OpenRMF® Professional Introduction
Welcome to the main Help area for OpenRMF® Professional – Cyber Compliance Automation Achieved!
OpenRMF® Professional is a 100% web-based cyber compliance collaboration and automation application. It enables you to store, manage, report on, and continuously monitor your applications, networks, patches, vulnerabilities, ports/protocols/services and devices within your System Packages and accreditation boundaries in an easy manner from a single source of truth.
This online help serves to aid users with the features, functions and sections of OpenRMF® Professional. This information is also available in the User Guide. For specific administrative tasks and features, please see the Administrator Guide. There is also a Developer Guide for API use and further automation and integration, as well as a Kubernetes-specific installation document.
Please reach out to Soteria Software at support@soteriasoft.com or your sales representative for more information.
General Information
OpenRMF® Professional is a collection of services and databases with a web-based frontend and external API that allow managing and coordinating the information for the NIST 800-53 listing of controls as it relates to the Risk Management Framework, FedRAMP and StateRAMP™ levels. It relates the controls to the various STIG checklists and compliance checklists, as well as their individual vulnerability listings. It also shows the “Score” for checklists, which is the number of vulnerabilities that are open, not reviewed, not applicable or not a finding (closed) per checklist, and shows the Score grouped per system package (ATO).
OpenRMF® Professional also relates patch vulnerability scans to a group of servers, patches, software, hardware as well as ports, protocols and services in a system package. For this information it shows the “Score” which is the number of open critical, high, medium, and low plugins or patches that are missing or misconfigured on servers scanned. It also collects the scanned software installed on systems through the scans. And it keeps track of all ports, protocols, and services found during the scan and allows you to specify the boundaries they cross inbound and outbound for security purposes.
Finally, OpenRMF® Professional helps you track other vulnerability scans for software, containers (images), logs, infrastructure, and other technology in your system package. For this information it shows the “Score” which is the number of open critical, high, medium, and low findings based on the scan results. There is a DevSecOps dashboard for this information as well as listings, graphs, and charts to show the information relative to your POAM and cyber compliance package.
Additionally, you can track your cyber compliance against required controls and subcontrols, manage compliance statements, track open items with a live integrated plan of actions and milestones (POAM), and perform searches for data calls across your entire ATO, system package or accreditation boundary.
How to Use OpenRMF® Professional
There is no defined way you MUST use OpenRMF® Professional. The power over how you use it is in your hands!
In general, you create system packages (RMF, FedRAMP, Custom, etc.) and you add your patch scans and checklists to that system package. You add your compliance statements, run your compliance check, generate POAM items, see your cyber compliance scores, and track progress and history in your system package. In addition to that, you could generate organizational and system templates and fill in items that are inherited or generated through automated setup scripts and computer/server images used to build devices.
You can do this through the web interface as well as through our documented API. Descriptions of the API calls and data can be found in the Developers Guide as well as our public GitHub Repo at https://github.com/SoteriaSoftwareLLC/openrmfpro-automation.
We have worked with government and commercial groups to allow your processes to fit within OpenRMF® Professional with flexibility. You also can adjust your internal processes and procedures to use OpenRMF® Professional. And you can do so directly or through our external API for even more automation!
If you see an improvement or suggestion for a feature you think would be valuable, please do not hesitate to send that to support@soteriasoft.com or through your management, value added reseller or sales channel partner representative.
Sections of OpenRMF® Professional
There are sections or areas in OpenRMF® Professional to group the type of data you are looking to use. They are outlined below and available on the left menu as well.
Home
The Home menu and area is for overall user notifications and your dashboard. The Dashboard is defined in detail in the General area of help. You will also see your Notifications and be able to mark them as read.
System Packages
The System Packages area is for managing your system packages (or accreditation boundaries), devices, hardware list, software list, groups of checklists, plan of actions and milestones (POAM), cyber readiness, evidence management, test plan summary and other data. It allows adding and editing of checklists, updating vulnerabilities, managing and applying overlays, tracking historical changes, tracking your score and continuous monitoring information, managing and applying mitigation statements to POAM items, listing the tailored controls (if you use a custom set), as well as generating the System Security Plan Control to Vulnerability matrix. You also can generate a PowerPoint summary slide deck, create Team Subpackages and more.
This is the largest area of OpenRMF® Professional and is the main area in which you will probably use this application. You can find more detailed information in the System Packages Help Area.
Team Subpackages
Team Subpackages are used to separate a larger system package into smaller subsets for teams to review and edit their specific data. Team Subpackages allow you to group your checklists by the particular individual checklist(s) for a team to review or edit/update. It also allows grouping the hardware list, software list, ports/protocols/services listing as well as the score history of patches on those devices into smaller subsets from the larger system package. Based on permissions, you can have users only edit data in the Team Subpackage, or allow them to add checklists and devices here that are also added to the larger system package.
