CFACTS Cloud migration update: Job codes
The CFACTS application is migrating to the AWS Cloud for better performance and efficiency. The updated system is known as CFACTS-Cloud. We will be posting updates regularly to help you navigate this transition.
Do I need a new job code?
There will be new job codes for accessing CFACTS-Cloud.
The CMS Information Security and Privacy Library is retired: 3 things to do now
The Information Security and Privacy Group (ISPG) has a new website — known as “CyberGeek” — that is now your first stop for security and privacy information! Visit CyberGeek at security.cms.gov to learn about the policies, programs, and tools that help keep CMS information and systems safe.
CMS Guide to Federal Laws, Regulations, and Policies
There are federal laws, regulations, and policies outside of CMS that shape how security and privacy are managed inside CMS. This page contains a comprehensive list of these external requirements and shows how they relate to the security and privacy policies and guidance at CMS.
CFACTS Update: Improvements to ATO Request workflow
Getting an Authorization to Operate (ATO) is a lot of work. The CFACTS team is dedicated to making the process smoother for ISSOs and other ATO stakeholders. We have made updates to the ATO Request workflow in CFACTS, which are summarized below.
Completing tasks in CFACTS is easy with "CFACTS How-To" videos
You may have noticed several changes in how system information and documents are stored in the CMS FISMA Continuous Tracking System (CFACTS). To help you navigate these changes, the CFACTS Team has been busy making "how-to" videos designed to help Information System Security Officers (ISSOs), System/Business Owners, and Cyber Risk Advisors (CRAs) complete tasks in CFACTS.
Getting a Pentest? Try a Threat Model first!
Introduction
As the sports saying goes, “The best defense is a good offense.” The idea is to gain a strategic advantage over an opponent by anticipating their move and forcing them into a defensive, reactive state. The same applies to cyber security. In the age of cloud, Agile SDLCs, and an ever-increasing attack surface, it has become imperative for businesses to embrace proactive security practices to effectively safeguard their assets and systems. Two vital approaches, often carried out in isolation from each other, are Threat Modeling and Penetration Testing.
Assessing vulnerability risks with the Exploit Prediction Scoring System (EPSS)
Part 1: History of EPSS
Proactive vulnerability management is of critical importance in helping organizations identify and address security weaknesses before they can be exploited — reducing the risk of data breaches, downtime, and reputational damage. Assessing, tracking, and remediating vulnerabilities in systems is a responsibility shared by security teams, developer teams, and business owners.
CMS Key Management Handbook
Background
This handbook aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57 series, the CMS IS2P2, and the CMS Acceptable Risk Safeguards (ARS).
Read the CMS ISSO Journal
What is the ISSO Journal?
The ISSO Journal was established to share knowledge among CMS Information System Security Officers (ISSOs) and promote ongoing role-based education. As the publication has evolved, it now serves the entire CMS cybersecurity community with the latest insights on security and privacy topics. It provides information about cybersecurity trends and developments at CMS to support ISSOs and decision makers alike.