Skip to main content

CMS Cyber Risk Management Plan (CRMP)

A plan that defines the overarching strategy for managing risk associated with the operation of CMS FISMA systems.

Last reviewed: 3/27/2023

Contact: CRM Team | CRMPMO@cms.hhs.gov

Related Resources

Continuous Diagnostics and Mitigation (CDM)
Ongoing Authorization (OA)
Cybersecurity and Risk Assessment Program Handbook

 Introduction

The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy. The CMS CRMP is primarily owned by the CMS Chief Information Security Officer (CISO) and Senior Official for Privacy (SOP), who oversee its management, evolution, and modification. This plan is regularly updated to align with changes in policy, Office of Information Technology (OIT) direction, federal requirements, and the threat landscape.

Risk Management is the process of managing risk to organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system. Risk Management includes:

  • the conduct of a risk assessment;
  • the implementation of a risk mitigation strategy; and
  • the employment of techniques and procedures for continuous monitoring the security state of the information system.

ISPG has outlined three objectives that support each of the components of risk management identified above. Together, these objectives form the overarching risk management strategy for CMS information and information systems. The risk management strategy and its associated objectives are described in detail in the Risk Management Strategy section.

 Purpose

The purpose of the CMS CRMP is to outline the CMS risk management strategy, establish objectives to support that strategy, and establishes a program that aligns the processes, data, programs, technologies, and services with the risk management strategy to accomplish the objectives.

 Risk Management Strategy

The CMS Risk Management Strategy establishes the program and supporting processes to manage risk to agency operations (including mission, functions, image, reputation), agency assets, individuals, other organizations, and the Nation. The strategy includes: assessing risk, responding to risk once determined (i.e. risk mitigation), and monitoring risk over time (i.e. continuous monitoring). To support these components of the risk management strategy CMS has identified three objectives:

  1. Develop and implement capabilities to provide ongoing awareness and visibility into the security posture of CMS information technology assets. (Relates to: Risk Assessment)
  2. Develop metrics, dashboards, and reports to inform and prioritize remediation efforts. (Relates to: Risk Mitigation
  3. Implement capabilities and tools to support continuous assessment and ongoing authorization (OA). (Relates to: Continuous Monitoring)

The ISPG maintains a pipeline of services and capabilities that support the three objectives identified above. These services and capabilities produce output (i.e. data) that is leveraged to support the CMS risk management strategy and is used to perform ongoing risk management activities. This CRMP establishes a framework to support the implementation of cybersecurity and privacy capabilities to protect CMS information and information systems. The components and services available to support each of the three components of the CMS risk management strategy are identified in the following subsections.

Risk Assessment

Risk assessment is part of risk management and incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. Through the execution of the risk assessment organizations gain context and a comprehension of the nature of the risk which allows the level of the risk to be determined. Risk assessment is synonymous with risk analysis.

The following CMS capabilities and services provide ongoing awareness into the security posture of CMS information technology assets and support the risk assessment process:

Threat Modeling

Threat Modeling is a form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.

Vulnerability Analysis Services

CMS has implemented the following capabilities to support the identification and analysis of information system vulnerabilities:

Static Code Analysis – provides tools that analyze source code without executing the code. Static code analyzers are designed to review bodies of source code (at the programming language level) or compiled code (at the machine language level) to identify poor coding practices. Static code analyzers provide feedback to developers during the code development phase on security flaws that might be introduced into code.

Network Scanning – provides tools allowing Users to automatically determine all active devices on the local network.

Host Scanning – provides tools to automate the identification of vulnerabilities in an operating system.

Database Scanning – provides specialized tool used specifically to identify vulnerabilities in database applications.

Cybersecurity and Risk Assessment Program (CSRAP)

The Adaptive Capabilities Testing (ACT) Program is now the Cybersecurity and Risk Assessment Program (CSRAP). This change is a move toward a partnership-based methodology to align with ISPG strategies and the strategic goal of risk-based program management. This change is a holistic approach to assessing risk and will our partners make better data-driven, risk-based decisions by using analytics to help optimize performance, streamline, processes, and reduce risk. 

CSRAP is a security and risk assessment for FISMA systems at CMS. CSRAP assesses a system’s security capabilities to ensure that it operates as intended and meets the security requirements for the information system. CSRAP is a critical component of the Authorization to Operate (ATO) process and is used to determine the overall system security and privacy posture throughout the system development life cycle (SDLC). For detailed information about CSRAP, see Cybersecurity and Risk Assessment Program Handbook

Risk Mitigation

The act of mitigating a vulnerability or a threat is referred to as risk mitigation. CMS maintains a suite of dashboards and reports to display and aggregate the results of the risk assessment and continuous assessment activities to support the prioritization of mitigating/remedial actions. The following dashboards and reports support the risk mitigation process.

Ongoing Authorization (OA) Program Dashboard

The CMS Ongoing Authorization (OA) Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires).

Continuous Diagnostics and Mitigation (CDM) Dashboards

CMS maintains the following dashboards which support the CDM Vulnerability Management (VULN) and Hardware Asset Management (HWAM) capabilities:

VULN

  • Vulnerability Monitoring Dashboard – Provides vulnerability data across systems with breakdowns of Open, Reopened, and Remediated items
  • Known Exploited Vulnerabilities Dashboard – Provides key metrics associated with the BOD 22-01 requirements including the monthly CISA CVE catalog feed applied to CMS systems and vulnerabilities by data center

HWAM

  • Asset Details Dashboard – Provides comprehensive HWAM details for CMS System assets by datacenter
  • Master Device Record – Provides high level overview of CMS assets

Note: The terms ‘continuous’ and ‘ongoing’ in this context means security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk- based security decisions to adequately protect organization information.

Cyber Risk Report

The CMS Cyber Risk Report communicates cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) Systems. ISPG generates Cyber Risk Reports monthly to help Business Owners (BO) and System Owners make risk-based decisions including prioritizing risk remediation activities at the system level.

High Risk Summary

The CMS High Risk Summary is a report delivered monthly to the CMS Chief Information Officer, Chief Information Security Officer, and Office of Information Technology (OIT) management. This report aggregates risk across the entire CMS enterprise and is reviewed at the Security Operations Center (SOC) debrief.

CFACTS POA&M

Stakeholders must use CFACTS to identify, track, and manage all IT system weaknesses and associated Plans of Action and Milestones (POA&Ms) to closure for CMS information systems. The CFACTS POA&M User Guide provides detailed instructions for processing POA&M actions in the CFACTS tracking system.

Continuous Monitoring

Continuous Monitoring, which is synonymous with Information Security Continuous Monitoring (ISCM), is maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

The Department of Health and Human Services maintains an overarching strategy for ISCM. This HHS strategy defines the assessment frequencies for each required security control. CMS complies with the HHS ISCM strategy and further defines the CMS specific assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). Security controls are assessed at their defined frequencies by leveraging a variety of capabilities and services available to CMS information systems. The following CMS capabilities and services support the continuous monitoring process.

Continuous Diagnostics and Mitigation (CDM)

The CDM Program provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture by:

  • Reducing agency threat surface
  • Increasing visibility into the federal cybersecurity posture
  • Improving federal cybersecurity response capabilities
  • Streamlining Federal Information Security Modernization Act (FISMA) reporting The CDM Program delivers capabilities in four areas:
    • Asset Management | What is on the network?
    • Identity and Access Management | Who is on the network?
    • Network Security Management | What is happening on the network? How is the network protected?
    • Data Protection Management | How is data protected?

The CMS CDM program aligns with the CDM program outlined by the DHS and is currently focused on implementing the following functional areas related to the asset management capability:

  • Hardware Asset Management (HWAM)
  • Software Asset Management (SWAM)
  • Software Vulnerability Management (VUL)

Penetration Testing

Penetration Testing is security testing in which evaluators mimic real-world attacks in an attempt to identify ways to circumvent the security features of an application, system, or network. Penetration testing often involves issuing real attacks on real systems and data, using the same tools and techniques used by actual attackers. Most penetration tests involve looking for combinations of vulnerabilities on a single system or multiple systems that can be used to gain more access than could be achieved through a single vulnerability.

The CMC Cybersecurity Integration Center (CCIC) maintains penetration testing teams that performs testing on a rolling basis. A system’s ISSO can request an intake form for a penetration test via email to the Pen Test mailbox.

batCAVE

batCAVE incorporates enterprise Kubernetes and continuous integration to take software from ideation to production faster. By decreasing the time dedicated to audits and alleviating fears associated with updating production code, batCAVE will incentivize faster innovation at CMS.

Key aspects of the batCAVE initiative:

  1. Reduce burden and obligations to Users
  2. Give Users the knowledge necessary to make better security decisions
  3. Incentivize behavior that strengthens the security posture of applications and CMS as a whole
  4. Increase transparency and empower distributed decision-making
  5. Measure, report, and champion the positive behavior rather than punish negative actions

CMS Security Automation Framework (SAF)

The CMS Security Automation Framework (SAF) brings together applications, techniques, libraries, and tools developed by the CMS Information Security and Privacy Group (ISPG) and the security community to streamline security automation for systems and DevOps pipelines. Benefits of using this framework include:

  • The ACT team will accept security testing data from this framework.
  • Developers can harden and run validation security early and often in their environments, using their own orchestration, functional and unit testing systems, to keep security defects as low as possible.

 Ongoing Authorization

Ongoing Authorization (OA) is the continuous evaluation of the effectiveness of security control implementations which supports risk determinations and risk acceptance decisions taken at agreed upon and documented frequencies subsequent to the initial authorization (i.e., during ops phase). OA decisions are time-driven and may also be event-driven. OA is not separate from ISCM but in fact is a subset of ISCM activities.

There are two conditions for a system to participate in OA:

  • The system must have been granted an initial Authority to Operate (ATO) and must be in the operational phase.
  • A robust ISCM program is in place that monitors all implemented controls:
    • At the appropriate frequencies,
    • With the appropriate degree of rigor, and
    • In accordance with the organization’s ISCM strategy.

Time Driven Triggers – controls are assessed at a discrete frequency as defined by the organization’s ISCM strategy. At CMS the assessment frequencies for each security control are defined within the CMS ARS 5.0.

Event Driven Triggers – are defined by the organization. Examples include:

  • Increase in defects from ISCM
  • Change in risk assessment findings
  • New threat/vulnerability information
  • Significant changes

CMS OA Initiative

CMS is transitioning from the traditional static (i.e. point in time) authorization process to ongoing authorization which will enable a dynamic near real-time understanding of security and privacy risks and will facilitate the prioritization of mitigating and remedial actions. With the implementation of a robust Cyber Risk Management Program, supported by the strategy defined within this plan, systems participating in the OA program would remain in perpetual state of authorization as long as the risks to the system do not exceed the thresholds established in the CMS Ongoing Authorization Framework.

Currently, the CMS OA program is by invitation only and Business Owners and ISSOs will be notified by email if their system has been selected to participate in the program. To be selected for ongoing authorization systems must meet the following requirements:

  • Have been granted initial ATO;
  • Be fully OIT AWS cloud hosted - no hybrids;
  • Have Security Hub enabled;
  • Key CDM data feeds must be integrated into CDM architecture (currently HWAM and VUL);
  • Data needs to be integrated into requisite reporting mechanisms and made visible; and
  • Meet OA metrics baseline requirements.

Once placed into the OA program, systems are tracked against defined metrics each with an establish risk tolerance (i.e. threshold). Systems that comply with the requirements of the OA program as long as each metric remains below the established threshold. The CMS OA Program Dashboard displays the results of the data collected for the defined OA metrics. The OA Program Dashboard alerts when the defined risk tolerance for an established metric has been exceeded (i.e. OA trigger fires). Each OA trigger has been assigned a severity level which corresponds to a unique workflow which dictates how the system should respond to the trigger. The CMS Ongoing Authorization Program Guide provides more detailed information on the OA Framework including the metrics, trigger, severity levels, and workflows.

CMS Risk Management Program - Implementing the Strategy

The CMS Risk Management Program aligns the processes, data, technologies, capabilities, and services to effectively manage risk across the enterprise and implement the strategy defined in this plan. This program enables a shift to data-driven risk management enabling prioritized investments in cybersecurity by focusing mitigating/remedial efforts where they will reduce the most risk. In addition, a shift to continuous monitoring by leveraging the services and capabilities identified in this plan will enable a near-real time assessment of risk across the lifecycle of a system and will allow CMS to combat a dynamic threat environment.

To support the Risk Management Program CMS has implemented data storage using an Enterprise Data Warehouse. The Data Warehouse aggregates relevant security data into repositories that provides consumers the tools to access security data and provide the means to understand their data in a security context. Refer to Figure 1 to overview of the CMS Risk Management Program.

Authoritative Sources and References

Federal agencies must proactively manage risk through implementing effective security and privacy capabilities mandated in Office of Management and Budget (OMB) Circulars and Memoranda as well as National Institute of Standards and Technology (NIST) publications, Emergency Directives (ED), Binding Operational Directives (BOD), and the NIST Cyber Security Framework (CSF). This Plan incorporates guidance from authoritative sources and initiatives including: