Bulk Lock Vulnerabilities on your STIG Checklists in OpenRMF Professional v2.4

Dale Bingham
4 min readJul 8, 2021


Easily lock vulnerabilities from automated updates related to SCAP scans and manual edits in the new OpenRMF Professional v2.4. Eliminate automated false positive updates on checklists from SCAP uploads. And stop checklist uploads from updating vulnerability information that is set and finalized. All through the same web tool that helps you manage all your checklists, patch scans, POAM entries, overlays, and compliance generation in an easy-to-use web-based application.

Bulk Locking of Checklist Vulnerabilities entries

Stop False Positives from SCAP Scan Updates

I love automation. I hate wasting time. Especially non-value-added time. And OpenRMF Professional capitalizes on that idea tremendously. But with everything there is always some things to watch on hyper automation.

One of the downsides to the automated SCAP scans has got to be false positives. The normal “your DoD banner has an extra space in it” or “your login banner has DON versus DoD” takes your hard work of locking down your system and flipping the status of a vulnerability to “Open” because of an extra space or different letter. It sure would be nice to lock the vulnerabilities across checklists in your system ATO package to stop this nonsense.

Well you are in luck! With OpenRMF Professional 2.4 you can now lock (and unlock) vulnerabilities across multiple checklists in your system ATO package easily. The new “Bulk Lock/Unlock Vulnerabilities” feature lets you do just that. Get your information as you need it. Lock the vulnerabilities. And you are done.

There is a lock icon (see image below) next to the vulnerability ID that is locked to let you know. And as you upload newer SCAP scans or Checklists, that vulnerability information will stay there as-is. You can stop going back to fix the false positives or explain them away to your manager or assessor. Now you can just lock them. Combine this with the new “Bulk Edit Vulnerabilities” feature also updated in OpenRMF Professional v2.4 and you can get their information correct, lock them, and then call it a day!

Lock Vulnerabilities easily across checklists to stop false positives and improper updates.

Stop Manual Updates from Live Editing and Checklist Uploads

This locking feature also stops the live edits from happening through the web browser. So the “…” menu to edit the vulnerabilities as well as the Bulk Edit Vulnerabilities screen stops users from changing information on vulnerabilities that have been locked. If you need to change it, unlock them and then change the information. All through a web browser.

The reporting screens and vulnerability listing screens all show that locked icon. So you will know when one is locked. It is pretty easy to tell. And you can have confidence knowing it will stay that way until someone physically chooses to unlock it.

Of course this locking mechanism is only in OpenRMF Professional. If you export the CKL and edit it in OpenRMF OSS or the STIGViewer, you can still change it. But when you upload that back into OpenRMF Professional, the locking mechanism will stop the update from happening to the current checklist data on that particular vulnerability.

Same thing for the SCAP scans. If you upload the SCAP into another tool and get a checklist, that tool will not lock the vulnerability. But when you take that information and import it into OpenRMF Professional the lock feature makes sure your data is safe.

OpenRMF Professional to the Rescue

OpenRMF Professional automates much of the RMF and FedRAMP process, helping decrease the time to an ATO or approval by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning the NIST controls and sub-controls, checklists, patch scans, POA&Ms, and compliance generation and then manages all information in a secure central database structure. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF or FedRAMP reports.

Having a web-based central repository for all cybersecurity compliance data that has role-based security for each system package, eases the RMF and FedRAMP processes using a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also provides leadership with direct insight into the status of all system package security and risk information thus eliminating the mystery around implementing the RMF and FedRAMP processes.

Once an ATO or approval level is achieved, OpenRMF provides continuous monitoring and tracking of POA&M items, overall risk of systems and applications, and tracking updated scans and checklists throughout the life of the system package.

Check it out here. Ask for a 30-day no obligation evaluation to try it yourself!



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft