The https://cyber.trackr.live tool suite is a web-based utility that aids in the development and validation of DIACAP and RMF packages. At its most basic level, the tool suite is a curated set of publicly available information presented to the end user in an easy-to-understand, easy-to-use format. The tool was designed in a modular and portable way so that a single code base can operate in both public and standalone environments. The tool suite is a web-based application that supports the Department of Defense's overall requirement to be informed and responsive across the full spectrum of cyber operations and package management. It enhances the organization's ability to keep pace with rapid changes in the Information Assurance field by presenting all applicable cyber-security data in an easy-to-use format. The tool suite also allows for both the export of requirement and security control information and the import and parsing of scan data for artifact and planning use.
The commercial version of the https://cyber.trackr.live site uses the PHP web language, the Apache web server and a MySQL database. These services are all provided by the development environment and the commercial web host. The tool suite is external to the DoD and does not include any DoD For Official Use Only (FOUO) data. The web site is only capable of providing curated data to the user base, as there are no data flows other than page requests. For all intents and purposes, the commercial site is a static site of previously ingested data.
The standalone version of the site uses a portable version of the Apache web server, a portable version of the PHP language and a SQLite data file. The standalone version of the tool is provided as a ZIP file that can be unzipped onto any computing asset. The Apache server runs locally on that system with no reach-back to the commercial domains. For the standalone version of the tool, there is no requirement for a separate database; all data operations are performed on the SQLite data file using the PHP language's built-in SQLite libraries.
All interactions with the user take place within a web browser and are completely sandboxed. This means that any interactive processing of user-supplied data occurs only within the web browser. There is no transfer of data from the web browser sandbox to any other system in any form. In a very technical sense, this means the standalone version of the tool can operate in a completely disconnected environment. Any scan files or user-supplied data points are held entirely within the web browser and are discarded once the browser is closed. This sandboxed configuration allows the standalone version of the tool suite to operate on data commensurate with the security classification of the environment the tool is operating in. As such, if the tool is running on a classified asset it can process scan results for classified machines with no risk of data spillage.
The tool suite typically operates in the commercial domain and is only used as a public information organization and dissemination tool. It regularly ingests information from DISA about publicly available STIGs and SCAPs. It also presents hierarchical data relating to RMF Controls, DIACAP Controls and CCI information. All information presented is cross-linked to all other applicable data points.
The RMF Panel on the tool suite displays all RMF security control information, as well as all cross-linked data with clickable buttons. For example, while viewing the consolidated data for the AC-3 control, the end user can also view the related DIACAP controls, the related RMF controls, the linked CCI items and all control enhancements. This information is quickly searchable and parseable. Clicking on any of the available cross-linked data points redirects the user to the applicable information. The RMF base page also presents all the security controls in a sortable and searchable table.
The DIACAP Panel on the tool suite displays all DIACAP Information Assurance (IA) control information, as well as all cross-linked data with clickable buttons. For example, while viewing the consolidated data for the COED-1 control, the end user can also view the related RMF controls, the related DIACAP controls, the linked CCI items and all control enhancements. This information is quickly searchable and parseable. Clicking on any of the available cross-linked data points redirects the user to the applicable information. The DIACAP base page also presents all the security controls in a sortable and searchable table.
The STIGs Panel on the tool suite displays all publicly available STIGs as they are released from DISA. Previous versions of all the STIGs are also available for review and comparison purposes. The base STIG page presents the available STIGs in a sortable and searchable table. The STIG data pages present all the requirements for each selected STIG in an easy-to-read and searchable format. Each individual STIG requirement is also available for review in a detailed format, including check and fix text. Export options are available to deliver the STIG requirements in CSV, JSON or XML format.
The base STIG panel also provides a link to the 'Benchmark – CCI – Control Crosswalk' spreadsheet. This large, filterable spreadsheet merges the data between all STIGs, SCAPs, CCIs and security controls. For instance, an end user can use this spreadsheet to see all vulnerabilities for the latest Windows 10 STIG. The end user can also use it to see all STIGs that are related to RMF Control AU-3. It is also possible to view which controls or SCAPs are related to CCI-002347. All of this information is updated with each release of the data sets from DISA.
The STIG Comparison module allows the end user to compare two different versions of the same STIG. Each requirement that has changed between the two versions is called out and the individual changes are highlighted. This makes policy management and change control much easier for individual programs. For instance, using the tool we can compare V1R16 and V1R15 of the Windows 10 STIG. We see that between these two versions there were no new requirements created, no old requirements deleted, and only one requirement was updated. We can tell that the check and fix text for V-63337 was updated (old and new versions of the text are presented on screen).
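The comparison described above reduces to a set difference on Vuln IDs plus a field-by-field comparison of the requirements present in both releases. The following is an added example, not the tool's own code: it assumes each STIG release has already been flattened to a mapping of Vuln ID to title, check and fix text, and the two sample releases (hypothetical V-IDs and text) are constructed to show one updated, one deleted and one new requirement.

```python
"""Compare two releases of a STIG and highlight what changed per requirement."""
import difflib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Requirement = Dict[str, str]      # fields: title, check, fix
Stig = Dict[str, Requirement]     # keyed by Vuln ID, e.g. "V-100001"

# Constructed sample releases (hypothetical V-IDs and text, not real STIG content).
OLD_RELEASE: Stig = {
    "V-100001": {"title": "Account lockout threshold",
                 "check": "Verify the lockout threshold is set to 3.",
                 "fix": "Configure the lockout threshold to 3."},
    "V-100002": {"title": "Audit logon events",
                 "check": "Verify logon auditing is enabled.",
                 "fix": "Enable logon auditing."},
    "V-100003": {"title": "Legacy protocol disabled",
                 "check": "Verify the legacy protocol is disabled.",
                 "fix": "Disable the legacy protocol."},
}
NEW_RELEASE: Stig = {
    "V-100001": {"title": "Account lockout threshold",
                 "check": "Verify the lockout threshold is set to 3 or fewer.",
                 "fix": "Configure the lockout threshold to 3 or fewer."},
    "V-100002": {"title": "Audit logon events",
                 "check": "Verify logon auditing is enabled.",
                 "fix": "Enable logon auditing."},
    "V-100004": {"title": "Credential isolation enabled",
                 "check": "Verify credential isolation is enabled.",
                 "fix": "Enable credential isolation."},
}

COMPARED_FIELDS = ("title", "check", "fix")


@dataclass
class StigDiff:
    added: List[str] = field(default_factory=list)                       # only in new release
    deleted: List[str] = field(default_factory=list)                     # only in old release
    # vid -> {field: (old_text, new_text)} for requirements whose text changed
    updated: Dict[str, Dict[str, Tuple[str, str]]] = field(default_factory=dict)


def compare_stigs(old: Stig, new: Stig) -> StigDiff:
    """Classify every Vuln ID as added, deleted, updated or unchanged."""
    diff = StigDiff()
    diff.added = sorted(set(new) - set(old))
    diff.deleted = sorted(set(old) - set(new))
    for vid in sorted(set(old) & set(new)):
        changed = {
            f: (old[vid].get(f, ""), new[vid].get(f, ""))
            for f in COMPARED_FIELDS
            if old[vid].get(f, "") != new[vid].get(f, "")
        }
        if changed:
            diff.updated[vid] = changed
    return diff


def highlight(old_text: str, new_text: str) -> str:
    """Word-level diff: removed words in [-...-], inserted words in {+...+}."""
    old_words, new_words = old_text.split(), new_text.split()
    matcher = difflib.SequenceMatcher(a=old_words, b=new_words)
    out: List[str] = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op == "equal":
            out.extend(old_words[i1:i2])
            continue
        if i2 > i1:
            out.append("[-" + " ".join(old_words[i1:i2]) + "-]")
        if j2 > j1:
            out.append("{+" + " ".join(new_words[j1:j2]) + "+}")
    return " ".join(out)


def summarize(diff: StigDiff) -> Dict[str, int]:
    """Counts matching the tool's 'new / deleted / updated' summary line."""
    return {"new": len(diff.added), "deleted": len(diff.deleted), "updated": len(diff.updated)}


if __name__ == "__main__":
    result = compare_stigs(OLD_RELEASE, NEW_RELEASE)
    print(summarize(result))
    for vid, fields in result.updated.items():
        for name, (before, after) in fields.items():
            print(f"{vid} {name}: {highlight(before, after)}")
```

Comparing on normalized text (for example, collapsing whitespace before the field comparison) avoids reporting a requirement as updated when only formatting changed between releases; the comparison above is exact on purpose so every difference is visible.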
The publicly available STIG information is manually ingested from DISA during their quarterly release cycles.
The SCAP Panel on the tool suite displays all publicly available SCAPs as they are released from DISA. The base SCAP page presents the available SCAPs in a sortable and searchable table. The SCAP data pages present all the requirements for each selected SCAP in an easy-to-read and searchable format. Each individual SCAP requirement is also available for review in a detailed format, including check and fix text.
The publicly available SCAP information is manually ingested from DISA during their quarterly release cycles.
The CCI Panel shows all the CCIs that DISA has released and deemed publicly available. Each CCI is presented in a searchable and sortable table, along with all linked RMF and DIACAP controls. Using the table search functions it is easy to see that RMF Control IA-5 and DIACAP Controls IAIA-1, IAIA-2, IATS-1 and IATS-2 are all linked to password-related CCI items.
This tool also includes a custom-built search engine that can be used to list data points relating to search terms and phrases. For instance, you can search for 'password complexity' or 'v-1234' to find controls, checks, fixes and CCIs related to those terms or phrases. All field types for all ingested data sets are parsed and indexed for inclusion in the custom search engine.
The tool suite is developed in such a way as to create a client-based sandboxed environment that prevents application or user-submitted data from leaving the client-side web browser. This ensures that the application is able to run in an entirely disconnected environment and does not transmit any information or requests over the network. This sandboxed environment allows the tool to operate on any data that is commensurate with the classification level of the system processing the data. The sandbox disconnects all data flows from the web browser to external sources, so there is no risk of data spillage.
With the restricted sandbox in place, the tool is able to safely process scan-related data. As such, each of the STIG pages has an Update STIG function available. With this function, an end user can take an old or outdated CKL and update that CKL to the current version and release. For instance, if a user has V1R12 of the Windows 10 STIG they can drop that CKL onto the current version of the Windows 10 STIG and a new CKL will be generated containing all the old status and comment data.
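The carry-forward step above is a join on Vuln ID between the old checklist and the current release's requirement list. The following is an added example, not the tool's own code: it parses a deliberately simplified checklist (a real STIG Viewer CKL carries an ASSET block and many more STIG_DATA attributes), keeps status, finding details and comments for every Vuln ID that still exists, marks requirements new in the current release as Not_Reviewed, and reports the ones that were dropped so the reviewer knows which old results did not carry over. The CKL text and V-IDs are constructed for the example.

```python
"""Carry status and comments from an old CKL forward to a newer STIG release."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Result = Dict[str, str]   # keys: status, finding_details, comments

# Constructed, simplified checklist (hypothetical V-IDs; not a real CKL).
OLD_CKL = """<CHECKLIST>
  <STIGS><iSTIG>
    <STIG_INFO>
      <SI_DATA><SID_NAME>version</SID_NAME><SID_DATA>1</SID_DATA></SI_DATA>
      <SI_DATA><SID_NAME>releaseinfo</SID_NAME><SID_DATA>Release: 12</SID_DATA></SI_DATA>
    </STIG_INFO>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100001</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>NotAFinding</STATUS>
      <FINDING_DETAILS>Lockout threshold observed at 3.</FINDING_DETAILS>
      <COMMENTS>Verified by ISSO.</COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100002</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Open</STATUS>
      <FINDING_DETAILS>Auditing disabled.</FINDING_DETAILS>
      <COMMENTS>Tracked on POA&amp;M.</COMMENTS>
    </VULN>
    <VULN>
      <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>V-100003</ATTRIBUTE_DATA></STIG_DATA>
      <STATUS>Not_Applicable</STATUS>
      <FINDING_DETAILS></FINDING_DETAILS>
      <COMMENTS>Feature not installed.</COMMENTS>
    </VULN>
  </iSTIG></STIGS>
</CHECKLIST>"""

# Constructed requirement list for the current release: V-100003 was retired,
# V-100004 is new.
CURRENT_VULNS: List[str] = ["V-100001", "V-100002", "V-100004"]


def parse_ckl(xml_text: str) -> Dict[str, Result]:
    """Extract per-requirement results keyed by Vuln ID."""
    results: Dict[str, Result] = {}
    root = ET.fromstring(xml_text)
    for vuln in root.iter("VULN"):
        vid = ""
        for data in vuln.findall("STIG_DATA"):
            if data.findtext("VULN_ATTRIBUTE") == "Vuln_Num":
                vid = (data.findtext("ATTRIBUTE_DATA") or "").strip()
        if not vid:
            continue   # malformed entry: no Vuln_Num, nothing to key on
        results[vid] = {
            "status": (vuln.findtext("STATUS") or "Not_Reviewed").strip(),
            "finding_details": vuln.findtext("FINDING_DETAILS") or "",
            "comments": vuln.findtext("COMMENTS") or "",
        }
    return results


def update_ckl(old: Dict[str, Result],
               current_vulns: List[str]) -> Tuple[Dict[str, Result], List[str], List[str]]:
    """Return (results for the current release, newly added V-IDs, dropped V-IDs)."""
    new: Dict[str, Result] = {}
    added: List[str] = []
    for vid in current_vulns:
        if vid in old:
            new[vid] = dict(old[vid])                 # carry the reviewer's work forward
        else:
            new[vid] = {"status": "Not_Reviewed", "finding_details": "", "comments": ""}
            added.append(vid)
    dropped = sorted(set(old) - set(current_vulns))   # old results with no home in the new release
    return new, added, dropped


def build_ckl(results: Dict[str, Result], version: str, release: str) -> str:
    """Serialize results back into the same simplified checklist shape."""
    root = ET.Element("CHECKLIST")
    istig = ET.SubElement(ET.SubElement(root, "STIGS"), "iSTIG")
    info = ET.SubElement(istig, "STIG_INFO")
    for name, value in (("version", version), ("releaseinfo", f"Release: {release}")):
        si = ET.SubElement(info, "SI_DATA")
        ET.SubElement(si, "SID_NAME").text = name
        ET.SubElement(si, "SID_DATA").text = value
    for vid, r in results.items():
        vuln = ET.SubElement(istig, "VULN")
        data = ET.SubElement(vuln, "STIG_DATA")
        ET.SubElement(data, "VULN_ATTRIBUTE").text = "Vuln_Num"
        ET.SubElement(data, "ATTRIBUTE_DATA").text = vid
        ET.SubElement(vuln, "STATUS").text = r["status"]
        ET.SubElement(vuln, "FINDING_DETAILS").text = r["finding_details"]
        ET.SubElement(vuln, "COMMENTS").text = r["comments"]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    updated, added, dropped = update_ckl(parse_ckl(OLD_CKL), CURRENT_VULNS)
    print("added:", added, "dropped:", dropped)
    print(build_ckl(updated, "1", "16"))
```

Reporting the dropped list matters in review: a finding that was Open in the old checklist and simply disappears from the new one should be closed deliberately, not lost in the migration.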
Scans to POA&M
The https://cyber.trackr.live tool also has the ability to generate an advanced POAM-type artifact based on user-submitted scan results. The Scans to POAM module is able to ingest and parse ACAS scans, SCAP scans and STIG CKLs. The resulting Excel spreadsheet has the following tabs:
- STIG Data - This is just a dump of the requirements for the STIGs that were executed. It is included for research purposes so the agent can review what is required.
- CCI Data - This is a dump of all of the CCI Requirements, similar to the above STIG data. This is just used for research purposes.
- RMF Data - As above, this is a dump of all the data for each RMF Control.
- ACAS Unique Vuln - This is a conglomerated ACAS Unique Vulnerability report. Just like the reports submitted with each package, only this is a single report based off of all processed ACAS Scans.
- ACAS Unique IAVA - Just like the unique vulnerability report, this is a combined IAVM report based off of ACAS scan data.
- Local Users - This is a report of all the local users for each host scanned. This is based off the submitted ACAS Scans.
- Operating Systems - This is a breakdown of all the Operating Systems present in the selected ACAS Scans.
- PPSM - This is the dump of the PPSM data based off the processed scans. This can be used for the PPSM artifact for a package.
- Windows Software - This is a dump of all the software (including vendors and versions) for all the windows hosts that were present in the processed ACAS Scans.
- Issues - This tab shows issues between SCAP and STIG results. For instance, if a CKL says a requirement is closed but the same SCAP scan shows it as open, it will show up on this page. Ideally, this tab should be empty.
- Raw Data - This is a raw dump of all the scans that were processed. This is used to get granular details on findings and entries within the tab.
- Summary - This is a summary of all the scans that were processed. This includes the type of scan, the impacted hosts, the open findings and a 'score' that is calculated using the Tenable score algorithm.
- RAR/POAM/POAM56 - These are the respective artifacts. The RAR tab is expected to be uploaded as an artifact. The POAM56 tab is the current version of the POAM in the format eMASS is expecting. This tab can be imported once it is pasted into the eMASS Import template.
- Test Plan - This is the test plan that is generated based off the scans that were selected.
- Traceability - This tab is used to ensure traceability between the RAR/POAM/POAM56 tabs. This is used to make sure all the findings are properly designated on each tab. For instance, if you mark a requirement as completed on the RAR but not on the POAM or POAM56 tabs, the numbers on the traceability tab will show that inconsistency.
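The Issues tab and the Traceability tab are both reconciliation checks over the same set of findings: the first compares a CKL status against the SCAP result for the same requirement, the second compares how one finding is recorded across the RAR, POAM and POAM56 tabs. The following is an added example of both checks, not the tool's own code. It assumes CKL statuses use the STIG Viewer vocabulary (NotAFinding, Open, Not_Applicable, Not_Reviewed) and SCAP results use the XCCDF result values (pass, fail, notapplicable, notchecked); the rule that NotAFinding must pair with pass and Open with fail, and that only those two statuses make a definite claim, is the example's own assumption. The per-host results and tab contents are constructed, with hypothetical V-IDs.

```python
"""Reconcile CKL vs SCAP results, and RAR/POAM/POAM56 tabs against each other."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed results for one host (hypothetical V-IDs).
CKL_STATUS: Dict[str, str] = {
    "V-100001": "NotAFinding",
    "V-100002": "Open",
    "V-100003": "Not_Applicable",
    "V-100005": "NotAFinding",      # reviewer closed it ...
}
SCAP_RESULT: Dict[str, str] = {
    "V-100001": "pass",
    "V-100002": "fail",
    "V-100003": "notapplicable",
    "V-100005": "fail",             # ... but the automated check still fails
    "V-100006": "fail",             # automated-only requirement, no CKL entry
}

# Assumed mapping: CKL statuses that make a definite claim and the SCAP result each implies.
EXPECTED_SCAP = {"NotAFinding": "pass", "Open": "fail"}
DEFINITE_SCAP = {"pass", "fail"}    # notchecked / notapplicable are not contradictions


def find_issues(ckl: Dict[str, str], scap: Dict[str, str]) -> List[Dict[str, str]]:
    """Rows for the Issues tab: requirements where CKL and SCAP disagree outright."""
    issues = []
    for vid in sorted(set(ckl) & set(scap)):
        expected = EXPECTED_SCAP.get(ckl[vid])
        actual = scap[vid]
        if expected and actual in DEFINITE_SCAP and actual != expected:
            issues.append({"vuln": vid, "ckl": ckl[vid], "scap": actual})
    return issues


# Constructed artifact tabs: each maps a finding to the status recorded on that tab.
TABS: Dict[str, Dict[str, str]] = {
    "RAR":    {"V-100002": "Ongoing", "V-100005": "Completed"},
    "POAM":   {"V-100002": "Ongoing", "V-100005": "Ongoing"},
    "POAM56": {"V-100002": "Ongoing"},
}


def check_traceability(tabs: Dict[str, Dict[str, str]]
                       ) -> Tuple[Dict[str, Dict[str, int]], Dict[str, Dict[str, str]]]:
    """Return per-tab status counts and the findings whose designation differs across tabs."""
    all_vids = set().union(*tabs.values())
    inconsistent: Dict[str, Dict[str, str]] = {}
    for vid in sorted(all_vids):
        statuses = {tab: rows.get(vid, "MISSING") for tab, rows in tabs.items()}
        if len(set(statuses.values())) > 1:
            inconsistent[vid] = statuses
    counts = {tab: dict(Counter(rows.values())) for tab, rows in tabs.items()}
    return counts, inconsistent


if __name__ == "__main__":
    for issue in find_issues(CKL_STATUS, SCAP_RESULT):
        print("ISSUE", issue)
    counts, bad = check_traceability(TABS)
    print("counts per tab:", counts)
    for vid, statuses in bad.items():
        print("TRACEABILITY", vid, statuses)
```

The count table is what the Traceability tab shows at a glance (the totals per status should agree across the three tabs); the per-finding listing is the detail a reviewer needs to fix the row that drifted.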