CMS Risk Management Framework (RMF): Monitor Step
Last Reviewed: 12/5/2024
The Monitor Step of the CMS RMF keeps systems secure through continuous monitoring, risk response, and reporting. System stakeholders must assess controls, track changes, manage POA&Ms, and consider ongoing system authorization.
What is the Risk Management Framework (RMF)?
The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.
The RMF is made up of 7 steps:
What is the Monitor Step?
The purpose of the Monitor Step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.
Monitor Step tasks
Task M-1 System and Environment Changes
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies.
Potential Inputs
- Organizational continuous monitoring strategies outline how an organization plans to conduct continuous monitoring of its systems at various levels (organization-wide, mission/business process, and system level). These strategies enable the organization to maintain ongoing awareness of its security posture, identify emerging threats, and support informed risk management decisions.
- Organizational configuration management policy and procedures define how organizations manage and control changes to their system configurations. This ensures that security controls remain in place and that any unauthorized change that could make the system vulnerable or compromise its security is promptly detected.
- Organizational policy and procedures for handling unauthorized system changes maintain the system's security and privacy integrity by providing a structured framework to detect and respond to unauthorized changes.
- Security and privacy plans serve as living documents that continuously reflect the current security posture of the system. They allow organizations to make informed risk management decisions by providing up-to-date information on implemented controls and on adjustments needed as a result of ongoing monitoring activities.
- Configuration change requests/approvals document all requested and approved changes to the system. They are critical for ensuring that modifications made to system configurations are tracked, assessed for potential security risks, and authorized by appropriate personnel.
- System design documentation provides a comprehensive overview of the system's architecture and functionalities. Understanding how the system is built and how data flows through it is crucial for effective ongoing monitoring of security controls and for identifying potential vulnerabilities.
- Security and privacy assessment reports provide details of the system's previous security and privacy control assessment findings. They establish the baseline security posture, show how changes might alter risk levels, and help ensure that the system remains adequately protected throughout its lifecycle.
- Plans of action and milestones (POA&Ms) effectively track identified vulnerabilities, assign remediation responsibilities, set clear timelines, and ensure that necessary actions are taken to address security issues on an ongoing basis.
- Information from automated and manual monitoring tools provides the data generated by the organization's monitoring tools. This data helps detect changes in the system and its environment, creating real-time awareness of changes that could impact the security and privacy posture. It is key to enabling timely corrective action and maintaining a continuously updated risk assessment.
Expected Outputs
- Updated security and privacy plans reflecting any changes in the system or environment that affect the security and privacy controls.
- Updated POA&Ms indicating the actions required to address security and privacy risks introduced by changes to the system.
- Updated security and privacy assessment reports providing current information on the effectiveness of security and privacy controls after changes.
CMS Discussion
CMS has established a System Security and Privacy Plan (SSPP) program. The SSPP is a living collection of information that must be updated with any changes to the system, especially changes that occur during the life cycle of the FISMA system. To effectively address all identified risks and weaknesses, the CMS Plan of Action and Milestones (POA&M) guidance provides a complete guide to creating, managing, and closing a system's POA&M.
CMS leverages the Continuous Diagnostics and Mitigation (CDM) program to help strengthen the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities and send that information to analytics tools, which create dashboards that alert system managers about risks for remediation, report security/privacy posture to CMS, and share aggregated information at the federal level. The CMS Cybersecurity Integration Center (CCIC) uses this data to address incidents through risk management and to monitor activities across CMS. Cyber Risk Reporting provides reports and dashboards that help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats; ad hoc risk reviews are additional programs and tools used to monitor the system. Finally, the CMS Cybersecurity and Risk Assessment Program (CSRAP) provides current information on the effectiveness of security and privacy controls after changes.
Cybersecurity Framework: DE.CM; ID.GV
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-2 Ongoing Assessments
Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy to ensure the controls remain effective against evolving threats and changes within the system and its environment.
Potential Inputs
- The organizational continuous monitoring strategy allows the ongoing evaluation of security controls within the system, enabling proactive identification and mitigation of emerging risks. This strategy is essential for providing a real-time view of system security posture beyond a single snapshot assessment.
- A system-level continuous monitoring strategy ensures that security controls implemented within a system remain effective over time by continuously monitoring their performance, detecting potential issues early, and allowing for timely mitigation actions. This strategy is crucial for supporting the system's ongoing authorization and risk management process.
- Security and privacy plans provide a documented framework for continuously monitoring and evaluating the effectiveness of implemented security controls. They are vital for ensuring the system remains compliant with privacy regulations and adequately mitigates security risks throughout its lifecycle.
- Security and privacy assessment plans detail the approach for evaluating the effectiveness of the controls. They document the scope of the assessment, including the security controls being addressed, the procedures, and the roles and responsibilities of the assessment team. This structures the assessment process and ensures all relevant aspects of the system are evaluated.
- Security and privacy assessment reports provide baseline findings from previous assessments and detailed information about the effectiveness of implemented security and privacy controls within a system. These reports are essential for continuous monitoring, identification of any weaknesses or gaps in the security controls, and informing risk-based decision-making, including authorization decisions.
- POA&Ms identify the system's known weaknesses and security deficiencies, and include plans for addressing those deficiencies.
- Information from automated and manual monitoring tools provides data that supports real-time visibility into system operations and security status. This data is vital for detecting and responding to changes that could impact the effectiveness of security and privacy controls.
- Organization and system-level risk assessment results offer insight into the current risk posture and identify areas that exceed the organization's risk tolerance. The results are used to plan corrective actions to address the identified risks.
- External assessment or audit results provide an independent view of system security and privacy posture. This creates greater transparency and increases accountability and compliance between the organization and its customers.
Expected Outputs
- Updated security and privacy assessment reports reflecting the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement.
- Updated POA&Ms documenting the action plans for addressing identified control weaknesses, including timelines and responsibilities. For example, CMS requires POA&Ms to be updated at least monthly and to be accurate at the beginning of each month.
CMS Discussion
The Cybersecurity and Risk Assessment Program (CSRAP) is available for System/Business Owners to meet the current requirements of the ATO process and the testing control requirements described in the CMS Acceptable Risk Safeguards (ARS).
CSRAP is a security and risk assessment process for FISMA systems at CMS and supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process. The Risk Assessment component of CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the CMS Cybersecurity Integration Center (CCIC). CSRAP is data-driven, focuses on how to manage risk effectively, and gives system teams a clearer picture of their overall risk.
Cybersecurity Framework: ID.SC-4
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-3 Ongoing Risk Response
Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA&Ms to ensure timely and effective risk response actions and to manage risks dynamically. Risk responses reflect changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.
Potential Inputs
- Security and privacy assessment reports provide detailed findings on the effectiveness of implemented controls and any identified vulnerabilities. They are vital for providing a comprehensive view of the system's current security posture and identifying any potential vulnerabilities or areas for improvement related to both security and privacy aspects.
- Organization and system-level risk assessment results provide ongoing information about potential threats and vulnerabilities. These results are crucial for guiding and informing decisions about ongoing risk response. For example, they enable the organization to identify which risks require immediate attention and how best to respond by accepting, mitigating, transferring, or avoiding them.
- Security and privacy plans document the existing security and privacy controls and the rationale for their selection. These plans ensure that the system continues to meet the organization's security and privacy requirements throughout its lifecycle.
- POA&Ms provide documented evidence of corrections (for example, scan results). They are crucial for remediation and mitigation efforts based on the results of ongoing monitoring activities, assessments of risk, and outstanding items in the POA&M.
Expected Outputs
- Mitigation actions or risk acceptance decisions documenting the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk.
- Updated security and privacy assessment reports reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment.
- Updated POA&Ms reflecting the progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis.
CMS Discussion
The CMS CSRAP and CCIC teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks, ensuring CMS's operations and assets (as well as individual privacy) are adequately protected. This provides system teams with an updated security and privacy assessment posture. CMS recommends that system teams not use the security assessment report template; instead, system teams are encouraged to work with their assessment teams, such as CSRAP, to manage the security assessments and reports required for their systems.
As part of its process, CSRAP validates POA&Ms closed since the last assessment, including any previous risk/security assessment.
CSRAP risk assessment reports divide risks into three categories:
- Inherent risks: Arise directly from unmitigated findings (including open POA&Ms)
- Residual risks: Arise indirectly from already mitigated findings or from a source other than technical findings
- Inherited risks: Exist because security controls are inherited from another system
Cybersecurity Framework: RS.AN
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-4 Authorization Package Updates
Update key artifacts such as security and privacy plans, assessment reports, and POA&Ms based on the results of the continuous monitoring process to ensure that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. This enables decision-makers to have the necessary information to make informed risk management decisions.
Potential Inputs
- Security and privacy assessment reports contain the findings and recommendations from assessments of the system's security and privacy controls, helping to identify any changes in the effectiveness of controls. They are crucial for providing the authorizing official with the information needed to understand the current security posture of the system and make informed risk management decisions.
- Organization and system-level risk assessment results provide a comprehensive view of potential threats and vulnerabilities across an organization's systems. They are vital for allowing decision-makers to prioritize security controls and mitigation strategies based on the identified risks and the acceptable level of risk for their operation.
- Security and privacy plans serve as documents to continuously update and maintain the system's security and privacy posture by outlining the implemented controls, risk mitigation strategies, and ongoing monitoring activities. These plans are essential for ensuring the authorization package remains current and accurately reflects the system's security status throughout its lifecycle.
- POA&Ms document planned remediation activities for addressing known deficiencies in security and privacy controls.
- Configuration change requests/approvals and system design documentation ensure that any modifications made to a system are properly reviewed, authorized, and documented. This documentation is vital for maintaining the system's security posture by tracking changes and ensuring they align with established security controls and risk management practices.
Expected Outputs
- Updated security and privacy plans reflecting any modifications to the security and privacy controls, changes in the threat environment, or other factors affecting the security and privacy posture of the system.
- Updated security and privacy assessment reports incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture.
- Updated POA&Ms documenting the progress on remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities.
- Updated risk assessment results reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors.
CMS Discussion
An authorization package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet CMS ATO requirements.
The CMS CSRAP team provides a plain-language security and privacy assessment report, drawn from multiple data sources, that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities, providing the most information possible about overall system risk. This allows the system team to make future decisions based on risk, instead of performing compliance tasks only at set intervals. CMS POA&M standards align with the HHS POA&M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA&M, reported to HHS, and remediated within specific timelines.
To make the process more efficient, CMS has added the CMS Assessment and Audit Tracking (CAAT) and POA&M supporting guidance matrices to the CAAT supporting guidance section of the POA&M within CFACTS. CMS considers the SSPP a living collection of information that must be updated with any changes to the system, especially when a significant change occurs in the life cycle of the FISMA system. CMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA&Ms.
Read about the ATO process (including stakeholders and their responsibilities) and the CMS Information System Security Officer (ISSO) Handbook for the full list of NIST approved authorization package documents. For additional information email CISO@cms.hhs.gov.
Cybersecurity Framework: RS.IM
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-5 Security and Privacy Reporting
Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis in accordance with the organizational continuous monitoring strategy. Key officials should have ongoing visibility into the system's security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.
Potential Inputs
- Security and privacy assessment reports document the current security and privacy posture of a system, providing vital information to the authorizing official about the system's vulnerabilities and risks.
- POA&Ms provide a list of actions planned or in progress to address identified security and privacy weaknesses.
- Organization and system-level risk assessment results provide ongoing visibility into the security and privacy posture of a system to the authorizing official and other organizational stakeholders. These results enable organization officials to make informed decisions regarding risk management, resource allocation, and strategic planning based on the current risk landscape across the entire organization and individual systems.
- Organization and system-level continuous monitoring strategies maintain ongoing awareness of the security and privacy posture of an information system. These strategies are crucial for allowing relevant officials to proactively address potential issues and maintain compliance with security standards.
- Security and privacy plans provide the current security and privacy posture of a system to relevant organizational officials.
