OpenRMF Professional helps you comply with NIST Controls as well!

Did you know… you can actually use OpenRMF Professional to comply with NIST controls in the CA, CM, PL, PM, RA, SA, and SC families? Well, you can. Not only does our OpenRMF Professional solution speed your ATO process, save massive time and money, and move you toward a Continuous ATO process; it also helps you comply with your required RMF and FedRAMP controls at the same time. Read below to see where and how.

Full list of NIST Controls that OpenRMF Professional implements and supports

OpenRMF Professional Helps Its Own Cause

You may already know that our OpenRMF Professional solution totally revolutionizes how you track RMF, FedRAMP and Cyber Compliance through automation. It helps automate cyber compliance, gives you actionable data for better cyber hygiene, and gets you on your way to proactive cyber security, as well as being the engine that gets your Continuous ATO processes out of fairytale land and into reality.

However, did you know it also helps you comply with key areas of the NIST Controls that make up FedRAMP, RMF and other frameworks as well? Several of these controls already fall into the RMF Low/Low/Low or higher classification of controls, so you have to comply with them regardless.

You may as well use a solution that automates that and helps meet the required NIST controls at the same time! We break them down by family and control below.

OpenRMF Professional by Soteria Software

Security Assessment and Authorization (CA)

For the CA family, our main goal of helping track Assessment and Authorization through automation is an easy fit. Along with continuous monitoring of vulnerabilities and scans, you can generate compliance against your RMF or FedRAMP controls across checklists, compliance statements, and inherited controls / common controls in an automated, repeatable fashion.

Our OpenRMF Professional solution ingests scans to track your ports/protocols/services automatically from the data you are already collecting. And the automated, live POAM feature helps fully meet several controls, including those in CA-5, by keeping POAM information accurate, relevant and truthful.

Whether you are a third party assessor, a government contractor, a federal or state agency, or any group adopting RMF as your standard, OpenRMF Professional makes your team’s job easier. And with version 2.8.5 coming out in November 2022, you can track the historical trends of compliance over time for your ATO packages by family or even by control or subcontrol!

  • Fully Implements — CA-5, CA-5(1)
  • Partially Implements — CA-1, CA-2, CA-2(1), CA-2(2), CA-2(3), CA-3, CA-6, CA-7, CA-7(1), CA-7(3)

Tracking compliance and trends over time

Configuration Management (CM)

Configuration Management is not a sexy topic to talk about. However, it is a must when it comes to tracking cyber compliance and security in general. With our solution we automatically track your checklist updates, POAM updates, and trends on vulnerability scoring, as well as hardware device listings and software list updates.

OpenRMF Professional also snapshots and saves compliance data over time so you can see where you started, where you are now, and everything in between. By using automation, you can put these items on auto-pilot and have our solution track things you NEVER even had time to track, using the scan data you already have at your fingertips.

Even tracking your development, test, and production environments for security posture, and showing the trends and differences between them, is made easier. And with our new features and add-ons coming out in 2023, you will be able to automate this as well!

  • Partially Implements — CM-1, CM-2, CM-2(1), CM-2(2), CM-2(3), CM-2(6), CM-4, CM-4(1), CM-4(2), CM-6, CM-7(3), CM-7(4), CM-7(5)

Planning (PL)

For the Planning family, we help by taking all the data you have in OpenRMF Professional and generating your System Security Plan (SSP) as well as a more detailed SSP Control to Vulnerability Matrix. All of it comes from your current scan data, structured, organized, and traceable throughout all your cyber compliance data.

Having all this information in one spot, related, correlated to controls, and tracked for trends and history is a key feature of our solution.

  • Fully Implements — PL-2

Program Management (PM)

With regard to Program Management, the OpenRMF Professional solution automatically tracks compliance and trends for your controls across your entire ATO package. And it can even do that for the inherited controls in other packages as well.

The big one here is the automated live POAM as well as tracking status and milestones. With our bi-directional POAM you can see what scan, statement, control, or vulnerability caused the POAM item. And it updates automatically based on the latest scan, bulk update, or manual entry from you and your team. All while tracking the editing history of the POAM entry as well.

Export that to a MS Excel file (eMASS-compatible format) and you can update your program of record with your latest compliance and risk information.

  • Fully Implements — PM-4
  • Partially Implements — PM-1, PM-5, PM-9, PM-14

Automated, live, bi-directional POAM for your compliance data

Risk Assessment (RA)

RMF and FedRAMP are about tracking, assessing and managing your cyber risks. For the RA family, OpenRMF Professional supports security categorization and tracks controls to your scans and vulnerability data, as well as to your compliance statements and inherited controls.

The trend analysis, showing score trends over time for your compliance scans, patch scans, and other scans (software, container, etc.), specifically helps you answer the vulnerability scanning controls.

  • Fully Implements — RA-5(6)
  • Partially Implements — RA-2, RA-3, RA-5, RA-5(2), RA-5(4)

Generate a Risk Assessment Report from all your ATO data automatically

System and Services Acquisition (SA)

In the System and Services Acquisition area, developer configuration management and testing/evaluation are aided by our ingesting of software scans and container scans. Linking all that information together with compliance scans and patch scans gives a single view into your ATO when it involves any software development component. And all of this is again tracked in our live POAM.

This is especially true if you are linking in our API with a software factory for automation around builds, gated releases, and cyber compliance.

  • Partially Implements — SA-10, SA-11, SA-11(1), SA-11(2), SA-11(8), SA-15(7), SA-15(8)

System and Communications Protection (SC)

The final family to consider is the System and Communications Protection group of controls, specifically the boundary protection control. Using OpenRMF Professional you can bring in your Nessus/ACAS or Rapid7 scans and automatically find all running ports, protocols, and services (PPSM) that you must track. And we give you tools to specify which boundaries they do or do not cross as well.

As with everything, the history of edits on these is handled for you with ease. In a 2023 update we are adding the ability to profile your devices so you can be alerted when any PPSM found does not match your device profile as well!

  • Partially Implements — SC-7

Free Evaluation — See For Yourself

As you can see from all of the above, OpenRMF Professional not only automates the cyber compliance processes, it helps you comply with them at the very same time!

Evaluate OpenRMF Professional for yourself and see how it will help you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, and YouTube videos, or even schedule a demo or a quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solutions they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft