Blogs & Articles

Large Prime contractors in the Defense Industrial Base (DIB) are currently navigating a “Compliance Paradox.” While they are contractually liable for the cybersecurity posture of their entire supply chain via “Flow-Down” requirements, it is functionally impossible for them to manage thousands of diverse subcontractor environments within their own internal Governance, Risk, and Compliance (GRC) tools.

To resolve this, forward-thinking organizations are adopting OpenRMF^® Professional as a standardized compliance engine. This solution bridges the gap between the Prime’s liability and the subcontractor’s autonomy, satisfying the needs of CISOs, Supplier Risk Management (SRM) leads, and Procurement officers who need to ensure their supply chain is “ready” for the next contract award without slowing down the mission.

The most effective cyber defense is not a single tool or a thicker binder, but a biological-style ecosystem. By integrating the structural rigor of OpenRMF^® Professional with the real-time sensory intelligence of Elastic SIEM and Elastic AI, organizations can transition from passive vulnerability to active, evolutionary survival. This synergy transforms compliance from a bureaucratic hurdle into a high-functioning immune system — one where defense is not an event, but a continuous process of life.

The reality is that modern cyberspace is a living, breathing environment where threats move at the speed of light. To survive, organizations must abandon the “checklist” mentality. You cannot defend a dynamic, shifting ecosystem with a rigid, unmoving wall; you need a defense that is as organic and adaptive as the predators it faces.

See if automating your cyber compliance using OpenRMF Professional is right for you. There are a few quick things to check to find out.

If you are using current STIG checklists. Do not want to be locked into a cloud offering. SCAP, Audit Compliance, and Evaluate-STIG usage. Tenable Nessus / ACAS scanning. Doing things heavily manual right now. A need for automation and time saving. US Federal Government ATO requirements. Or have Special Access Programs or air gapped networks.

RMF can be tedious, drawn out, paper heavy, and disjointed. It does not have to be. We explain how Soteria Software was born to help solve this problem. Now and into the future.

At Soteria Software, our two founders (me being one of them) have done this for over 20 years, starting with DITSCAP and then DIACAP and now RMF. And we saw it done manually from 2004 onward when we were just getting into cyber compliance heavy. Some groups are still doing the same manual processes today. Our mission is to change that.

Use our OpenRMF Professional solution for automated cyber compliance. Then brand it and configure it to host your own Automated Cyber Compliance server.

For your company. For your customers. For your business model.

On a VM. On a laptop. On a cloud instance. On premise. Wherever you need it.

Your Plan of Action and Milestones lists all ongoing issues, if they were completed, when they have to be done by, their impact and likelihood, and more.

And it does it on all the types of data you must track for cyber compliance across checklists, patches, scans, statements and more.

Sound like a lot? IT IS!! Which is why you need to automate that to keep the data valid. And get sanity back in your life. This article goes over how.

Track against any cyber compliance framework. Expanding bulk editing on POAM. Additional system package preferences for your control.

Same great automation. New features and frameworks. Available now.

We spent a few months rewriting our internal framework engine. Now, along with the NIST 800–53 controls for RMF, FedRAMP, and StateRAMP/GovRAMP you can include any number of additional cyber frameworks.

Compliance is your pre-flight checklist. Security Incident and Event Management (SIEM) tracks ongoing security. And it tests the actual compliance on your live networks.

You can use both for a continuous authorization process (cATO). Right now. Today. We explain how at a high level below, with a handful of examples.

I preach automation. ALL THE TIME! Automate your tasks. Do not do things manually if you do not have to. Keep using your brain for higher level functions and thinking. However, I have come to realize something. Automation is not necessarily about doing things better, repeatedly.

Automation is about how I value my time. And for me, it changes as I get older and have life experiences.

Time is the only currency you spend where you never know your remaining balance. Think about that.

Question for you: are you providing enough detail in your RMF accreditation to actually assess proper RISK? To actually assess risk?

Are you looking at patches, compliance, settings, mitigations, open POAM items and all network devices to see what is going on? And making sure you cover all your devices and those you inherit from as well?!?

If you are doing this manually, chances are you do not have enough time to do that!

Using our OpenRMF Professional solution, you track your open vulnerabilities on checklists and compliance scans, patch vulnerability scans, as well as other technology scans. You can quickly see your scores by status.

There is another way to score your accreditation packages: Residual Risk. Score your accreditations and network by actual RISK not just raw severity a scanner gave them.

Going through an accreditation and achieving an ATO is a team process and team goal. It takes a team of people all doing their part of the process to get the final product and achieve the required end results.

At Soteria Software, we enable organizations to use their team efficiently with proper collaboration and automation. To get past individuals doing their specific piece manually, without knowing what comes before, after, happens at the end, or anything in between.

DISA STIG Viewer is a new GUI provided to open content and create checklists for managing the security setting on your system or network. Many use it to manage and edit their checklists. It is free and useful for managing your technical compliance or just securing your computer.

This article explains the tool, how to incorporate SCAP scans and what to do with checklists manually.

Vulnerability management is a critical component of cybersecurity, and Nessus Professional is one of the most widely used tools for identifying security weaknesses. Among its many features, Nessus can perform patch scans to detect missing security updates across an organization’s systems. Understanding this is just a portion of your security and compliance posture. This article contains guidance on how to run a credentialed patch scan.

There are applications and tools (mostly gov’t created, some home grown) right now that do pieces of the RMF, FedRAMP and cyber compliance processes. The challenge with these — they are individual, separate, mostly manual, and disjointed. You do one, then you load into another. Then you bring up 1 of 17 .xlsx files to update and send out to the team.

And when one thing changes, you do it all over again. NO MORE!!

In the latest version of OpenRMF Professional, we added some preferences to control data to use, edit, and organize. These are features customers have asked for we had in our roadmap. But we moved the timeline to the left to get them into their hands faster.

Uncredentialed scans. Disable severity override. And tigher control on adding Team Subpackage items.

We just released a major update to OpenRMF Professional with some features users have been asking to have. And some major innovations around automating and managing your ATO and cyber compliance information as well.

The full list of updates is here.

When you have a larger Authority to Operate (ATO) with multiple tenants running under you, you have to manage a lot more than just your infrastructure. You have to manage all theirs as well!

Using OpenRMF Professional and its unique Team Subpackages feature, you can have those groups track and update just their own compliance scans, patch scans, and POAM items. While you track the impact to your entire ATO. All from the same solution.

Please do not make your smart Cyber people do Excel wizardry, documentation galore, and be paper pushers!

Automate tasks so they can use their skills and brain more. Easy to say, hard to do — or is it?

We show the problems and offer some solutions in this article. And ask you to prove us wrong!

We finally released our long-awaited v2.10 of Soteria Software’s flagship product, OpenRMF^® Professional. Here are highlights of 3 new features people have requested and are falling in love with already.

• Missing Checklist Wizard - search the OS and software list for checklists you missed
• Checklist Applicability Wizard - enter a hostname, pick types of checklists required, add them, create with a single click
• Device Profiles - track the ports/protocols/services allowed for your device by attaching a profile and running reports

One of the hardest things around tracking your different RMF, FedRAMP and other cyber compliance packages is the amount of data it generates. And aggregate it. Turn it into actionable information. Executing a plan against it.

Track configuration management and newer vulnerabilities. In an easily-to-digest way that does not involve opening 400 separate files.

The solution to handle that large amount of data, tracking changes and trends, as well as performing proper configuration management across your entire team is why we at Soteria Software created OpenRMF^® Professional.

OpenRMF^® Professional has a lot of automation built-in for tracking cyber compliance. This is especially true for device, network and device scans for compliance and patch vulnerabilities.

But what about Platform IT, that special purpose hardware and software? Can OpenRMF^® Professional help with Risk Management Framework (RMF) for that? In a word: YES!

