
CMS Risk Management Framework (RMF): Assess Step

Determine if controls are implemented correctly, operating as intended, and producing the desired outcome

Last reviewed: 12/5/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov


What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps:

What is the Assess Step?

The purpose of the Assess step is to determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and CMS.

Task A-1 ASSESSOR SELECTION   

Select the appropriate assessor or assessment team for the type of control assessment to be conducted. The assessor or assessment team must be competent and sufficiently independent to conduct an assessment of management, operational or technical controls.

Potential Inputs: 

  • Security, Privacy, and Supply Chain Risk Management (SCRM) plans are documented throughout the life cycle of the system and provide an overview of a CMS system’s security, privacy and supply chain risk management posture. They document the implemented controls and outline the goals and processes required to protect the system and its data.
  • Program management control information describes the high-level CMS governance, administrative and oversight controls that support CMS security, privacy and SCRM initiatives organization-wide.
  • Common control documentation describes security and privacy controls that are shared or inherited, i.e. that apply to two or more systems within CMS.
  • Organizational security and privacy program plans are documents that detail CMS overall security and privacy approaches, objectives and responsibilities.
  • SCRM strategy describes the CMS approach to identifying, assessing, and mitigating risks within its supply chain. This strategy is critical because it helps maintain the integrity and security of externally sourced products and services.
  • System design documentation details how each CMS system is structured and functions. It usually includes the system architecture diagram and data flows, and it informs the selection of appropriate controls by highlighting potential vulnerabilities.
  • Enterprise, security, and privacy architecture information provides high-level CMS plans for how security and privacy requirements integrate with the broader CMS enterprise architecture. This ensures the needed alignment between technical solutions and CMS organizational objectives.
  • Security, Privacy, and SCRM policies and procedures applicable to the system document the rules and guidelines personnel must follow to protect CMS systems and information. They define how CMS implements security, privacy and supply chain risk management at an operational level.

It is critical to provide all available information about the information system and its implemented controls.

Expected Outputs: 

Selection of a competent and independent assessor or assessment team responsible for conducting the control assessment: the CMS Cybersecurity and Risk Assessment Program (CSRAP) Assessment Team.

Discussion: The CMS Cybersecurity and Risk Assessment Program (CSRAP) is used for the security and risk assessment of the agency’s FISMA systems. The CSRAP Assessment Team, a Third-Party Assessment Organization (3PAO), satisfies the requirement that system security assessments be conducted by skilled and independent assessors.

The CSRAP Assessment Team, assembled during the Planning phase of the assessment, is made up of assessors who are Subject Matter Experts (SMEs) on management, operational and technical controls.

SMEs possess the required skills and technical expertise to evaluate the technology, devices, databases and documentation involved in the assessment and to conduct the required interviews.

The CSRAP Assessment Team consists of:

  • Security Assessment Lead
  • Management and Operations (M&O) Assessor
  • Application Assessor
  • Database (DB) Assessor (unless no DBs in scope)
  • Operating System (OS) Assessor
  • Network Assessor
  • Privacy Assessor
  • Mainframe Assessor
  • Others as required

The Security Assessment Lead works with the Security and Privacy Officer (previously known as the ISSO) to determine the level of Testing Rigor for the assessment. 

The Security and Privacy Officer provides the required documentation as listed in “Potential Inputs”, including the current System Security and Privacy Plan (SSPP) and any additional information related to the system boundary that is not contained in the SSPP.

For a seamless assessment process, the CSRAP Assessment Team also works with the following key stakeholders:

  • CSRAP Government Task Lead (GTL)
  • Cyber Risk Advisor (CRA)
  • Business/System Owner
  • Security Assessment Project Manager
  • Technical Editors/Quality Assurance Analyst

Please see the Security Assessment & Authorization controls page for additional information on the assessment planning phase.

Cybersecurity Framework: N/A

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate

Task A-2 ASSESSMENT PLAN   

Develop, review, and approve plans to assess implemented controls. 

This task underscores the coordination expected from stakeholders, who must agree on and document the planned security control assessment.

Potential Inputs: 

  • Security, Privacy, and Supply Chain Risk Management (SCRM) plans are documented throughout the life cycle of the system and provide an overview of a CMS system’s security, privacy and supply chain risk management posture. They document the implemented controls and outline the goals and processes required to protect the system and its data.
  • Program management control information describes the high-level CMS governance, administrative and oversight controls that support CMS security, privacy and SCRM initiatives organization-wide.
  • Common control documentation describes security and privacy controls that are shared or inherited, i.e. that apply to two or more systems within CMS.
  • Organizational security and privacy program plans are documents that detail CMS overall security and privacy approaches, objectives and responsibilities.
  • SCRM strategy describes the CMS approach to identifying, assessing, and mitigating risks within its supply chain. This strategy is critical because it helps maintain the integrity and security of externally sourced products and services.
  • System design documentation details how each CMS system is structured and functions. It usually includes the system architecture diagram and data flows, and it informs the selection of appropriate controls by highlighting potential vulnerabilities.
  • Supply chain information provides details about the external parties and processes involved in delivering products and services to CMS, including vendors, manufacturers and distribution channels. This information is essential to identifying and mitigating potential risks to the confidentiality, integrity and availability of the system or its data.
  • Enterprise, security, and privacy architecture information provides high-level CMS plans for how security and privacy requirements integrate with the broader CMS enterprise architecture. This ensures the needed alignment between technical solutions and CMS organizational objectives.
  • Security, Privacy, and SCRM policies and procedures applicable to the system document the rules and guidelines personnel must follow to protect CMS systems and information. They define how CMS implements security, privacy and supply chain risk management at an operational level.

Every document that provides a clear description of the information system and the implemented controls to be assessed is required in order to develop a complete security and privacy assessment plan.

Expected Outputs: 

  • Security and privacy assessment plans (SAP) approved by the Authorizing Official, which for this task is usually the Business/System Owner. The SAP outlines the methods, scope and criteria for evaluating how well security and privacy controls are implemented and functioning. The document provides the CMS structured approach to identifying weaknesses and verifying compliance in its information systems.

Discussion: The Security Assessment Lead develops the Security Assessment Plan (SAP) for the system being assessed, using the CSRAP Security Assessment Plan Template. The required information to complete the SAP is gathered during the Preliminary Discussion Meeting and is also contained in the:

The Security Assessment Plan (SAP) is a document which captures the approach, resources and schedule for the assessment, as it:

  • Outlines the assessment type
  • Defines the assessment scope
  • States any assumptions or limitations for the assessment
  • Defines the CSRAP Team’s requirements to adequately assess the system
  • Lists all Points of Contact (POC) for the CSRAP Assessment Team, CMS, and System Contractor personnel
  • Defines the proposed duration for the assessment
  • Captures the level of Testing Rigor to which the system is to be subjected

Prior to being approved by the Business/System Owner or System Developer Maintainer, the SAP is submitted for review and corrections. Any information gathered at such review meetings is used to update the document.

The updated document will serve as the final Security and Privacy Assessment Plan (SAP).

Cybersecurity Framework: N/A

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate

Task A-3 CONTROL ASSESSMENTS

Assess the controls in accordance with the assessment procedures described in the approved Security Assessment Plan (SAP).

Potential Inputs: 

  • Security and Privacy Assessment Plans (SAP) outline the methods, scope and criteria for evaluating how well security and privacy controls are implemented and functioning. The document provides the CMS structured approach to identifying weaknesses and verifying compliance in its information systems.
  • System Security and Privacy Plans (SSPP) document detailed descriptions of how security and privacy controls are selected, implemented and managed for each specific CMS system. It is a living document which forms the baseline for ongoing risk management and compliance efforts.
  • External assessment or audit results (if applicable). These refer to findings and recommendations from third-party reviews of security and privacy measures. The results offer additional insights or validation, often required for CMS compliance or oversight purposes. 

Expected Outputs: 

Completed control assessments and associated assessment evidence. These are the finalized results and supporting documentation from the evaluation of security, privacy or supply chain controls. They typically would include test findings, interview records, and configuration reviews, indicating whether each evaluated control is implemented correctly and performing as intended.

Discussion: At CMS, security control assessments are carried out by the CSRAP Assessment Team using the assessment procedures specified in the SAP. The SAP also defines the scope and proposed duration of the assessment.

The designated Security and Privacy Officer (previously known as ISSO) initiates the Assessment process by filling out the Intake Form. This is done in CFACTS.

The CMS FISMA Continuous Tracking System (CFACTS) is the governance, risk and compliance (GRC) tool used by CMS to manage and track every step of the RMF, including Assessment. It replaces the Scheduling Interface for Government Navigation Alleviation (SIGNAL).

The CSRAP Assessment Team conducts the assessment as outlined in the SAP using the CMS recognized methods of Examine, Interview and Testing:

  • Examine: used to evaluate documents such as policies, procedures and system configurations
  • Interview: used to gather information from personnel based on their roles and responsibilities
  • Testing: used to verify how well hardware and software function

The focus is to check if the controls are set up properly, working as they should, and achieving the expected results to meet the security and privacy requirements of the system and CMS. 

Any security control that is not working as it should is termed a finding. All findings are documented in the Security Assessment Report (SAR).

The CSRAP Assessment Team recommends the actions needed to reduce or eliminate the risks identified in findings. If these actions are taken, the findings are deemed remediated and are reflected with a closed status in the SAR. If no remediation action is taken, the findings are documented with an open status.

CMS also uses Continuous Diagnostics and Mitigation (CDM) tools to:

  • Monitor cybersecurity risks on an ongoing basis
  • Prioritize risks based on potential impacts
  • Enable cybersecurity personnel to focus on risks with the most severe impact

CMS has a default Testing Rigor Level of 3, which is basic compliance verification. This level can be increased depending on the type, nature and scope of the assessment.

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate

Task A-4 Assessment Reports   

Prepare the assessment reports documenting the findings and recommendations from the control assessments. Upon completion of the assessment, the findings and recommendations are documented by the Assessment Team.

Potential Inputs: 

Completed control assessments and associated assessment evidence. These are the finalized results and supporting documentation from the evaluation of security, privacy or supply chain controls. They typically would include test findings, interview records, and configuration reviews, indicating whether each evaluated control is implemented correctly and performing as intended.

Expected Outputs: 

Completed security and privacy assessment reports detailing the Assessment Team’s findings and recommendations. This is the Security Assessment Report (SAR), a key document in the Authorization package, which details the strengths and weaknesses of implemented controls, highlights discovered issues and recommends actions to mitigate risks or close identified gaps.

Discussion: The Security Assessment Report (SAR) provides a comprehensive outline of the intent, execution, and results of the assessment process. The Security Assessment Lead utilizes the CSRAP Security Assessment Report Template to create a SAR and produce the applicable CAAT File.

Please see the Security Assessment & Authorization (CA) page for the CMS-specific process for developing a SAR.

Cybersecurity Framework: N/A

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate

Task A-5 Remediation Actions

Conduct initial remediation actions on the controls and reassess remediated controls.

Potential Inputs: 

  • Completed security and privacy assessment reports with findings and recommendations. This is the Security Assessment Report (SAR), a key document in the Authorization package, which details the strengths and weaknesses of implemented controls, highlights discovered issues and recommends actions to mitigate risks or close identified gaps.
  • System Security and Privacy Plans (SSPP) document detailed descriptions of how security and privacy controls are selected, implemented and managed for each specific CMS system. It is a living document which forms the baseline for ongoing risk management and compliance efforts.
  • Security and Privacy Assessment Plans (SAP) outline the methods, scope and criteria for evaluating how well security and privacy controls are implemented and functioning. The document provides the CMS structured approach to identifying weaknesses and verifying compliance in its information systems.
  • CMS ISRA and system-level risk assessment results document identified threats, vulnerabilities, and potential impacts within the system environment. These results guide CMS in prioritizing risk responses in compliance with CMS risk management policies.

Expected Outputs: 

  • Completed initial remediation actions based on the security and privacy assessment reports. The corrective actions taken by the System Team to address identified findings in the evaluated controls are documented.
  • Changes to implementations reassessed by the assessment team. The corrective actions taken are again reevaluated to ensure they effectively resolved the identified weaknesses and continue to meet security and privacy requirements.
  • Updated security and privacy assessment reports capture any changes to previously identified weaknesses after corrective actions have been taken and re-evaluation completed.
  • Updated security and privacy plans including changes to the control implementations. The current security and privacy posture of the system is captured, including changes made to address previously identified vulnerabilities. This accurately describes how controls are now implemented, providing a revised baseline system documentation.

Discussion: Guided by the recommendations made by the CSRAP Assessment Team, the security controls found to be non-compliant (findings) are remediated by the System Team. These remediated controls are then reassessed by the Assessment Team.

It must be noted that the CSRAP Assessment Team does not take remediation action. It is the responsibility of the System Team to undertake any needed remediation action.

The Security Assessment Report (SAR) describes the deficiencies in the implemented controls that could not be resolved during the development of the system (the Initiate phase of the TLC) or that were discovered post-development (during the Operate phase of the TLC).

Such findings may be High- or Critical-risk findings that require immediate remediation efforts. 

Scenario: A finding showing that multi-factor authentication (MFA) is not enforced for remote users accessing CMS systems is deemed a critical risk. It means that a user only needs a username and password to log in.

If an attacker obtains a user’s login credentials, they could gain direct access to sensitive information and internal systems. This could potentially lead to data breaches, identity theft and widespread compromise of the CMS network.

Such a critical finding would require immediate remediation actions, such as:

  1. Enable Multi-Factor Authentication (MFA) – The System Team must immediately implement MFA for all access points, ensuring that users provide an additional form of authentication (one-time passcode, biometrics) in addition to their password.
  2. Temporarily Limit Remote Access – Until MFA is fully deployed, restrict remote access to only essential personnel and monitor all login attempts closely for unusual activity.
  3. Password Policy Review – Strengthen password policies to include complexity requirements and encourage users to update passwords to further reduce risk.
  4. Security Awareness Training – Conduct training to remind employees and contractors about best practices for securing their accounts, particularly when accessing systems remotely.

In cases where remediation actions are immediately effected by the System Team during the assessment period, a reassessment of the remediated findings is conducted by the CSRAP Assessment Team. If no further findings are discovered, the status is closed; otherwise it is recorded as open.

The Security Assessment Report is then updated with the reassessment findings and recommendations by the CSRAP Assessment Team. However, the original assessment result is not changed.

Cybersecurity Framework: Profile

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate

Task A-6 PLAN OF ACTION AND MILESTONES   

Prepare the plan of action and milestones based on the findings and recommendations of the assessment reports.

Potential Inputs: 

  • Updated security and privacy assessment reports capture any changes to previously identified weaknesses after corrective actions have been taken and re-evaluation completed.
  • Updated security and privacy plans including changes to the control implementations. The current security and privacy posture of the system is captured, including changes made to address previously identified vulnerabilities. This accurately describes how controls are now implemented, providing a revised baseline system documentation.
  • CMS ISRA and system-level risk assessment results document identified threats, vulnerabilities, and potential impacts within the system environment. These results guide CMS in prioritizing risk responses in compliance with CMS risk management policies.
  • CMS risk management strategy and risk tolerance. The risk management strategy describes how CMS identifies, evaluates and monitors risk over time to ensure overall security and compliance, while its risk tolerance defines the acceptable level of risk CMS is willing to assume in order to achieve its mission and objectives. 

Expected Outputs:

A Plan of Action and Milestones (POA&M) detailing the findings from the security and privacy assessment reports that are to be remediated. This key document in the Authorization package ensures structured follow-up and resolution of identified findings, as it captures assigned responsibilities and target completion dates in compliance with CMS policies.

Discussion: The Plan of Action and Milestones (POA&M) describes the actions that are planned to correct deficiencies in the controls that are identified during the assessment of the controls and the continuous monitoring process. 

POA&Ms are created and tracked in CFACTS, the CMS GRC tool.

CMS policy requires all findings/weaknesses to be documented in a POA&M and reported to the Department of Health and Human Services (HHS). It also stipulates the following remediation timelines:

  • Critical-risk deficiencies must be remediated within 15 days
  • High-risk deficiencies must be remediated within 30 days
  • Moderate-risk weaknesses should be remediated within 90 days
  • Low-risk deficiencies are expected to be remediated within 365 days
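The timelines above are simple for one finding but worth automating across a whole POA&M so that open items past their CMS deadline are surfaced before HHS reporting. The Python below is an added example, not CMS or CFACTS code; it assumes a constructed set of POA&M entries with placeholder ids and uses this page's review date as the reporting date.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# CMS remediation timelines from the POA&M policy above, in days from the
# date the weakness was identified. Moderate ("should") and Low ("expected")
# are treated as hard due dates here so that they are surfaced, not ignored.
REMEDIATION_DAYS = {"critical": 15, "high": 30, "moderate": 90, "low": 365}

# Reporting date for the sample report: this page's own review date.
AS_OF = date(2024, 12, 5)


@dataclass
class Finding:
    poam_id: str      # placeholder id, constructed for this example
    risk: str         # Critical / High / Moderate / Low
    identified: date  # date the weakness was recorded in the POA&M
    status: str       # "open" or "closed"


def due_date(finding: Finding) -> date:
    """Completion date implied by the CMS timeline for the finding's risk level."""
    risk = finding.risk.strip().lower()
    if risk not in REMEDIATION_DAYS:
        # Fail loudly: an unrecognised level must never default to the 365-day tier.
        raise ValueError(f"{finding.poam_id}: unknown risk level {finding.risk!r}")
    return finding.identified + timedelta(days=REMEDIATION_DAYS[risk])


def overdue_findings(findings, as_of: date):
    """Return (poam_id, risk, days_overdue) for each open finding that is past
    its CMS timeline as of `as_of`, most overdue first. Closed findings are
    skipped because their remediation was already reassessed and accepted."""
    overdue = []
    for f in findings:
        if f.status.strip().lower() == "closed":
            continue
        late_by = (as_of - due_date(f)).days
        if late_by > 0:
            overdue.append((f.poam_id, f.risk.strip().lower(), late_by))
    overdue.sort(key=lambda row: row[2], reverse=True)
    return overdue


# Constructed sample POA&M entries; these are not real CMS findings.
SAMPLE = [
    Finding("POAM-EX-001", "Critical", date(2024, 10, 1), "open"),
    Finding("POAM-EX-002", "High", date(2024, 10, 20), "closed"),
    Finding("POAM-EX-003", "Moderate", date(2024, 8, 1), "open"),
    Finding("POAM-EX-004", "Low", date(2024, 1, 15), "open"),
    Finding("POAM-EX-005", "High", date(2024, 11, 20), "open"),
]

if __name__ == "__main__":
    for poam_id, risk, days in overdue_findings(SAMPLE, AS_OF):
        print(f"{poam_id} {risk:<8} overdue by {days} days")
```

Run against the sample, the report lists POAM-EX-001 (critical, 50 days overdue) and POAM-EX-003 (moderate, 36 days overdue); the low-risk item is not yet due because 2024 is a leap year, a detail worth checking in any hand calculation.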

Please see the CMS Plan of Action and Milestones (POA&M) Handbook for the guide to creating, managing, and closing a system's POA&M.

Cybersecurity Framework: ID.RA-6

TLC Cycle Phase:

  • New – Initiate
  • Existing – Operate