
Managing Your Compliance Statements

Compliance Statements let you specify a required Control Correlation Identifier (CCI), matched to its control or subcontrol, and set its status based on a written statement. You can use this instead of a checklist vulnerability status or in combination with it.

List Current Statements

To list the current Compliance Statements, click Compliance –> Compliance Statements from the system package dashboard, or click the Compliance Statements button from anywhere within the Compliance area for your system package. A listing like the one below appears for any statements you have added or uploaded.

System Package Compliance Statements

You can filter the listing of Compliance Statements by clicking the Filter button and turning options on and off. The listing refreshes to show just those selected. Note that the Export feature applies this same filter, so you can export just the types of Compliance Statements you wish to report on or import into other system packages (see below).

Filter System Package Compliance Statements

If a statement entry has any evidence files attached, a paperclip icon appears in that statement's row in the listing to show there is evidence attached to the compliance statement record.

Add Compliance Statements

To add a Compliance Statement, click the Add button. This listing shows ALL control/subcontrol/CCI combinations required based on the RMF or FedRAMP level you specified, your tailoring, and any overlays. For each one you can enter a statement (or edit one that is already saved) and set its status. Click the Save button to save your information.

Note: If you add, update or delete any Compliance Statement, you need to generate a new compliance before the change is reflected in what you view or save for use.

Add System Package Compliance Statements

Edit or Delete Compliance Statements

From the main Compliance Statements listing, if you are a System Owner of the package you can click the … menu on the far right. From that menu, choose Edit to change and save the compliance statement and its status, or Delete to remove it altogether.

Note: If you add, update or delete any Compliance Statement, you need to generate a new compliance before the change is reflected in what you view or save for use.

Export Compliance Statements

There are two options for exporting your Compliance Statements: XLSX or XML.

Choosing XLSX exports all statements shown on the screen, based on your filter, to a Microsoft Excel file that you can use however you need.

Choosing XML exports an XML file of your Compliance Statements, again based on the filter. This XML file is a saved listing in the correct format to share with other system packages or OpenRMF® Professional installations so that known good compliance statements can be reused. You can export and import multiple XML files if you wish to keep different sets of statements and reuse them.

Export System Package Compliance Statements

Upload Saved Compliance Statements

To upload a saved XML file of compliance statements (see the section above), click the Upload button if you are a System Owner of that system package. Find your XML file saved from OpenRMF® Professional and load it using the Upload File button.

Alternatively, you can upload a list of compliance statements with the proper columns and status values to add or bulk edit statements (matched on CCI) for your system package. If you are a System Owner for the package, click the Upload button and select a proper CSV, XLSX, or JSON file. Sample data is linked and listed below. This allows quick loading of compliance statements at the system package level.

Download a Sample XLSX as a starting point for uploading a spreadsheet or CSV file.

When you import an XML of statements into a system package, a few things happen automatically:

  • any compliance statements in the XML file whose Control/Subcontrol and CCI combination does not yet exist in the package are added
  • any compliance statements whose Control/Subcontrol and CCI combination already exists are updated from what is in the XML file
  • any Open or Not Reviewed statements are added to or updated in the POAM if the POAM is live
  • any Not a Finding or Not Applicable statements are closed in the POAM if the POAM is live and entries currently exist for those statements

Upload System Package Compliance Statements XML

Note: If you add, update or delete any Compliance Statement, you need to generate a new compliance before the change is reflected in what you view or save for use.

The JSON format for the file upload, or for a JSON POST with the data in the request body to the external API, is shown below.

The available status values, borrowed from the default DISA checklist status listing, are:

  • Open
  • NotAFinding
  • Not_Reviewed
  • Not_Applicable

Use these exact spellings in the status field: the names Not a Finding, Not Reviewed and Not Applicable used in the text above correspond to NotAFinding, Not_Reviewed and Not_Applicable in the file.

[
    {
        "family": "AC",
        "number": 1,
        "enhancement": 0,
        "cci": "CCI-000001",
        "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
        "status": "NotAFinding"
    },
    {
        "family": "AC",
        "number": 1,
        "enhancement": 0,
        "cci": "CCI-000002",
        "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
        "status": "NotAFinding"
    },
    {
        "family": "AC",
        "number": 1,
        "enhancement": 0,
        "cci": "CCI-000003",
        "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
        "status": "Not_Reviewed"
    },
    {
        "family": "AC",
        "number": 1,
        "enhancement": 0,
        "cci": "CCI-000004",
        "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
        "status": "NotAFinding"
    },
    {
        "family": "AC",
        "number": 1,
        "enhancement": 0,
        "cci": "CCI-000005",
        "statement": "The access control policy document addresses all purpose, scope, roles, responsibilities, and includes procedures, processes and update frequency information to validate and keep this up-to-date.",
        "status": "NotAFinding"
    },
    {
        "family": "AU",
        "number": 10,
        "enhancement": 0,
        "cci": "CCI-001899",
        "statement": "",
        "status": "Not_Reviewed"
    },
    {
        "family": "AU",
        "number": 11,
        "enhancement": 0,
        "cci": "CCI-000167",
        "statement": "",
        "status": "Not_Applicable"
    },
    {
        "family": "AU",
        "number": 11,
        "enhancement": 0,
        "cci": "CCI-000168",
        "statement": "",
        "status": "Open"
    }
]
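A pre-upload check for a JSON statement file, added here as an example; it is not OpenRMF® Professional code. It assumes only what the sample above shows: the six field names, the four status spellings, the CCI-nnnnnn identifier form, and that the importer matches records on the Control/Subcontrol/CCI combination. Running it before uploading catches the common mistakes (a prose-style status such as "Not a Finding", a malformed CCI, or two rows for the same combination) that would otherwise be rejected or silently merged during the bulk edit.

```python
import json
import re

# Status values exactly as the upload format spells them (the page's list).
# The prose names "Not a Finding" / "Not Reviewed" / "Not Applicable" are not
# accepted spellings in the status field.
VALID_STATUSES = {"Open", "NotAFinding", "Not_Reviewed", "Not_Applicable"}
# Field names taken from the sample JSON on this page.
REQUIRED_KEYS = {"family", "number", "enhancement", "cci", "statement", "status"}
CCI_RE = re.compile(r"^CCI-\d{6}$")      # e.g. CCI-000001
FAMILY_RE = re.compile(r"^[A-Z]{2}$")    # NIST SP 800-53 family code, e.g. AC, AU


def _is_int(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_statements(records):
    """Return a list of problems found in a parsed statement list.

    An empty list means every record has the expected keys, a well-formed CCI,
    a recognised status, and a unique Control/Subcontrol/CCI combination.
    """
    problems = []
    if not isinstance(records, list):
        return ["top level must be a JSON array of statement objects"]
    seen = {}  # (family, number, enhancement, cci) -> index of first occurrence
    for i, rec in enumerate(records):
        where = f"record {i}"
        if not isinstance(rec, dict):
            problems.append(f"{where}: not a JSON object")
            continue
        missing = REQUIRED_KEYS - rec.keys()
        if missing:
            problems.append(f"{where}: missing keys {sorted(missing)}")
        extra = rec.keys() - REQUIRED_KEYS
        if extra:
            problems.append(f"{where}: unexpected keys {sorted(extra)}")
        fam = rec.get("family")
        if not isinstance(fam, str) or not FAMILY_RE.match(fam):
            problems.append(f"{where}: family must be a two-letter family code, got {fam!r}")
        number = rec.get("number")
        if not _is_int(number) or number < 1:
            problems.append(f"{where}: number must be a positive integer, got {number!r}")
        enh = rec.get("enhancement")
        if not _is_int(enh) or enh < 0:
            problems.append(f"{where}: enhancement must be 0 (base control) or a positive integer, got {enh!r}")
        cci = rec.get("cci")
        if not isinstance(cci, str) or not CCI_RE.match(cci):
            problems.append(f"{where}: cci must look like CCI-000001, got {cci!r}")
        status = rec.get("status")
        if status not in VALID_STATUSES:
            problems.append(f"{where}: status {status!r} is not one of {sorted(VALID_STATUSES)}")
        if not isinstance(rec.get("statement"), str):
            problems.append(f"{where}: statement must be a string (an empty string is allowed)")
        key = (fam, number, enh, cci)
        if key in seen:
            problems.append(f"{where}: duplicates record {seen[key]} for key {key}")
        else:
            seen[key] = i
    return problems


def validate_file(path):
    """Load a JSON upload file from disk and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_statements(json.load(fh))


# Constructed sample input (not from the page): one clean record and three
# records that each show a mistake worth catching before upload.
SAMPLE_UPLOAD = [
    {"family": "AC", "number": 1, "enhancement": 0, "cci": "CCI-000001",
     "statement": "Access control policy reviewed and current.", "status": "NotAFinding"},
    {"family": "AC", "number": 1, "enhancement": 0, "cci": "CCI-000002",
     "statement": "", "status": "Not a Finding"},      # prose spelling, not the upload spelling
    {"family": "AU", "number": 11, "enhancement": 0, "cci": "CCI-168",
     "statement": "", "status": "Open"},               # malformed CCI
    {"family": "AC", "number": 1, "enhancement": 0, "cci": "CCI-000001",
     "statement": "Second copy.", "status": "Open"},   # same key as record 0
]

if __name__ == "__main__":
    for problem in validate_statements(SAMPLE_UPLOAD):
        print(problem)
```

Point validate_file at a file you are about to upload; an empty result means the structure matches the sample, not that the statements themselves are accurate, which remains the System Owner's job.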

POAM Status

When you generate a new POAM, any compliance statement saved with Open or Not Reviewed status is added, with a link back to the control/subcontrol/CCI combination in the statement listing. You can click the … menu on the POAM entry for a compliance statement to open the statement page filtered down to that specific statement.

Just like checklist vulnerabilities and patch vulnerabilities, if a POAM is live any change of a statement's status to Open or Not Reviewed causes that compliance statement to be added to or updated in the POAM, and any statement set to Not a Finding or Not Applicable that is on the POAM is closed automatically. The history of the POAM entry is always kept, as usual.
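The import rules above and the live-POAM rules in this section describe one merge procedure. The following is an added example that simulates it so you can predict what an upload will do to a package before running it; it is not OpenRMF® Professional code, and the dictionary-based model of a package's statements and POAM entries (a state plus a history list per entry) is an assumption made for the example, as is treating a re-imported Open status on an already closed POAM entry as an update.

```python
from copy import deepcopy

OPEN_STATUSES = {"Open", "Not_Reviewed"}             # land on / stay on the POAM
CLOSED_STATUSES = {"NotAFinding", "Not_Applicable"}  # close a POAM entry if one exists


def statement_key(rec):
    """The key the page says imports match on: Control/Subcontrol plus CCI."""
    return (rec["family"], rec["number"], rec["enhancement"], rec["cci"])


def import_statements(existing, incoming, poam, poam_live):
    """Apply one import to a package's statements and, if live, its POAM.

    existing: dict key -> statement record, mutated in place
    poam:     dict key -> {"state": "Open"|"Closed", "history": [...]}, mutated in place
    Returns counts you can reconcile against what the UI shows after the upload.
    """
    summary = {"added": 0, "updated": 0, "poam_added": 0, "poam_updated": 0, "poam_closed": 0}
    for rec in incoming:
        key = statement_key(rec)
        summary["updated" if key in existing else "added"] += 1
        existing[key] = dict(rec)

        if not poam_live:
            continue  # a POAM that is not live is untouched until it is generated again
        status = rec["status"]
        if status in OPEN_STATUSES:
            if key in poam:
                poam[key]["state"] = "Open"
                poam[key]["history"].append(f"updated from import: {status}")
                summary["poam_updated"] += 1
            else:
                poam[key] = {"state": "Open", "history": [f"added from import: {status}"]}
                summary["poam_added"] += 1
        elif status in CLOSED_STATUSES and key in poam and poam[key]["state"] != "Closed":
            # Closing keeps the entry and appends to its history rather than deleting it.
            poam[key]["state"] = "Closed"
            poam[key]["history"].append(f"closed from import: {status}")
            summary["poam_closed"] += 1
    return summary


def _rec(family, number, cci, status, statement=""):
    return {"family": family, "number": number, "enhancement": 0,
            "cci": cci, "statement": statement, "status": status}


# Constructed scenario (not from the page): a package with three statements,
# two of which are already on a live POAM, receiving a four-record import.
EXISTING = {
    ("AC", 1, 0, "CCI-000001"): _rec("AC", 1, "CCI-000001", "NotAFinding", "Policy current."),
    ("AU", 11, 0, "CCI-000167"): _rec("AU", 11, "CCI-000167", "Open"),
    ("AU", 11, 0, "CCI-000168"): _rec("AU", 11, "CCI-000168", "Not_Reviewed"),
}
POAM = {
    ("AU", 11, 0, "CCI-000167"): {"state": "Open", "history": ["added at POAM generation"]},
    ("AU", 11, 0, "CCI-000168"): {"state": "Open", "history": ["added at POAM generation"]},
}
INCOMING = [
    _rec("AC", 1, "CCI-000001", "NotAFinding", "Policy current."),  # exists, not on POAM: update only
    _rec("AC", 1, "CCI-000002", "Open"),            # new: added, and added to the live POAM
    _rec("AU", 11, "CCI-000167", "Not_Applicable"), # exists, on POAM: update and close the POAM entry
    _rec("AU", 11, "CCI-000168", "Open"),           # exists, on POAM: update and refresh the POAM entry
]


def run_live():
    existing, poam = deepcopy(EXISTING), deepcopy(POAM)
    return import_statements(existing, INCOMING, poam, poam_live=True), poam


def run_not_live():
    existing, poam = deepcopy(EXISTING), deepcopy(POAM)
    return import_statements(existing, INCOMING, poam, poam_live=False), poam


if __name__ == "__main__":
    summary, poam = run_live()
    print(summary)
    for key, entry in sorted(poam.items()):
        print(key, entry["state"], entry["history"])
```

With the POAM live, the scenario yields one added and three updated statements, one new POAM entry, one refreshed entry and one closed entry; with the POAM not live, the statements change but the POAM does not, which is why the page tells you to generate a new compliance and POAM after editing statements.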

Compliance Statements in Your POAM


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!SM