Track Evidence and File Attachments for Cyber Compliance in OpenRMF Professional

Dale Bingham
5 min read · Sep 1, 2023

Tracking your cyber compliance for RMF, FedRAMP, StateRAMP, and the like requires more than scanning! To show all angles of cyber compliance, it also requires evidence in the form of PDF, DOCX, PNG/JPG screenshots, write-ups, and other documents that are not checklists or vulnerability scans.

OpenRMF Professional v2.9 now allows for that with Evidence Management: for your whole ATO / accreditation package, for POAM items, for checklist vulnerabilities, or even for compliance statements. Quickly see how below.

OpenRMF Professional v2.9 with Evidence Management

Why do you even need Evidence to Show?

A lot of the cyber compliance work in RMF, FedRAMP, StateRAMP, and other frameworks deals with scanning against baselines and patch-level vulnerabilities. That gives you results that OpenRMF Professional ingests and automates around fairly easily and rapidly.

However, there are several areas that are not “automated” per se. Things like awareness and training, program management, supply chain, and even incident response. Some of those are policy or process driven. That is where documentation comes into play.

With our latest update, now you can add those documents to track your whole accreditation or system package in one area. And add in program management reports, PPTX, reviews, or notes just the same.

You also may need evidence for mitigations on vulnerabilities or POAM items, to show the defense-in-depth that mitigates a threat down to a lower risk level. You could also show “this is a false positive” with actual screenshots instead of a “word of mouth, trust me” kind of review.

Any of these and more are covered with the OpenRMF Professional v2.9 release. We have had a few customers ask for this specifically, along with other bulk updates and features in v2.9. So we responded and added those features in for all to use.

Now, even more of the cyber compliance process can be structured, repeatable, and automated including tracking documents and evidence. All in one web-based application. With role based access and security built-in for your whole portfolio of projects and products.

Adding Evidence to your ATO or Accreditation System Package

To add evidence, click the Documentation menu, go to Upload evidence, and drag/drop your files. Or you can use our API to upload documents as well. Once uploaded, all users with at least read-only access can see, view, and download the files one at a time or in bulk.

This gives great organization to all the information needed when going after accreditation and authorization of your program or network infrastructure. And you know exactly what to use, where it is, and who has accessed and updated it using OpenRMF Professional.

Adding Evidence for POAM items

To specifically add evidence to an individual POAM item, you can log in with proper credentials and click the ... menu to access that feature. Click the “Add Evidence” link, drop in your file, add a title and description and then upload it. Or use the API to do the same thing.

Your file is now linked in your system package and specifically linked to that individual POAM item as well. You can get to it through the POAM or through the evidence listing screen as well.

Add evidence to POAM items listed for your system package

Adding Evidence for Checklist Vulnerabilities

You also may need to add a file or screenshot to an individual checklist vulnerability. You can follow a similar process as above: find the checklist, find the vulnerability, click on it to make it active, then click the Evidence button (again, if you have permission).

Drop in your file, add a title and description and then upload it. Or use the API to do the same thing.

Your file is now linked in your system package and specifically linked to that individual checklist vulnerability as well. You can get to it through the checklist vulnerability details or through the evidence listing screen as well.

If the same evidence applies to more than one checklist, you can add it as a general (system package) document and reference it in the details or comments through the Bulk Edit Vulnerability screen as well!

Add evidence to individual vulnerability items in checklists

Adding Evidence for your Compliance Statements

Finally, add evidence to a specific compliance statement by listing the compliance statements and clicking the ... menu to access that feature. Click the “Add Evidence” link, drop in your file, add a title and description and then upload it. Or use the API to do the same thing.

Your file is now linked in your system package and specifically linked to that individual compliance statement as well. You can get to it through the compliance statement listing screen or through the evidence listing screen as well.

Add evidence for your compliance statements as well

Free Evaluation — See For Yourself

As you can see from all this above, OpenRMF Professional v2.9 allows you to do so much more with the information you already have in your cyber compliance processes, whether scan results, documents, or even screenshots. And it does it automatically, giving you back precious time, money, and resources.

This lets you map your processes and procedures around your chosen cyber framework to our solution. Or adjust those processes and procedures around the automation that OpenRMF Professional provides.

It enables better cyber hygiene to reduce security risks and costs, as well as improve security posture.

And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.


Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft