OpenRMF Professional v2.8.5 — tracking compliance family score trends over time

The latest installment of our flagship product, OpenRMF Professional, brings great performance changes. We outlined what those are and why we did them here. Other than that, we had a new feature that was a by-product of reengineering our cyber compliance engine in this process — saving the compliance summary score by NIST control/subcontrol over time to show trends.

Automatically tracking Compliance of NIST Families for RMF

Tracking Compliance Trends Over Time

I do not know about you, but I NEVER tracked overall compliance of my RMF or FedRAMP ATO packages by family or by control/subcontrol. I just showed the latest one and used that as a basis for where we stood. It was too much information to track that by NIST family (AC), control (AC-2) or subcontrol (AC-2(4)) along with all the other patch vulnerabilities, checklist and scan vulnerabilities, compliance statements, data calls, POAM items, and all the other documentation required.

Not that I shouldn’t do it. But I mean come on! Who has time for that right?

I am a cyber ENGINEER not a cyber administrator! At least, I want to be…how in the world can I keep up with this level of detail?

Answer: a software solution when it is automated to do this job, that is how! Namely, OpenRMF Professional does this for you along with a host of other functions to help you and your team manage all your data around RMF and FedRAMP. And it does it well, quickly, collaboratively, and consistently while saving and tracking the compliance listing over time for you and your team.

Definition time: for OpenRMF Professional the compliance summary score or “compliance score” is defined as:

(total number of checklist or audit vulnerabilities, inherited controls, and compliance statements marked Open or Not Reviewed)

divided by

(total number of checklist or audit vulnerabilities, inherited controls, and compliance statements).

Basically, how many items you have “open” or “not reviewed” per control/subcontrol compared to the total number of items. Across your whole ATO. Down to the CCI in the vulnerability in each checklist, compliance statement, or inherited/common control.

Current Compliance Score by Control and Subcontrol with the AU family of NIST controls

Generating Compliance for your ATO or System Package

For a smaller ATO, generating a single compliance list for a moment-in-time is not entirely cumbersome to calculate and track when required. It may take you a couple weeks to track the detailed level of information on a listing of 100 checklists (with an average of 100 vulnerabilities each) for a small windows corporate network (20 machines).

For a medium sized or enterprise level ATO this takes several people coordinating efforts in steps over time to do this same thing. And your data will change as people update statements, do audit scans, update checklists, etc. So it is a constant moving target that cannot pause for a week or two while you calculate compliance every so often.

Generating and tracking compliance of your ATO or system package over time, with snapshots and scores

With OpenRMF Professional this can be done for you with the click of a button. Or now, even with an API call to say “please generate my latest compliance” and let our specific cyber compliance solution do the work.

From there, your cyber professionals can study areas that have a lot of issues, generate their test plan, study compliance statements and make sure inherited controls are still met correctly. And with the live POAM feature, they can see mitigations, track updates, and know when items are completed or accepted for their risk levels.

You have all your actionable data points at your fingertips now. All from one pane of glass, using the engineering data you already have in your scans.

This saves valuable time and money, reduces frustration and stress, and lets you and those around you know exactly where you stand on your cyber compliance. In near real time, as near as your latest scans you have uploaded allow.

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it will help you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft