cyber compliance!