RMF Continuous Authorization and Monitoring with OpenRMF Professional

Dale Bingham
8 min readMar 6, 2023


Use Soteria Software’s OpenRMF Professional to continually automate your Risk Management Framework (RMF) steps and the tasks involved. Reduce risk while reducing costs and manual tasks through automation of scans, trends, compliance, reporting, and live POAM tracking.

Automate RMF steps with OpenRMF Professional

Summary (TL;DR)

The Risk Management Framework is a cyber compliance framework used by many government and commercial entities to track cyber compliance, enable better cyber hygiene, and proactively work toward better cyber security.

OpenRMF Professional automates a vast majority of the steps associated with RMF. The areas we chose to concentrate on are those areas that are the most time consuming, soul sucking steps where a large majority of the work is performed. Using the updated RMF 7 Step process that starts with the Prepare step, we focused strongly on Steps 3–7.

We did this through automation applied on the scans you are already doing, making a live bi-directional POAM, allowing ease of checklist updates through bulk edit and templating, as well as built in configuration management of data and automatic trend tracking and analysis.

Allow your WHOLE TEAM to collaborate in ONE PLACE so all the data is related, viewed, seen, reported on, and updated in one spot across all types of scans and data. Then export out your formatted XLSX files, checklist artifacts, trends and ConMon charts, even a PowerPoint status presentation automatically generated from your own information.

OpenRMF Professional dashboard for tracking your portfolio of RMF accreditation packages

Risk Management Framework (RMF)

The NIST Risk Management Framework is a very mature set of processes that provides you and your team a common cyber compliance framework. There are many scanning tools, articles, PDFs, instructions, SOPs and other information available for RMF to support you and your team using this framework. And for the US Federal Government it is all but mandatory.

Even state, local, international governments as well as commercial entities are adopting RMF for its framework standard for their critical infrastructure and cyber framework.

There is a Prepare step, and then 6 steps in succession that have specific tasks to work toward compliance. These steps can involve hundreds of controls to adopt and apply to your infrastructure. For larger agencies and entities with sensitive data this can quickly escalate into thousands of controls you must track across your infrastructure, processes, people, and policies.

It can be VERY daunting…if you do not automate.

High Level Features of OpenRMF Professional

OpenRMF Professional works across all levels of teams to take in compliance scans, patch scans, and other vulnerability scans (software, container, IaC) and relates them all to your network or accreditation boundary simply and easily. See your total open vulnerabilities, trends, and compliance in one spot.

Whether you are on a connected network or totally disconnected from any other network, you can use our automation solution to make your teams job much easier and much more fulfilling.

Automatically keep up-to-date with a live POAM that is bi-directional in nature. Add in compliance statements, inheritance and common controls. And generate compliance against all the controls you must track with the click of a button.

You can view your trends of vulnerabilities, compliance, and other data with the built in automation for history and data tracking. And run your data calls on open items, hardware, software, ports/protocols/services used. And use the data to show your team which are the hot areas of the infrastructure right now that are vulnerable and need the most focus.

Track your whole portfolio of projects, platforms and accreditations in a role based web interface. That has an API to automate even further!

Steps 1 and 2: Prepare and Categorize

Where RMF is concerned, these steps allow you to define your boundary and all assets included. It also is where you collect the types of systems and applications you have in that boundary, which will guide you to the overall impact and system categorization. There are plenty of processes, procedures, best practices and policies that dictate these steps.

This is done as you have always done it. OpenRMF Professional uses this information to guide and automate the rest of the steps in the RMF process. If you need help in this area, reach out to us and we can introduce you to one of our value added resellers.

The remaining steps outlined below are where most of the work is done. Where the difficulty is in tracking larger sets of data. Where your team is stressed and overburdened. And where our automation takes charge and enables your team to make better informed decisions easily.

Step 3: Select

Here is where OpenRMF Professional starts to shine! Create your system package. Apply the RMF levels for confidentiality, integrity, and availability (CIA). Include any tailoring of those controls from earlier steps. And add any overlays of additional controls from those steps as well.

All RMF and FedRAMP revision 4 and 5 controls are listed to use. And they automatically line up with your control correlation identifiers (CCI) to help track compliance.

Add in common controls and inheritance, and you are ready to start tracking your data in minutes! We even have reports to help you view available controls and CCIs to help in this process.

Step 4: Implement

This step is where the heavy lifting begins, with tracking all data in your RMF process toward authorization and continuous monitoring. Run your SCAP and Audit Compliance scans and upload raw results that create and update your compliance checklists. Use templates for boilerplate answers and manual checks. And bulk edit other vulnerabilities to make this job easier and more structured.

Pull in patch scans, container scans, software scans and other vulnerability scans into one place. Automatically track status in your live POAM that is kept up-to-date and tracked historically.

With the latest updates you can also use Evaluate-STIG, OpenSCAP, Nessus/ACAS Audit Compliance CIS scans, as well as Tanium CSV data and HBSS SCAP as well. There are multiple types of scan data we take in natively, and we have a universal format for other types of data as well.

You can even automate the scanning and ingest using our API for even greater speed and accuracy, in a standard way across all teams.

Using OpenRMF Professional, you view all that information under one pane of glass easily, and relate it to all the other steps in the RMF process.

RMF Step 4: Implement and track your data automatically with OpenRMF Professional

Step 5: Assess

Now that you have all that data in one spot, you can start to assess. Notice trends. See “problem children” devices and types of checks that are causing the most heartache. This enables you to make decisions based on real data and kickstart your cyber compliance into gear toward better cyber hygiene.

Run data reports. Track and recalculate compliance based on the latest data. See live POAM status based on RMF Step 4. Load compliance statements. Fix and patch devices and rescan them to update your compliance checklists. Calculate your cyber readiness (CCRI).

All in one spot. All in an automated fashion. The same way. Across multiple teams. With role based access and auditing on every action done to your data.

Automatically relate patch vulnerability data and trends, broken down by device and history

Step 6: Authorize

When ready, have your government Security Control Assessor (SCA) sit down side-by-side and view all you and your team have done toward your RMF status and authorization. Generate your test plan and send it before they arrive. Show them past, present, and where you are going and trending toward better cyber hygiene and cyber security.

Generate reports, data calls, and required documentation. Even set them up a temporary system package and have them ACTUALLY LOAD the same scans to show where you and your team are based on the latest scans. Then compare to your active RMF package in OpenRMF Professional for accuracy and verification. And build trust with your assessor in your data and your team along the way!

Even have a 3rd party assessor or your internal teams view your data and track progress periodically. If they have access to your OpenRMF Professional installation over the network, they can view what you have done so far and where you are going.

No matter where they are in the world.

Step 7: Monitor (Continuously)

Doing all those steps previously is the start of RMF for sure. More and more, agencies and corporations want Step 7 to be THE STEP you concentrate on quite a bit that feeds back to the other steps.

This is where you proactively take in scans, automatically update vulnerability data, automatically track your live POAM progress and keep your eyes on newer devices and ports/protocols/services that pop up along the way.

Actively monitoring the cyber hygiene of your network, applications, and devices through OpenRMF Professional automation allows this step to truly happen. And this informs your technical team, management team, analysts, as well as higher level directors and agency representatives where you are and where you are going toward your authorization.

It is also proof that you are doing your job. In a structured and repeatable way. That is beneficial for everyone involved. And that reduces the task-oriented workload and enables cyber engineers to do ENGINEERING!

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time, money and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft