RMF. Simplified.

Dale Bingham
9 min readDec 15, 2022


Nothing works more powerfully than simplicity. For the Risk Management Framework, map (or create) your processes and use OpenRMF Professional automation to simplify the RMF process into understandable, repeatable steps for you and your team.

In simple terms: Stop using the 1995 Rand McNally Road Atlas (manual RMF) and start using your cell phone with GPS and Waze (automated RMF with OpenRMF Professional) to navigate where you need to be.

Set your team up for successful RMF with automation and simplicity — OpenRMF Professional

A few Challenges with RMF

There are a few things that are challenging with applying and validating your Risk Management Framework cyber compliance. We will lay out a few below that are technical in nature. And some that are personal as well.

RMF is complicated. It is true, RMF is complicated. Especially if you are doing this manually (like it is 1995!). RMF’s goal is to get you and your team to be cyber compliant, have better cyber hygiene, and work toward better cyber security. There are many things to track here by design.

Imagine seeing a blueprint for a skyscraper in fine detail as a 12 year old. How overwhelmed and confused would you be if you had to understand all that?

RMF has many moving parts. You have process, procedure, security controls, computers, networks, physical security, training, and much much more. All rolled into a listing of NIST controls to group them by category or “family” so you can manage them better.

Imagine taking an elementary school grade class on a field trip and making sure everything stays on time, and everyone is safe. Herding cats anyone??

RMF involves many people who do not know where they fit. There are cyber personnel, program managers, engineers, administrators, analysts, developers, and other team members all working toward a goal of cyber compliance. On the way to better cyber hygiene and cyber security. There are a lot of tasks in RMF that cover many overlapping areas.

Imagine being a member of a US football team, playing in a game, and not knowing any of the plays in the playbook. How frustrating would that be? For you and your teammates!?

RMF involves disjointed data. There are scans of computers, patch OS scans, POAM files, reports, data calls, and a bunch of checklist files all over the place. And they all need to be working together and relatable in many directions

Imagine being in a scavenger hunt and trying to relate clues. But the clues are not very good. And they keep changing! How well would that go?

RMF reports are outdated as soon as you create them. Once you do a data call, the System Security Plan, the Risk Assessment Plan or the POAM…if anything on a scan or compliance statement changes that data is out of date. Having disjointed CKL, XLSX, PDF, and other files is a PITA to keep straight and up-to-date.

Imagine giving your 16 year old new driver an old Rand McNally map for directions. And then take away their cell phone or car automated driving directions and GPS. How well are they equipped to be successful?

RMF requires a LOT of documentation and proof. Because of the importance of cyber, you must show you know what you are doing and you are at least compliant with bare minimums. Or show mitigations and plans to get there. And again, all those CKL and XLSX files to show status an results are a pain to track and keep valid and updated. And there is a LOT of documentation to keep straight. Especially for larger accreditation boundaries.

Imagine all the paperwork you had to sign to get your home mortgage. Or take out a car loan. Or apply for an apartment lease. Then triple it! How much fun would that be? (he said sarcastically…)

Simple Solutions to those Challenges

Those examples above are all real. And all are relatable to personal experiences you may have gone through. And all can be daunting and frustrating.

The simple solution here: using our OpenRMF Professional solution. Match your teams processes and goals, and you can solve many if not all of the challenges listed above. And reduce the “RMF temperature” and the stress levels across your entire team. All at the same time. See how below.

Use an Automated Approach. STOP DOING MANUAL TASKS that do not add value. PLEASE! Automate those tasks that can be automated. Give yourself time back to do the cyber fixes. And have up-to-date information that is actionable at your fingertips to make that time much more productive.

Imagine having the Jetsons Robot (iRobot?) to automate the tasks around the house to keep it clean, neat, and organized. Then you can concentrate on all the harder things you need to get done in the house that take skills. It is like that, but for RMF and FedRAMP.

Match your compliance scans to checklists automatically. Automatically take scans, upload them, and match them to your current checklists to keep them updated. Use templates, audit compliance scans, CIS scans and other data to know exactly where your ATO boundary scans. Even include container and software scans for a software factory setup.

Imagine needing a tool to hang a picture, fix a door, put your kids toys together, or putting together your kids furniture for the house or college. And going to the toolbox or your set of tools and picking the exact right tool every single time no matter what you are trying to fix or assemble. It is like that, but for RMF and FedRAMP.

