OpenRMF is a web-based Cyber Compliance Automation and Collaboration software suite to allow you and your teams to track your cyber compliance via Risk Management Framework (RMF) online. It allows adding STIG checklists, patch scan data, and SCAP scans into a collaborative environment to track and act on RMF data. It replaces a lot of manual file updates and manipulation and manual tracking of open vulnerability items into a single source-of-truth web application.
OpenRMF is for "C" level company executives, government CIOs and CSOs, directors, division heads, branch managers, cyber analysts, administrators, developers, testers, and third-party as well as government assessors for ATO compliance checking.
It is also for any person or group that performs Continuous Monitoring or has to edit STIG Checklists for their application, server, device, or component in a larger System ATO Package or equivalent process for their organization or agency.
OpenRMF was designed with U.S. DoD and Federal Government agencies in mind. However, we have seen commercial organizations use this software as well to keep their systems secure and cyber compliant at a DoD or Federal Government level. And with the DISA SCAP Scanner now open sourced to allow groups to scan for known vulnerabilities in their software and operating systems, it is even more widely used.
Currently there are 2 versions. The OpenRMF OSS open source version is available for free and is primarily for smaller project teams or single system ATOs being tracked.
There is also the OpenRMF Professional version, which is designed for larger teams, companies, large organizations, and government agencies who want more fidelity on their data and more automation around compliance and RMF. This version is licensed and paid, and comes with updates, support, and more features.
You can go to https://www.openrmf.io/ to learn more on the open source version, and see links to the GitHub codebase, Slack channel, and other documentation.
You can contact us on the Contact page to schedule an online demonstration for you and your group at a time that is convenient. The OpenRMF Professional version is not online for a demonstration as of yet; that is coming soon!
The OpenRMF OSS has an online demonstration at https://demo.openrmf.io/. You can sign up there for a free read-only account and see it in action. You also can download OpenRMF OSS components for free and install them locally to run.
For OpenRMF Professional, you need to contact us to work out licensing, and then you need access to download one of the installs for your setup.
For OpenRMF OSS you can go to the https://www.openrmf.io/ website and sign up for the Slack channel, then go to the Code link and download the code to run locally. Follow the online documentation instructions to get started quickly.
OpenRMF is not a Software as a Service (SaaS) provided by us. It is software that can be installed at your discretion on an on-premise server or servers, cloud-based virtual server (we recommend a private virtual cloud setup), or even on a local laptop. This goes for both the OpenRMF Professional software or the open source version.
Yes, this can be run on a totally disconnected network. You will need another computer, not on that network, to download the software application services and containers. And you must have software such as Docker and Docker-Compose (Community Edition is fine) or equivalent on your disconnected computer network on at least one machine to run OpenRMF. This goes for OpenRMF Professional as well as OpenRMF OSS.
There is an additional step of copying off the software onto a medium you can use to transport it to the disconnected network. This would be the same for any software updates, operating system updates, or patches that network requires for other software outside of OpenRMF. This process is scripted and documented to allow disconnected installation of OpenRMF on your isolated network or computer.
OpenRMF Professional has been tested on Windows 2016 Server, Windows 2019 Server, Windows 10, Mac OS X, Red Hat Linux 7.9 and 8.0, as well as Ubuntu 18 and 20 LTS. It also will run on CentOS 7.9. Any operating system that can run Docker and Docker Compose should work. We also have customers that have installed this on AWS EC2 instances directly running the Amazon Linux and other operating systems. Since the application components are run within software container images, any of the operating systems that can run tools like Docker, Docker Compose and Docker Desktop will work.
In the Kubernetes installation (not Docker and Docker Compose) of OpenRMF we have seen this run on AWS EKS with Kubernetes 1.16 or higher, minikube, as well as OpenShift 3.11. We are currently testing on GKE, Azure AKS, and OpenShift 4.5 to ensure any assumptions of those platforms allow OpenRMF to work correctly.
If you are running Windows 2016 or 2019 Server in a virtual environment, your VMware ESXi host must be set up for nested virtualization, and your hardware and VMware virtual hardware version must support it. Check the VMware documentation for more information on nested virtualization.
There are some main features of the Professional version that stand out. Multi-Tenancy and Role Based Access Control by System Package, Data Revision saving as you change and upload STIG Checklists, merging of Patch Scan Vulnerability data, and online Editing and Automation of the POA&M are the ones most people are excited about with OpenRMF Professional. There are also several additional reports available in this version. And OpenRMF Professional tracks RMF as well as FedRAMP level compliance for you and your team.
Additionally you can track compliance and tailoring down to the NIST sub-control level (not just major controls), apply overlays, and track milestone events. You can see a full list of features at the OpenRMF Professional page as well as the Feature page.
As of version 2.5, you can also group subsets of checklists and/or hardware devices into Team Subpackages. The Team Subpackage has its own group permissions to allow individuals or teams to view and edit their data and only their data. And it segments other checklists and/or hardware from being seen or edited by the team. It also hides the POA&M and Compliance information as well. The automation built into OpenRMF Professional for linking in the POA&M items based on checklists and scans as well as compliance generation still works for those with access to the larger System Package.
OpenRMF Professional is licensed by production installation as well as by active System Packages*. It comes with a license for 5 active packages to track, and additional 5-packs of licenses can be purchased. All licenses are generated for a year by default. However, licenses for less than a year as well as multi-year licenses can be purchased. We also have multi-install and volume pricing options.
* For licensing purposes, one System Package is defined as the collection of all checklists, servers, switches, and applications that are part of an accreditation/ATO package. You could think of it as one system package = one ATO package. Licenses cover active System Packages. You can mark a System Package as read-only, and that does not count against your license.
This software follows a microservices design, with RESTful APIs using .NET Core 3.1 and message services using Synadia NATS and .NET Core 3.1 as well. Other components include MongoDB, Elasticsearch, Logstash, Kibana, Prometheus, Grafana, and Keycloak 12.
Currently the installation runs under Docker or another OCI-compliant container engine, as well as under a Kubernetes configuration. We are continually improving our installation options to include a VMware RAW image using a Windows desktop, Windows Server, Ubuntu, or Red Hat Linux operating system.
Currently OpenRMF OSS 1.x is Navy DADMS approved. We are working with a sponsor for the OpenRMF Professional version to go through the same Navy DADMS approval. We are also working to get resellers associated with other DoD agencies and Federal agencies to add this to their approved software listings.
Recently the US Air Force signed a 3-year Certificate to Field (CTF) for the 2.x version of OpenRMF Professional. Contact us if you need a copy of that for your cyber professionals or network approvers to run this software.
Yes. You can configure this application to match client certificates such as CAC, PIV, and ECA certificates. The Common Access Card (CAC) is a common login use. We have documented procedures on how to configure this successfully for HTTPS and CAC so that the user on the certificate is matched to a user in the application. Upon successful login, they pull the proper roles and permissions from the application and start using OpenRMF Professional.
Yes. You can configure the authentication to pull from Windows AD or another LDAP tool to set up your user accounts. Use rules, synchronization, and regular expressions to pull in the correct groups of users. Upon successful login, they pull the proper roles and permissions from the application and start using OpenRMF Professional.
Yes. You can contact us for your specific needs as far as the number of installs, time period on the licenses, and the number of active system packages (i.e. ATOs) you wish to track. We will work with you to discount volume purchasing so it makes sense for all involved.
Yes, we do. We have a reseller program and a value added reseller (VAR) program. The difference between these is that the VAR handles all tier 1 and tier 2 helpdesk calls, questions, and tickets for their customers. Contact us for more detailed information on our reseller programs.
No, this does not replace software tools like eMASS that US and foreign federal government agencies use. OpenRMF Professional complements those tools by allowing teams focused on approvals and ATOs to track the checklists, patches, and other information as a team. It gives you the single source-of-truth for all that data and reporting. And it helps you track the work required to put your software, network, device, and system packages in a position to obtain approval from those tools like eMASS.
OpenRMF Professional also lets you track trends, show work done to reduce risk and tighten cybersecurity, and gives confidence to assessors and validators that you are performing your job as you should. Showing due diligence in securing systems and software, as well as creating policies and procedures for lessening risk can be shown through this tool over time to "tell the story" of the team to get to a lower risk for authority to operate, to connect or to test as desired.
DISA comes out at least quarterly with updated checklists that may contain new vulnerability listings, remove older ones, or just have updated guidance and wording around existing ones. With that, you usually have to have the latest version and release of a checklist when you go for accreditation, assessment, or update government tools such as eMASS with your latest information. That is a process you cannot skip.
To that end, we are on the email lists for the quarterly as well as ad-hoc updates, and within a couple of days we download the latest XCCDF manual XML format files. We load them into our application, test them for creating and upgrading checklists, and then include them in a minor revision update to our Template API container image. This image is pushed out to our hosted private container registry, and all users are notified of the updated version and files so they can pull the latest upgraded checklists. We do this to ensure that the latest checklist upgrades have not changed structure and work within the OpenRMF Professional suite of tools.
For the PKI-only checklists that DISA releases, we DO NOT include those automatically into our software distribution.
In the Professional version, we do allow an application administrator to upload the "xxxxxxxxxx_Manual-xccdf.xml" files into OpenRMF so those checklists and templates are available to you and your team. So as we update the public checklists, you and your team can make sure the PKI-only checklist updates are added as well.
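As an added illustration of what a checklist-template upgrade has to cope with (new vulnerability listings, removed ones, and reworded or re-rated existing ones), the parser below reads the `Group`/`Rule` structure of a DISA XCCDF 1.1 manual benchmark and diffs two releases. This is example code written for this page, not OpenRMF's own Template API code; the two XML documents are constructed samples with made-up V- and SV- identifiers.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.1 namespace used by DISA "_Manual-xccdf.xml" benchmark files.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# Constructed sample benchmarks (identifiers are made up, not real STIG ids).
OLD_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <version>1</version>
  <Group id="V-1001"><title>SRG-OS-000001</title>
    <Rule id="SV-1001r1_rule" severity="medium"><title>Disable root login</title></Rule></Group>
  <Group id="V-1002"><title>SRG-OS-000002</title>
    <Rule id="SV-1002r1_rule" severity="low"><title>Display a logon banner</title></Rule></Group>
</Benchmark>"""

NEW_XML = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <version>2</version>
  <Group id="V-1001"><title>SRG-OS-000001</title>
    <Rule id="SV-1001r2_rule" severity="high"><title>Disable remote root login</title></Rule></Group>
  <Group id="V-1003"><title>SRG-OS-000003</title>
    <Rule id="SV-1003r1_rule" severity="medium"><title>Enable audit logging</title></Rule></Group>
</Benchmark>"""


def parse_manual_xccdf(xml_text):
    """Map each vulnerability id (Group id) to (rule id, severity, rule title)."""
    root = ET.fromstring(xml_text)
    rules = {}
    for group in root.findall("x:Group", NS):
        rule = group.find("x:Rule", NS)
        if rule is None:          # tolerate groups without a Rule child
            continue
        title = rule.findtext("x:title", default="", namespaces=NS).strip()
        rules[group.get("id")] = (rule.get("id"), rule.get("severity", "unknown"), title)
    return rules


def diff_benchmarks(old, new):
    """Classify V- ids as added, removed, or changed (rule id, severity, or title differs)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(v for v in set(old) & set(new) if old[v] != new[v])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    delta = diff_benchmarks(parse_manual_xccdf(OLD_XML), parse_manual_xccdf(NEW_XML))
    for kind, ids in delta.items():
        print(f"{kind}: {', '.join(ids) or '-'}")
```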
The open source version lets you add a system package, which is a collection of servers, devices, checklists, patch scans, etc. It equates to an ATO. OpenRMF OSS allows you to have multiple system packages, with checklists per system package to track and edit, and lets you upload 1 .nessus patch file to associate with each system package. It is basically for smaller groups of people who do not want to edit the POA&M online and do not care about multi-tenancy or tracking score trends on patches and system packages over time.
This version is for people who want to try out OpenRMF to see what it does, and for small teams or individuals who are only managing one ATO, or at most two, with a small number of hosts and devices to track. They can also get by with 1 .nessus scan data file, as the listing of devices is not too large. It is still powerful enough to save you time, money, and frustration by automating collection, reporting, display, and actions relating to RMF data.
You need a computer with Docker on it. And you need access to either a) pull the container images off DockerHub.com directly or b) pull them down on another computer, save them off as files, and load them onto your computer running Docker that will launch OpenRMF. Alternatively, you can use the included Helm chart for Kubernetes 1.15 or higher.
Indirectly, yes we do. It is done via GitHub issues, the OpenRMF Slack channel (linked off the https://www.openrmf.io/ website), email, and community support. There is no dedicated "helpdesk" email or phone number in the strict sense of the word support. But there is active support in the community in various ways.