-square-sm.jpg){kind=icon}
Use our OpenRMF Professional solution for automated cyber compliance. Then brand it and configure it to host your own Automated Cyber Compliance server.
For your company. For your customers. For your business model.
On a VM. On a laptop. On a cloud instance. On premise. Wherever you need it.
Your Plan of Action and Milestones lists all ongoing issues, if they were completed, when they have to be done by, their impact and likelihood, and more.
And it does it on all the types of data you must track for cyber compliance across checklists, patches, scans, statements and more.
Sound like a lot? IT IS!! Which is why you need to automate that to keep the data valid. And get sanity back in your life. This article goes over how.
When we say automating cyber compliance, we mean automating all the tasks around cyber compliance as fully as possible. Hyper automation.
So you have time to study the data, do proper cyber hygiene, and secure your systems. While we track open vulnerabilities, checklists, compliance, your POAM and more.
RMF. FedRAMP. CMMC. CSF. IEC 62443. ISO 27001. HITRUST. Commercial Solutions for Classified (CSfC). Your own custom compliance framework.
Our updated engine in OpenRMF® Professional v2.13 can do it all. And more.
Any Framework. Any Team. Anywhere.
Track against any cyber compliance framework. Expanding bulk editing on POAM. Additional system package preferences for your control.
Same great automation. New features and frameworks. Available now.
We spent a few months rewriting our internal framework engine. Now, along with the NIST 800–53 controls for RMF, FedRAMP, and StateRAMP/GovRAMP you can include any number of additional cyber frameworks.
Compliance is your pre-flight checklist. Security Incident and Event Management (SIEM) tracks ongoing security. And it tests the actual compliance on your live networks.
You can use both for a continuous authorization process (cATO). Right now. Today. We explain how at a high level below, with a handful of examples.
When it comes to cyber compliance, there is usually a standard framework to use. The thing is, everyone has their own standard (RMF, CMMC, CSF, PCI-DSS, HITRUST, IEC 62443). They vary depending on the industry, use cases, rules, regulations, region of the world, specific verbiage, and group of people that created them.
So there is no one standard you can learn and use for various customers and industries. There are many standards, 80+ the last time we checked. And they overlap quite a bit — just search on “NIST 800–53 crosswalk” with your favorite framework to see that.
Soteria Software was born to automate cyber compliance. The founders realized it was way too manual. Way too hard. Way too complex. Was being run looking top down, answering questions over and over. And the “Great Oz” cyber gods behind the curtains were not making it any easier.
So we changed that. We automated from the ground up. We created a team collaborative environment in the process. And we democratized the process so all can understand and work toward a common goal.
I preach automation. ALL THE TIME! Automate your tasks. Do not do things manually if you do not have to. Keep using your brain for higher level functions and thinking. However, I have come to realize something. Automation is not necessarily about doing things better, repeatedly.
Automation is about how I value my time. And for me, it changes as I get older and have life experiences.
Time is the only currency you spend where you never know your remaining balance. Think about that.
Question for you: are you providing enough detail in your RMF accreditation to actually assess proper RISK? To actually assess risk?
Are you looking at patches, compliance, settings, mitigations, open POAM items and all network devices to see what is going on? And making sure you cover all your devices and those you inherit from as well?!?
If you are doing this manually, chances are you do not have enough time to do that!
To track the vulnerability burndown of images using scans, you note the open vulnerabilities based on the image tag. And track this over time. Images are not patched “in place” like workstations, servers, or virtual machines. You recreate them.
In OpenRMF Professional v2.12 coming out May 2025, you can automatically track your image vulnerability burndown over time. Just like you do with your patch vulnerabilities, software vulnerabilities, and checklist compliance vulnerabilities.
With software images and containerized applications on the rise, the question of scanning and compliance comes into view. These images are a little bit OS and application combined. We have vulnerability scanning. We have software bill of material (SBOM) generation. SWFT is working to use these two items to quickly get a preliminary ATO for software faster.
What about compliance checks in images? Can we scan images like we do workstations and servers? And get compliance results to generate checklists with the status and severity?
Come to find out, yes you can. Enter RapidFort.
Using our OpenRMF Professional solution, you track your open vulnerabilities on checklists and compliance scans, patch vulnerability scans, as well as other technology scans. You can quickly see your scores by status.
There is another way to score your accreditation packages: Residual Risk. Score your accreditations and network by actual RISK not just raw severity a scanner gave them.
Going through an accreditation and achieving an ATO is a team process and team goal. It takes a team of people all doing their part of the process to get the final product and achieve the required end results.
At Soteria Software, we enable organizations to use their team efficiently with proper collaboration and automation. To get past individuals doing their specific piece manually, without knowing what comes before, after, happens at the end, or anything in between.
This article show how to use DISA SCC SCAP scanner to perform a SCAP scan.
Navigating the world of information technology and cybersecurity can be overwhelming, especially for newcomers. Understanding the tools available to streamline your duties and gain insights into your area’s cyber compliance status is crucial.
DISA STIG Viewer is a GUI java based application provided to open content and create checklists for managing the security setting on your system or network. Many use it to manage and edit their checklists. It is free and useful for managing your technical compliance or just securing your computer.
This article explains the tool, how to incorporate SCAP scans and what to do with checklists manually.
DISA STIG Viewer is a new GUI provided to open content and create checklists for managing the security setting on your system or network. Many use it to manage and edit their checklists. It is free and useful for managing your technical compliance or just securing your computer.
This article explains the tool, how to incorporate SCAP scans and what to do with checklists manually.
Vulnerability management is a critical component of cybersecurity, and Nessus Professional is one of the most widely used tools for identifying security weaknesses. Among its many features, Nessus can perform patch scans to detect missing security updates across an organization’s systems. Understanding this is just a portion of your security and compliance posture. This article contains guidance on how to run a credentialed patch scan.
There are applications and tools (mostly gov’t created, some home grown) right now that do pieces of the RMF, FedRAMP and cyber compliance processes. The challenge with these — they are individual, separate, mostly manual, and disjointed. You do one, then you load into another. Then you bring up 1 of 17 .xlsx files to update and send out to the team.
And when one thing changes, you do it all over again. NO MORE!!
In the latest version of OpenRMF Professional, we added some preferences to control data to use, edit, and organize. These are features customers have asked for we had in our roadmap. But we moved the timeline to the left to get them into their hands faster.
Uncredentialed scans. Disable severity override. And tigher control on adding Team Subpackage items.
We have added ELK Stack into the mix for not just logging. We are now using it to full text all checklist information for quick search and access. On our way to full text indexing your whole accreditation package. Do this using our internal ELK stack or your own Elastic Stack or Elastic Cloud.
White labeling in general lets you add your own branding or look-and-feel to an existing application or design. Starting with v2.11 of OpenRMF Professional you can do just that!
Add your own logo. Your own application title and version. Your own footer and tagline and more.
We just released a major update to OpenRMF Professional with some features users have been asking to have. And some major innovations around automating and managing your ATO and cyber compliance information as well.
When you have a larger Authority to Operate (ATO) with multiple tenants running under you, you have to manage a lot more than just your infrastructure. You have to manage all theirs as well!
Using OpenRMF Professional and its unique Team Subpackages feature, you can have those groups track and update just their own compliance scans, patch scans, and POAM items. While you track the impact to your entire ATO. All from the same solution.
When you have a larger Authority to Operate (ATO) with multiple tenants running under you, you have to manage a lot more than just your infrastructure. You have to manage all theirs as well!
Using OpenRMF Professional and its unique Team Subpackages feature, you can have those groups track and update just their own compliance scans, patch scans, and POAM items. While you track the impact to your entire ATO. All from the same solution.
This quick article explains what files, scans, and information you need to quickly get OpenRMF Professional working for you and your team. Use these and in a few minutes you can see where you are, where you need to go, and how to get there.
With minimal training / help files. And without paying someone hundreds of dollars an hour to “configure” and “customize” your automated cyber compliance solution.
Please do not make your smart Cyber people do Excel wizardry, documentation galore, and be paper pushers!
Automate tasks so they can use their skills and brain more. Easy to say, hard to do — or is it?
We show the problems and offer some solutions in this article. And ask you to prove us wrong!
We finally released our long-awaited v2.10 of Soteria Software’s flagship product, OpenRMF® Professional. Here are highlights of 3 new features people have requested and are falling in love with already.
Here is a simple foundational model to go from manual cyber compliance scans and review, to automation of review, to automation of scans, to integration, to full up automation and more.
You build your solid foundation of automation from the ground up, automating tasks, freeing up resources and reducing your stress and blood pressure!
Use OpenRMF® Professional in your Cyber Security Mesh Architecture (CSMA) to create a best-of-breed suite of automation around your cyber needs.
You can use GitHub Actions to process new/changed files in a GitHub repository and automatically push them to OpenRMF Professional for tracking your cyber compliance.
If you use GitHub for storing scan results for your ATO or accreditation package such as CKL, SCAP XML, or .Nessus you can easily enable automated ingest into OpenRMF Professional.
Do the same for compliance statements, hardware, software, PPSM, mitigation statements and other lists to use for OpenRMF Professional with this simple workflow.
One of the hardest things around tracking your different RMF, FedRAMP and other cyber compliance packages is the amount of data it generates. And aggregate it. Turn it into actionable information. Executing a plan against it.
Track configuration management and newer vulnerabilities. In an easily-to-digest way that does not involve opening 400 separate files.
The solution to handle that large amount of data, tracking changes and trends, as well as performing proper configuration management across your entire team is why we at Soteria Software created OpenRMF® Professional.
It can be daunting as a new cyber person to be thrown into an RMF compliance project. And you get lost quickly when talking to a seasoned cyber professional, who seems to speak their own unique language.
But fear not! You do NOT need to know every single step from Day 1.
You can start to grasp concepts, perform tasks, and quickly begin to understand this whole process by having a structured, repeatable set of steps. You can automate around your data.
You do this with an automated solution designed specifically for RMF.
If you have ever been told “I need a DISA checklist on your servers/devices for accrediting the network”, this is for you! This is a quick step-by-step on how to scan your server, virtual machine, or workstation with the free SCAP Compliance Checker (SCC).
You can download the application for free. Load up the benchmarks to use against your devices. And quickly get results in minutes. Then turn that into a checklist quite easily. See the steps below.
This is a quick step-by-step guide on how to scan your server, virtual machine, or workstation with the free OpenSCAP tool and DISA Benchmark for your operating system.
That gives you an XCCDF XML file you can load into OpenRMF OSS or OpenRMF Professional to quickly get a checklist CKL file to give to your group asking for a DISA Checklist file for RMF, FedRAMP or cyber compliance.
OpenRMF® Professional has a lot of automation built-in for tracking cyber compliance. This is especially true for device, network and device scans for compliance and patch vulnerabilities.
But what about Platform IT, that special purpose hardware and software? Can OpenRMF® Professional help with Risk Management Framework (RMF) for that? In a word: YES!
Foreign Military Sales (FMS) with friendly country customers must also maintain cyber compliance. And trying to explain RMF and complex controls is difficult a best! So use OpenRMF® Professional to quickly and easily accomplish that for all your FMS customers:
OpenRMF® Professional v2.9 contains a new highly requested feature -- Bulk Upgrade of Checklists:
Tracking your cyber compliance for RMF, FedRAMP, StateRAMP, and the like requires more than scanning! To show all angles of cyber compliance it also requires evidence in the form of PDF, DOCX, PNG/JPG snapshots, write-ups and other documents that are not checklists or vulnerability scans.
