Relating CCIs and Controls to a Framework
As stated earlier, a Cyber Compliance Framework is a structured set of guidelines, standards, and best practices that organizations use to manage cyber risks, protect sensitive data, and meet regulatory obligations. It provides a roadmap for organizations to identify, assess, and mitigate threats by implementing security policies, controls, and procedures, thereby strengthening their overall security posture and fostering trust with stakeholders.
This list of controls and Control Correlation Identifiers (CCIs) can be grouped together and mapped to the framework as-is (e.g. CSF or CJIS). It can also be grouped into levels, like RMF with its Confidentiality / Integrity / Availability specifics or CMMC with its Level 1 and Level 2 designations. In either case the listing holds one or more controls, each mapped to one or more CCIs that break the control down into its individual requirements, and those control/CCI combinations grouped together form the framework or framework level.
You use these frameworks in system packages to track configurations, vulnerabilities, statements, common controls, inherited information and evidence to show how well you comply with these frameworks and their requirements. You also use them when running several reports, including listing controls and CCIs and comparing frameworks by controls, CCIs, and requirements.
To sum it up, you need to relate the controls and CCIs in a framework / framework level to use it for generating and tracking compliance in OpenRMF® Professional.
Default Framework Control CCI Combination
There are 5 default frameworks included in this solution. The Risk Management Framework (RMF) based on NIST 800-53 controls for revision 4 and revision 5 is automatically included in OpenRMF® Professional, as is the Federal Risk and Authorization Management Program (FedRAMP) based on the same NIST 800-53 controls for revision 4 and revision 5. Also included is the State Risk and Authorization Management Program (StateRAMP / GovRAMP) framework, which is based on the same NIST 800-53 controls for revision 4.
Default frameworks cannot be edited or deleted, and neither can their controls or control/CCI combinations. A default framework can, however, be edited and disabled so that people cannot use it to create new system packages or run comparison reports.
Adding Framework Control CCI Combination
To add a framework / control / CCI combination you first go to that framework page. If it has any framework levels, click the button to load the proper framework level to add this combination to. Then click the Add Control/CCIs button.
Choose your control from the dropdown, which lists every control loaded within your installation. Then choose one or more CCIs from the listing, which likewise shows every CCI loaded within your installation. When done, click the Save button.
The best way to add a large number of control / CCI combinations is to upload them via a file. You can do this via the Upload menu in the Frameworks area. Make sure you choose the proper file to upload. You can download a Sample Framework Control CCI Combination XLSX as a starting point for uploading a spreadsheet or CSV file. You can also use the data for this in our public GitHub repo, linked from the Soteria Software website.
The main columns are Framework Acronym, Framework Version, Framework Level Category, Framework Level Value, Control Display, and CCIs (comma separated).
You can upload the Framework Control CCI data via JSON but you must have all fields filled in based on the design. It is much easier to have an XLSX or CSV to upload the initial listing. Then edit as required.
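The following is an added example, not code from OpenRMF® Professional or its documentation: it parses a constructed CSV in the column layout described above, merges rows that repeat the same control within one framework and level, and flags rows that carry no CCIs before you upload the file. The framework, control and CCI values in the sample are made up for illustration.

```python
import csv
import io
from collections import defaultdict

# Column headers as named in the upload format on this page.
REQUIRED_COLUMNS = [
    "Framework Acronym", "Framework Version", "Framework Level Category",
    "Framework Level Value", "Control Display", "CCIs",
]

# Constructed sample rows (assumed values, not a real export). The last row
# deliberately has no CCIs so the validation path is exercised.
SAMPLE_CSV = """\
Framework Acronym,Framework Version,Framework Level Category,Framework Level Value,Control Display,CCIs
RMF,5,Confidentiality,Moderate,AC-2,"CCI-000015, CCI-000016"
RMF,5,Confidentiality,Moderate,AC-2,CCI-000017
RMF,5,Integrity,High,AU-2,CCI-000123
CMMC,2.0,Level,1,AC-2,
"""


def parse_combinations(text):
    """Parse the CSV upload layout into
    {(acronym, version, level_category, level_value): {control: set(CCIs)}}.
    Rows naming the same control under the same framework/level are merged,
    so the control ends up with the union of its CCIs. Level columns may be
    blank for frameworks without levels. Returns (combinations, errors)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return {}, [f"missing columns: {', '.join(missing)}"]
    combos = defaultdict(lambda: defaultdict(set))
    errors = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        key = tuple((row[c] or "").strip() for c in REQUIRED_COLUMNS[:4])
        control = (row["Control Display"] or "").strip()
        ccis = {c.strip() for c in (row["CCIs"] or "").split(",") if c.strip()}
        if not key[0] or not key[1] or not control:
            errors.append(f"line {lineno}: acronym, version and control are required")
            continue
        if not ccis:  # a control/CCI combination needs at least one CCI
            errors.append(f"line {lineno}: control {control} has no CCIs")
            continue
        combos[key][control] |= ccis
    return {k: dict(v) for k, v in combos.items()}, errors
```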
Editing a Framework Control CCI Combination
To edit a framework/control/CCI combination, load the listing of controls and CCIs using the framework level (if any). Then click the ... menu on the right of the row containing the combination and click the Edit option. A window loads with your control and all CCIs associated with the control for this framework and framework level (if any). You can add or remove CCIs for this control to update it for this framework and/or level. Click Save when done.
Deleting a Framework Control CCI Combination
To delete a framework/control/CCI combination, load the listing of controls and CCIs using the framework level (if any). Then click the ... menu on the right of the row containing the combination and click the Delete option. A window appears warning you that this deletes the combination only for this framework and framework level (if there is a level).
This is a hard delete and cannot be undone. You can always re-create or re-upload the files that generated the non-default framework/control/CCI combination, though.