Getting Started

Download and Install

CyberRMF ships as two desktop applications: Integrate (the ISSO compliance workstation) and Admin Tools (the administrator scanning engine). Both are Electron-based and run on Windows 10+ and Linux.

After purchasing a license, you will receive an email with your license key and a download link for the installer. Run the installer on the target machine and follow the on-screen prompts.

System requirements:

  • Windows 10 or later (64-bit), or a modern Linux distribution
  • 4 GB RAM minimum, 8 GB recommended
  • 500 MB disk space for the application
  • Network access to the shared workspace drive (for split deployments)

License Activation

When you launch CyberRMF for the first time, you will be prompted to activate your license.

  1. Copy the license key from your purchase confirmation email.
  2. Paste it into the activation field in the application.
  3. The app sends your license key and hardware fingerprint to the licensing server.
  4. Upon validation, the license is bound to your machine and stored securely.

One license covers both Integrate and Admin Tools. If running on two separate machines (split deployment), the license supports up to two machine activations.

Air-Gapped Activation

For systems without internet access, CyberRMF supports offline activation using cryptographic license verification.

  1. Open the app on the air-gapped machine. It will display your Hardware ID.
  2. On an internet-connected machine, navigate to the activation portal and enter your license key and the Hardware ID.
  3. Download the signed activation certificate file.
  4. Transfer the certificate to the air-gapped machine via USB or other approved media.
  5. Import the certificate into the app to complete activation.

Offline validation uses Ed25519 signatures: the app verifies the certificate locally without any network call.
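
The offline check described above, as an added example in Node.js (not CyberRMF's own code). The certificate layout (a JSON payload plus a base64 signature), the function names, and the key pair are assumptions made for illustration; the license key and Hardware ID values are constructed.

```javascript
const crypto = require('node:crypto');

// Constructed key pair standing in for the vendor's signing key.
// In practice only the public key would ship inside the app.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Portal side (internet-connected machine): bind license key and Hardware ID,
// then sign the exact bytes that will be verified later.
function issueCertificate(licenseKey, hardwareId, expires) {
  const payload = JSON.stringify({ licenseKey, hardwareId, expires });
  const signature = crypto.sign(null, Buffer.from(payload), privateKey).toString('base64');
  return { payload, signature };
}

// App side (air-gapped machine): purely local verification, no network call.
function verifyCertificate(cert, localHardwareId, now = new Date()) {
  let signatureOk = false;
  try {
    signatureOk = crypto.verify(
      null, // Ed25519 takes no separate digest algorithm
      Buffer.from(cert.payload),
      publicKey,
      Buffer.from(cert.signature, 'base64')
    );
  } catch {
    signatureOk = false; // malformed input is treated as a failed check
  }
  if (!signatureOk) return { valid: false, reason: 'bad-signature' };

  // Parse claims only after the signature over the raw bytes has passed.
  const claims = JSON.parse(cert.payload);
  if (claims.hardwareId !== localHardwareId) return { valid: false, reason: 'hardware-mismatch' };
  if (!(new Date(claims.expires) > now)) return { valid: false, reason: 'expired' };
  return { valid: true, reason: 'ok' };
}

// Constructed sample values.
const cert = issueCertificate('EXAMPLE-LICENSE-KEY', 'HWID-EXAMPLE-01', '2030-01-01T00:00:00Z');
console.log(verifyCertificate(cert, 'HWID-EXAMPLE-01', new Date('2026-01-01T00:00:00Z')));
console.log(verifyCertificate(cert, 'HWID-OTHER-02', new Date('2026-01-01T00:00:00Z')));
```

Because the Hardware ID is inside the signed bytes, a certificate copied to a different machine fails the binding check, and editing the Hardware ID in the file breaks the signature.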

Deactivation and Transfer

To move your license to a new machine:

  1. Open the app on the current machine and select Deactivate License.
  2. The app generates a deactivation code and directs you to integratermf.com/deactivate.
  3. Submit the deactivation code. The machine is unregistered from your license.
  4. Install on the new machine and activate with the same license key.

Your license expiration date does not reset — the remaining time carries over to the new machine.

Integrate Setup

Create a Workspace

A workspace is the central container for all your compliance data. To create one:

  1. From the Programs screen, click New Workspace.
  2. Enter a workspace name (e.g., "Program Alpha").
  3. Select a classification level.
  4. Choose a security baseline overlay (this drives the SCTM controls).
  5. Optionally set the ATO date and next assessment date.
  6. Choose a parent folder on disk where the workspace data will live.

The workspace is created immediately and appears as a tile on the Programs screen.

Workspace Folder Structure

When a workspace is created, the following directory structure is established on disk:

  • {ParentFolder}/{WorkspaceName}/ — Workspace root
  • CyberRMF/data/.cyberrmf/ — JSON data files (inventory, SCTM, POA&M, admin results, etc.)
  • CyberRMF/{ArtifactRow}/{ArtifactTile}/ — File Manager artifacts
  • CyberRMF/STIG Validator/ — STIG checklist files
  • CyberRMF/Artifacts/CM/ — Change management attachments

A .workspace.lock file in the .cyberrmf folder prevents simultaneous edits. If the lock is stale (30 seconds), it is automatically released.

Import / Export Workspace

Export: From the Programs screen, select a workspace and click Export. A ZIP file is created containing:

  • A manifest.json with all workspace metadata
  • Inventory, POA&M, SCTM overrides, CONMON schedules, appointments, integrations config
  • STIG quarters and per-quarter validation data
  • Optionally: File Manager artifacts and Admin Tools results

Import: Select a ZIP file created by CyberRMF. Choose a parent folder, and the workspace is unpacked and registered. All data keys are restored.

Inventory

Add Inventory

The Inventory tab is the master asset database. Click Add to create a new entry with fields including:

  • Name, Location, Room, Type, Make, Model, Serial Number, Asset Tag
  • DNS Name, Domain, IP Address, Operating System
  • Cyber (Yes/No) — marks the asset for inclusion in Pulse and auditing
  • Virtual (Yes/No), Connection type, Router assignment
  • EOL Date, STIG Score, Memory type (Volatile/Non-Volatile)

Assets can be duplicated, highlighted for attention, and bulk-edited for EOL dates by model.

Inventory to Pulse

Any inventory item with Cyber = Yes automatically appears in Pulse. Pulse is the operational view that shows connectivity, reference compliance, and integration status for your cyber assets.

To populate Pulse, ensure your cyber assets have at minimum: DNS Name, IP Address, and OS fields filled in. These are used for scans, integrations, and STIG matching.

Hard Drive Tracking

For assets that contain hard drives:

  1. Set Hard Drives = Yes on the inventory item.
  2. A sub-panel appears to add individual drives with serial numbers and status (In Use / Out of Use).
  3. Drives can be assigned to safes in the Floor Plans (Places) view.
  4. The Hard Drives sub-tab shows all drives across all assets with their current assignments.

Export the hard drive list as CSV for physical tracking and audits.

Import / Export CSV

Inventory data can be exported as CSV from the toolbar. For Pulse, you can import a CSV that maps reference column values (DNS, SIEM, AV, Vuln, Logs) and STIG scores by IP address. Column file uploads can also provide DNS-to-IP mappings for batch updates.

Pulse

Pulse Overview

Pulse is the real-time operational view of all devices marked as Cyber = Yes in your inventory. Each device row shows:

  • Connectivity: Ping status (reachable/unreachable)
  • Reference columns: DNS, SIEM, AV, Vuln, Logs — each shows Yes/No
  • STIG Score: From quarterly STIG validation uploads
  • Integration columns: SIEM last seen, AV status, vulnerability counts (appear when integrations are configured)

Additional tools include Traceroute (per-IP or bulk), IP Ranges display, and a Ports reference table.

Toggling Mechanism

Each reference column (DNS, SIEM, AV, Vuln, Logs) can be toggled per device:

  • Click a cell to manually toggle between Yes and No.
  • Import a Pulse CSV to bulk-set these values — the CSV is matched by IP address.
  • Integration auto-population (if configured) fills SIEM, AV, and Vuln columns based on live queries.

Changes persist to the workspace data immediately.

Integrations

CyberRMF can connect to your existing security tools to auto-populate Pulse and Cyber Hygiene data:

  • SIEM: Splunk (REST API, port 8089, Bearer token) or ELK/Elasticsearch
  • Antivirus: Trellix, CrowdStrike, Defender, Symantec, Carbon Black, or a generic "Other" endpoint
  • Vulnerability Scanner: Tenable.sc or Nessus (API key authentication)

Configure each integration from the Integrations settings panel. Use Test Connection to verify before querying devices. Integration tokens are encrypted on disk using the operating system's secure storage (DPAPI on Windows, Keyring on Linux).

STIG Score Sync

When you upload STIG results (XCCDF files) in the STIG Validation tab, OS STIG scores can be synced back to Inventory and Pulse. The app matches STIG results to inventory items by hostname and IP address, then updates the STIG Score field. Both raw scores and reviewed/adjusted scores are available.

Artifacts and Documents

Artifact Manager

The Artifact Manager organizes your RMF documentation into rows (categories) and tiles (individual artifacts). You can:

  • Create, rename, recolor, and reorder rows and tiles
  • Upload and manage files within each tile (the File Manager)
  • View files in the built-in viewer (DOCX, PDF, spreadsheet support)
  • Switch between tile view and tree view
  • Export selected tiles as a ZIP package

Document Editors

CyberRMF includes built-in editors for standard RMF artifacts:

  • ATO (Authority to Operate) — Authorization document editor
  • SAR (Security Assessment Report) — Assessment findings editor
  • SSP (System Security Plan) — Plan documentation editor
  • RAR (Risk Assessment Report) — Risk analysis editor
  • PPS (Ports, Protocols, and Services) — PPS documentation tied to Admin Tools scan data

Changes are saved to the workspace and can be exported as DOCX.

SCTM (Security Controls Traceability Matrix)

The SCTM is driven by your selected security baseline overlay. It displays all applicable 800-53 controls with columns for:

  • Control ID, Name, CIA impact levels (Low/Medium/High)
  • Implementation status, frequency, justification, parameter values
  • Assurance, resiliency, ATT&CK mapping, related controls

You can edit implementation details, frequency, and comments per control. Overrides and field edits persist to the workspace. The SCTM can be exported as CSV, XLSX, or PDF.

POA&M (Plan of Action and Milestones)

Track remediation items from STIG findings or manual entry. Each POA&M item includes:

  • Status (Open, Working, Closed), POA&M ID, discovered by, date discovered
  • Affected controls (linked to SCTM), comments, last updated date

POA&M items can be created directly from STIG Validation findings with one click.

CONMON (Continuous Monitoring)

CONMON schedules track recurring compliance activities on a calendar view. Set frequencies for controls and monitoring activities, with per-year schedule management.

CM Tracker (Change Management)

Track hardware and software changes through the approval lifecycle:

  • HW/SW type, country of origin, make/company, model/version
  • EOL/EOSL dates, CCB needed (Yes/No), approval status (Requested, Approved, Rejected, Expired)
  • Attached documentation, in-use tracking

Publications

CyberRMF includes a built-in PDF reader for NIST Special Publications. Open any bundled publication in a split-view panel alongside your artifacts. Features include search within the document, zoom controls, and the ability to reference specific sections while editing your compliance documentation.

STIG Validation

Quarters

Organize STIG assessments by quarterly periods. Create a new quarter (e.g., "2026 Q1") to begin tracking. Each quarter stores its own set of STIG results independently.

Checklists

Import STIG results by dragging XCCDF files into the application, or use the batch import dialog. For each STIG benchmark:

  • View all rules with their pass/fail/not-applicable status
  • Override results with justifications and comments
  • Link findings to SCTM controls for traceability
  • Create POA&M entries from failed rules with one click
  • Filter by OS STIGs vs. application STIGs

Report

The Report tab generates per-quarter scoring tables. Each row is a device showing its OS STIG score and scores for each application STIG benchmark. Toggle between raw scores and reviewed/adjusted scores. Export as CSV, XLSX, or PDF.

Cyber Hygiene Dashboard

Dashboard Overview

The Cyber Hygiene Dashboard is a card-based compliance summary that pulls data from across the entire workspace:

  • Appointment schedules and upcoming deadlines
  • System information and workspace metadata
  • SCTM compliance coverage and POA&M status
  • Admin Tools scan summaries (PPS, encryption, logs, software)
  • Integration status (SIEM, AV, vulnerability scanner device counts)

Cards can be reordered by dragging. The layout persists per workspace.

HTML Export

Export the Cyber Hygiene Dashboard as a standalone HTML file. This creates a self-contained report that can be opened in any browser — useful for sharing with leadership or including in authorization packages.

Floor Plans (Places)

Room Editor

Create rooms to represent physical spaces. Within each room, draw shapes on the canvas:

  • Rectangles, squares, circles, L-shapes, and lines for room geometry
  • Classification stamps (Unclassified, Secret, Top Secret) as overlay markers
  • Safe shapes that can hold hard drive assignments

Shapes can be rotated, flipped, labeled, and repositioned. Each room has its own name and optional location field.

Device Placement

Drag inventory devices from the sidebar onto the floor plan to indicate their physical location. Devices can be displayed as icons or boxes. Hard drives from inventory can be assigned to safe shapes on the floor plan, creating a complete physical-to-logical asset mapping. Navigate to a device's floor plan location directly from Inventory or Pulse.

Admin Results

Overview

Admin Results is a read-only section within Integrate that displays data generated by Admin Tools. When Admin Tools runs scans on the shared workspace, the results are written to the .cyberrmf data directory. Integrate reads these results and presents them under the Admin Results tab.

This gives the ISSO full visibility into scan outcomes — PPS data, encryption status, installed software, AD users, and more — without needing access to the Admin Tools application itself.

Application Logs

Every scan action performed in Admin Tools generates an audit log entry stored in the shared workspace. Integrate displays these logs under Admin Results → Application Logs. Each log entry records:

  • PC User: The Windows/Linux account running Admin Tools
  • Account Used: The credential account passed for the scan (or current session)
  • Credential Type: Domain, Local, Current Session, or None
  • Date/Time: ISO timestamp of the scan attempt
  • Action: Successfully or Unsuccessfully initiated scan
  • Scan Type: PPS, Encryption, Logs, AD Users, Software, DNS, Domain Join
  • Target IP: The target device or "Batch" for bulk scans

Logs are persistent and never cleared. Table headers are sortable and filterable. Export with a date range filter as CSV or PDF.

Admin Tools Setup

Overview

Admin Tools is the scanning and data collection engine. It runs on an administrator's workstation and writes scan results to the shared workspace. Integrate reads these results for display in Admin Results, Pulse, and Cyber Hygiene.

This split enforces separation of duties: the administrator performing scans operates on a different machine than the ISSO reviewing compliance data, in line with NIST 800-53 AC-5.

Network Requirements

Admin Tools connects to remote targets using several protocols depending on the scan type and target operating system. Ensure the following ports are open between the Admin Tools machine and the targets:

Method | Ports | Notes
WMI / CIM (DCOM) | TCP 135 + RPC dynamic range | WMI service and DCOM permissions on target. For local accounts remotely, set LocalAccountTokenFilterPolicy = 1.
WinRM | TCP 5985 (HTTP) / 5986 (HTTPS) | Enable-PSRemoting on target. TrustedHosts or Kerberos for non-domain scenarios. The app can auto-configure WinRM.
SMB (log export) | TCP 445 | Admin share (\\target\c$) access for WMI-path log collection.
SSH | TCP 22 | Password authentication must be enabled on the target sshd. Used for all Linux scans.
DNS | UDP/TCP 53 | DNS spot check resolves names from the Admin Tools host.
LDAP | TCP 389 / 636 | AD user lookup and domain join check require LDAP access to domain controllers.

Domain-Joined Requirements

Admin Tools detects whether the host machine is domain-joined and whether the current user has administrator privileges:

  • Domain-joined + admin: "Using domain token" — no password is required. Windows remoting uses the current Kerberos ticket for authentication.
  • Not domain-joined or not admin: The app prompts for explicit Windows credentials (domain\username + password). For Linux targets, SSH credentials are requested separately.

AD Users and Domain Join scans require that the Admin Tools host can reach Active Directory domain controllers. The RSAT tools or Get-ADComputer cmdlet should be available for full domain join verification.

DHCP / Static IP

All scans target devices by IP address, pulled from your inventory. For environments using DHCP:

  • Ensure all target devices have DNS records that resolve to current IP addresses.
  • Use DHCP reservations to prevent IP address changes between scans.
  • Alternatively, use static IP assignments for critical infrastructure.

The DNS Spot Check scan can verify that your inventory's DNS names and IP addresses match what DNS actually resolves, helping catch stale records.

Credential Handling

Admin Tools stores credentials in process memory only. They are:

  • Never written to disk
  • Cleared after each scan batch completes
  • Subject to a 10-minute idle timeout — if no scan runs within 10 minutes, credentials are automatically wiped
  • Passed to scan processes via environment variables, which are cleared immediately after use

This design ensures credentials have minimal exposure, even in memory.

Admin Tools Scans

PPS (Ports, Protocols, and Services)

Collects running processes and active network connections from each target:

  • Windows (WMI): Win32_Process and MSFT_NetTCPConnection / MSFT_NetUDPEndpoint via CIM session
  • Windows (WinRM): Get-Process, Get-NetTCPConnection, Get-NetUDPEndpoint via remote PowerShell
  • Linux (SSH): ps aux + ss -Htulnp

Results are cross-referenced with a bundled ports CSV for service identification. PPS data can generate a DOCX artifact for your authorization package.

Encryption Check

Checks disk encryption status on each target:

  • Windows: Queries Win32_EncryptableVolume for BitLocker status, encryption method (AES-128, AES-256, XTS-AES), and completion percentage per volume.
  • Linux: Parses lsblk -f -J output to detect LUKS-encrypted volumes.

If BitLocker is not available on a target, the result shows "BitLocker unavailable" rather than an error.
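
One way to interpret lsblk -f -J output for the Linux check, as an added example in Node.js (not CyberRMF's own code). The sample JSON is constructed, and the function name and result shape are assumptions; the `crypto_LUKS` fstype value is what lsblk reports for a LUKS container.

```javascript
// Constructed sample of `lsblk -f -J` output, trimmed to the fields used below.
const SAMPLE_LSBLK = JSON.stringify({
  blockdevices: [
    { name: 'sda', fstype: null, mountpoints: [null], children: [
      { name: 'sda1', fstype: 'vfat', mountpoints: ['/boot/efi'] },
      { name: 'sda2', fstype: 'crypto_LUKS', mountpoints: [null], children: [
        { name: 'cryptroot', fstype: 'LVM2_member', mountpoints: [null], children: [
          { name: 'vg-root', fstype: 'ext4', mountpoints: ['/'] },
          { name: 'vg-swap', fstype: 'swap', mountpoints: ['[SWAP]'] },
        ] },
      ] },
    ] },
    // Older util-linux emits a single "mountpoint" string instead of an array.
    { name: 'sdb', fstype: null, mountpoint: null, children: [
      { name: 'sdb1', fstype: 'ext4', mountpoint: '/data' },
    ] },
  ],
});

// Walk the device tree and report LUKS containers plus every mounted
// filesystem, marked by whether it sits underneath a LUKS container.
function summarizeEncryption(lsblkJson) {
  const containers = [];
  const filesystems = [];
  const walk = (node, underLuks) => {
    const isLuks = node.fstype === 'crypto_LUKS';
    if (isLuks) containers.push(node.name);
    const mounts = (node.mountpoints || [node.mountpoint]).filter(Boolean);
    if (!isLuks && mounts.length > 0) {
      filesystems.push({ name: node.name, fstype: node.fstype, mounts, encrypted: underLuks });
    }
    // Encryption is inherited: LVM volumes inside a LUKS container count as encrypted.
    for (const child of node.children || []) walk(child, underLuks || isLuks);
  };
  for (const dev of JSON.parse(lsblkJson).blockdevices || []) walk(dev, false);
  return {
    containers,
    filesystems,
    unencrypted: filesystems.filter((f) => !f.encrypted).map((f) => f.name),
  };
}

console.log(summarizeEncryption(SAMPLE_LSBLK));
```

A host can have a LUKS container and still hold mounted plaintext filesystems (here the EFI partition and a second data disk), so reporting per mounted filesystem is more useful to a reviewer than a single yes/no per host.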

Log Collection

Collects event logs from remote targets and saves them locally:

  • Windows: Lists logs via Win32_NTEventLogFile, then exports each log using wevtutil epl. Files are saved as .evtx organized by date and device name.
  • Linux: Collects journalctl boot logs and files from /var/log/ via SCP.

A Verify mode checks whether logs exist locally or remotely without collecting them.

AD Users

Queries Active Directory for all user accounts and their attributes:

  • SID, sAMAccountName, Display Name, Email, UPN
  • Enabled/Disabled status, Last Logon, Logon Count
  • Group memberships, Department, Title, Company
  • Password Last Set, Lockout Time, Bad Password Count

Uses ADSI/LDAP queries on Windows. Results are paginated (1000 per page) to handle large directories.

Installed Software

Enumerates installed software on each target:

  • Windows: Scans the registry (HKLM and HKCU Uninstall keys) plus Win32_Product via WMI. Results are deduplicated by name.
  • Linux: Uses rpm -qa (Red Hat/CentOS) or dpkg-query -W (Debian/Ubuntu).

Results can be viewed grouped by host or by software name. Export as CSV, XLSX, or PDF.

DNS Spot Check

Validates DNS consistency for all cyber inventory items. For each device, the app runs nslookup from the Admin Tools host and compares the resolved IP and hostname against inventory records. Results are classified as:

  • Match: DNS resolution matches inventory
  • Mismatch: Resolved IP or name differs from inventory
  • Unreachable: DNS query failed
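
The three-way classification above, as an added example in Node.js (not CyberRMF's own code). It uses Node's dns module in place of nslookup; the function names, the inventory field names (dnsName, ip), and the choice to accept a missing PTR record as a match are assumptions, and the sample hosts are constructed.

```javascript
const dns = require('node:dns').promises;

// Normalise a host name for comparison: lower-case, no trailing dot.
const norm = (h) => String(h || '').trim().toLowerCase().replace(/\.$/, '');

// Pure classifier: compare what DNS returned against the inventory record.
// `resolved` is { addresses: [...], names: [...] }, or null when the query failed.
function classify(item, resolved) {
  if (!resolved || resolved.addresses.length === 0) {
    return { status: 'Unreachable', detail: 'DNS query failed or returned no address' };
  }
  if (!resolved.addresses.includes(item.ip)) {
    return {
      status: 'Mismatch',
      detail: `resolved ${resolved.addresses.join(', ')}; inventory has ${item.ip}`,
    };
  }
  const names = resolved.names.map(norm);
  // Assumption: a missing PTR record is not treated as a mismatch.
  if (names.length > 0 && !names.includes(norm(item.dnsName))) {
    return {
      status: 'Mismatch',
      detail: `reverse lookup gave ${names.join(', ')}; inventory has ${item.dnsName}`,
    };
  }
  return { status: 'Match', detail: 'DNS resolution agrees with inventory' };
}

// Live lookup wrapper: forward A-record query plus reverse lookup of the
// inventory IP. Not called here so the example runs offline.
async function spotCheck(item) {
  try {
    const addresses = await dns.resolve4(item.dnsName);
    const names = await dns.reverse(item.ip).catch(() => []);
    return classify(item, { addresses, names });
  } catch {
    return classify(item, null);
  }
}

// Constructed inventory row and constructed resolver answers.
const sampleItem = { dnsName: 'WS01.example.test', ip: '192.0.2.10' };
console.log(classify(sampleItem, { addresses: ['192.0.2.10'], names: ['ws01.example.test.'] }));
console.log(classify(sampleItem, { addresses: ['192.0.2.99'], names: [] }));
console.log(classify(sampleItem, null));
```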

Domain Join Check

Verifies that inventory devices appear in Active Directory as computer objects. The app queries AD using Get-ADComputer (or an LDAP fallback) and matches results against your inventory by DNS name, short name, or device name. Each device is marked as Joined or Not Found in AD.

Export

Export Formats

Most tables throughout CyberRMF support export in multiple formats:

  • CSV: Comma-separated values, compatible with Excel and other spreadsheet tools
  • XLSX: Native Excel format with formatting preserved
  • PDF: Formatted document suitable for printing and sharing

Admin Tools Export

Admin Tools includes both per-tool export (from each scan sub-tab) and a combined export dialog that lets you select multiple scan types and export them as a single multi-sheet document. This is useful for generating comprehensive scan reports for authorization packages.

Workspace Export

The full workspace export creates a ZIP containing all compliance data, STIG results, and optionally File Manager artifacts and Admin Tools results. Use this for backup, migration, or sharing workspaces between teams. Import on any machine with CyberRMF installed to restore the full workspace.