You can use OpenRMF OSS open source to track just your specific STIG Checklists for your application, even if that is just a small piece of a larger overall ATO or System Package effort. It is worth the few minutes to setup this application as it will save you hours of work and cut down on copy/paste work, errors, frustration, elevated blood pressure, and bad data.

OpenRMF OSS is free to download and use at https://www.openrmf.io/

What is OpenRMF OSS?

OpenRMF OSS is the open source application that helps you manage your Risk Management Framework (RMF) data in one easy-to-use interface. …


Automatically list hardware devices, servers, and other hosts as well as software on them using OpenRMF Professional and ACAS Nessus scans.

OpenRMF Professional helps track hardware, noting patch scans and checklists

Automatically Track all Hardware from Scans and STIG Checklists

As we put in our PPSM article, there are multiple sections of great information in the ACAS scans that DoD and other Federal Agencies and corporations use for tracking patches. Most organizations use the scan results to automate their patch vulnerability management and track critical, high, medium, and low patches on servers and workstations that need to be fixed.

But did you know you also can track your hardware and devices scanned from your ACAS scans as well? Every…


Show differences in vulnerability status across all your similar checklists in your System ATO Package.

Quickly pick a System Package, Checklist Type, and Devices to find differences across your STIG Checklists

Finding Differences in Status and Severity Override

Picture this. You have a network enclave or group of servers and devices to manage. They are a mix of Windows Server 2012, 2016, 2019 as well as Red Hat Linux 7.8, 7.9 and 8.x servers. And you have web servers, database servers, application servers, a couple Active Directory servers, storage appliances, routers, switches, and firewalls.

And you have to keep up with device patching, ACAS scanning and SCAP scanning to make sure they are secure as far as vulnerabilities go. …


Automate the tracking and management of ports, protocols and services for your network with ACAS scans and OpenRMF Professional.

PPSM Listing automated through ACAS scans and OpenRMF Professional

Automatically Track PPSM through your Scan Results

For US DoD, US Federal and corporate networks your ACAS scans are a wealth of knowledge. Most organizations use them to automate their patch vulnerability management and track critical, high, medium, and low patches on servers and workstations that need to be fixed.

But did you know there is other very valuable information in these scans? The ports, protocols, and services (i.e. PPSM where “M” is management) that are running is captured in each server scanned. And this information is contained…


Track changes in STIG Checklists, Patch Vulnerabilities, POA&M updates, Open Items and more with a single web-based application. OpenRMF is here to simplify your life!

OpenRMF Professional dashboard for all System ATO Packages across your RMF workload.

Automatically Track Changes of STIG Checklist

Being able to show changes in vulnerabilities over time for their status, override, comments, and details has been a very big pain up until now. Keeping multiple copies of CKL files, putting files into a code repository like GitHub or GitLab, or even keeping checklists in folders that are named for dates of the year (i.e. 2021–02–15) have been going on for well over a decade. …


The chaos of numerous STIG Checklist files, SCAP scans, Patch Scans, and POA&Ms stretched across files, spreadsheets and shared folders is gone! If you track more than one System Package or ATO for your group, you need to use OpenRMF Professional.

Chaos Incarnate — normal look of an RMF tracking package. This needs OpenRMF Professional!

The Current Situation is a Mess

If you do any kind of work around cyber security or information assurance in the US DoD or Federal Agency space you probably recognize the picture above. The DISA STIGViewer application and a bunch of MS Excel spreadsheets for your POA&M and Test Plan Summary. Tracking open items in your applications and devices/hosts separately and manually. …


Use OpenRMF Professional to upload your patch scans, run reports, and track updated to STIG Checklists to make your ConMon reporting efforts a breeze! Automate the non-value-added work and spend time patching and securing your systems and infrastructure.

OpenRMF Professional Continuous Monitoring tracks patch vulnerabilities scans over time.

Track Patch Vulnerabilities for your System Package

Continuous Monitoring is the “last step” in the RMF process that we use for U.S. DoD, Federal Systems as well as corporate networks and infrastructure. Of course this “last step” does not really end. It involves making sure your software platforms and main servers, hosts, and devices all have the latest fixes and patches for operating systems. …


DISA went ahead and finally made new STIG checklists and SCAP scan benchmarks with new group Ids and rule Ids. And you have to upgrade the older checklists as newer ones come out of course. BUT the newer checklist Vulnerability IDs and Rule IDs don’t match up one-for-one with old checklists! How do you update them to the new checklist version correctly then? WTF!?!? Enter OpenRMF

What is OpenRMF, and why is it FREE!?

OpenRMF is Open Source Software (OSS) that lets you collaborate on, manage, report, and track your checklists, patch scans, and open items for your Risk Management Framework (RMF) process. It does not do the…


You too can use a combination of Keycloak Roles and Groups in your application stack for a multi-tenant application within a single Keycloak realm. This post explains how I am doing it and may possibly lend information to you to get started doing something similar. I am using Keycloak 10.0.2 for this example.

Using Keycloak with Groups and Roles for AuthN and AuthZ

Introduction to Multi-Tenancy

Multi-tenancy to me at least is a way to define the authentication and authorization (AuthN and AuthZ) of an application and how it relates inside your code. If your code is multi-tenant (think apartment building) then each user/group/organization can see its data and only its data. But…


When thinking performance, there are some non-complex ways to quickly add great performance to .NET Core Web APIs. I thought I was going to need Redis and another container, networking, complex logic, and a lot of trial and error to get caching APIs to work correctly. Turns out after studying the different ways for a couple hours, it took about 10 minutes of coding to add great performance to my APIs for what I needed! Below is how I did it and some links for safe keeping. You may be able to do the same.

The Idea

Putting it in basic terms…

Dale Bingham

CTO of Cingulara. Software Geek by trade. Father of three daughters. Husband. Lover of newer tech where it fits. Follow at https://www.cingulara.com/ @cingulara

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store