
System Authorization

Information about the testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate

Contact: CISO Team | CISO@cms.hhs.gov

To ensure the security of data handled by government agencies, every federal information system must meet FISMA security requirements before it is allowed to operate in service to the public. System authorization is the “stamp of approval” from an Authorizing Official (AO) that verifies the system is appropriately protected to operate with minimal risk – and the authorization must be renewed periodically throughout the system’s life cycle.

At CMS, system authorization is a team effort. The Business / System Owner, ISSO, and other stakeholders must work together to test and document that the system’s security and privacy controls are working as intended. They must also identify and fix vulnerabilities on a continual basis.

The traditional approach to this process is Authorization To Operate (ATO), which is documentation-heavy and compliance-focused. CMS now encourages the use of modern programs – such as Ongoing Authorization (OA) – that focus on continuous assessment and management of risk. The resources on this page can help CMS teams find the information, tools, and services they need to ensure that their system’s controls are functioning as required by law, and to transition legacy systems and processes to OA standards.

CMS Slack Channel
  • #cra-help
  • #security-community

FISMA requirements

The Federal Information Security Modernization Act (FISMA) is the legislation that defines the framework for protecting government systems. It’s the backbone of system authorization at CMS.

See FISMA compliance overview

Top documents and resources

See all resources
