What You Need to Get Moving with OpenRMF Professional

Dale Bingham
4 min readApr 25, 2024


This quick article explains what files, scans, and information you need to quickly get OpenRMF Professional working for you and your team. Use these and in a few minutes you can see where you are, where you need to go, and how to get there. With minimal training / help files. And without paying someone hundreds of dollars an hour to “configure” and “customize” your automated cyber compliance solution.

OpenRMF Professional Dashboard listing System Packages based on RBAC

Scans, Files, and System Package Information

There are a few things you need to get going for your System Package (ATO, accreditation boundary, IATT) in OpenRMF Professional. They are listed below:

  • RMF, FedRAMP, StateRAMP level or Custom NIST 80–53 control listing
  • SCAP results, Nessus Audit Compliance results, and/or CKL checklist files
  • Nessus / ACAS , Rapid7 or other generic credentialed patch vulnerability scan results

With that you can quickly create a new system package, set your compliance type and levels, tailor any controls needed and add any overlays.

Then you upload SCAP and checklist files, upload your credentialed patch scans, click the “Create POAM” button, then generate compliance based on all this scan data.

You literally automate from the ground up. Using the scans you already have in your hands!

From that you know in minutes what your vulnerabilities are, gaps in the controls you need to meet, and how many open items you have on your POAM.

Better yet: you can do this manually through the web interface or you can use the API to do all this in a much more automated fashion.

Additional Items to use

You also can add in these things listed below to get standardized and move even faster across all your System Packages / ATOs / Accreditations:

  • Compliance Statements
  • Mitigation Statements
  • Milestones / Events
  • Evidence (PDF, XLSX, DOCX, PPTX, JPG, PNG, etc.)

Your compliance statements fill in your compliance gaps on controls for Access Control, Incidence Response, Program Management and more. So if you add/upload that list, you can then regenerate your compliance. Now you have an updated snapshot on controls and subcontrols to see where you stand.

You can even compare that to the last compliance snapshot and start to see trends over time.

Mitigation statements you can drop into your POAM items to standardize them as well. Do the same with your milestones.

Bulk Operations on Your Data

To track vulnerabilities across all your checklists you can do a Bulk Edit Vulnerabilities operation and set status, details, comments, and override information the same way across hundreds of vulnerability items in seconds.

Search by checklist / scan type, vulnerability number, status or severity to filter down what you need to edit.

Set the new information, and instantly you have several things happen:

  • all checklist data is updated and set
  • reporting data is refreshed for quick searches and answering data calls
  • historical data is saved for configuration management
  • new total vulnerability numbers by type and severity are generated
  • your total System Package vulnerability numbers are updated
  • your POAM is automatically updated for the status of vulnerabilities linked in — or POAM items created because you set some to Open
  • POAM item history is also saved for configuration management

You can do Bulk Edits on POAM items as well to set the severity, likelihood, scheduled completion date, risk and more as well. All within minutes to see exactly where you and your team are based on compliance requirements.

See For Yourself

Evaluate OpenRMF Professional for yourself and see how it helps you and your team perform better, structured RMF processes. And track the where, who, why, how, and history behinds your RMF package evolution.

You can achieve a faster ATO through automation. With consistent, repeatable results. Using the same team. With a LOT LESS stress on them! And letting your cyber engineers be engineers, not cyber administrators and documentation specialists.

You can download a prebuilt OVA to quickly stand up a virtual machine on your computer or network. Or you can download the installation and set it up yourself on your own equipment.

We give you a 30-day license that fully unlocks the power of OpenRMF Professional. Check out our documentation, blogs, YT videos or even schedule a demo or quick conversation on your use cases and questions.

You have nothing to lose and everything to gain! Time is one of our most valuable resources. As are the people on your team. Get them the solution they need.

Get them OpenRMF Professional.



Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft