Skip to main content

CMS Risk Management Framework (RMF): Monitor Step

Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system

Last reviewed: 12/5/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Related Resources

CMS Risk Management Framework (RMF)
National Institute of Standards and Technology (NIST)

What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps:

What is the Monitor Step?

The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.

Organizational and System Level Monitor Tasks

Organizational level tasks are completed as part of the Information Security and Privacy Program managed by the Office of Information Technology. System level monitor tasks also take into consideration mission/business process concerns.

Task M-1 System and environment changes

Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies.

Potential Inputs:

  • Organizational continuous monitoring strategies for its systems at various levels (organization-wide, mission/business process, and system level)
  • Organizational configuration management policy and procedures
  • Guidance on how changes to system configurations are managed and controlled
  • Organizational policy and procedures for handling unauthorized system changes
  • Security and privacy plans
  • Configuration change requests and approvals
  • System design documentation
  • Security and privacy assessment reports
  • Plans of action and milestones (POA&Ms)
  • Information from automated and manual monitoring tools from across CMS

Expected Outputs:

  • Updated security and privacy plans to reflect any changes in the system or environment that affect security and privacy controls
  • Updated POA&Ms indicating the actions required to address security and privacy risks introduced by changes to the system
  • Updated security and privacy assessment reports that provide current information on the effectiveness of security and privacy controls after changes

Discussion:

CMS has established a system security and privacy plan (SSPP) program that is a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.

To effectively address/track all identified risks/weaknesses the CMS Plan of Action and Milestone (POA&M) provides a complete guide to creating, managing, and closing a system’s POA&M.

CMS leverages the Continuous Diagnostics and Mitigation (CDM) program to aid in strengthening the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities, and then send that information to analytics tools to create dashboards that alert system managers about risks for remediation, report security/privacy posture to CMS and share aggregated information at the federal level.

The CMS Cybersecurity Integration Center (CCIC) uses data to address incidents through risk management and monitoring activities across CMS. Cyber Risk Reporting provides reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats. Ad hoc risk reviews are programs and tools used to monitor the system.

Finally, the CMS Cybersecurity and Risk Assessment Program (CSRAP) provides current information on the effectiveness of security and privacy controls after changes.

Some of the roles with responsibilities tied to Task M-1 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer, Senior Agency Official for Privacy, and Security Control Assessors (SCA).

For additional information on the roles and responsibilities visit the NIST RMF roles and responsibilities crosswalk.

Cybersecurity Framework: DE.CM; ID.GV

TLC Cycle Phase:

Task M-2: Ongoing assessments

Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy. To ensure the controls remain effective over time against evolving threats and changes within the system and its environment.

Potential Inputs:

  • Organizational continuous monitoring strategy
  • System level continuous monitoring strategy (if applicable)
  • Security and privacy plans
  • Security and privacy assessment reports
  • POA&Ms
  • Information from automated and manual monitoring tools
  • Organization- and system-level risk assessment results
  • External assessment or audit results (if applicable)

Expected Outputs:

  • Updated security and privacy assessment reports to reflect the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement
  • List of updated POA&Ms to document the action plans for addressing identified control weaknesses, including timelines and responsibilities

Discussion:

The Cybersecurity and Risk Assessment Program (CSRAP) is available for System/Business Owners to meet the current requirements of the ATO process and the testing control requirements described in the CMS Acceptable Risk Safeguards (ARS).

CSRAP is a security and risk assessment framework that facilitates and encourages risk-based decision-making for FISMA systems at CMS. It supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process. 

The Risk Assessment component of the CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the CMS Cybersecurity Integration Center (CCIC). CSRAP is data-driven and focuses on how to manage risk effectively and gives system teams a clearer picture of their overall risk.

To schedule an assessment, contact the CSRAP team at CSRAP@cms.hhs.gov

Some of the roles with responsibilities tied to Task M-2 include the Security Control Accessor (SCA), System Owner/Common Control Provider, Authorizing Official (AO), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: ID.SC-4

TLC Cycle Phase:

Task M-3: Ongoing risk response

Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA&Ms. To ensure timely and effective risk response actions and to manage risks dynamically, such that it reflects changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.

Potential Inputs:

  • Security and privacy assessment reports, with detailed findings on the effectiveness of implemented controls and any identified vulnerabilities
  • Organization- and system-level risk assessment results
  • Security and privacy plans documenting existing security and privacy controls and the rationale for their selection
  • POA&Ms

Expected Outputs:

  • Mitigation actions or risk acceptance decisions documenting the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk
  • Updated security and privacy assessment reports reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment
  • Updated POA&M reflecting progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis

Discussion:

The CMS CSRAP and CCIC teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks. They ensure that CMS's operations and assets, as well as individual privacy, are adequately protected. This provides system teams with an updated security and privacy assessment posture.

CMS recommends that system teams not use the security assessment report template, and instead encourages them to work with their assessment teams like CSRAP to manage the security assessments and reports required for their systems.

The CSRAP validates PO&AMs that were closed since the last assessment including any previous risk/security assessment as part of its assessment process.

A CSRAP risk assessment report divides risks into three categories:

  • Inherent risks (risks arise directly from unmitigated findings, including open POA&Ms)
  • Residual risks (risks arise indirectly from already mitigated findings or from some source other than technical findings)
  • Inherited risks (risks exist because security controls are inherited from another system)

Some of the roles with responsibilities tied to Task M-3 include the Authorizing Official (AO), System Owner (SO), Common Control Provider, Security Control Accessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: RS.AN

TLC Cycle Phase:

Task M-4: Authorization package updates

Update key artifacts such as security and privacy plans, assessment reports, and POA&Ms based on the results of the continuous monitoring process to ensure that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. To enable decision-makers to have the necessary information to make informed risk management decisions.

Potential Inputs:

  • Security and privacy assessment reports
  • Organization- and system-level risk assessment results
  • Security and privacy plans
  • POA&Ms with documented planned remediation activities
  • Configuration change requests or approvals
  • System design documentation with a record of approved changes to the system and its environment

Expected Outputs:

  • Updated security and privacy assessment reports incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture
  • Updated POA&Ms documenting the progress on remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities
  • Updated risk assessment results reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors
  • Updated security and privacy plans reflecting any modifications/changes to the security and privacy controls, the threat environment, or other factors affecting the security and privacy posture of the system

Discussion:

An Authorization Package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet CMS ATO requirements.

The CMS CSRAP team provides a plain-language security and privacy assessment report from multiple data sources that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities providing the most information possible about overall system risk. This allows the system team to make future decisions based on risk, instead of performing compliance tasks only at set intervals.

CMS POA&M standards align with the HHS POA&M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA&M, reported to HHS, and remediated within specific timelines.

CMS has added the CMS Assessment and Audit Tracking (CAAT) and POA&M supporting guidance matrices in the CAAT supporting guidance section in the POA&M within CFACTS to make the process more efficient.

CMS considers the SSPP as a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system.

CMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA&Ms.

Please see the ATO page for the ATO process (including stakeholders and their responsibilities) and see the CMS Information System Security Officer (ISSO) Handbook for the full list of NIST approved Authorization package documents.

For additional information please contact the CISO@cms.hhs.gov.

Some of the roles with responsibilities tied to Task M-4 include the System Owner (SO), Common Control Provider, Security Control Assessor (SCA), Authorizing Official (AO) or Authorizing Official Designated Representative (AODR), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: RS.IM

TLC Cycle Phase:

Task M-5: Security and privacy reporting

Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. To ensure that these key figures have ongoing visibility into the system’s security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.

Potential Inputs:

  • Security and privacy assessment reports
  • List of POA&M actions planned or in progress to address identified security and privacy weaknesses
  • Organization- and system-level risk assessment results
  • Organization- and system-level continuous monitoring strategies
  • Security and privacy plans
  • Cybersecurity Framework Profile outlining CMS’s cybersecurity goals and the standards, guidelines, and practices they have chosen to achieve those goals.

Expected Outputs:

  • Security and privacy posture reports that summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.
  • List of updated POA&Ms reflecting the latest progress on remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape

Discussion:

Cyber Risk Reports are provided monthly by Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO).

CMS also provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks (along with ways to mitigate them) for their systems. These reports make it easier to spot things like overdue POA&Ms, expiring Contingency Plans, and other areas where ISSOs need to take action.

CMS has established the ISSO As A Service program that provides skilled ISSOs to CMS components who can help ensure adequate information security across all CMS components and systems. Including, communicating with CMS Business Owners (BO) and senior leadership on insights about potential security risks and mitigation strategies.

Some of the roles with responsibilities tied to Task M-5 include the System Owner (SO), Common Control Provider, Senior Agency Information Security Officer (SAISO), Senior Agency Official for Privacy (SAOP), and Authorizing Official (AO).

Cybersecurity Framework: N/A

TLC Cycle Phase:

Task M-6: Ongoing authorization

Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds.

Potential Inputs:

  • Risk tolerance defining CMS’s acceptable level of risk
  • Security and privacy posture reports
  • POA&Ms
  • Organization- and system-level risk assessment results
  • Security and privacy plans

Expected Outputs:

  • Determination of risk: a formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance
  • Ongoing authorization to operate a formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions
  • Ongoing authorization to use
  • Ongoing common control authorization
  • Denial of ongoing authorization to operate if applicable
    • Formal notification that the system's authorization to operate is denied due to unacceptable risk levels, including recommendations for risk mitigation or system decommissioning; denial of ongoing authorization to use, denial of ongoing common control authorization

Discussion:

CMS implements an Ongoing Authorization (OA) program that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities.

This allows System and Business owners to make risk-based decisions quickly and confidently and engage in remediation efforts to minimize ongoing exposures.

To be eligible for OA, systems must leverage the latest control automation tools.

Additionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).

Some of the roles with responsibilities tied to Task M-6 include the Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO) and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: N/A

TLC Cycle Phase:

Task M-7: System disposal

Implement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or the reuse of compromised components.

Potential Inputs:

  • Security and privacy plans important for identifying specific disposal requirements or considerations related to the controls that were in place
  • Organization- and system-level risk assessment results to highlight any potential risks that could be exacerbated by the disposal process
  • System component inventory: a detailed inventory of all system components, including hardware and software
    • System component inventory is essential for ensuring that all components are accounted for during the disposal process and that secure disposal methods are applied appropriately

Expected Outputs:

  • Disposal strategy: a document or set of documents outlining the planned approach for securely disposing of the system and its components
  • Updated system component inventory, reflecting the removal of disposed components from the organization's asset inventory
  • Updated security and privacy plans that indicate that the system has been decommissioned and is no longer in operation
  • Disposal records providing detailed records of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware

Discussion:

At CMS, system disposal is managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA).

RIM leverages the Cross-Reference Tool (CRT). CRT documents CMS IT Systems’ Record schedules and retention periods and tracks those IT Systems’ statuses and records/data dispositions.

Business Owners of active CMS IT systems receive an email from the CRT Tool with the Annual Notification of Eligibility for Disposal.

Please contact the RIM Team in OSORA for further guidance at Records_Retention@cms.hhs.gov and see the CMS RIM Policy.

Some of the roles with responsibilities tied to Task M-7 include the System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: N/A

TLC Cycle Phase: