CMS Governance, Risk, and Compliance (GRC)
Processes, tools, and tech designed to improve CMS’s security posture through risk management activities
What is GRC at CMS?
Governance, Risk, and Compliance (GRC) at CMS is a framework made up of programs, processes, tools, and technologies designed to identify and mitigate security and privacy risks to FISMA systems. GRC was created to modernize CMS’ overall approach to information system security. Instead of being focused solely on “compliance”, we are moving toward a proactive focus on continuous evaluation, identification, and management of risk. Each component of GRC plays an important role in CMS’s overall risk management strategy:
Governance – sets the tone for CMS’s decision-making processes, defining responsibilities, and establishing a framework for accountability.
Risk management – CMS identifies, assesses, and prioritizes potential risks and then takes actions to mitigate or manage those risks. By understanding and managing risks, we can make informed decisions, protect data from threats, and enhance our ability to serve the American public.
Compliance – it’s critical that CMS follows all applicable federal policies and standards. The work that we do at ISPG ensures that CMS takes a modern approach to security and privacy through proactive, ongoing monitoring activities including Ongoing Authorization and Continuous Diagnostics and Mitigation (CDM). CFACTS is the tool where this information is accessible and stored.
Together, these three components help CMS align our risk management and compliance efforts, fostering a culture of security, transparency, and accountability.
Visit the CMS GRC Confluence page
Get more information about the specific tasks and tools the GRC Team is working to implement on behalf of ISPG.
Why is GRC important?
As CMS becomes more complex in its business practices, GRC helps us identify and manage important activities throughout the organization. With a GRC approach, we can integrate traditional management activities into a cohesive discipline that helps our employees, business processes and decisions, and technology be more effective.
GRC breaks down the barriers between CMS business units so they can work more collaboratively to achieve the strategic goals we all share. More importantly, it creates a culture in which everyone understands how to protect the CMS’ reputation and make better decisions. While cybersecurity aims to protect CMS’ systems, networks, and data from a technical standpoint, GRC uses CMS policies, federal policies and standards, and government regulations to support how we all mitigate any threat to CMS.
Related documents and resources
A comprehensive list of the federal laws, regulations, and policies that shape how information security and privacy are managed at CMS
Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities
Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems
CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process
Information about programs and tools that support the continuous assessment and mitigation of potential security and privacy risks to CMS information and system
Information about CMS policies, guidance, and procedures that support security and privacy for FISMA systems