OpenRMF Professional v2.8.3 Feature Release with Compliance Statements and Rapid7 Support!

With our new feature release out July 8th, Soteria Software has added compliance statements and detailed compliance reporting for you, your ISSO/ISSM/ISSE and Cyber team. We also included NIST 800–53 Revision 5 controls and corresponding CCIs to use. Finally, we also added support for using Rapid7 Nexpose SCAP and Full Audit scan data.

Compliance Statement feature to add detailed Control — CCI status and statements for full compliance

Adding Compliance Statements to your System Package / ATO

In this feature release we added a way to include compliance statements down to the CCI level. So those statements and status you track per Control — CCI combination can now be added to your system package. Click the “Generate Compliance” button and have all CCIs from all checklist vulnerabilities from scans, custom checklists, and now compliance statements processed to give you compliance down to the NIST control and subcontrol level. This is tracked and listed based on RMF or FedRAMP level, tailoring, and overlays (if any).

You can even filter the listings, save them off as XML files, and reuse them on other system packages or other OpenRMF Professional installations to make your teams job easier and consistent.

We also have a report (the section just below) to show compliance for your system package per CCI, overall status, and the source of that status (checklist and/or statement) as well. This lets you find all relevant data, filter on status, and get the detail you need for your compliance data. In seconds!

You can even run this report against older compliance data generated and saved to see the before and after or trends over time. See the deep dive video at

Compliance Reporting to the CCI Level

There are 2 reports added for this level of compliance tracking. One is to show all CCIs required for your system package based on RMF or FedRAMP level, tailoring, and overlays (if any). It is just a listing of all you must answer to at some level.

The other one gives that same data and adds the overall status of that CCI as well as the sources that generated that status. As usual, you can filter this data (see the image below) and export to MS Excel for other uses and reporting.

Generate Compliance in your System Package down to the CCI level, with filtering and export

Rapid7 Nexpose Support

We had a few requests for Rapid7 support so now you have it! We can take in the Rapid7 Nexpose SCAP XCCDF XML export from a device scan and match it to the checklist just like we do with DISA SCC, OpenSCAP and Tenable Nessus SCAP scans. All the other goodness and automation baked into OpenRMF Professional takes over from there!

We also support the Full Audit w/o Web Spider (web spider = too much junk and non-compliant XML data) as a Nexpose 2.0 XML format file and use that just like the Nessus patch vulnerability scan .nessus file we already supported. Read in and update patch vulnerabilities, software listing, hardware listing, and the ports/protocols/services list as well.

Now agencies and commercial groups that depend on Rapid7 Nexpose can use OpenRMF Professional for tracking history, generating compliance, updating the live POAM, and generating all the documentation required for ATOs and compliance audits!

Use Rapid7 Nexpose SCAP scan and Full Audit scan to generate data for import into your System Packages

Added Graphs and Charts for Tracking Vulnerabilities

Along with the detailed compliance reports, we added 4 new charts for showing vulnerability and system package data visually. Sometimes, a picture IS worth 1,000 words! And it is easier to digest than just reading text on a page.

The newer visual reports are listed below. They show the same types of vulnerabilities as other reports, but these are from the viewpoint of the hardware device itself. Not just “what checklists do we have for this device and any open vulnerabilities”. The total number per devices so you can tell which have the most and quickly discern priority of your team to patch and fix the machines.

All from the most up-to-date consolidated data from all scans in your source of truth for your total system package data: OpenRMF Professional!

  • Show Devices with CAT 1 Open or Not Reviewed checklist vulnerabilities
  • Show Devices with any Open CAT 1, 2, or 3 Open checklist vulnerabilities
  • Show Devices with Critical or High Patch Vulnerabilities
  • Show Devices by Operating System
Charts to show checklist or patch vulnerability data per device across all scans

Free Evaluation — See For Yourself

Evaluate OpenRMF Professional for yourself and see how it will help you and your team achieve a faster ATO and compliance audit. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them!

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources.



CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft