Skip to main content

Cybersecurity and Risk Assessment Program (CSRAP)

A streamlined risk-based control(s) testing methodology designed to relieve operational burden.

Contact: CSRAP Team | CSRAP@cms.hhs.gov

What is the Cybersecurity and Risk Assessment Program (CSRAP)?

The Cybersecurity and Risk Assessment Program (CSRAP) is a security and risk assessment process for FISMA systems at CMS. It uses a holistic approach to assess a system’s security capabilities to ensure that the system operates as intended and meets all security requirements.

CSRAP provides data and analytics to CMS system teams to help them optimize performance, streamline processes, and reduce risk. 

CSRAP was formerly known as the  Adaptive Capabilities Testing (ACT) Program at CMS. The name change aligns with ISPG’s strategic goal of risk-based program management. The CSRAP team is committed to partnering with customers across CMS to help them make data-driven decisions about risk management for their systems.

Why do I need a CSRAP assessment?

CSRAP is a critical component of the Authorization to Operate (ATO) process. It is used to determine overall security and privacy posture throughout the system development life cycle (SDLC). 

CSRAP is strongly recommended over the traditional Security Controls Assessment (SCA). While SCA is compliance-driven and focuses merely on checking boxes of security controls, CSRAP is data-driven and focuses on how to manage risk effectively. CSRAP fulfills the SCA requirement for ATO and gives system teams a clearer picture of their overall risk.

For detailed information about CSRAP, see the CSRAP Handbook (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).

Roles and responsibilities for CSRAP

The designated Information System Security Officer (ISSO) initiates the CSRAP process, and is supported by the Cyber Risk Advisor (CRA), the System/Business Owner, and the Application Development Organization (ADO) team. The assessment process is led by the CSRAP team. 

Every FISMA system and team has unique needs. The CSRAP team will work with your team to ensure that your assessment is completed correctly and promptly, while your team completes required paperwork and tests. 

More information about each team member's specific roles and responsibilities can be found in the CSRAP Handbook (this link requires a CMS login to access, and will automatically download the PDF handbook to your computer).

Types of CSRAP assessments

There are two types of assessments within the CSRAP process: Security Assessment (SA) and Risk Assessment (RA). The type of assessment you need is determined by a number of factors, including:

  • Whether your system is new or existing
  • Where your system is in its three-year ATO cycle
  • Whether there has been a significant change to your system

The CSRAP team, Cyber Risk Advisor (CRA), and your ISSO can work together to determine which assessment is right for your system.

Security Assessment 

For a Security Assessment, CSRAP can be further customized to your system’s needs. The categories for CSRAP Security Assessments are defined by which controls from the CMS Acceptable Risk Safeguards (ARS) are included in the assessment. The Security Assessment categories are:

  • Comprehensive Security Assessment: All ARS Controls are included in the assessment.
  • FISMA Annual Security Assessment: Specific ARS Controls are selected by the Authorization Official or agency for yearly assessment, including core controls.
  • Tailored Security Assessment: Only a specified subset of ARS Controls are included in the Security Assessment.

Risk Assessment

Risk Assessment within CSRAP provides risk-based context to system teams, helping them see the big picture so they can make better decisions for how to reduce risk. The CSRAP Risk Assessment framework has several benefits:

  • Risk-driven rather than compliance-driven: RA does not focus merely on compliance with controls, but instead emphasizes meaningful risk identification and analysis.
  • Capability-oriented rather than control-oriented: Capabilities state objectives for optimal system security, while controls are specific requirements that help meet those objectives. RA helps teams improve the overall capabilities of their systems, which results in a stronger security posture — not “just” compliance.
  • Utilizes all available risk data: RA integrates the results of Risk Information Sources (RIS), not just the results of a CSRAP assessment. RIS are sources that can reveal areas of risk — such as data collected from CSRAP Security Assessments, penetration testing, vulnerability scanning, threat analysis, and the system environment (user types, system components, etc).

What is included in a Risk Assessment?

For existing systems on the three-year ATO cycle, a stand-alone RA is strongly recommended in the first and second year after your completed ATO and corresponding Comprehensive Security Assessment. At a minimum, a Risk Assessment must include:

The CSRAP team will work with your team to determine which audits, assessments, and data will be used for your system’s unique Risk Assessment. In addition to the sources above, the RA for your system may pull data from the following sources:

What is the result of a Risk Assessment?

