Track RMF Compliance Down to the CCI Level in minutes with OpenRMF Professional v2.8.3

Dale Bingham
4 min readJul 5, 2022


Yes you read that right! Combine your Compliance Statements, automated SCAP scan checklists, automated CIS checklists, and Custom checklists. Run through our compliance engine. Within a couple minutes, see your full compliance down to the CCI Level.

Watch the video below to see how easy it is to track all of this with the latest offering from Soteria Software.

Use Compliance Statements for Full Compliance Status

With the new Compliance Statement feature update to OpenRMF Professional v2.8.3, now you can quickly track compliance of your ATO / system package all the way down to the individual CCI level, as well as at the RMF control and subcontrol level. You can quickly add compliance statements and status per Control/CCI combination where required or desired for your system package.

You can even export/import groups of statements based on status to share your desired, good answers with other system packages you are tracking in OpenRMF Professional!

Then generate your overall compliance by combining all checklists generated (from SCAP and CIS scans), custom checklists and your compliance statements to see where you actually stand against all required controls and subcontrols. Save that compliance and use it on reports, status, and to know where you are before assessments.

You also can run reports on older compliance versus a later or current compliance to see where you were versus where you are now (more below).

As you update scans, add / edit statements, and close vulnerabilities you can once again click the “Generate” button on the Compliance page and see where you are against your RMF or FedRAMP required compliance level. If you want to, you save that as well. Then compare old to new over time.

This will save you WEEKS of time. Yes, WEEKS. If not more. And it lets you generate compliance based on your real updated data from your team with the click of a button.

Your single source-of-truth in OpenRMF Professional will let you know exactly where you stand at any moment in time. And track history of all your vulnerabilities, changes, compliance updates, and patch vulnerability items through our automated scoring engine.

This is that single pane of glass you have been looking for all these years. We know. Because we have felt the pain! That is why this application is here.

Quickly Generate Compliance Status to the CCI

With all your information uploaded and saved, now you can run the new System Package Compliance Status report to show status by NIST control, CCI, and the sources (checklists and statements) that generated that status down to the CCI level. In seconds!

The new Compliance Status Report for Control / CCI status and source based on saved compliance data.

No more tracking YET-ANOTHER-SPREADSHEET with the list of CCIs you must have based on RMF or FedRAMP level, tailoring, overlays, and all that madness. Then another spreadsheet for your answers and source. And getting the latest scans and checklists to manually update that status of the CCIs. PLEASE Stop Doing That!

Have all your data for your system package in OpenRMF Professional. Then click a few buttons to generate your compliance, save it, and track all your reports and status in MINUTES!

And like we mentioned earlier, you can even run that new report, and point it at the different compliances you have saved over time to show your history, tracking, and (hopefully) how you and your team have improved! Use that along with the history of vulnerabilities in your checklists as well as your patch vulnerability scans for your reporting, your assessments, and to show your auditors how you got to where you are with compliance as well.

Are you doing that now by hand? Tracking compliance down to the CCI level and showing all the changes over time? Probably not if you are like most folks we talk to. Or if you are, it is a “before and after”, not all the times in between.

Well now you can do just that. And you can automate it.

Do the work. Automate the paperwork!

Inheritance Included!

These compliance statements can also be inherited from an infrastructure package, platform package, or common controls package you have in OpenRMF Professional as well!

You could even have a separate package with all the compliance statements, manual checklists, custom checklists to track your policy / process / procedure requirements. Then save all that and generate compliance just using that package. Then allow others to inherit from it so everyone has the same base common controls.

When you update the base common controls and regenerate compliance, a notification goes out to all those that inherit from you so they know to review the changes, and regenerate their own compliance to pull in the latest inherited information.

Try OpenRMF Professional for yourself!

Evaluate OpenRMF Professional for yourself and see how it can help you and your team achieve a faster ATO. With repeatable results. Using the same team. With a LOT LESS stress on them!

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft