Manage your Risk Management Framework and DoD STIG checklists with ease
OpenRMF is a tool for you to manage your system's DoD STIG checklists, compliance reporting, open item tracking and (soon) using your SCAP scans to generate and update your checklists for the Risk Management Framework (RMF) process being used. Keeping track of all those checklists is EXTREMELY manual and this tool eases that greatly. How?
This tool gives you a better way to do a required, needed part of your day in securing networks, systems, and software with specific checks and compliance reporting. At its heart, this helps implement a Risk Management Framework which any organization can use to better secure its networks, systems, and applications. This tool makes your job easier and automates away some parts of this process so it is more manageable.
One of Tutela's clients was managing 15 servers with 5 checklists per server: yes, that is 75 checklists in total! He was generating a compliance report manually for the most recent updates to show what passed, what was still open, and tracking it against each individual checklist. By hand, this took over two weeks...
Loading the 75 checklists into a new system group for OpenRMF took about 5 minutes total. Generating the compliance and tracking the checklists took less than 1 minute when all checklists were loaded! And it found 1 item that he missed that was still open!
We believe in automation here, so we are working to automate this horribly manual process. Feel free to add issues or "wants" to our GitHub project area! Some upcoming features are listed below:
The main user interface of OpenRMF is built on Bootstrap 4 and is responsive from the start. The simple menu on the left shows the main areas of the tool. The Upload button and some other UI buttons are shown based on permissions (roles), so you can control access to uploads, deletes, exports, downloads, and other features.
Below is the Compliance Generator. You choose your system, click the button, and in a minute or less you can generate a top-level NIST 800-53 compliance listing against all your checklists. Each checklist is color coded per control to show whether it is not a finding (green), open (red), or not reviewed (blue).
Below is the view for a single checklist. You can view the number of issues per status and per category. You can see the asset information and the type of checklist. And you can filter and view each vulnerability color coded by status.
Below is the view for the upload screen. OpenRMF allows you to upload up to 5 checklist files against a system at a time. When checklists are uploaded, they are grouped by system, run through a scoring routine that counts the items per status and category, and are immediately available for viewing and studying your system's security risk. This also allows OpenRMF to be your single source of truth for all checklists, which is a great improvement over searching email and file systems for the latest file by modified date!
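The scoring and compliance steps described above (count items per status and per category, then roll the results up to NIST 800-53 controls) can be illustrated with a short parser over the .ckl format. The example below is added here and is not OpenRMF's own code; it assumes the STIG Viewer .ckl layout, where each VULN element carries VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs (Vuln_Num, Severity, CCI_REF) and a STATUS element. The sample checklist, the V-numbers, the CCI identifiers and the CCI-to-control map are all constructed for the example, and the "worst status wins" precedence used for the per-control rollup (Open over Not_Reviewed over NotAFinding) is an assumption made to reproduce the red/blue/green colouring.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample checklist in the STIG Viewer .ckl layout.
# Hypothetical V-numbers and CCI ids; not a real DISA STIG.
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
  <ASSET><HOST_NAME>web01.example.test</HOST_NAME></ASSET>
  <STIGS><iSTIG>
    <STIG_INFO>
      <SI_DATA><SID_NAME>title</SID_NAME><SID_DATA>Example Web Server STIG</SID_DATA></SI_DATA>
    </STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-900001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900001</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-900002</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900001</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900002</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-900003</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900003</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Reviewed</STATUS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-900004</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>low</ATTRIBUTE_DATA></STIG_DATA>
      <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-900002</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>
"""

# Constructed CCI -> NIST 800-53 control map (hypothetical ids, not the real CCI list).
SAMPLE_CCI_TO_CONTROL = {"CCI-900001": "AC-2", "CCI-900002": "AC-6", "CCI-900003": "AU-12"}

# STIG severity to finding category; CAT I is the most severe.
SEVERITY_TO_CAT = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

# Assumed precedence for rolling several findings up to one control.
STATUS_RANK = {"Open": 3, "Not_Reviewed": 2, "NotAFinding": 1, "Not_Applicable": 0}


def parse_ckl(xml_text):
    """Return one dict per VULN: id, severity, list of CCI refs, and status."""
    root = ET.fromstring(xml_text)
    vulns = []
    for vuln in root.iter("VULN"):
        attrs, ccis = {}, []
        for data in vuln.findall("STIG_DATA"):
            name = (data.findtext("VULN_ATTRIBUTE") or "").strip()
            value = (data.findtext("ATTRIBUTE_DATA") or "").strip()
            if name == "CCI_REF":      # a VULN may cite several CCIs
                ccis.append(value)
            else:
                attrs[name] = value
        vulns.append({
            "id": attrs.get("Vuln_Num", ""),
            "severity": attrs.get("Severity", "").lower(),
            "ccis": ccis,
            # a missing STATUS is treated as not yet reviewed
            "status": (vuln.findtext("STATUS") or "Not_Reviewed").strip(),
        })
    return vulns


def score_checklist(vulns):
    """Counts per status and per category, plus open items per category."""
    cat = lambda v: SEVERITY_TO_CAT.get(v["severity"], "unknown")
    return {
        "by_status": dict(Counter(v["status"] for v in vulns)),
        "by_category": dict(Counter(cat(v) for v in vulns)),
        "open_by_category": dict(Counter(cat(v) for v in vulns if v["status"] == "Open")),
    }


def compliance_by_control(vulns, cci_to_control):
    """Roll findings up to 800-53 controls; the worst status per control wins."""
    result = {}
    for v in vulns:
        for cci in v["ccis"]:
            control = cci_to_control.get(cci)
            if control is None:
                continue              # unmapped CCI: nothing to report against
            current = result.get(control)
            if current is None or STATUS_RANK.get(v["status"], 2) > STATUS_RANK.get(current, 2):
                result[control] = v["status"]
    return result


if __name__ == "__main__":
    findings = parse_ckl(SAMPLE_CKL)
    print(score_checklist(findings))
    print(compliance_by_control(findings, SAMPLE_CCI_TO_CONTROL))
```

Run against the constructed sample, the scorer reports one open CAT I item, and the rollup marks AC-2 open (red), AU-12 not reviewed (blue) and AC-6 not a finding (green), which is the per-control view the compliance listing shows; a real checklist with hundreds of VULN entries is handled the same way, and the CCI map would come from the published CCI list rather than the constructed table here.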
The OpenRMF tool is on GitHub for download. On the Releases tab you can see the ZIP file to pull down; unzip it and launch start.sh or start.cmd to pull the latest images and run the application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool, as all pieces are in containers.
From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed but I hate the damn tool. I have been saying "there has to be a better way" for over a decade back since almost 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...
So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.
Then I got home, thought about it, and threw it in the trash! It was the same old same old, .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard (see this here) to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the OpenRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the OpenRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.
© 2019 Cingulara. All rights reserved | Design by W3layouts.