
Manage your Risk Management Framework, DoD STIG checklists, SCAP scan and Nessus ACAS scans with ease

OpenRMF Upcoming Roadmap

OpenRMF Tool v 0.11

OpenRMF is a tool for managing your system's DoD SCAP scan results (including those produced by Nessus), STIG checklists, Nessus ACAS scan results, compliance reporting, and open-item tracking, and for generating and updating your checklists for the Risk Management Framework (RMF). Keeping track of all those checklists is extremely manual, filled with emails and Excel spreadsheets, and very hard to manage. This tool changes that. How?

  • Dashboard showing the number of Open Items and Critical/High patch vulnerabilities by system in an instant
  • Upload DoD SCAP scan results in XCCDF format to create checklist
  • Import and Report on Nessus ACAS Scan results and patch vulnerabilities
  • Auditing of actions for creating, editing, deleting across the system
  • Filter Vulnerabilities on the Checklist page by status
  • Generate a Compliance listing of NIST 800-53 Controls to all checklists within a system
  • Compliance listing for a single checklist, with the Vulnerability IDs filtered down to only those that map to the selected NIST 800-53 control
  • Save/Upload .CKL files for viewing and safekeeping - automatic naming based on type and revision
  • List and display active checklists by system
  • List and display templated checklists (starting points)
  • Group and list checklists and reports by System (a group of checklists for a single application, system, etc.)
  • Quickly show "scoring" on Open, N/A, "Closed" as well as "not yet reviewed" items in the checklists
  • Exporting the .CKL file for quick loading into the STIG Viewer Java application
  • Exporting a Checklist to MS Excel in seconds with color coded rows based on status (Open = RED, Not a Finding = GREEN, etc.)
  • Exporting of charts for download to PNG
  • Export the "score" of a system of checklists to MS Excel with a single click
  • Manage Roles for Administrator, Read Only, Editor, and Download access of data

This tool gives you a better way to do a required part of your day in securing networks, systems, and software with specific checks and compliance reporting. At its heart, it helps implement a Risk Management Framework that any organization can use to better secure its networks, systems, and applications. It makes your job easier and automates away parts of the process so it becomes manageable.

Most Recent Use Case

One of Tutela's clients was managing 15 servers with 5 checklists per server: yes, that is 75 checklists in total! He was generating a compliance report manually for the most recent updates to show what passed and what was still open, and tracking it against each individual checklist. By hand, this took over two weeks...

Enter OpenRMF...

Loading the 75 checklists into a new system group for OpenRMF took about 5 minutes total. Generating the compliance and tracking the checklists took less than 1 minute when all checklists were loaded! And it found 1 item that he missed that was still open!

OpenRMF - Upcoming Features!

We believe in automation here, so we are working to automate this horribly manual process. Feel free to add issues or "wants" to our GitHub project area! Some upcoming features are listed below:

  • Live Edits of Checklists
  • Automatically create your Risk Assessment Report (RAR)
  • Automatically create your Test Plan
  • Automatically create your POA&M
  • Select the fields to export to MS Excel, autofilter enabled on the header row
  • A wizard to ask questions and customize a starting checklist file for you with certain fields and comments filled in
  • Import the Manual XML STIG to create a starting checklist
  • Track changes / versions as you edit for a visual diff
  • Track projects and due dates with notifications on timelines as well as anniversaries and required updates
  • more...

OpenRMF Screenshots

The main user interface of OpenRMF is built on Bootstrap 4 and is responsive out of the box. The simple menu on the left shows the main areas of the tool. The Upload button and some other UI buttons are shown based on permissions (roles), so you can control access to uploads, deletes, exports, downloads, and other features.

OpenRMF Dashboard

Below is the Compliance Generator. You choose your system, click the button, and in a minute or less you get a top-level NIST 800-53 compliance listing against all your checklists. Each checklist is color coded per control: Not a Finding (green), Open (red), or Not Reviewed (blue).
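As an added example (not OpenRMF's own code, which is .NET Core), the block below shows how the checklist "scoring" from the feature list above and the per-control compliance listing described here can be computed from a .ckl file. The sample checklist is constructed by hand using the element names STIG Viewer writes into .ckl files (CHECKLIST, ASSET, iSTIG, VULN, STIG_DATA, STATUS); the host, STIG title and findings are invented. The CCI-to-control table is a tiny hand-made subset standing in for DISA's full CCI list, and the roll-up rule (one Open check makes the whole control Open, then Not_Reviewed, then NotAFinding) is an assumption about how the color coding should aggregate, not a description of OpenRMF's logic.

```python
"""Score a DISA STIG checklist (.ckl) and roll it up to NIST 800-53 controls.

Added example, not OpenRMF project code. The sample checklist and the
CCI -> control table below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# STATUS values STIG Viewer writes; anything else means a corrupt checklist.
VALID_STATUSES = ("Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")

# Hand-made CCI -> NIST 800-53 control subset (assumption; a real tool loads
# DISA's full CCI list instead of this table).
CCI_TO_CONTROL = {"CCI-000366": "CM-6", "CCI-001453": "AC-17", "CCI-002470": "SC-23"}

# Constructed sample checklist: element names follow the .ckl layout, the
# asset, STIG title, vulnerability IDs and findings are invented.
SAMPLE_CKL = """<?xml version="1.0" encoding="UTF-8"?>
<CHECKLIST>
 <ASSET><ROLE>None</ROLE><ASSET_TYPE>Computing</ASSET_TYPE><HOST_NAME>web01</HOST_NAME></ASSET>
 <STIGS><iSTIG>
  <STIG_INFO>
   <SI_DATA><SID_NAME>title</SID_NAME><SID_DATA>Sample Web Server STIG</SID_DATA></SI_DATA>
   <SI_DATA><SID_NAME>version</SID_NAME><SID_DATA>1</SID_DATA></SI_DATA>
  </STIG_INFO>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Open</STATUS><FINDING_DETAILS>TLS 1.0 still enabled</FINDING_DETAILS><COMMENTS/>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-000366</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001453</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>NotAFinding</STATUS><FINDING_DETAILS/><COMMENTS>Verified 2019-05-01</COMMENTS>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>medium</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-001453</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Not_Applicable</STATUS><FINDING_DETAILS/><COMMENTS>No remote access</COMMENTS>
  </VULN>
  <VULN>
   <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100004</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>high</ATTRIBUTE_DATA></STIG_DATA>
   <STIG_DATA><VULN_ATTRIBUTE>CCI_REF</VULN_ATTRIBUTE><ATTRIBUTE_DATA>CCI-002470</ATTRIBUTE_DATA></STIG_DATA>
   <STATUS>Not_Reviewed</STATUS><FINDING_DETAILS/><COMMENTS/>
  </VULN>
 </iSTIG></STIGS>
</CHECKLIST>
"""


def parse_ckl(text):
    """Return one dict per VULN; raise ValueError on a STATUS the viewer would reject."""
    root = ET.fromstring(text)
    host = root.findtext("ASSET/HOST_NAME", default="")
    vulns = []
    for v in root.iter("VULN"):
        attrs = defaultdict(list)  # VULN_ATTRIBUTE name -> list of values (CCI_REF repeats)
        for sd in v.findall("STIG_DATA"):
            attrs[sd.findtext("VULN_ATTRIBUTE", "")].append(sd.findtext("ATTRIBUTE_DATA", ""))
        vuln_id = (attrs["Vuln_Num"] or ["?"])[0]
        status = (v.findtext("STATUS") or "").strip()
        if status not in VALID_STATUSES:
            raise ValueError(f"{vuln_id}: unknown STATUS {status!r}")
        vulns.append({"host": host, "vuln_id": vuln_id,
                      "severity": (attrs["Severity"] or [""])[0],
                      "ccis": attrs["CCI_REF"], "status": status})
    return vulns


def score(vulns):
    """Per-status counts: the Open / N/A / Not a Finding / Not Reviewed 'scoring'."""
    counts = Counter(v["status"] for v in vulns)
    return {s: counts.get(s, 0) for s in VALID_STATUSES}


def rollup(statuses):
    """Worst-case roll-up for one control (assumed rule): any Open wins."""
    for s in ("Open", "Not_Reviewed", "NotAFinding"):
        if s in statuses:
            return s
    return "Not_Applicable"


def compliance_by_control(vulns, cci_map=CCI_TO_CONTROL):
    """NIST 800-53 control -> rolled-up status across every check that cites it."""
    per_control = defaultdict(list)
    for v in vulns:
        for cci in v["ccis"]:
            control = cci_map.get(cci)
            if control:  # unmapped CCIs are skipped here; a real tool should flag them
                per_control[control].append(v["status"])
    return {c: rollup(s) for c, s in sorted(per_control.items())}


def vulns_for_control(vulns, control, cci_map=CCI_TO_CONTROL):
    """Vulnerability IDs whose CCIs map to the given control (the filtered listing)."""
    return [v["vuln_id"] for v in vulns if any(cci_map.get(c) == control for c in v["ccis"])]


if __name__ == "__main__":
    checks = parse_ckl(SAMPLE_CKL)
    print(score(checks))
    print(compliance_by_control(checks))
    print(vulns_for_control(checks, "CM-6"))
```

One caveat for anything that accepts uploaded checklists: a .ckl is untrusted XML, and the standard-library parser used above still expands internal entity declarations, so an upload endpoint should parse with defusedxml (its ElementTree.fromstring is a drop-in replacement) or otherwise reject documents with a DOCTYPE before scoring them.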

OpenRMF System Listing

Below is the System Listing in OpenRMF. It gives you a list of all your active systems currently being managed, with a brief description and a quick pie chart showing checklist items by status.

For more information please see the OpenRMF website

OpenRMF - Join in!

The OpenRMF tool is on GitHub for download. On the Releases tab you can download a ZIP file; unzip it and run the start script (start.cmd on Windows) to pull the latest images and run the application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool, as all pieces are in containers.

TL;DR OpenRMF History

From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed, but I hate the damn tool. I have been saying "there has to be a better way" for over a decade, since around 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...

So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.

Then I got home, thought about it, and threw it in the trash! It was the same old same old: a .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the OpenRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the OpenRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.

© 2019 Cingulara. All rights reserved | Design by W3layouts.