OpenRMF® Professional

Cyber Compliance Automation and Collaboration
for professionals, teams, organizations, and agencies

Request an Evaluation License to test this locally yourself

(Screenshot: OpenRMF Professional Listing)

OpenRMF® Professional is used by Executives, Cyber Professionals, Program Managers, Analysts, and Administrators.

CEO, CIO, CSO, Directors

Gain access to all System ATO Packages, patch vulnerabilities, and POAM updates directly, in seconds, without distracting your managers

Cyber Analyst Professionals

See the status of POAM items, STIG Checklist vulnerabilities, Patch Vulnerabilities, and system package score trends with a couple of clicks

Quickly see Vulnerability status and Residual Risk items, download STIG Checklists in a ZIP file, and pinpoint areas of concern within minutes

Program Managers

Gain access to your team's ATOs, patch vulnerabilities, and POAM updates directly, in seconds, without distracting your team

Report on your hosts, devices, and servers quickly; upload the latest SCAP scans; update manual STIG Checklist Vulnerabilities online

Project Analysts

Easily find status updates on POA&M items, STIG Checklist and Patch Vulnerability updates via Notifications, and run Reports quickly

A better way to do Risk Management Framework (RMF), FedRAMP, and Cyber Compliance!

OpenRMF® Professional is designed to help automate many of the manual tasks teams perform when scanning, uploading, tracking, and reporting on STIG Vulnerabilities and Patch Vulnerabilities in their system packages and ATOs (Authorities to Operate).

With the new OpenRMF® Professional API in v2.6 you can automate the ingest of SCAP, Checklist, and Nessus data, and work toward more automated continuous monitoring and a more continuous ATO process!

Save months on the ATO process and drastically reduce your manual reporting and collection efforts across your whole team with a single source of truth for all your Vulnerability, POAM, and Continuous Monitoring needs. OpenRMF® Professional helps you in the RMF and FedRAMP Compliance process in the areas of Implementing Controls, Assessing those Controls, Documenting Results, and the Continuous Monitoring of those devices throughout the life of your ATO.

Welcome to the next revolution in cyber compliance automation and innovation!

Main Highlights

  • Multi-Tenant System Packages Approach
  • Login by CAC/PIV, Windows Active Directory, LDAP, User/Password
  • Role-Based Access by System Package (i.e. ATO)
  • Role-Based Access by Team Subpackage (i.e. subset of checklists and devices within a System Package)
  • Track RMF or FedRAMP system packages
  • Upload SCAP Scans (DISA, Nessus, OpenSCAP) and STIG Checklists
  • OpenRMF® Professional API as of v2.6 allows automating SCAP, Checklists and Nessus data ingest among other things
  • Track Data Revisions of STIG Checklist Updates and Upgrades
  • Bulk Edit and Lock/Unlock Vulnerabilities across multiple checklists
  • STIG Checklist Templates engine for Organizational and System Package checklist boilerplates
  • Custom Template and Checklist Creator
  • Lock/Unlock Vulnerabilities in Checklist Templates
  • Automated and Live POAM Updates
  • Continuous Monitoring for Patch Scans and Vulnerability Tracking
  • Reports by System Package, Checklist, Vulnerability, Device and Control
  • Tailor your Controls for Required Compliance
  • Upgrade your STIG Checklists to the latest version and release
  • Add tags to checklists and/or hardware devices for filtering
  • Improved Auditing for all reads, updates, creations and deletes
  • Integrated Logging and Metrics

Manage System Package data with a Single Application

Track all STIG Checklists, Patch Vulnerabilities, Software and Hardware, PPSM, Tailoring, Overlays, and more from a single web-based application.

  • Store all STIG checklists, convert SCAP Scans into checklists, and version changes automatically
  • Track open Patch Vulnerabilities as well as your open items, at the current time as well as historically through the life of the system package
  • Link your POAM, Test Plan, SSP Control to Vulnerability Matrix as well as Mitigation Statements to your live data
  • Track Milestone Events and download them to set up in your calendar application
  • Apply Compliance Overlays and set up your Tailored NIST Controls down to the sub-control level
  • Keep all your System Package data in one spot, where it is under configuration management and audited for changes and security
  • Download a Summary Presentation (PPTX) from your source of truth in seconds

(Screenshots: System Package Record; System Checklists)

Single Source of Truth for all System Package Checklists

OpenRMF® Professional gives you a single definitive source-of-truth for all STIG Checklists, Patch Vulnerabilities and NIST Controls Compliance across your entire system package.

  • Upload DISA SCAP results, Nessus SCAP results, or OpenSCAP results in XCCDF format to automatically create or update checklists
  • Create or Upload Checklists in the system package easily
  • Track the Checklist Score of each checklist and of the entire system package, including tracking Score History and changes over time
  • Automatically save data revisions on STIG Vulnerabilities or entire Checklists
  • Upgrade Checklists to the latest version and release with the click of a button
  • Bulk Lock/Unlock Vulnerabilities across checklists
  • Bulk Edit Vulnerability information across checklists

Interact with a Live POAM for your System Package

Remove the manual, cumbersome, error-prone editing of your POAM status on vulnerabilities and let OpenRMF® automate that work for you!

  • Entries linked directly to the related Patch Vulnerabilities and STIG Checklist Vulnerabilities
  • Edit POAM live, tracking versions of data you edit
  • Automated updates from updated Patch Scans, Uploaded Checklists, and updated STIG vulnerabilities tied to the POAM
  • Generate a Risk Cube from your POAM Data

The collaborative nature of this software allows teams to quickly track vulnerabilities, assess compliance, and work to lower the risk of system packages that already have an Authority to Operate (ATO), are working to obtain one, or are under proper continuous monitoring across the entire system package.

