
OpenRMF 1.5 Just Released!

Cyber Compliance Automation across your DoD STIG checklists, DISA, OpenSCAP, and Nessus SCAP scans as well as Nessus ACAS scans

OpenRMF Tool v1.5

OpenRMF is a web-based collaboration application that helps you automate your Cyber Compliance processes, procedures, and information. It lets you manage your system's DISA, OpenSCAP and Nessus SCAP scans, STIG checklists, Nessus ACAS scans, compliance reporting, and open item tracking, and to generate and update your checklists for the Risk Management Framework (RMF). Keeping track of all those checklists is EXTREMELY manual, filled with emails and Excel spreadsheets, and very hard to manage. This tool changes that. How?

Companies use the DISA, Nessus and OpenSCAP tools together with the OpenRMF Professional software to automate much of the RMF process of collecting and managing information, decreasing the time to an ATO by roughly 50%. OpenRMF's collaborative environment eliminates much of the manual labor and isolated work involved in aligning the DISA controls, checklists and patch scans, and then manages all of that information in a secure central database. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF reports.

Companies believe that a web-based central repository for all RMF data, with role-based security for each system, eases the RMF process by providing a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also gives leadership direct insight into the status of all system security and risk information, removing the mystery around implementing the RMF process. Once an ATO is achieved, OpenRMF in combination with other tools provides the ability to continuously monitor and track POA&M items and the overall risk of systems and applications, and to track updated scans and checklists throughout the life of the system.

OpenRMF - Join in!

The OpenRMF tool is on GitHub for download. On the release tab you can see the ZIP file to pull down, unzip, and launch the or start.cmd files to pull the latest images and run this application locally on your desktop, workstation, or server via docker-compose. Note: Docker is required to run this tool as all pieces are in containers.

TL;DR OpenRMF History

From the desk of the CTO - I have been using the STIGViewer.jar file for over a decade and hate it. Hate the tool. I understand the information is needed, but I hate the damn tool. I have been saying "there has to be a better way" for over a decade, going back to almost 2006 when I had to do one of the first Application Security & Development STIG checklists. And it never got better. It bugged me...

So in July 2018 (on my "vacation" in FL at my dad's no less) I started to pick apart the CKL STIG checklist files and recognized they were just XML files with specific fields and a specific order they needed or the viewer would die (literally!). So in a few hours here and there I came up with a design and a working prototype to read in and "score" a checklist.
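The "read in and score a checklist" idea described above, as an added Python example that is not OpenRMF's own code: it parses a CKL-style XML checklist and tallies findings by STATUS and, for open items, by Severity. The element names (CHECKLIST, STIGS, iSTIG, VULN, STIG_DATA, VULN_ATTRIBUTE, ATTRIBUTE_DATA, STATUS) follow the DISA CKL layout as assumed here, and the sample checklist is constructed, not taken from a real system.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Status values used by the DISA checklist format (assumed set).
STATUSES = ("Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")


def _vuln(vid, severity, status):
    # Helper that builds one <VULN> block for the constructed sample checklist.
    return (f"<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{vid}</ATTRIBUTE_DATA></STIG_DATA>"
            f"<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{severity}</ATTRIBUTE_DATA></STIG_DATA>"
            f"<STATUS>{status}</STATUS></VULN>")


# Constructed sample in the shape of a CKL file: one asset, one STIG, four vulns.
SAMPLE_CKL = ("<CHECKLIST><ASSET><HOST_NAME>web01</HOST_NAME></ASSET><STIGS><iSTIG>"
              + _vuln("V-1001", "high", "Open")
              + _vuln("V-1002", "medium", "NotAFinding")
              + _vuln("V-1003", "low", "Not_Reviewed")
              + _vuln("V-1004", "medium", "Not_Applicable")
              + "</iSTIG></STIGS></CHECKLIST>")


def vuln_attributes(vuln):
    """Flatten the VULN_ATTRIBUTE/ATTRIBUTE_DATA pairs of one <VULN> into a dict."""
    attrs = {}
    for data in vuln.findall("STIG_DATA"):
        name = data.findtext("VULN_ATTRIBUTE")
        if name:
            attrs[name.strip()] = (data.findtext("ATTRIBUTE_DATA") or "").strip()
    return attrs


def score_checklist(ckl_text):
    """Return ({status: count}, {severity: open_count}) for a checklist string.

    Every known status starts at zero so reports always show all four columns;
    an unexpected STATUS value is kept under its literal text rather than dropped,
    so a hand-edited or corrupted checklist is visible in the tally.
    """
    root = ET.fromstring(ckl_text)
    by_status = Counter({s: 0 for s in STATUSES})
    open_by_severity = Counter()
    for vuln in root.iter("VULN"):
        status = (vuln.findtext("STATUS") or "").strip()
        by_status[status] += 1
        if status == "Open":
            severity = vuln_attributes(vuln).get("Severity", "unknown").lower()
            open_by_severity[severity] += 1
    return dict(by_status), dict(open_by_severity)
```

Run `score_checklist(open(path).read())` on a real CKL export to get the same two tallies; the host name under ASSET can be read with `root.findtext("ASSET/HOST_NAME")` if you want per-system grouping.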

Then I got home, thought about it, and threw it in the trash! It was the same old same old: a .NET website with code and APIs and MVC all rolled up. It bugged me because I knew it was not right. It was not fitting to containers or sitting on AWS or using serverless functions where it could. So I let it stew a bit. Then in January 2019 I figured it out during a workout session and scribbled it on my whiteboard to digest it. That basically sat there a week or so as I thought on it. Then I started to create what is currently the OpenRMF tool. It has a few technologies in there like .NET Core 2.2, microservice APIs, NATS messaging server, as well as a few MongoDB instances to talk to the APIs. I wanted (eventually) Command Query Responsibility Segregation (CQRS) and eventual consistency. And I wanted to learn these techniques and use them in a way that was easy to digest. So I put all this into the OpenRMF tool to get it done, to get it out of my head, and to mess with some technology I need to get better at using.

© 2021 Cingulara. All rights reserved | Design by W3layouts.