CMS Risk Management Framework (RMF)

A structured yet flexible process for managing risk throughout a system’s lifecycle, used by CMS in accordance with the RMF from NIST

Contact: ISPG Policy Team | CISO@cms.hhs.gov
CMS Slack Channel
  • #ispg-sec_privacy-policy

What is the Risk Management Framework (RMF)?

The Risk Management Framework (RMF) from NIST provides a structured yet flexible process for managing risk throughout a system’s life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe.

RMF at CMS

CMS looks to NIST as an authoritative source of best practices for information system security. We tailor the guidance from NIST (and other organizations such as HHS) to the specific needs of the CMS environment and systems.

The CMS Risk Management Framework refers to any application of the NIST RMF within the CMS environment. Everyone who is responsible for information security and privacy at any point in the system life cycle should be familiar with the RMF and its application at CMS.

The CMS Risk Management Framework (based on the NIST RMF):

  • Integrates information security and privacy protections into the Enterprise Architecture, Target Life Cycle (TLC), and Technical Reference Architecture (TRA)
  • Provides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of CMS information systems
  • Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function)
  • Establishes responsibility and accountability for security and privacy controls deployed within CMS information systems and inherited by those systems (i.e., common controls)

RMF steps

The steps of the Risk Management Framework are used by Security and Privacy Officers and other security professionals at CMS during the system authorization process and during the ongoing activities that ensure the security of information throughout a system’s life cycle. Each step is defined by its outcomes, which together provide a clear roadmap to an effective risk management strategy.

The steps of the RMF are summarized below, along with links to handbooks that will help you follow each step as implemented at CMS.

Prepare

Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF. Outcomes:

  • Key risk management roles identified
  • Organizational risk management strategy established, risk tolerance determined
  • Organization-wide risk assessment
  • Organization-wide strategy for continuous monitoring developed and implemented
  • Common controls identified

Read the handbook for the Prepare step

Categorize

Inform organizational risk management processes and tasks by determining the adverse impact that would result from a loss of confidentiality, integrity, or availability of systems and of the information processed, stored, and transmitted by those systems. Outcomes:

  • System characteristics documented
  • Security categorization of the system and information completed
  • Categorization decision reviewed/approved by authorizing official

Read the handbook for the Categorize step

Select

Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk. Outcomes:

  • Control baselines selected and tailored
  • Controls designated as system-specific, hybrid, or common
  • Controls allocated to specific system components
  • System-level continuous monitoring strategy developed
  • Security and privacy plans that reflect the control selection, designation, and allocation are reviewed and approved

Read the handbook for the Select step

Implement

Implement the controls in the security and privacy plans for the system and organization. Outcomes:

  • Controls specified in security and privacy plans implemented
  • Security and privacy plans updated to reflect controls as implemented

Read the handbook for the Implement step

Assess

Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and organization. Outcomes:

  • Assessment team selected
  • Security and privacy assessment plans developed
  • Assessment plans are reviewed and approved
  • Control assessments conducted in accordance with assessment plans
  • Security and privacy assessment reports developed
  • Remediation actions to address deficiencies in controls are taken
  • Security and privacy plans are updated to reflect controls as implemented

Read the handbook for the Assess step

Authorize

Provide accountability by requiring a senior official to determine whether the security and privacy risk arising from the operation of a system, or from the use of common controls, is acceptable. Outcomes:

  • Authorization package (executive summary, system security and privacy plan, assessment report(s), plan of action and milestones)
  • Risk determination rendered
  • Risk responses provided
  • Authorization for the system or common controls is approved or denied

Read the handbook for the Authorize step

Monitor

Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions. Outcomes:

  • System and environment of operation monitored in accordance with continuous monitoring strategy
  • Ongoing assessments of control effectiveness conducted in accordance with continuous monitoring strategy
  • Output of continuous monitoring activities analyzed and responded to
  • Process in place to report security and privacy posture to management
  • Ongoing authorizations conducted using results of continuous monitoring activities

Read the handbook for the Monitor step