
Cybersecurity and Risk Assessment Program (CSRAP)

A streamlined risk-based control(s) testing methodology designed to relieve operational burden.

Contact: CSRAP Team | CSRAP@cms.hhs.gov
CMS Slack channels:
  • #ACT-Escalations
  • #signal-application-servicedesk

What is the Cybersecurity and Risk Assessment Program (CSRAP)?

The Cybersecurity and Risk Assessment Program (CSRAP) is a security and risk assessment process for FISMA systems at CMS. It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.

CSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk. 

CSRAP was formerly known as the Adaptive Capabilities Testing (ACT) Program at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.

Why do I need a CSRAP assessment?

CSRAP is a critical component of the Authorization to Operate (ATO) process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC). 

CSRAP is strongly recommended over the traditional Security Controls Assessment (SCA). While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.

For detailed information about CSRAP, see the CSRAP Handbook (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).

Schedule your CSRAP using SIGNAL

SIGNAL is a tool provided by ISPG to make it easy to schedule services like CSRAP. You will need a CMS login to access.

Take me to SIGNAL

Roles and responsibilities for CSRAP

The designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team. 

Every FISMA system and team has unique needs. The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests. 

More information about each team member's specific roles and responsibilities can be found in the CSRAP Handbook (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).

Types of CSRAP assessments

There are two types of assessments within the CSRAP process: Security Assessment (SA) and Risk Assessment (RA). The type of assessment you need is determined by a number of factors, including:

  • Whether your system is new or existing
  • Where your system is in its three-year ATO cycle
  • Whether there has been a significant change to your system

The CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.

Security Assessment 

For a Security Assessment, CSRAP can be further customized to your system’s needs. The categories for CSRAP Security Assessments are defined by which controls from the CMS Acceptable Risk Safeguards (ARS) are included in the assessment. The Security Assessment categories are:

  • Comprehensive Security Assessment: All ARS Controls are included in the assessment.
  • FISMA Annual Security Assessment: Specific ARS Controls are selected by the Authorizing Official or agency for yearly assessment, including core controls.
  • Tailored Security Assessment: Only a specified subset of ARS Controls are included in the Security Assessment.

Risk Assessment

Risk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:

  • Risk-driven rather than compliance-driven: RA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.
  • Capability-oriented rather than control-oriented: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.
  • Utilizes all available risk data: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).

What is included in a Risk Assessment?

For existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:

The CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. In addition to the sources above, the RA for your system may pull data from the following sources:

What is the result of a Risk Assessment?

Following a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.

The Risk Assessment Report divides risks into three categories:

  • Inherent risks
    • Inherent risks arise directly from unmitigated findings (including open POA&Ms).
    • Example: A system has two findings related to the password mechanism and three findings related to user account expiration; these might be rolled up into one risk stating that the Identification and Authentication (I&A) mechanism is weak.
  • Residual risks
    • Residual risks arise indirectly from already mitigated findings or from some source other than technical findings.
    • Example: The system mitigated the noted I&A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.
  • Inherited risks
    • Inherited risks exist because security controls are inherited from another system. Any open POA&M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.
    • Example: The data center hosting the system has an open POA&M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA&M from the other system.

Scheduling your CSRAP

Complete the following steps to schedule and prepare for your CSRAP assessment:

  1. Review CSRAP Handbook

    The CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect. Review the handbook here (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).

  2. Prepare required artifacts

    You will need your Tier 1 CSRAP Artifacts to proceed with CSRAP activities. Start gathering these artifacts as soon as possible, since they take significant time and coordination to complete. Tier 1 Artifacts are due several weeks before the scheduled CSRAP Preliminary Discussion; see "Important due dates" below for the exact deadline. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application.

  3. Access the SIGNAL app

    SIGNAL is an application that simplifies scheduling for ISPG’s core security and privacy services, including CSRAP. Your system's ISSO or ISSO-as-a-Service will complete the required information within SIGNAL and serve as your system's point of contact for the CSRAP team. Access SIGNAL here (CMS login required). 

    If you need help using SIGNAL, you can get step-by-step instructions from the SIGNAL User Guide here (CMS login required).

  4. Complete CSRAP intake

    Within SIGNAL, the ISSO completes the intake process for CSRAP. Submitting the intake form does NOT automatically confirm that your CSRAP is scheduled.

    The CSRAP Assessment Team will notify the ISSO once they have reviewed and approved the submitted form.

  5. Prep for Preliminary Discussion Meeting

    Your team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed Tier 1 Artifacts at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.

Important due dates

Once you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. You can find more details about the artifacts in the CSRAP Handbook (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).

  • Tier 1 Artifacts: 3 weeks before Preliminary Discussion Meeting
  • Tier 2 Artifacts: 2 weeks before Assessment Kickoff Meeting
  • Technical Outputs: 2 weeks before Assessment Kickoff Meeting

Need help?

If you have questions or need assistance, contact the CSRAP team via email: CSRAP@cms.hhs.gov

You can also review the CSRAP Handbook for all details on the process. Review the handbook here (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).