
What is an Audit Compliance Scan

Audit Compliance scans (based on DISA benchmarks or CIS benchmarks) compare the system you are scanning against a baseline, or benchmark, which is an open security standard, to find where a system, device, server or platform is compliant or non-compliant. The scan uses these specific standards to help organizations automate how they monitor system vulnerabilities and confirm that their systems comply with security policies.

The Scan Process

The Audit Compliance scans and benchmarks are available from Tenable in their Nessus product line. You load the benchmark files into the scanner, which allows the scan to match against known good security standards. The results of a scan can be exported as a .nessus format XML file and then uploaded into OpenRMF® Professional to create an actual checklist of findings. Alternatively, if you set up the Nessus integration, you can use the Import feature to pull audit compliance scans in directly to create or update a checklist in your system package.

For CIS-based audit compliance scans, you must use the .audit file for the scan in the Templates area with the CIS Audit File to Checklist feature. This creates a valid CIS-based checklist that matches the results of the audit compliance scan.

You also can use Rapid7 Nexpose to run CIS-based benchmarks, but the results must be matched against a CIS template already in OpenRMF® Professional.

Turning a Scan into a Checklist

A scan by itself is useful. However, it needs to be turned into a checklist to show proof and get actionable results. The best way is to create your checklist from the exported .nessus file by uploading it into OpenRMF® Professional. If you use the Upload feature and upload a .nessus file, OpenRMF® Professional matches the scan to the proper checklist template and creates your checklist for you.

For a brand new scan (one that is not already a checklist in the system package), all items whose automated scan result is Open, Not a Finding or Not Applicable are updated in the proper checklist file, the checklist is added to the System Package you upload into, and the results are available within seconds. You also will see the generated “score” of the total Category 1, 2, and 3 items grouped by their status. All other items are marked as Not Reviewed.

For a scan that updates a checklist already in the system package, OpenRMF® Professional will only update those vulnerabilities matching the Open, Not a Finding or Not Applicable status that are automatically checked via the Audit Compliance settings. All other vulnerability items are left alone. Only the Status field and the Finding Details field are updated according to the scan results when updating a checklist already in your system package. If you wish to use these scans to update your checklists, put all your comments in the Comments field, as the Finding Details field is updated with scan findings automatically.

If you are updating a checklist that has locked vulnerabilities, those vulnerability records are not edited and are skipped. For any checklist that is locked at the checklist level, all scan results are skipped and the checklist is left as is.

If you upload an updated scan, your results are updated based on the type of benchmark and the hostname. Otherwise, this process creates a brand new checklist and adds it to the System you chose. For all automated checks, the details section will show the tool, the time, and the result for each vulnerability entry, as shown below.

Scan results in Checklist

The checklists you make per system, per operating system or software application (i.e. one for MS Office, one for Windows 10, one for Windows Defender, all on the same machine) are used as evidence of your security posture. You do this when going for compliance, security checks, or a DoD or Federal Government ATO to get your system or network connected to the infrastructure and into production.

Example of using a Scan

Understand that a scan “normally” covers only a subset of the standard's checks on a host or device. To really understand the security compliance of your system, you need to take the results and import them into a checklist file for the same product. An example would be to scan a system using a Windows 10 Benchmark and then import the results into a Windows 10 checklist.

OpenRMF® Professional performs this function when you upload your scan results. The checklist has the full set of security compliance items, and importing the scan results updates the blank checklist with the scan's findings. You then go through the rest for applicability to your system, including any checks that cannot be done in an automated fashion and must be checked manually.
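To make the update rules from "Turning a Scan into a Checklist" and the subset-to-full-checklist idea above concrete, here is an added example (not OpenRMF® Professional's own code) that reads compliance ReportItems from a constructed .nessus fragment and merges them into a checklist: only PASSED/FAILED results change Status and Finding Details, Comments and locked records are untouched, a checklist-level lock skips everything, and unscanned or WARNING items stay Not Reviewed. The cm: tag names, the PASSED/FAILED to Not a Finding/Open mapping, the STIG-ID key inside compliance-reference, the fixed timestamp and the in-memory checklist shape are all assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

CM = "{http://www.nessus.org/cm}"   # namespace of Nessus compliance-check tags (assumed)
RESULT_TO_STATUS = {"PASSED": "Not a Finding", "FAILED": "Open"}  # assumed mapping

def parse_audit_results(nessus_xml):
    """Return {stig_id: (result, actual_value)} from the compliance ReportItems."""
    out = {}
    for item in ET.fromstring(nessus_xml).iter("ReportItem"):
        result = item.findtext(CM + "compliance-result")
        ref = item.findtext(CM + "compliance-reference") or ""
        tags = dict(p.split("|", 1) for p in ref.split(",") if "|" in p)
        if result and "STIG-ID" in tags:
            out[tags["STIG-ID"]] = (result, item.findtext(CM + "compliance-actual-value") or "")
    return out

def new_checklist(template):
    """Fresh checklist from a template: every item starts as Not Reviewed."""
    return {"locked": False, "vulns": {vid: {"severity": cat, "status": "Not Reviewed",
            "finding_details": "", "comments": "", "locked": False} for vid, cat in template.items()}}

def merge_scan(checklist, results, tool="Nessus", when="2025-01-01 00:00:00"):
    """Apply the page's update rules; Comments and locked records are never touched."""
    if checklist["locked"]:                      # checklist-level lock: leave it as is
        return checklist
    for vid, vuln in checklist["vulns"].items():
        status = RESULT_TO_STATUS.get(results.get(vid, ("",))[0])
        if vuln["locked"] or status is None:     # locked, not scanned, or WARNING/ERROR
            continue
        vuln["status"] = status                  # only Status and Finding Details change
        vuln["finding_details"] = f"{tool} {when}: {results[vid][0]} ({results[vid][1]})"
    return checklist

def score(checklist):
    """Count items per CAT and status, like the generated checklist score."""
    return Counter((v["severity"], v["status"]) for v in checklist["vulns"].values())

# Constructed sample: three compliance ReportItems for one Windows 10 host (placeholder IDs).
SAMPLE_NESSUS = """<NessusClientData_v2 xmlns:cm="http://www.nessus.org/cm"><Report><ReportHost name="WIN10-01">
<ReportItem pluginID="21157" pluginName="Windows Compliance Checks" severity="3"><cm:compliance-result>FAILED</cm:compliance-result><cm:compliance-actual-value>0</cm:compliance-actual-value><cm:compliance-reference>STIG-ID|WN10-00-000005,CAT|II</cm:compliance-reference></ReportItem>
<ReportItem pluginID="21157" pluginName="Windows Compliance Checks" severity="0"><cm:compliance-result>PASSED</cm:compliance-result><cm:compliance-actual-value>1</cm:compliance-actual-value><cm:compliance-reference>STIG-ID|WN10-00-000010,CAT|I</cm:compliance-reference></ReportItem>
<ReportItem pluginID="21157" pluginName="Windows Compliance Checks" severity="1"><cm:compliance-result>WARNING</cm:compliance-result><cm:compliance-reference>STIG-ID|WN10-00-000015,CAT|III</cm:compliance-reference></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""
TEMPLATE = {"WN10-00-000005": "CAT II", "WN10-00-000010": "CAT I", "WN10-00-000015": "CAT III", "WN10-00-000020": "CAT II"}

if __name__ == "__main__":
    merged = merge_scan(new_checklist(TEMPLATE), parse_audit_results(SAMPLE_NESSUS))
    print(dict(score(merged)))
```

The template deliberately has one item the scan never checked, which is what the manual-review step at the end covers.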


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!℠