Automate Hardware and Software Listings for ATO with OpenRMF

Automatically list hardware devices, servers, and other hosts as well as software on them using OpenRMF Professional and ACAS Nessus scans.

OpenRMF Professional helps track hardware, noting patch scans and checklists

Automatically Track all Hardware from Scans and STIG Checklists

As we put in our PPSM article, there are multiple sections of great information in the ACAS scans that DoD and other Federal Agencies and corporations use for tracking patches. Most organizations use the scan results to automate their patch vulnerability management and track critical, high, medium, and low patches on servers and workstations that need to be fixed.

But did you know you also can track your hardware and devices scanned from your ACAS scans as well? Every single device you scan is listed with ports, protocols, software, services, and other data found. This gives you a great starting point for your hardware list (or device list if that is what you call it) that you need to track.

OpenRMF Professional automatically pulls hardware related data from the scans and helps you track your devices in your system package. And it notes in the Hardware listing page that you have a scan for that device with an “X”. This can quickly tell you if you have any devices for your system package you are tracking that have not had a scan. (You can also use the Activity Report in OpenRMF Professional to see how long ago your scans were done.)

In addition, OpenRMF Professional keeps track of the hostname from the SCAP scans or Checklist data you upload as well as far as STIG Checklists. The combination of tracking hardware from STIG checklists and ACAS scans allows you to automate as much information collection as possible. You can manually add more devices not scanned or those without a STIG Checklist as well if you have any. And you can edit each hardware entry to add things such as the firmware information, purpose, description, and other data.

Automatically track hardware and see if there is a patch scan and checklist for each device listed.

This hardware listing is automatically kept up-to-date for the hardware items you did not manually add. If there is a new device, it is added. If all scan records and STIG checklists are deleted for a particular device, it is removed from the listing. If a checklist changes the hostname, that is updated as well.

OpenRMF Professional was created to ease the data collection, documentation, and reporting burden so you can get back to securing your systems. At the same time you have a way to track your data, track changes, and audit those changes to see why they happened.

Automatically Track Software from Scans

The other great section of information in these scans is the automated list of software installed that is detected. Whether a Linux-based device/server or a Windows-based device/server, there are sections dedicated to list out software and patch information automatically detected on the device.

In OpenRMF Professional v 2.2 and beyond this is automated as well. Track the software name, version, and date if it can all be pulled from the ACAS scan. You also can add your own manual listing of software to supplement the automated listing. The automated software is updated and pulled from continuous monitoring efforts with ACAS scans to keep it relevant with the latest scan.

This is yet another great time saving feature in OpenRMF that lets you get your software listing started, keep it relevant, and list the Windows software installations and Linux packages installed on your devices.

Automatically list installed applications from ACAS scans with OpenRMF Professional

OpenRMF Professional v2.2 (the software pitch)

OpenRMF Professional automates much of the RMF process, helping decrease the time to an ATO by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning the DISA controls, checklists and patch scans, and then manages all information in a secure central database structure. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF reports.

Having a web-based central repository for all RMF data that has role-based security for each system, eases the RMF process using a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also provides leadership with direct insight into the status of all system security and risk information thus eliminating the mystery around implementing the RMF process.

Once an ATO is achieved, OpenRMF continues with continuous monitoring and tracking of POA&M items, overall risk of systems and applications, and tracking updated scans and checklists throughout the life of the system.

Check it out here. Ask for an evaluation copy to try it yourself!

CTO of Cingulara. Software Geek by trade. Father of three daughters. Husband. Lover of newer tech where it fits. Follow at @cingulara