OpenRMF® Professional v2.9 allows for that now with Evidence Management. For your whole ATO / accreditation package. POAM items. Checklist Vulnerabilities. Or even Compliance Statements.
OpenRMF® Professional v2.9 is finally here! Some of the new features include:
There are several good GRC tools out there. What sets OpenRMF® Professional apart? A few things stand out immediately.
Tired of manually generating your cyber compliance documentation? You know the PPSM, Hardware list, Software list, latest Vulnerabilities, Summary in a PPTX file, Cyber Readiness scores and the like?
Or even just tracking ALL OF THOSE CHECKLISTS and patch scan PDF files? Then let OpenRMF® Professional do it for you!
Load your raw data and lists, click a few buttons and get all your documentation you need. From the GUI or even via an API call!
Read more
Use OpenRMF® Professional to continually automate your Risk Management Framework (RMF) steps and the tasks involved. Reduce risk while reducing costs and manual tasks through automation of scans, trends, compliance, reporting, and live POAM tracking.
You can use OpenRMF® Professional to help implement 6 of the 11 security domains concerning Continuous Monitoring outlined in NIST 800–137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.
Generate your CCRI Scores and reports in seconds with the latest version of OpenRMF® Professional from Soteria Software.
You already are loading your compliance scans, patch vulnerability scans, software scans and container scans into our automation solution. Now add your weighted values and ranges to the vulnerability categories in our cyber readiness sections area. And DONE!
Instantly see your CCRI Scores by vulnerability area. And they are automatically updated as your scans and vulnerability data are updated as well!
Read more
We have added several great features for the latest release.
Automated Cyber Readiness (CCRI). Loading lists for easier bulk add/edit. A universal patch vulnerability format for patch scans. And more! Check out in this latest article.
Nothing works more powerfully than simplicity.
In simple terms: Stop using the 1995 Rand McNally Road Atlas (manual RMF) and start using your cell phone with GPS and Waze (automated RMF with OpenRMF® Professional) to navigate where you need to be.
OpenRMF® Professional v2.8.5 allows tracking your RMF or FedRAMP compliance score trends over time.
Something that should be done but used to take a lot of time and resources. So we automated it!
Did you know…you can actually use OpenRMF® Professional to comply with NIST controls in the CA, CM, PL, PM, RA, SA, and SC families?!?! Well you can. Not only does our OpenRMF® Professional solution speed your ATO process, save massive time and money, and move you toward a Continuous ATO process. It also helps you comply with your required RMF and FedRAMP controls at the same time.
Good quality. Great speed. Correct results. Consistently delivered. That sounds like RMF right? If not, you may need to think of RMF from a process perspective and not a “throw a bunch of people at it” perspective.
Read more
With our new feature release out July 8th, Soteria Software has added compliance statements and detailed compliance reporting for you, your ISSO/ISSM/ISSE and Cyber team. We also included NIST 800–53 Revision 5 controls and corresponding CCIs to use. Finally, we also added support for using Rapid7 Nexpose SCAP and Full Audit scan data.
Automation is key to attaining an ATO for your RMF or FedRAMP systems and applications faster. With OpenRMF® Professional and its latest features, you can use our compliance engine, vulnerability tracking, and reporting mechanisms to quickly see where you are, what you need to do, get compliant and then generate the documentation to prove it.
Yes you read that right! Combine your Compliance Statements, automated SCAP scan checklists, automated CIS checklists, and Custom checklists. Run through our compliance engine. Within a couple minutes, see your full compliance down to the CCI Level.
With the new Compliance Statement feature update to OpenRMF® Professional v2.8.3, now you can quickly track compliance of your ATO / system package all the way down to the individual CCI level, as well as at the RMF control and subcontrol level. You can also add compliance statements and status per Control/CCI combination where required or desired for your system package.
You can even export/import groups of statements based on status to share your desired, good answers with other system packages you are tracking in OpenRMF® Professional!
