
CMS Risk Management Framework (RMF): Monitor Step

Maintain an ongoing situational awareness about the security and privacy posture of a FISMA system

Last reviewed: 12/5/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov


What is the Monitor Step? 

The purpose of the Monitor step is to maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.  

Task M-1 System and Environment Changes 

Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system. Also, ensure the continuous monitoring process aligns with CMS continuous monitoring strategies. 

Potential Inputs:  

  1. Organizational continuous monitoring strategies: outline how the organization plans to conduct continuous monitoring of its systems at various levels (organization-wide, mission/business process, and system level). They enable the organization to maintain ongoing awareness of its security posture, identify emerging threats, and support informed risk management decisions.
  2. Organizational configuration management policy and procedures: define how the organization manages and controls changes to its system configurations. They ensure that security controls remain in place and that any unauthorized change that could make the system vulnerable or compromise its security is promptly detected.
  3. Organizational policy and procedures for handling unauthorized system changes: maintain security and privacy integrity by providing a structured framework to detect and respond to unauthorized changes.
  4. Security and privacy plans: these plans serve as living documents that continuously reflect the current security posture of the system. They allow the organization to make informed risk management decisions by providing up-to-date information on implemented controls and on the adjustments needed based on ongoing monitoring activities.
  5. Configuration change requests/approvals: document all requested and approved changes to the system. They are critical for ensuring that any modification to system configurations is tracked, assessed for potential security risks, and authorized by appropriate personnel.
  6. System design documentation: provides a comprehensive overview of the system's architecture and functionality. Understanding how the system is built and how data flows through it is crucial for effective ongoing monitoring of security controls and identification of potential vulnerabilities.
  7. Security and privacy assessment reports: these reports detail the findings of the system's previous security and privacy control assessments, helping to establish the baseline security posture and to judge how changes might alter risk levels. They are crucial for ensuring that the system remains adequately protected throughout its lifecycle.
  8. Plans of action and milestones (POA&Ms): the plans set forth to track identified vulnerabilities, assign remediation responsibilities, set clear timelines, and ensure that necessary actions are taken to address security issues on an ongoing basis.
  9. Information from automated and manual monitoring tools: the data generated by the organization's monitoring tools. This data helps detect changes in the system and its environment, creating real-time awareness of changes that could impact the security and privacy posture. It is crucial for enabling timely corrective actions and maintaining a continuously updated risk assessment.


Expected Outputs:  

  1. Updated security and privacy plans:  reflecting any changes in the system or environment that affect the security and privacy controls.  
  2. Updated POA&Ms: indicating the actions required to address security and privacy risks introduced by changes to the system.  
  3. Updated security and privacy assessment reports: providing current information on the effectiveness of security and privacy controls after changes. 

Discussion: CMS has established a system security and privacy plan (SSPP) program in which the SSPP is a living collection of information that must be updated with any change to the system, especially when a significant change occurs in the life cycle of the FISMA system. To effectively address and track all identified risks and weaknesses, the CMS Plan of Action and Milestones (POA&M) guidance provides a complete guide to creating, managing, and closing a system's POA&M.

CMS leverages the Continuous Diagnostics and Mitigation (CDM) program to strengthen the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. The CDM sensors automate identification of known cyber vulnerabilities and send that information to analytics tools that create dashboards to alert system managers about risks requiring remediation, report security and privacy posture to CMS, and share aggregated information at the federal level. The CMS Cybersecurity Integration Center (CCIC) uses this data to address incidents through risk management and monitoring activities across CMS. Cyber Risk Reporting provides reports and dashboards that help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats, and ad hoc risk reviews are additional programs and tools used to monitor the system. Finally, the CMS Cybersecurity and Risk Assessment Program (CSRAP) provides current information on the effectiveness of security and privacy controls after changes.

Cybersecurity Framework: DE.CM; ID.GV 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-2 Ongoing Assessments 

Assess the controls implemented within and inherited by the system in accordance with the continuous monitoring strategy, to ensure the controls remain effective over time against evolving threats and changes within the system and its environment.