Following a Risk Assessment, our team will provide you with a plain-language Risk Assessment Report that quickly informs you about the system's overall health. The report focuses on high-level system security capabilities — providing the most information possible about overall system risk. This allows your team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.

The Risk Assessment Report divides risks into three categories:

  • Inherent risks
    • Inherent risks arise directly from unmitigated findings (including open POA&Ms).
    • Example: A system has two findings related to the password mechanism and three findings related to user account expiration; these might result in one risk that explains that the Identification and Authorization (I&A) mechanism is weak.
  • Residual risks
    • Residual risks arise indirectly from already mitigated findings or from some source other than technical findings.
    • Example: The system mitigated the noted I&A-related findings. Although those findings are now closed and the inherent risk has been addressed, there may be a residual risk that something is wrong with the development processes because those weaknesses should not have been present in the first place.
  • Inherited risks
    • Inherited risks exist because security controls are inherited from another system. Any open POA&M or system risk that the system inherits can affect the system’s risk posture; CSRAP considers this and informs the system of the impact its control providers have on them.
    • Example: The data center hosting the system has an open POA&M related to failure to provide adequate physical access control to the data center floor. Since the data center is a separate FISMA-accredited system, this finding cannot be closed or mitigated by the system being assessed. Therefore, the system inherits the risk associated with this POA&M from the other system.

Scheduling your CSRAP

Complete the following steps to schedule and prepare for your CSRAP assessment:

  1. Review CSRAP Handbook

    The CSRAP Handbook provides guidance for every aspect of the CSRAP process from start to finish, and tells you what to expect. Review the handbook here (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).

  2. Prepare required artifacts

    You will need your Tier 1 CSRAP Artifacts to proceed with CSRAP activities. Start gathering these artifacts as soon as possible since they take a lot of time and coordination to complete. Tier 1 Artifacts are due at least two weeks prior to the scheduled CSRAP Preliminary Discussion. The Tier 1, Tier 2, and Technical Output Artifacts lists are available in the CSRAP Handbook, and in the Preliminary Intake section of the SIGNAL Application. 

  3. Check the Available Slots in Confluence

    Visit the CMS CSRAP Confluence page (CMS Log-in Required) using the following URLs to select your preferred and secondary dates for the type of CSRAP assessment you require:
    ·      Security Assessment Schedule Available Slots
    ·      Risk Assessment Schedule Available Slots
    Email the CSRAP Team at CSRAP@cms.hhs.gov with your requested dates.

  4. Complete CSRAP intake Form

    CSRAP Team will confirm the dates via email and schedule a date for Preliminary meeting for assessment along with sending CSRAP intake form and Tier 1 document list to be completed and directly uploaded to CFACTS under Assessment Tab. 

    After "intake form" is uploaded, notify CSRAP Team so they can review that. 

  5. Prep for Preliminary Discussion Meeting

    Your team will begin formal involvement with the CSRAP team at the Preliminary Discussion Meeting. You will need to provide your completed Tier 1 Artifacts at the meeting. Those artifacts, and the CSRAP Intake Form you completed in SIGNAL, will be used to provide information about your system’s needs. The CSRAP team will make sure you are on track with the documentation and preparation needed for your CSRAP assessment.

Important due dates

Once you have met with the CSRAP Assessment Team at the Preliminary Discussion, you will begin preparing other required artifacts. Some of these need to be prepared before your system assessment can begin. Required artifacts and their due dates are summarized below. You can find more details about the artifacts in the CSRAP Handbook (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).

  • Tier 1 Artifacts: 3 weeks before Preliminary Discussion Meeting
  • Tier 2 Artifacts: 2 weeks before Assessment Kickoff Meeting
  • Technical Outputs: 2 weeks before Assessment Kickoff Meeting

Need help?

If you have questions or need assistance, contact the CSRAP team via email: CSRAP@cms.hhs.gov

You can also review the CSRAP Handbook for all details on the process. Review the handbook here (this link requires a CMS login to access, and will automatically download a PDF of the handbook to your computer).