Read more
IT organizations throughout the U.S. Federal Government are constantly working to defend against cyber attacks, nation state actors, criminals, and have to do that while modernizing their network infrastructure and applications. The process to become certified to provide these requires an Authority to Operate (ATO).
In today’s environment, doing this the old fashion way of manually scanning, importing to checklists, tracking separate spreadsheets for compliance, and “checking off CCIs” manually has GOT TO GO!!
Read more
Your cyber personnel and program manager see and manage all your ATO information and status! Your system admins only see their checklists and devices. Your developers only see their checklists and devices. And your network admins only see their data. However, the automated compliance, POAM, vulnerability tracking and reporting is still working for you across your entire ATO system package all the time.
This is the Team Subpackages℠ concept.
Did you know you can use the checklist template engine in OpenRMF® Professional to have checklists already pre-filled with your manual checks and known good automated check results? And you can use the Bulk Edit feature for your checklist vulnerabilities to have consistent standard answers across your checklist vulnerability entries? Even use the Bulk Lock feature to cut down on false positives across your checklist updates. Do the work and automate the paperwork with OpenRMF® Professional!
Tracking your cyber compliance is NOT just for US Federal government or DoD in particular. Proper cyber hygiene and applying the right cyber frameworks is important regardless of you being a government agency, large business, or even a smaller business. With our latest version 2.8, you can use OpenRMF® Professional to track your CIS benchmark scans as well as DISA benchmarks against the same NIST controls for Risk Management Framework or even a tailored list of controls just as easily.
The latest version 2.8 automates SAR, SSP, and RAR documentation. Allows creating CIS based checklist from CIS benchmark scans automatically. Tracks other vulnerabilities from software, container, and other scans along with checklist and host patch OS vulnerabilities. And it integrates with program management software (Jira, GitLab, GitHub, ServiceNow) for tracking tasks and issues linked back to the screen in OpenRMF® Professional. Add in the ability to pull data straight from Nessus and your cyber compliance automation path just got a lot simpler!
Read more
With version 2.8, you can now use CIS based benchmarks to scan your applications, software, and devices for tracking compliance and vulnerabilities. Automatically make a CIS checklist template from your .audit file. Scan your devices. Upload the results. Track over time using OpenRMF® Professional’s automation engine. Combine these with SCAP scans, DISA checklists and Custom checklists designed in the Custom Checklist designer to get a full picture of your system package cyber compliance.
To track RMF and FedRAMP system packages as you move them to your cloud, you first can use the new OpenRMF® Professional v2.7 with Custom Checklists to create your base level infrastructure system package for your platform or cloud infrastructure. Then, use the new Inheritance feature (common controls) when generating and tracking compliance for applications, services, and platforms for your users that inherits these controls and your main infrastructure system package compliance.
Integrate a cyber compliance engine to your software factory to track RMF, FedRAMP, or other compliance frameworks from Day 1. Use scoring APIs for gated pipeline software delivery and deployment. Update and produce checklists and documentation easily and automatically. Keep track of issues with a live automated POAM.
Sound impossible?
It’s not!
Read more
OpenRMF® can fit into your DevSecOps process in several unique ways to help you with Risk Management Framework (RMF) and your ATO (Authority to Operate) process. It helps you manage security, compliance, reporting, scans and data calls in a much more automated fashion. This article takes the view of Risk Management Framework (RMF), looking at DevSecOps, through the lens of OpenRMF® Professional.
Have you ever calculated the cost of manually tracking your RMF or FedRAMP system packages? You know, the way most do it — manually editing and viewing checklists and spreadsheets, scan PDFs and reports. Have you ever tracked the same cost of manually doing the upfront work on compliance, that leads toward better cybersecurity, versus automating it?
It’s the same great RMF and FedRAMP cyber compliance and collaboration application. Now it includes Tracking Inheritance and Common Controls. More powerful bulk editing and locking. Massively expanded API. Tracking Cyber Compliance History. Bulk tagging. More charts and reports. And smoother setup and installation/upgrade. Major highlights are below!