Potential Inputs:  

  1. Organizational continuous monitoring strategy: allows ongoing evaluation of the security controls within the system, enabling proactive identification and mitigation of emerging risks. This strategy is essential for providing a real-time view of the system's security posture rather than a single snapshot assessment.
  2. System-level continuous monitoring strategy: ensures that the security controls implemented within a system remain effective over time by continuously monitoring their performance, detecting potential issues early, and allowing timely mitigation actions. This strategy is crucial for supporting the system's ongoing authorization and risk management process.
  3. Security and privacy plans: provide a documented framework for continuously monitoring and evaluating the effectiveness of implemented security controls. They are vital for ensuring the system remains compliant with privacy regulations and adequately mitigates security risks throughout its lifecycle.
  4. Security and privacy assessment plans: detail the approach for assessing the effectiveness of the controls. They document the scope of the assessment, including the security controls being assessed, the assessment procedures, and the roles and responsibilities of the assessment team, thereby structuring the assessment process and ensuring all relevant aspects of the system are evaluated.
  5. Security and privacy assessment reports: provide baseline findings from previous assessments and detailed information about the effectiveness of the security and privacy controls implemented within a system. These reports are essential for continuous monitoring, for identifying weaknesses or gaps in the security controls, and for informing risk-based decision-making, including authorization decisions.
  6. POA&Ms: identify the system's known weaknesses and security deficiencies and include plans for addressing them.
  7. Information from automated and manual monitoring tools: provides data that supports real-time visibility into system operations and security status. The data is vital for detecting and responding to changes that could impact the effectiveness of security and privacy controls.
  8. Organization- and system-level risk assessment results: offer insight into the current risk posture and identify areas that exceed the organization's risk tolerance. The results are used to plan corrective actions to address the identified risks.
  9. External assessment or audit results: provide an independent view of the system's security and privacy posture. They create greater transparency and increase accountability and compliance between the organization and its customers.

Expected Outputs:  

  1. Updated security and privacy assessment reports: reflect the findings of the ongoing assessments, including any changes in control effectiveness and recommendations for improvement.
  2. Updated POA&Ms: document the action plans for addressing identified control weaknesses, including timelines and responsibilities. For example, CMS requires POA&Ms to be updated at least monthly and to be accurate at the beginning of each month.

Discussion: The Cybersecurity and Risk Assessment Program (CSRAP) is available for System/Business Owners to meet the current requirements of the ATO process and the control testing requirements described in the CMS Acceptable Risk Safeguards (ARS).

CSRAP is a security and risk assessment process for FISMA systems at CMS and supersedes the Adaptive Capabilities Testing (ACT) Program as the primary input to the Authority to Operate (ATO) process. The Risk Assessment component of CSRAP pulls relevant data from previous and ongoing audits and assessments, as well as data available from the Continuous Diagnostics and Mitigation (CDM) program of the CMS Cybersecurity Integration Center (CCIC). CSRAP is data-driven, focuses on how to manage risk effectively, and gives system teams a clearer picture of their overall risk. Please contact the CSRAP team at CSRAP@cms.hhs.gov.

Cybersecurity Framework: ID.SC-4 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-3 Ongoing Risk Response   

Respond to risk based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA&Ms, to ensure timely and effective risk response actions and to manage risk dynamically so that the response reflects changes in the threat landscape, system vulnerabilities, and organizational risk tolerance.

Potential Inputs:  

  1. Security and privacy assessment reports: provide detailed findings on the effectiveness of implemented controls and any identified vulnerabilities. They are vital for giving a comprehensive view of the system's current security posture and identifying potential vulnerabilities or areas for improvement related to both security and privacy.
  2. Organization- and system-level risk assessment results: provide ongoing information about potential threats and vulnerabilities. These results are crucial for guiding and informing decisions about ongoing risk response. For example, they enable the organization to identify which risks require immediate attention and how best to respond by accepting, mitigating, transferring, or avoiding them.
  3. Security and privacy plans: document the existing security and privacy controls and the rationale for their selection. These plans ensure that the system continues to meet the organization's security and privacy requirements throughout its lifecycle.
  4. POA&Ms: provide documented evidence of correction, such as scan results. They are crucial for remediation and mitigation efforts based on the results of ongoing monitoring activities, risk assessments, and outstanding items in the POA&M.

