Custom Template Information
Custom Templates created in OpenRMF® Professional allow you to use the same checklist construct familiar to RMF, FedRAMP, or StateRAMP™ for your particular needs. You can create a new checklist to match the Program Management or Physical Security controls that are required for accreditation but are not covered by automation or by DISA or CIS based checklists.
You also can create custom checklists to match cloud computing architecture that is not host specific, such as an AWS S3 bucket, AWS EBS storage, Azure AKS Kubernetes infrastructure and the like. You also can create a custom checklist to ask questions on documentation and processes you must track for RMF, FedRAMP, or StateRAMP™ related compliance. You are only limited by your imagination.
Only an Administrator or Template Administrator can create a custom checklist. But once created, anyone using OpenRMF® Professional can use that template. The templates also can be saved and downloaded as checklist files, just like other templates and checklists throughout the application, that open in regular checklist viewing applications.
How Custom Templates are Created
If you are an Administrator or Template Administrator, from the Template listing page you can click the Create Custom Template button. The screen just below appears and lets you specify a title, description, version, release and other information. It also lets you specify if this is a template that will not specifically relate to a host. This could be a template that relates to processes, procedures, documentation, or even cloud computing resources that are general and not host specific.
Fill out all fields and then click the Create button. This takes you to the familiar “Template Record” type of page but with some extra editing features. Scroll to the bottom to see the area where you can add vulnerability information.
How to add Vulnerability and NIST Control Information
To add a custom vulnerability entry with rule title and check content, click the Add Vulnerability Entry button. A screen like the image below appears. Fill out the rule title, choose severity, and enter the discussion, check content and fix text as you would see for a normal vulnerability entry on any other checklist.
To link this vulnerability to a CCI, which gives you the link to the corresponding NIST 800-53 control, scroll to the bottom of the Vulnerability Entry window and choose a Control. Click the search CCIs button for that NIST control and a possible listing appears. Click the linked CCI to include it in the CCIs input box on this form. When done adding all relevant CCIs, click the Save button.
As you add and edit vulnerabilities you will see the vulnerability listing appear in the table. From here you can edit the field data, or you can edit the normal data as on other templates such as status, comments, and details. You also can choose to Lock that vulnerability after filling out the details and comments, and the entry will be locked by default. Any checklist created from this template will also automatically have that vulnerability on the checklist filled out and locked.
Updating the Version and Release of Custom Templates
If you are making major changes to your custom template or adding/removing vulnerabilities, you should update the release and/or version of the checklist. You can do this by clicking the “Update details” button on the main custom template page. Here it will let you select the next release or version of the checklist. As with other areas of OpenRMF® Professional, the older template information is saved and available through the History button.
What you can do with Custom Templates
If you select one or more templates in the listing you can bulk download them all into a ZIP file locally. All the CKL files that you selected will be in that ZIP file. You also can create new checklists from them or copy them to other Organizational or System Package templates.
Copying them to other Templates
Your Custom Templates can also be copied into other Organizational or even System Package templates. System Package templates require you to have a “Create Template” group permission in that system or you will not see the option to copy to a system template. Once copied they are independent and can be updated and edited on their own. You may want to do this to customize templates as has been discussed in other areas of the help sections.
Making new Checklists from Custom Templates
If you have any “Create Checklist in a System” permissions you can select a Custom template from the listing and choose “Create Checklist” from the bulk menu just above the table listing to the right. If you click the Apply button you can choose the system and then a checklist of that type is created in that system.
You will need to update any information such as hostname, FQDN, role, etc. for the checklist inside the system listing.