Soteria Software Press Release

February 6th, 2025

OpenRMF® Professional v2.11 Released!

Soteria Software today released a major update to its flagship product OpenRMF® Professional! Please log into the Software & Documentation portal under the Resources link on the website and download the upgrade as soon as you can.


OpenRMF® Professional version v2.11 was released today. This is a feature and bug fix release. Features include CKLB checklist format usage, full text searching of all checklist data, system package preferences (uncredentialed scans, Team Subpackage settings, turn off Severity Override), new reports as well as the updated DISA checklists from January 2025 with NIST 800-53 revision 5 updates.


  • Reworked pages loading tables of data to perform faster
  • Added the CKLB JSON format checklist upload and download in a system package or team subpackage
  • Added a limit field entry on Fortify API calls for importing issues in Other Technology area of a system package (defaulted to 200)
  • Added a filter for locked and unlocked vulnerabilities on checklist screen for filtering in a system package or team subpackage
  • Added a patch score filter on patch score summary
  • Added Elasticsearch data source integration for full text searching of checklist vulnerabilities and details (when configured)
  • Added several new reports requested by users
  • Added newer metrics for tracking Vault and Keycloak metrics through Grafana
  • Added the Target Comments field when editing or bulk editing checklist details in a system package or team subpackage
  • Added parsing of .audit file vulnerability severity when creating CIS based checklists
  • Added Memorandum for the Record (MFTR) as a possible ATO Status for a System Package
  • Added counters on the Team Subpackage dashboard when users only have access to the subpackages
  • Added links on the System Package Dashboard to key areas for one-click access to information
  • Added System Package Preferences to allow uncredentialed patch scan uploads, disable severity override checklist editing, and limit items per Team Subpackage
  • Added an option for CKL or CKLB when downloading the checklist via API call
  • Added a lot of control and CCI API calls (See Developer’s Guide for v2.11)
  • Added “Policy Value” and “Actual Value” from .audit CIS results into the details in checklists from uploaded scan results
  • Added Target Comments field to checklists
  • Added a Journal for system packages to track all actions and impact to data and structures in the system package
  • Added a Journal for installation to track all other actions and impact to non-System Package information such as overall settings and templates
  • Added all DISA checklist templates up to January 24, 2025
  • Added Grafana dashboards for Keycloak health and Vault health, if enabled
  • Added links from the System Package Dashboard to key areas for one-click access
  • Added a title to show which checklist is being tracked for bulk upgrade when viewing which checklists have available upgrades
  • Added web or database fields to create checklist from template wizard
  • Added target comments field to create checklist from template wizard
  • Allow deleting Checklists at the Team Subpackage level for checklist creators and editors
  • Allow deleting hardware at the Team Subpackage level for Patch Administrators
  • Allow deleting (hard delete) POAM entries as a SystemOwner when entries are incorrect or need to be removed
  • Allow whitelabel entries for custom logo, footer, support email, title and version of your OpenRMF Professional installation
  • Allow custom themes and setting a default theme for your OpenRMF Professional installation
  • Added additional API calls for controls and CCIs
  • Updated the Created By and Updated By to “FirstName Last Name (login)” format for CAC and PIV users
  • Updated the Test Plan Summary table to show vulnerability separately for sorting and color coding
  • Update to use Host IP when a Nessus patch vulnerability scan has a blank hostname (no reverse DNS)
  • Updated Navy eMASS POAM to include Milestone Id and Mitigations columns that were missing
  • Updated checklists created from .audit files to include the severity of the vulnerability correctly
  • Updated patch score page to allow filtering on patch score by device
  • Updated the Team Subpackage POAM filter to add additional fields to mimic System Package POAM filter
  • Updated the CCI listing from 27 Jan 2025 from public.cyber.mil
  • Updated the Add POAM item to require status and source information at a minimum
  • Bug fix on showing the checklist type if using web/database/application fields for bulk editing vulnerabilities
  • Bug fix on checklist version upgrade available if the uploaded checklist is a higher version than the current DISA template
  • Bug fix showing duplicate CCIs for revision 4 and revision 5 of RMF
  • Bug fix on large software, hardware, and PPSM lists uploaded to save correctly
  • Bug fix on support drivers edit on uploading files to set to Support and Drivers application type
  • Bug fix on hostname not being used correctly in create checklist from templates
  • Bug fix on showing an updated date and name when adding evidence to a checklist vulnerability
  • Bug fix for POAM report to properly connect and use data and verify authentication
  • Bug fix for checklist report to update the web or database information correctly when switching between checklists
  • Bug fix for bulk edit vulnerabilities to show the web or database information for checklists properly
  • Bug fix for Add button on Administration Manage System Packages to go to the New System Package Wizard page
  • Bug fix for Patch Administrators to show checkboxes on the hardware page for bulk editing
  • Bug fix for updating current checklists when the type has a (, ), or / in the type of checklists for matching properly
  • Bug fix for showing evidence on checklist vulnerabilities at the Team Subpackage level
  • Bug fix for showing mitigations on the POAM at the Team Subpackage level
  • Bug fix to show scanner and scanner version for software and PPSM data correctly when from an automated scan upload
  • Fixed Keycloak registration template for the OpenRMF Professional theme
  • Updated the ELK stack 3rd party images to 8.17
  • Updated Grafana image to version 10.4
  • Upgrade Postgres to v16.2
  • Upgrade Keycloak to v26.1.0
  • Updated codebase to use .NET 8 for performance
  • Updated the base image for code builds for better vulnerability scanning


More information on the software release and its availability as well as training can be found at their website www.soteriasoft.com.