
OpenRMF® Professional Compliance Overlays

The Overlays area allows Administrators to create and edit compliance overlays. When an overlay is added to a system package, it updates the SSP Control to Vulnerability Matrix as well as the output of the Compliance Engine when generating the compliance listings. Overlays are combined with the regular RMF confidentiality, integrity, and availability levels, or the equivalent FedRAMP or StateRAMP™ levels, to generate compliance. Alternatively, if you are tailoring your controls, overlays are combined with the tailored list of controls for the same purpose.

OpenRMF Professional Overlays

Creating and Editing Compliance Overlays

To create a new overlay, click the Create Overlay button. Enter a title and a description, then use the arrow buttons to move controls from Available Controls to Current Controls in the overlay. Nothing is filtered out of Available Controls: it is a listing of all the NIST 800-53 controls.

Add an OpenRMF Professional Overlay

NOTE: Once a compliance overlay is created it can be marked active or inactive, but it cannot be removed, in case others are referencing it. Only active compliance overlays affect compliance generation and SSP generation in a system package.
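The combination described above (selected baseline or tailored controls, plus only the active overlays, feeding the Control to Vulnerability Matrix) as a small added model in Python. This is illustrative code written for this page, not OpenRMF Professional's own implementation; the control IDs, overlay contents and finding IDs are constructed sample data, and the Overlay class, deactivate, effective_controls and control_vuln_matrix names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Overlay:
    """A compliance overlay: a titled set of NIST 800-53 control IDs (hypothetical model)."""
    title: str
    controls: frozenset
    active: bool = True


def deactivate(overlays, title):
    """Overlays are never deleted, only marked inactive, so existing references survive."""
    return [Overlay(o.title, o.controls, active=False) if o.title == title else o
            for o in overlays]


def effective_controls(selected, overlays):
    """Controls the compliance listing is generated against: the package's selected
    controls (C/I/A baseline or tailored list) plus the controls of every *active* overlay."""
    result = set(selected)
    for ov in overlays:
        if ov.active:
            result |= ov.controls
    return result


def control_vuln_matrix(controls, findings):
    """Control to Vulnerability rows: each effective control mapped to the finding IDs
    that cite it. findings = {finding_id: set_of_control_ids}."""
    return {c: sorted(f for f, cited in findings.items() if c in cited)
            for c in sorted(controls)}


# Constructed sample data (not a real baseline, real overlay contents or real scan output)
SELECTED = {"AC-2", "AC-3", "AU-2", "IA-2", "SC-7"}
OVERLAYS = [
    Overlay("DoD Privacy and PII", frozenset({"AC-3", "AR-1", "DM-1"})),
    Overlay("Site Hardening", frozenset({"CM-6", "SI-2"})),
]
FINDINGS = {
    "V-0001": {"AC-2", "IA-2"},
    "V-0002": {"DM-1"},
    "V-0003": {"CM-6"},
}

if __name__ == "__main__":
    # Marking "Site Hardening" inactive drops CM-6 and SI-2 (and finding V-0003) from the matrix
    overlays = deactivate(OVERLAYS, "Site Hardening")
    ctrls = effective_controls(SELECTED, overlays)
    for control, vulns in control_vuln_matrix(ctrls, FINDINGS).items():
        print(f"{control:6} {', '.join(vulns) or '-'}")
```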

Included Default Overlays

Five overlays are created by default at the Administrator level. They can be used within any system package and are included by default in the available listing. They cannot be removed. Once added to a system package, an overlay can be edited or altered there as required by that system package.

  • CNSSI - The Committee on National Security Systems (CNSS) Instruction No. 1253, Security Categorization and Control Selection for National Security Systems, provides all Federal Government departments, agencies, bureaus, and offices with guidance on the first two steps of the Risk Management Framework (RMF), Categorize and Select, for national security systems (NSS).
  • DoD Privacy and PII - Privacy and Personally Identifiable Information (PII) controls from the NIST 800-53 rev 4 controls listing.
  • Classified Systems - Security Controls that must be applied to the baseline for all classified systems.
  • Electronic Physical Access Control Systems (ePACS) - Security Controls for ePACS, which use a combination of IT components and physical security elements (e.g., card readers, doors/locks) to enable access to real-world resources such as secured facilities or controlled areas within facilities.
  • JSIG Special Access Programs - Security Controls called out in the JSIG that specifically apply to Special Access Programs.

Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!℠