Managing Your Compliance Statements
Compliance Statements allow you to specify a required Control Correlation Id (CCI), matched to its control or subcontrol, and set its status based on a written statement. You can do this instead of a checklist vulnerability status or in combination with it.
List Current Statements
To list the current Compliance Statements, click Compliance –> Compliance Statements from the system package dashboard, or click the Compliance Statements button from anywhere within the Compliance area for your system package. A listing like the one below will appear for any statement you have added or uploaded.
You can filter the listing of Compliance Statements by clicking the Filter button and turning options on and off. The listing will refresh to show just those selected. Note that this filter is also used for the Export feature, so you can export just the types of Compliance Statements you wish to report on or import into other system packages (see below).
If your statement entry contains any evidence files attached, a paperclip icon will show in the statement row listing to notify you there is evidence attached to that compliance statement record.
Add Compliance Statements
To add a Compliance Statement, click the Add button. This listing will show ALL control/subcontrol/CCI combinations required based on your RMF or FedRAMP level specified, tailoring, as well as overlays. For each one, you can specify a statement (or edit one if it is already saved) as well as the status. Click the Save button to save your information.
Note: If you add, update or delete any Compliance Statement you need to Generate a new compliance to view or save for use.
Manually Edit or Delete Compliance Statements
From the main Compliance Statements listing, you can click the ... menu on the far right if you are a System Owner of the package. From that menu, choose Edit to edit and save the compliance statement and status, or click Delete to remove it altogether.
Note: If you add, update or delete any Compliance Statement you need to Generate a new compliance to view or save for use.
When you edit a compliance statement you can set the status and the statement text. As you edit or bulk edit, the history records save the older versions of the statements so you can list and review them.
Bulk Edit Compliance Statements
You can click the checkbox next to the compliance statements to bulk edit the statements selected. Select Bulk Edit from the bulk menu and then you can set the status as well as the statement.
Bulk Lock and Unlock Compliance Statements
You can click the checkbox next to the compliance statements to bulk lock or bulk unlock the statements selected. Once statements are locked, you must unlock them before you can edit or bulk edit them. This keeps the statements from being modified by an edit, a delete, or an upload of information.
Bulk Delete Compliance Statements
You can click the checkbox next to the compliance statements to bulk delete the statements selected. Note that you cannot delete locked statements. At the same time, you also have the option to delete any POAM items that were created for the Open or Not Reviewed statements being deleted.
Compliance Statement History
For any compliance statements that have been edited or bulk edited, choose the ... menu to the far right of the statement, then choose the View History option. You will see each older edit of the statement, the date it was changed, who changed it, and what it was changed to.
Download Compliance Statements
There are two options to download your Compliance Statements: XLSX or XML.
Choosing XLSX will download to a Microsoft Excel file all statements shown on the screen based on your filter. You can do with that XLSX file whatever you need.
Choosing the XML option will download an XML file of your Compliance Statements based on the current filter. This XML file is a saved listing in the correct format to share with other System Packages or OpenRMF® Professional installations, so known-good compliance statements can be reused. You can download and import multiple XML files if you wish to save different sets of statements and reuse them over and over.
Upload Saved Compliance Statements
To upload a saved XML file of compliance statements (see above section), click the Upload button if you are a System Owner of that system package. Find your XML file saved from OpenRMF® Professional and load it using the Upload File button.
Alternatively, you can also upload a list of compliance statements with the proper columns and status to add or bulk edit (matched on CCI) statements for your system package. If you are a System Owner for the package, you can click the button and select a proper CSV, XLSX, or JSON file. Sample data is linked and listed below. This allows quick loading of compliance statements for use at your system package level.
Download a Sample XLSX as a starting point for uploading a spreadsheet or CSV file.
When you import an XML of statements into a system package, a few things take place automatically:
- any new compliance statements based on Control/Subcontrol and CCI are added from what is in the XML file
- any existing compliance statements based on Control/Subcontrol and CCI are updated from what is in the XML file
- any Open or Not Reviewed statements are added / updated to the POAM if the POAM is live
- any Not a Finding or Not Applicable statements are closed in the POAM if the POAM is live and there are currently entries for the statements
Note: If you add, update or delete any Compliance Statement you need to Generate a new compliance to view or save for use.
The JSON for the file upload, or for a JSON POST with the data in the body when using the external API, is shown below.
The available status values are borrowed from the default DISA checklist status listing:
- Open
- NotAFinding
- Not_Reviewed
- Not_Applicable
[
  {
    "family": "AC",
    "number": 1,
    "enhancement": 0,
    "cci": "CCI-000001",
    "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
    "status": "NotAFinding"
  },
  {
    "family": "AC",
    "number": 1,
    "enhancement": 0,
    "cci": "CCI-000002",
    "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
    "status": "NotAFinding"
  },
  {
    "family": "AC",
    "number": 1,
    "enhancement": 0,
    "cci": "CCI-000003",
    "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
    "status": "Not_Reviewed"
  },
  {
    "family": "AC",
    "number": 1,
    "enhancement": 0,
    "cci": "CCI-000004",
    "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
    "status": "NotAFinding"
  },
  {
    "family": "AC",
    "number": 1,
    "enhancement": 0,
    "cci": "CCI-000005",
    "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
    "status": "NotAFinding"
  },
  {
    "family": "AU",
    "number": 10,
    "enhancement": 0,
    "cci": "CCI-001899",
    "statement": "",
    "status": "Not_Reviewed"
  },
  {
    "family": "AU",
    "number": 11,
    "enhancement": 0,
    "cci": "CCI-000167",
    "statement": "",
    "status": "Not_Applicable"
  },
  {
    "family": "AU",
    "number": 11,
    "enhancement": 0,
    "cci": "CCI-000168",
    "statement": "",
    "status": "Open"
  }
]
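The following Python is an added example, not OpenRMF® Professional code: it checks a parsed JSON upload against the field names and status values shown above, then previews what the import rules in the "When you import" section would do to an existing set of statements and a live POAM. The validation rules, the `key()` matching function, the assumption that the live POAM currently holds exactly the existing Open and Not Reviewed statements, and the sample records are all assumptions made for this illustration.

```python
import re

STATUSES = {"Open", "NotAFinding", "Not_Reviewed", "Not_Applicable"}
CCI_RE = re.compile(r"^CCI-\d{6}$")  # CCI-000001 style, as in the sample
ON_POAM = ("Open", "Not_Reviewed")   # statuses that belong on the POAM

def validate(records):
    """Return a list of problems; an empty list means the upload is well-formed."""
    problems = []
    for i, r in enumerate(records):
        if not isinstance(r.get("number"), int) or r["number"] < 1:
            problems.append(f"record {i}: number must be a positive integer")
        if not isinstance(r.get("enhancement"), int) or r["enhancement"] < 0:
            problems.append(f"record {i}: enhancement must be 0 or higher")
        if not CCI_RE.match(str(r.get("cci", ""))):
            problems.append(f"record {i}: cci must look like CCI-000001")
        if r.get("status") not in STATUSES:
            problems.append(f"record {i}: status {r.get('status')!r} is not allowed")
    return problems

def key(r):
    return (r["family"], r["number"], r["enhancement"], r["cci"])  # control/subcontrol/CCI

def preview_import(existing, incoming, poam_live=True):
    """Apply the page's import rules and return (merged statements, actions).
    Assumption: the live POAM holds exactly the existing Open/Not_Reviewed ones."""
    merged = {key(r): dict(r) for r in existing}
    poam = {k for k, r in merged.items() if r["status"] in ON_POAM}
    actions = []
    for r in incoming:
        k = key(r)
        actions.append(("update" if k in merged else "add", r["cci"]))
        merged[k] = dict(r)
        if not poam_live:
            continue
        if r["status"] in ON_POAM:            # Open / Not Reviewed -> POAM
            actions.append(("poam-update" if k in poam else "poam-add", r["cci"]))
            poam.add(k)
        elif k in poam:                       # NotAFinding / Not_Applicable closes it
            actions.append(("poam-close", r["cci"]))
            poam.discard(k)
    return list(merged.values()), actions

# Constructed sample data, not taken from a real system package.
EXISTING = [{"family": "AC", "number": 1, "enhancement": 0, "cci": "CCI-000001",
             "statement": "Policy drafted.", "status": "Open"}]
UPLOAD = [{"family": "AC", "number": 1, "enhancement": 0, "cci": "CCI-000001",
           "statement": "Policy approved.", "status": "NotAFinding"},
          {"family": "AU", "number": 10, "enhancement": 0, "cci": "CCI-001899",
           "statement": "", "status": "Not_Reviewed"}]
```

Running `validate` before an upload catches a status string that is not one of the four listed values, which the page's importer would otherwise have to reject or misclassify.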
POAM Status
When you generate a new POAM, any compliance statement saved with Open or Not Reviewed status is added, with a link back to the control/subcontrol/CCI combination in the statement listing. You can click the … menu on the POAM entry for a compliance statement to open the statement page, filtered down to the specific statement in the POAM.
Just like checklist vulnerabilities and patch vulnerabilities, if a POAM is live, any change of status to Open or Not Reviewed causes that compliance statement to be added to or updated in the POAM. And if a statement that is on the POAM is set to Not a Finding or Not Applicable, its POAM entry is closed automatically as well. The history of the POAM entry is always saved, as usual.