§ I · Origin
A side project that stuck.
I built this to help with a full-time cyber security job. Public.cyber.mil left a lot to be desired, and I wanted a single place that was fast, easy to browse, and had everything I needed for RMF work in one spot — including the parts that turn into POAMs.
What started as a tool just for me grew into a reference others use too. It’s been running for nearly a decade at this point. I keep it going because the work still helps me, and because solving the puzzle is its own reward.
§ II · What this is, and isn’t
An independent project — not an authoritative source.
Cyber Trackr is not affiliated with, endorsed by, or sponsored by the Department of Defense, DISA, NIST, or any other government agency. There is no official funding behind it, and there’s no organization to escalate to. It’s just me.
For authoritative copies of any document published here, always go back to the source — public.cyber.mil for STIGs and SCAP, csrc.nist.gov for NIST publications. This site is a convenience layer over those, kept in sync but not a replacement.
§ III · Principles
What I optimize for.
- Free and ad-free.
  No paywalls, no banners, no upsells. Everything visible to anyone with a browser.
- No signup, no tracking.
  No accounts, no analytics chasing you around the web. Open the page, get what you need, leave.
- Read-only by design.
  The site doesn’t accept user data or store anything personal — it can’t leak what it never collects, and there’s no surface for malicious input.
- Fast and easy to browse.
  Pages are static-feeling and keyboard-friendly. Search hits across STIGs, controls, CCIs, and rules from one box.
- Constantly updated.
  DISA and NIST sources are pulled and indexed on a schedule. The footer shows the freshness of each feed.
- Open data via REST.
  A documented REST API mirrors the same dataset so other tools can pull from it without scraping.
§ IV · Who it’s for
Anyone doing the work.
The audience cuts across the whole RMF lifecycle. Assessors use it for research and to cross-reference controls. Sysadmins use it to look up the actual implementation steps when applying a STIG. Auditors lean on it for package support and traceability. Engineers, ISSMs, and policy folks use it to navigate between CCIs, controls, and SRGs without bouncing through five tabs.
If your day touches DoD or federal compliance in any form, there’s probably something here for you.
§ V · How it’s run
Self-funded, slowly improved, not going anywhere.
Hosting, sync infrastructure, and development time all come out of pocket. That’s a blessing and a curse: there’s no roadmap dictated from above, but there’s also no team — features land when I have time and motivation to land them.
The upside for you: the site has been online for almost ten years and it’s not going away anytime soon. As long as I find the puzzle interesting, the lights stay on.
§ VI · What’s next
More datasets, as I find them.
The roadmap is “whatever feels useful next.” Things on my list to evaluate include ACAS plugin data, CVE / NVD coverage, IAVMs, and selected DoD policy documents. If a dataset would clearly help RMF or assessment work, I’ll look at integrating it.
Have a dataset you wish were here? Tell me — the best feature requests so far have all come from people doing the work.