Use OpenRMF OSS to Manage and Track your Application’s STIG Checklists

You can use OpenRMF OSS open source to track just your specific STIG Checklists for your application, even if that is just a small piece of a larger overall ATO or System Package effort. It is worth the few minutes to setup this application as it will save you hours of work and cut down on copy/paste work, errors, frustration, elevated blood pressure, and bad data.

OpenRMF OSS is free to download and use at

What is OpenRMF OSS?

OpenRMF OSS is the open source application that helps you manage your Risk Management Framework (RMF) data in one easy-to-use interface. RMF is normally chaos seen below with a separate STIGViewer application with multiple tabs with separate checklists, disjointed PDF scans of patch vulnerabilities, and MS Excel spreadsheets.

With OpenRMF you get a web interface with all that data under a System ATO Package grouping, relatable, searchable, and easily editable with a web browser. You do not have disjointed individual files. You have a system of checklists, vulnerability data, and scan data that you can quickly act on. You can, however, use this just for your group of checklists you have to manage in a larger System ATO as well.

Quickly see which checklists have the most open items.

Quickly see the total number of Open, Not a Finding, and N/A items along with those not yet reviewed. And see the Open items by their severity or category quickly as well.

Answer data calls, questions, and report to your manager, PM or CIO with truthful data you can trust in and back up your answers.

You can do this on a whole System ATO Package for sure. But that is not all. You can do this on your own subset or group of checklists that fit into a larger System ATO Package as well. And quickly update, edit, report on, and download the data to send to those that need the CKL files for the larger ATO.

Normal Chaos around the RMF process — STIG Viewer, XLSX, PDFs of reports and scans, separate and disjointed

Automate Your SCAP Scans and Checklists

You can quickly add a System ATO Package record in OpenRMF OSS and then upload STIG Checklists files (*.CKL) or SCAP scans (XCCDF formatted XML files) using the DoD SCAP scanner, Nessus SCAP Scanner or the OpenSCAP tool. The SCAP results are matched to the correct STIG Checklist and all pass/fail information is filled out for you automatically. Then the CKL file and metadata for it are saved in your System Package.

Or you can upload your generated CKL files from older checklists or from your own automated tools or manually created checklists.

Having all this in one spot where you know it is the “source of truth” for your checklists you manage is a great way to structure your checklists. You also can report on them, edit them through the OpenRMF web interface, upgrade them to the latest checklist version DISA puts out, and answer data calls quickly.

When asked for the actual CKL files you can download the files individually or as a ZIP to send off easily. The OSS version can definitely help in this area. It lets you manage your part of the checklists and data that roll up to the larger ATO package.

Upload SCAP results in XML or Checklist CKL files easily

Automate Tracking Open Vulnerabilities

One great thing the OpenRMF OSS application does is track your number of Open CAT 1, CAT 2, and CAT 3 vulnerabilities across all checklists. It also tracks the other Not a Finding, Not Applicable, and Not Reviewed items as well. We call this your “System STIG Checklist Score”. But it can be just for your group of checklists as well at a smaller level.

At the same time it tracks the individual checklists and their individual STIG Checklist Score. You can quickly report on open items by category/severity and run reports on them. You can find vulnerabilities within checklists or across all checklists in a matter of seconds.

That is something you cannot do with the individual STIGViewer or Excel spreadsheets easily. And it works whether you have all System ATO checklists or just your grouping of them.

Show Vulnerabilities by status and severity for the whole System ATO or Individual Checklists

Automate Upgrading Checklists

Another PITA in dealing with the checklists is when DISA comes out with upgrades on checklists. Especially in the fall of 2020 when they renumbered the V-xxxxx numbers in the Windows family and other checklists! The normal way of updating would be to copy/paste from one to the other. Or do a new SCAP scan, match the new benchmark to the new checklist, and import. Then copy/paste the manual checklist items.

Now: open the checklist in OpenRMF and see a note like below that there is an upgrade available. Click a button and within seconds all the items are copied over to the new checklist and saved. Even the renumbered ones! Any new vulnerabilities in the upgraded checklist are marked Not Reviewed. The rest have their information copied over in seconds.

That alone may be worth you downloading the application and using it!

Upgrade a STIG Checklist to the latest version and release with the click of a button.

Single Source-Of-Truth for STIG Checklists

The last thing to say on this: having an application that you know houses the source of truth for just your particular checklists and data makes your job A LOT easier and much less stressful. No more shared folders, emailing XLSX files around to get the latest data, and wandering through your server or computer, email, and files to make sure you have the latest.

OpenRMF OSS can be your single source of truth for your checklists, even if they are just a part of a larger System ATO Package. At least your stuff will be correct and you know your information!

OpenRMF OSS = Cyber Compliance Automation

The open source version of OpenRMF is indeed a massive time saver.

Beyond the OSS version, OpenRMF Professional has enhanced security down to the System ATO Package level, tracks changes and history, has more detailed Patch Vulnerability features. It also automatically reads your ACAS scans and keeps a running up-to-date list of ports, protocols, and services (PPSM), hardware listing, and installed software listing. And it has a lot more reports to answer data calls and to track vulnerabilities and actionable data on your system packages you can use to secure your systems.

Want a demonstration or an evaluation copy to see for yourself? See how at the OpenRMF Professional website. We are looking forward to showing you how you can simplify your RMF life!

CTO of Cingulara. Software Geek by trade. Father of three daughters. Husband. Lover of newer tech where it fits. Follow at @cingulara