
Tailoring Your System Package Controls Listing

When your system package is added you specify the confidentiality, integrity, and availability levels for that system package, which you determined early on in the RMF process, or the appropriate level if you are managing a FedRAMP or StateRAMP™ package. These settings select the NIST control families, major controls, and subcontrols that you must meet for system package compliance. Setting these levels gives you a default listing of controls and subcontrols you need to meet.

However, where applicable you can tailor your controls by adding and removing the controls that match your system package. This is done with the Tailoring page in OpenRMF® Professional. You must be a System Package Owner to use this page and update your settings; otherwise you can view the page but not change it.

Updating Your Controls

To update your controls, use the Tailoring page. It shows all the controls currently in use on the left and all available controls on the right. Use the arrows to add or remove controls from the listing. When done, click the Save button and all major controls on the left will be saved to your system package as the tailored listing.

If you wish to go back to the default framework listing of controls required after setting up Tailoring, click the Reset button at the bottom of that page to remove the tailored control listing.

NOTE: OpenRMF® Professional applies tailoring, overlays, and generates compliance to the subcontrol level. So we use tailoring, overlays, and compliance at a level of AC-4(19) not just at the major control of AC-4. Keep this in mind as you determine your tailoring controls and overlays.

System Package Control Tailoring

What is Impacted by Control Tailoring

The list of controls you add or remove for tailoring affects a few key areas in OpenRMF® Professional, and any overlays you add are combined with your tailored controls for a full view.

First, it determines the controls you will match against when generating system package compliance. As an example, if you have an RMF system package and you specify only the C-I-A levels, you will use the default listing for that framework, version, and levels. If you just pick one of the 4 FedRAMP levels or 3 StateRAMP™ levels, we use the controls designated for that level as well. The same holds for any other framework you create or upload. However, if you tailor the controls, we match against the tailored list of major controls and subcontrols you selected.

Second, it impacts documents like the System Package Security Plan (SSP), the SSP Control to Vulnerability Matrix, and the Security Assessment Report (SAR). These types of documents list every single control and subcontrol for your system package and then match each one to all checklist vulnerabilities across all your checklists. If this sounds like a lot, IT IS! This list can take you several weeks to match up by hand.

Even in OpenRMF® Professional it can take a couple of minutes to generate a MS Excel (*.XLSX) spreadsheet containing all the data. The controls listed in this matrix are either the default listing based on your framework settings and level, or your tailored listing. It can also include any overlays if used.
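The following is an added worked model of the behaviour described in this section and in the NOTE above: the default listing comes from the framework and level, a tailored listing replaces it, overlays are unioned in, and the Control to Vulnerability Matrix matches at the subcontrol level (AC-4(19), not just AC-4). It is illustration code written for this page, not OpenRMF® Professional's own code; the baselines, overlay, and checklist findings are constructed sample data, and the function and variable names are assumptions.

```python
"""Worked model of control tailoring at the subcontrol level.

Added illustration only: the baselines, overlay and checklist findings below
are constructed sample data, not NIST, FedRAMP or OpenRMF Professional content.
"""
import re

# Constructed sample baselines keyed by (framework, level). Real baselines
# have hundreds of entries; these few show the shape.
BASELINES = {
    ("RMF", "Moderate"): {"AC-2", "AC-2(1)", "AC-4", "AC-4(19)", "AU-2", "AU-2(3)"},
    ("FedRAMP", "Low"): {"AC-2", "AC-4", "AU-2"},
}

# Control id syntax: family-number with an optional (enhancement) suffix.
CONTROL_ID = re.compile(r"^([A-Z]{2}-\d+)(\(\d+\))?$")


def major_control(control_id: str) -> str:
    """'AC-4(19)' -> 'AC-4'; a major control maps to itself."""
    m = CONTROL_ID.match(control_id)
    if not m:
        raise ValueError(f"malformed control id: {control_id!r}")
    return m.group(1)


def effective_controls(framework, level, tailored=None, overlays=()):
    """Return the set of control/subcontrol ids the package is assessed against.

    - No tailoring (tailored is None, i.e. after Reset): the framework/level default.
    - Tailoring present: the tailored list replaces the default entirely.
    - Overlays are unioned in on top of either listing.
    """
    if tailored is None:
        controls = set(BASELINES[(framework, level)])
    else:
        controls = set(tailored)
    for overlay in overlays:
        controls |= set(overlay)
    return controls


def control_vuln_matrix(controls, findings):
    """Map each control id in `controls` to the checklist vulnerability ids tagged with it.

    Matching is exact at the subcontrol level: a finding tagged 'AC-4(19)' only
    matches when 'AC-4(19)' itself is in `controls`, not merely 'AC-4'.
    Findings whose control is absent are returned separately so they are not lost.
    """
    matrix = {cid: [] for cid in sorted(controls)}
    unmatched = []
    for vuln_id, control_id in findings:
        major_control(control_id)  # validate the id format before matching
        if control_id in matrix:
            matrix[control_id].append(vuln_id)
        else:
            unmatched.append((vuln_id, control_id))
    return matrix, unmatched


# Constructed checklist findings: (vulnerability id, control id). Not real STIG ids.
SAMPLE_FINDINGS = [
    ("V-100001", "AC-2"),
    ("V-100002", "AC-4(19)"),
    ("V-100003", "AU-2(3)"),
    ("V-100004", "AC-4"),
]

if __name__ == "__main__":
    default = effective_controls("RMF", "Moderate")
    tailored = effective_controls(
        "RMF", "Moderate", tailored={"AC-2", "AC-4"}, overlays=[{"AU-2(3)"}]
    )
    for name, ctrls in (("default", default), ("tailored+overlay", tailored)):
        matrix, unmatched = control_vuln_matrix(ctrls, SAMPLE_FINDINGS)
        print(name, {k: v for k, v in matrix.items() if v}, "unmatched:", unmatched)
```

The tailored run shows the practical consequence of the NOTE: once AC-4(19) is dropped from the tailored listing, the V-100002 finding tagged to it no longer lands in the matrix even though the major control AC-4 is still present, so it surfaces in the unmatched list for review rather than silently disappearing.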


Copyright © 2021 - 2025 Soteria Software LLC.
Do The Work. Automate the Paperwork!SM