Expected Outputs:  

  1. Mitigation actions or risk acceptance decisions: document the chosen risk response for each identified risk, including detailed plans for mitigation actions or formal acceptance of the risk.  
  2. Updated security and privacy assessment reports: reflecting the reassessment of risks following the implementation of mitigation actions or changes in the risk environment. 
  3. Updated POA&M: reflecting the progress on mitigation actions, including any completed tasks and adjustments to remaining actions based on ongoing risk analysis. 

Discussion: The CMS CSRAP and CCIC teams maintain an adaptive security and privacy posture that responds effectively to new and evolving risks, ensuring that CMS operations and assets, as well as individual privacy, are adequately protected. This provides system teams with an updated security and privacy assessment posture. CMS recommends that system teams not use the security assessment report template, and instead encourages them to work with their assessment teams, such as CSRAP, to manage the security assessments and reports required for their systems.

As part of its assessment process, CSRAP validates POA&Ms that were closed since the last assessment, including any previous risk or security assessment. The CSRAP risk assessment report divides risks into three categories: inherent risks, which arise directly from unmitigated findings (including open POA&Ms); residual risks, which arise indirectly from already mitigated findings or from some source other than technical findings; and inherited risks, which exist because security controls are inherited from another system.

Cybersecurity Framework: RS.AN 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-4 Authorization Package Updates 

Update key artifacts such as security and privacy plans, assessment reports, and POA&Ms based on the results of the continuous monitoring process, so that the authorization package remains current and accurately reflects the security and privacy posture of the information system throughout its lifecycle. This gives decision-makers the information they need to make informed risk management decisions.

Potential Inputs:  

  1. Security and privacy assessment reports: contain the findings and recommendations from assessments of the system's security and privacy controls and help identify any changes in the effectiveness of those controls. They are crucial for giving the authorizing official the information needed to understand the current security posture of the system and make informed risk management decisions.
  2. Organization- and system-level risk assessment results: provide a comprehensive view of potential threats and vulnerabilities across the organization's systems. They are vital for allowing decision-makers to prioritize security controls and mitigation strategies based on the identified risks and the acceptable level of risk for their operation.
  3. Security and privacy plans: serve as the documents through which the system's security and privacy posture is continuously updated and maintained, outlining the implemented controls, risk mitigation strategies, and ongoing monitoring activities. These plans are essential for ensuring the authorization package remains current and accurately reflects the system's security status throughout its lifecycle.
  4. POA&Ms: document planned remediation activities for addressing known deficiencies in security and privacy controls.
  5. Configuration change requests/approvals and system design documentation: ensure that any modification made to a system is properly reviewed, authorized, and documented. These documents are vital for maintaining the system's security posture by tracking changes and ensuring they align with established security controls and risk management practices.

Expected Outputs:  

  1. Updated security and privacy plans: reflecting any modifications to the security and privacy controls, changes in the threat environment, or other factors affecting the security and privacy posture of the system.
  2. Updated security and privacy assessment reports: incorporating the results of continuous monitoring and any reassessments of control effectiveness, to provide a current view of the system's security and privacy posture.
  3. Updated POA&Ms: documenting the progress of remediation efforts and any changes to planned actions based on ongoing risk assessments and monitoring activities.
  4. Updated risk assessment results: reflecting the current risk posture of the system and any changes in risk levels due to the implementation of mitigation strategies, changes in the threat landscape, or other factors.

Discussion: An Authorization Package is the collection of documentation put together by the Business Owner (BO) and their team as evidence that the system has been designed, built, tested, assessed, and categorized appropriately to meet CMS ATO requirements.  

The CMS CSRAP team provides a plain-language security and privacy assessment report, built from multiple data sources, that quickly informs the system team about the system's overall health. The report focuses on high-level system security capabilities and provides as much information as possible about overall system risk. This allows the system team to make future decisions based on risk instead of performing compliance tasks only at set intervals. CMS POA&M standards align with the HHS POA&M standards to ensure effective and timely remediation of critical and high vulnerabilities. After positive identification, all findings and weaknesses must be documented in a POA&M, reported to HHS, and remediated within specific timelines. CMS has added the CMS Assessment and Audit Tracking (CAAT) and POA&M supporting guidance matrices to the CAAT supporting guidance section of the POA&M within CFACTS to make the process more efficient. CMS considers the SSPP a living collection of information that must be updated with any change to the system, especially when a significant change occurs in the life cycle of the FISMA system.

