Compliance Assessments Made Easy with OpenRMF Professional

Dale Bingham
4 min readJun 16, 2024


If you are doing your assessment against RMF, FedRAMP or other NIST 800–53 based compliance frameworks then you are in luck! OpenRMF Professional helps you easily load information, see the latest results and compliance along with vulnerability data.

Then quickly compare to the accreditation package you are assessing to see how they match up. And discuss all risk based on real hard data and actual scan results. See how below.

Mange your ATO / accreditation package easily through the dashboard

Load the Latest Checklists Exported

First thing to do is to get the raw SCAP xml, Audit Compliance or CKL checklist files and load them into a new system package for your ATO or accreditation you are assessing.

  • Ask for the files
  • Load them into your package
  • See the results, numbers, and vulnerabilities in their entirety
All checklists loaded, with individual numbers and access to results

Load the Last Raw Patch Scan Results

Now, do the same for their patch scans. You could even ask for the last 2 or 3 scans and load them in order to see how they are doing over time.

This gives you patch data, hardware listing, ports/protocols/services used as well as the initial software listing.

Patch vulnerability data scores and listing

Load Additional Software BOM in XLSX format

Patch scans have software results in them when configured properly. You also can ask for their software export and import that yourself to your version of their accreditation package.

Software listing from scans and uploads

Load Compliance Statements

Now load the compliance statements. If they have a curated list, they can give you that. Or they can export the current listing in OpenRMF Professional to XML and send you their listing as well to load and read through.

Load their compliance statements against controls and subcontrols

Generate POAM

Click the Generate POAM button to see what is still Open or Not Reviewed across all the current data. Now you can compare to their generated / exported POAM and discuss results and any discrepancies.

Generated live Plan of Actions and Milestones on the latest data imported

Generate Compliance

Now that you have checklists, statements, and any inherited controls (if they have some, you can pull in) you can click the Generate Compliance button to see where they stand against all controls and subcontrols they have to answer.

Compare this to where they report they are for compliance against all controls and subcontrols. Then discuss results and any discrepancies.

Generate total compliance based on scans, statements, and inherited controls/common controls

Ask for Current Scan Results

Now that you have your baseline of all the data being reported, you can ask for the latest SCAP scans or checklists, as well as the latest patch scans and other data.

Load the latest data from the group, regenerate your compliance based on the latest data, and find out if there are any checklists that have a version or release update available.

Generate Results and Compare

Now that all of that is done, you can review the changes on checklist history, patch history, POAM and a newly generated compliance. And discuss results, differences, questions, mitigations, and all other risk.

And make your decisions based on real hard data, real scans, and the information they collected. You also can review their POAM with them on items to mitigate as well as scheduled completion dates on other items.

Checklist Vulnerability History results
Patch Vulnerability History results
Compliance History results

See For Yourself!

This is a glimpse into the many ways teams like yours are tracking their accreditations with OpenRMF Professional to make their lives easier.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team perform assessments better with a known, good, structured RMF processes. And track the where, who, why, how, and history behinds your RMF package evolution.

You can achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators and documentation specialists.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft