
Frameworks Explained

As stated earlier, a Cyber Compliance Framework is a structured set of guidelines, standards, and best practices that organizations use to manage cyber risks, protect sensitive data, and meet regulatory obligations. It provides a roadmap for identifying, assessing, and mitigating threats by implementing security policies, controls, and procedures, thereby strengthening the organization's overall security posture and fostering trust with stakeholders.

The list of controls and Control Correlation Identifiers (CCIs) can be mapped to a framework as-is (e.g. CSF or CJIS), or grouped into levels, as with RMF and its Confidentiality / Integrity / Availability categories or CMMC and its Level 1 and Level 2 designations. In either case a framework (or framework level) is built from one or more controls, and each control is broken down into one or more mapped CCIs.

You use these frameworks in system packages to track configurations, vulnerabilities, statements, common controls, inherited information and evidence, showing how well you comply with each framework and its requirements. You also use them when running reports, including listing controls and CCIs and comparing frameworks by controls, CCIs, and requirements.

In OpenRMF® Professional several of these frameworks are included by default. Others are added individually via the input form or (preferably) a file upload, and then matched together to create the controls, CCIs and frameworks with levels. You can see the Frameworks when logged in with the Administrator role by going to the Administration – Manage Frameworks menu option.

OpenRMF Professional Framework Listing

Default Frameworks

There are 5 default frameworks included in this solution. The Risk Management Framework (RMF), based on the NIST 800-53 controls for revision 4 and revision 5, is automatically included in OpenRMF® Professional, as is the Federal Risk and Authorization Management Program (FedRAMP), based on the same NIST 800-53 controls for revision 4 and revision 5. Also included is the State Risk and Authorization Management Program (StateRAMP / GovRAMP) framework, based on the same NIST 800-53 controls for revision 4.

Default frameworks cannot be edited or deleted. They can, however, be disabled so people cannot use them to create new system packages or run comparison reports.

How to Create Frameworks in OpenRMF® Professional

To create new frameworks you need to add / edit the information in the correct order shown below. Frameworks and Framework Levels are explained later on this page. The other areas of the Framework help show how to add controls, families, and CCIs to use within the frameworks and levels.

  • Load Frameworks
  • Load Framework Levels
  • Load Control Families
  • Load Control Family Sections
  • Load Controls
  • Load Control Correlation Identifiers (CCI)
  • Load the Framework / Control / CCI matrix to fill out the framework data

That last one, to load the Framework / Control / CCI matrix, allows you to actually use a framework and its controls, CCIs, tailoring, overlays, and more.

Adding a Framework

To add a framework manually, click the Add Framework button on the Frameworks screen. The form below appears. Enter at least the title, version and acronym for the framework. You also can add tags, the originator of the framework and a description to help users understand its use. When done click Save. This is the first level of adding frameworks, controls, and CCIs into your installation.

OpenRMF Professional Add Framework

You also can add frameworks by uploading an XLSX file in the proper format. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample Framework XLSX as a starting point for uploading a spreadsheet or CSV file. You also can use data for this shown in our public GitHub repo linked off our Soteria Software website as well.

The JSON structure for the framework is listed below:

[
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "frameworkDescription": "The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.",
        "frameworkOriginator": "National Institute of Standards and Technology (NIST)",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 4",
        "frameworkDescription": "The Risk Management Framework (RMF) provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle. The risk-based approach to control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations. Managing organizational risk is paramount to effective information security and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.",
        "frameworkOriginator": "National Institute of Standards and Technology (NIST)",
        "active": true
    },
    {
        "frameworkTitle": "Federal Risk and Authorization Management Program",
        "frameworkAcronym": "FedRAMP",
        "frameworkVersion": "Revision 5",
        "frameworkDescription": "The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide initiative that provides a standardized, reusable approach to security assessment, authorization, and continuous monitoring for cloud service offerings. It aims to enable the federal government to accelerate the adoption of cloud computing by creating transparent standards and processes for security authorizations, and allowing agencies to leverage these authorizations on a government-wide scale.",
        "frameworkOriginator": "Office of Management and Budget (OMB)",
        "active": true
    }
]

Editing a Framework

You can edit a framework entry as well from the Framework listing page or from the individual Framework record page by clicking on the framework title. When you edit a framework you added, you can edit any of the fields. When you save the data, all corresponding information such as the title, acronym, version, etc. is updated throughout the solution wherever it is currently being used.

When done click the Save button to save the information. You also can click the Reset button to reset the information back to what it was if you changed something by accident and want it back.

OpenRMF Professional Edit Framework

From here you also can make a framework inactive. If inactive, any current system package using it can still be used. However, no new system packages can be created using that framework. And reports may not include that framework for listing controls, comparisons, CCIs, etc. either.

Deleting a Framework

To delete a framework, go to that framework page by clicking the framework title from the listing of available frameworks. Then click the Delete button (if available).

You cannot delete a framework that is in use or is referenced in any system package.

A warning page shows that when the framework is deleted, all framework levels (if any) and the listing of control/CCI combinations for that framework are also deleted.

This is a cascading delete, so be careful to understand what it will affect before using it.

You must click the Delete Framework button to actually delete the data. All other frameworks, the listing of control families and sections, the controls and CCIs, and the CCIs referenced by those controls stay intact.

This is a hard delete and cannot be undone. You can always re-create the non-default framework or re-upload the files that generated it.

OpenRMF Professional Delete Framework

Adding a Framework Level

Some frameworks such as RMF and Cybersecurity Maturity Model Certification (CMMC) have levels within the framework. RMF has a combination of levels based on confidentiality, integrity and availability that can be set for Low, Moderate, or High. CMMC has a Level 1, Level 2 and Level 3 (TBD). Other frameworks such as the Cybersecurity Framework (CSF) or the Criminal Justice Information Services (CJIS) do not have levels.

If your framework has levels, click the framework title on the framework listing page to go to its individual page, then click the Add Level button on that page.

When you add a level you enter the level's Category and, if there is one, its Value. For some frameworks such as RMF a level has both a category and a value (e.g. category Integrity, value Moderate); for others such as FedRAMP the category alone (Low, Moderate, High, LI-SaaS) names the level. Enter the information and click the Save button.

OpenRMF Professional Add Framework Level

You also can add framework levels by uploading an XLSX file in the proper format. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample Framework Level XLSX as a starting point for uploading a spreadsheet or CSV file. You also can use data for this shown in our public GitHub repo linked off our Soteria Software website as well.

The JSON structure for the framework level is listed below:

[
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Confidentiality",
        "levelValue": "Low",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Confidentiality",
        "levelValue": "Moderate",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Confidentiality",
        "levelValue": "High",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Integrity",
        "levelValue": "Low",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Integrity",
        "levelValue": "Moderate",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Integrity",
        "levelValue": "High",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Availability",
        "levelValue": "Low",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Availability",
        "levelValue": "Moderate",
        "active": true
    },
    {
        "frameworkTitle": "Risk Management Framework",
        "frameworkAcronym": "RMF",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Availability",
        "levelValue": "High",
        "active": true
    },
    {
        "frameworkTitle": "Federal Risk and Authorization Management Program",
        "frameworkAcronym": "FedRAMP",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Low",
        "active": true
    },
    {
        "frameworkTitle": "Federal Risk and Authorization Management Program",
        "frameworkAcronym": "FedRAMP",
        "frameworkVersion": "Revision 5",
        "levelCategory": "Moderate",
        "active": true
    },
    {
        "frameworkTitle": "Federal Risk and Authorization Management Program",
        "frameworkAcronym": "FedRAMP",
        "frameworkVersion": "Revision 5",
        "levelCategory": "High",
        "active": true
    },
    {
        "frameworkTitle": "Federal Risk and Authorization Management Program",
        "frameworkAcronym": "FedRAMP",
        "frameworkVersion": "Revision 5",
        "levelCategory": "LI-SaaS",
        "active": true
    }
]
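Because the loading order matters (a level record only makes sense once the framework it names exists), it helps to validate the framework and framework-level files together before uploading either. The following is an added example of such a pre-upload check, not part of OpenRMF® Professional or its documentation. It assumes the JSON field names shown in the framework sample above and the framework level sample here, that the triple frameworkTitle / frameworkAcronym / frameworkVersion identifies one framework, and that levelValue is optional (the FedRAMP levels above omit it); the sample records at the bottom are constructed, with two deliberate mistakes.

```python
"""Validate framework and framework-level upload JSON in the page's load order.

Added example, not OpenRMF Professional code. Assumes the field names shown on
this page, that (frameworkTitle, frameworkAcronym, frameworkVersion) identifies
one framework, and that levelValue is optional (the FedRAMP levels omit it).
"""
import json

REQUIRED_FRAMEWORK = ("frameworkTitle", "frameworkAcronym", "frameworkVersion")
OPTIONAL_FRAMEWORK = ("frameworkDescription", "frameworkOriginator", "active")
REQUIRED_LEVEL = REQUIRED_FRAMEWORK + ("levelCategory",)
OPTIONAL_LEVEL = ("levelValue", "active")


def _text(record, field):
    """Stripped string value of a field, or '' when absent, blank or not a string."""
    value = record.get(field)
    return value.strip() if isinstance(value, str) else ""


def _precheck(record, required, optional, label, errors):
    """Report field problems for one record; return False if required fields are missing."""
    unknown = sorted(set(record) - set(required) - set(optional))
    if unknown:
        errors.append(f"{label}: unknown fields {unknown}")
    if "active" in record and not isinstance(record["active"], bool):
        errors.append(f"{label}: active must be true or false")
    missing = [f for f in required if not _text(record, f)]
    if missing:
        errors.append(f"{label}: missing {', '.join(missing)}")
    return not missing


def framework_key(record):
    """Identity of the framework a record belongs to (assumed: title, acronym, version)."""
    return tuple(_text(record, f) for f in REQUIRED_FRAMEWORK)


def validate_frameworks(frameworks):
    """Check framework records; return (set of framework keys, list of errors)."""
    keys, errors = set(), []
    for i, rec in enumerate(frameworks):
        if not _precheck(rec, REQUIRED_FRAMEWORK, OPTIONAL_FRAMEWORK, f"framework[{i}]", errors):
            continue  # no usable key without the required fields
        key = framework_key(rec)
        if key in keys:
            errors.append(f"framework[{i}]: duplicate framework {key}")
        keys.add(key)
    return keys, errors


def validate_levels(levels, framework_keys):
    """Check level records against the frameworks that were loaded before them."""
    seen, errors = set(), []
    for i, rec in enumerate(levels):
        if not _precheck(rec, REQUIRED_LEVEL, OPTIONAL_LEVEL, f"level[{i}]", errors):
            continue
        key = framework_key(rec)
        if key not in framework_keys:
            errors.append(f"level[{i}]: references unknown framework {key}; load frameworks first")
        level_id = key + (_text(rec, "levelCategory"), _text(rec, "levelValue"))
        if level_id in seen:
            errors.append(f"level[{i}]: duplicate level {level_id[3:]} for {key}")
        seen.add(level_id)
    return errors


def validate_upload(framework_json, level_json):
    """Validate both files, frameworks first; return every error found."""
    keys, errors = validate_frameworks(json.loads(framework_json))
    errors.extend(validate_levels(json.loads(level_json), keys))
    return errors


# Constructed sample input: a subset of this page's records plus two deliberate
# mistakes (a framework with a blank acronym; a level for a framework not loaded).
SAMPLE_FRAMEWORKS = json.dumps([
    {"frameworkTitle": "Risk Management Framework", "frameworkAcronym": "RMF",
     "frameworkVersion": "Revision 5", "active": True},
    {"frameworkTitle": "Federal Risk and Authorization Management Program",
     "frameworkAcronym": "FedRAMP", "frameworkVersion": "Revision 5", "active": True},
    {"frameworkTitle": "Cybersecurity Maturity Model Certification",
     "frameworkAcronym": "", "frameworkVersion": "2.0", "active": True},
])
SAMPLE_LEVELS = json.dumps([
    {"frameworkTitle": "Risk Management Framework", "frameworkAcronym": "RMF",
     "frameworkVersion": "Revision 5", "levelCategory": "Confidentiality", "levelValue": "Low"},
    {"frameworkTitle": "Federal Risk and Authorization Management Program",
     "frameworkAcronym": "FedRAMP", "frameworkVersion": "Revision 5", "levelCategory": "LI-SaaS"},
    {"frameworkTitle": "Federal Risk and Authorization Management Program",
     "frameworkAcronym": "FedRAMP", "frameworkVersion": "Revision 4", "levelCategory": "Moderate"},
])

if __name__ == "__main__":
    for err in validate_upload(SAMPLE_FRAMEWORKS, SAMPLE_LEVELS):
        print(err)
```

Run against the constructed sample it reports two problems: the CMMC record has no acronym, and the FedRAMP Revision 4 level names a framework that is not in the framework file. The same key comparison is what keeps an edited title, acronym or version consistent between the two files; if you rename a framework, re-run the check before uploading the levels.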

Editing a Framework Level

You can also edit framework levels if not a default framework. Click the ... button to the right of the framework level listed on the framework page. Edit the proper information and click the Save button.

Again when you save the framework level data, all corresponding information such as the category and value (if used) is updated throughout the solution wherever it is currently being used.

OpenRMF Professional Edit Framework Level

Deleting a Framework Level

To delete a framework level, go to that framework's page by clicking the framework title from the listing of available frameworks. Then click the ... menu next to the framework level you wish to delete and click the Delete menu option (if available).

You cannot delete a framework level that is in use or is referenced in any system package.

A warning page shows that when the framework level is deleted, all listings of control/CCI combinations for that framework level are also deleted.

This is a cascading delete, so be careful to understand what it will affect before using it.

You must click the Delete Framework Level button to actually delete the data. All other framework levels, the listing of control families and sections, the controls and CCIs, and the CCIs referenced by those controls stay intact.

This is a hard delete and cannot be undone. You can always re-create the non-default framework level or re-upload the files that generated it.

OpenRMF Professional Delete Framework Level


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!SM