Enhance cybersecurity awareness and survivability for DoD, industry partners, and academia in the face of the ever-increasing threat of cyber attacks. Cybersecurity (CS) includes managing risks related to the use, processing, storage, and transmission of information and the systems and processes used for those purposes, including analog and physical form. CS includes information availability, identification and authentication, confidentiality, integrity, and non-repudiation as well as the economic considerations with respect to selection of CS techniques, CS processes, and industry trends.
Website for researching and indexing DIACAP, RMF, CCI, STIGs and SCAPs
This topic contains 12 replies, has 1 voice, and was last updated by 
-
Topic
-
Alcon,
I made a website to help with DIACAP, RMF, STIGS and SCAPs. The URL is:
This site will allow you to review all RMF and DIACAP security controls. The details for each control also shows related Security Controls and CCI items. There are also pages that show the details for DISA’s STIGs and SCAPs. These detailed pages allow you to analyze all security requirements and monitor changes in the requirements over time via comparison dialogs.
There is also a built in search engine that will accept keywords, terms, ID’s and phrases. For instance, you can search for “V-1080”, “SV-12345r1_rule”, “CCI-001234”, “cryptography” or even “password complexity”. The returned results will show you any linked security controls and STIG/SCAP requirements.
The site is about 3 weeks old and is ready for beta testing. Your feedback is welcome!
-
Replies
-
This is a great site and I appreciate you sharing this with all of us! I like the clean, simple design and layout of the website with a lot of good information in one place. I really like how you have added related controls, enhancements, references, and instructions all together. I do have a couple suggestions for the 800-53 RMF – Security Controls webpage since that is where most of my experience comes from.
1. I think you should show what revision you are referring to for the NIST 800-53 (the latest is Rev. 4) just so the user is aware they are seeing the latest updates.
2. Having the ability to search or filter by CCI level or control enhancements would be helpful.
3. I also noticed that it doesn’t contain anything from the NIST 800-53 – Appendix J, “Privacy Controls”. I think those should be included into your site and shown if an organization does anything with personally identifiable information (PII).
4. This suggestion is more of a fix, but it seems that when you click the “High” impact level button on the 800-53 security control screen, it only displays 11 controls when it says there should be 170.
5. It would be nice to just be shown all the applicable controls/enhancements/privacy controls, based on the users system or applications impact level selected. Currently, if you select “High”, you are only shown the high baseline impact level controls but not the high control enhancements from low or moderate baseline impact controls (ex. AC-2(5)).
The SCAPs and STIGs webpage looks and works great. I would just say make sure its kept up-to-date with the latest SCAPs & STIGs. I did a quick search for Microsoft Exchange 2016 and did not see it come up. Also, just make sure you change the page title for the SCAP page and also both descriptions for the pages which I’m sure you know.
Again, this site is great and has tons of potential to be a great reference or starting point for any organization having to do RMF work. Thanks for sharing!
Nick
-
1. I think you should show what revision you are referring to for the NIST 800-53 (the latest is Rev. 4) just so the user is aware they are seeing the latest updates.
wwwdaze2000 – Added to the heading at the top -
2. Having the ability to search or filter by CCI level or control enhancements would be helpful.
wwwdaze2000 – I’ve updated the search engine to allow for quoted searches that include enhancements. Such as: “AC-2 (5)” including the quotes -
3. I also noticed that it doesn’t contain anything from the NIST 800-53 – Appendix J, “Privacy Controls”. I think those should be included into your site and shown if an organization does anything with personally identifiable information (PII).
wwwdaze2000 – These controls were not part of the initial XML file NIST published. I will see about incorporating them soon. Right now I only have a PDF file, so it will take a bit to move things over. -
4. This suggestion is more of a fix, but it seems that when you click the “High” impact level button on the 800-53 security control screen, it only displays 11 controls when it says there should be 170.
wwwdaze2000 – This one was cumbersome, but I’m glad you pointed it out. The problem was each control can have multiple levels (high, medium and low). The table was only showing the ‘lowest’, not all of them. Should filter better now. I made this update on the details table as well. -
5. It would be nice to just be shown all…
wwwdaze2000 – I want to keep the two sections separate by design. I want the buttons on the main index to only affect the table on the main page. The details dialog is reloaded for each control selection and I think that would cause confusion if someone forgets they clicked the HIGH button for example. As such, I added a set of buttons within the enhancements section that should give you the filtering you are looking for. -
6. The SCAPs and STIGs webpage looks and works great. I would just say make sure its kept up-to-date with the latest SCAPs & STIGs. I did a quick search for Microsoft Exchange 2016 and did not see it come up. Also, just make sure you change the page title for the SCAP page and also both descriptions for the pages which I’m sure you know.
wwwdaze2000 – Well that was unfortunate. I loaded everything from the DISA Compilation ZIP files. It appears Exchange 2016 is not included in the release from July. Will have to find some other way to make sure all the data is present.As for the paragraph :)….looks like I ran out of coffee on those pages. Updating now.
-
Great work! I will be sure to use this site and recommend it to my colleagues in the RMF field.
-
Thanks so much. I hope it proves useful. Please feel free to keep the feedback coming, I really do want to make this the best site of its kind.
-
I’ve manually downloaded the STIGs updated since July 1 (100 of them) and am importing them now. Will work on scaps next. Exchange is included in this batch.
-
All the scaps (1.1 and 1.2) are now ingested and I’ve also ingested the sunsetted products. This should be every STIG and SCAP DISA has put out. Now it’s just a matter of hunting down the missing versions (say I have V1R1 and V1R5….I need to find V1R2 thru B1R4). Thanks again for all your feedback
-
Small update. I’ve added a CCI Panel (all the CCI’s in a sortable/searchable page)….and a client side Scans to Poam module that will ingest scans (ACAS, SCAP and CKL), and generate an XLS spreadsheet with a RAR/POAM/Test Plan and several other tabs of useful information.
You must be logged in to reply to this topic.
