CMS Risk Management Framework (RMF): Assess Step

What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps:

What is the Assess Step?

The purpose of the Assess step is to determine if controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and CMS.

System Level Assess Tasks

System level Assess tasks also take into consideration CMS mission/business process concerns. CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, or guidance.

Task A-1: Assessor selection

Select the appropriate assessor or assessment team for the type of control assessment to be conducted. The assessor or assessment team must be competent and independent enough to conduct assessment of management, operational or technical controls.

Potential Inputs:

  • Security, privacy, and Supply Chain Risk Management (SCRM) plans
  • Program management control information
  • Common control documentation
  • Organizational security and privacy program plans
  • SCRM strategy
  • System design documentation
  • Enterprise, security, and privacy architecture information
  • Security, privacy, and SCRM policies and procedures applicable to the system

It is critical to provide every bit of information about the information system and the implemented controls.

Expected Outputs:

  • Selection of competent and independent assessor or assessment team responsible for conducting the control assessment

Discussion:

CMS uses the Cybersecurity and Risk Assessment Program (CSRAP) as the security and risk assessment for its FISMA systems. The CSRAP Assessment Team, a Third-Party Assessment Organization (3PAO), serves as the agency's security assessment team. This satisfies the requirement for system security assessment to be conducted by skilled and independent assessors.

The Team members are assembled during the Planning phase of the assessment. Each Security Assessment Team is made up of assessors who are subject matter experts on security controls assessment to adequately cover all management, operational and technical controls. They possess the required skills and technical expertise to evaluate the technology, devices, databases, interviews, and documentation involved in the assessment.

The CSRAP Assessment Team consists of a Security Assessment Lead, Management and Operations (M&O) Assessor, Application Assessor, and Database (DB) Assessor (unless no DBs are in scope). Others include Operating System (OS) Assessor, Network Assessor, Privacy Assessor, Mainframe Assessor, etc.

The Security Assessment Lead works with the Security and Privacy Officer (previously known as the ISSO) to determine the level of Testing Rigor to achieve with the security assessment. The Security and Privacy Officer provides to the CSRAP Assessment Team a copy of the current System Security and Privacy Plan (SSPP) and any additional information related to the system boundary (e.g. hardware/software listing, High Level Architecture (HLA) Diagrams, Data Flow Diagrams, etc.) that is not contained in the SSPP.

The CSRAP Assessment Team also works with the CSRAP Government Task Lead (GTL), Cyber Risk Advisor (CRA), Business or System Owner, Security Assessment Project Manager, and Technical Editors/Quality Assurance Analyst for a seamless assessment process.

Please see the Security Assessment & Authorization controls page for additional information on the assessment planning phase.

Cybersecurity Framework: N/A

TLC Cycle Phase:

Task A-2: Assessment plan

Develop, review, and approve plans to assess implemented controls. This task underscores the coordination expected from stakeholders, who must agree on and document the planned security controls assessment.

Potential Inputs:

  • Security, privacy, and SCRM plans
  • Program management control information
  • Common control documentation
  • Organizational security and privacy program plans
  • SCRM strategy
  • System design documentation
  • Supply chain information
  • Enterprise, security, and privacy architecture information
  • Security, privacy, and SCRM policies and procedures applicable to the system

Every document which provides a clear description of the information system and the implemented controls to be assessed is required to develop a complete security and privacy assessment plan.

Expected Outputs:

  • Security and privacy assessment plans approved by the Authorizing Official, which for this task usually would be the Business or System Owner.

Discussion:

The Security Assessment Lead develops the Security Assessment Plan (SAP) for a system using the CSRAP Security Assessment Plan Template. All the information required to complete the SAP should be found in the control implementation information from the SSPP, CMS Information System Risk Assessment (ISRA), Privacy Impact Assessment (PIA), and Information System Contingency Plan (ISCP), as well as information gathered during the Preliminary Discussion Meeting. This meeting is between the System Team, which provides all the required information about the system, and the Assessment Team, which comprises the assessors.

The SAP outlines the assessment type, defines the assessment scope, states any assumptions or limitations for the assessment, defines the CSRAP Team’s requirements to adequately assess the system, lists all applicable Points of Contact (POC) for the CSRAP Team, CMS, and System Contractor personnel for the system, and defines the proposed duration for the assessment.

The Security Assessment Lead must submit the SAP for review at the Assessment Plan Review Meeting to confirm and, if necessary, correct the information contained in the SAP.

The Security and Privacy Officer briefs the Business or System Owner as needed and provides comments to the Security Assessment Lead. The Business or System Owner or the System Developer Maintainer approves the SAP. The updated document will serve as the final SAP to be delivered after the Readiness Review Meeting.

Cybersecurity Framework: N/A

TLC Cycle Phase:

Task A-3: Control assessments

Assess the controls in accordance with the assessment procedures described in the approved Security Assessment Plan (SAP).

