Automation in OpenRMF® Professional
There is built-in automation in OpenRMF® Professional to ease your manual workload. A few examples are below; more are explained throughout the help documentation.
SCAP / Audit Compliance Scans turning into Checklists
In making checklists, you can import SCAP scans or Audit Compliance scans and automate matching the correct template/checklist type and importing the results into the matching checklist. This saves a lot of time and manual labor in converting SCAP XML or Nessus .nessus results into a checklist in the Java STIG Viewer. It also updates the “Score” of the checklist and system package as depicted below.
Your SCAP scans are imported and matched to the corresponding templates in the Templating engine in OpenRMF® Professional. Matching is based on the corresponding DISA templates or CIS checklist templates in the application. From there you can update your checklist details and update and/or lock checklist vulnerabilities.
Checklist Configuration Management
As users add, update, and delete checklist vulnerabilities and details, OpenRMF® Professional automatically tracks changes to the data. The older checklist is saved historically as read-only, and the new information is applied to the latest checklist. You can review older checklists, download them, and see who made which change to them.
Tracking the Number of Open Checklist Vulnerabilities (Checklist Score) Over Time
The number of open, not reviewed, not applicable and not a finding (“closed”) items per checklist is automatically counted and saved for display. This includes honoring the “severity override” on a vulnerability, if used, as the real severity or category of the vulnerability. The number of open items is tracked by severity or category for CAT 1 high, CAT 2 medium, and CAT 3 low severity.
Any update to a vulnerability, or addition/deletion of a checklist, makes this number update automatically.
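To make the scoring rule above concrete, here is an added example (not OpenRMF® Professional's own code) that counts the status values in a DISA STIG checklist (.ckl) and tallies open items per CAT, using SEVERITY_OVERRIDE as the real severity when one is set; the CKL fragment is constructed for the example.

```python
# Added example (not OpenRMF's own code): score a DISA STIG checklist (.ckl) the way
# the text describes, counting status values and open items per CAT, with the
# SEVERITY_OVERRIDE taken as the real severity when one is set.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed CKL fragment: four vulns, one carrying a severity override.
SAMPLE_CKL = """<CHECKLIST><STIGS><iSTIG>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1001</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Open</STATUS><SEVERITY_OVERRIDE>medium</SEVERITY_OVERRIDE></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1002</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Open</STATUS><SEVERITY_OVERRIDE></SEVERITY_OVERRIDE></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1003</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>NotAFinding</STATUS></VULN>
<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-1004</ATTRIBUTE_DATA></STIG_DATA>
<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
<STATUS>Not_Reviewed</STATUS></VULN>
</iSTIG></STIGS></CHECKLIST>"""

# CKL severity words map onto the DISA categories.
CATEGORY = {"high": "CAT1", "medium": "CAT2", "low": "CAT3"}

def score_checklist(ckl_xml: str) -> dict:
    """Return status counts and the number of open items per CAT."""
    root = ET.fromstring(ckl_xml)
    status = Counter()
    open_by_cat = Counter({"CAT1": 0, "CAT2": 0, "CAT3": 0})
    for vuln in root.iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA")
                 for sd in vuln.findall("STIG_DATA")}
        state = vuln.findtext("STATUS", "Not_Reviewed")
        status[state] += 1
        if state == "Open":
            # an override, when present, replaces the STIG's own severity
            override = (vuln.findtext("SEVERITY_OVERRIDE") or "").strip().lower()
            severity = override or attrs.get("Severity", "medium").lower()
            open_by_cat[CATEGORY.get(severity, "CAT2")] += 1
    return {"status": dict(status), "open_by_cat": dict(open_by_cat)}

if __name__ == "__main__":
    print(score_checklist(SAMPLE_CKL))
```

Note that V-1001 is counted as CAT 2, not CAT 1, because its override is honored over the STIG's own high severity.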
Tracking the Number of Open Patch Scan Vulnerabilities (System Package Patch Score) Over Time
The number of critical, high, medium, and low patch items per system package is also automatically tracked and saved for use. OpenRMF® Professional saves this data per server, and also displays it as a summation of all the data across all servers for the same four severities.
Patch scan updates and newly uploaded scans adjust this number automatically per server and per system package.
Tracking the Number of Open Technology Scan Vulnerabilities (System Package Technology Vulnerability Score) Over Time
The number of critical, high, medium, and low vulnerability items from sources such as software scans, container scans, and other items per system package is also automatically tracked and saved for use. OpenRMF® saves this data per category (Software, Container, Log, Other/Custom), source and project name, and also displays it as a summation of all the data across all category/source/project combinations.
Vulnerability scan imports or uploads of new scan data adjust this number automatically per category/source/project and per system package.
Tracking POAM Items and Updates
You can automatically generate a POAM from all open patch scan items, all open or won’t fix technology vulnerability items, and all open or not reviewed vulnerabilities across all checklists. Once done, any patch scan update/upload, technology vulnerability import or upload, checklist or SCAP scan upload, or vulnerability update (including bulk edit, manual edit, deleting checklists or adding checklists) in a system package automatically updates the POAM entries. A “reason for update” is tracked with specific details on why the POAM item was changed and what changed it.
POAM entries are also added and tracked for Compliance Statements that have a status of Open or Not Reviewed. And it tracks entries based on Inherited Controls that have a status of Open or Not Reviewed.
Generated Documentation
The System Security Plan (SSP), detailed SSP Control to Vulnerability Matrix, Security Assessment Plan, and the Summary and Full Risk Assessment Report are automatically generated from all system package data and downloaded for you in MS Excel (*.xlsx) format. The SSP, SSP Matrix and Security Assessment Plan are generated from your main system package data and your latest generated compliance data. The Risk Assessment data is generated from your POAM and the impact, severity, and risk data of the open items in it.
You can also generate a PowerPoint summary slide deck of your latest System Package information. Apply your corporate design, add charts generated from OpenRMF® Professional and present your information in minutes.
Tracking Test Plan Summary per Server
The Test Plan Summary, which shows the number of CAT 1 through CAT 4 items and the patch scan numbers, is automatically generated and updated from the score data of checklists and patch scans. As those items are updated, these numbers are automatically updated based on the score generation described earlier.
Tracking Ports, Protocols, and Services Management (PPSM)
The PPSM listing per system package is tracked from the latest Patch Scans (Nessus) uploaded through the continuous monitoring of servers and devices. The scans show all devices and their open running ports, protocols, and services. This data is added to the listing of a system package automatically when a scan is uploaded. Any ports that disappear from the latest scan are marked as removed, and any linked POA&M entry is marked completed based on the date the scan was run.
For all PPSM entries, you can specify whether it crosses the inbound or outbound path of the 8 boundaries. They are listed below. If you have the proper permissions (Patch Administrator or System Owner) you can check the box for the IN or OUT boundary for that PPSM entry. All changes are tracked for versioning and historical purposes. More information can be found in the PPSM Help.
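The port reconciliation described above, as an added example that is not OpenRMF® Professional's own code: listening ports are read from a constructed .nessus fragment, new ports are added to a PPSM listing, and active entries missing from the scan are marked removed as of the scan date (scan_date is assumed to be supplied by the caller).

```python
# Added example (not OpenRMF's own code): reconcile a PPSM listing against the
# latest .nessus scan; scan_date is assumed to be supplied by the caller.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class PpsmEntry:
    host: str
    port: int
    protocol: str
    service: str
    removed_on: Optional[str] = None  # date of the scan in which the port disappeared

# Constructed .nessus fragment: one host, three listening services, one host-level item.
SAMPLE_NESSUS = """<NessusClientData_v2><Report name="constructed"><ReportHost name="10.0.0.5">
<ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
<ReportItem port="443" svc_name="www" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
<ReportItem port="8080" svc_name="http-proxy" protocol="tcp" severity="0" pluginID="22964" pluginName="Service Detection"/>
<ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="19506" pluginName="Nessus Scan Information"/>
</ReportHost></Report></NessusClientData_v2>"""

# PPSM rows on file before this scan (constructed): 3389 is no longer listening.
EXISTING_LISTING = [PpsmEntry("10.0.0.5", 22, "tcp", "ssh"),
                    PpsmEntry("10.0.0.5", 443, "tcp", "www"),
                    PpsmEntry("10.0.0.5", 3389, "tcp", "msrdp")]

def ports_from_nessus(nessus_xml: str) -> Dict[Tuple[str, int, str], str]:
    # (host, port, protocol) -> service name for every listening port in the scan
    seen = {}
    for host in ET.fromstring(nessus_xml).iter("ReportHost"):
        for item in host.findall("ReportItem"):
            port = int(item.get("port", "0"))
            if port > 0:  # port 0 carries host-level plugin output, not a service
                seen[(host.get("name"), port, item.get("protocol"))] = item.get("svc_name")
    return seen

def reconcile_ppsm(listing: List[PpsmEntry], nessus_xml: str, scan_date: str) -> List[PpsmEntry]:
    # rows are never dropped: a port missing from the scan is marked removed as of scan_date
    seen = ports_from_nessus(nessus_xml)
    updated = []
    for e in listing:
        if e.removed_on is None and (e.host, e.port, e.protocol) not in seen:
            updated.append(PpsmEntry(e.host, e.port, e.protocol, e.service, removed_on=scan_date))
        else:
            updated.append(e)
    active = {(e.host, e.port, e.protocol) for e in listing if e.removed_on is None}
    for key, service in sorted(seen.items()):
        if key not in active:  # new port, or one that came back after being marked removed
            updated.append(PpsmEntry(*key, service))
    return updated
```

Keeping the removed rows, rather than deleting them, is what lets a linked POA&M entry be closed with the scan date and keeps the history reviewable.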
Tracking the Hardware Asset (Device) List
The hardware asset listing that shows devices is automatically updated by Patch Scans as well as by SCAP scan or STIG Checklist (CKL) file uploads. When you upload a SCAP scan or STIG checklist, the hostname filled in is automatically added to the list of hardware assets if it is not there already, and the fact that it has a checklist is recorded. If the device name is already in the listing, the fact that it has a checklist is marked correctly.
In the same way, when a patch scan is loaded, all scanned devices are entered in the hardware asset listing if not already there, and the fact that they have a patch scan is recorded. If the device name is already in the listing, the fact that it has a patch scan is marked correctly.
You can also manually add a device or hostname by clicking the Add button and filling out the fields correctly.
When everything that automatically added a device has been removed, the device record is deleted. You can also manually delete a record that was added manually.
Tracking the Software Asset List
The software asset listing that shows installed software is automatically updated by Patch Scans as well. When you upload a SCAP scan or STIG checklist, certain parts of the scan can automatically pull a listing of all installed Windows or Linux software. This software list is added to the list of software assets if it is not there already. You can also add software to the listing manually by clicking the Add button and filling out the form correctly.
Any automatically added software that is absent from the next scan for that device or hostname is automatically removed, and any software with an updated version or installed date is recorded and updated correctly.
Tracking Inherited Controls (Common Controls) Updated
If your system package inherits controls (sometimes referred to as common controls) from another system package, then when those inherited controls are updated (compliance generated and saved) in OpenRMF® Professional, your inheriting system package gets a notification. The notification tells you which system package you inherit from has just updated its controls. That way you can go back to your inherited controls, review them, and then regenerate your own compliance information to see what changed and save the latest compliance data.