Organize Your ATO Process with Team Subpackages

Your cyber personnel and program manager see and manage all your ATO information and status! Your system admins only see their checklists and devices. Your developers only see their checklists and devices. And your network admins only see their data. However, the automated compliance, POAM, vulnerability tracking and reporting is still working for you across your entire ATO system package all the time.

This is how you use OpenRMF Professional and its Team Subpackages concept to group information for your teams and impact areas. Divide and conquer the workload faster with consistency every time.

ATOs with Team Subpackages to manage team workload and move faster in OpenRMF Professional

ATO Process and Tracking Information

Tracking all the RMF and FedRAMP control compliance with checklists and statements, updating patch information, tracking vulnerabilities, updating checklists and managing the workload it is a LOT for even a small team to keep up with. All the while making sure you have the correct data. And that people are only editing THEIR data in the process.

From the demos and conversations we have had over the last couple of years at Soteria Software with customers and resellers, a lot of groups and agencies still use “Excel Hell”, CKL files, and other PDF reports to email back and forth the data, update checklists, track compliance manually, see what controls they must meet, generate SSP and reports or just answer data calls.

If you are tracking multiple ATOs that is a stressful nightmare!

With OpenRMF Professional you can automate most of those processes, keep the POAM automatically updated, bulk edit your checklists, upload patches, and keep your current compliance up to date with the click of a button.

That said, you probably DO NOT want every single person to be able to see every single patch, hardware, checklist, and vulnerability or worry on compliance and POAM data that is not their role or responsibility.

You want your teams focused on their part of the work.

YT Deep Dive on Team Subpackages

Divide up the Workload

That is where Team Subpackages come in! The concept was coined by our CISO Dave Gould, and allows you to gather checklists and/or hardware devices into logical groups. Then give access for users to JUST that group. Let them edit and update checklists. Let them bulk update if need be, but only their checklist data. Let them update the hardware patch scan data, hardware and software listing, and see the PPSM data as well. They can even use API calls designed to automate managing the Team Subpackage data at that level.

And only let them see and/or update THEIR OWN data. Not everyone else’s data.

Leave out the POAM, tailoring, compliance statements and listing, overlays, SSP and the other items that the owners of the package and the cyber security professionals see and manage. And get your team to just focus on their specific data in the system package / ATO.

Setup Team Subpackages for your ATO System Package so groups can manage their own data.

Track your ATO at the proper level

With Team Subpackages, your team can update their own data at the proper level. You keep all the automation of the updated scores, POAM, generating compliance, notifications, and the goodness that is OpenRMF Professional running behind the scenes for the whole system package so you still make everyone’s job easier!

The teams just manage and track their own data. And the personnel that view and manage the whole system package / ATO can see everything at their proper level. All the updates from the teams in Team Subpackages go into the same checklists, SSP, compliance, notifications, and vulnerability data and reports like they would if they were updating data at the main system package level. So the personnel managing the system package can see the updated data, notifications, and regenerate compliance once the teams have updated their part of the package.

It is the same great features and functionality of OpenRMF Professional, just used as a subset for a small team or group.

Delegate, Trust by Verify, and Move Faster

What this lets your cyber professions and program managers do is delegate the work down to those that do it every single day. Without accidentally updating the wrong checklist or scan or editing the POAM or compliance data they should not be changing.

Allowing each team to see only their information, manage their data, run reports on their checklists and vulnerabilities, while the cyber and program managers collectively track the whole system package / ATO is what OpenRMF Professional was designed to do. Ease the manual labor and non-value-added updates. Automate tracking and compliance. Automate the POAM. Let you easily see status and run reports and answer data calls. And give you back time to harden your systems and applications.

Do the work. Automate the paperwork!

Evaluate OpenRMF Professional for Free

Soteria Software’s OpenRMF Professional is revolutionizing the way you track RMF, FedRAMP and Cyber Compliance through automation! Whether you are tracking RMF and FedRAMP right now by itself, automating in a DevSecOps process, need a cyber compliance engine for your Software Factory or are even migrating on premise to cloud infrastructure — OpenRMF Professional can help ease the workload and get you there faster.

You also will have a standardized, structured way to track your cyber compliance across all your teams and customers.

You are in essence building your own Cyber Compliance Factory!

Have all team members manage and import/update their specific data. Generate compliance with a click of a button. Then export your Checklist (CKL) files, System Security Plan (SSP), Security Assessment Report (SAR), Risk Assessment Report (RAR) as well as your POAM for your approved government or corporate system of record.

See for yourself by downloading a copy with an evaluation license!



CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft