Nerd For Tech
Published in

Nerd For Tech

Automate your POA&M for RMF and FedRAMP with OpenRMF Professional

Automatically create, track, link, update and manage your POA&M entries for STIG Checklist vulnerabilities and OS Patch vulnerabilities with OpenRMF Professional!

OpenRMF Professional by Soteria Software
OpenRMF Professional — Cyber Compliance Automation

Keeping your POA&M up to date is a full time job

If you or your team member has ever had to keep the plan of action and milestones (POA&M) up to date on a project that is going through accreditation for Risk Management Framework (RMF) or FedRAMP you know the pain and strife this causes! Even with the older DITSCAP and DIACAP processes you had to have a POA&M tracking open item vulnerabilities. You listed the actual issue or vulnerability, when you were fixing them (if not just accepting the risk), why it was a problem, any mitigations, the severity and where it came from. And you did it (or still do it) manually.

For even a small team this is a lot of work. For a larger system implementation with a lot of servers, devices, software applications, operating systems, databases, and other network connections this was a project manager’s or project analyst’s bane of existence! Just working to have the most recent scan data, checklist status, tracking down people to get answers and matching up the particular POA&M item ID number to the proper checklist or scan was tedious at best!

Automatically Create and Track your POA&M Items

What we need for this situation is automation — enter OpenRMF Professional! This application takes in the checklists (SCAP scan results and/or checklist CKL files) and patch scans (Nessus files) and manages all that data in one spot. It tracks the most recent information, versions older data on each update, tracks the number of open checklist and patch vulnerabilities by status and type and gives you all that data at your fingertips.

And it does this in a web-based application that is role based with group permissions down to the system package level. With this data, OpenRMF Professional also generates a live POA&M that is linked back to the checklist entry or patch vulnerability that caused that POA&M item to be created. It is live because it is linked back to the issue that caused it.

OpenRMF Professional POA&M Listing generated

As that checklist vulnerability or patch vulnerability is updated and (hopefully) closed or marked “Not a Finding”, the POA&M automatically updates with that information for the corresponding POA&M entry. And a historical copy of the POA&M record is saved for configuration management and tracking purposes automatically. The history of the automatic transaction causing this also is audited as well. And a detailed reason for the automated update is added to the POA&M record as well.

This automation alleviates a lot of the manual back-and-forth of finding the data causing the POA&M item. It also helps to minimize or alleviate the manual updating of its status based on the latest conversation or meeting or email. And it gives exact traceability as to why the record is there and why it has that current status and information. All in a collaborative environment fully web-based and secure.

Automatically Link your POA&M Vulnerabilities

For the items that are automatically created, there is a … menu that links directly to the checklist or patch scan information. Click on that and a new browser tab opens taking you directly to that specific vulnerability. No more opening multiple files and trying to make sure you track the right version of a checklist or scan, match the numbers up and keep your POA&M items up to date.

Let OpenRMF Professional do that for you. So you can spend your time on the other value-added work for achieving your ATO, IATO, IATT or updated status.

Automatically link your POA&M item to the checklist or patch that created it
Automatically link to the Checklist or Patch vulnerability that created this POA&M item

Create manual POA&M Items where you need to

If there are POA&M items you must add manually you can do that as well. Just click the “Add” button with the correct role and permissions in that system ATO package and you are good to go.

These items will be manually updated and not link to any automated checklist or patch scan causing its creation of course. However, all these POA&M items give you a complete view into the present status and risk of your items as well as your plan to get them closed or mitigated for your ATO, IATO, IATT or scheduled compliance audit and update. All in one spot.

Automatically Show your Risk Cube

From all this live POA&M data you can run a report and quickly see the number of items lining up in your Risk Cube. You also can see the number of unassigned items that you need to match to the likelihood, impact, severity, and risk associated with that POA&M item entry. This report pulls live data. As your POA&M is updated through automated and manual means, this risk data is also updated.

No more naming MS Excel files with dates and times to make sure you have the latest information. OpenRMF Professional has it for you!

POA&M Risk Cube generated from your live POA&M in OpenRMF Professional
Risk Likelihood and Impact generated from live POA&M

OpenRMF Professional to the Rescue

OpenRMF Professional automates much of the RMF and FedRAMP process, helping decrease the time to an ATO or approval by 40–50%. OpenRMF’s collaborative environment eliminates much of the manual labor and isolated work involved in aligning the NIST controls and sub-controls, checklists, patch scans, POA&Ms, and compliance generation and then manages all information in a secure central database structure. This allows automatic generation and updating of the POA&M, Test Plan Summary, and various other security and RMF or FedRAMP reports.

Having a web-based central repository for all cybersecurity compliance data that has role-based security for each system package, eases the RMF and FedRAMP processes using a single source of truth and eliminates errors, manually intensive individual tracking, and rework. It also provides leadership with direct insight into the status of all system package security and risk information thus eliminating the mystery around implementing the RMF and FedRAMP processes.

Once an ATO or approval level is achieved, OpenRMF provides continuous monitoring and tracking of POA&M items, overall risk of systems and applications, and tracking updated scans and checklists throughout the life of the system package.

Check it out here. Ask for a 30-day no obligation evaluation to try it yourself!



NFT is an Educational Media House. Our mission is to bring the invaluable knowledge and experiences of experts from all over the world to the novice. To know more about us, visit

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dale Bingham

CEO of Soteria Software. Developer on OpenRMF. Software Geek by trade. Father of three daughters. Husband. Love new tech where it fits. Follow at @soteriasoft