System Authorization
Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate
To ensure the security of data handled by government agencies, every federal information system must meet FISMA security requirements before it is allowed to operate in service to the public. System authorization is the “stamp of approval” from an Authorizing Official (AO) that verifies the system is appropriately protected to operate with minimal risk – and the authorization must be renewed periodically throughout the system’s life cycle.
At CMS, system authorization is a team effort. The Business / System Owner, ISSO, and other stakeholders must work together to test and document that the system’s security and privacy controls are working as intended. They must also identify and fix vulnerabilities on a continual basis.
The traditional approach to this process is Authorization To Operate (ATO), which is documentation-heavy and compliance-focused. CMS now encourages the use of modern programs – such as Ongoing Authorization (OA) – that focus on continuous assessment and management of risk. The resources on this page can help CMS teams find the information, tools, and services they need to ensure that their system’s controls are functioning as required by law, and to transition legacy systems and processes to OA standards.
- #cra-help
- #security-community
FISMA requirements
The Federal Information Security Management Act (FISMA) is the legislation that defines the framework for protecting government systems. It’s the backbone of system authorization at CMS.
Top documents and resources
- Testing and documenting system security and compliance to gain approval to operate the system at CMS
- Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities
- CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process
- RMH Chapter 4 provides information about the Security Assessment & Authorization family of controls that lay the foundation for all CMS security and privacy
- Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
- A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems
- Documentation of a FISMA system’s features and security requirements, along with controls and procedures for information protection
- A streamlined risk-based control(s) testing methodology designed to relieve operational burden