Information about programs and tools that support the continuous assessment and mitigation of potential security and privacy risks to CMS information and systems
Cyber risk management and reporting at CMS is how we help ISSOs, Business Owners, and other stakeholders identify and mitigate security and privacy risks to FISMA systems. Our approach to risk management is part of a multi-year effort to modernize CMS’ overall approach to information system security. Instead of being focused solely on “compliance”, we are moving toward a proactive focus on continuous evaluation, identification, and management of risk.
Risk management and reporting activities include the use of targeted system assessments, real-time reporting tools, and the translation of policy requirements into concrete metrics that allow CMS components to gauge the overall security posture of their systems. Cyber risk management is a nonstop process that changes over time. The resources provided on this page will help stakeholders make smart, data-based decisions throughout the system security life cycle.
The CMS Cyber Risk Management Plan (CRMP) lays the foundation for modernizing our approach to identifying and mitigating security and privacy risks to CMS FISMA systems.