System Packages Help Information
System Packages are the main structures in OpenRMF® Professional: all other information is related to a system package so that you can act on it and use it. A system package here is defined as a logical grouping of checklists, servers, boundaries, network ports/protocols, services, patch scans, and other related devices that are used together for a purpose.
A System Package to this application is an ATO package or accreditation boundary in essence.
Your “system package” could be just a set of servers, virtual machines, operating system software, and application code with a database. A “system package” could also be a platform-as-a-service that has its own boundary and accreditation that others inherit from. Or a “system package” could be your whole corporate network with all applications, desktops, servers, virtual machines, cloud instances, firewalls and network devices.
You define what your system package is and the controls that you must meet. OpenRMF® Professional automates you from there!
Listing System Packages
Your main Home Dashboard as well as the System Packages main listing page shows all system packages that you have some kind of access to. To see the system package you need at least the Reader role and the system package “Reader” permissions inside that specific package. See the Security Help Area for more information on roles and access levels. To view more detailed information visit the System Package Listing Help.
Add System Packages
To put checklists, scans, compliance, and evidence into a system package to use, you must first add your system package. Only a user with an Administrator or System Package Administrator role can add a new system package. To view more detailed information visit the Add System Package Help.
View a System Package
Anyone with any permission within a system package, whether a reader or creator or owner, is allowed to view the system package information. Your system package dashboard shows you the overall scores, cyber readiness, important dates, and details on the system package. It links to all main data groupings relevant for the system package. And it shows key data such as the number of checklists with high vulnerabilities, devices with high vulnerabilities, and a top 10 list of checklists and devices with open vulnerabilities as well. To view more detailed information visit the System Package Record Help.
Viewing Checklists
To view checklists, you view your system package as described just above and choose the Checklists menu option. Then you can see all checklists, scores, and click on them to open them in the browser window. To view more detailed information visit the System Package Checklist Help.
Bulk Editing Vulnerabilities
You can easily bulk edit vulnerabilities across checklists. If you have the proper permissions, you will see a Bulk Edit option on the “Checklists” menu button. Use it to edit a vulnerability’s information across multiple checklists in a much easier fashion. To view more detailed information visit the Bulk Editing Vulnerabilities Help.
Bulk Locking Vulnerabilities
You can bulk lock vulnerabilities across multiple checklists with the bulk locking feature. Lock or unlock vulnerabilities to protect them from false positive automated scan updates, uploading checklist files or manual edits. To view more detailed information visit the Bulk Locking Vulnerabilities Help.
Bulk Upgrading Checklists
You can bulk upgrade your checklists to the latest template version and release as well as do so one-at-a-time on the Checklist page. To view more detailed information visit the Bulk Upgrade Checklists Help.
System Package Scores
The System Package Checklist Score is the total of all CAT 1, 2, and 3 items across all the statuses across all checklists. The System Package Patch Scan Score is the number of critical, high, medium, and low open patch items across all servers scanned within this system package. The Technology Vulnerability Score is the number of critical, high, medium, low and informational vulnerabilities from software, container, log and other custom scans. To view more detailed information visit the System Package Listing Help.
Plan of Action and Milestones (POAM)
Your POAM, when generated, shows patch scan items with open issues (critical, high, medium, low) as well as all checklist vulnerabilities that are open or marked not reviewed. It also shows any compliance statements or inherited controls that are marked as open or not reviewed. Finally, it links to all other technology scan vulnerabilities to round out your system package. It is automatically kept up-to-date as you edit vulnerabilities and upload patch scan results. To view more detailed information visit the System Package POAM Help.
POAM Raw Dashboard
The POAM Raw Dashboard shows major numbers for ongoing POAM Items by source and type. To view more detailed information visit the System Package POAM Raw Dashboard Help.
POAM Risk Dashboard
The POAM Residual Risk Dashboard shows major numbers for ongoing POAM Items from the viewpoint of resulting risk. To view more detailed information visit the System Package POAM Risk Dashboard Help.
Mitigation Statements
You can use canned mitigation statements that you create at your system package level or that you pull in from the globally available listing. These can be used at each POAM record in combination with other data. To view more detailed information visit the System Package Mitigation Statements Help.
Evidence Management
Evidence Management allows tracking of all files uploaded for general use, against POAM items, against compliance statements or for checklist vulnerability entries. You can upload different types of files (*.docx, *.pptx, *.vsdx, *.xlsx, *.txt, *.rtf, *.csv, *.pdf, *.png, *.gif, *.jpg, *.jpeg, *.xml, *.nessus, *.ckl, *.zip, *.json) to add for evidence in these areas. To view more detailed information visit the System Package Evidence Management Help.
Test Plan Summary
The System Package Test Plan Summary shows all open patch scan issues as well as all open or not reviewed checklist vulnerabilities to check during your testing and assessments. To view more detailed information visit the System Package Test Plan Help.
Cyber Readiness Scores
The System Package Cyber Readiness Scores show calculations based on your settings of the cyber readiness score (v2.0). This is a weighted score across all your checklists/compliance scans, patch vulnerability data, and technology vulnerability data and shows a range of values for an overall look at your data. Many agencies view cyber readiness as an overall risk score and have several ranges specified to show where you and your accreditation fit as far as cyber compliance. To view more detailed information visit the System Package Cyber Readiness Help.
Mark Read-Only
To save your system package as-is and make it inactive or read-only, you can click the “Read Only” button and verify your intentions. To view more detailed information visit the System Package Read-Only Help. CAUTION: this cannot be undone. You do not lose your data; however, you will not be able to update it. This will free up a system package you can track with your license.
Automated Documentation
One of the hardest things to generate and keep track of correctly is your system package’s System Security Plan (SSP), SSP Control to Vulnerability Matrix, Security Assessment Report and the Risk Assessment Report. All your data for that is in OpenRMF® Professional already! So we help you generate documentation from compliance and POAM data. To view more detailed information visit the System Package Generated Documentation Help.
Table of contents
- Listing System Packages
- Add System Packages
- View a System Package
- System Package Score
- View Team Subpackages
- Viewing Checklists
- Bulk Edit Details
- Bulk Lock Checklists
- Bulk Edit Vulnerabilities
- Bulk Lock Vulnerabilities
- Bulk Upgrade Checklists
- Evidence Management
- Plan of Action and Milestones (POAM)
- Bulk Edit POAM Items
- Bulk Delete POAM Items
- POAM Raw Dashboard
- POAM Risk Dashboard
- Mitigation Statements
- Milestone Events
- Test Plan Summary
- Mark Read-Only
- Documentation Generated
- Cyber Readiness
- Summary Presentation
- Notifications
- Deleting a System Package
- System Package Preferences
- Journal