CSIAC

Cyber Security and Information Systems Information Analysis Center

Cybersecurity

Website for researching and indexing DIACAP, RMF, CCI, STIGs and SCAPs

  • Creator
    Topic
  • 2018-10-09 at 20:15 #50866
    wwwdaze2000
    Participant

    Alcon,

    I made a website to help with DIACAP, RMF, STIGS and SCAPs. The URL is:

    https://cyber.trackr.live

    This site will allow you to review all RMF and DIACAP security controls. The details for each control also shows related Security Controls and CCI items. There are also pages that show the details for DISA’s STIGs and SCAPs. These detailed pages allow you to analyze all security requirements and monitor changes in the requirements over time via comparison dialogs.

    There is also a built in search engine that will accept keywords, terms, ID’s and phrases. For instance, you can search for “V-1080”, “SV-12345r1_rule”, “CCI-001234”, “cryptography” or even “password complexity”. The returned results will show you any linked security controls and STIG/SCAP requirements.

    The site is about 3 weeks old and is ready for beta testing. Your feedback is welcome!

  • Creator
    Topic
Viewing 11 reply threads
  • Author
    Replies
    • 2018-10-10 at 11:48 #50872
      nmaida
      Moderator

      This is a great site and I appreciate you sharing this with all of us! I like the clean, simple design and layout of the website with a lot of good information in one place. I really like how you have added related controls, enhancements, references, and instructions all together. I do have a couple suggestions for the 800-53 RMF – Security Controls webpage since that is where most of my experience comes from.

      1. I think you should show what revision you are referring to for the NIST 800-53 (the latest is Rev. 4) just so the user is aware they are seeing the latest updates.

      2. Having the ability to search or filter by CCI level or control enhancements would be helpful.

      3. I also noticed that it doesn’t contain anything from the NIST 800-53 – Appendix J, “Privacy Controls”. I think those should be included into your site and shown if an organization does anything with personally identifiable information (PII).

      4. This suggestion is more of a fix, but it seems that when you click the “High” impact level button on the 800-53 security control screen, it only displays 11 controls when it says there should be 170.

      5. It would be nice to just be shown all the applicable controls/enhancements/privacy controls, based on the users system or applications impact level selected. Currently, if you select “High”, you are only shown the high baseline impact level controls but not the high control enhancements from low or moderate baseline impact controls (ex. AC-2(5)).

      The SCAPs and STIGs webpage looks and works great. I would just say make sure its kept up-to-date with the latest SCAPs & STIGs. I did a quick search for Microsoft Exchange 2016 and did not see it come up. Also, just make sure you change the page title for the SCAP page and also both descriptions for the pages which I’m sure you know.

      Again, this site is great and has tons of potential to be a great reference or starting point for any organization having to do RMF work. Thanks for sharing!

      Nick

    • 2018-10-10 at 21:00 #50880
      wwwdaze2000
      Participant

      1. I think you should show what revision you are referring to for the NIST 800-53 (the latest is Rev. 4) just so the user is aware they are seeing the latest updates.
      wwwdaze2000 – Added to the heading at the top

    • 2018-10-10 at 21:01 #50881
      wwwdaze2000
      Participant

      2. Having the ability to search or filter by CCI level or control enhancements would be helpful.
      wwwdaze2000 – I’ve updated the search engine to allow for quoted searches that include enhancements. Such as: “AC-2 (5)” including the quotes

    • 2018-10-10 at 21:04 #50882
      wwwdaze2000
      Participant

      3. I also noticed that it doesn’t contain anything from the NIST 800-53 – Appendix J, “Privacy Controls”. I think those should be included into your site and shown if an organization does anything with personally identifiable information (PII).
      wwwdaze2000 – These controls were not part of the initial XML file NIST published. I will see about incorporating them soon. Right now I only have a PDF file, so it will take a bit to move things over.

    • 2018-10-10 at 21:07 #50883
      wwwdaze2000
      Participant

      4. This suggestion is more of a fix, but it seems that when you click the “High” impact level button on the 800-53 security control screen, it only displays 11 controls when it says there should be 170.
      wwwdaze2000 – This one was cumbersome, but I’m glad you pointed it out. The problem was each control can have multiple levels (high, medium and low). The table was only showing the ‘lowest’, not all of them. Should filter better now. I made this update on the details table as well.

    • 2018-10-10 at 21:10 #50884
      wwwdaze2000
      Participant

      5. It would be nice to just be shown all…
      wwwdaze2000 – I want to keep the two sections separate by design. I want the buttons on the main index to only affect the table on the main page. The details dialog is reloaded for each control selection and I think that would cause confusion if someone forgets they clicked the HIGH button for example. As such, I added a set of buttons within the enhancements section that should give you the filtering you are looking for.

    • 2018-10-10 at 21:12 #50885
      wwwdaze2000
      Participant

      6. The SCAPs and STIGs webpage looks and works great. I would just say make sure its kept up-to-date with the latest SCAPs & STIGs. I did a quick search for Microsoft Exchange 2016 and did not see it come up. Also, just make sure you change the page title for the SCAP page and also both descriptions for the pages which I’m sure you know.
      wwwdaze2000 – Well that was unfortunate. I loaded everything from the DISA Compilation ZIP files. It appears Exchange 2016 is not included in the release from July. Will have to find some other way to make sure all the data is present.

      As for the paragraph :)….looks like I ran out of coffee on those pages. Updating now.

    • 2018-10-11 at 09:39 #50904
      nmaida
      Moderator

      Great work! I will be sure to use this site and recommend it to my colleagues in the RMF field.

    • 2018-10-11 at 19:32 #50923
      wwwdaze2000
      Participant

      Thanks so much. I hope it proves useful. Please feel free to keep the feedback coming, I really do want to make this the best site of its kind.

    • 2018-10-11 at 21:02 #50929
      wwwdaze2000
      Participant

      I’ve manually downloaded the STIGs updated since July 1 (100 of them) and am importing them now. Will work on scaps next. Exchange is included in this batch.

    • 2018-10-12 at 00:35 #50940
      wwwdaze2000
      Participant

      All the scaps (1.1 and 1.2) are now ingested and I’ve also ingested the sunsetted products. This should be every STIG and SCAP DISA has put out. Now it’s just a matter of hunting down the missing versions (say I have V1R1 and V1R5….I need to find V1R2 thru B1R4). Thanks again for all your feedback

    • 2018-12-04 at 18:20 #52131
      wwwdaze2000
      Participant

      Small update. I’ve added a CCI Panel (all the CCI’s in a sortable/searchable page)….and a client side Scans to Poam module that will ingest scans (ACAS, SCAP and CKL), and generate an XLS spreadsheet with a RAR/POAM/Test Plan and several other tabs of useful information.

  • Author
    Replies
Viewing 11 reply threads

You must be logged in to reply to this topic.