Risk Management and Reporting
Information about programs and tools that support the continuous assessment and mitigation of potential security and privacy risks to CMS information and systems
Cyber risk management and reporting at CMS is how we help ISSOs, Business Owners, and other stakeholders identify and mitigate security and privacy risks to FISMA systems. Our approach to risk management is part of a multi-year effort to modernize CMS’ overall approach to information system security. Instead of being focused solely on “compliance”, we are moving toward a proactive focus on continuous evaluation, identification, and management of risk.
Risk management and reporting activities include the use of targeted system assessments, real-time reporting tools, and the translation of policy requirements into concrete metrics that allow CMS components to gauge the overall security posture of their systems. Cyber risk management is a nonstop process that changes over time. The resources provided on this page will help stakeholders make smart, data-based decisions throughout the system security life cycle.
- #cyber-risk-management
CMS Cyber Risk Management Plan
The CMS Cyber Risk Management Plan (CRMP) lays the foundation for modernizing our approach to identifying and mitigating security and privacy risks to CMS FISMA systems.
Top documents and resources
Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems
Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities
Provides a federally recognized and standardized security framework for all cloud products and services
FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations
Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats
A centralized repository for security data created to improve CMS’s security posture and support threat detection and threat hunting activities
Filtered view of related content using CyberGeek Search