Risk Management & Reporting

Completing tasks in CFACTS is easy with "CFACTS How-To" videos

You may have noticed several changes in how system information and documents are stored in the CMS FISMA Continuous Tracking System (CFACTS). To help you navigate these changes, the CFACTS Team has been busy making "how-to" videos designed to help Information System Security Officers (ISSOs), System/Business Owners, and Cyber Risk Advisors (CRAs) complete tasks in CFACTS. 

Assessing vulnerability risks with the Exploit Prediction Scoring System (EPSS)

Part 1: History of EPSS

Proactive vulnerability management is of critical importance in helping organizations identify and address security weaknesses before they can be exploited — reducing the risk of data breaches, downtime, and reputational damage. Assessing, tracking, and remediating vulnerabilities in systems is a responsibility shared by security teams, developer teams, and business owners.

Watch and Learn: System Categorization in CFACTS

Each new CMS FISMA system must define its security categorization based on the Federal Information Processing Standards Publication 199 (FIPS 199). Each system must be reviewed in the following categories: 

  • Confidentiality
  • Integrity
  • Availability 

During review, each category is assigned a rating of low, moderate, or high impact. The most severe rating from any category becomes the system's overall security categorization. 

CMS Cyber Risk Management Plan (CRMP)

Introduction

The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy.

A history of CMS’ continued pursuit of Cyber Risk Management modernization

Navigating the vast digital ocean of today's ever-changing information technology can feel akin to leading a fleet of ships to a faraway destination. In a large government organization, the challenge is managing this fleet to safely journey through a sea teeming with potential cyber threats. The Centers for Medicare & Medicaid Services (CMS) has been charting a course for the last decade and has become adept at ensuring safe passage for its FISMA systems.