
Cyber Risk Reports (CRR)

Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats

Contact: CRM Team | CRMPMO@cms.hhs.gov
CMS Slack Channel
  • #cyber-risk-management

What are Cyber Risk Reports?

Cyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.

View Cyber Risk Reports

Ready to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need accounts for both Tableau and CFACTS, each provisioned through its own job code (see the job codes listed under Cyber Risk Dashboards below).

Go to the dashboards

Who can access the reports?

The Cyber Risk Reports are sent to all component leadership, including Business Owners, ISSOs, and CRAs, and to CMS Senior Leadership (the COO, CISO, and CIO). Additionally, to meet FISMA reporting obligations, this data is also shared with HHS and DHS.

Contractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports using the CFACTS job code CFACTS_USER_P. In addition to the job code, you must be assigned a role in CFACTS and be listed as a stakeholder on the specific FISMA package(s) whose reports you need to see; the reports only show systems you are a stakeholder for.

ISSO Reports

ISSO Reports are a specific kind of Cyber Risk Report that help ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA&Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. You can access ISSO reports from the Cyber Risk Dashboards (CMS internal link).

The future of risk reporting at CMS

The CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the NIST Cybersecurity Framework and the Federal Information Security Management Act (FISMA).

The initiatives that result from this approach touch several areas of the security program. For risk reporting, they mean expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.

Cyber Risk Dashboards

As part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities. 

Cyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:

  • Information System Security Officers (ISSO)
  • Application Development Organizations (ADO)
  • Data Centers
  • Business Owners / System Owners (BO / SO)
  • System Administrators 

Access to the reporting platform and dashboards requires the TABLEAU_DIR_VIEWER_PRD job code. You must also hold the CFACTS job code (CFACTS_USER_P) as a prerequisite, since the dashboards only display systems you are a stakeholder for in CFACTS. If you need help getting these job codes, please contact the Cyber Risk Management Team: CRMPMO@cms.hhs.gov.

Known Exploited Vulnerabilities (KEV) Dashboard

The Known Exploited Vulnerabilities (KEV) Dashboard / Interactive Visualization displays the metrics associated with Binding Operational Directive (BOD) 22-01, the CISA directive that requires federal agencies to remediate every vulnerability listed in CISA's KEV catalog by the due date the catalog assigns to it. It also provides the current status for:

  • Top Overdue Common Vulnerabilities and Exposures (CVEs)
  • Top Products (by Overdue CVEs)
  • Total Vulnerabilities (by Data Center)
  • Overdue Vulnerabilities (by Due Date) 

The dashboard also includes details for specific vendor/products by CVE and the total number of vulnerabilities by CVE. 

The Known Exploited Vulnerabilities (KEV) Dashboard / List of Filters offers an alternate view of the KEV Dashboard / Interactive Visualization and shows the same BOD 22-01 data in a list format that users can customize by applying several dynamic filters: Data Center, BOD Due Date, Overdue CVEs, Vendor/Project, and Product. This view also offers Search by BOD Due Date and Search by CVE, making it even easier to narrow the data to a single deadline or a single vulnerability.
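The metrics above (top overdue CVEs, top products by overdue CVEs, totals by data center, overdue by due date) and the list-view filters are all derived from one join: scan findings matched against the CISA KEV catalog, with a finding counted as overdue once the reporting date is past the catalog's due date. The following is an added example of that computation, not CMS, ISPG, or CISA code. The catalog extract uses the field names of CISA's public `known_exploited_vulnerabilities.json` feed but is a constructed sample with illustrative dates, the findings and data-center names are constructed, and the function and field names (`kev_findings`, `summarize`, `filter_findings`, `data_center`, `asset`) are this example's own.

```python
"""BOD 22-01 (KEV) overdue metrics from scan findings.

Added example, not CMS/ISPG/CISA code. KEV_CATALOG mimics the field
names of CISA's known_exploited_vulnerabilities.json; the entries and
dates are a constructed sample, as are FINDINGS and the data centers.
"""
from collections import Counter
from datetime import date

# Constructed catalog extract (same keys as the real CISA feed).
KEV_CATALOG = {
    "title": "CISA KEV catalog (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache",
         "product": "Log4j2", "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft",
         "product": "Exchange Server", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "dateAdded": "2023-10-18", "dueDate": "2023-11-08"},
    ],
}

# Constructed scanner output. The last finding is a CVE absent from the
# sample catalog and therefore out of scope for BOD 22-01.
FINDINGS = [
    {"data_center": "DC-East", "asset": "app01", "cve": "CVE-2021-44228"},
    {"data_center": "DC-East", "asset": "app02", "cve": "CVE-2021-44228"},
    {"data_center": "DC-West", "asset": "mail01", "cve": "CVE-2021-34473"},
    {"data_center": "DC-West", "asset": "vpn01", "cve": "CVE-2023-4966"},
    {"data_center": "DC-West", "asset": "web01", "cve": "CVE-2020-99999"},
]


def kev_findings(catalog, findings, as_of):
    """Join findings to the catalog by CVE ID.

    Returns only in-scope findings (CVE present in the catalog), each
    enriched with vendor, product, due date and an overdue flag. The due
    date itself is the last compliant day, so overdue means as_of > dueDate.
    """
    as_of = date.fromisoformat(as_of)
    index = {e["cveID"]: e for e in catalog["vulnerabilities"]}
    in_scope = []
    for f in findings:
        entry = index.get(f["cve"])
        if entry is None:
            continue  # not a KEV entry: tracked elsewhere, not a BOD 22-01 metric
        due = date.fromisoformat(entry["dueDate"])
        in_scope.append({**f,
                         "vendorProject": entry["vendorProject"],
                         "product": entry["product"],
                         "dueDate": due.isoformat(),
                         "overdue": as_of > due})
    return in_scope


def summarize(in_scope):
    """The four dashboard panels, computed from the joined findings."""
    overdue = [f for f in in_scope if f["overdue"]]
    return {
        "top_overdue_cves": Counter(f["cve"] for f in overdue).most_common(),
        "top_products_by_overdue": Counter(
            f"{f['vendorProject']} {f['product']}" for f in overdue).most_common(),
        "total_by_data_center": dict(Counter(f["data_center"] for f in in_scope)),
        "overdue_by_due_date": dict(sorted(Counter(f["dueDate"] for f in overdue).items())),
    }


def filter_findings(in_scope, data_center=None, due_date=None, cve=None,
                    vendor=None, product=None, overdue_only=False):
    """List-view filters: every argument given must match; None means 'any'."""
    out = []
    for f in in_scope:
        if data_center is not None and f["data_center"] != data_center:
            continue
        if due_date is not None and f["dueDate"] != due_date:
            continue
        if cve is not None and f["cve"] != cve:
            continue
        if vendor is not None and f["vendorProject"] != vendor:
            continue
        if product is not None and f["product"] != product:
            continue
        if overdue_only and not f["overdue"]:
            continue
        out.append(f)
    return out


if __name__ == "__main__":
    scope = kev_findings(KEV_CATALOG, FINDINGS, "2023-11-01")
    for panel, value in summarize(scope).items():
        print(panel, value)
    print("DC-West overdue:", filter_findings(scope, data_center="DC-West", overdue_only=True))
```

With a reporting date of 2023-11-01 the Citrix finding is in scope but not yet overdue (its due date is a week later), so it appears in the data-center totals but not in the overdue panels; the CVE absent from the catalog is dropped from every panel. A real pipeline would load the live catalog from CISA and pull findings from the scanner, but the join and the inclusive due-date comparison are the parts that decide what the dashboard reports as overdue.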

Quick start guide

Learn how to access, customize, and manage the KEV Dashboard. (CMS internal link)

See the KEV Dashboard guide

High Risk Summary Dashboard

The High Risk Summary Dashboard provides current status of key high-risk metrics including Compliance, Patch and Vulnerability management, Risk Management, and Continuous Diagnostics and Mitigation (CDM) Program Visibility for agency-wide systems.

Quick start guide

Learn how to access, customize, and manage the High Risk Summary Dashboard. (CMS internal link)

See the High Risk Summary guide

Vulnerability Dashboard

The Vulnerability Dashboard provides an overview of vulnerabilities found in the system and helps Business Owners prioritize which ones to remediate first.

Quick start guide

Learn how to access and use the Vulnerability Dashboard. (CMS internal link)

See the Vulnerability Dashboard guide

Ongoing Authorization Program Dashboard

Ongoing Authorization (OA) is closely tied to CMS' goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process on a fixed cycle, a system can be approved to operate through OA, which relies on continuous risk identification and management. The Ongoing Authorization Program Dashboard helps ISSOs and other security professionals quickly identify which parts of their system meet the requirements for OA and what steps they need to take, either to achieve OA or to maintain it.

Quick start guide

Learn how to access and use the Ongoing Authorization Program Dashboard. (CMS internal link)

See the OA Dashboard guide