Cyber Risk Advisor (CRA)

Why we have an MP policy

The ISPG Policy team published the new Media Protection (MP) Handbook early in September 2024.

Media Protection exists to protect media within an organization, and the definition of media is fairly broad: all physical devices, writing surfaces, and communication channels that include storage capabilities. Whether the communication is digital or in print and on paper, the MP policy covers proper handling and governance.

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

We are giving a sneak peek starting on 11/1/2024 for users to check out the new changes, suggest any modifications, and become familiar with the new layout. You can see the new and improved layout in the implementation environment.

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

GTL Stakeholder field

In the stakeholder section, you can now add the government task lead (GTL) stakeholder to the authorization package.  The GTL will need the CFACTS_USER_PRD job code added in EUA before they can be added to the field in CFACTS. 

Deleting ISRAs

Previously, users could not delete duplicate or incorrect ISRA records from the authorization package and would need to create a support request ticket to have the CFACTS team delete the ISRA record. We’ve given users the ability to now go in and delete ISRA records. 

This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process. 

If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement. 

The ISPG Policy team regularly revisits the CMS Information Systems Security & Privacy Policy (IS2P2) to incorporate new information, update language, and keep the document up to date.

The most recent revisions came out in June 2024. We’ve called out and clearly identified the six big changes so you can quickly and easily understand what’s new and how it might affect your work.

List of updates

The IS2P2 updates address several gaps:

Tips for online financial security

This month, Cyber360 at CMS is focused on financial security. As we move more of our financial lives online, from banking to investing, the need for strong cybersecurity has never been greater. Here are some ways you can protect yourself and your finances.

Tap payments: A smarter way to pay