CMS ensures that information needed for oversight, management, and auditing purposes is not modified or destroyed when updating security and privacy plans, assessment reports, and POA&Ms. 

Please see the ATO page for the ATO process (including stakeholders and their responsibilities) and see the CMS Information System Security Officer (ISSO) Handbook for the full list of NIST approved Authorization package documents.  

For additional information please contact the CISO@cms.hhs.gov. 

Cybersecurity Framework: RS.IM 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-5 Security and Privacy Reporting 

Report the security and privacy posture of the system to the authorizing official and other organizational officials on an ongoing basis, in accordance with the organizational continuous monitoring strategy. This gives these key officials ongoing visibility into the system's security and privacy status, enabling them to make informed decisions about risk management, resource allocation, and strategic planning.

Potential Inputs:  

  1. Security and privacy assessment reports: document the current security and privacy posture of a system, providing the authorizing official with vital information about the system's vulnerabilities and risks.
  2. POA&Ms: provide a list of actions planned or in progress to address identified security and privacy weaknesses.
  3. Organization- and system-level risk assessment results: provide ongoing visibility into the security and privacy posture of a system to the authorizing official and other key organizational stakeholders. These results enable organizational officials to make informed decisions about risk management, resource allocation, and strategic planning based on the current risk landscape across the entire organization and individual systems.
  4. Organization- and system-level continuous monitoring strategies: maintain ongoing awareness of the security and privacy posture of an information system. These mechanisms are crucial for allowing relevant officials to proactively address potential issues and maintain compliance with security standards.
  5. Security and privacy plans: provide the current security and privacy posture of a system to relevant organizational officials.
  6. Cybersecurity Framework Profile: outlines the organization's cybersecurity goals and the standards, guidelines, and practices it will implement from a cybersecurity framework to achieve those goals.

Expected Outputs:  

  1. Security and privacy posture reports: summarize the system's security and privacy status, including the effectiveness of controls, any identified vulnerabilities, and the progress of remediation efforts. The reports should highlight changes in the security and privacy posture since the last reporting period, providing a clear and up-to-date picture of the system's risk profile.
  2. Updated POA&Ms: reflecting the latest progress of remediation efforts, including any newly completed actions and adjustments to ongoing or planned activities based on recent findings or changes in the risk landscape.

Discussion: Cyber Risk Reports are provided monthly by the Information Security and Privacy Group (ISPG) to communicate cyber risk metrics in a consistent manner across all Federal Information Security Management Act (FISMA) systems. These reports help Business and System Owners make risk-based decisions and prioritize risk remediation activities at the system level. The Cyber Risk Reports are sent to all component leadership, including Business Owners (such as ISSOs and CRAs), and to CMS Senior Leadership (such as the COO, CISO, and CIO). In addition, CMS provides ISSO Reports, a specific kind of Cyber Risk Report that helps ISSOs identify security and privacy risks for their systems, along with ways to mitigate them. These reports make it easier to spot items such as overdue POA&Ms, expiring Contingency Plans, and other areas where ISSOs need to take action. CMS has also established the ISSO As A Service program, which provides skilled ISSOs to CMS components to help ensure adequate information security across all CMS components and systems, including communicating with CMS Business Owners (BO) and senior leadership about potential security risks and mitigation strategies.

Cybersecurity Framework: N/A 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-6 Ongoing Authorization 

Review the security and privacy posture of the system on an ongoing basis to determine whether the risk remains acceptable as defined by organizational policies and thresholds. 

