Below you will find a list of our products and features comparing the Open Source and Professional versions.
Request an Evaluation License to test this locally yourself, or Contact Us with your number of system packages to track, operating system, and number of installations so we can get you a price quote quickly.

| Feature | OpenRMF® OSS | OpenRMF® Professional |
|---|---|---|
| System Packages / ATOs | ||
| Role Based Access Control by System Package | ||
| Track RMF System Packages | ||
| Track FedRAMP System Packages | ||
| Track CMMC System Packages | ||
| Track CSF System Packages | ||
| Track StateRAMP™ System Packages | ||
| Track Custom NIST 800-53 rev 5 Controls System Packages | ||
| Track Additional Cyber Compliance Frameworks (HIPAA, SOC 2, HITRUST, custom) | ||
| Upload SCAP Scans (DISA, Nessus, OpenSCAP) and Checklists | ||
| Upload HBSS SCAP Scans | ||
| Upload Rapid7 Nexpose SCAP Scans | ||
| Upload Audit Compliance Scans (DISA Benchmark) | ||
| Upload Audit Compliance Scans (CIS Benchmark) | ||
| Upload RapidFort Image Benchmark Scan *.json | ||
| Upload Tanium SCAP Scan *.csv | ||
| Upload Nessus Credentialed Patch Vulnerability Format | ||
| Upload Nessus Uncredentialed Patch Vulnerability Format | ||
| Upload Rapid7 Patch Vulnerability Format | ||
| Upload Universal Patch Vulnerability Format | ||
| Create Checklists from Templates Easily | ||
| Import Audit Compliance Scans Directly (API Integration) | ||
| Milestone Management | ||
| Automatically Track POAM Changes | ||
| Team Notifications | ||
| Automated Cyber Compliance (CCRI) | ||
| Evidence / Document Management | ||
| Test Plan Summary | * | |
| Bulk Edit Vulnerabilities | ||
| Bulk Lock Vulnerabilities | ||
| Bulk Upgrades | ||
| Bulk Edit Checklists | ||
| Bulk Tag Checklists | ||
| System Package Preferences | ||
| System Package Journal | ||
| PowerPoint Summary Download | ||
| Compliance Generation | ||
| Compliance Statements | ||
| Compliance Generation (Major Controls) | ||
| Compliance Generation (to Sub-Control Level) | ||
| Compliance Status Report to the CCI Level | ||
| Track Compliance Score Trends by NIST Control Family | ||
| Tailored NIST Controls | ||
| Compliance Overlays | ||
| Inheritance / Common Controls | ||
| System Security Plan Control Vulnerability Matrix | ||
| Team Subpackages | ||
| Group Checklists into Teams for viewing / editing | ||
| Group Hardware Devices into Teams for viewing / editing | ||
| Upload Patch Scans (*.nessus) for allowed Hardware Devices | ||
| Update Checklists / Upload SCAP scans for allowed Checklists | ||
| Bulk Edit Vulnerabilities | ||
| Checklists | ||
| Upload SCAP Scans (DISA, Nessus, OpenSCAP) and Checklists | ||
| Upload HBSS SCAP Scans | ||
| Upload Rapid7 Nexpose SCAP Scans | ||
| Upload Audit Compliance Scans (DISA Benchmark) | ||
| Upload Audit Compliance Scans (CIS Benchmark) | ||
| Upload RapidFort Image Benchmark Scan *.json | ||
| Edit / Upgrade Checklist | ||
| Support Newer CKLB Format | ||
| Download / Export Checklists | ||
| Checklist Applicability Wizard | ||
| Track Checklist Changes | ||
| Track Checklist Item Numbers over Time | ||
| Specify Non-Host-Related Checklist | ||
| Add Tags for Listing and Filtering | ||
| Download / Export Historical Checklists | ||
| Patch / Device Management | ||
| Upload Single Nessus/ACAS Patch File (16MB Max) | ||
| Upload Multiple Nessus/ACAS Patch Files | ||
| Upload Multiple Rapid7 Nexpose Full Audit Files | ||
| Track Patch Vulnerabilities | ||
| Track Open Patch Vulnerability Numbers over Time | ||
| Ports, Protocols, Services Management | ||
| Automated Hardware Listing | ||
| Add Hardware/Device Tags for Listing and Filtering | ||
| Automated Software Listing | ||
| Missing Checklist Wizard | ||
| Device Profiles for ports, protocols, services allowed on devices | ||
| Allowed ports, protocols, services listing | ||
| Support Uncredentialed Scans | ||
| Other Vulnerability Management | ||
| Upload Trivy JSON Container Scan Results | ||
| Upload Grype JSON Container Scan Results | ||
| Upload Amazon ECR JSON Container Scan Results | ||
| Upload RapidFort JSON Container Scan Results | ||
| Upload JFrog CLI JSON Container Scan Results | ||
| Upload Burp Software Scan XML Scan Results | ||
| Upload General Format Software, Container, Log or other Vulnerability Data | ||
| Import Fortify and SonarQube SAST Results Directly | ||
| Track Vulnerabilities | ||
| Track Vulnerability Score Over Time by Category, Source and Project | ||
| POAM | ||
| Automated POAM List and Tracking | ||
| POAM Bulk Edit | ||
| POAM Milestone Management | ||
| POAM Mitigation Statement Management | ||
| POAM eMASS Format Export | * | |
| POAM MCCAST Format Export | ||
| POAM General Format Export | ||
| Templates | ||
| Upload new DISA Checklists | ||
| Templating Engine for Checklists | ||
| Automatically Create CIS-based Checklist Templates | ||
| Custom Checklist Template Creation and Tracking | ||
| Boilerplate Checklist Templates Entries for All | ||
| Boilerplate Checklist Templates Entries for a System Package | ||
| Lock Vulnerabilities from Edits in Templates | ||
| Specify Non-Host-Related Template | ||
| Authentication | ||
| Login via Username / Password | ||
| Login via CAC, PIV, ECA or client certificate | ||
| Login via Windows Active Directory or LDAP | ||
| Login via OIDC | ||
| Login via Google Workspace or Equivalent | ||
| Video Training | ||
| Included Video on Demand User Training | **** | |
| Included Video on Demand Administrator Training | **** | |
| General | ||
| Setup via Docker, Podman or Kubernetes | ||
| OVA (Virtual Machine) images | ||
| API for Integration and Automation | ||
| Auditing | ** | |
| Support | *** | |
| Integrated Logging | ||
| Full Text Searching Data Source | ||
| White Labeling for title, logo, footer | ||
| Custom Themes for look-and-feel | ||
| Licensing | ||

\* Export to MS Excel only

\*\* Auditing of create, update, delete only; not read access

\*\*\* Support is only by Slack, GitHub, Email as time is available

\*\*\*\* Pricing per student