Potential Inputs:

  • Security and privacy assessment plans
  • Security and privacy plans
  • External assessment or audit results (if applicable)

Expected Outputs:

  • Completed control assessments and associated assessment evidence

Discussion:

The CSRAP Assessment Team, on behalf of CMS, carries out security controls assessments. The Cyber Risk Advisor (CRA), the System/Business Owner, and the System Team provide input to the process based on the scope of the assessment. The System/Business Owner relies on the expertise of the CSRAP Assessment Team to assess implemented controls by using the assessment procedures specified in the SAP.

CFACTS is the GRC tool used by CMS to manage and track every step of the RMF, including Assessment. It replaces the Scheduling Interface for Government Navigation Alleviation (SIGNAL). The designated Security and Privacy Officer (previously known as ISSO) initiates the Assessment process by filling out the Intake Form.

During the assessment, the CSRAP Assessment Team executes the procedures outlined in the SAP using the CMS-recognized methods of Examine, Interview, and Testing, depending on the scope of the assessment. Documents are examined, personnel are interviewed, and hardware and software are tested. The focus is to determine the extent to which the assessed controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security and privacy requirements of the system and CMS. Any non-compliance is termed a finding.

All findings are documented in the Security Assessment Report (SAR). The assessment team provides recommendations for responding to findings in order to reduce or eliminate identified vulnerabilities or unacceptable risks. Findings that are addressed (remediated) will reflect a closed status in the SAR, while findings not remediated will reflect an open status.

CMS also uses Continuous Diagnostics and Mitigation (CDM) tools to monitor cybersecurity risks on an ongoing basis, prioritize risks based on potential impacts, and enable cybersecurity personnel to focus on the most significant problems based on their impact severity.

The SAP clearly captures the level of Testing Rigor to which the system is to be subjected. CMS has a default Testing Rigor Level of 3, which is the basic compliance verification. This could be increased depending on the type, nature, and scope of the assessment.

TLC Cycle Phase:

Task A-4: Assessment reports

Prepare the assessment reports documenting the findings and recommendations from the control assessments. Upon completion of the assessment, the findings and recommendations are documented by the Assessment Team.

Potential Inputs:

  • Completed control assessments and associated assessment evidence

Expected Outputs:

  • Completed security and privacy assessment reports detailing the Assessment Team’s findings and recommendations

Discussion:

The Security Assessment Report (SAR), a key document in the Authorization Package, provides a comprehensive outline of the intent, execution, and results of the assessment process. The Security Assessment Lead utilizes the CSRAP Security Assessment Report Template to create a SAR and produce the applicable CAAT File.

Please see the Security Assessment & Authorization (CA) page for the CMS-specific process for developing a SAR.

Cybersecurity Framework: N/A

TLC Cycle Phase:

Task A-5: Remediation actions

Conduct initial remediation actions on the controls and reassess remediated controls. Guided by the recommendations made by the CSRAP Assessment Team, the controls found to be non-compliant are remediated by the System Team. These remediated controls are again reassessed by the Assessment Team.

Potential Inputs:

  • Completed security and privacy assessment reports with findings and recommendations
  • Security and privacy plans
  • Security and privacy assessment plans
  • Organization- and system-level risk assessment results

Expected Outputs:

  • Completed initial remediation actions based on the security and privacy assessment reports
  • Changes to implementations reassessed by the assessment team
  • Updated security and privacy assessment reports
  • Updated security and privacy plans, including changes to the control implementations

Discussion:

The SAR describes the deficiencies in the implemented controls that could not be resolved during the development of the system (Initiate phase of the TLC) or that were discovered post-development (during the Operate phase of the TLC). Such findings may be High- or Critical-risk findings that require immediate remediation efforts.

In cases where these remediation actions are carried out immediately by the System Team during the assessment period, a reassessment of the remediated findings by the CSRAP Assessment Team is conducted. If no further findings are discovered, then the status is closed; otherwise, it is recorded as open.

The Security Assessment Report is then updated with the reassessment findings and recommendations by the CSRAP Assessment Team. However, the original assessment result is not changed.

Cybersecurity Framework: Profile

TLC Cycle Phase:

Task A-6: Plan of Action and Milestones

Prepare the Plan of Action and Milestones (POA&M) based on the findings and recommendations of the assessment reports.

Potential Inputs:

  • Updated security and privacy assessment reports
  • Updated security and privacy plans
  • CMS ISRA and system-level risk assessment results
  • CMS risk management strategy and risk tolerance

Expected Outputs:

  • POA&M detailing the findings from the security and privacy assessment reports that are to be remediated

Discussion:

The POA&M describes the actions that are planned to correct deficiencies in the controls that are identified during the assessment of the controls and the continuous monitoring process. POA&Ms are created and tracked in CFACTS, the CMS GRC tool.

CMS requires all Critical-risk deficiencies to be remediated within 15 days, while High-risk deficiencies are remediated within 30 days. Moderate-risk weaknesses must be remediated within 90 days while Low-risk deficiencies are expected to be remediated within 365 days.

Please see the CMS Plan of Action and Milestones (POA&M) Handbook for the guide to creating, managing, and closing a system's POA&M.

Cybersecurity Framework: ID.RA-6

TLC Cycle Phase:

Short description

Determine if controls are implemented correctly, operating as intended, and producing the desired outcome

Contact name: ISPG Policy Team
Contact email: CISO@cms.hhs.gov