Foreign Military Sales (FMS) with friendly country customers must also maintain cyber compliance. And trying to explain RMF and complex controls is difficult a best! So use OpenRMF^® Professional to quickly and easily accomplish that for all your FMS customers:

1. Track compliance, patches, POAM items, and milestones remotely in multiple ways
2. Train FMS customers on RMF easily by simplifying, structuring data, and showing how to do scans
3. Create SOPs around use of OpenRMF^® Professional with FMS and RMF
4. Get repeatable results across your entire portfolio of FMS

OpenRMF^® Professional v2.9 is finally here! Some of the new features include:

• New dashboard look and feel
• Evidence Management
• Bulk Upgrade Checklists
• Bulk Edit POAM
• New Team Subpackage^℠ Functionality
• StateRAMP^™ and Custom Compliance Frameworks
• Additional reports and charts
• Additional API calls

There are several good GRC tools out there. What sets OpenRMF^® Professional apart? A few things stand out immediately.

1. Automating cyber compliance around the scans you are already doing!
2. Hyper Automation around your compliance data to make it work for you
3. Team Collaboration around all your cyber compliance data and processes
4. Install, setup, and use on Day 1 with a little work, quick setup, and very little configuration

Use OpenRMF^® Professional to continually automate your Risk Management Framework (RMF) steps and the tasks involved. Reduce risk while reducing costs and manual tasks through automation of scans, trends, compliance, reporting, and live POAM tracking.

You can use OpenRMF^® Professional to help implement 6 of the 11 security domains concerning Continuous Monitoring outlined in NIST 800–137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

OpenRMF^® Professional v2.8.5 allows tracking your RMF or FedRAMP compliance score trends over time.

Something that should be done but used to take a lot of time and resources. So we automated it!

Did you know…you can actually use OpenRMF^® Professional to comply with NIST controls in the CA, CM, PL, PM, RA, SA, and SC families?!?! Well you can. Not only does our OpenRMF^® Professional solution speed your ATO process, save massive time and money, and move you toward a Continuous ATO process. It also helps you comply with your required RMF and FedRAMP controls at the same time.

With our new feature release out July 8th, Soteria Software has added compliance statements and detailed compliance reporting for you, your ISSO/ISSM/ISSE and Cyber team. We also included NIST 800–53 Revision 5 controls and corresponding CCIs to use. Finally, we also added support for using Rapid7 Nexpose SCAP and Full Audit scan data.

Automation is key to attaining an ATO for your RMF or FedRAMP systems and applications faster. With OpenRMF^® Professional and its latest features, you can use our compliance engine, vulnerability tracking, and reporting mechanisms to quickly see where you are, what you need to do, get compliant and then generate the documentation to prove it.

Your cyber personnel and program manager see and manage all your ATO information and status! Your system admins only see their checklists and devices. Your developers only see their checklists and devices. And your network admins only see their data. However, the automated compliance, POAM, vulnerability tracking and reporting is still working for you across your entire ATO system package all the time.

This is the Team Subpackages^℠ concept.

Did you know you can use the checklist template engine in OpenRMF^® Professional to have checklists already pre-filled with your manual checks and known good automated check results? And you can use the Bulk Edit feature for your checklist vulnerabilities to have consistent standard answers across your checklist vulnerability entries? Even use the Bulk Lock feature to cut down on false positives across your checklist updates. Do the work and automate the paperwork with OpenRMF^® Professional!

Tracking your cyber compliance is NOT just for US Federal government or DoD in particular. Proper cyber hygiene and applying the right cyber frameworks is important regardless of you being a government agency, large business, or even a smaller business. With our latest version 2.8, you can use OpenRMF^® Professional to track your CIS benchmark scans as well as DISA benchmarks against the same NIST controls for Risk Management Framework or even a tailored list of controls just as easily.

With version 2.8, you can now use CIS based benchmarks to scan your applications, software, and devices for tracking compliance and vulnerabilities. Automatically make a CIS checklist template from your .audit file. Scan your devices. Upload the results. Track over time using OpenRMF^® Professional’s automation engine. Combine these with SCAP scans, DISA checklists and Custom checklists designed in the Custom Checklist designer to get a full picture of your system package cyber compliance.

To track RMF and FedRAMP system packages as you move them to your cloud, you first can use the new OpenRMF^® Professional v2.7 with Custom Checklists to create your base level infrastructure system package for your platform or cloud infrastructure. Then, use the new Inheritance feature (common controls) when generating and tracking compliance for applications, services, and platforms for your users that inherits these controls and your main infrastructure system package compliance.