Information System Security Officer (ISSO)

Why we have an MP policy

The ISPG Policy team published the new Media Protection (MP) Handbook early in September 2024.

Media Protection exists to protect media within an organization, and the definition of media is fairly broad: all physical devices, writing surfaces, and communication channels that include storage capabilities. Whether the communication is digital or in print and on paper, the MP policy covers proper handling and governance.

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

We are giving a sneak peek starting on 11/1/2024 for users to check out the new changes, suggest any modifications, and become familiar with the new layout. You can see the new and improved layout in the implementation environment.

Goodbye RMH chapter 6, hello ISCP Handbook

Late in July 2024, the ISPG Policy team published a new handbook: the CMS Information System Contingency Plan (ISCP) Handbook.

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

Join in some spooky fun!

Create an original Zoom Background with the theme “Scary Security Issues” in honor of Cybersecurity Awareness Month.  Highlight a security issue or named vulnerability while also celebrating the best holiday of the year – Halloween!  Show it off at the October 22, 2024, Zero Trust Ambassadors Office Hours and be entered to win a prize!

GTL Stakeholder field

In the stakeholder section, you can now add the government task lead (GTL) stakeholder to the authorization package.  The GTL will need the CFACTS_USER_PRD job code added in EUA before they can be added to the field in CFACTS. 

Deleting ISRAs

Previously, users could not delete duplicate or incorrect ISRA records from the authorization package and would need to create a support request ticket to have the CFACTS team delete the ISRA record. We’ve given users the ability to now go in and delete ISRA records. 

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process. 

If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement. 

In today's cybersecurity landscape, protecting sensitive information is crucial, especially for organizations working with the Centers for Medicare & Medicaid Services (CMS). GitHub Secret Scanning has emerged as a valuable tool in this effort, not only enhancing security but also aiding in meeting various requirements within the Zero Trust Applications Pillar and the Acceptable Risk Safeguards (ARS) controls.