Skip to main content

CMS Information System Risk Assessment (ISRA)

Documentation of a system’s vulnerabilities, security controls, risk levels, and recommended safeguards for keeping information safe

Contact: CFACTS Team | CISO@cms.hhs.gov
slack logoCMS Slack Channel
  • #cfacts_community

What is an Information System Risk Assessment (ISRA)? 

An Information System Risk Assessment (ISRA) documents the overall risk to a system and potential risk reduction strategies to help System / Business Owners make choices about the tools and countermeasures they could use to address the identified risks. 

The ISRA contains a list of threats and vulnerabilities, an evaluation of current security controls, their resulting risk levels, and any recommended safeguards to reduce risk exposure. The ISRA also supports risk management through the evaluation of risk impact upon the enterprise security model.

The ISRA maps directly to the CMS Acceptable Risk Safeguards (ARS) 5.0 Risk Assessment (RA) 3 Control. ISRAs are completed within the CMS FISMA Continuous Tracking System (CFACTS).

Work on your ISRA in CFACTS

Information about ISRA can be found in CFACTS in the Authorization Package Documentation application. You can submit your ISRA under the Security Category tab.

Take me to CFACTS

When is an ISRA required?

An ISRA is required as part of the Authorization to Operate (ATO) process. It is a living document that will need to be updated consistently to reflect the changing risk posture of your FISMA system throughout its lifecycle. You will need to complete an ISRA for your system if: 

  • It is a new system undergoing its initial ATO 
  • It is the third year of your ATO cycle 
  • There has been a major change to your system

The ISRA is also one of the Risk Information Sources (RIS) used to complete your system’s Cybersecurity and Risk Assessment Program (CSRAP) efforts. That means that the CSRAP Team uses information contained within your completed ISRA to inform their overall assessment of your system. You may need to create a new ISRA or update your system’s current ISRA to comply with CSRAP requirements. 

Who completes an ISRA? 

The ISRA is initiated by the Information System Security Officer (ISSO) or a designated team member with access to CFACTS if an ISSO is not available. The ISSO will work with the System/Business Owner to identify system risks, vulnerabilities, and/or safeguards. 

How do I complete an ISRA? 

Since the ISRA is part of the broader system authorization process, information about the ISRA can be found in the Authorization Package Documentation application in CFACTS. Once you’re in CFACTS, you can submit your ISRA under the Security Category tab.