Generating System Package Compliance
Your system package compliance is viewed by clicking the Compliance button at the top of the system package page and choosing View Compliance. Compliance is based on the RMF confidentiality, integrity and availability levels of your system package, your FedRAMP level, your StateRAMP™ level, or your tailored control listing.
OpenRMF® Professional shows compliance against all relevant NIST controls based on the information set for your system package and displays a list in the table at the bottom of the page.
It also takes into account any active overlays you have added to your system package. These can be overlays available in OpenRMF® Professional that you added to your package, or overlays you created yourself. To view your compliance you must generate compliance at least once from your system package and save it; see the steps below.
To see a list of all controls and subcontrols for your system package compliance, click the Export Controls button in the Compliance area of your system package. An XLSX file will download containing either the default RMF or FedRAMP controls, the default StateRAMP™ controls, or your tailored controls if you tailored the listing (instead of the default listing for the system package type), plus any controls required by the overlays actively applied to your system package.
Generating and Saving Compliance
To generate and save your compliance, click the Generate Updated Compliance button as a System Owner of the system package. Then specify a title and a meaningful description of the compliance and why you are saving it. When you click the Save button, the main compliance record is saved and the page refreshes.
The compliance is generated asynchronously in the background and shows the saved title, creation date, description, generation start time and completion time (once done). While the compliance is being generated, you can click the Refresh button in the “Compliance Summary Map” area to refresh the listing.
When you first create a brand new system package, no compliance is generated by default. You must click the Generate Updated Compliance button as a System Owner in the system package to generate the most current compliance.
Each compliance you save is added to the Open dialog box listing, so you can choose and view the compliance generated at any given date and time, based on the checklists, vulnerabilities, inherited controls (if any), controls and overlays required for that compliance.
Note: There is only one active compliance at a time (the latest one saved). You can click the Open button to load and review older system package compliance results. All saved compliance results can be used in the Compliance Status report.
If you change any vulnerability information on your checklists, add or remove checklists, add, edit or remove compliance statements, update the RMF or FedRAMP level, update the StateRAMP™ level, specify tailored controls, add or update inherited controls, or add or remove overlays, you will need to regenerate your compliance to see the effect. All older compliance listings can be found and viewed by clicking the Open button on the Compliance page and choosing the one you want.
Your compliance takes into account all controls and subcontrols you must track (RMF, FedRAMP, StateRAMP™, tailoring, overlays). The compliance engine examines every checklist (from SCAP, CIS, CKL or custom checklists), each vulnerability, and each CCI referenced by those vulnerabilities, and tracks overall compliance against the matching control or subcontrol. In addition, the compliance engine evaluates all compliance statements against the control or subcontrol and CCI, to help fill all CCIs required for compliance of your system package.
Compliance Summary Score
Your Compliance Summary Score also displays at the top and is generated once the compliance completes. The score is the percentage of vulnerabilities that are “Not Applicable” or “Not a Finding” (closed) out of the total number of vulnerabilities tracked at the time of compliance generation. This data is also available as charts in the Reports area by family and by control or subcontrol, as well as historical trend charts at both of those levels.
Note: The saved Compliance Summary Score is new to version 2.8.5 and later. For older versions with previously saved Compliance data, click the “generate” button in the Compliance Summary Score area to generate, save, and display this score from that time forward automatically.
Viewing Results
Once you generate the compliance, you have two sets of data. The compliance summary map shows the major controls, color coded by compliance (based on their total status). The compliance listing table shows all checklists and compliance statements as they relate to the major controls and subcontrols you are matching against. Each checklist or compliance statement title is also color coded by the status of the vulnerabilities that relate to that major control or subcontrol:
- Red = you have at least 1 Open vulnerability
- Gray = you have at least 1 Not Applicable vulnerability
- Black/White = you have at least 1 Not Reviewed vulnerability
- Green = your vulnerabilities are Not a Finding
You can click a listing in the compliance map to quickly filter the table to that control family. You can also click the green plus icon to expand a Control-Checklist combination and see all vulnerabilities in that checklist, with their status, that correspond to the control; likewise, clicking the green plus icon on a Compliance Statement combination shows all statements, CCIs, definitions and their status that correspond to the control. The combined status of all vulnerabilities for that control in that checklist generates the status of the Control-Checklist or Control-Statements combination.
Two XLSX exports are available as well. The first is the Summary view, which is similar to the listing on the Compliance screen. The second is a more detailed XLSX that shows, per CCI, the status, statement, comments, and details (when available) that roll up to the summary status of that control or subcontrol based on the source information.
Viewing Checklists by Control
You can click a checklist to open it in a separate browser tab. The list of vulnerabilities is filtered so only those that relate to that control are shown, and you will also see the definition of the major control those vulnerabilities match. If the checklist was imported through inherited controls from a system package you do not have access to, the checklist is still shown in the listing, but you will NOT be able to click it to open it, based on your access permissions.
Viewing Compliance Statements by Control
You can click a compliance statement title to open a separate browser tab showing the statements that line up to the control or subcontrol. The list of statements is filtered so only those that relate to that control are shown; the control or subcontrol is automatically placed in the Search box to apply the filter.
Vulnerabilities that fall into Configuration Management CM-6
You will notice that any vulnerabilities that match a CCI, and through it a subcontrol, not specifically required in your RMF, FedRAMP, StateRAMP™ or tailored control listing automatically fall under CM-6. This is by design in OpenRMF® Professional.
A note appears at the start and end of this listing within CM-6, both in the web view and in the MS Excel export. These vulnerabilities still show which control they actually match in the listing, and in the checklist compliance view if you click any of the resulting links on the Compliance page.
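The roll-up rules described above (the color legend under Viewing Results, the Compliance Summary Score, and the CM-6 catch-all for subcontrols that are not in your required listing) can be modelled in a few lines. The following is an added example written for this page, not OpenRMF® Professional's own code. It assumes a constructed CCI-to-subcontrol mapping and constructed sample vulnerabilities, and assumes that when a control-checklist combination contains several statuses, the color precedence follows the order the page lists them (Open, then Not Applicable, then Not Reviewed).

```python
from dataclasses import dataclass

# Vulnerability statuses as named on this page.
OPEN = "Open"
NOT_APPLICABLE = "Not Applicable"
NOT_REVIEWED = "Not Reviewed"
NOT_A_FINDING = "Not a Finding"

# Colour precedence for a Control-Checklist combination. Assumption: the
# order the page lists the legend in is the order of precedence.
STATUS_COLOR = [
    (OPEN, "Red"),
    (NOT_APPLICABLE, "Gray"),
    (NOT_REVIEWED, "Black/White"),
]

# Subcontrols that are not required by the package's control listing
# roll up under CM-6, as the page describes.
FALLBACK_CONTROL = "CM-6"


@dataclass(frozen=True)
class Vulnerability:
    checklist: str   # checklist (host/STIG) the finding belongs to
    vuln_id: str
    status: str
    ccis: tuple      # CCI numbers the finding references


# Constructed, hypothetical CCI -> subcontrol mapping (not real CCI data).
CCI_TO_CONTROL = {
    "CCI-000001": "AC-2 a",
    "CCI-000002": "AC-2 b",
    "CCI-000003": "AU-3 (1)",
    "CCI-000004": "SC-7 (5)",
}


def resolve_control(cci, required_controls):
    """Map a CCI to its subcontrol; anything unknown or not required goes to CM-6."""
    control = CCI_TO_CONTROL.get(cci)
    if control is None or control not in required_controls:
        return FALLBACK_CONTROL
    return control


def rollup_status(statuses):
    """Colour for one Control-Checklist combination from its vulnerability statuses."""
    present = set(statuses)
    for status, color in STATUS_COLOR:
        if status in present:
            return color
    # Nothing Open, Not Applicable or Not Reviewed: every finding is Not a Finding.
    return "Green"


def build_compliance(vulns, required_controls):
    """Group findings by (control, checklist) and colour each group."""
    groups = {}
    for v in vulns:
        for cci in v.ccis:
            control = resolve_control(cci, required_controls)
            groups.setdefault((control, v.checklist), []).append(v.status)
    return {key: rollup_status(statuses) for key, statuses in groups.items()}


def summary_score(vulns):
    """Percentage of tracked findings that are closed (Not Applicable or Not a Finding)."""
    if not vulns:
        return 0.0
    closed = sum(1 for v in vulns if v.status in (NOT_APPLICABLE, NOT_A_FINDING))
    return round(100.0 * closed / len(vulns), 1)


# Constructed sample findings across two checklists.
SAMPLE_VULNS = [
    Vulnerability("web-01", "V-0001", OPEN, ("CCI-000001",)),
    Vulnerability("web-01", "V-0002", NOT_A_FINDING, ("CCI-000001", "CCI-000002")),
    Vulnerability("web-01", "V-0003", NOT_REVIEWED, ("CCI-000003",)),
    Vulnerability("db-01", "V-0004", NOT_APPLICABLE, ("CCI-000002",)),
    Vulnerability("db-01", "V-0005", NOT_A_FINDING, ("CCI-000004",)),   # SC-7 (5): not required -> CM-6
    Vulnerability("db-01", "V-0006", NOT_A_FINDING, ("CCI-999999",)),   # unknown CCI -> CM-6
]
# Required listing deliberately leaves out SC-7 (5).
REQUIRED = {"AC-2 a", "AC-2 b", "AU-3 (1)"}

if __name__ == "__main__":
    for (control, checklist), color in sorted(build_compliance(SAMPLE_VULNS, REQUIRED).items()):
        print(f"{control:10} {checklist:8} {color}")
    print(f"Compliance Summary Score: {summary_score(SAMPLE_VULNS)}%")
```

Note that a single finding referencing two CCIs (V-0002 above) contributes to two control rows, which is why a finding can appear under more than one control in the listing table while still being counted once in the summary score.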