- The cybersecurity framework profile outlines the organization’s cybersecurity goals and the standards, guidelines, and practices they will implement from a cybersecurity framework to achieve those goals.
Expected Outputs
- Security and privacy posture reports that summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.
- A list of updated POA&Ms reflecting the latest progress on remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape.
CMS Discussion
Cyber Risk Reports are provided monthly by the Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs) and to CMS Senior Leadership (such as the COO, CISO, and CIO).
In addition, CMS provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks to their systems and ways to mitigate them. These reports make it easier to spot things like overdue POA&Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. CMS has also established the ISSO As A Service program, which provides skilled ISSOs to CMS components to help ensure adequate information security across all CMS components and systems, including communicating with CMS Business Owners (BO) and senior leadership on potential security risks and mitigation strategies.
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-6 Ongoing Authorization
Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds.
Potential Inputs
- Risk tolerance defines the organization's acceptable level of risk and is crucial for the AO to determine whether the system's risk posture aligns with organizational risk tolerance.
- Security and privacy posture reports provide a current overview of the security and privacy posture of the system, including the effectiveness of controls. They are crucial for determining whether the risk remains acceptable as defined by organizational policies and thresholds.
- POA&Ms allow the AO to evaluate the progress towards mitigating vulnerabilities and improving the system's posture.
- Organization and system-level risk assessment results provide ongoing visibility into the security and privacy posture of a system. These results inform the AO's decisions by highlighting changes in risk exposure while ensuring that the current risk level remains acceptable according to organizational risk tolerance.
- Security and privacy plans provide an outline of the ongoing security and privacy controls implemented and mitigation strategies to address identified risks and protect sensitive information within the system. Overall, they help the AO assess whether the controls are adequate and effective in managing risk.
Expected Outputs
- Determination of risk: A formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance.
- Ongoing authorization to operate: A formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions.
- Denial of ongoing authorization: A formal notification that the system's authorization to operate is denied due to unacceptable risk levels. Includes recommendations for risk mitigation or system decommissioning.
CMS Discussion
CMS implements an Ongoing Authorization (OA) program that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows System/Business Owners to make risk-based decisions quickly and confidently and to engage in remediation efforts that minimize ongoing exposures. To be eligible for OA, systems must leverage the latest control automation tools. Additionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerabilities (VUL).
Some of the roles with responsibilities tied to Task M-6 include: Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO), and Senior Agency Official for Privacy (SAOP).
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
Task M-7 System Disposal
Implement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or reusing compromised components.
Potential Inputs
- Security and privacy plans identify specific disposal requirements and considerations related to the controls implemented on the system. They are key to ensuring that proper data protection and privacy measures are taken during system decommissioning or disposal, especially when handling sensitive information.
- Organization and system-level risk assessment results come from a comprehensive risk analysis conducted at both the organizational and individual system levels. They are essential for highlighting any potential risks that could be exacerbated by the disposal process.
- A system component inventory lists all system components, including hardware and software, to ensure that every component is accounted for during the disposal process and that secure disposal methods are applied appropriately.
Expected Outputs
- Disposal strategy document or set of documents outlining the planned approach for securely disposing of the system and its components.
- Updated system component inventory reflecting the removal of disposed components from the organization's asset inventory.
- Updated security and privacy plans indicating that the system has been decommissioned and is no longer in operation.
- Disposal records providing details of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware.
CMS Discussion
At CMS, system disposals are managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA). RIM leverages the Cross-Reference Tool (CRT) which documents CMS IT Systems’ Record schedules and retention periods and tracks those IT Systems’ statuses and records/data dispositions. Business Owners of active CMS IT systems receive an email from the CRT Tool with the Annual Notification of Eligibility for Disposal.
Contact the RIM Team in OSORA for further guidance at Records_Retention@cms.hhs.gov and see the CMS RIM Policy (requires login).
Some of the roles with responsibilities tied to Task M-7 include: System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer, and Senior Agency Official for Privacy (SAOP).
TLC Cycle Phase: New systems – Initiate; Existing systems – Operate