The OpenRMF Professional Difference

Dale Bingham
6 min readApr 18, 2023

There are several good GRC tools out there. What sets OpenRMF Professional apart? A few things stand out immediately.

1 — Automating cyber compliance around the scans you are already doing!

2 — Hyper Automation around your compliance data to make it work for you.

3 — Team Collaboration around all your cyber compliance data and processes.

4 — install, setup, and use on Day 1 with a little work, quick setup, and very little configuration.

OpenRMF Professional System Package Dashboard (coming in v2.9)

OpenRMF Professional in a Nutshell

OpenRMF Professional is a revolution in cyber compliance automation for Risk Management Framework (RMF), FedRAMP, and any other NIST 800–53 control based compliance framework.

Our solution takes in all your scan data, checklists, compliance statements, inherited controls and other information and automatically relates that to your RMF, FedRAMP or NIST 800–53 require controls. You can instantly automate updating your POAM status. Keep track of all checklist data from raw scan updates, manual updates or our bulk vulnerability edit feature. Setup compliance statements. Bring in inherited controls.

All from one solution that is web based, with role based access as well as group permissions and auditing at multiple levels.

See the four main areas below on where we differentiate ourselves for you and your team. Then download and evaluate for yourself!

1 — Automating Around Your Current Scans

OpenRMF Professional takes in the scans you are already doing and automates around them FOR YOU! You can use your raw SCAP scans or audit compliance CIS benchmark scans and quickly see where you are with regard to required compliance.

You can do this by using the UI or our external API to automate even further. See examples of scripts and data in our public GitHub repo.

You can even use the US Government SCC or Evaluate-STIG CKL results from scans. Or Tanium CSV exports of SCAP. Even the Rapid7 Nexpose ARF format. All those can be matched to checklists that fill out and track vulnerabilities and compliance to your required NIST 800–53 controls.

You also can use your Nessus/ACAS or Rapid7 Nexpose raw patch scan results. Or really any patch scanner as we have a universal format for ingesting those as well! That means your choice of tools here is limited only by you. Then track your patch vulnerabilities and trends.

Finally, we pull in Fortify or SonarQube/SonarCloud scan results for software scans. Or once again, we have a universal format for pulling on other scans for software, containers, logs, infrastructure, or any other type of scan you need to track for your accreditation package or ATO.

You are already doing the scans. Make them work for you!

Patch vulnerability scans showing continuous monitoring and progress automatically

2 — Hyper Automation Around Your Data

Now that your data is ingested, we take automation even further.

Automatically fill out your POAM and keep it up-to-date based on your latest uploaded/updated data on scans and compliance statements.

Automatically track trends on vulnerabilities from all scans, including software and container scans if you need that.

Automate your cyber compliance scores (a.k.a. Command Cyber Readiness Inspection or CCRI) instantly based on your most up-to-date data.

Automatically track the number of open vulnerability items per area and the number of active checklists.

Automatically related every single checklist — vulnerability — CCI, compliance statement, and inherited or common control to all cyber compliance controls you have to meet. And keep track of that trend over time with snapshots.

Have boilerplate pre-filled checklists with common answers and locked vulnerabilities so false positives are a thing of the past.

And save every single edit of all data to have traceability on who did what/where/when/why/how across your cyber compliance data.

All in one spot. All AUTOMATICALLY!

Automated Live POAM to keep all data up-to-date and tracked

3 — Team Collaboration for Cyber Compliance

With your information in one spot or single “pane of glass”, now your team can collaborate easier and get their jobs done faster.

Cyber compliance, RMF and all the cyber compliance frameworks look like magic to those not in the cyber space. OpenRMF Professional was designed to be collaborative from day 1 to help alleviate this problem.

You see your specific data, your impact, and the information in your accreditation package relates to anyone where an analyst, cyber specialist, system administrator, program manager, assessor or anyone that needs to see that information.

View the compliance data across all checklists, statements, and inherited information. See a checklist filtered by a certain NIST control or subcontrol. Show what has been fix, what has not, and the severity of the problem. Filter checklists to show only those with open vulnerabilities.

No matter what your role or what you are looking to do, we have a view for you to use.

Generate compliance with a single button click, and relate all data to your control listing instantly

See the POAM from the lens of a checklist, device, or vulnerability. And link right back to that issue from the POAM itself directly.

Cyber compliance is a team event. At least it should be. And it is continuously in motion. The whole team needs to know their part of the “playbook” and what role they play. Having one spot for viewing all this information in a way that makes sense to YOUR PART of the team makes this process much easier, faster, and a lot less stressful.

It also makes this process repeatable across multiple teams in a process driven way based on real data.

4 — Easy Install, Setup, and Use on Day 1

Installation and setup can be done in 15 minutes. We have seen it happen!

You do not have to configure massive numbers of questions, workflows, gates, and have a Masters Degree in the application tooling to get it to work. You also do not need an OpenRMF Professional specialist to install and run this. Anyone on your current team that is good at installing software and following guides can get this running for you fairly easily.

You can pull down an OVA file to make a quick virtual machine (VM). You can use our Ansible script for a quick setup in minutes. Or you can even do a manual installation if you prefer. With video tutorials on all the ways to setup and configure OpenRMF Professional, the install is fairly easy.

Load the license/key to get going and you are now ready to use OpenRMF Professional! Create a new system package. Upload your scans. See them work for you in minutes.

We have documentation on CAC login, Windows AD login, HTTPS setup, ELK Stack logging configuration as well as Quicksheets (step-by-step short guides) on everything from group permissions to generating compliance and tracking history.

We even have a video on demand training site setup to show off features and walkthrough use cases. And a series on “A Day in the Life” to show how all your teams can collaboratively use OpenRMF Professional for your cyber compliance needs.

Extensive Documentation and Quicksheets to get your team started rapidly

Evaluate for Yourself and Your Team

As you can see from all this above, OpenRMF Professional allows you to do more with the information you already have in your cyber compliance processes. And it does it automatically, giving you back precious time, money and resources.

This enables better cyber hygiene to reduce security risks and costs, as well as improve security posture. And it allows you and your team to track all projects, programs, and system level cyber compliance in your portfolio in one place.

Evaluate OpenRMF Professional for yourself and see how it helps you and your team achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft