Feature List

Benchmark Reference

  • Searchable list of all DISA STIGs, including previous versions back to 2016
  • Searchable checks under each STIG
  • Display of individual checks with all relevant text and DISA categorization
  • Association between all checks and relevant CCIs and RMF controls
  • Printable version of benchmark versions, including all check details
  • Version comparison, including text-level changes between changed checks

Control and Overlay Reference

  • Searchable list of all NIST RMF controls, DISA CCIs, and CNSSI 1253 overlays
  • Full description and supplemental information for all controls and CCIs
  • CIA levels for each control
  • Associated overlays for each control
  • Links from each control to all related controls, enhancements, and CCIs
  • Link from each CCI to related controls
  • USSF S3/6 Master Assessment Datasheet (MAD) information for each CCI
  • Complete list of control changes for every overlay

Client and Locations

Terminology clarification

A "client" is the most basic collection of devices within Xylok. Users with a single network or site might have only one client. Users who have many sites or networks that are accredited separately may create a client for each of those networks.

  • Create multiple clients for separate authorization boundaries
  • Create multiple locations within clients to organize devices
  • Assign client CIA level and overlays
  • Add or remove individual tailored controls
  • View all assigned controls for a machine
  • View control coverage information, based on technical checks and interview questions from assigned benchmarks
  • Export and import client configurations
  • Export and import complete clients, with configuration, scan data, and ratings
  • Organize machines into "families" to allow for different baselines for otherwise similar machines
  • Answer benchmark questions at the client and/or location level
  • Client dashboard with graphs of compliance status over time
  • Duplicate a location to quickly create many similar devices
  • Upload and store documents relevant to compliance directly to Xylok
  • Comprehensive text-based search across all documents simultaneously
  • Group-based client visibility and access permissions

Machine Management

  • Create machines that correspond to individual devices in your network
  • Optionally assign inventory information, including manufacturer, model, serial number, IPs, MAC addresses, host name, and purpose
  • Automatically pull in device information after importing a scan (if data would overwrite existing data, the user is prompted before applying changes)
  • Assign multiple benchmarks to machines
  • Search all machines by name, location, and OS
  • Answer benchmark questions for specific machines
  • Duplicate a machine to quickly create similar devices
  • For common operating systems, scans pull an installed software list. This software list is visible within Xylok and will recommend matching Xylok benchmarks that should be run on the next scan execution.

Technical Analysis

  • Download human-readable scripts for specific machines based on assigned benchmarks
  • Download CD image of scripts for all machines in a location (and sub-locations)
  • Scripts produce a single human-readable result file tied to the machine
  • Support for traditional OSes, basic applications, databases, network devices, virtual machines (ESXi, vCenter)
  • Import result files via drag-and-drop or browser upload
  • Searchable scan list across entire client
  • Searchable scan checks list, allowing filtering by check, command, comment, status, DISA category, etc.
  • Support for manually entering results if a machine cannot be automatically scanned (i.e., enter the data by hand as if the command were actually executed)
  • Support for entering benchmark interview questions within Xylok
  • Copy interview answers between scans of the same or different machine
  • Export single scan, with comments and finding statuses, as an archive for importing into other Xylok instances
  • Export single scan as a STIG Viewer Checklist (CKL) file
  • Visually compare two scans (for the same or different machines) for textual changes

Automatic Analysis

  • Recommendations from Xylok staff-maintained processing scripts. For common OSes and benchmarks, often no manual analysis will be needed.
  • Text-based automatic analysis (AA): if data from a check matches previously-marked data, the previous marking can be applied automatically
  • Global, family, and machine-level AA data pools, allowing AA data to quickly build up a baseline for your entire network while still allowing customized markings for individual machines or families as needed
  • AA pool can be exported and imported into other Xylok instances
  • AA pool management via options to delete machine and family pools

CCI Rater

  • Rate Common Correlation Identifiers (CCI) per-client based on the client's selected CIA levels and overlays
  • All risk ratings calculated from the NIST RMF risk matrices
  • Ratings searchable by comment, rating, etc.
  • Non-technical rating for every CCI, with a compliance status and comment
  • Technical rating for every CCI, with a summary technical comment and risk. Technical risk is calculated based on an impact determined from underlying technical data and a user-selected likelihood.
  • Opportunity to enter mitigation comments and lower the likelihood based on those mitigations
  • Opportunity to enter recommendation comments
  • Historical storage of all previous ratings
  • Ability to mark existing ratings as "reviewed" if there were no changes from the previous review
  • Ability to search for, view, and copy ratings from other CCI ratings
  • Side-by-side comparison and copy with other Xylok clients' ratings for quick analysis
  • Automatic document search based on CCI title to quickly locate relevant entries across all documents uploaded to Xylok

Control Rater

  • RMF Control ratings based on underlying CCI ratings
  • Ratings searchable by comment, rating, etc.
  • Automatically built comments based on CCIs comments, with the option to manually override
  • Risk calculated from all underlying non-compliant CCIs
  • Historical storage of all previous ratings
  • Ability to mark existing ratings as "reviewed" if there were no changes from the previous review

Technical Rater

  • Ability to risk-rate all checks with findings in a client
  • View all machines with findings under a particular check and provide a risk rating and summary comment for each check
  • Ratings searchable by benchmark, check, impact, risk, comment, etc.

