Transcription
OpenRMF 1.5 - Innovation, Automation and Collaboration for DISA STIGs and scans, Nessus scans, OpenSCAP and NIST Controls
https://www.openrmf.io

The only web-based open source tool to help you edit and manage your DISA STIG Checklists, Nessus Scans, NIST Controls, and correlate them automatically!
- Upload Checklists (CKL or XCCDF SCAP)
- Run Compliance and Information Reports
- Filter on Open Items remaining
- Edit and Manage Checklists by System

2020 Cingulara LLC. 2020 Tutela LLC. All Rights Reserved. https://www.openrmf.io
Current Challenges Implementing RMF
- Slow process driven by disparate systems
- Compliance with STIGs means checklists are numerous and not automatically related directly to NIST control families
- Information shared via Email, DISA STIG Viewer, Excel, and shared folders – no single source of truth
- Limited management oversight into the IA status and security posture
- Must install Java to use the DISA STIG Viewer to edit Checklists
- Teams need actionable data from Nessus ACAS scans easily
- IT Teams must manage the checklists manually
- Checklists are managed and edited manually, one at a time
- Leadership sees Cybersecurity as “black magic” and “too hard”
- Leadership does not see value in Cybersecurity – only hardship
- No correlation of errors and deltas across checklists
The RMF Process – 6 Steps
A. Categorize the System
B. Select the Control Families
C. Implement the Controls
D. Assess the Controls
E. Authorize the System
F. Monitor Controls
[Slide diagram: the six steps plotted against the current timeframe of quarters Q1 to Q8, labelled "Time Consumers", with three "OpenRMF here" markers; the chart itself is not recoverable from the transcription.]
Complexity of RMF in your System
Example: 1 system consisting of 10 Windows Servers with 1 Application

eMass Process: Categorize System (High / Moderate / Low). Outputs: selections to NIST Control Categories; a Moderate Level system could have 180 controls (e.g. AC-1, AC-2, AC-12, PM-2, PM-12).

DISA STIG Process: Identify necessary checklists for your system:
- (10) Windows 2016 OS Checklists (272 items each)
- (10) Internet Explorer Checklists (136 items each)
- (10) .NET Checklists (16 items each)
- (1) SQL Server 2014 DB Checklist (42 items)
- (1) SQL Server 2014 Instance Checklist (92 items)
- (1) Application Security & Development Checklist (288 items)
- (10) Java Checklists (16 items each)
Outputs: Open a new checklist (53) for each with the STIG Viewer to modify and update 4,822 items! No Automated Correlation. Completely Manual!
Current RMF Process
- Categorize System: eMASS
- Select the Control Families: eMASS
- Implement the Controls (done by IT Team): SCAP Scans, ACAS Scans, Import Multiple Checklists, MS Excel, Java Viewer, Email, MS Word
- Document the Results: MS Excel, MS Word, Checklist, ACAS scan, SCAP scan, eMass
- Assess the Controls (done by Validator and IT Team): SCAP Scans, ACAS Scans, Import Multiple Checklists, MS Excel, Java Viewer, Email, MS Word
- Authorize the System
- Continuously Monitor Controls (done by IT Team): SCAP Scans, ACAS Scans, Import Multiple Checklists, MS Excel, Java Viewer, Email
RMF Process with OpenRMF Automation
- Categorize System: eMASS
- Select the Control Families: eMASS
- Implement the Controls (done by IT Team): Import Multiple Checklists, Compliance Generation, Report Generation
- Document the Results: Checklists, Compliance Report, eMass
- Assess the Controls (done by Validator and IT Team): Import Multiple Checklists, Compliance Generation, Report Generation
- Authorize the System
- Continuously Monitor Controls (done by IT Team): Import Multiple Checklists, Compliance Generation, Report Generation
Saving Time and Frustration

Task | Currently (manual) | OpenRMF
Import SCAP scans to create a checklist | 2 - 5 minutes per scan, i.e. 200 checklists a few days | 4 seconds* (* up to 10 at a time)
Create a Starting POA&M on Open and Not Reviewed Items | 1 day minimum, depending on the size of the system | 5 seconds
Create a Test Plan Summary to 90% | 1 day minimum, depending on the size of the system | 5 seconds
Upgrade a Checklist to the new Release (Quarterly) | 1 hour minimum, depending on the # of items in the checklist | 10 seconds per checklist
Keeping Track of the # of Open Items, Not a Finding, Not Reviewed, and N/A by Severity (Category) across all checklists in a complete system | Too hard to keep current, not done usually | 5 seconds to view, 5 seconds to Excel
OpenRMF Features
- 100% Open Source tool
- Automatically Relate DISA STIGs with NIST RMF Control Families and Categories Seamlessly
- Automatically Organize Checklists by System
- Single Source of Truth for all System Checklists
- Edit your Checklist data Live through a web browser! Includes Bulk Edit in v 1.1.
- Run Nessus scan, Checklist, Vulnerability and Controls reports across your whole System
- Management Insight into IA Status and Security Posture
- On premise, local machine, or in the cloud
- 100% Browser based
- Role Based Access Control
- Easily Find Errors and Deltas Across Checklists
- Run Nessus scan, Checklist, and Controls reports
- Removes the IA Mystery!
More information at https://www.openrmf.io/
OpenRMF Updates in 2020 and 2021
- Nov 2020 - v 1.3: Severity Override usage in Checklist Scores
- Dec 2020 - v 1.3.1: Upgrade Checklist process allows upgrading to new Checklists with Vulnerability renumbering; fix on CCI subcontrol references for Compliance Generation
- Feb 2021 - v 1.4: Adding OpenSCAP scan result support to create/update STIG Checklists
- Feb 2021 - v 1.5: Reduced Container size and vulnerabilities; Auto-Logout feature
- April 2021 - v 1.5.3: Download all STIG Checklists in a single ZIP; Report Status highlighting; Keycloak OpenRMF Theme; Small UI Tweaks; Various Bug Fixes
- June 2021 - v 1.6: Refactor Services for smaller footprint
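The "Saving Time" slide describes counting Open, Not a Finding, Not Reviewed and N/A items by Severity (Category) across every checklist in a system, and the v1.3 entry above describes the severity override being used in checklist scores. The Python below is an added example, not OpenRMF's own code, that performs that tally over constructed minimal CKL documents laid out the way DISA STIG Viewer writes them (VULN elements with STIG_DATA attribute pairs, STATUS and SEVERITY_OVERRIDE); the host file names, vulnerability ids and statuses are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

def vuln_xml(vid, severity, status, override=""):
    # One CKL <VULN> element in the STIG Viewer layout. Constructed sample data, not a real STIG.
    return (f"<VULN><STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{vid}</ATTRIBUTE_DATA></STIG_DATA>"
            f"<STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE>"
            f"<ATTRIBUTE_DATA>{severity}</ATTRIBUTE_DATA></STIG_DATA>"
            f"<STATUS>{status}</STATUS><SEVERITY_OVERRIDE>{override}</SEVERITY_OVERRIDE></VULN>")

def ckl(*vulns):
    # Minimal CKL envelope (CHECKLIST/STIGS/iSTIG) around the VULN elements.
    return "<CHECKLIST><STIGS><iSTIG>" + "".join(vulns) + "</iSTIG></STIGS></CHECKLIST>"

# Constructed "system": two hosts, one checklist each. File names are hypothetical.
CHECKLISTS = {
    "web01-windows2016.ckl": ckl(
        vuln_xml("V-1001", "high", "Open"),
        vuln_xml("V-1002", "medium", "Open", override="low"),  # CAT II scored as CAT III
        vuln_xml("V-1003", "low", "NotAFinding")),
    "db01-sqlserver2014.ckl": ckl(
        vuln_xml("V-2001", "high", "Not_Reviewed"),
        vuln_xml("V-2002", "medium", "Open"),
        vuln_xml("V-2003", "medium", "Not_Applicable")),
}

def tally_checklist(ckl_text):
    """Count the VULN entries of one CKL, keyed by (category, STATUS)."""
    counts = Counter()
    for vuln in ET.fromstring(ckl_text).iter("VULN"):
        attrs = {sd.findtext("VULN_ATTRIBUTE"): sd.findtext("ATTRIBUTE_DATA", "")
                 for sd in vuln.findall("STIG_DATA")}
        severity = attrs.get("Severity", "").strip().lower()
        # Severity Override (v1.3 slide): a populated override replaces the STIG default for scoring.
        override = (vuln.findtext("SEVERITY_OVERRIDE") or "").strip().lower()
        severity = override or severity
        status = (vuln.findtext("STATUS") or "Not_Reviewed").strip()
        counts[(CATEGORY.get(severity, "unknown"), status)] += 1
    return counts

def system_tally(checklists):
    """Roll the per-checklist counts up across every checklist in the system."""
    return sum((tally_checklist(text) for text in checklists.values()), Counter())

def open_items(total):
    """Open items remaining across all categories, the number management asks for."""
    return sum(n for (_cat, status), n in total.items() if status == "Open")
```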
OpenRMF Testimonials

“The work you all have put into this project is phenomenal! I can't say enough great things about the team and the amazing accomplishments you all have achieved in a very, very short period of time. Now that's what I call CodeHustle!”

“Using the OpenRMF tool, we reduced the three weeks to generate our compliance report down to 5 minutes. And OpenRMF found an error in our compliance we did manually.” – former employee of MSG

Nick, an ISSO for AWS that supports Joint Forces, after seeing and using OpenRMF: “Hey, guys, look! You’ve been doing RMF wrong this whole time.”

“I’m super happy that OpenRMF handles that upgrade of those STIGs and the copy/paste does not have to happen!”

“Using the list of checklists per system, we were able to update management on our number of open items across all checklists within our system in seconds.” - Tutela
OpenRMF Core OSS Screenshots (slide images are not included in the transcription): OpenRMF Dashboard; Checklist Upload; Checklists by System; System Record; Individual Checklist (two slides); Generate Compliance; Compliance Details; Reports; Nessus Reports; System Reports; Checklist Reports; Metrics (Grafana) (three slides).