This allows smaller groups or teams to view and edit their checklist data and/or patch and hardware data without viewing or editing data from other checklists and devices. The teams are given permissions into just their team subpackage and cannot view or edit other data or run compliance and other checks. They can only manage the POAM items related to their scans and devices. And the reports across the team subpackage are restricted to those with team subpackage level permissions.
You can find more detailed information in the Team Subpackages Help Area.
Checklists
Checklists are listed within your System Package or Team Subpackage and are matched to the proper DISA STIG checklist, CIS based checklists created with a proper .audit file, or custom checklists created within OpenRMF® Professional. Compliance scans and checklists show compliance to the NIST 800-53 baseline controls as well as open vulnerabilities and status across all checklists. From here you can do bulk edit operations, bulk update operations, edit vulnerabilities and create other checklists from templates.
You can find more detailed information in the Checklists Help Area.
Host Patch Scans
Host Patch Scans are also under the System Packages in OpenRMF® Professional. Within each system package you will see the hardware asset list, software asset list, PPSM (ports, protocols, services management) list as well as the patch vulnerabilities and open patch score information. You can find more detailed information in the Host Patch Scans Help Area.
Tech Vulnerabilities
The Tech Vulnerabilities area is where you find information on uploading and importing scan information for software, container, log and other types of vulnerability scans. You can track each of these by their project and source and have them automatically link to your POAM as well. We have a few native formats we read into OpenRMF® Professional, as well as a generic format for transposing and reading in all other types of data.
You can find more detailed information in the Tech Vulnerabilities Help Area.
Compliance
The compliance pages cover generating RMF, FedRAMP, StateRAMP™ or custom compliance for your system packages as well as managing compliance statements, tracking inheritance, tailoring controls, adding overlays and exporting all controls required for your system package compliance. You can find more detailed information in the Compliance Help Area.
Templates
Templates are checklists without data filled in for your specific server or device. There are five types of Templates in OpenRMF® Professional. DISA templates are from the public.cyber.mil website and are created by DISA for use. We include the public ones in the application and allow you to add others as well. We have a process to test and include newer DISA checklist templates with our updates and patches, and Template Administrators are also provided a way to add newer ones before that. DISA templates are available across every user and system package in OpenRMF® Professional.
There are also Organizational templates which are other templates (DISA, CIS, Custom) that have some information already filled in by application administrators and saved for boilerplate checklists or starter checklists. They can have prefilled data and can even have vulnerabilities locked from the outset. Organizational templates are available across every user and system package in OpenRMF® Professional.
There are also CIS based checklist templates created from .audit files that ACAS/Nessus provides for CIS benchmark scans. And you can create custom checklist templates within OpenRMF® Professional as well for your use. CIS based and Custom checklist templates are available across every user and system package as well.
Finally there are System Package templates. These are filled out from other types of template baselines mentioned above and are used specifically within a system package only. They can have prefilled data and can even have vulnerabilities locked from the outset. This information and more is available in the Templates Help Area.
Reports
There are several groups of reports that are run within this area and we are always adding more based on roadmap or customer requests. The reports allow searching for vulnerabilities, controls, servers, ports, services, POAM, and other information contained in your systems and checklists but hard to find and track manually. The Reports Help Area has more detailed information.
Integrations
OpenRMF® Professional integrates natively with external applications for task management, Nessus/ACAS scanner ingest, as well as software scan imports. You can find more detailed information in the Integrations Help Area.
Security & Permissions
This application and its features have baked-in role based access and group permissions for all actions and pages. You can choose from a number of overall roles for users, and then more specifically detailed permissions within each system package or team subpackage. You can find more detailed information in the Security and Permissions Help Area.
Metrics
We have Grafana and Prometheus included behind the scenes in OpenRMF® Professional. This allows you to track the performance of the computer/server hosting the application, as well as the health and performance of the application components, from a few pre-built dashboards in Grafana. You can find more detailed information on the Metrics Help Page.
Administration
For application administrators, you can set your top and bottom banners, splash page or consent text, as well as auditing settings for the whole application. This is also the area you use to upload your license for OpenRMF® Professional. Additionally, you can find options to manage globally available overlays, manage globally available mitigation statements, manage global device profiles and the approved ports/protocols/services listing, as well as list all current System Packages across the application installation. The Administration Help Area has more detailed information.
Help
This is the help area which you are viewing right now! It shows information on using OpenRMF® Professional and processes and procedures you can incorporate OpenRMF® Professional into for your organization. It also explains several of the ways data is displayed and can be used for your RMF and ATO processes.