What is CFACTS?

CFACTS stands for CMS FISMA Continuous Tracking System. It is a governance, risk, and compliance tool. CMS uses CFACTS across all of its systems to manage information systems security and privacy requirements. It offers a common foundation to manage policies, controls, risks, assessments, and deficiencies.

Senior-level management uses CFACTS reports to get a clear view of the security posture of all applications within CMS. CFACTS also helps management make better budget and resource decisions.

CFACTS also makes it easier for the Department of Health and Human Services and OMB to manage required quarterly security posture updates and annual assessments.

When do I use CFACTS?

As teams pursue Authorization to Operate (ATO) for their system, they store the related artifacts in CFACTS.

If you are an ISSO (Information System Security Officer), System or Business Owner, or CRA (Cyber Risk Advisor), you are responsible for both overall FISMA system compliance efforts and the ATO process.

Teams use CFACTS to create, store, and update:

• POA&Ms (Plan of Action and Milestones)
• SSPPs (System Security and Privacy Plan)
• ISCPs (Information System Contingency Plans)
• PIAs (Privacy Impact Assessment)

CFACTS requirements

Browsers

As a website, CFACTS is accessible using standard web browsers. The CFACTS Team recommends using Google Chrome and Microsoft Edge.

Getting CFACTS access

CFACTS uses two environments: Production and Validation.

• The Production environment is used to submit artifacts and work in real-time. This is the live, active version of CFACTS, and the one you should use for your application tracking work.
• The Validation environment is used for testing and training. It is not the correct environment for actual record tracking.

To access CFACTS, you must go through all of the following steps.

CFACTS Training

CFACTS Training is available in the CMS Learning Management System.

Once you log in, you can access CFACTS training and other relevant courses.

You will need an EUA login.

Using CFACTS

Once you complete your training, your Production job code is approved, the role is assigned to your user account, and the ISSO has added you to systems, you should have correct access to CFACTS. The timeline depends on your approvers. It’s typical for this to be done within 10 days, if everyone involved in the process is prepared.

If you’re a contractor, you’ll have access once your ISSO adds you as an ISSOCS (ISSO Contractor Support) stakeholder for each system.

If you have questions about timing, contact the Help Desk.

CFACTS for ISSOs

Giving access to systems

If you’re an ISSO and need your contractors to have access to a CFACTS information system, have them complete their CFACTS training, and make sure they have an individual account in CFACTS.

Once the contractor has an account, you must assign them to the information systems you want them to access.

To do this:

ISSO Group vs ISSO Role

To access systems in CFACTS, users need two types of access:

1. Group access
2. Role access

A user must be assigned to a group first, before they can be assigned to a role.

Before an ISSO can be assigned to the ISSO Role in a CFACTS system, the ISPG Admin must assign them to the ISSO Group. Groups first, then Roles.

The ISPG Admin adds users to groups. Groups determine which systems a user can be assigned to in CFACTS. For example, a user assigned to a contractor group cannot be assigned as a system’s business owner or CRA.

ISSO vs ISSOCS roles

An ISSOCS has most of the same privileges as an ISSO in a CFACTS Authorization Package.

There are two differences:

• Only the ISSO can add users to the Stakeholders section on the General tab
• Only the ISSO can mark a Package as Approved to Begin Assessment on the Authorization tab

Only federal employees can be assigned as ISSOs, or as SDMs (System Developer Maintainer). Contractors who do system development and maintenance will be assigned to the ISSOCS stakeholder role.

Troubleshooting

CFACTS Help Desk

If you have problems after getting access, you can contact the CFACTS Help Desk using the CFACTS Support Portal (login required).

Missing information systems

Make sure you have the correct approved EUA job codes:

• CFACTS_USER_PRD for Production
• CFACTS_USER_IMP for Validation

If you have the correct job code and can log in, but don’t see an information system in your profile, that system’s ISSO may need to add you as a stakeholder. Check with your ISSO.

If you have the correct approved job code yet can’t access CFACTS, submit a ticket through the support portal.

Missing rights or permissions

A user with the correct job code can access the CFACTS landing page, but default permissions will cause many links on the page to fail.

If you click a link and get an error message about rights or permissions, you likely have the correct job code, but have not been assigned to the correct group.

To fix this, submit a ticket through the support portal and ask to have your account assigned to the correct group.

Recovering deleted records

You can not automatically recover a specific record.

The CFACTS servers are periodically backed up, but there is no mechanism that allows for recovery of specific records or fields.

However, CFACTS does maintain a history log. You might be able to use it to determine previous values for specific records or fields, then re-enter the values manually.

Be sure about what you’re deleting before you delete it!

Access errors

If you are trying to log in to CFACTS and getting a 401 access error, there are several ways you can try to fix the problem on your end.

• Double check the URL you’re using. The 401 error can appear because the URL was mistyped, or the link points to the wrong URL—one for authorized users only.
• Reload the page. Sometimes closing the page and reopening it is enough to fix the 401 error.
• Delete your browser's cache. There might be invalid login information stored locally in your browser that causing the 401 error. Clearing the cache will remove problems in those files and give the page an opportunity to download fresh files directly from the server.

If those options do not fix the problem, submit a ticket through the support portal or ask in the #cfacts_community channel in the CMS Slack workspace.

Clearing browsing data

If you need to clear cookies or other browsing data to troubleshoot CFACTS access, use your browser’s help menu or other documentation to find the correct procedure. Different browsers do things differently.

CFACTS FAQs

Inheriting controls

As a control inheritor, is there a way to select all the inheritable controls from a provider at once?

However, each provider— such as the Office of the Chief Information Security Officer (OCISO), data centers such as the Baltimore Data Center (BDC), or cloud service providers such as Amazon Web Services (AWS)— will be expected to provide a list of inheritable controls they will provide. A control element provider list can also be found on the CFACTS Artifacts page.

If your system inherits controls from a provider, you should reach out to that provider for their list of inheritable controls or refer to the control element provider list on the CFACTS Artifacts page.

Fixing incorrect controls

if you have incorrectly inherited a control, to switch your Allocation Status from “Inherited” back to “Allocated” or “Not Applicable,” you must delete the existing “Control to Inherit.”

To do this, put the Control record into Edit mode, and you will see a delete button—a blue circle with a white X—on the right-hand side of the Control to Inherit row.

Click this delete button and then choose the required Allocation Status.

SSPP not showing details

Only private implementation details for an allocated control will be shown in the SSPP.

If details are entered in the Shared Implementation detail field for an allocated control, they will not be reflected within the SSPP.

The information provided under the Shared Implementation detail will be reflected in the SSPP of the package that inherits this control. You only need to provide shared implementation details if you are making your control inheritable, so that other authorization packages can inherit it.