Automated Documentation Generated from your System Package
All the data you need for this is already in OpenRMF® Professional, so we help you generate documentation from your compliance and POAM data that you can use for your ATO or approval process.
The System Security Plan (SSP), detailed SSP Control to Vulnerability Matrix, Security Assessment Report (SAR), and the Summary and Full Risk Assessment Report (RAR) are automatically generated from all system package data and downloaded in MS Excel (.xlsx) format. The SSP, SSP Matrix and Security Assessment Plan are generated from your main system package data as well as your latest generated compliance data.
The Risk Assessment data is generated from your POAM and the impact, severity, and risk data of open items from your POAM. The Summary PowerPoint (.pptx) contains a presentation with a title slide and summary data of scores, devices, POAM entries, CCRI and other placeholder slides for images and relevant information.
Generating Your System Package Security Plan (SSP)
The System Security Plan lists the main system package data, the personnel involved in managing the system package, and the compliance data, overlays, tailoring, and CCI numbers related to your system package. The SSP is a common DoD-specific format downloaded in MS Excel (.xlsx) format. You can add names, data, and other specifics to finalize this data generated from your system package information.
Generating Your System Package Security Plan (SSP) Control Matrix
The SSP Control to Vulnerability Matrix is a large listing of all controls for your system package matched to all checklist vulnerabilities. The checklist vulnerabilities are matched by CCI number to the list of NIST controls and subcontrols, and the vulnerability status or compliance statement status is shown for each.
For large system packages this is a very long listing (10,000+ lines in MS Excel) and is very hard to generate manually. Luckily, we do this for you!
To generate this from the system package page, click the Documentation menu at the top and choose the SSP Control Matrix menu option. Generating the SSP Control to Vulnerability Matrix can take a few seconds to a few minutes, depending on the number of controls and the number of checklists. When done, an MS Excel (.xlsx) file will download to your local machine.
The information is broken down by control or subcontrol and lists the full compliance statement matched to the control or subcontrol, as well as the individual vulnerabilities and checklists matching that same control or subcontrol.
When done, this listing is an active listing of all SSP controls and, for each control, shows the vulnerability status of every vulnerability on every checklist that matches that control or subcontrol. The status is also color coded by the status and severity of that vulnerability.
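The CCI-based matching described above can be sketched as follows. This is an added example, not OpenRMF® Professional's own code. The data layout, function names, checklist names, vulnerability IDs and the small CCI-to-control map are constructed for illustration, and a real run would load the published CCI list and your checklist exports.

```python
from collections import defaultdict

# Constructed sample data: a tiny CCI map, the package's controls, checklist findings.
CCI_TO_CONTROL = {"CCI-000015": "AC-2 (1)", "CCI-000213": "AC-3", "CCI-000366": "CM-6 b"}
PACKAGE_CONTROLS = ["AC-2 (1)", "AC-3", "CM-6 b", "SI-2"]
FINDINGS = [
    {"checklist": "web01", "vuln_id": "V-000001", "severity": "high",
     "status": "Open", "ccis": ["CCI-000366"]},
    {"checklist": "web01", "vuln_id": "V-000002", "severity": "medium",
     "status": "NotAFinding", "ccis": ["CCI-000213", "CCI-000366"]},
    {"checklist": "db01", "vuln_id": "V-000003", "severity": "low",
     "status": "Not_Reviewed", "ccis": ["CCI-000015"]},
    {"checklist": "db01", "vuln_id": "V-000004", "severity": "medium",
     "status": "Open", "ccis": ["CCI-999999"]},  # CCI missing from the map
]

def build_matrix(controls, cci_map, findings):
    """Return (rows, unmapped): one row per control/vulnerability pair."""
    by_control = defaultdict(list)
    unmapped = []  # (vuln_id, cci) pairs that matched no control in the package
    for f in findings:
        seen = set()  # avoid duplicate rows when two CCIs hit the same control
        for cci in f["ccis"]:
            control = cci_map.get(cci)
            if control is None or control not in controls:
                unmapped.append((f["vuln_id"], cci))
            elif control not in seen:
                seen.add(control)
                by_control[control].append(f)
    rows = []
    for control in controls:
        matches = by_control.get(control)
        if not matches:  # keep the control visible even with no checklist evidence
            rows.append({"control": control, "vuln_id": None, "status": "No data"})
            continue
        for f in matches:
            rows.append({"control": control, "checklist": f["checklist"], "vuln_id": f["vuln_id"],
                         "severity": f["severity"], "status": f["status"]})
    return rows, unmapped

def controls_needing_work(rows):
    """Controls that still have Open or Not_Reviewed vulnerabilities."""
    return sorted({r["control"] for r in rows if r["status"] in ("Open", "Not_Reviewed")})

if __name__ == "__main__":
    rows, unmapped = build_matrix(PACKAGE_CONTROLS, CCI_TO_CONTROL, FINDINGS)
    print(*rows, unmapped, controls_needing_work(rows), sep="\n")
```

The unmapped list is worth reviewing in any such matrix: a finding whose CCI matches no control in the package would otherwise drop out of the listing silently.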
Generating Your Security Assessment Report (SAR)
The Security Assessment Report lists the main system package data, the personnel involved in evaluating the system package, and the compliance data, overlays, tailoring, and CCI numbers related to your system package. The SAR is a common DoD-specific format downloaded in MS Excel (.xlsx) format. You can add names, data, and other specifics to finalize this data generated from your system package information.
Generating Your Risk Assessment Report (RAR)
The Risk Assessment Report lists the main system package data and the risk data related to your system package. The RAR generates data from your live POAM and the risk classification of open or not reviewed items from all vulnerability data. The RAR is a common DoD-specific format downloaded in MS Excel (.xlsx) format. You can add names, data, and other specifics to finalize this data generated from your system package information.
There is a Summary RAR that lists only the top-level information without specific POAM entries. The Full RAR lists all open or risk accepted POAM items.