Potential Inputs:  

  1. Risk tolerance: defines the organization's acceptable level of risk and is crucial for the AO to determine whether the system's risk posture aligns with organizational risk tolerance.
  2. Security and privacy posture reports: provide an up-to-date overview of the security and privacy posture of the system, including the effectiveness of controls. They are crucial for determining whether the risk remains acceptable as defined by organizational policies and thresholds.
  3. POA&Ms: allow the AO to evaluate progress toward mitigating vulnerabilities and improving the system's posture.
  4. Organization- and system-level risk assessment results: provide ongoing visibility into the security and privacy posture of a system. These results inform the AO's decisions by highlighting changes in risk exposure and confirming that the current risk level remains acceptable according to organizational risk tolerance.
  5. Security and privacy plans: outline the security and privacy controls in place and the mitigation strategies used to address identified risks and protect sensitive information within the system. Overall, they help the AO assess whether the controls are adequate and effective in managing risk.

Expected Outputs:  

  1. A determination of risk: a formal decision document that articulates whether the system's risk posture is within the organization's risk tolerance. 
  2. Ongoing authorization to operate: a formal declaration that the system continues to operate within acceptable risk levels, including any conditions or restrictions.   
  3. Denial of ongoing authorization: a formal notification that the system's authorization to operate is denied due to unacceptable risk levels. It also includes recommendations for risk mitigation or system decommissioning.

Discussion: CMS implements an Ongoing Authorization (OA) program that defines the scope of a particular system that can be continuously managed and monitored. With ongoing authorization, system controls are constantly evaluated and tested to spot vulnerabilities. This allows System/Business Owners to make risk-based decisions quickly and confidently and to engage in remediation efforts that minimize ongoing exposure. To be eligible for OA, systems must leverage the latest control automation tools. Additionally, all Continuous Diagnostics and Mitigation (CDM) tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerabilities (VUL).

Some of the roles with responsibilities tied to Task M-6 include: Authorizing Official (AO), System Owner (SO), Security Control Assessor (SCA), Senior Agency Information Security Officer (SAISO), and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: N/A 

TLC Cycle Phase: New – Initiate; Existing – Operate

Task M-7 System Disposal 

Implement a system disposal strategy and execute required actions when a system is removed from operation. The goal is to mitigate any potential security and privacy risks associated with the disposal process, such as unauthorized access to sensitive data or the reuse of compromised components. 

Potential Inputs:  

  1. Security and privacy plans: identify specific disposal requirements and considerations related to the controls implemented on the system. They are crucial for ensuring that proper data protection and privacy measures are taken during system decommissioning or disposal, especially when handling sensitive information.
  2. Organization- and system-level risk assessment results: findings from a comprehensive risk analysis conducted at both the organizational and individual system levels. They are crucial for highlighting any potential risks that could be exacerbated by the disposal process.
  3. System component inventory: a detailed inventory of all system components, including hardware and software. The inventory is essential for ensuring that all components are accounted for during the disposal process and that secure disposal methods are applied appropriately.

Expected Outputs:  

  1. Disposal strategy: a document or set of documents outlining the planned approach for securely disposing of the system and its components.
  2. Updated system component inventory: reflecting the removal of disposed components from the organization's asset inventory.
  3. Updated security and privacy plans: updated to indicate that the system has been decommissioned and is no longer in operation.
  4. Disposal records: detailed records of the disposal process for each component of the system, including methods of data sanitization and the final disposition of hardware.

Discussion: At CMS, system disposal is managed by the Records and Information Management (RIM) Program within the Office of Strategic Operations and Regulatory Affairs (OSORA). RIM leverages the Cross-Reference Tool (CRT), which documents the record schedules and retention periods of CMS IT systems and tracks those systems' statuses and records/data dispositions. Business Owners of active CMS IT systems receive an email from the CRT with the Annual Notification of Eligibility for Disposal.

Please contact the RIM Team in OSORA for further guidance at Records_Retention@cms.hhs.gov and see the CMS RIM Policy.  

Some of the roles with responsibilities tied to Task M-7 include: System Owner (SO), Information Owner or Steward, System Security Officer, System Privacy Officer, Senior Accountable Official for Risk Management or Risk Executive (Function), Senior Agency Information Security Officer, and Senior Agency Official for Privacy (SAOP).

Cybersecurity Framework: N/A 

TLC Cycle Phase: New – Initiate; Existing – Operate