This is What’s New in OpenRMF Professional v2.8.6

Dale Bingham
4 min readFeb 6


We have added several great features for the latest release. Automated Cyber Readiness (CCRI). Loading of hardware and software lists for easier add/edit. Loading of ports/protocols/services list for easier add/edit. Universal patch vulnerability format for patch scans. Loading compliance statements and mitigation statements from .xlsx, .csv, or JSON. Expanded API for improved automation and integration. And updated 3rd party Keycloak and Elastic Stack components for OpenJDK fixes.

OpenRMF Professional v2.8.6 now with CCRI and better bulk data management

Automated CCRI

With the latest release of OpenRMF Professional v2.8.6, we have added the automated Cyber Readiness Scoring engine. Commonly referred to as Command Cyber Readiness Inspection (CCRI) in US Federal and DoD circles, this gives weighted values to types of open vulnerabilities by category and severity. And produces a risk score you can match to a defined scale to know your risk and risk tolerance.

For instance, you can have open CAT 1 / High vulnerabilities with a weight of 7.0 because of their greater impact. And then CAT 2 / Medium with a weight of 4.0 and CAT 1 / Low with a weight of 1.0. With that you quickly get a Readiness Score in OpenRMF Professional. We already had the listing of checklists and compliance, patch vulnerability data, and even software and container vulnerability data in our Technology Scan area.

With this new feature added you can instantly calculate those Cyber Readiness Scores and see where you sit currently from a risk perspective. You also can export that information to MS Excel to report on the readiness. And we have reports to group by operating system, host, type, and project.

You can even expand current CCRI processes to include your software scans and container scans in the process using our application.

And for those doing CCRI, this makes that process much, much faster and a lot less stressful!

View instant Cyber Readiness Scores for your CCRI and Risk Management team

Uploading Lists to add/edit Information Easier

There are several areas where being able to upload a list made editing and adding data a lot faster. We added this ability in JSON, CSV, or XLSX files to several areas for ease of use. And we also added those same calls to our external API so integration for adding/editing/reading that data was faster as well.

Compliance statements, mitigation statements, as well as the lists of hardware, software, and ports/protocols/services for your ATO or system package can now be added and edited this way. This is in addition to automatically pulling the hardware, software, and ports/protocols/services from your Tenable Nessus or Rapid7 Nexpose scan already.

Upload lists for faster adding or bulk editing your hardware, software, PPSM, compliance and mitigations.

OpenJDK Vulnerability Fixes

We have 2 third party applications in OpenRMF Professional that are Java based and required an update. Keycloak and the Elastic Stack (Elasticsearch, Logstash, Kibana). Keycloak for AuthN/AuthZ and Elastic Stack for logging and display. Both are Java based. And both versions had an older JDK.

In this release we updated those for vulnerability fixes and better compliance for your network installation. In our latest release the included Keycloak is at version 20. And the Elastic Stack is at 8.5.

Expanded API for Integration and Hyper Automation

Finally, we have added API calls for the new Cyber Readiness feature as well as management your templates, uploading JSON for hardware, software and ports/protocols/services lists, as well as uploading CSV and XLSX files for those lists to do bulk add and edit. You also can bulk add compliance statements and mitigation statements in the same way to quickly setup your system package for your ATO or accreditation boundary.

And by request, we now have a universal patch vulnerability data format for those not using the common Tenable Nessus or Rapid7 Nexpose scanners. As long as it is in that data format, we can take in and track your patch vulnerability data from any scanner used. And we are adding more native types in our roadmap as we move forward.

All in all we added about 19 new calls to automate our automation engine! You can quickly integrate and script setup to make your ATO and accreditation process even faster.

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time, money and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft