New Features in OpenRMF Professional 2.3

OpenRMF Professional = Cybersecurity Compliance Automation. To help you get more automation out of your data and give you time back to harden and secure your systems, we added some new features in 2.3 we think you will love. These include managing RMF as well as FedRAMP compliance, tracking compliance to sub-controls, tailoring to sub-controls, managing compliance overlays, managing POA&M mitigation statements to use, adding milestone events, speed improvements loading large lists, quick filtering of list data, and more reports. Highlights are below!

OpenRMF Professional 2.3 System Package Dashboard

New FedRAMP controls mapping and reports

OpenRMF Professional v2.3 now adds the ability to track system packages going for FedRAMP compliance. FedRAMP stands for the “Federal Risk and Authorization Management Program” and standardizes security assessment and authorization for cloud products and services used by U.S. federal agencies. The goal of FedRAMP is to make sure federal data is consistently protected at a high level in the cloud.

With the US President’s recent Executive Order on cybersecurity and specifically pushing groups toward FedRAMP this has become even more important in the United States of America. To that end, we now have a setting for the system package you are managing to specify if you are tracking to RMF compliance or FedRAMP compliance.

The list of NIST controls at the various levels of FedRAMP compliance are somewhat different from the RMF levels of confidentiality, integrity, and availability (CIA). OpenRMF manages all that internally for you and matches the NIST controls for you when generating FedRAMP compliance or your corresponding System Security Plan (SSP) Control to Vulnerability Matrix. There are also FedRAMP related reports included as well.

Tracking Compliance to the Sub-Control Level

Tracking Compliance to the NIST Sub-Control Level

Your compliance against the NIST controls in OpenRMF now track to the sub-control level. Instead of seeing how you compare to AC-1, SC-7, and IR-3 now you will see how you also comply with AC-2(12), IR-3(1) and SC-7(4). This has implications as you go from low to moderate to high in any of the RMF CIA levels or FedRAMP levels. As you go higher in impact level the controls and sub-controls you have to comply with increase.

We also now group all items not matched to controls and sub-controls you have to comply with (based on compliance level / tailoring and overlays) to the general CM-6 Configuration control. We note what actual NIST controls and sub-controls the items are for but that they are under CM-6 for general configuration management.

Tailoring Controls to the Sub-Control Level

Along with compliance and your SSP Control to Vulnerability Matrix, tailoring controls for your system package is now at the sub-control level. With OpenRMF Professional versions 2.0 to 2.2 you could only match to the major control level, such as AC-4 or SC-7 as talked on earlier here.

Now you can also tailor down to the sub-control level for your list of controls when generating compliance or the SSP matrix. When you tailor your controls, that takes the place of your general RMF CIA level default controls or your FedRAMP level default controls. You can run reports in OpenRMF to see what the default controls are for the various levels of compliance.

Managing and Using Compliance Overlays

Managing and Using Compliance Overlays

A nice new feature in OpenRMF Professional 2.3 is the ability to create, manage, and apply compliance overlays to your system package when generating compliance and your SSP Matrix. These overlays are added to your RMF level controls, FedRAMP level controls or your tailored list of controls when tracking compliance and SSP Matrix information.

As an administrator you can create top level overlays that anyone using your OpenRMF installation can pull into their system package. In addition, if you own your system package and have the right permissions you can create your own overlays just at the system package level. As long as they are marked “active” they automatically apply to your compliance and SSP Matrix generation.

There are 2 overlays automatically created for you when version 2.3 is installed. The National Security System (CNSSI) and Privacy/Personally Identifiable Information (PII) overlays are automatically added at the top level for all to pull into their system package and use where appropriate.

Managing POA&M Mitigation Statements

Managing and Adding Canned Mitigation Statements

A common thing when filling out your POA&M is using mitigation statements over and over. Prior to version 2.3 of OpenRMF Professional you had to copy/paste those statements into the Mitigation Statements block and hope people did not mess them up. Kind of like when you do it in XLSX and share it out.

Now you can create, manage, and use mitigation statements by selecting them and adding them to your POA&M record. Just like overlays above, you can add them at an application-wide level for all to use or just at your system package level. You can create mitigation statements and get them all correct, and then and just attach them to the POA&M record. You can still add additional mitigation statements to a POA&M record by typing into the Mitigation Statement box as well when editing.

When you view the POAM in OpenRMF you can see the canned statements you added displayed. If you have the right permissions you also can see a red X to remove those no longer needed on your POA&M record. When you export the POA&M to MS Excel the mitigation statements are added to the cell for that POA&M record row in the order they are added to the record. Any manually added mitigation statements entered are also added at the end in that same cell.

Adding Milestone Events to Track toward

Tracking to Milestone Events for your Program and System Package

This feature came from a request from a user to track specific events related to their system package. There are milestone events such as a preliminary design review, test event, critical design review, 3 month review, and the like that groups can work toward. Now you can add those milestone events within OpenRMF Professional inside your package to list and track toward.

You also can click the linked title to pull down a *.ics file and add to your calendar to track as well. This is a small thing for some folks for sure. However, having all this information in one spot to track makes things a lot more organized and a lot easier to track for your group.

Quick Filtering and Searching on Lists

Filter your list data quickly by clicking on field values for automatic searching

A suggestion from a participant in a demo led to this additional feature! (Thank you, you know you you are!) For some larger lists, you can type into the Search box at the top right just above the listing. This additional feature now lets you click the text and have it automatically add to the Search box and filter the data easily.

You can still type into the Search box. And you can remove the search text to list all. This is just a “one click away” type of feature we look to add to make your job easier and faster, so you can get back to what matters…


Speed Improvements with Large Lists

Faster loading for large lists of data

For some lists in OpenRMF such as the patch vulnerability listing, software listing, and reporting data we also worked on speed improvements to load and display your data faster. This does not change the data or how you upload and process it. It does make it much faster to load it, report on it, automate it, and again give you time back to do what is vastly important…


More Reports on Your Data

There were a few more reports added for this version, specifically around the FedRAMP controls and compliance as it relates to the NIST major controls and sub-controls. There is also a comparison report to show how the controls differ across FedRAMP and RMF as well as RMF to RMF when you have different levels of confidentiality, integrity, and availability.

OpenRMF Professional v2.3 is here!

OpenRMF Professional automates much of the RMF and FedRAMP process, helping decrease the time to an ATO or approval by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning the NIST controls and sub-controls, checklists, patch scans, POA&Ms, and compliance generation and then manages all information in a secure central database structure. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF or FedRAMP reports.

Having a web-based central repository for all cybersecurity compliance data that has role-based security for each system package, eases the RMF and FedRAMP processes using a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also provides leadership with direct insight into the status of all system package security and risk information thus eliminating the mystery around implementing the RMF and FedRAMP processes.

Once an ATO or approval level is achieved, OpenRMF continues with continuous monitoring and tracking of POA&M items, overall risk of systems and applications, and tracking updated scans and checklists throughout the life of the system.

Check it out here. Ask for a 30-day no obligation evaluation to try it yourself!



CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft