CMS FISMA Continuous Tracking System (CFACTS)
CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process
- #cfacts_community
What is CFACTS?
CFACTS is the CMS governance, risk, and compliance (GRC) tool used as the repository for managing the security and privacy requirements of its information systems. The CFACTS platform provides a common foundation to manage policies, controls, risks, assessments, and deficiencies across all CMS systems. Its reporting capabilities give senior-level management a clear view of the security posture of all applications within CMS and support better budget and resource decisions. CFACTS also provides a manageable mechanism for delivering the quarterly security posture updates and annual assessments that the Department of Health and Human Services (HHS) and the Office of Management and Budget (OMB) require.
CFACTS "How-To" videos
On-demand videos produced by the CFACTS team are designed to answer frequent questions and demonstrate how to use various features. Check out the "How-To" videos on the CFACTS video channel.
When do I use CFACTS?
CFACTS is the location where system artifacts are stored as teams pursue their system’s Authorization to Operate (ATO). As an Information System Security Officer (ISSO), System/Business Owner, or Cyber Risk Advisor (CRA), you are responsible for overall FISMA system compliance efforts as well as the ATO process. You’ll need CFACTS for the following throughout your system’s lifecycle:
Plan of Action and Milestones (POA&Ms)
Whenever a security weakness or deficiency in a federal system is identified, it must be documented and tracked via an official Plan of Action and Milestones (POA&M). CFACTS is the location for all POA&M documentation. POA&Ms are created and uploaded within CFACTS using a CMS Assessment and Audit Tracking (CAAT) file. The ISSO works with the System/Business Owner and the CRA to develop realistic, attainable milestones. Team members also use CFACTS to update existing POA&Ms and to close POA&Ms once the underlying issues have been addressed.
System Security and Privacy Plan (SSPP)
The System Security and Privacy Plan (SSPP) is the key document associated with a FISMA system’s security. It provides an accurate, detailed description of the FISMA system itself, its security requirements, and the controls in place to protect it. The SSPP is generated and exported directly from the system’s CFACTS data.
Contingency Plan (CP)
CFACTS is the place to create, upload, and review your system’s Contingency Plan (CP).
Privacy Impact Assessment (PIA)
ISPG has taken the guidance provided by the Department of Health and Human Services (HHS) and translated it into a questionnaire that can be found in CFACTS (ISPG also offers general information about PIAs, as well as more detailed information for authors). ISSOs log in to CFACTS to complete the questionnaire with guidance from the System/Business Owner and the assigned Cyber Risk Advisor (CRA). A step-by-step guide to answering the questions required to complete the PIA can be found in the PIA & PTA Writer’s Handbook, which is written by HHS and is linked as a resource on the front page of each individual question in CFACTS.
CFACTS: uploading documentation
There are a number of things to keep in mind when uploading and storing documents and information in CFACTS. Due to the large number of documents your system requires and the number of team members that will require access, it’s important to stay organized.
Naming files
Many people may review or need access to your system’s files in CFACTS, so it’s important to use descriptive titles when saving your files. Some important rules to consider are:
- Describe the purpose of the document
- Include the date or version number
- Keep only the latest version as the current document
- Archive older versions rather than leaving them alongside the current one
- Maintain the document repositories (the CFACTS tabs described below)
CFACTS document repositories
The CFACTS platform offers tabs for users to easily access specific collections of information quickly. As a CFACTS user, you’ll need to familiarize yourself with the following tabs and the information they contain:
General tab
The General tab is where you can find:
- Appendix documentation
  - Documents to be included in the System Security and Privacy Plan (SSPP) as Appendices at the end
  - Only the filename appears in the SSPP (so be descriptive when you’re naming your file)
Security Category tab
This tab is used to:
- Determine the Security Category of the information system (FIPS 199) and Digital Identity
- Upload System of Record Notice (SORN)
- Upload Contingency Plan (CP) Details
- Complete the Privacy Impact Assessment (PIA)
- Provide details pertaining to business and system risks using the Information Security Risk Assessment (ISRA)
- Identify the Authentication Types used for the information system
- Determine if the information system is a High-Value Asset (HVA)
- If applicable, upload any Computer Matching Agreement and Security Impact Assessment (SIA) documentation
Boundary tab
The Boundary tab is used to upload and store:
- Boundary diagrams
- Contents of documents included in the System Security and Privacy Plan (SSPP)
- Additional information to be detailed in the SSPP
Authorization tab
The Authorization tab is used to upload and store:
- System Security and Privacy Plan (SSPP) attachments
- SSPP versions/miscellaneous document versions
- Security Assessment Report
- Reports and CAAT files
Controls tab
Provides an allocated controls summary that offers users:
- Overall count of control elements
- Total control elements
- Baseline control elements
- Supplemental control elements
- Baseline control elements without implementation details
- Not assessed and other than satisfied control elements
CFACTS FAQs
Section 1: general questions
1. I need help. Is there a CFACTS Helpdesk?
Yes, the CFACTS Helpdesk is accessible via e-mail; use the “ISPG Admins” e-mail link on the CFACTS CMS Welcome page to send an e-mail with your question. If that e-mail link does not work, address your question to ciso@cms.hhs.gov with the subject line “CFACTS Question.”
2. What browser(s) should I use to access CFACTS?
The CFACTS Team recommends using Google Chrome and Microsoft Edge.
3. I need access to CFACTS. How do I request access?
A user must complete the following steps to access CFACTS:
Request job codes
The user logs in to their EUA account and requests the 'CFACTS_USER_P' job code for the Production environment and/or 'CFACTS_USER_V' for the Validation environment.
Job code requests approved
The EUA First and Second Approvers must approve the user's request. The ISSO or ISSO Contractor sends an email to CISO@cms.hhs.gov for final approval to assign the user a CFACTS User Role.
System assigned
System Administrators assign the user a CFACTS role and notify the appropriate ISSO that the role has been assigned. The ISSO then assigns the user as a stakeholder to the correct system. Administrators then troubleshoot any access issues with the user if needed.
4. What is the difference between the Production and Validation environments for CFACTS?
There are two environments for CFACTS: the Production environment and the Validation environment. The Production environment is used to submit artifacts and work in real time, while the Validation environment is for testing.
5. I can successfully connect and log in to https://cfacts3.cms.cmsnet; why don’t I see any Information Systems in my profile?
Prior to being assigned a role in CFACTS and being aligned to systems, a user with full EUA access to the CFACTS Production environment will be able to log in to the site and reach the CFACTS “Landing Page” but will not have any systems assigned to them until the ISSO adds them as a stakeholder.
6. I'd like to take training on how to use CFACTS. Where is training offered?
Users can access CFACTS training through the CMS Learning Management System. There, you can access CFACTS training or search for other relevant courses (EUA login required).
7. How soon after my CFACTS training class will I be able to access my system(s) in the Production environment?
Access to CFACTS should be available within 10 business days of completing the CFACTS training. You'll need to make sure you have the EUA job code for the CFACTS production environment (CFACTS_USER_P).
8. I am a contractor. How soon can I access my system(s) in the production environment?
It will depend on how long your ISSO takes to add your account as an ISSOCS (ISSO Contractor Support) stakeholder for each system.
9. I have completed my training, but I am not able to access my system(s) when I log in to the CFACTS. Why?
Please make sure to have approved EUA job codes, 'CFACTS_USER_P' for the Production environment and/or 'CFACTS_USER_V' for the Validation environment. If you have a correct approved job code and still have difficulty accessing CFACTS, please contact the CMS Service Desk (800-562-1963).
10. I am the Primary ISSO, and I need my contractors to have access to an information system in CFACTS. What do I need to do?
Ensure your contractors complete CFACTS training and have an individual account in CFACTS. Once the contractor has an account in CFACTS, you must assign them to the information system you want them to access.
To do this, log in to CFACTS and open the Assessment & Authorization (A&A) tab at the top. Using the dashboard view of the A&A tab, find the name of the information system you want to assign the contractor to and click it to open that information system record. You can then assign the contractor to the system by entering their name into the appropriate space.
Section 2 – Role/Group/Permission Questions
1. What is the difference between the ISSO Group and the ISSO Role in CFACTS?
To access systems in CFACTS, two types of access must be obtained:
Group access: Every user account is placed in a group by the ISPG Admin, which determines how the account can be assigned to systems in CFACTS. As an example, a user account in a contractor group cannot be assigned as a business owner or CRA of a system.
Role access: A user account is assigned to specific systems in a specific stakeholder role.
In summary, a user must be assigned to a group before they can be assigned to a role. Thus, a Primary ISSO must have a user account that has been assigned to the ISSO Group in the administrative setup of CFACTS before their user account can be assigned the ISSO Role as a stakeholder for a CFACTS system.
2. What is the difference between the ISSO and ISSOCS role?
There are only two differences between the ISSO and ISSOCS (ISSO Contractor Support) roles in CFACTS:
- Only the ISSO can add users to the Stakeholders section on the General tab
- Only the ISSO can mark the Package as Approved to Begin Assessment on the Authorization tab
Other than those two differences, the ISSOCS has the same privileges as an ISSO in a CFACTS Authorization Package.
3. I am the developer and maintainer of my system; why am I not listed in the role of System Developer Maintainer (SDM)?
The stakeholder role of SDM (System Developer Maintainer) in CFACTS describes a specific CMS function that is held by a Federal employee. Contractors that do the system development and maintenance will be assigned to the stakeholder role of ISSOCS (ISSO Contractor Support) in CFACTS.
4. The links give me an error message about rights or permissions. What is wrong?
You likely have the correct job code of CFACTS_USER_P for production, but you have not been assigned to the correct group by the ISPG Admin team. All users with the correct job code can reach the CFACTS Landing Page, but the default permissions of a general user will cause many of the links on the Landing Page to fail. To remedy this, send an e-mail to the ISPG Admin team (ciso@cms.hhs.gov) and request that your account be assigned to the correct group.
Section 3 – Operational/Procedural Questions
1. What POCs do I need listed in CFACTS?
The only POC/stakeholder roles that exist for any systems entered into CFACTS are:
Business Owner (BO)
Primary Information System Security Officer (ISSO)
Information System Security Officer (ISSO)
System Developer Maintainer (SDM)
ISSO Contractor Support (ISSOCS)
Chief Information Officer (CIO)
Chief Information Security Officer (CISO)
Deputy Chief Information Security Officer (DCISO)
Security Control Assessor (SCA)
Cyber Risk Advisor (CRA)
Privacy Lead (PL)
The only roles that contractors can serve are ISSOCS, ISSO, and SCA. It is important to note that only individuals with the EUA job code of CFACTS_USER_P and the assigned CFACTS role can be placed in one of the stakeholder sections for an Information System.
2. Who should I select in the Hardware Owner field in the Hardware record?
Ideally this should be the person listed as the System Developer/Maintainer in the Stakeholders section of the General tab. If the Federal employee who holds the SDM role for your system is not yet selectable (hasn’t been added to CFACTS yet), the Primary ISSO for the system is an acceptable substitute.
3. I want to look at (or print) the SSPP for my system. How do I generate the SSPP?
The SSPP can be created by clicking on the export button within the Authorization tab.
4. As a control inheritor, is there a way to select all the inheritable controls from a provider at once?
Not at this time. All control inheritance is done one control at a time. However, each provider, such as the Office of the Chief Information Security Officer (OCISO), data centers such as the Baltimore Data Center (BDC), or cloud service providers such as Amazon Web Services (AWS), is expected to publish a list of the controls it makes inheritable. If your system inherits controls from a provider, reach out to that provider to obtain its list of inheritable controls.
5. How are my records backed up? Will I be able to recover a specific record if I make a mistake?
No, you will not be able to recover a specific record automatically. The CFACTS servers are periodically backed up, but there is no mechanism available that allows for recovery of specific records or fields. However, CFACTS maintains a history log that you may be able to use to determine previous values for specific records or fields and change the value back manually.
6. For security-related documents such as the ISRA, CP, PIA, and others, how many versions do we need to maintain in CFACTS?
Each system is required to maintain the current version of all security-related documents. The SSPP (System Security and Privacy Plan) should be generated from CFACTS and uploaded as the current document annually as part of the ARS PL-02 control requirement to review and update.
7. What security assessment documents do we need to maintain in CFACTS?
The following security assessment documents need to be maintained on the Security Assessment Report (SAR) Section of the Authorization page:
- The last 3 years of Security Assessment Reports (SAR)
- The current Security Control Assessment (SCA) Test Plan
- The current CMS Assessment Audit Tracking (CAAT) Worksheet
8. What types of files are allowed to be uploaded into CFACTS?
Most common document file types, such as .doc, .docx, .xls, and .pdf, as well as the image file types .png and .jpg, are allowed to be uploaded into CFACTS, so you should have no problem with everyday uploads. Please note, however, that only Word documents are automatically incorporated into the SSPP generated by CFACTS; see Section 3, question 10 for more information.
Here is the list of allowable file extensions: .bmp, .emf, .exif, .gif, .ico, .jpg, .jpeg, .png, .tif, .tiff, .wmf, .pdf, .doc, .dot, .xls, .xlt, .xla, .ppt, .pot, .pps, .ppa, .docm, .docx, .dotm, .dotx, .potm, .potx, .ppam, .ppsm, .ppsx, .pptm, .pptx, .xlam, .xlsb, .xlsm, .xlsx, .xltm, .xltx, .css, .txt, .xml, .ai, .eps, .ps, .zip, .csv, .rtf, .mp4.
Note: CFACTS will not allow files with other extensions to be uploaded.
9. Are there limits to the file size I can upload as an attachment?
Yes, there are. At the present time, the limit is set to 100MB per file. If a file exceeds that size, you should try zipping (compressing) it before uploading it. Remember that some file types are already compressed and may not be reduced much by zipping them.
10. How do I include pictures, images, tables, or spreadsheets that I would like to display in the SSPP?
The SSPP is generated by CFACTS using a Microsoft Word Mail merge. Anything you would like to be included in the SSPP, including pictures, images, or spreadsheets, needs to be included in a Word document and uploaded under the Boundary Diagram section in CFACTS. Attachments uploaded in other sections are not currently part of the SSPP. This means you must insert pictures or images into a Word document before uploading the Word document into CFACTS, if you would like them to be automatically captured within the SSPP. For spreadsheets such as Microsoft Excel documents, one option is to convert the spreadsheet into a table in Word and upload that Word document into CFACTS. Of course, you always have the option of manually editing the SSPP to include images or embedded spreadsheets after CFACTS generates it, but please be sure to receive approval for any changes from the system CRA. Do not include any file format other than .doc or .docx under the Boundary Diagram section, as it will result in junk data showing up in SSPP when generated.
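The rules in questions 8, 9 and 10 above (the extension allowlist, the 100MB per-file limit, and the Word-only requirement for the Boundary Diagram section that feeds the SSPP mail merge) can be checked before a file is ever uploaded. The following is an added example written for this page, not CFACTS code; it assumes that extension matching is case-insensitive and that only the final suffix counts, that the 100MB limit means 100 × 1024 × 1024 bytes, and it uses the hypothetical section label "Boundary Diagram" to stand for the SSPP merge section. Sample filenames are constructed.

```python
"""Pre-upload checker for CFACTS attachments, written from the rules on this page.

Added example; not CFACTS code. Assumptions (not stated by the page):
  - extension matching is case-insensitive and only the final suffix counts
    ('ISRA_v2.1.PDF' -> '.pdf');
  - the 100MB limit is 100 * 1024 * 1024 bytes;
  - the section label 'Boundary Diagram' names the SSPP merge section.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath

# Allowable extensions, copied from Section 3, question 8.
ALLOWED_EXTENSIONS: frozenset[str] = frozenset({
    ".bmp", ".emf", ".exif", ".gif", ".ico", ".jpg", ".jpeg", ".png", ".tif",
    ".tiff", ".wmf", ".pdf", ".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt",
    ".pot", ".pps", ".ppa", ".docm", ".docx", ".dotm", ".dotx", ".potm",
    ".potx", ".ppam", ".ppsm", ".ppsx", ".pptm", ".pptx", ".xlam", ".xlsb",
    ".xlsm", ".xlsx", ".xltm", ".xltx", ".css", ".txt", ".xml", ".ai", ".eps",
    ".ps", ".zip", ".csv", ".rtf", ".mp4",
})

# Only Word documents are mail-merged into the generated SSPP (questions 8 and 10).
SSPP_MERGE_EXTENSIONS: frozenset[str] = frozenset({".doc", ".docx"})

# Per-file size limit from question 9 (binary megabytes assumed).
MAX_UPLOAD_BYTES = 100 * 1024 * 1024

# Hypothetical label for the section whose attachments feed the SSPP mail merge.
BOUNDARY_DIAGRAM_SECTION = "Boundary Diagram"


@dataclass(frozen=True)
class UploadCheck:
    """Outcome of a pre-upload check: problems found and whether the file will merge into the SSPP."""
    ok: bool
    merged_into_sspp: bool
    problems: tuple[str, ...]


def check_upload(filename: str, size_bytes: int, section: str) -> UploadCheck:
    """Apply the page's upload rules to one planned attachment."""
    ext = PurePosixPath(filename).suffix.lower()
    problems: list[str] = []

    if ext not in ALLOWED_EXTENSIONS:
        # This is the case behind "No valid files were selected to be uploaded" (Section 4, question 1).
        problems.append(f"extension {ext or '(none)'} is not on the allowed list")

    if size_bytes > MAX_UPLOAD_BYTES:
        problems.append(
            f"{size_bytes} bytes exceeds the {MAX_UPLOAD_BYTES} byte per-file limit; try zipping it first"
        )

    merged = False
    if section == BOUNDARY_DIAGRAM_SECTION:
        if ext in SSPP_MERGE_EXTENSIONS:
            merged = True
        else:
            # Question 10: anything other than .doc/.docx here shows up as junk data in the SSPP.
            problems.append(
                "only .doc/.docx belong under Boundary Diagram; embed images or tables in a Word document instead"
            )

    return UploadCheck(ok=not problems, merged_into_sspp=merged, problems=tuple(problems))


if __name__ == "__main__":
    # Constructed sample uploads.
    for name, size, section in [
        ("ISRA_v2.1_2024-03-01.pdf", 2_000_000, "General"),
        ("Boundary_Diagram_v3.docx", 500_000, BOUNDARY_DIAGRAM_SECTION),
        ("network_diagram.PNG", 300_000, BOUNDARY_DIAGRAM_SECTION),
        ("architecture.vsdx", 300_000, BOUNDARY_DIAGRAM_SECTION),
    ]:
        result = check_upload(name, size, section)
        print(name, "OK" if result.ok else "REJECT", result.problems)
```

A .png placed under Boundary Diagram passes the allowlist but is still flagged, because it would be accepted by CFACTS and then corrupt the generated SSPP; that is the case the checker exists to catch before upload.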
11. What is the order of uploaded documents included in the SSPP?
Word documents uploaded into CFACTS for inclusion in the SSPP will be merged into the appropriate section (for instance, in the “Boundaries Details” section) in the order they were uploaded into CFACTS. In other words, if you upload Document 1 on Monday and Document 2 on Tuesday, Document 1 will be included in the SSPP first, followed by Document 2 on a subsequent page. Due to technical limitations, you may find a blank page between multiple attachments when the SSPP is generated. To eliminate blank pages, combine all documents into a single attachment and upload under the Boundary Diagram section.
12. If I have a POA&M associated with a control marked as “Other Than Satisfied,” how do I get that control to show as “Satisfied”?
First, the POA&M should be associated with a CAAT (CMS Assessment / Audit Tracking) record for that control. When the POA&M has been worked to completion (all Milestones completed and the POA&M submitted for approval) and the POA&M reviewer grants final approval, the POA&M is marked Completed. Once the POA&M is in a Completed state, CFACTS automatically updates the CAAT record via backend calculations and changes the status of that control to “Satisfied.”
If there are multiple POA&Ms for a control, all of them must be closed before the control status updates automatically to “Satisfied.” Depending on the timing of the approval and the state of the Authorization Package, the ISSO or ISSOCS may need to open the specific control record in CFACTS and click the Recalculate button at the top right of the record to force the backend calculations that change the Overall Control Status field from “Other Than Satisfied” to “Satisfied.”
13. I have mistakenly inherited a control. How do I change the Allocation Status field from “Inherited” back to “Allocated” or “Not Applicable”?
You must delete the existing “Control to Inherit.” To do this, put the Control record into Edit mode, and you will see a delete button—a blue circle with a white X—on the right-hand side of the Control to Inherit row. Click this delete button and then choose the required Allocation Status.
14. The SSPP is not showing details for the controls.
Only private implementation details will be shown for an allocated control. If details are entered in the Shared Implementation detail field for an allocated control, they will not be reflected within the SSPP. The information provided under the Shared Implementation detail will be reflected in the SSPP of the package that inherits this control. You only need to provide shared implementation details if you are making your control inheritable so that other authorization packages can inherit it.
15. The POA&M is marked as draft. How do I switch it to ongoing?
You cannot. After 30 calendar days, CFACTS automatically switches the POA&M from Draft to Ongoing. Note that the 30 days are counted from the date recorded on the CAAT worksheet, not from the upload date. For example, if you undergo an SCA and the weakness is identified on November 11th, but the file is not uploaded until December 12th, your 30 days began on November 11th.
16. Does the POA&M record have the Finding ID?
Yes. The finding ID for a CAAT record is displayed on the associated POA&M record.
17. Where do I find the latest CAAT templates?
The latest CAAT templates are available on the CFACTS Welcome page under CFACTS Artifact.
18. How do I change the name of my system in CFACTS?
Contact the Division of Enterprise Architecture (DEA) at EnterpriseArchitecture@cms.hhs.gov to coordinate the name change within the master system inventory. Updating the system name within the CFACTS entry (not the entry itself) and in the system documentation is expected to be performed by the ISSO and supporting contractor. Completion of the updates should align with any upcoming external reviews such as an ATO, ACT, or audit; at minimum, the update shall be made during the next periodic review of the documentation. DEA will determine whether the extent of the change requires further changes, such as issuing a new UUID/UID, and will disseminate the updated inventory entry to ISPG to be updated in CFACTS.
Section 4 – Error-Related Questions
1. I tried to upload a file as additional documentation but received the error message, “No valid files were selected to be uploaded.” What does that mean?
It means the file type chosen for upload is not on the allowed list.
2. I am having trouble logging on to CFACTS and getting a 401 error. What do I need to do?
A 401 (Unauthorized) response means the server wants valid credentials before it will serve the page. Several things can cause it:
- Check the URL. The address may be mistyped, or the link you selected may point to a page that is only available to authenticated users.
- If you're sure the URL is valid, go to the site's main page, look for a Login or Secure Access link, sign in there, and then try the page again.
- If you don't have credentials or have forgotten yours, follow the site's instructions for setting up an account or resetting your password.
- Do you usually struggle to remember your passwords? Consider keeping them in a password manager so that you only have to remember one.
- Reload the page. Closing and reopening it can be enough to fix the 401 if the error came from a page that failed to load properly.
- Clear your browser's cache and cookies. A stale session or cached login data can disrupt the login flow and produce the 401; clearing it lets the browser fetch fresh files from the server and start a new session.
- If you're sure the page shouldn't require authorization, the 401 may be a server-side mistake. Contact the CFACTS Helpdesk (see Section 1, question 1) and report the problem.
3. How do I view and clear browsing data in Microsoft Edge?
To view your browsing history in Microsoft Edge, select Settings and more (the three-dot icon) > History > Manage history. To clear browsing data:
- Select Settings and more (the three-dot icon) > Settings (the gear icon) > Privacy and services.
- Under Clear browsing data, select Choose what to clear.
- Choose a time range from the Time range drop-down menu.
- Choose the types of data you want to clear. For example, you may want to remove browsing history and cookies but keep passwords and autofill form data.
- Select Clear now.
To clear browsing data automatically each time you close the browser, select Choose what to clear every time you close the browser and pick the types of data to be cleared.
Related documents and resources
- Process that identifies and mitigates privacy risks for CMS systems regarding the use of Personally Identifiable Information (PII)
- A corrective action plan roadmap to address system weaknesses and the resources required to fix them
- Documentation of a FISMA system’s features and security requirements, along with controls and procedures for information protection
- A streamlined risk-based control(s) testing methodology designed to relieve operational burden
Want to learn about new features and how to do tasks in CFACTS? How-To videos from CFACTS can help!
Watch the video about assigning a FIPS 199 Security Category to your system, and learn how to use CFACTS to simplify the process