Cyber Risk Advisor (CRA)
Supporting the compliance and security of CMS FISMA systems through risk management expertise
Cyber Risk Advisors (CRAs) are involved in almost every security and privacy requirement for information systems at CMS. As the subject matter experts on risk management and compliance for CMS systems, they advise ISSOs and Business Owners on the appropriate actions to take – and what to avoid – when managing FISMA systems.
CRAs scour policy documents and procedural handbooks to extract relevant information and translate high-level policy jargon into concrete actions that can be completed to mitigate risk at all levels. They also provide guidance for their colleagues on compliance activities like ATOs, POA&Ms, Penetration Tests, and ACT assessments.
Together, the Cyber Risk Advisors make up a team of experts who play an indispensable role in making sure CMS information and systems are secure and safe. This page contains resources useful to CRAs and to people who are looking to engage with a CRA. To see which CRAs are assigned to which CMS portfolio, see the diagram on this page (internal link requiring CMS login).
- #cra-help
- #ispg-sec_privacy-policy
- #cyber-risk-management
Get in touch with a CRA
Visit the #cra-help channel in CMS Slack to reach the CRA team with general questions. You should contact your assigned CRA directly with specific questions related to compliance or risk management activities for your system.
Top documents and resources
Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
The IS2P2 defines how CMS protects and controls access to its information and systems. It outlines compliance activities and defines roles and responsibilities.
Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly
CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process
Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection
Testing and documenting system security and compliance to gain approval to operate the system at CMS
Executive Order that requires the continuous verification of system users to promote system security