Cyber Risk Reports (CRR)
Cyber Risk Reports and dashboards provide real-time visibility into cyber risks for CMS systems. They are accessed via Tableau and CFACTS. Business / System Owners and ISSOs use the reports and dashboards to guide remediation efforts and report to leadership.
Last Reviewed: 9/20/2025
What are Cyber Risk Reports?
Cyber Risk Reports are provided monthly by ISPG to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level.
View Cyber Risk Reports
Ready to dive in? You can jump right to your Cyber Risk Dashboards from here, but you will need access to Tableau and CFACTS, which both require job codes.
Who can access the reports?
The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO). Additionally, in compliance with FISMA reporting, this data is shared with HHS and DHS.
Contractor ISSOs and contractor Business Owners working with CMS FISMA systems can also access the reports, using a CFACTS job code. You will also need to be assigned a role and assigned as a stakeholder on one or more specific FISMA packages. Contact the CRM PMO team at CDMPMO@cms.hhs.gov to obtain the SOP for Tableau Access, which includes the appropriate job codes for access.
The future of risk reporting at CMS
The CMS Cyber Risk Management Program lays the foundation to help CMS Components implement better cybersecurity capabilities – including the modernization of risk reporting. This is part of the overarching goal at CMS to align our information security and privacy activities with federal standards for a risk-based approach, which are outlined in the NIST Cybersecurity Framework and the Federal Information Security Management Act (FISMA).
The initiatives that result from this approach will help us:
- Build security into development pipelines (DevSecOps)
- Tailor system testing (such as the Cybersecurity and Risk Assessment Program (CSRAP)) to more specific uses
- Expedite the ATO process
- Approve and onboard more systems to Ongoing Authorization
For risk reporting, it means expanding capabilities to give CMS stakeholders accurate and actionable data about their system risks.
Cyber Risk Dashboards
As part of the modernization of risk reporting, Cyber Risk Dashboards are provided to help CMS stakeholders view reports, analyze data, and create proactive mitigation strategies. The dashboards give a snapshot of overall risk for specific systems in near-real time, including summaries of key high-risk metrics – allowing users to prioritize the most important risk mitigation activities.
Cyber Risk Dashboards are helpful to the various CMS stakeholders who are accountable for the security and privacy of information and systems:
- Information System Security Officers (ISSO)
- Application Development Organizations (ADO)
- Data Centers
- Business Owners / System Owners (BO / SO)
- System Administrators
Access to the reporting platform and dashboards requires a Tableau job code. You must also have a CFACTS job code as a prerequisite to accessing the reporting platform. If you need help getting these job codes, please contact the Cyber Risk Management Team: CDMPMO@cms.hhs.gov.
Cyber Risk Management (CRM) Dashboards Portal
The Cyber Risk Management (CRM) Dashboards Portal serves as the primary entry point for accessing all major dashboards within the CRM ecosystem. It presents high-level metrics and provides navigable links, enabling users to efficiently explore various aspects of cyber risk. This centralized access point is essential for stakeholders seeking a comprehensive overview of FISMA system performance and risk posture.
Vulnerability (VULN) Monitoring Dashboard
The Vulnerability Monitoring Dashboard delivers detailed insights into vulnerabilities across components, data centers, and systems. It supports the identification, tracking, and remediation of security weaknesses by presenting metrics such as open, reopened, and remediated vulnerabilities, along with mean time to remediate. With advanced filtering options, including system acronyms, exploit availability, and KEV status, this dashboard is instrumental in maintaining the security integrity of FISMA systems over time.
Master Device Record (MDR) Dashboard
The Master Device Record (MDR) Dashboard consolidates hardware asset management (HWAM) data and cloud asset inventories from sources such as Tenable, AWS, Qualys, CrowdStrike, and ForeScout. By unifying asset visibility, this dashboard supports accurate inventory tracking and compliance reporting, which are foundational to FISMA system audits and lifecycle management.
Known Exploited Vulnerabilities (KEV) Dashboard
The Known Exploited Vulnerabilities (KEV) Dashboard provides a focused view of vulnerabilities that are actively exploited in the wild. By surfacing these high-priority threats within CMS systems, the dashboard enables timely remediation and risk mitigation, aligning with FISMA’s emphasis on proactive vulnerability management.
Vulnerability-Related Asset Details (VRAD) Dashboard
This dashboard offers granular asset-level insights into vulnerabilities associated with specific systems. It includes metrics that support remediation planning and execution. By linking vulnerabilities directly to affected assets, it enhances traceability and accountability—key components of FISMA compliance.
Configuration Settings & Management (CSM) Dashboard
The Configuration Settings & Management (CSM) Dashboard ensures that system managers implement and maintain secure configuration baselines across all networked devices. It provides visibility into compliance status, configuration drift, and remediation activities. This capability is critical for demonstrating adherence to FISMA configuration management controls.
Software Asset Management (SWAM) Dashboard
The Software Asset Management (SWAM) Dashboard tracks software inventories across FISMA systems, offering categorized and organized views of software assets. It also enables drill-down into associated hardware data, supporting software license management, vulnerability tracking, and compliance verification.
SWAM-Related Asset Details Dashboard
This dashboard presents detailed records of hardware assets associated with specific software products. It includes metadata such as installation dates and first-seen timestamps. These insights are vital for validating software deployment and ensuring that FISMA systems maintain accurate and up-to-date asset inventories.
Security Hub (SecHub) Dashboard
The Security Hub Dashboard aggregates security findings across all cloud account IDs for a given project or system. It provides a unified view of cloud security posture, enabling stakeholders to assess and respond to risks in cloud-hosted FISMA systems with greater agility and precision.
Ongoing Authorization (OA) Program Dashboard – System Status
Ongoing Authorization (OA) is closely tied to CMS’ goals for a proactive, risk-based approach to system security. Rather than going through the traditional, compliance-focused Authorization to Operate (ATO) process, a system can be approved to operate through OA, which focuses on continuous risk identification and management. The OA Program Dashboard – System Status supports the continuous monitoring and tracking of systems undergoing Ongoing Authorization (OA) within CMS. It provides transparent metrics at the system level, helping users manage risk and maintain continuous authorization in alignment with FISMA’s continuous monitoring requirements.
Data Quality (DQ) Dashboard
The Data Quality Dashboard tracks and visualizes key performance indicators related to data accuracy, completeness, and consistency. Presented through a user-friendly interface, this dashboard supports data governance efforts that underpin reliable reporting and decision-making across FISMA systems.
Dynamic Cyber Risk Dashboard
The Dynamic Cyber Risk Dashboard offers a real-time, interactive interface that updates daily with data across multiple categories, including vulnerabilities, assets, POA&Ms, KEVs, and organizational hierarchy. As a dynamic counterpart to the Monthly Cyber Risk Reports (CRRs), it empowers users to prioritize remediation efforts and manage evolving risks within FISMA systems more effectively.
MFA (Multi-Factor Authentication) Logon Type Analysis Dashboard
This dashboard provides visibility into the usage patterns of multi-factor authentication (MFA) logon types across CMS. By tracking adoption trends and success rates, it supports the agency’s goal of increasing the use of phishing-resistant MFA methods—an essential control for securing FISMA systems.
Zero Trust – HSTS (HTTP Strict Transport Security) Dashboard
The Zero Trust – HSTS Dashboard monitors the implementation of HTTP Strict Transport Security (HSTS) across CMS.gov subdomains. It helps ensure that web services adhere to secure transport protocols, reinforcing the confidentiality and integrity of data transmitted by FISMA systems.
SaaS Governance Dashboards
The SaaS Governance Dashboards provide visibility into business SaaS applications used across CMS. These dashboards help identify applications that may process, store, or transmit CMS data, supporting risk assessments and compliance evaluations required under FISMA.
KMP (Knowledge Management Platform) Privacy Dashboard
The KMP Privacy Dashboard extracts and displays data from System of Records Notices (SORNs) published in the Federal Register since 1994. This information supports the CMS Privacy Office in making informed decisions about data use agreements, ensuring that privacy considerations are integrated into FISMA system governance.