Frequently Asked Questions

Below you will find common questions and answers about our software products and services, both open source and commercially developed and supported.

Getting Started

OpenRMF® is a web-based Cyber Compliance Automation and Collaboration software suite to allow you and your teams to track your cyber compliance via Risk Management Framework (RMF), Federal Risk and Authorization Management Program (FedRAMP) and other cyber compliance frameworks. It allows adding STIG checklists, patch scan data, audit compliance scans, SCAP scans and other vulnerability data from systems such as software and containers scanners into a collaborative environment to track and act on that data. You can do this on your own network, VPC, workstation, laptop, and even a disconnected network easily and efficiently.

OpenRMF® replaces a lot of manual file updates and manipulation and manual tracking of open vulnerability items into a single source-of-truth web application. And it automatically tracks POAM and Compliance Generation across system packages.

Integrate your processes and procedures with our API and you can move toward a more continuous monitoring and automated way to track your Cyber Compliance needs!

OpenRMF® enables automated cyber compliance at scale!

OpenRMF® is for "C" level company executives, government CIOs and CSOs, directors, division heads, branch managers, cyber analysts, administrators, developers, testers, and third-party as well as government assessors for ATO compliance checking.

It is also for any person or group that performs Continuous Monitoring or has to edit STIG Checklists for their application, server, device, or component in a larger System ATO Package or equivalent process for their organization or agency.

OpenRMF® was designed with U.S. DoD and Federal Government agencies in mind. However, we have seen interest from international governments, and commercial organizations use this software as well to keep their systems secure and cyber compliant at a NIST, DoD, or Federal Government level just the same. And with the DISA SCAP Scanner open sourced to allow groups to scan for known vulnerabilities in their software and operating systems, it is even more widely used.

Currently there are 2 versions. OpenRMF® Professional is designed for larger teams, companies, large organizations, and government agencies who want more fidelity on their data and more automation around compliance and RMF. This version has a license and is a paid version with updates, support, and more features.

There is also the OpenRMF® OSS open source version, which is available for free and is primarily for smaller project teams or single system package ATOs being tracked.

You can go to https://www.openrmf.io/ to learn more on the open source version, and see links to the GitHub codebase, Slack channel, and other documentation.

You can contact us on the Demo Request page to schedule an online live demonstration for you and your group at a time that is convenient.

OpenRMF® Professional has an online demonstration at https://demo.openrmfpro.com/. You can sign up there for a free read-only account and see it in action right now.

OpenRMF® OSS has an online demonstration at https://demo.openrmf.io/. You can sign up there for a free read-only account and see it in action. You also can download OpenRMF® OSS components for free and install them locally to run.

For OpenRMF® Professional, you can contact us to figure out licensing. And then you need access to download one of the installs for your setup. You also can use the button at the top to request an evaluation license and download the software to try for yourself just as easily.

For OpenRMF® OSS you can go to the https://www.openrmf.io/ website and sign up for the Slack channel, then go to the Code link and download the code to run locally. Follow the online documentation instructions to get started quickly.

OpenRMF® is NOT designed as a Software as a Service (SaaS) provided by Soteria Software. It is software that can be installed at your discretion on an on-premise server or servers, cloud-based virtual server (we recommend a private virtual cloud setup), or even on a local laptop. This goes for both the OpenRMF® Professional software or the open source version.

That said, you could use this as your own SaaS hosted in your data center, private cloud, or local network that lets you track RMF and FedRAMP cyber compliance across your entire portfolio of products, projects, and infrastructure programs.

Absolutely! Yes, this can be run on a totally disconnected network. You will need another computer, not on that network, to download the software application services and containers. And you must have software such as Docker and Docker-Compose (Community Edition is fine) or equivalent on your disconnected computer network on at least one machine to run OpenRMF®. This goes for OpenRMF® Professional as well as OpenRMF® OSS.

There is an additional step of copying off the software onto a medium you can use to transport it to the disconnected network. This would be the same for any software updates, operating system updates, or patches that network requires for other software outside of OpenRMF®. This process is scripted and documented to allow disconnected installation of OpenRMF® on your isolated network or computer.

Well over half of our customers and those evaluating our software right now are set up in this exact way. We designed it from day 1 to be run like this on purpose.

OpenRMF® Professional has been tested on Windows 2016 Server, Windows 2019 Server, Windows 10, Mac OS X, Red Hat Linux 7.9 and 8.0, as well as Ubuntu 18 and 20 LTS. It also will run on CentOS 7.9. Any operating system that can run Docker and Docker Compose, or Podman and Podman-Compose, should work.

We also have customers that have installed this on AWS EC2 instances directly running the Amazon Linux and other operating systems. Since the application components are run within software container images, any of the operating systems that can run tools like Docker, Docker Compose and Docker Desktop will work.

In the Kubernetes installation (not Docker and Docker Compose) of OpenRMF® we have seen this run on AWS EKS with Kubernetes 1.16 or higher, minikube, as well as OpenShift 3.11. We are currently testing on GKE, Azure AKS, and OpenShift 4.5 to ensure any assumptions of those platforms allow OpenRMF® to work correctly.

If you are running Windows 2016, 2019, or 2022 server, you need Mirantis Kubernetes to run Linux containers on Windows server OS. Docker Desktop will not work on the server products. And running Linux Containers requires Mirantis Kubernetes.

OpenRMF® Professional

There are major features of the Professional version that stand out. The Multi-Tenancy and Role Based Access Control by System Package, Data Revision saving as you change and upload STIG Checklists, merging of Patch Scan Vulnerability data, and online Editing and Automation of the POAM are the ones that most people are excited for with OpenRMF® Professional. There are also several additional reports available in this version. And OpenRMF® Professional tracks RMF as well as FedRAMP level compliance for you and your team.

Additionally you can track compliance and tailoring down to the NIST sub-control level (not just major controls), apply overlays, and track milestone events. And with the latest version, you can also import Nessus data directly and link to task management systems (Jira, ServiceNow, etc.) to track tasks and issues for work to do with your data.

You can see a full list of features at the OpenRMF® Professional page as well as the Feature page.

You can also group subsets of checklists and/or hardware devices into Team Subpackages. The Team Subpackage has its own group permissions to allow individuals or teams to view and edit their data and only their data. And it segments other checklists and/or hardware from being seen or edited by the team. It also hides the POAM and Compliance information as well. The automation built into OpenRMF® Professional for linking in the POAM items based on checklists and scans as well as compliance generation still works for those with access to the larger System Package.

OpenRMF® Professional is licensed by two things only:

  1. the number of installations of the server-based product
  2. active System Packages*

That is it! You have unlimited users, CPU, memory, RAM, uploads, devices, downloads, API calls, etc.

It comes with a license for 5 active system packages / ATOs to track, and additional 5-packs of licenses can be purchased as well. All licenses are generated for a year by default. However, licenses for less than a year as well as multi-year licenses can be purchased. We also have multi-install and volume pricing options.

* - For the license one System Package is defined as a collection of all checklists, servers, switches, applications to be a part of an accreditation/ATO package. You could think of it as one system package = one ATO package. Licenses cover active System Packages. You can mark a System Package as read-only and that does not count against your license.

This software follows a microservices design, with RESTful APIs using .NET Core message services using Synadia NATS and .NET Core APIs as well. Other components include MongoDB, Elasticsearch, Logstash, Kibana, Prometheus, Grafana, and Keycloak.

Currently the installation runs under Docker/Docker Compose, Podman/Podman-Compose, or another OCI-compliant container engine, as well as under a Kubernetes configuration. We also have pre-built OVA files for Ubuntu workstation and Red Hat Linux server console to quickly get up to speed on OpenRMF® Professional as well.

Yes. We have a Navy DADMS ID #141351 and all 5 major DoD commands have this running on networks. We also have several US Federal Government groups as well as contractor and commercial companies running this software right now.

Yes. You can configure this application to match client certificates such as CAC, PIV, and ECA certificates. The Common Access Card (CAC) is a common login use. We have documented procedures on how to configure this successfully for HTTPS and CAC to match the user on the certificate to a user in the application. Upon successful login, they pull the proper roles and permissions from the application and start using OpenRMF® Professional.

Yes. You can configure the authentication to pull from Windows AD or another LDAP tool to setup your user accounts. Use rules, synchronization, and regular expressions to pull in the correct groups of users. Upon successful login, they pull the proper roles and permissions from the application and start using OpenRMF® Professional.

OpenRMF® Professional is NOT a scanner. We take input from the scanners mentioned below to create checklists and update them to generate compliance. We also take input from scanners below for patch vulnerability management as well as software, hardware, and PPSM listings.

You can check out our Whitepapers and Product Sheets for more information on the types of data.

OpenRMF® Professional can use SCAP results from the following software:

  • DISA SCC
  • Evaluate-STIG
  • Tenable Nessus (or ACAS) SCAP
  • OpenSCAP
  • Rapid7 Nexpose SCAP
  • Audit Compliance scan results (.nessus) from Nessus / ACAS for CIS and DISA benchmarks

For patch vulnerabilities, list of software and hardware, and ports, protocols and services it can use the following as well:

  • Tenable Nessus (or ACAS) Patch Vulnerability Scan
  • Rapid7 Nexpose Full Audit w/o Web Spider

For other types of vulnerabilities, it can use the following as well:

  • Trivy Image scanner
  • Grype Image scanner
  • Amazon ECR Image scanner
  • JFrog CLI Image scanner

Yes. You can contact us for your specific needs as far as the number of installs, time period on the licenses, and the number of active system packages (i.e. ATOs) you wish to track. We will work with you to discount volume purchasing so it makes sense for all involved.

Yes, we do. First, we have a value added reseller (VAR) program. The VAR handles all tier 1 and tier 2 helpdesk calls, questions, and tickets for their customers.

We also have a Sales Channel Partner program for sales-only reselling to agencies and through a company's approved contract vehicles.

Contact Us for more detailed information on our reseller programs.

No, this is not intended to replace software tools like eMASS that US and foreign federal government agencies use. OpenRMF® Professional complements those tools by allowing teams focused on approvals and ATOs to track the checklists, patches, and other information as a team. This is done before any final program of record receives the final artifacts and information. That way team members who have the responsibilities can have access to OpenRMF® Professional to update their own specific data with roles and permissions just for their specific view.

In OpenRMF® Professional your whole team can have access to do their part, whereas the government-based products like eMASS are for a very limited set of users on final steps and approvals.

It gives you the single source-of-truth for all that data and reporting to track it, edit it, and get it correctly representing your system package. And it helps you track the work required to put your software, network, device, and system packages in a position to obtain approval from those tools like eMASS.

OpenRMF® Professional also lets you track trends, show work done to reduce risk and tighten cybersecurity, and gives confidence to assessors and validators that you are performing your job as you should. Showing due diligence in securing systems and software, as well as creating policies and procedures for lessening risk can be shown through this tool over time to "tell the story" of the team to get to a lower risk for authority to operate, to connect or to test as desired.

DISA comes out at least quarterly with updated checklists that may contain new vulnerability listings, remove older ones, or just have updated guidance and wording around existing ones. With that, you usually have to have the latest version and release of a checklist when you go for accreditation, assessment, or update government tools such as eMASS with your latest information. That is a process you cannot skip.

To that end, we are on the email listings on the updates that are quarterly as well as ad-hoc and within a couple days download the latest XCCDF manual XML format files. We load them into our application, test them for creating and upgrading checklists, and then include them in a minor revision update to our Template API container image. This image is pushed out to our hosted private container registry and all users are notified of the updated version and files to update in order to pull the latest upgraded checklists. We do this to ensure that the latest checklist upgrades have not changed structure and work within the OpenRMF® Professional suite of tools.

For the PKI-only checklists that DISA releases, we DO NOT include those automatically into our software distribution.

In the Professional version, we do allow an application administrator to upload the "xxxxxxxxxx_Manual-xccdf.xml" files into OpenRMF® so those checklists and templates are available to you and your team. So as we update the public checklists, you and your team can make sure the PKI-only checklist updates are added as well.

Yes, it can work with Office 365 for authentication of users. Please Contact Us for more information regarding that and we can put you in touch with people that can help you.

Yes, we do. First, we have video on demand training for Users and Administrators, as well as a group of scenario videos to show how to use multiple features for different scenarios.

We also have live virtual User Training as well as Administrator Training for OpenRMF® Professional features, usage, scenarios, including labs. Please Contact Us for more information on training your staff and users for OpenRMF® Professional.

For larger implementations, groups, or on-site consulting we also can do live training in a lab type environment. Please Contact Us for more information.

Yes, we do. Go to OpenRMF® Professional Automation Examples to see scripts and other code to showcase this. We are adding more here all the time, including future Grafana JSON data source dashboards as well as custom dashboard examples for integration efforts.

Yes, you can download the 100% full software suite for OpenRMF® Professional and we will generate an Evaluation License for you. This is the full software, so when you are ready to purchase a real license you can use the same evaluation you setup with your data to continue where you left off!

Go to the Evaluation License Form to request a copy of OpenRMF® Professional and an Evaluation license for 30 days.

OpenRMF® OSS

The open source version lets you add a system package, which is a collection of servers, devices, checklists, patch scans, etc. It equates to an ATO. OpenRMF® OSS allows you to have multiple system packages, checklists per system package to track and edit, and lets you upload 1 .nessus patch file to associate with the system package. It is basically for smaller groups of people who do not want to edit the POAM online and do not need multi-tenancy or tracking of score trends on patches and system packages over time.

This version is for people who want to try out OpenRMF® to see what it does, and for small teams or individuals who are only managing one ATO or at most two and have a small number of hosts and devices to track. They also can get away with using 1 .nessus scan data file as the listing of devices is not too large. It is still powerful enough to save you time, money and frustration in automating collection, reporting, display and actions relating to RMF data.

You need a computer with Docker and Docker Compose or Podman and Podman-Compose on it. And you need access to either a) pull the container images off DockerHub.com directly or b) pull them down on another computer, save them off as files, and load them onto your computer running Docker that will launch OpenRMF®. Alternatively, you can use the included Helm chart for Kubernetes 1.15 or higher.
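The disconnected-network procedure described above (and in the Getting Started answer on isolated networks) boils down to three steps: pull the container images on a connected machine, save them to files for transport, and load them on the isolated machine. The script below is an added example and is not part of the OpenRMF® project's own install scripts; the image names in it are placeholders, and the real names come from the project's Docker Compose file and documentation. It assumes Docker and GNU coreutils (sha256sum) on both sides and adds the check a practitioner wants when moving files across an air gap: a SHA256 manifest written on the connected side and verified on the disconnected side before anything is loaded.

```shell
#!/usr/bin/env bash
# Added example: transport container images to a disconnected network with
# integrity checking. Not from the OpenRMF project; image names are placeholders.
set -euo pipefail

# Connected side: pull each image, save it as a tar, and append its SHA256 to a
# manifest that travels with the bundle.
save_images() {
  local outdir="$1"; shift
  mkdir -p "$outdir"
  : > "$outdir/SHA256SUMS"
  local image file
  for image in "$@"; do
    file="$(echo "$image" | tr '/:' '__').tar"
    docker pull "$image"
    docker save "$image" -o "$outdir/$file"
    (cd "$outdir" && sha256sum "$file" >> SHA256SUMS)
  done
}

# Disconnected side: every tar must match the manifest; a modified, truncated,
# or missing file makes sha256sum exit non-zero and the function fail.
verify_bundle() {
  local dir="$1"
  (cd "$dir" && sha256sum --check --strict SHA256SUMS)
}

# Only load images after the bundle verifies.
load_images() {
  local dir="$1"
  verify_bundle "$dir"
  local file
  for file in "$dir"/*.tar; do
    docker load -i "$file"
  done
}

# Usage on the connected machine (placeholder image names, not real ones):
#   save_images ./bundle registry.example.com/placeholder/api:1.0 \
#                        registry.example.com/placeholder/web:1.0
# Copy ./bundle (including SHA256SUMS) to removable media, then on the
# disconnected machine:
#   load_images ./bundle
```

Keep the manifest's hashes somewhere other than the media itself (for example, recorded in the change ticket) so that the verification on the isolated side checks against values that did not travel with the files. The same pattern applies to the Podman equivalents (podman pull/save/load).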

Indirectly, yes we do. It is done via GitHub issues, the OpenRMF® Slack channel (linked off the https://www.openrmf.io/ website), email, and community support. There is not a "helpdesk" email or phone number per se in the truest sense of the word support. But there is support that is active in the community in various ways.