OpenRMF® Professional

Cyber Compliance Automation and Collaboration
for professionals, teams, organizations, and agencies


Do The Work. Automate The Paperwork!
OpenRMF Professional System Package Listing

OpenRMF® Professional is for...

CEO, CIO, CSO, Directors

View all ATOs and accreditation packages across your entire portfolio in seconds

Cyber Analyst Professionals

See active compliance status, open vulnerabilities, POAM and trends easily

Assessors

Quickly see compliance status, open items, risk, and continuous monitoring activity

Program Managers

Gain insight into your ATOs, vulnerabilities and POAM updates directly in seconds

Administrators

Upload scans, track open items, watch trends, and report on your devices quickly

Project Analysts

Get POAM status updates and vulnerability updates via notifications, and run reports

Major Organizations using OpenRMF® Professional today

A better way to do Risk Management Framework, FedRAMP and Cyber Compliance!

Multi-Tenant System Packages Approach to track all checklists, scans, and vulnerability data for your entire team with proper permissions and roles

Automatically generate SSP, SAR, RAR, POAM and other documentation, including a PPTX summary slide deck for your system package in seconds

Upload SCAP or Audit Compliance scans (DISA or CIS benchmark) and automatically create Checklists, or upload Checklists directly

A living, breathing POAM is automatically updated and linked to checklists, scans, and other vulnerabilities that caused a POAM entry

Automatically track checklist Score (# of vulnerabilities by severity and status) per checklist, system package, and the history of changes

Create custom checklists for manual processes, procedures, and documentation as well as IT products

Use DISA, Tenable Nessus / ACAS, OpenSCAP, Rapid7 Nexpose SCAP, HBSS SCAP or Tanium SCAP CSV results for checklist vulnerabilities.

Add Compliance Statements per Control / CCI to supply the detail required for full compliance generation

Automatically track host scan/patch Score (# of vulnerabilities by severity and status) per checklist, system package, and the history of changes

Generate Compliance across all checklists, statements, vulnerabilities, CCI items matched to your NIST / RMF controls and subcontrols with the click of a button

Use Tenable Nessus / ACAS Patch Vulnerability or Rapid7 Nexpose Full Audit scan for patch vulnerabilities.

Team Subpackages allow you to group checklists and hardware devices into smaller teams -- they only see and edit that data, nothing else

Automatically track other Vulnerability Scores from software scans (e.g. Fortify or SonarQube), container scans, log scans, or other scans

Track all history and changes of checklist and scan data

Data Reports to view data from the lens of vulnerabilities, checklists, system package, controls, activity or tracking trends

API to allow integration, automation of data upload and download, as well as linking to external processes to track cyber compliance from the start

Audit, Logging, and Metrics to track changes, performance, errors, and usage of the software

Use on your IT resources locally, disconnected, in a virtual private cloud, or even a laptop as you see fit

Export proper Checklist (CKL) files individually or download multiple as a ZIP for submission to your system of record

Generate and export your POAM, SSP, SAR, RAR and CCRI to an MS Excel spreadsheet for your government or corporate system of record

US Navy DADMS Approved #134221

In use at a major US Army Command as well as Space Force, USMC and other federal agencies

US Air Force Certificate to Field as of May 2021

Can use anywhere you need to comply with NIST 800-53 controls

Manage all System Package data

Track all STIG Checklists, Patch Vulnerabilities, Software and Hardware, PPSM, Tailoring, Overlays, CCRI, reporting and more from a single web-based application. Built in history, configuration management, and trends show you where you were, where you are, and where you need to go.

Use Team Subpackages to limit access to areas of your entire accreditation package. Export your artifacts for uploading into your program of record.


System Package Record


System Checklists

Single Source of Truth for all Checklists

OpenRMF® Professional gives you a single definitive source-of-truth for all DISA, CIS, and Custom Checklists across your entire system package. We read in raw SCAP scan results, CKL checklist files, Tanium CSV SCAP results and track your checklists from there.

Track your vulnerability counts automatically at all levels. And bulk lock, bulk edit, and generate compliance with a couple clicks.
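The checklist "Score" described above is a count of VULN entries by severity and status. The following is an added example of how such a score can be computed from a STIG Viewer CKL file; it is not OpenRMF® Professional's own code, and the page does not show how the product itself scores checklists. It assumes the standard CKL XML layout (each VULN holds STIG_DATA name/value pairs, a STATUS, and an optional SEVERITY_OVERRIDE) and uses a constructed five-finding checklist as input. The one edge case it handles deliberately is the severity override, which a naive count that only reads the STIG's own Severity attribute would miss.

```python
"""Score a DISA STIG checklist (.ckl) by severity and status.

Added example, not OpenRMF Professional's code. Assumes the STIG Viewer CKL
layout: each <VULN> holds <STIG_DATA> name/value pairs (VULN_ATTRIBUTE /
ATTRIBUTE_DATA), a <STATUS>, and an optional <SEVERITY_OVERRIDE>.
"""
from collections import Counter
import xml.etree.ElementTree as ET

# CKL status and severity vocabularies as written by STIG Viewer.
STATUSES = ("Open", "NotAFinding", "Not_Applicable", "Not_Reviewed")
SEVERITIES = ("high", "medium", "low")


def _vuln(vid, severity, status, override=""):
    """Build one <VULN> element for the constructed sample checklist."""
    return f"""<VULN>
  <STIG_DATA><VULN_ATTRIBUTE>Vuln_Num</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{vid}</ATTRIBUTE_DATA></STIG_DATA>
  <STIG_DATA><VULN_ATTRIBUTE>Severity</VULN_ATTRIBUTE><ATTRIBUTE_DATA>{severity}</ATTRIBUTE_DATA></STIG_DATA>
  <STATUS>{status}</STATUS>
  <SEVERITY_OVERRIDE>{override}</SEVERITY_OVERRIDE>
</VULN>"""


# Constructed sample checklist (not a real STIG): five findings, one of which
# carries a severity override from medium up to high.
SAMPLE_CKL = (
    "<CHECKLIST><ASSET><HOST_NAME>web01</HOST_NAME></ASSET><STIGS><iSTIG>"
    + _vuln("V-000001", "high", "Open")
    + _vuln("V-000002", "medium", "Open", override="high")
    + _vuln("V-000003", "low", "NotAFinding")
    + _vuln("V-000004", "medium", "Not_Reviewed")
    + _vuln("V-000005", "high", "Not_Applicable")
    + "</iSTIG></STIGS></CHECKLIST>"
)


def stig_attribute(vuln, name):
    """Return the ATTRIBUTE_DATA whose VULN_ATTRIBUTE equals `name`, or ""."""
    for data in vuln.findall("STIG_DATA"):
        if (data.findtext("VULN_ATTRIBUTE") or "").strip() == name:
            return (data.findtext("ATTRIBUTE_DATA") or "").strip()
    return ""


def effective_severity(vuln):
    """Severity after applying a non-empty SEVERITY_OVERRIDE, lower-cased."""
    override = (vuln.findtext("SEVERITY_OVERRIDE") or "").strip().lower()
    return override or stig_attribute(vuln, "Severity").lower()


def score_checklist(ckl_xml):
    """Count VULN entries by status and effective severity.

    Returns {status: Counter({severity: n})}. Unknown statuses or severities
    raise rather than being silently dropped, so a malformed upload cannot
    make a checklist look cleaner than it is.
    """
    # Checklists are uploaded files: in a service, parse them with defusedxml
    # (or an equivalently hardened parser) instead of the stdlib directly.
    root = ET.fromstring(ckl_xml)
    counts = {status: Counter() for status in STATUSES}
    for vuln in root.iter("VULN"):
        status = (vuln.findtext("STATUS") or "").strip()
        severity = effective_severity(vuln)
        vid = stig_attribute(vuln, "Vuln_Num")
        if status not in counts:
            raise ValueError(f"{vid}: unknown STATUS {status!r}")
        if severity not in SEVERITIES:
            raise ValueError(f"{vid}: unknown severity {severity!r}")
        counts[status][severity] += 1
    return counts


def open_by_severity(counts):
    """Flatten the Open row into the high/medium/low triple most reports show."""
    return {sev: counts["Open"][sev] for sev in SEVERITIES}


if __name__ == "__main__":
    score = score_checklist(SAMPLE_CKL)
    for status in STATUSES:
        print(status, dict(score[status]))
    print("open:", open_by_severity(score))
```

Running the block on the constructed checklist yields two Open/high findings (one of them only because of the override), one NotAFinding/low, one Not_Reviewed/medium and one Not_Applicable/high. Tracking the same counts per checklist over successive uploads is what produces the score history the page describes.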

Interact with a Live POAM

Remove the manual, cumbersome, error-prone editing of your POAM status on vulnerabilities and open items. Let OpenRMF® Professional automate that work for you!

With bi-directional traceability, you can add and update entries automatically based on your latest scans, edits, compliance statements and inherited controls. Export to a proper POAM XLSX file for your program of record.


System Package POAM


System Package Compliance

Generate RMF, FedRAMP, StateRAMP or a Custom Cyber Compliance with Tailoring and Overlays

OpenRMF® Professional allows you to generate compliance based on all your DISA, CIS, and Custom Checklists against your RMF level, your FedRAMP or StateRAMP level, a custom level, or your tailored list of controls.

Add overlays on top of that list of controls to see a true compliance listing in seconds. Dive into checklists and compliance statements filtered by your control listing.

Track Progress, Trends, and History of Compliance

See historical charts of your entire system package compliance, checklists, and vulnerability numbers over time. See trends of compliance percentage by NIST control family or subcontrol as well.

Export charts to JPG for use in reports and updates. Automate for continuous monitoring made easy!


System Scores History


Checklist Scores


System Package Patch Servers


System Package Patch Scores

Track Progress, Trends, and History of Patch Vulnerabilities

Upload your Tenable Nessus, Rapid7 Nexpose or custom patch vulnerability results easily. Track your trends, open vulnerabilities, and devices for updates and compliance over time.

Export chart JPG or Excel listings for reporting, tasking, submission. Automate for continuous monitoring made easy!

See Vulnerability data from other types of scans

Import or Upload other vulnerability data from software scans, container scans, log scans, infrastructure as code scans, or other types of scans to view other vulnerabilities as well. Track trends of vulnerability data for other areas just like compliance and patches.

Export chart JPG or Excel listings for reporting, tasking, submission. Automate for continuous monitoring made easy!


System Package Other Vulnerabilities


System Package Other Vulnerability Score

Track other vulnerability data all in one spot

OpenRMF® Professional now includes a way to import, upload, or post (via API) other vulnerability data for your system package. Whether it's from Fortify or SonarQube static scans, container scans, or other types of scans, you can easily import or upload data to track those vulnerabilities and their score within your larger system package.

Combined with our API, you can also plug this into a DevSecOps process or an even larger integration with your Software Factory to incorporate all scans and vulnerability data, enabling tracking, gated deployment/delivery and other pipeline features for your automation.

Automated Ports, Protocols, and Services Management

Automatically pull PPS data from your patch vulnerability scans across all devices. Upload additional listings for those items that cannot be scanned. Easily enhance this data by specifying any boundaries they cross for reporting, tracking, data calls, and identifying your security posture.



System Package Scores History


System Patch Servers

Automated Hardware and Software Listings

Automatically track hardware devices from compliance scans and patch scans. Upload additional devices and data to enhance this listing from other asset management sources.

Automatically pull software listings from your patch scans as well, and upload additional software and data from other sources to enhance this listing.

Team Notifications across System Packages

Receive notifications on updated checklists, uploaded patch scans, hardware and software listings, as well as changes in ports, protocols, and services automatically.

Team notifications across the system package are automatically filtered by access to that particular accreditation package or Team Subpackage.


Notifications for the Team


Evidence Management

Evidence Management for tracking documentation and file attachments

Upload evidence on policy documents, screenshots, training information and more. Attach evidence to your system package, a POAM entry, a checklist vulnerability entry or even a compliance statement.

Keep track of all evidence and download as required. All in one spot. And all related to your specific system package.

Enhanced Templating Engine for Greater Standardization

Use the DISA Checklists as-is for Templates to start your Checklists, create CIS checklists from .audit files automatically, or create your own organization-wide or System Package based Template with boilerplate entries on manual vulnerability checks.

Lock vulnerabilities so standard answers are already included.


Template Listing Checklists



Application Settings

Advanced Settings, Auditing, and Banner

User Theme settings, Robust Audit Filtering, Banner Settings and Consent/Splash page settings allow more control over the user interface.

Filter the audits you want to concentrate on by component, user, timeframe, and more.