CFACTS Update: New features for generating CAAT files in CFACTS
The CMS Assessment and Audit Tracking (CAAT) spreadsheet is used to track system vulnerabilities following any assessment, audit, or penetration testing. The CAAT is entered into CFACTS and used to help ISSOs start preparing a Plan of Action and Milestones (POA&M) to remediate system weaknesses.
The CMS Information Security and Privacy Library is retired: 3 things to do now
The Information Security and Privacy Group (ISPG) has a new website — known as “CyberGeek” — that is now your first stop for security and privacy information! Visit CyberGeek at security.cms.gov to learn about the policies, programs, and tools that help keep CMS information and systems safe.
CMS Guide to Federal Laws, Regulations, and Policies
There are federal laws, regulations, and policies outside of CMS that shape how security and privacy is managed inside CMS. This page contains a comprehensive list of these external requirements, and shows how they relate to the security and privacy policies and guidance at CMS.
DISCLAIMER:
Cryptographic agility in the zeitgeist
Cryptographic agility, also called cryptoagility, is the ability for a system to quickly and easily change parts of their encryption mechanism(s). This encompasses changing encryption keys, key lengths, encryption algorithms used, and even changing the libraries used to perform the encryption.
CFACTS Update: Improvements to ATO Request workflow
Getting an Authorization to Operate (ATO) is a lot of work. The CFACTS team is dedicated to making the process smoother for ISSOs and other ATO stakeholders. We have made updates to the ATO Request workflow in CFACTS, which are summarized below.
Completing tasks in CFACTS is easy with "CFACTS How-To" videos
You may have noticed several changes in how system information and documents are stored in the CMS FISMA Continuous Tracking System (CFACTS). To help you navigate these changes, the CFACTS Team has been busy making "how-to" videos designed to help Information System Security Officers (ISSOs), System/Business Owners, and Cyber Risk Advisors (CRAs) complete tasks in CFACTS.
Getting a Pentest? Try a Threat Model first!
Introduction
As the sports saying goes, “The best defense is a good offense.” The idea is to gain a strategic advantage against an opponent by anticipating their move and forcing them to be in a defensive, reactive state. The same applies to cyber security. With the age of cloud, Agile SDLCs, and ever-increasing attack surface, it has become imperative for businesses to embrace proactive security practices to effectively safeguard their assets and
systems. Often done alone, two vital approaches are Threat Modeling and Penetration Testing.
Assessing vulnerability risks with the Exploit Prediction Scoring System (EPSS)
Part 1: History of EPSS
Proactive vulnerability management is of critical importance in helping organizations identify and address security weaknesses before they can be exploited — reducing the risk of data breaches, downtime, and reputational damage. Assessing, tracking, and remediating vulnerabilities in systems is a responsibility shared by security teams, developer teams, and business owners.