POA&M Manager

  • Manage POA&M entries directly within Xylok, allowing CCI ratings and technical ratings to feed directly into the POA&M
  • When a CCI is resolved and compliant, the POA&M entry will automatically drop off
  • Ability to save the POA&M DoD component, system name, registration number, etc. within Xylok so that the exported POA&M spreadsheet includes the appropriate header
  • POA&M row and risk descriptions are built from the CCI; other columns and comments can be managed manually
  • Historical storage of all previous POA&M entries
  • Ability to mark existing entries as "reviewed" if there were no changes from the previous review

Requirements Traceability Matrix Manager

  • Requirements Traceability Matrix (RTM) for systems in early development stages
  • Rows automatically built based on selected client controls, assigned benchmarks for machines, and manually selected benchmarks (for when no machines have actually been built within Xylok yet)
  • Track requirement owners, verification phase, and verification authority
  • Historical storage of all previous rows
  • Ability to mark existing entries as "reviewed" if there were no changes from the previous review

Reporting

  • Export USSF S3/6-approved Security Analysis Report spreadsheet with all rating data and appropriate risk charts
  • Export eMASS Test Results (TR) based on the CCI Rater, directly importable into eMASS
  • Export Technical Rater as spreadsheet
  • Export RTM manager as spreadsheet
  • Export POA&M as marked in the POA&M manager
  • Scan comparison spreadsheet with a matrixed comparison between all machines' data for a selected time period
  • Individual findings, showing the current findings for all devices in the client. Filterable to specific machines, categories, and checks to allow a system administrator to focus on working issues
  • STIG Viewer checklist (CKL files) exported for all devices in a client, organized by location. CKLs can be produced with just comments and statuses or with the full underlying data if needed
  • Hardware spreadsheet laying out all devices in a client. Where possible, each device will also include an installed software list as pulled by the last scan.
  • Benchmark status report showing compliance scores for each machine across each benchmark
  • Ports, protocols, and services matrix (PPSM) based on automatically collected listening port information for each device

Report Creation

  • Generate S6 CRA template-based reports as signable PDFs
  • All narrative portions fillable and trackable within Xylok
  • Copy reports for easy updating over time

Third-Party Integration

  • Export scans as DISA STIG Viewer checklist files
  • Export eMASS TR
  • Export eMASS POA&M
  • Import checklist, Nessus/ACAS .nessus files, and SCAP XCCDF files as scans into Xylok
  • Third-party scans are matched by IP address and/or host name. If Xylok is unable to automatically match imported data against existing machines, the user is prompted to manually match scans to machines.
  • STIG Viewer Checklist integration:
    • Tie directly to existing matching Xylok benchmarks, based on the benchmark title and/or benchmark ID.
    • Finding details in the checklist tie to command output in Xylok; comments in the checklist tie to comments in Xylok
    • Ties imported checks to appropriate CCIs
    • Findings appear identically to all other Xylok scans, integrating through all control ratings and reports
  • SCAP XCCDF integration:
    • Tie directly to existing matching Xylok benchmarks, based on the benchmark title and/or benchmark ID.
    • Compliance status is pulled in; comments and values cannot be imported at this time
    • Ties to existing checks within Xylok
    • Findings appear identically to all other Xylok scans, integrating through all control ratings and reports
  • Nessus scan integration:
    • Imported data is tied to a special Nessus benchmark, with checks created based on the Nessus plugin ID
    • Results appear on finding spreadsheets, other finding lists for machines, and the technical rater
    • Nessus scans do not contain CCI or control information, so they do not feed into the CCI ratings, control ratings, or control-based reports such as the SAR

Administration

  • User groups and permissions to allow for different organizational roles
  • Self-hosted or Xylok-hosted server options, depending on classification and organizational requirements
  • API with examples and documentation for automating technical data collection
  • Benchmark updates handled by Xylok staff. Updates from Xylok are delivered on a regular basis and incorporate DISA STIG updates (and other custom benchmarks)
  • Docker and Podman support for the server
  • Hardened by default, with additional security options