Track all your vulnerability trends instantly. By having a central place for all scans, you can track your Critical, High, Medium, and Low vulnerabilities for compliance, patches, and other items like software and container scans. As you upload the latest scans into the OpenRMF Professional solution you are building your history and tracking your trends. Automatically.

Imaging having the sports announcers at sporting games with all the history, examples, people, players, trends, analysis and up-to-date scores of all the games you like. All on one screen instantly. It is like that, but for RMF and FedRAMP.

Relate compliance to required controls easily. Click the Generate Compliance button and related all audit compliance checklists, compliance statements, and inherited controls to the NIST controls you have to answer to. Track the overall status of each control to that data point that created it. Then report on it easily. All from one central solution.

Imagine going to a country you barely know and being able to translate the language easily and beautifully. With all the nuances to go with it. It is like that just for RMF and FedRAMP.

Track the compliance over time automatically. From all the data collected and generated compliance (see above), track trends over time with percentage of compliance per NIST control or subcontrol. Do things like this people just do not do because of the massive amount of data and time it takes just to do it. And automate it. Make the computer do it for you.

Imagine viewing your vehicle’s service records, usage, gas mileage, and stats from the time you bought it all the way up to now. Including every oil change. Every service call. Every tire change. And every trip odometer. So you know exactly where you started, where you are, how you got there, and how healthy your vehicle is right now. It is like that just for RMF and FedRAMP.

Generate required documentation with a mouse click. Create your SSP, SAR, RAR, POAM, Test Plan, PPTX Summary all from the data you collected and organized already. All up to date based on your latest scans. Instantly.

Imagine filling out one of those forms for your kids school trip, sports team, or college application. But you click a few buttons and everything is filled out exactly where it goes based on all their latest grades, skills, age, and choices. Yes, it is like that just for RMF and FedRAMP.

Have a central repository to track all data changes. Built in configuration management shows you who did what, where, when, why and how. It shows older compliance checklists and vulnerabilities and tracks changes and trends to where you are now and everywhere in between. And the built in auditing shows what is happening on every CRUD action, list, good or bad.

Imagine going to your city or state archives and seeing the map of your state capital over time from the day it was incorporated. Every street name change. Every building that was built, updated, demolished, and rebuilt. It’s like that just for RMF and FedRAMP.

API interface to automate the data ingest and export. To take this even further, have Python scripts or even shell scripts to call the scanners, collect the results, and automatically put them into OpenRMF Professional. This gives you a near real-time compliance engine to know right where you are!

Imagine the newer home automation apps that can turn your lights on, set them to a certain brightness, turn on your music, lock your doors, activate your Christmas lights and turn and off your sprinklers and landscape outdoor lights. It’s like that just for RMF and FedRAMP.

Now stop imagining and go get OpenRMF Professional!

Examples in Use

All this talk is fine. And the ideas and visuals created make perfect sense. But you want to know about real world examples you can relate to? Ok see below.

Scanning and Vulnerabilities. Do your scans. Load them into OpenRMF Professional. Make new checklists, update current ones, see the impact of vulnerability changes automatically. Run reports for data calls and task lists of fixes to perform. Get actionable data in minutes from loading all your scans in one spot for your whole team.

Teamwork. Do what our USAF group in Germany does and load all your scans for devices. Then separate them into Team Subpackages within OpenRMF Professional so your specific team sees only they data they need to manage and edit. Network folks see switches and firewall devices. The Linux team has all the Red Hat servers. The desktop team sees all the information around the Windows workstations. And they focus on just their part of the playbook.

Cyber. Have all the compliance data, patch vulnerability data, trends, compliance statements, POAM, inheritance, common controls, and generated compliance snapshots all in one place. View all this data from the lens of cyber compliance, cyber hygiene, and cyber security. And be able to relate it to the team in charge of the areas you are viewing.

Program Manager. Have a single spot to see all the data, the timeline, the trends, the POAM, the mitigations and generate documentation. Even generate a PPTX presentation for status updates in seconds. All from one tool that tracks configuration management of all your data at the same time.

Need more? Download it locally, set it up on your infrastructure (even disconnected from the Internet) and test it out for yourself for 30 days to see how OpenRMF Professional fits with your specific cyber compliance needs. Get a license to fully unlock it for 30 days and see the future!

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it will help you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft