This repository was archived by the owner on Sep 25, 2023. It is now read-only.

CMS ARS Overlay Tracker Setup

Shivani Karikar edited this page Sep 11, 2023 · 1 revision

Export Control IDs and NIST tags

  1. Clone your baseline profile: git clone <profile-git-url>
  2. Run that profile: inspec exec <profile-name> -t mock:// --reporter json:<relative-path-and-name>.json
  3. Load up the JSON report in Heimdall
  4. From Heimdall, export to CSV with the following fields: ID, Title, Description, CCI (optional), 800-53 Controls. Let's call this the Control Data file.
  5. Again from Heimdall, export the unique controls using: CAAT Spreadsheet

Outline changes that are needed in the Overlay

  1. Open the exported CSVs using MS Excel
  2. Open the template (linked under Resources below) to copy the contents into
  3. Follow instructions from sheet 1 of the template to fill out the columns
  4. Use the unique controls that you got from step 5 of the export section above to fill the third column on the NA Caveats sheet (remember to pad them to conform to the XX-NN(NN) format)
  5. Go through the NIST controls for every STIG/CIS control to find changes/applicability according to CMS ARS 5
    • Note: NIST controls listed as Supplemental in ARS 5 are applicable to all system categorizations
  6. Find out which values in the baseline need to be parameterized (create a branch accordingly)
  7. Note down input names and new ARS values in the tracker for those controls
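
The padding from step 4, as an added example that is not part of the original wiki or of the tracker template. The sample tags are constructed, the function names are hypothetical, and dropping item letters such as "a" is an assumption, since the XX-NN(NN) target has no slot for them.

```python
import re

# Family, base number, optional enhancement number. Anything after that
# (item letters such as "a" or "(a)") is ignored: an assumption of this
# example, because XX-NN(NN) has no place for them.
_CONTROL = re.compile(
    r"^\s*([A-Za-z]{2})\s*-\s*(\d{1,2})(?!\d)\s*(?:\(\s*(\d{1,2})\s*\))?"
)


def pad_control(raw):
    """Return raw in XX-NN(NN) form, or None if it is not a control ID."""
    m = _CONTROL.match(raw)
    if not m:
        return None  # e.g. revision markers, free text, malformed numbers
    family, base, enh = m.group(1).upper(), int(m.group(2)), m.group(3)
    padded = f"{family}-{base:02d}"
    if enh is not None:
        padded += f"({int(enh):02d})"
    return padded


def pad_unique(raws):
    """Pad every ID, drop non-controls and duplicates, return them sorted."""
    # Zero padding makes a plain string sort follow family/number order.
    return sorted({p for p in map(pad_control, raws) if p})


# Constructed sample of tags in the spellings an export may contain.
SAMPLE = ["AC-2 (1)", "AC-2(1)", "SI-10 a", "Rev_4",
          "AC-17 (2)", "ia-5 (1) (a)", "SC-8"]

if __name__ == "__main__":
    # One padded ID per line, ready to paste into the NA Caveats column.
    print("\n".join(pad_unique(SAMPLE)))
```

Values that return None are worth reviewing by hand before the column is filled, since they were not recognised as control IDs.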

Notes:

  • Top-align the cells and unwrap text so nothing is missed

Resources:

Tracker Template
