CMS Security Automation Framework (CMS-SAF)
The CMS ISPG SAF program was discontinued in September 2023. The open-source tools and baseline validation content will still be maintained.
What is CMS Security Automation Framework (CMS-SAF)?
The CMS SAF was developed in partnership with MITRE and was designed to streamline security automation for systems and DevOps pipelines within CMS. As of September 2023, the CMS SAF program will no longer be supported.
Existing CMS-tailored Security Validation (InSpec Profile) content will still be available on GitHub, as well as the other open-source tools provided on the MITRE website:
- Baseline (to STIG or CIS) Security Validation InSpec profiles
- SAF Data Converter and Attestation tools
- Heimdall Lite and Server Security Data visualizer
- CMS-format CAAT spreadsheet export via Heimdall and SAF-CLI
CMS-tailored Security Validation (InSpec Profile) Content
- Java Runtime Environment 7 STIG
- Java Runtime Environment 8 STIG
- Red Hat JBoss 6.3 STIG
- RSA Archer 6 SCG
- AWS Foundations CIS
- AWS RDS Best Practices Benchmark
- AWS RDS Infrastructure CIS
- AWS S3
- AWS S3 Best Practices Benchmark
- Google Cloud Platform CIS
- Google Cloud Platform PCI-DSS 3.2.1
- AWS RDS MS SQL Server 2017 CIS
- AWS RDS MS SQL Server Instance 2014 STIG
- AWS RDS Oracle Database 12c STIG
- AWS RDS Oracle Database 19c CIS
- AWS RDS Oracle MySQL 8 STIG
- AWS RDS Oracle MySQL EE 5.7 CIS
- AWS RDS PostgreSQL 10-13 STIG
- AWS RDS PostgreSQL 9.x STIG
- MongoDB STIG
- MS SQL Server 2014 Database STIG
- MS SQL Server 2014 Instance STIG
- MS SQL Server 2017 CIS
- Oracle Database 12c STIG
- Oracle Database 19c CIS
- Oracle MySQL 8 STIG
- Oracle MySQL EE 5.7 CIS
- PostgreSQL 10-13 STIG
- PostgreSQL 9.x STIG
- Red Hat 6 STIG
- Red Hat 7 STIG
- Red Hat 8 STIG
- Red Hat CVE Vulnerability Scan
- Ubuntu 16.04 STIG
- Windows 2012 STIG
- Windows 2016 STIG
- Windows 2019 STIG
- Docker CE CIS
- EKS Cluster CIS
- EKS Node CIS
- Google Kubernetes Engine CIS
- K8S Cluster STIG
- K8S Node STIG
- Kubernetes CIS
- VMware ESXi 6.5 STIG
- VMware ESXi 6.7 STIG
- VMware VCSA 6.7 STIG
- VMware vSphere 6.7 STIG
- VMware vSphere VM 6.5 STIG
- Apache 2.4 Server STIG
- Apache 2.4 Site STIG
- Apache Tomcat 9 STIG
- IIS 8.5 Server STIG
- IIS 8.5 Site STIG
- NGINX
As part of the shared community, MITRE will still be available on a limited basis to advise on issues posted on CMS or MITRE GitHub repositories, as well as inquiries at saf@groups.mitre.org.
Alternatives to CMS-tailored Security Validation (InSpec Profile) Content
While CMS teams can still use existing CMS-tailored Security Validation Content, these alternatives could be considered:
- Baseline (to STIG or CIS) Security Validation InSpec profiles - these are not tailored to CMS ARS requirements, but they still provide the bulk of the security-relevant information a CMS team needs in order to analyze and respond
- CMS-Cloud Tenable Nessus compliance scans - contact the CMS-Cloud team to order scans against EC2 instances
- AWS Security Hub's Best Practices and CIS Foundations scan results
- CMS teams developing their own tailored overlays on top of MITRE's baseline InSpec profiles
Related documents and resources
- Standards for the minimum security and privacy controls required to mitigate risk for CMS information systems
- Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
- Tools for developers to help harden, protect, and validate systems