Automatically create, track, link, update and manage your POA&M entries for STIG Checklist vulnerabilities and OS Patch vulnerabilities with OpenRMF Professional!

OpenRMF Professional by Soteria Software
OpenRMF Professional — Cyber Compliance Automation

Keeping your POA&M up to date is a full time job

If you or a team member has ever had to keep the plan of action and milestones (POA&M) up to date on a project that is going through accreditation for Risk Management Framework (RMF) or FedRAMP, you know the pain and strife this causes! Even with the older DITSCAP and DIACAP processes you had to have a POA&M tracking open item vulnerabilities. You listed the actual issue or vulnerability, when you were fixing them (if not just accepting the…

OpenRMF Professional = Cybersecurity Compliance Automation. To help you get more automation out of your data and give you time back to harden and secure your systems, we added some new features in 2.3 we think you will love. These include managing RMF as well as FedRAMP compliance, tracking compliance to sub-controls, tailoring to sub-controls, managing compliance overlays, managing POA&M mitigation statements to use, adding milestone events, speed improvements loading large lists, quick filtering of list data, and more reports. Highlights are below!

OpenRMF Professional 2.3 System Package Dashboard

New FedRAMP controls mapping and reports

OpenRMF Professional v2.3 now adds the ability to track system packages going for FedRAMP compliance. FedRAMP stands…

You can use OpenRMF OSS open source to track just your specific STIG Checklists for your application, even if that is just a small piece of a larger overall ATO or System Package effort. It is worth the few minutes to set up this application, as it will save you hours of work and cut down on copy/paste work, errors, frustration, elevated blood pressure, and bad data.

OpenRMF OSS is free to download and use at

What is OpenRMF OSS?

OpenRMF OSS is the open source application that helps you manage your Risk Management Framework (RMF) data in one easy-to-use interface. …

Automatically list hardware devices, servers, and other hosts as well as software on them using OpenRMF Professional and ACAS Nessus scans.

OpenRMF Professional helps track hardware, noting patch scans and checklists

Automatically Track all Hardware from Scans and STIG Checklists

As we put in our PPSM article, there are multiple sections of great information in the ACAS scans that DoD and other Federal Agencies and corporations use for tracking patches. Most organizations use the scan results to automate their patch vulnerability management and track critical, high, medium, and low patches on servers and workstations that need to be fixed.

But did you know you also can track your hardware and devices scanned from your ACAS scans as well? Every…

Show differences in vulnerability status across all your similar checklists in your System ATO Package.

Quickly pick a System Package, Checklist Type, and Devices to find differences across your STIG Checklists

Finding Differences in Status and Severity Override

Picture this. You have a network enclave or group of servers and devices to manage. They are a mix of Windows Server 2012, 2016, and 2019 as well as Red Hat Linux 7.8, 7.9 and 8.x servers. And you have web servers, database servers, application servers, a couple of Active Directory servers, storage appliances, routers, switches, and firewalls.

And you have to keep up with device patching, ACAS scanning and SCAP scanning to make sure they are secure as far as vulnerabilities go. …

Automate the tracking and management of ports, protocols and services for your network with ACAS scans and OpenRMF Professional.

PPSM Listing automated through ACAS scans and OpenRMF Professional

Automatically Track PPSM through your Scan Results

For US DoD, US Federal and corporate networks your ACAS scans are a wealth of knowledge. Most organizations use them to automate their patch vulnerability management and track critical, high, medium, and low patches on servers and workstations that need to be fixed.

But did you know there is other very valuable information in these scans? The ports, protocols, and services (i.e. PPSM, where the “M” is management) that are running are captured for each server scanned. And this information is contained…

Track changes in STIG Checklists, Patch Vulnerabilities, POA&M updates, Open Items and more with a single web-based application. OpenRMF is here to simplify your life!

OpenRMF Professional dashboard for all System ATO Packages across your RMF workload.

Automatically Track Changes of STIG Checklist

Being able to show changes in vulnerabilities over time for their status, override, comments, and details has been a very big pain up until now. Keeping multiple copies of CKL files, putting files into a code repository like GitHub or GitLab, or even keeping checklists in folders that are named for dates of the year (i.e. 2021–02–15) have been going on for well over a decade. …

The chaos of numerous STIG Checklist files, SCAP scans, Patch Scans, and POA&Ms stretched across files, spreadsheets and shared folders is gone! If you track more than one System Package or ATO for your group, you need to use OpenRMF Professional.

Chaos Incarnate — normal look of an RMF tracking package. This needs OpenRMF Professional!

The Current Situation is a Mess

If you do any kind of work around cyber security or information assurance in the US DoD or Federal Agency space you probably recognize the picture above. The DISA STIGViewer application and a bunch of MS Excel spreadsheets for your POA&M and Test Plan Summary. Tracking open items in your applications and devices/hosts separately and manually. …

Use OpenRMF Professional to upload your patch scans, run reports, and track updates to STIG Checklists to make your ConMon reporting efforts a breeze! Automate the non-value-added work and spend time patching and securing your systems and infrastructure.

OpenRMF Professional Continuous Monitoring tracks patch vulnerabilities scans over time.

Track Patch Vulnerabilities for your System Package

Continuous Monitoring is the “last step” in the RMF process that we use for U.S. DoD, Federal Systems as well as corporate networks and infrastructure. Of course this “last step” does not really end. It involves making sure your software platforms and main servers, hosts, and devices all have the latest fixes and patches for operating systems. …

DISA went ahead and finally made new STIG checklists and SCAP scan benchmarks with new Group IDs and Rule IDs. And you have to upgrade the older checklists as newer ones come out, of course. BUT the newer checklist Vulnerability IDs and Rule IDs don’t match up one-for-one with the old checklists! How do you update them to the new checklist version correctly then? WTF!?!? Enter OpenRMF

What is OpenRMF, and why is it FREE!?

OpenRMF is Open Source Software (OSS) that lets you collaborate on, manage, report, and track your checklists, patch scans, and open items for your Risk Management Framework (RMF) process. It does not do the…

Dale Bingham

CTO of Cingulara. Software Geek by trade. Father of three daughters. Husband. Lover of newer tech where it fits. Follow at @cingulara