(Screenshots: System Package POAM; System Package Compliance)

Generate Compliance against your RMF or FedRAMP levels or Tailored listing

OpenRMF® Professional allows you to generate compliance based on your STIG Checklists against your RMF levels, FedRAMP level, or your tailored list of controls. Add overlays on top of that list of controls to see a true compliance listing in seconds.

  • Upload DISA SCAP results, Nessus SCAP results, or OpenSCAP results in XCCDF format to automatically create or update checklists
  • Track Compliance against all your STIG Checklists in your system package easily
  • Create your own overlays and add them to the compliance listing
  • CNSSI and Privacy/PII overlays automatically created for you to use
  • Compliance and overlays also used when generating your SSP Control to Vulnerability Matrix
  • Use Custom Checklists to fill in gaps, document manual and procedural RMF and FedRAMP Information

Track Progress of System Packages and Checklists

See a historical chart by Checklist or by System Package of Vulnerability numbers over time. Track Patch Vulnerabilities over time as well.

  • Each upload of a checklist updates the System Package Vulnerability Score and tracks overall progress
  • Each STIG Checklist update, individual vulnerability update, or upgrade in checklist revision or version updates the individual checklist score
  • The overall System Package Score is recomputed from all of these updates, so you can see trends over time and by date
  • Export Charts to JPG for presentations, monthly reports, or documentation
  • Search and Filter data by timeframe to track at a more detailed level

(Screenshots: System Scores History; Checklist Scores; System Package Patch Servers; System Package Patch Scores)

Combine Patch Scans for Continuous Monitoring

OpenRMF® Professional allows uploading .nessus Patch Scan results and combines them over time to show Patch Vulnerabilities and their trends.

  • Upload Patch Scans over time, allowing groups of servers to be scanned and combined into the larger listing
  • See overall numbers of Patch Vulnerabilities, or by individual server from the scans
  • Track Patch Scan uploads and patch updates by server over the life of your System ATO
  • Export Charts to JPG for presentations, monthly reports, or documentation
  • Search and Filter data by timeframe to track at a more detailed level

Even after obtaining an ATO or interim authority to test, OpenRMF® Professional allows updates on continuous monitoring and tracking for required quarterly or ad-hoc updates on the cyber compliance and risk of your system packages.

Automate Ports, Protocols, and Services Management (PPSM)

From the Patch Scans, you can pull information on all running ports, protocols, and services across all your devices, and automate storing and tracking this information for your whole system package. You can easily enrich this data by specifying any boundaries they cross for reporting, tracking, data calls, and identifying your security posture.

  • Each upload of a patch scan file adds, updates, or removes open PPSM data
  • Track changes to PPSM data as scan data and boundary data change
  • Quickly run reports on port ranges, services, protocols, and boundary crossings across your whole system package

(Screenshots: System Package Scores History; System Patch Servers)

Automated Hardware and Software Listings

Each update of STIG Checklists or Patch Scans automatically tracks the device listing for hardware as well as the software listing found in patch scans. You can track the device by hostname, enrich with other information such as purpose or firmware, and quickly find if that device has a scan or checklist identified.

  • Automatically track devices each time a STIG Checklist is added, updated, or deleted
  • Automatically track devices each time a Patch Scan is uploaded, or a server is deleted from the listing
  • Add firmware information, purpose, definition, and other data on hardware listings
  • Automatically read software listings from Patch Scans and note software on Windows or Linux servers
  • Manually add hardware and software to the listing for tracking all system package data in one place
  • Run reports on patches and vulnerabilities within your system package by server easily

Team Notifications across System Packages

Receive notifications on updated checklists, uploaded patch scans, hardware and software listings, as well as changes in ports, protocols, and services automatically. Team notifications across the system package are automatically filtered by access to that package.

  • Receive information when data changes in the system package quickly
  • Mark notifications "read" to only show the latest changes
  • Filter notifications to find information by hardware, software, POAM, scans and more
  • Only see the notifications you are allowed to see by system package
  • Notification icon in the top right indicates when there are newer notifications
  • Also works for Team Subpackage notifications for the allowed checklists and/or hardware devices

(Screenshots: Notifications for the Team; Template Listing Checklists)

Enhanced Templating Engine for Greater Standardization

Use the DISA Checklists as-is for Templates to start your STIG Checklists, or create your own company-wide or System Package based Template with boilerplate entries for manual vulnerability checks.

  • Search for the most recent DISA Checklists released
  • View Templates online (DISA Templates in OpenRMF® are read-only)
  • Create Custom Checklist Templates for making your own checklists
  • Use Custom Checklists from Templates for manual, documentation, process and procedure related RMF and FedRAMP items
  • Copy Templates to a particular System Package to create STIG Checklist Templates only for that System Package
  • Copy DISA Templates to an Organizational Template in order to edit Vulnerabilities and add boilerplate information for all

Advanced Settings, Auditing, and Banner

User Theme settings, Robust Audit Filtering, Banner Settings and Consent/Splash page settings allow more control over the user interface.

  • Filter auditing by type, action, component, IP, and other data
  • Set up a banner for top and bottom with color and text
  • Fill out Consent text or Warning text shown upon login

(Screenshot: Application Settings)