A Process Driven Approach to RMF and Cyber Compliance

Dale Bingham
5 min readDec 16, 2022

Good quality. Great speed. Correct results. Consistently delivered. That sounds like RMF right? If not, you may need to think of RMF from a process perspective and not a “throw a bunch of people at it” perspective.

Our OpenRMF Professional solution is like the <insert your favorite fast-food restaurant> of RMF. Get there. Place your order. Let the process work for you. And you will have consistent results for a great price!

Automate RMF and FedRAMP with a process-driven approach for excellent repeatable results.

RMF the Old (read, current) Way

Performing cyber compliance via the Risk Management Framework (RMF) is a common practice for US Federal, DoD, and even some international organizations around the world. It gives structure to cyber compliance and gives you the framework to get going toward better cyber hygiene and cyber security.

That said, it is not the easiest to grasp. Especially when viewing it for the first time. There is a lot of data. Many different team members with different “hats” to perform their part of the job. And a boat load (really, a cargo ship!) full of data to look at, sift through, relate, and track over time. So it has to be done right.

Most groups that we come in contact with at Soteria Software are still doing things manually. Don’t get me wrong. They are doing automated scans. Grabbing checklists and reports from patch and audit compliance scans. And making the computer go out and find all the data.

But then the automation stops…and all the manual things kick in for some reason!?

The team sifts through manual checklists created from the scans. They look through PDF reports or XLSX exports of patch vulnerability scans. Some groups just do representative scans on certain machines versus ALL because of the time and workload it takes to get down to individual devices. And they trace all that with multiple XLSX spreadsheets all over their machines, email, and shared drives.

Then they produce data calls, reports, track compliance manually based on looking at the PDFs and checklists and scans. Some may have even taken a step toward automation and have a one-off powershell script or excel pivot table wizardry they created themselves to help synthesize all this information for their job. It helps…but only partially.

This is like an orchestra with a lead violinist. That lead musician does very well. But the rest of the group does not have the same sheet of music. And the conductor is trying to get everyone to play together in harmony to produce great music. It does not work well and comes across choppy and may not sound nice.

RMF needs an orchestra, conductor, and sheet music all people can read and know their part.

That is how most groups approach RMF. The same way they did in 2020, 2015 and years past of other cyber frameworks. And it is past its due date.

The challenge with that is people only scale so much. And making this 100% people based means you probably will not get consistent results across your team, other teams, or the company or agency you work with.

Something needs to change…and change now.

RMF and Cyber Compliance the New Way

What we all need is a standard, repeatable PROCESS to use for going through RMF, FedRAMP and other cyber compliance frameworks.

Something all team members know about, can use, can understand, and know their piece of the RMF puzzle to do it and do it well. And it is repeatable, so you know what to expect.

Even newer folks to cyber or folks that are cyber personnel but new to RMF. Having a process that you can see, share, search, and learn from lets the newer team members ramp up on RMF faster as well. Whether you are a third party assessor (3PAO), do independent validation and verification (IV&V), or are an organization or agency that has to run through RMF and FedRAMP. Your current members and newer team members can learn the process, whether they are new or have decades of experience.

And they can all do it in the same way, like a well oiled machine. Or if you are old like me, similar to the 1996 Chicago Bulls. Everyone knows their role, their plays, their assignments, and does their job well. Consistently.

When you are process-driven around RMF, you start to gain economies of scale because people are doing the same thing across all your teams. Things that work well, you share them and all get smarter. When things do not work or there are some nuances around your process, again you share them and all get smarter. The process is followed, and smart people help shape it and follow it consistently.

When you start to implement a process around RMF with our OpenRMF Professional solution, you can start to have people become less “cyber administrators” and more “cyber engineers”. Doing good work that takes skills and brainpower. And for the right group of people, that excites and motivates them internally more than anything. Versus doing mundane manual tasks over and over that can kill your motivation.

And most importantly: you can have your process get you closer to cyber compliance. And start to move toward better cyber hygiene and improved cyber security, using the actionable data from your process combined with our OpenRMF Professional solution.

It is a beautiful thing! I bet you never thought you would see someone write that about cyber compliance, huh?!?

See for yourself

If you have read this far, you get it. And we thank you. And feel your pain!

See more of what we do via videos, sheets, and blogs at our website.

Better yet, sign up for an evaluation and download / setup the software for yourself. And see it with your own eyes, ears, and fingers!

--

--

Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft