Soteria Software Press Release

January 21st, 2026

OpenRMF® Professional v2.13.02 Released!

Soteria Software released a patch update to their flagship product OpenRMF® Professional v2.13 today. Please log into the Software & Documentation portal under the Resources link on the website and download the upgrade as soon as you can.


OpenRMF® Professional version v2.13.02 was released today. This patch fixes bugs, updates components for security, and adds a few features. The major update is an updated component for the MongoBleed CVE-2025-14847 vulnerability. Additional features include updated framework assessment procedures, eMASS System Export ingestion, and additional framework reports, as well as small bug fixes throughout.


  • MongoDB Update to 7.0.28 to fix MongoBleed CVE-2025-14847
  • Added a way to ingest a system export XML file from eMASS to start your new System Package accreditation (per user request)
  • Added the framework to the listing on the Manage System Packages screen
  • Added operatingSystem to the fields allowed in general JSON format patch vulnerability uploads
  • Added a way to set the prefix on STIG ID, Vulnerability Number, and STIG Name for custom checklists (per user request)
  • Added a note on the Frameworks page to load default frameworks, if none exist
  • Added Assessment Procedure Numbers and Text to generating compliance and compliance statements via CCI (per user request)
  • Added source as a filter on the POAM listing page (per user request)
  • Added 4 framework reports to show framework information to users, not just Framework Administrators
  • Updated jQuery, DataTables and other UI libraries to the latest versions for various fixes
  • Updated the Team Subpackage Last Updated date to show the last time any data in the Team Subpackage was updated (per user request)
  • Updated our base image for software to include a RapidFort FIPS enabled updated Alpine Linux image
  • Bug fix on default controls (CM-6 for NIST 800-53) not always filling in for system packages to generate full compliance
  • Bug fix on CKLB files not updating in STIG Viewer 3.x because of a unique ID issue
  • Bug fix on not removing all data from the report database when doing a bulk hardware delete
  • Added a resync of report data based on the bug above from bulk hardware delete, to clean up old data
  • Bug fix on exporting out Checklist to XLSX when comments or details are over 32k characters
  • Bug fix on exporting out Compliance Details to XLSX when comments or details are over 32k characters
  • Bug fix on checklist details showing a paperclip for evidence but not listing the evidence files
  • Bug fix on trimming and normalizing CCIs, controls, overlays, and tailoring for uploads
  • Bug fix to load Cyber Readiness Settings even if the Sample System Package load is disabled
  • Bug fix on the Create Checklist from Template page to require Asset Type on creation
  • Bug fix for showing the proper control and title on adding evidence files to compliance statements
  • Bug fix on removing an extra slash / on Auditing calls that broke some Kubernetes installation pages
  • Bug fix for updating the compliance statement structure on the external API calls
  • Upgraded Prometheus to 3.8.0-jammy-fips-rfcurated
  • DISA Template updates as of January 10, 2026 from DISA public.cyber.mil


More information on the software release and its availability as well as training can be found at their website www.soteriasoft.com.