Blogs & Articles

To track the vulnerability burndown of images using scans, you note the open vulnerabilities based on the image tag. And track this over time. Images are not patched “in place” like workstations, servers, or virtual machines. You recreate them.

In OpenRMF Professional v2.12 coming out May 2025, you can automatically track your image vulnerability burndown over time. Just like you do with your patch vulnerabilities, software vulnerabilities, and checklist compliance vulnerabilities.

With software images and containerized applications on the rise, the question of scanning and compliance comes into view. These images are a little bit OS and application combined. We have vulnerability scanning. We have software bill of material (SBOM) generation. SWFT is working to use these two items to quickly get a preliminary ATO for software faster.

What about compliance checks in images? Can we scan images like we do workstations and servers? And get compliance results to generate checklists with the status and severity?

Come to find out, yes you can. Enter RapidFort.

This article show how to use DISA SCC SCAP scanner to perform a SCAP scan.

Navigating the world of information technology and cybersecurity can be overwhelming, especially for newcomers. Understanding the tools available to streamline your duties and gain insights into your area’s cyber compliance status is crucial.

DISA STIG Viewer is a GUI java based application provided to open content and create checklists for managing the security setting on your system or network. Many use it to manage and edit their checklists. It is free and useful for managing your technical compliance or just securing your computer.

This article explains the tool, how to incorporate SCAP scans and what to do with checklists manually.

There are applications and tools (mostly gov’t created, some home grown) right now that do pieces of the RMF, FedRAMP and cyber compliance processes. The challenge with these — they are individual, separate, mostly manual, and disjointed. You do one, then you load into another. Then you bring up 1 of 17 .xlsx files to update and send out to the team.

And when one thing changes, you do it all over again. NO MORE!!

In the latest version of OpenRMF Professional, we added some preferences to control data to use, edit, and organize. These are features customers have asked for we had in our roadmap. But we moved the timeline to the left to get them into their hands faster.

Uncredentialed scans. Disable severity override. And tigher control on adding Team Subpackage items.

We just released a major update to OpenRMF Professional with some features users have been asking to have. And some major innovations around automating and managing your ATO and cyber compliance information as well.

The full list of updates is here.

When you have a larger Authority to Operate (ATO) with multiple tenants running under you, you have to manage a lot more than just your infrastructure. You have to manage all theirs as well!

Using OpenRMF Professional and its unique Team Subpackages feature, you can have those groups track and update just their own compliance scans, patch scans, and POAM items. While you track the impact to your entire ATO. All from the same solution.

Please do not make your smart Cyber people do Excel wizardry, documentation galore, and be paper pushers!

Automate tasks so they can use their skills and brain more. Easy to say, hard to do — or is it?

We show the problems and offer some solutions in this article. And ask you to prove us wrong!

We finally released our long-awaited v2.10 of Soteria Software’s flagship product, OpenRMF^® Professional. Here are highlights of 3 new features people have requested and are falling in love with already.

• Missing Checklist Wizard - search the OS and software list for checklists you missed
• Checklist Applicability Wizard - enter a hostname, pick types of checklists required, add them, create with a single click
• Device Profiles - track the ports/protocols/services allowed for your device by attaching a profile and running reports

One of the hardest things around tracking your different RMF, FedRAMP and other cyber compliance packages is the amount of data it generates. And aggregate it. Turn it into actionable information. Executing a plan against it.

Track configuration management and newer vulnerabilities. In an easily-to-digest way that does not involve opening 400 separate files.

The solution to handle that large amount of data, tracking changes and trends, as well as performing proper configuration management across your entire team is why we at Soteria Software created OpenRMF^® Professional.

OpenRMF^® Professional has a lot of automation built-in for tracking cyber compliance. This is especially true for device, network and device scans for compliance and patch vulnerabilities.

But what about Platform IT, that special purpose hardware and software? Can OpenRMF^® Professional help with Risk Management Framework (RMF) for that? In a word: YES!

Foreign Military Sales (FMS) with friendly country customers must also maintain cyber compliance. And trying to explain RMF and complex controls is difficult a best! So use OpenRMF^® Professional to quickly and easily accomplish that for all your FMS customers:

1. Track compliance, patches, POAM items, and milestones remotely in multiple ways
2. Train FMS customers on RMF easily by simplifying, structuring data, and showing how to do scans
3. Create SOPs around use of OpenRMF^® Professional with FMS and RMF
4. Get repeatable results across your entire portfolio of FMS

OpenRMF^® Professional v2.9 is finally here! Some of the new features include:

• New dashboard look and feel
• Evidence Management
• Bulk Upgrade Checklists
• Bulk Edit POAM
• New Team Subpackage^℠ Functionality
• StateRAMP^™ and Custom Compliance Frameworks
• Additional reports and charts
• Additional API calls

There are several good GRC tools out there. What sets OpenRMF^® Professional apart? A few things stand out immediately.

1. Automating cyber compliance around the scans you are already doing!
2. Hyper Automation around your compliance data to make it work for you
3. Team Collaboration around all your cyber compliance data and processes
4. Install, setup, and use on Day 1 with a little work, quick setup, and very little configuration

Use OpenRMF^® Professional to continually automate your Risk Management Framework (RMF) steps and the tasks involved. Reduce risk while reducing costs and manual tasks through automation of scans, trends, compliance, reporting, and live POAM tracking.

You can use OpenRMF^® Professional to help implement 6 of the 11 security domains concerning Continuous Monitoring outlined in NIST 800–137 Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.

We have added several great features for the latest release.

Automated Cyber Readiness (CCRI). Loading lists for easier bulk add/edit. A universal patch vulnerability format for patch scans. And more! Check out in this latest article.

Nothing works more powerfully than simplicity.

In simple terms: Stop using the 1995 Rand McNally Road Atlas (manual RMF) and start using your cell phone with GPS and Waze (automated RMF with OpenRMF^® Professional) to navigate where you need to be.

Your cyber personnel and program manager see and manage all your ATO information and status! Your system admins only see their checklists and devices. Your developers only see their checklists and devices. And your network admins only see their data. However, the automated compliance, POAM, vulnerability tracking and reporting is still working for you across your entire ATO system package all the time.

This is the Team Subpackages^℠ concept.

Did you know you can use the checklist template engine in OpenRMF^® Professional to have checklists already pre-filled with your manual checks and known good automated check results? And you can use the Bulk Edit feature for your checklist vulnerabilities to have consistent standard answers across your checklist vulnerability entries? Even use the Bulk Lock feature to cut down on false positives across your checklist updates. Do the work and automate the paperwork with OpenRMF^® Professional!

Tracking your cyber compliance is NOT just for US Federal government or DoD in particular. Proper cyber hygiene and applying the right cyber frameworks is important regardless of you being a government agency, large business, or even a smaller business. With our latest version 2.8, you can use OpenRMF^® Professional to track your CIS benchmark scans as well as DISA benchmarks against the same NIST controls for Risk Management Framework or even a tailored list of controls just as easily.

With version 2.8, you can now use CIS based benchmarks to scan your applications, software, and devices for tracking compliance and vulnerabilities. Automatically make a CIS checklist template from your .audit file. Scan your devices. Upload the results. Track over time using OpenRMF^® Professional’s automation engine. Combine these with SCAP scans, DISA checklists and Custom checklists designed in the Custom Checklist designer to get a full picture of your system package cyber compliance.

To track RMF and FedRAMP system packages as you move them to your cloud, you first can use the new OpenRMF^® Professional v2.7 with Custom Checklists to create your base level infrastructure system package for your platform or cloud infrastructure. Then, use the new Inheritance feature (common controls) when generating and tracking compliance for applications, services, and platforms for your users that inherits these controls and your main infrastructure system package compliance.

OpenRMF^® can fit into your DevSecOps process in several unique ways to help you with Risk Management Framework (RMF) and your ATO (Authority to Operate) process. It helps you manage security, compliance, reporting, scans and data calls in a much more automated fashion. This article takes the view of Risk Management Framework (RMF), looking at DevSecOps, through the lens of OpenRMF^® Professional.

Have you ever calculated the cost of manually tracking your RMF or FedRAMP system packages? You know, the way most do it — manually editing and viewing checklists and spreadsheets, scan PDFs and reports. Have you ever tracked the same cost of manually doing the upfront work on compliance, that leads toward better cybersecurity, versus automating it?

It’s the same great RMF and FedRAMP cyber compliance and collaboration application. Now it includes Tracking Inheritance and Common Controls. More powerful bulk editing and locking. Massively expanded API. Tracking Cyber Compliance History. Bulk tagging. More charts and reports. And smoother setup and installation/upgrade. Major highlights are below!