
Template Help Information

Templates are checklists without data filled in for your specific server, application, technology or device. They can be from DISA, CIS or even custom ones you make within the application. Templates can have asset and vulnerability information filled in, but it is done “in general” and not for your specific device or server.

You can use templates as a starter “boilerplate” for the checklists your system requires. You can create checklists from them manually, through various wizards, through the API, or by uploading compliance or SCAP scan results to match instantly.

There are five types of Templates in OpenRMF® Professional explained below.

Using Templates

DISA, CIS, Organizational and Custom templates (linked below) are available across every user and system in OpenRMF® Professional. The system package specific templates you can create are only viewable and usable within that system package. To view more detailed information visit the Using Templates Help. Organizational and system templates allow editing of vulnerability data and locking of vulnerabilities within OpenRMF® Professional.

A unique feature in OpenRMF® Professional is the Custom Template. You create this type of template from scratch and set the title and type, as well as the vulnerabilities and the CCIs and NIST Controls those vulnerabilities correlate to for compliance generation.

These templates also can be copied to an Organizational and System Package template for more customized boilerplate settings and locking of vulnerability items within that template.

DISA Templates

DISA templates are blank checklists from the public.cyber.mil website and are created and updated by DISA for use. To view more detailed information visit the DISA Templates Help. DISA checklists are used as-is and not changed from their release on their designated website.

These templates are the most common type and have been used for over 20 years for tracking cyber compliance.

CIS Templates

CIS templates are blank checklists created by uploading an .audit file from Tenable made for their Nessus Professional / ACAS scanner. You can use CIS benchmarks in the Audit Compliance Scanner from Tenable Nessus and create audit compliance results.

Using those same .audit files from the https://www.tenable.com/audits website, you can upload that .audit file to OpenRMF® Professional and create a matching CIS checklist to use and match to those audit compliance scans automatically. To view more detailed information visit the CIS Templates Help.

Organizational Templates

OpenRMF® Professional also allows creating Organizational templates, which are DISA, CIS or Custom templates with vulnerability information and status already filled in by application or template administrators. These are checklist templates saved so any user in the OpenRMF® Professional application can have a starter checklist for a particular checklist type.

Organizational templates can be copied from DISA, CIS, Custom, or other organizational templates and even other system templates. To view more detailed information visit the Organizational Templates Help.

If the DISA, CIS or Custom template this Organizational template is based on is updated to a newer version or revision, the Organizational template record will show an “Upgrade available” button just as Checklists are upgradeable. Click the Upgrade button to upgrade the template and track the historical changes within OpenRMF® Professional automatically.

System Package Templates

Additionally there are System Package templates. System Package templates can be copied from DISA, CIS, Custom or other organizational templates or even other system package templates. These can then be filled out with vulnerability information and status and used specifically within a system package only. To view more detailed information visit the System Package Templates Help.

If the DISA, CIS or Custom template this System Package template is based on is updated to a newer version or revision, the System Package template record will show an “Upgrade available” button just as Checklists are upgradeable. Click the Upgrade button to upgrade the template and track the historical changes within OpenRMF® Professional automatically.

Custom Templates

Finally there are Custom templates. Custom Templates are created to match a particular piece of software, hardware, device, process, procedure, or documentation related to NIST Controls and RMF, FedRAMP, or StateRAMP™ specific information. You also can create custom templates to match your system package (RMF, FedRAMP, or StateRAMP™) to cloud provider security controls to track those items that do not have a specific checklist as well. To view more detailed information visit the Custom Templates Help.

The Soteria Software website (https://www.soteriasoft.com/) has blog articles on how to maximize use of Custom Templates as well. And there is more information in the “Curating Templates” video in our online video on demand training platform.

Scans and Templates

In making checklists, you can import SCAP or Audit Compliance (DISA Benchmark, CIS benchmark) scans and automate matching the right template/checklist type and importing the results into the matching checklist. This saves a lot of time and manual labor in converting scans into a Checklist in the JAVA STIGViewer.

To view more detailed information on SCAP scans visit the SCAP Scans and Templates Help. To view more detailed information on Audit Compliance scans visit the Audit Compliance Scans and Templates Help.




Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!℠