
CMS Governance, Risk, and Compliance (GRC)

Processes, tools, and tech designed to improve CMS’s security posture through risk management activities

Contact: GRC Team | GRC@cms.hhs.gov

What is GRC at CMS?

Governance, Risk, and Compliance (GRC) at CMS is a framework made up of programs, processes, tools, and technologies designed to identify and mitigate security and privacy risks to FISMA systems. GRC was created to modernize CMS’s overall approach to information system security. Instead of focusing solely on “compliance”, we are moving toward a proactive focus on continuous evaluation, identification, and management of risk. Each component of GRC plays an important role in CMS’s overall risk management strategy:

Governance – sets the tone for CMS’s decision-making processes, defines responsibilities, and establishes a framework for accountability.

Risk management – CMS identifies, assesses, and prioritizes potential risks and then takes actions to mitigate or manage those risks. By understanding and managing risks, we can make informed decisions, protect data from threats, and enhance our ability to serve the American public.

Compliance – it’s critical that CMS follows all applicable federal policies and standards. The work that we do at ISPG ensures that CMS takes a modern approach to security and privacy through proactive, ongoing monitoring activities, including Ongoing Authorization and Continuous Diagnostics and Mitigation (CDM). CFACTS is the tool where this information is stored and made accessible.

Together, these three components help CMS align our risk management and compliance efforts, fostering a culture of security, transparency, and accountability.

Visit the CMS GRC Confluence page

Get more information about the specific tasks and tools the GRC Team is working to implement on behalf of ISPG.


Why is GRC important?

As CMS becomes more complex in its business practices, GRC helps us identify and manage important activities throughout the organization. With a GRC approach, we can integrate traditional management activities into a cohesive discipline that helps our employees, business processes and decisions, and technology be more effective.

GRC breaks down the barriers between CMS business units so they can work more collaboratively to achieve the strategic goals we all share. More importantly, it creates a culture in which everyone understands how to protect CMS’s reputation and make better decisions. While cybersecurity aims to protect CMS’s systems, networks, and data from a technical standpoint, GRC uses CMS policies, federal policies and standards, and government regulations to support how we all mitigate any threat to CMS.