Deploy OpenRMF on Docker

Happy devSecOps

(λx.x)eranga
Effectz.AI
8 min read, Aug 21, 2022

Risk Management Framework(RMF)

The Risk Management Framework (RMF) is a set of guidelines for a risk-based approach to information system security and information privacy. The framework is comprehensive and is used to design and embed risk management processes within the information system development and deployment lifecycle. It allows organizations to scale cybersecurity defenses according to the level of threat and encourages ongoing monitoring of system security. At least five crucial components must be considered when creating a risk management framework: risk identification; risk measurement and assessment; risk mitigation; risk reporting and monitoring; and risk governance. The RMF approach can be applied to new and legacy systems, to any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector. The RMF was originally developed by the Department of Defense (DoD) and was then adopted by the rest of the US federal information systems to comply more effectively with policies like the Privacy Act of 1974, the Federal Information Security Modernization Act of 2014 (FISMA), and other regulations.

NIST RMF

There are several risk management frameworks that define guidelines/controls for securing different types of systems (e.g. NIST/NIST 800–53, COBIT, COSO, FedRAMP). The NIST Risk Management Framework, also known as NIST 800–53, is a federal guideline for organizations to assess and manage risks to their computers and information systems. This framework was established by the National Institute of Science and Technology to ensure the security of defense and intelligence networks. Federal agencies are required to comply with the framework, but private companies and other organizations may also benefit from following its guidelines. Even though it targets United States government IT systems, NIST can easily be adopted by any organization (government or private), since it provides a solid foundation for any data security strategy. NIST defines 7 steps for handling cyber risk management in United States government IT systems. Following are the RMF steps defined by NIST.

Further, it offers a catalog of security guidelines/controls that define how United States government IT systems must be architected, secured, and monitored. The security controls described in NIST SP 800–53 are organized into 18 families. Each family contains security controls related to the general security topic of the family (there are more than 1000 individual controls across these control families). Security controls may involve aspects of policy, oversight, supervision, manual processes, actions by individuals, or automated mechanisms implemented by information systems or devices. Following are the 18 security control families. The controls in these families are applied based on the impact level of the system (there are three main impact levels: High impact, Medium impact, and Low impact).

Now let’s discuss the RMF steps and controls using an example scenario. Assume an organization has two systems: System 1 is a simple website that publishes basic information about the organization, and System 2 is a data store of customer credentials (e.g. Social Security Numbers). System 1 has Low impact and System 2 has High impact, since it contains sensitive data. This categorization happens in RMF Step 2. Based on the impact level, we have to decide which controls need to be applied to the system; this happens in RMF Step 3. Once the controls are identified, they need to be implemented in the system. This is done by system admins, database admins, or security staff in the organization, and different automation tools (e.g. OpenSCAP) can be used to implement different controls. The implementation of controls happens in RMF Step 4. After that, the implemented controls need to be assessed, which happens in RMF Step 5. In RMF Step 6, the responsible official at the organization authorizes the system and guarantees that they accept its security level; here the responsible official accepts and takes on the risk of the system, since someone has to take that risk. The final step (Step 7) is continuously monitoring the system and checking that it is working as intended under the implemented controls. Read more details about the RMF steps from here.

Open RMF

From the above discussion of the RMF process, you can see that it is a heavyweight process that takes a lot of time. The current way to implement the Risk Management Framework is very manual and very slow. It is driven by disparate pieces: a Java viewer for checklists, massive numbers of MS Excel spreadsheets for viewing the checklists for management, MS Word documents, various PDF files, your own home-grown applications to help automate pieces of this process, and more. Information is shared via email and shared folders, and there is no one central place for developers, operations, management, and cybersecurity analysts to see the most up-to-date information that is needed to eventually submit to eMASS.

OpenRMF solves the dilemmas of the manual RMF process. All you need is a web browser to view the pertinent information on the checklists within your system. Checklists are grouped by system and quickly show information such as the number of Category 1, 2, and 3 items, as well as the number of Open items versus the Not a Finding (closed) items, without having to open every single checklist file in the heavy Java viewer DISA provides. OpenRMF manages your RMF documentation and allows management to view the status of checklists and RMF progress on their systems. It allows IT administrators and developers to store their checklists and scans in a single place. It allows cybersecurity analysts to see the status of systems at a quick glance. And it allows assessors to have a single place to view the system and all its checklists, so their job is more organized. OpenRMF is the only web-based open source tool to manage your DoD STIG checklists, generate NIST compliance, keep track of your security items that are Open or Not Reviewed, and massively shrink your timeline to collect data and submit for an ATO. Read more information about OpenRMF in the official documentation. Following are some main features of OpenRMF.

In this post I’m going to discuss deploying OpenRMF with Docker. Following are the main steps to follow. All the deployment files related to this post are available on gitlab. Please clone the repo and follow along with the post.

Deploy KeyCloak

OpenRMF uses KeyCloak (an Identity and Access Management tool) to handle the authentication/authorization functions. First I need to deploy KeyCloak and configure it. Following is the docker-compose.yml deployment of KeyCloak (it is located in the keycloak-deployment directory).

There is a start.sh command to deploy the KeyCloak services with docker-compose.yml. There are two volume mappings (themes and standalone-ha.xml) in the docker-compose.yml file. I put the contents of these volumes into the /private/var/services/keycloak directory before starting the services.

Once the KeyCloak services are deployed, I have to configure them. The script setup-realm-linux.sh will do that. It will ask for the IP address of the machine running KeyCloak and the admin user credentials (username/password).

Once KeyCloak is set up, the KeyCloak web UI will be available at http://<keycloak-ip>:9001. I can log in to the web UI and change the password of the admin user as below (Users, View all users, select the admin user, Credentials in the KeyCloak web UI). These user credentials will be used to sign in to the OpenRMF web UI.

Deploy OpenRMF

Now I can deploy the OpenRMF related services. Following is the docker-compose.yml file to deploy the services (it is located in the openrmf-deployment directory). OpenRMF is built on a microservices architecture, so it has several services including OpenRMF Web, Nginx, Grafana, Prometheus, MongoDB, NATS Stream, etc.

There is a start.sh command to start the OpenRMF services with docker-compose.yml. Before starting the services, I have to set the KeyCloak service IP address as an environment variable in the .env file as below; only then will OpenRMF know the IP address of the KeyCloak service.

There are several volume mappings (nginx.conf, initialize.js, prometheus.yml) in the docker-compose.yml file. I put the contents of these volumes into the /private/var/services/openrmf directory before starting the services.

Once the services are started, the OpenRMF web UI will be running at http://<openrmf-ip>:8080. It first redirects to the KeyCloak login screen, since OpenRMF uses KeyCloak as its auth service. I log in with the admin credentials. Now from the OpenRMF web UI I can manage all RMF checklists, reports, Nessus scan files, etc.
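A small pre-flight script that ties the two procedures above together (an added example, not code from the post or its gitlab repo): it verifies the bind-mount sources the post names under /private/var/services/keycloak and /private/var/services/openrmf, reads the KeyCloak IP from the .env file, and waits for KeyCloak on port 9001 before the OpenRMF start.sh is run. The .env path ./openrmf-deployment/.env and the variable name KEYCLOAK_IP are assumptions; substitute whatever the repo's .env actually defines.

```shell
#!/bin/sh
# Pre-flight check for the two start.sh scripts above: added example, not
# part of the post's gitlab repo. Paths and ports come from the post; the
# .env location and the variable name KEYCLOAK_IP are assumptions.
KEYCLOAK_VOL=/private/var/services/keycloak
OPENRMF_VOL=/private/var/services/openrmf
ENV_FILE=./openrmf-deployment/.env
KEYCLOAK_PORT=9001

# check_volume_files DIR NAME... : succeed only if every NAME exists under DIR
# (docker creates a missing bind-mount source as an empty dir, hiding the error).
check_volume_files() {
    dir=$1; shift
    missing=0
    for name in "$@"; do
        if [ ! -e "$dir/$name" ]; then
            echo "missing volume source: $dir/$name" >&2
            missing=1
        fi
    done
    return $missing
}
# read_env_var FILE NAME : print NAME's value from a KEY=VALUE .env file;
# fail if the file, the key, or the value is missing (quotes/CR stripped).
read_env_var() {
    file=$1; name=$2
    [ -f "$file" ] || return 1
    value=$(sed -n "s/^[[:space:]]*$name=//p" "$file" | tail -n 1 | tr -d '"\r')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}
# wait_for_http URL TRIES : poll URL once per second until it answers.
wait_for_http() {
    url=$1; tries=$2
    while [ "$tries" -gt 0 ]; do
        curl -sSf -o /dev/null "$url" 2>/dev/null && return 0
        tries=$((tries - 1)); sleep 1
    done
    return 1
}
preflight_main() {
    check_volume_files "$KEYCLOAK_VOL" themes standalone-ha.xml || exit 1
    check_volume_files "$OPENRMF_VOL" nginx.conf initialize.js prometheus.yml || exit 1
    kc_ip=$(read_env_var "$ENV_FILE" KEYCLOAK_IP) || { echo "KEYCLOAK_IP not set in $ENV_FILE" >&2; exit 1; }
    wait_for_http "http://$kc_ip:$KEYCLOAK_PORT/" 30 || { echo "KeyCloak not answering at $kc_ip:$KEYCLOAK_PORT" >&2; exit 1; }
    echo "pre-flight OK: run openrmf-deployment/start.sh now"
}
# Only run the checks when invoked explicitly, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then preflight_main; fi
```

Run it as `sh preflight.sh --run` from the cloned repo root before openrmf-deployment/start.sh.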
