CMS FISMA Continuous Tracking System (CFACTS)

CFACTS is CMS's tool for tracking system security and the ATO process. It stores key documents like POA&M, SSPP, ISRA, and ISCP. ISSOs manage compliance and updates while CRAs guide risk strategies. Business / System Owners support documentation and security plans.

Last Reviewed: 1/9/2026

Contact: ISPG Policy Team | ciso@cms.hhs.gov

What is CFACTS?

CFACTS stands for CMS FISMA Continuous Tracking System. It is a governance, risk, and compliance (GRC) tool for managing security and privacy requirements for information systems at the Centers for Medicare & Medicaid Services (CMS). It offers a standardized foundation for tracking security controls, risks, assessments, remediation plans, and other documentation related to system authorization.

Senior-level management uses CFACTS reports to get a clear view of the security posture of all applications within CMS, aiding budget and resource decisions. CFACTS also provides a common reference for agencies such as the U.S. Department of Health and Human Services (HHS) and the Office of Management and Budget (OMB) when conducting their quarterly security posture updates and annual assessments.

Common tasks in CFACTS

If you are an Information System Security Officer (ISSO), Business / System Owner, or Cyber Risk Advisor (CRA), you are part of the team responsible for ensuring your system complies with FISMA requirements and receives Authorization to Operate (ATO). CFACTS is the primary tool for creating, storing, and tracking artifacts related to ATO, including:

CFACTS tutorials and training

The CFACTS team provides tutorial videos, guides, and other documentation to help you make the most of the tool. (CMS login is required to access the link above.) 

Instructor-led CFACTS training (Beginner and Advanced) is also provided at CMS on a recurring basis. To find upcoming training opportunities for CFACTS, visit the Instructor-Led Training section of the CMS Learning Management System (CMS login required), or email the training team: CMSISPGTrainers@cms.hhs.gov

CFACTS access

When requesting access to CFACTS, it’s important to note that CFACTS uses two environments: Production and Validation. You will request two job codes, one for each environment, but you should remember that the environments are used for different purposes.

  • The Production environment is used to submit artifacts and work in real-time. This is the live, active version of CFACTS, and the one you should use for your application tracking work.
  • The Validation environment is used for testing and training. It is not the correct environment for actual record tracking.

To request access to CFACTS, follow this process:

Request job codes

Log in to your EUA account and request both job codes needed for CFACTS. You need the CFACTS_USER_PRD code for the Production environment and the CFACTS_USER_IMP code for the Validation environment.

Wait for approval

The EUA First and Second Approvers must approve your requests. You may see emails in your CMS inbox about this approval process. Once final approval is granted, your user account should be created in CFACTS within 24 hours.

Receive assigned role and system

CFACTS administrators will assign you a CFACTS role based on your access needs. Then, the ISSO or ISSOCS will assign you to the correct system(s) as a stakeholder.

Start using CFACTS

Once you complete the steps above, you should have correct access to CFACTS. The timeline for getting access depends on your approvers, but it’s typically done within ten days.

Giving access to systems in CFACTS

When a new person joins the portfolio team for a CMS information system, they may need to access the system in CFACTS in order to participate in system authorization activities. In these cases, the ISSO or ISSOCS can assign the new person to the authorization packages they need to access. The Business Owner or Cyber Risk Advisor (CRA) can also do this, but it is typically done by the ISSO.

If you need to give a person access to a system’s authorization package, first have them go through the initial process to get individual access to CFACTS.

Then, assign them to the appropriate systems using the following process:

  • Log in to CFACTS
  • Open the Assessment & Authorization (A&A) tab at the top
  • Select the name of the information system you want to assign in the dashboard view of the A&A tab
  • Assign the contractor to the system by entering their name into the appropriate stakeholder field

Groups and roles

To access systems in CFACTS, users need two types of access: Group access and Role access. Groups determine which roles a user can be assigned to. For example, a user assigned to a contractor group cannot be assigned as a system’s Business Owner or Cyber Risk Advisor.

Before an ISSO can be assigned to the ISSO Role in a CFACTS system, an administrator from the Information Security and Privacy Group (ISPG) must assign them to the ISSO Group.

Only federal employees can be assigned as ISSOs or as a System Developer Maintainer (SDM). Contractors who do system development and maintenance will be assigned to the ISSOCS stakeholder role.

CFACTS troubleshooting 

Below are some suggestions for the most common issues reported by people using CFACTS. If you need additional help, you can submit a ticket to the CFACTS Help Desk (if you get a 401 error message with this link, try refreshing your browser).

Missing job codes or information systems

Make sure you have the correct, approved EUA job codes:

  • CFACTS_USER_PRD for Production
  • CFACTS_USER_IMP for Validation

If you are logged into CFACTS and have the correct job code, but you don’t see an information system in your profile, that system’s ISSO may need to add you as a stakeholder. Check with your ISSO.

Missing rights or permissions

A user with the correct job code can access the CFACTS landing page, but default permissions will cause many links on the page to fail.

If you click a link and get an error message about rights or permissions, you likely have the correct job code but have not yet been assigned to the correct group.

To fix this, ask your ISSO or government technical lead to confirm what your CFACTS permissions should be so they can assign you the right ones.

Access errors

If you get a 401 access error when logging into CFACTS, there are several ways you can try to fix the problem:

  • Make sure your Zscaler tool is turned on. (Zscaler is the cloud-based platform used at CMS for secure internet and application access. If you need help with Zscaler, ask in the CMS Slack channel #zscaler.)
  • Double-check the URL you’re using. The 401 error can appear because the URL was mistyped, or the link points to the wrong URL (for example, you may be using a link meant for a user with different permissions than yours).
  • Reload the page. Sometimes closing the page and reopening it is enough to fix the 401 error.
  • Clear your browser's cache. There might be invalid login information stored locally in your browser that’s causing the 401 error. Clearing the cache will remove problems in those files and give the page an opportunity to download fresh files directly from the server. Use your browser’s help menu or other documentation to find the correct procedure for clearing the cache.

Other browser-related issues

CFACTS can be accessed with any standard web browser, but the CFACTS Team recommends using Google Chrome or Microsoft Edge for the most consistent performance. 

Need help?

There are several ways to connect with the CFACTS team if you need help or wish to give feedback:

  • Submit a ticket to the CFACTS Help Desk (if you get a 401 error message with this link, try refreshing your browser).
  • Join CMS Slack channel #cfacts_community and see if your question can be answered there, or has been answered already.
  • Watch for e-mails in your CMS inbox from the CFACTS team announcing upcoming meetings for the CFACTS community. We regularly hold demos, office hours, and other helpful touchpoints where you can learn about the latest updates and ask questions.