Order from Chaos: Manage Multiple System ATO Packages with OpenRMF

Dale Bingham
Mar 15, 2021

The chaos of numerous STIG Checklist files, SCAP scans, Patch Scans, and POA&Ms stretched across files, spreadsheets and shared folders is gone! If you track more than one System Package or ATO for your group, you need to use OpenRMF Professional.

Chaos Incarnate — normal look of an RMF tracking package. This needs OpenRMF Professional!

The Current Situation is a Mess

If you do any kind of work around cyber security or information assurance in the US DoD or Federal Agency space you probably recognize the picture above: the DISA STIG Viewer application plus a pile of MS Excel spreadsheets for your POA&M and Test Plan Summary; open items in your applications and devices/hosts tracked separately and by hand; and all of that information juggled across different silos and shared folders, possibly with backup ZIP files in case something gets messed up and you need to pull historical data.

Tutela Security and I know the problem well, all the way back to 2004 at the NAVEODTECHDIV! Which is why we came up with OpenRMF in the first place. Trying to manage the vast amount of information across many, many CKL checklist files, SCAP scans, Nessus scans, and historical data, while making sure the information in your Test Plan Summary and POA&M is correct and up-to-date, is a stress-infested mess! And it is past the point where the human brain can manage all that information without automation. Even if your team or company has automated some of the scripts and collection of the data, it is still a massive amount of data to keep in sync and to make sure it tells the true story of your cyber compliance and security posture.

On teams I was on, we had one person in charge of making sure they collected all CKL files and updated the POA&M manually. Sometimes they had to export the CKL file to MS Excel, format it, color code it, and email it to team members who could not figure out the STIG Viewer. They got the XLSX file back in email with changes highlighted. Then they copied/pasted the data into the STIG Viewer and saved the updated CKL file, put the CKL file into a shared area for safe keeping so all could have the latest, and updated their numbers of open items by category, Not a Finding items and the like. And there were permissions and backup strategies on all those files to be safe.

Raise your hand if this is you! And that "process" I mentioned just above is for a small team. Imagine a System Package that has 100 Windows servers, a handful of Red Hat Linux servers, application servers, switches, a firewall, an F5 device, 25 business applications and other pieces you have to track! It is a nightmare to make sure you manually collect all that data and correlate it correctly, then match it to your NIST controls and generate a compliance listing of how well you are doing.

Now you have an alternative! And a great one at that! (Ok, I am biased a bit)

OpenRMF Professional — Order from Chaos

OpenRMF Professional is a web-based secure application to manage your System Packages and RMF data

Enter OpenRMF Professional — a web-based application that is specifically designed to automate the data collection and reporting around the RMF process and related standards. You can have one application that can do the heavy lifting of the manual collecting, editing, and reporting around your System Package.

You have one place to put all checklists, upload SCAP scans to create or update current checklists, and track all ACAS scans for patch vulnerability management. You also link all that data to a POA&M that is automatically updated on new vulnerabilities, closed patch issues, and updated STIG Checklist vulnerability items. And you can generate your compliance listing against NIST controls in seconds with a click of a button, including tracking compliance to a tailored list of controls.
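To make concrete what "collect the CKL files, count open items by category, and roll them up to NIST controls" actually involves, here is an added example (not OpenRMF's code, and not taken from this article) that parses a DISA STIG Viewer .ckl checklist with the Python standard library, tallies results by CAT severity while honouring the assessor's SEVERITY_OVERRIDE, and maps each finding's CCI references to NIST SP 800-53 controls. The checklist and the small CCI map are constructed for illustration; the V-numbers are placeholders, and the authoritative CCI-to-control mapping comes from DISA's published CCI list, not from the dictionary below.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the STIG Viewer .ckl layout (placeholder V-numbers).
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET><HOST_NAME>web01</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000048</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS><SEVERITY_OVERRIDE>high</SEVERITY_OVERRIDE>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001312</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""

# Constructed excerpt of the CCI -> NIST SP 800-53 mapping; load DISA's CCI list in real use.
CCI_TO_CONTROL = {"CCI-000366": "CM-6 b", "CCI-000048": "AC-8 a", "CCI-001312": "SI-11 a"}

CAT_BY_SEVERITY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}
# Worst-first precedence used when several vulns cite the same control.
_RANK = {"Open": 3, "Not_Reviewed": 2, "NotAFinding": 1, "Not_Applicable": 0}


def parse_ckl(xml_text):
    """Return one dict per <VULN>: id, severity, override, status and CCI refs."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    findings = []
    for vuln in ET.fromstring(data).iter("VULN"):
        attrs, ccis = {}, []
        for sd in vuln.findall("STIG_DATA"):
            key = sd.findtext("VULN_ATTRIBUTE", default="")
            val = (sd.findtext("ATTRIBUTE_DATA", default="") or "").strip()
            if key == "CCI_REF":          # CCI_REF may repeat inside one VULN
                if val:
                    ccis.append(val)
            else:
                attrs[key] = val
        findings.append({
            "vuln": attrs.get("Vuln_Num", ""),
            "severity": attrs.get("Severity", "").lower(),
            "override": (vuln.findtext("SEVERITY_OVERRIDE", default="") or "").strip().lower(),
            "status": (vuln.findtext("STATUS", default="") or "").strip(),
            "ccis": ccis,
        })
    return findings


def effective_cat(finding, honour_override=True):
    """CAT I/II/III for a finding; a non-empty SEVERITY_OVERRIDE replaces the STIG severity."""
    sev = finding["override"] if honour_override and finding["override"] else finding["severity"]
    return CAT_BY_SEVERITY.get(sev, "UNKNOWN")


def status_counts(findings):
    return Counter(f["status"] for f in findings)


def open_by_cat(findings, honour_override=True):
    return Counter(effective_cat(f, honour_override) for f in findings if f["status"] == "Open")


def control_rollup(findings, cci_map):
    """Worst status among the vulns whose CCIs cite each control; unmapped CCIs are skipped."""
    worst = {}
    for f in findings:
        for ctl in (cci_map.get(c) for c in f["ccis"]):
            if ctl is None:
                continue
            current = worst.get(ctl)
            if current is None or _RANK.get(f["status"], 3) > _RANK.get(current, 3):
                worst[ctl] = f["status"]
    return worst


def poam_rows(findings, cci_map):
    """The rows an automatically maintained POA&M would carry for every Open item."""
    return [{"vuln": f["vuln"], "cat": effective_cat(f),
             "controls": sorted({cci_map.get(c, c) for c in f["ccis"]})}
            for f in findings if f["status"] == "Open"]


if __name__ == "__main__":
    fs = parse_ckl(SAMPLE_CKL)
    print("status counts:", dict(status_counts(fs)))
    print("open by CAT, override honoured:", dict(open_by_cat(fs)))
    print("open by CAT, override ignored:", dict(open_by_cat(fs, honour_override=False)))
    print("control rollup:", control_rollup(fs, CCI_TO_CONTROL))
    print("POA&M rows:", poam_rows(fs, CCI_TO_CONTROL))
```

Two details matter when automating this by hand or in a tool: the category counts change once an assessor's SEVERITY_OVERRIDE is applied (the sample's V-100002 is a CAT II in the STIG but a CAT I as assessed), and a single control such as CM-6 b is cited by several vulnerabilities, so control-level compliance has to be the worst of them rather than the first one seen. Running the same parser over every .ckl in a package gives the per-host numbers that are otherwise copied from STIG Viewer into a spreadsheet.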

A full list of features is available on our website. Here are some highlights:

  • Manage multiple System Packages, with security specified at the system package level
  • Upload Checklists, SCAP Scans (automatically turned into Checklists), and Nessus ACAS scans to track open items and compliance
  • Generate a compliance listing against NIST controls, including tailoring
  • Track historical changes on STIG Checklists automatically
  • Track patch scans for continuous monitoring (ConMon) easily
  • Integrated live POA&M, automatically linked to STIG Checklists and patch scans
  • Auditing on all create, read, update, delete, and list functions throughout
  • Reporting across all STIG Checklists in your package for data calls
  • Team notifications for updated checklists, scans, POA&M information
  • Currently in Beta: generating a hardware and software asset listing from scans; automatically generating a MS PowerPoint on your System Package summary for meetings and presentations to management; automating your ports, protocols and services management (PPSM) tracking.

OpenRMF Professional — Cyber Compliance Automation

Companies, agencies, and organizations use OpenRMF Professional software as a way to automate much of the RMF process, decreasing the time to an ATO by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning DISA STIG checklists and patch scans to NIST controls, and then manages all information in a secure central database. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF reports.

Having a web-based central repository for all RMF data, with role-based security for each system, eases the RMF process by providing a single source of truth and eliminating errors, manually intensive individual tracking, and rework. It also gives leadership direct insight into the status of all system security and risk information, removing the mystery around implementing the RMF process.

Once an ATO is achieved, OpenRMF provides the ability to continuously monitor and track POA&M items and the overall risk health of systems and applications, and to track updated scans and checklists throughout the life of the system.

Want a demonstration or an evaluation copy to see for yourself? See how at the OpenRMF Professional website. We are looking forward to showing you how you can simplify your RMF life!


Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft