OpenRMF Professional for Commercial Customers

Dale Bingham
4 min read · May 27, 2022


Tracking your cyber compliance is NOT just for the US Federal government, or the DoD in particular. Proper cyber hygiene and applying the right cyber frameworks are important regardless of whether you are a government agency, a large business, or even a smaller business. With our latest version 2.8, you can use OpenRMF Professional to track your CIS benchmark scans as well as DISA benchmarks against the same NIST controls for the Risk Management Framework, or against a tailored list of controls, just as easily.

OpenRMF Professional for Commercial Uses

Tracking FedRAMP Compliance

If you are a commercial company tracking your FedRAMP compliance for software offerings to government organizations and agencies, that is a great use case for OpenRMF Professional. RMF and FedRAMP share a large set of NIST controls, and our software helps you in several key areas.

Tracking all the manual controls, processes, procedures, vulnerabilities, and patch and compliance scans is a big lift, especially for those who have never done all that under the older DITSCAP, DIACAP or now RMF processes for the U.S. Federal Government.

OpenRMF Professional helps by giving you a single place to track all that information, a live POAM that shows the areas of concern and risk to work on, and a button that runs compliance and shows where you stand. That is a massive leap forward: it saves time and money, tells you where you are, organizes your work, and gets you and your team to a FedRAMP approval faster.

Adopt NIST RMF for Cyber Compliance

We have also seen banks, logistics companies, and even international companies adopt the NIST Risk Management Framework for tracking cyber compliance, or at least as a roadmap to work toward.

These companies are not necessarily going for an “ATO” or an approval. They are matching that known good framework to their company to have a way forward on cyber compliance toward better cybersecurity. Some of these groups may have former US DoD or Federal contractors and employees who at least know how the RMF process works. However, they all face the same challenge: the massive amount of work involved in doing all this manually.

OpenRMF Professional helps here as well by automating the ingest of data, relating it, showing compliance, tracking open items, and linking in task management (think Jira, ServiceNow, etc.) to help manage the work to be done.

One View of All Vulnerability Types

A third way we have seen commercial groups use OpenRMF Professional is as a single view that tracks all their CIS benchmark scans (Audit Compliance), DISA benchmark scans (SCAP or Audit Compliance), and manual checks, as well as software scans (SAST, DAST, etc.) and container scans.

Having a single place to see your deficiencies across software scans, patch scans, operating systems, and container scans, as well as policy/process/procedure issues, gives you a clear view of all the areas you need to address. Whether you are a cyber person, developer, engineer, administrator, analyst or the project manager, you can see the impact on your area.

The live POAM still allows you to track it all in one spot, apply severity and risk, and work toward mitigations and fixes.

Same Great Automation Around Cyber Compliance

When we initially set out to make OpenRMF Professional a solution for people, it was mainly driven by our experience doing all this manual work for U.S. Federal and specifically DoD customers. If you think about it, that is one of the largest multinational corporations in the world, so it certainly helps them.

However, we have also seen cybersecurity become extremely important in the last few years, and not just because of CMMC coming or U.S. Federal government-based cyber requirements. Commercial companies must show due diligence in protecting IT systems, software, data and processes. Adopting a known, good framework to track against is a great start.

All of the automation built into OpenRMF Professional, whether it is the tracking of vulnerability numbers and history, the live POAM, or even the compliance engine that generates and tracks deficiencies and areas of concern, works for commercial companies exactly the same way it does for U.S. Federal agencies.

We are all fighting the same fight.

Evaluate OpenRMF Professional for Yourself

Soteria Software’s OpenRMF Professional is revolutionizing the way you track RMF, FedRAMP and Cyber Compliance through automation! Whether you are tracking RMF and FedRAMP on their own right now, automating in a DevSecOps process, need a cyber compliance engine for your Software Factory, or are even migrating from on-premises to cloud infrastructure — OpenRMF Professional can help ease the workload and get you there faster.

You also will have a standardized, structured way to track your cyber compliance across all your teams and customers.

You are in essence building your own Cyber Compliance Factory!

Have all team members manage and import/update their specific data. Generate compliance with the click of a button. Then export your Checklist (CKL) files, System Security Plan (SSP), Security Assessment Report (SAR), and Risk Assessment Report (RAR), as well as your POAM, for your approved government or corporate system of record.

See for yourself by downloading a copy with an evaluation license!



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft