
CMS Risk Management Framework (RMF): Prepare Step

Outline the essential activities needed for CMS to manage its security and privacy risks

Last reviewed: 12/5/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov


What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps:

What is the Prepare Step?

The purpose of the Prepare step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework (RMF).

Task P-1 Risk Management Roles

The first task within the prepare step is to identify and assign individuals to specific roles associated with security and privacy risk management. Clearly defining roles and associated responsibilities provides a solid foundation for the entire risk management process, ensuring accountability and clear ownership throughout the organization.

Potential Inputs: 

  1. Organizational security and privacy policies and procedures: the guidelines and standard operating procedures that an organization must establish to manage security and privacy across all its systems and information. They are crucial for ensuring consistency in control implementation and compliance with regulations.
  2. Organizational structure and current roles: focuses on identifying and assigning specific individuals within the organization to key roles responsible for managing cybersecurity risks. It is essential for defining the organizational structure for risk management activities, ensuring clear accountability and ownership throughout the RMF process.

Expected Outputs: 

  1. Document and assign RMF roles and responsibilities for managing risk within CMS: Assign roles for privacy risk management, assess privacy risk, and identify stages of the information life cycle within CMS.
  2. Assignment of individuals to specific risk management roles: identify and assign individuals to key roles for executing the RMF.

Discussion: The Prepare step Task P-1 is crucial to clearly define and communicate the risk management roles and responsibilities to ensure accountability and effective risk management. It highlights the importance of having adequate resources available and a defined governance structure in place to facilitate the execution of cost-effective and consistent risk management processes across CMS.

The main outcome is a clear list of roles and responsibilities for each area of risk management, as specified within the CMS IS2P2, Section 7, and automatically included in CFACTS to ensure proper role assignment and tracking of security tasks. The information in this section was derived from the HHS IS2P, NIST guidance and/or OMB policy requirements and narrowed down to CMS-specific needs. 

The CMS Organizational Chart (PDF) provides the CMS organizational structure, current roles, and points of contact.

Cybersecurity Framework: ID.AM-6; ID.GV-2

Task P-2 Risk Management Strategy

Establish a risk management strategy for the organization that includes the organizational objectives and a determination of risk tolerance.

Potential Inputs: 

  1. Organizational objectives and risk tolerance: defines the purpose, values and objectives of the organization. Risk tolerance is the level of risk the organization is willing to accept to achieve its objectives. They serve as a significant factor for developing a comprehensive Risk Management Strategy and risk-based decision making for the organization.
  2. Existing policies and procedures related to risk management: serve as a foundational guide for developing a comprehensive risk management strategy and for making informed decisions by outlining acceptable risk levels, monitoring approaches and strategies, and how the organization will assess and prioritize threats. These existing policies and procedures are essential for ensuring consistent risk management practices across the organization, aligned with its overall risk tolerance.

Expected Outputs: 

  1. A documented risk management strategy that aligns with CMS's mission, objectives, and risk tolerance: defines how CMS will assess, respond to, and monitor risk. It includes a statement of risk tolerance that covers information security and privacy risk (CMS's ability to handle different levels of risk), the risk impact, the tolerance level (what CMS is willing to accept), and the risk review schedule that keeps the strategy relevant.
  2. Strategies for addressing cybersecurity and privacy risks: involves selecting and implementing best practices to protect CMS from internal and external threats. These strategies also establish a baseline for CMS's security program which allows it to continuously adapt to emerging threats and risks.

Discussion: The Prepare Step Task P-2 is important because it informs risk-based decisions, which are critical for managing CMS's security and privacy risks. Development of these strategies should include senior leadership to ensure alignment with CMS's objectives. The strategies should be reviewed and updated regularly to reflect changes in the CMS environment or risk landscape.

CMS utilizes the Cyber Risk Management and Reporting Strategy to help ISSOs, Business Owners (BO), and other stakeholders identify and mitigate security and privacy risks to their FISMA systems. Other supporting documentation includes the CMS IS2P2 Risk Management and Compliance section, the CMS Acceptable Risk Safeguards (ARS) 5.1, the CMS Cyber Risk Management Plan (CRMP), the CMS Information System Risk Assessment (ISRA), and the CMS Cyber Security and Risk Assessment Program (CSRAP). CMS has established an Ongoing Authorization program that maintains an ongoing state of security by continuously monitoring CMS FISMA systems, addressing real-time threats and allowing you to make risk-based decisions. The CMS ARS provides mandatory and supplemental controls (customized/tailored by the BO) to meet CMS's missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance.

Cybersecurity Framework: ID.RM; ID.SC

Task P-3 Risk Assessment-Organization 

Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis

Potential Inputs: 

  1. Organizational risk management strategy: outlines how the organization will identify, assess, respond to, monitor, and govern risks. The risk management strategy should include key factors such as the organization's policies and procedures, risk tolerance, prioritization of responses, progress tracking, and monitoring and review. It is crucial for establishing the framework for how risks will be managed at an organizational level.
  2. Previous risk assessment results: provide historical context and baseline information about the security posture of a system. They help identify trends, prioritize actions to reduce or mitigate risks, and evaluate the effectiveness of security controls. They are essential for an informed analysis of the current risk by comparing it with previously identified threats and vulnerabilities.

Expected Outputs: 

  1. An organizational risk assessment report identifying critical risks to CMS: identifies the various strategies used to identify and prioritize risks that could impact CMS operations, assets, and individuals.
  2. Recommendations for risk response strategies: There are four main risk response strategies to deal with identified risks by avoiding, transferring, mitigating, and accepting the risk.

Avoiding: involves eliminating the risk or its causes, or changing the plan to avoid the risk exposure. Effective for high-impact and high-probability risks.

Transferring: involves shifting the risk or its consequences to a third party, such as a contractor, insurer, or partner. Effective for low-impact and high-probability risks.

Mitigating: involves reducing the probability or impact of the risk by implementing preventive or corrective actions. Effective for moderate-impact and moderate-probability risks.

Accepting: acknowledging the risk and its potential effects and being prepared to deal with them if they occur. Effective for low-impact and low-probability risks.

Discussion: The Prepare Step Task P-3 is crucial for assessing CMS risk at the top level, using information derived from system-level risk assessment results, results from continuous monitoring, and the decisions made during the risk management strategy task.

CMS carries out security controls assessments and vulnerability scanning to identify and report on CMS organizational risks. The Cybersecurity Integration Center (CCIC) through Continuous Diagnostics and Mitigation (CDM) provides reporting metrics and risk analysis by ingesting scan logs and identifying risks through its Security Incident Event Management (SIEM) tool. 

CMS manages its risk assessment process through the Cybersecurity and Risk Assessment Program (CSRAP). Scheduling for an assessment can be done by visiting the CMS CSRAP Confluence page and using the following links to select your preferred and secondary dates for the type of CSRAP assessment you require: Security Assessment Schedule Available Slots and Risk Assessment Schedule Available Slots, or CSRAP/SCA and Penetration Testing (PenTest) for both security and privacy assessment. For additional information, please email the CSRAP team at CSRAP@cms.hhs.gov with your requested dates.

CMS also uses the Cyber Risk Reports to communicate cyber risk on a monthly basis, and the Tableau dashboards to view snapshots of the overall health of CMS systems, including the CMS Information System Risk Assessments (ISRA) that are completed within the security category tab of the CMS FISMA Continuous Tracking System (CFACTS).

Cybersecurity Framework: ID.RA; ID.SC-2 

Task P-4 Organizationally Tailored Control Baselines and Cybersecurity Framework Profiles (optional)

Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.

Potential Inputs: 

  1. Federal cybersecurity guidelines and standards: help organizations customize their security posture based on their needs while still adhering to broader federal cybersecurity standards. They are crucial for establishing an organizationally-tailored control baseline that meets the organization's specific operations and risk profile.
  2. Risk management strategy and risk assessment results: provides a comprehensive understanding of potential threats and vulnerabilities identified from the risk assessment results. It is vital for guiding how an organization will mitigate, accept, or transfer risks to achieve an acceptable level of security for their information systems.

Expected Outputs: 

  1. Tailored control baselines that are specific to CMS's risk profile and operational needs: provides a list of approved or directed CMS-tailored control baselines that are specific to CMS's risk profile and operational needs.
  2. Cybersecurity framework profiles that align with CMS's specific mission requirements: implement the NIST CSF Profiles that align with the functions, categories, and subcategories of the business requirement, risk tolerance and resources of CMS. These CSF profiles can be used to describe the current state (Profile indicates CMS cybersecurity outcomes that are currently being achieved) or the desired target state (Profile indicates the outcomes needed to achieve CMS desired cybersecurity risk management goals), of CMS specific cybersecurity activities. 

Discussion: The Prepare Step Task P-4 is optional. It addresses any specific needs that CMS has in regard to risk by adding or removing controls to accommodate CMS requirements while protecting its information in accordance with the assigned risk. It also encourages the use of the NIST CSF profile created by CMS to help guide the tailoring process.

CMS implements the Security and Privacy Planning controls taken from NIST 800-53 Rev5 and tailored to the CMS environment within the ARS 5.1 to define the CMS baseline of minimum information security and privacy assurance. These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.

CMS also implements the Security and Privacy Handbooks, which provide overall guidance on how to implement CMS policies and standards across many cybersecurity topics while considering CMS mission and business objectives.

Task P-5 Common Control Identification 

Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.

Potential Inputs: 

  1. Inventory of organization information systems: provides a centralized view of all the organization's information systems and their potential security needs. This enables the identification and selection of common controls that can be applied to multiple systems.
  2. Current security and privacy controls and their implementation status: provides a set of standardized controls that can be inherited by multiple information systems within an organization. It is crucial for identifying common controls and for assessing the current implementation status of existing controls, that is, whether they are in place and operating effectively as intended or require further development or improvement.

Expected Outputs: 

  1. A list of common controls that can be used organization-wide: provides a list of common control providers and common controls available for CMS systems to inherit.
  2. Documentation for each common control, including implementation details and the systems that can inherit these controls: provides a description of the common control implementation (including inputs, expected behavior, and expected outputs) such as the system security and privacy plans (or equivalent document).

Discussion: The Prepare Step Task P-5 identifies, documents, and publishes to appropriate personnel what the common controls are. If the control is used entirely by all systems, it is a common control. If the control isn't enough to meet the requirements, it may be supplemented by other controls, making it a hybrid control. If there are multiple controls, CMS specifies the common control provider and any important details about the controls provided (the control providers are responsible for assessing, documenting, and/or providing implementation details for common controls).

CMS provides controls derived from the NIST 800-53 Rev5 and HHS IS2P control baselines in the CMS Acceptable Risk Safeguards (ARS) 5.1 and makes them available for inheritance by CMS systems, to serve as the starting point for determining the appropriate controls and countermeasures necessary to protect CMS information systems.

Task P-6 Impact-Level Prioritization (optional)

Prioritize organizational systems and assets based on their impact level, to aid in guiding resource allocation and risk management efforts. 

Potential Inputs: 

  1. Organization's mission and business process information: helps prioritize the organization's systems based on the potential impact a security breach could have on critical operations and business objectives. It is essential for determining which systems are most vital to the organization's mission and business functions and for the selection of security controls as higher impact systems will likely require more robust controls to mitigate risks.
  2. Risk assessments and impact analyses: provides a structured method to identify potential threats, evaluate their impact, and determine the likelihood of occurrence if a system is compromised. These analyses are essential for enabling organizations to categorize their systems into low, moderate, or high impact levels, which then informs their decision-making regarding control selection and tailoring based on the identified risks.

Expected Outputs: 

  1. A prioritized list of information systems and assets categorized by their impact levels (e.g., low, moderate, high): allows CMS to focus on protecting high-impact systems and assets that are critical to its mission, ensuring that the most significant risks are addressed first.
  2. Guidelines for allocating resources based on the prioritization: provide key guidelines to clearly identify critical projects and tasks and to allocate resources properly, ensuring high-priority initiatives receive the most support while considering resource availability, cost-effectiveness, and potential impact on CMS's overall goals.

Discussion: The Prepare Step Task P-6 is optional and usually occurs after the Categorize step Task C-1. To successfully complete this task, CMS has to first apply the high-water mark concept in accordance with FIPS 199 and FIPS 200, which labels system impact levels as low/medium/high.

This task helps to prioritize systems; the NIST CSF profile developed for CMS can also help with the prioritization process.

Impact-level prioritization builds on security categorization, which describes the potential adverse impacts to CMS operations, assets, and individuals if CMS information and information systems are compromised through a loss of confidentiality, integrity, and/or availability (CIA). CMS has synthesized and identified the information types that apply to CMS, using NIST 800-60 Volume 1 Rev 1 as a guide, into nine (9) CMS information types. CMS prioritizes the systems that support its Mission Essential Functions (MEFs) and Essential Supporting Activities (ESAs) while providing ARS 5.1 controls for all Low, Moderate, High, and HVA systems. Prioritization is based on each system's risk profile and vulnerability metrics, in direct correlation with the task's goal of impact-level prioritization based on risk.
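As an added illustration (not code from the CMS page), the high-water mark rule from FIPS 199 and FIPS 200 that Task P-6 relies on, applied to a constructed set of information types and systems and then used to order systems for resource allocation. The information type names and ratings, the system names, and the MEF/ESA flags are hypothetical, not CMS's nine information types or inventory.

```python
"""FIPS 199 / FIPS 200 high-water mark categorization and impact-level prioritization.

Constructed example: information types, ratings and systems below are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact levels in increasing order; the rank lets max() pick the high-water mark.
LEVELS = ("low", "moderate", "high")
RANK: Dict[str, int] = {lvl: i for i, lvl in enumerate(LEVELS)}


def _check(level: str) -> str:
    """Normalise an impact level and reject anything outside FIPS 199's three values."""
    level = level.lower()
    if level not in RANK:
        raise ValueError(f"unknown impact level: {level!r}")
    return level


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional (C, I, A) impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def triple(self) -> Tuple[str, str, str]:
        return (_check(self.confidentiality), _check(self.integrity), _check(self.availability))


def security_category(info_types: List[InfoType]) -> Dict[str, str]:
    """FIPS 199: each of the system's C, I and A levels is the highest level
    assigned to that objective by any information type the system handles."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    cia = {"confidentiality": "low", "integrity": "low", "availability": "low"}
    for it in info_types:
        for objective, level in zip(cia, it.triple()):
            if RANK[level] > RANK[cia[objective]]:
                cia[objective] = level
    return cia


def high_water_mark(cia: Dict[str, str]) -> str:
    """FIPS 200: the overall system impact level is the highest of C, I and A."""
    return max(cia.values(), key=lambda lvl: RANK[lvl])


@dataclass
class System:
    name: str
    info_types: List[InfoType]
    supports_mef_or_esa: bool = False  # supports a Mission Essential Function / ESA

    @property
    def impact_level(self) -> str:
        return high_water_mark(security_category(self.info_types))


def prioritize(systems: List[System]) -> List[Tuple[str, str, bool]]:
    """Order systems for resource allocation: highest impact level first,
    MEF/ESA-supporting systems ahead of others at the same level, then by name."""
    ordered = sorted(
        systems, key=lambda s: (-RANK[s.impact_level], not s.supports_mef_or_esa, s.name)
    )
    return [(s.name, s.impact_level, s.supports_mef_or_esa) for s in ordered]


# Constructed sample data (hypothetical information types and systems).
CLAIMS_PHI = InfoType("beneficiary health records (constructed)", "high", "moderate", "moderate")
PUBLIC_NOTICES = InfoType("public program notices (constructed)", "low", "moderate", "low")
PROVIDER_PAYMENTS = InfoType("provider payment data (constructed)", "moderate", "high", "high")

SAMPLE_SYSTEMS = [
    System("public-web-portal", [PUBLIC_NOTICES]),
    System("claims-processing", [CLAIMS_PHI, PROVIDER_PAYMENTS], supports_mef_or_esa=True),
    System("analytics-warehouse", [CLAIMS_PHI]),
    System("payment-engine", [PROVIDER_PAYMENTS], supports_mef_or_esa=True),
]

if __name__ == "__main__":
    for name, level, critical in prioritize(SAMPLE_SYSTEMS):
        print(f"{name:20s} {level:8s} MEF/ESA={critical}")
```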

Cybersecurity Framework: ID.AM-5

Task P-7 Continuous Monitoring Strategy-Organization 

Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.

Potential Inputs: 

  1. Risk management strategy and priorities: provide an outline of how an organization will continuously monitor and address identified security risks across its systems. These strategies and priorities enable organizations to monitor the security and privacy posture across the organization, and the effectiveness of controls implemented within or inherited by organizational systems, on an ongoing basis.
  2. Previous assessments and reports on control effectiveness: provide a baseline understanding of the current security posture. These reports enable organizations to identify areas needing improvement, track changes over time, and make informed decisions about risk mitigation, while ensuring implemented security controls remain effective over time.

Expected Outputs: 

  1. A comprehensive continuous monitoring strategy that includes mechanisms for assessing control effectiveness, reporting on security and privacy posture, and responding to changes in risk.
  2. Plans for integrating continuous monitoring tools and processes into CMS operations.

Discussion: The Prepare Step Task P-7 is essential for establishing a plan to monitor the effectiveness of security and privacy controls.

CMS complies with the HHS Information Security Continuous Monitoring (ISCM) strategy and further defines the control assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). CMS maintains an ongoing awareness of information security, vulnerabilities, and threats to support its risk management decisions. This includes continuous visibility into the actions of users, applications, and devices through centralized log data collection. CMS implements a robust continuous monitoring program, consisting of the Continuous Diagnostics and Mitigation (CDM) Program and Security Control Assessments, to determine whether a system's security and privacy controls are implemented correctly and operating effectively. CDM provides automated scanning capabilities and risk analysis to strengthen the security posture of CMS FISMA systems on an ongoing basis, which enables CMS to maintain situational awareness of its security and privacy posture and facilitates timely responses to emerging threats and vulnerabilities. CMS also uses asset inventories and vulnerability management scanning to keep tabs on both the resources that employees use (e.g., laptops) and the applications and infrastructure they use, as an effort to enhance its continuous monitoring program.

Cybersecurity Framework: DE.CM; ID.SC-4 

Task P-8 Risk Mission or Business Focus

Identify the missions, business functions, and mission/business processes that the information system is intended to support, to ensure it provides adequate support to the organization's objectives.

Potential Inputs: 

  1. Organization's mission statements and business process documentation: provides a clear understanding of the organization's core purpose, goals, and operational procedures, which then informs the security controls needed to protect the information systems supporting those critical business processes. They are crucial for aligning system security requirements with the organization's primary goals and operations.
  2. Current and future operational requirements: identifies and documents the primary missions and business functions an information system is designed to support, both in its current state and anticipated future needs. These requirements enable organizations to prioritize their security controls based on the criticality of their mission and business operations.

Expected Outputs: 

  1. Documentation linking information systems to mission and business processes: identifies which system failures could most significantly disrupt CMS's mission-critical operations. This allows CMS to understand how critical information systems support its core functions, enabling it to prioritize risks based on their potential impact on achieving CMS's goals.
  2. Prioritized list of system requirements based on mission and business importance: allows CMS to allocate resources effectively by addressing the system requirements that have the most significant impact on achieving their core objectives, essentially prioritizing the most critical functionalities to mitigate potential risks that could hinder CMS mission success.

Discussion: The RMF Prepare Step Task P-8 is crucial for identifying what part of CMS's mission/business the system intends to support, including ensuring that CMS technology investments are directly tied to supporting its mission and business goals. CMS has established and continues to support the development and maintenance of Business Continuity Plans and Disaster Recovery Plans for the protection of systems and components that are tied to its Essential Supporting Activities (ESAs), and to assure that CMS can perform its Mission Essential Functions (MEFs). For example, the CMS Continuity of Operations Plan (COOP), Emergency Relocation Group (ERG), and Devolution Emergency Response Group (DERG) all ensure the continuation of CMS essential functions.

CMS systems are required to have an Information System Contingency Plan (ISCP) in place to protect CMS from potential risks and ensure the continuity of its operations. Before creating or updating the ISCP, a Business Impact Analysis (BIA) must be performed. The Information System Security Officer (ISSO) works with the System/Business Owner to complete this BIA, assessing critical processes essential to system operations.  Also, CMS requires its Business Owners (BO) to complete the Business Impact Analysis (BIA) every two (2) years to document the business impact of any service to CMS missions, business functions, and mission/business processes.

Cybersecurity Framework: Profile; Implementation Tiers; ID.BE

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-9 System Stakeholders

Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system, to ensure that their needs are considered in the system's risk management process.

Potential Inputs: 

  1. List of systems and their functions within the organization: identifies all key stakeholders involved with each system, including individuals, groups, or organizations that have an interest in or decision-making responsibility for the system throughout its lifecycle, such as System Owners (SO). It provides a clear understanding of how each system within the organization operates, allowing stakeholders to identify their individual roles, potential impacts on their work, and how to effectively interact with the system to achieve desired outcomes.
  2. Stakeholder analysis from previous projects or operational activities: identifies individuals, groups, or organizations that have a common interest in the system being assessed, including those who may have been impacted by similar systems in the past. This analysis provides valuable insights into the needs, expectations, and potential concerns of different groups affected by the system, allowing project teams to tailor their approach, manage risks proactively, and build stronger relationships with key stakeholders by understanding their past experiences and perspectives.

Expected Outputs:

  1. A comprehensive list of stakeholders for each system: ensures the project is effectively managed such that all parties who are impacted by or have an interest in the system are identified, allowing their needs and concerns to be addressed throughout the development process, which ultimately leads to a more successful system implementation.
  2. Engagement strategy outlining how stakeholders will be involved in the system's risk management process: ensures that all relevant parties are aware of potential risks and can contribute their unique perspectives to identify and mitigate those risks.

Discussion: The RMF Prepare Step Task P-9 is crucial for identifying stakeholders within CMS's systems and documenting them. It ensures that stakeholders can communicate throughout the implementation of the RMF. These stakeholders could be individuals, organizations, or representatives.

The CMS IS2P2 Roles and Responsibilities section provides descriptions for the CMS personnel who are required to complete their records, such as the System Security and Privacy Plan (SSPP) generated by the CMS GRC tool, CFACTS.

CMS systems are encouraged to maintain a list of stakeholders within CFACTS including any interconnecting systems and their stakeholders under the Boundary tab in CFACTS as an effort to improve stakeholder engagement in managing and documenting the risk management process of their systems. 

Cybersecurity Framework: ID.AM; ID.BE

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-10 Asset Identification 

Identify assets that require protection, such as assets associated with CMS information systems, including hardware, software, data, and personnel.

Potential Inputs: 

  1. Inventory of current system assets: provides a comprehensive list of all the systems and devices within an organization, allowing for accurate tracking of their location, condition, and usage. It is essential for effective risk management, maintenance, security, and cost optimization of those assets. Therefore, without a proper inventory, organizations can't effectively identify and manage all their assets.
  2. Operational requirements and documentation: identifies and documents the specific functional needs and capabilities a system must have to effectively operate as intended. It is crucial for selecting appropriate security controls that align with the organization's operational requirements and ensures the system is designed and implemented to meet its intended purpose.

Expected Outputs: 

  1. An updated and comprehensive asset inventory for the system: provides a complete picture of all assets within a system, allowing for informed decision-making regarding maintenance, security, resource allocation, and overall management of those assets. Essentially, without a detailed inventory, you cannot effectively track, monitor, or utilize your assets which is the primary goal of asset identification.
  2. Categorization of assets based on their importance to CMS's mission and their sensitivity: allows CMS to prioritize security efforts by allocating the most robust protections to the assets that would have the greatest impact if compromised. This can help in effectively managing risk and ensuring CMS mission-critical data is adequately safeguarded.

Discussion: The RMF Prepare Step Task P-10 is crucial for identifying what assets need to be protected and documenting them.

The CMS Continuous Diagnostics and Mitigation (CDM) program maintains an automated authorized hardware and software inventory, including FISMA tagging, mapping, and asset discovery, as part of its Hardware Asset Management (HWAM) and Software Asset Management (SWAM). The program is implemented in four (4) phases that address: what is on the network, who is on the network, what is happening on the network, and how the data is protected.

CMS system assets are identified using data analytics in Tableau and then pushed to CFACTS.

Cybersecurity Framework: ID.AM

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-11 Authorization Boundary

Determine the authorization boundary of the information system, clearly delineating the components that are included within the system's authorization scope. In order to standardize the approach to determining and defining the authorization boundary, systems are encouraged to create a checklist or boundary diagram template for reporting systems/ISSOs.

Potential Inputs: 

  1. System architecture and design documentation: defines the boundaries of an information system, outlining which components are within the scope of security protection and what is considered outside of the system. It is crucial for establishing the authorization boundary for a system and for precisely identifying which parts of the system need to be secured and managed under a specific authorization level.
  2. Integration and dependency information for interconnected systems: describes how different subsystems or components are combined into a single, unified system that functions as one, and the extent to which a system's subsystems (components) are interrelated, connected, and dependent upon one another. This information is vital for ensuring that the various software applications, hardware components, and network resources work together seamlessly.

Expected Outputs: 

  1. A clearly defined authorization boundary document: ensures that all relevant security controls are implemented within the boundary. This includes any hardware, software, networks, and data that are part of the system.
  2. Diagrams or other visual representations of the system boundary: provide a clear visual representation of the system's components, data flows, and connections to external systems, which can help identify potential security vulnerabilities and ensure that all relevant aspects of the system are considered during the authorization process.

Discussion: The RMF Prepare Step Task P-11 is crucial for determining the scope of protection for information systems and documenting the authorization boundary. The Authorization Official (AO) determines what that boundary is with input from the system owner.

CMS implements an Ongoing Authorization (OA) program and the Federal Risk and Authorization Management Program (FedRAMP), which define the scope of a particular system that can be continuously managed and monitored. The OA program supports a FISMA authorization system boundary, which can include one or more cloud offerings, while a FedRAMP authorization boundary is exclusively for a cloud service offering and may include the full stack (infrastructure, platform, and software) or just parts of it. The authorization boundary is documented in the Boundary tab for each system within CFACTS.

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-12 Information Types

Identify the types of information to be processed, stored, and transmitted by the information system to determine the appropriate levels of protection.

Potential Inputs: 

  1. Data classification and categorization policies: identify and define the different types of information handled by a system. This allows systems to identify and protect sensitive information by categorizing data based on the level of Confidentiality, Integrity and Availability (CIA) required, while ensuring appropriate security measures are applied to each data type. This helps to minimize the risk of data breaches and facilitates compliance with relevant regulations like GDPR and HIPAA.
  2. Legal and regulatory requirements impacting data: identifies and documents all applicable laws and regulations that govern the type of data a system processes, stores, or transmits, ensuring the organization adheres to these legal mandates when handling sensitive information and mitigates potential compliance risks. These requirements are crucial for data classification and for protecting individuals' sensitive data from misuse, breaches, and unauthorized access.

Expected Outputs: 

  1. A list of information types categorized by sensitivity and impact: allows CMS to effectively identify and protect its most critical data by applying appropriate security measures based on how sensitive the information is and what potential damage its disclosure could cause.
  2. Documentation of protection requirements for each information type: ensures effective data protection and compliance with relevant regulations by providing a clear understanding of the specific security controls needed to safeguard different types of data. This allows CMS to tailor its security measures to the unique risks associated with each information category.

Discussion: The RMF Prepare Step Task P-12 is crucial for identifying and documenting the different types of information that go through the system.

CMS provides a watch-and-learn guide, System categorization in CFACTS, to help systems complete their FIPS 199 security categorization in CFACTS. Information types are categorized based on security and privacy considerations, determined by the CMS Policy team, and documented in CFACTS. The CMS Office of Strategic Operations and Regulatory Affairs (OSORA) | OSORA_Regs_Scheduling@cms.hhs.gov and CMS Records Retention | Records_Retention@cms.hhs.gov offer guidance on the protection and retention of all CMS data.

Also, the NARA CUI program provides overall guidance on what information needs to be protected.

Cybersecurity Framework: ID.AM-5

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-13 Information Life Cycle

Identify and understand all stages of the information life cycle (from creation to final disposition) for each information type processed, stored, or transmitted by the information system. Understanding the information life cycle is vital for the design and evaluation of information systems, as the controls for each stage of the information life cycle are linked to their respective CMS TLC phase.

Potential Inputs: 

  1. Data management policies and procedures: provide a clear understanding of how data flows through a system, where it is stored at each stage, and how long it needs to be retained. These policies and procedures are essential for managing data quality, security, compliance, and efficient retrieval throughout the data's lifecycle, from creation to disposal.
  2. System documentation outlining data flows and storage: provides a clear understanding of all stages of the information life cycle for each type of data processed, stored, or transmitted by the system. This allows systems to carry out a comprehensive assessment of the security risks associated with that data throughout its lifecycle. It is crucial for determining where and how sensitive information is handled within the system so that appropriate security controls can be implemented.

Expected Outputs: 

  1. A detailed understanding of the information life cycle for each type of data the system handles: allows CMS to effectively manage data throughout its lifecycle, ensuring proper storage, access, security, and disposal. This ultimately minimizes risk, optimizes data usage, and supports compliance with relevant regulations by establishing when and how to retire outdated data.
  2. Identification of security and privacy controls needed at each stage of the life cycle: ensures that data is protected throughout its entire existence, from creation to disposal, by addressing potential vulnerabilities specific to each phase, minimizing risk and maximizing data integrity throughout the process. 

Discussion: The RMF Prepare Step Task P-13 is crucial for identifying all of the stages in the life cycle of all the types of information that go through the system.

The CMS Office of Strategic Operations and Regulatory Affairs (OSORA) provides guidance on the information life cycle for CMS systems, and the Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. This approach helps in identifying potential vulnerabilities and in ensuring that data is protected appropriately at all stages. The information life cycle task is vital for systems handling sensitive or regulated data, ensuring compliance with data protection laws and policies.

Cybersecurity Framework: ID.AM-3; ID.AM-4

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-14 Risk Assessment - System

Conduct a system-level risk assessment to identify, prioritize, and document risks associated with the operation and use of the system. Update the risk assessment results on an ongoing basis.

Potential Inputs: 

  1. System documentation: captures the results of a comprehensive risk assessment performed on the system, including identified threats, vulnerabilities, potential impacts, and likelihood of occurrence. This documentation is crucial for supporting risk mitigation strategies and authorization decisions.
  2. Previous risk assessments and relevant security and privacy incident reports: provide detailed insight into past vulnerabilities, threats, and incidents. These reports allow systems to identify recurring patterns, understand the likelihood of similar events happening again, and proactively implement mitigation strategies to prevent future issues.

Expected Outputs: 

  1. A comprehensive risk assessment report for the system, detailing identified risks, their likelihood, impact, and recommended mitigation strategies: clearly outlines all identified potential risks within a system, analyzes their likelihood of occurrence and potential impact, and provides actionable mitigation strategies, enabling informed decision-making and effective risk management within an organization.
  2. An action plan for addressing identified risks: provides a concrete roadmap for mitigating or managing potential risks, outlining specific steps, responsible parties, timelines, and necessary resources to actively address each identified risk.

Discussion: The RMF Prepare Step Task P-14 is crucial for conducting the system risk assessment and updating the results on an ongoing basis.

CMS Risk Management and Reporting provides information on potential security and privacy risks to CMS information and systems. The CMS Cyber Risk Management Plan lays the foundation for modernizing the CMS approach to identifying and mitigating security and privacy risks associated with the operation of CMS FISMA systems. CMS implements CSRAP, a security and risk assessment program for CMS FISMA systems that aligns with ISPG strategies and the strategic goal of risk-based program management. The CMS ISRA documents the overall risk to a system and potential risk reduction strategies.

CMS has established a corrective action plan roadmap, the Plan of Action and Milestones (POA&M), to address system weaknesses and document the resources required to fix them; a POA&M is required whenever an audit reveals a weakness in security controls. Risk assessments at CMS are conducted and tracked within CFACTS, showcasing a direct application of this task at the system level.

Cybersecurity Framework: ID.RA; ID.SC-2

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-15 Requirements Definitions 

Define the security and privacy requirements specific to the system and its environment of operation that are necessary to mitigate identified risks and to comply with CMS policies and federal regulations.

Potential Inputs: 

  1. Risk assessment report: documents the identified threats, vulnerabilities, and potential impacts on a system that could arise during a project. This report enables systems to design and implement solutions that mitigate these risks, ultimately leading to a more robust and reliable system by addressing potential problems early on in the development process. This report is crucial for ensuring that the system operates at the acceptable security level.
  2. Applicable laws, regulations, and organization policies: serve as the foundation for defining the security and privacy requirements for a system. These policies are vital for ensuring that organizational systems operate legally and ethically and protect customers, employees, and the environment.

Expected Outputs: 

  1. A documented set of security and privacy requirements for the system: ensures that the system being developed is designed with robust safeguards in place to protect sensitive data, mitigate potential cyber threats, and comply with relevant privacy regulations.
  2. A plan for implementing the necessary controls to meet these requirements: outlines the specific needs and functionalities of a system and actively addresses how those requirements will be met through implemented controls. This effectively bridges the gap between simply stating what is needed and providing a roadmap for achieving compliance and mitigating risks.

Discussion: The RMF Prepare Step Task P-15 is crucial for defining the security and privacy requirements for the system.

CMS implements Security and Privacy Planning Controls to provide guidance on developing the SSPP within CFACTS, which relates the CMS security requirements defined in the CMS IS2P2 to a set of security controls and control enhancements as outlined in the CMS ARS 5.1. The CMS Security and Privacy Language for Information and Information Technology helps guide the CISO Team and procurement personnel in determining what kind of security and privacy requirements should be written into a contract before operating in the CMS environment.

Cybersecurity Framework: ID.GV; PR.IP

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-16 Enterprise Architecture 

Determine the placement of the system within the enterprise architecture such that the system's architecture is aligned with CMS's enterprise architecture to support efficient and secure integration and operation within the organization's IT environment.

Potential Inputs: 

  1. Organization's enterprise architecture documentation: provides a comprehensive design layout of the system's placement within the broader organizational infrastructure. This enables an informed risk assessment and security control selection process by showing how the system interacts with other components and systems across the organization.
  2. Security and privacy policies and standards: provide the foundation for selecting and implementing appropriate controls to address identified risks. These policies and standards are crucial for safeguarding sensitive data and operations while ensuring that an organization's systems and information are protected at an acceptable level of security and privacy.

Expected Outputs: 

  1. Documentation confirming the system's alignment with CMS's enterprise architecture: serves as a critical verification tool to demonstrate that new systems adhere to CMS's established architectural guidelines and standards, ensuring that all CMS IT systems and initiatives are strategically aligned with its overall business goals.
  2. Identified opportunities for integration and optimization within the enterprise architecture: provides a complete view of CMS's systems and processes, allowing architects to pinpoint areas where different systems can be better integrated and streamlined. It analyzes CMS’s enterprise architecture to find ways to improve its functionality by connecting systems more effectively and eliminating inefficiencies. 

Discussion: The RMF Prepare Step Task P-16 is crucial for ensuring the system is well placed within the enterprise architecture. Proper placement ensures the system runs as effectively, efficiently, and cost-effectively as possible while helping to minimize security and privacy risk.

The CMS TRA provides the authoritative technical architecture approach and technical reference standards for all CMS information technology (IT) systems. It defines the infrastructure requirements needed to support and secure high-quality delivery of healthcare services to beneficiaries, providers, and business partners, including aligning CMS systems with the Federal Enterprise Architecture Framework (FEAF).

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-17 Requirements Allocation 

Allocate the defined security and privacy requirements to specific system components, processes and environment of operation to ensure comprehensive coverage across the system.

Potential Inputs: 

  1. Security and privacy requirements documentation: documents the specific security and privacy requirements that need to be applied to a system and its operating environment. These requirements are crucial for providing a clear roadmap for selecting and implementing security controls.
  2. System design and architecture information: provides detailed insight into how a system is built or will be structured, allowing for the precise mapping of individual requirements to specific components or subsystems within the system architecture. This information ensures that each functional need is addressed by the most appropriate part of the system and facilitates efficient development and implementation of appropriate security controls based on the system's architecture and functionality.

Expected Outputs: 

  1. A mapping of security and privacy requirements to specific system components or processes: defines where and how each security and privacy requirement will be implemented within the system, ensuring that every aspect of the system is addressed with appropriate security controls.
  2. An implementation plan detailing how each requirement will be met: identifies where controls will be implemented. Also helps to streamline the risk management process by ensuring that requirements are not implemented on multiple systems or system elements when implementation of a common control or a system-level control on a specific system element provides the needed protection capability. 

Discussion: The RMF Prepare Step Task P-17 is crucial for allocating security requirements. The allocation serves as a guide and informs the process of control selection and implementation for CMS systems, system elements, and/or the environment of operation.

CMS implements System and Services Acquisition controls to determine information security and privacy requirements for the information system or information system service during mission/business process planning, and to document and allocate the resources required to protect the information system or information system service. Also, controls for each stage of the information lifecycle are identified by their linked TLC phase, which is relevant for allocating security and privacy requirements to specific system components or processes.

Cybersecurity Framework: ID.GV

TLC Cycle Phase: New – Initiate; Existing – Operate

Task P-18 System Registration

Register the information system within CMS's IT environment to formalize its status and ensure it is recognized and managed as part of the organization's portfolio of information systems.

Potential Inputs: 

  1. System documentation: provides a comprehensive record of the system's details, allowing for proper management, accountability, coordination, and oversight throughout the RMF process, including risk assessment, control selection, and authorization decisions based on the system's characteristics and information handling practices.
  2. Information from previous tasks: provides a comprehensive understanding of the system's characteristics, security posture, and potential risks. The information from previous tasks is crucial for enabling a more informed and thorough system registration, allowing for better management, accountability, and oversight of the system throughout its lifecycle.

Expected Outputs: 

  1. Official registration of the system within CMS's IT portfolio: documents the existence of a system within CMS, allowing for proper tracking, risk assessment, and management oversight of its security and privacy posture. This ensures that all systems are accounted for and subject to CMS's security policies and procedures.
  2. Documentation acknowledging the system's registration and outlining any conditions or requirements for operation and maintenance within CMS. 

Discussion: The RMF Prepare Step Task P-18 is crucial for registering the system with CMS program/management offices. Registration informs CMS of plans to develop the system, its key characteristics, and the security and privacy implications of using the system.

CMS implements a Security and Privacy Planning (PL) handbook that provides privacy and security requirements for use during a new Authorization to Operate (ATO) cycle for documenting system security compliance, enforced by the CMS Chief Information Security Officer (CISO). CMS also implements the CMS TLC, a governance framework that provides overall guidance for developing and maintaining IT solutions through four phases: Initiate, Develop, Operate, and Retire, enforced by the CMS Office of Information Technology (OIT). The CMS Technical Review Board (TRB) also provides system architecture and infrastructure requirements with which all CMS systems must be compliant, as described in the TRA.

Cybersecurity Framework: ID.GV

TLC Cycle Phase: New – Initiate; Existing – Operate


In Task P-1, CMS identifies and assigns individuals to critical roles to manage security and privacy risks, establishing accountability and aligning responsibilities with CMS’s mission and objectives. 

The main outcome is a clear list of roles and responsibilities for each area of risk management, as specified in CMS IS2P2, Section 7, and automatically included in CFACTS to ensure proper role assignment and tracking for each security task. Key roles include: 

CMS Administrator: Provides executive oversight, ensuring risk governance aligns with CMS’s mission and strategic goals.

Chief Information Officer (CIO): Directs IT and risk management strategies to meet CMS objectives and regulatory requirements.

Chief Information Security Officer (CISO): Leads the agency-wide information security program, establishing policies and procedures that reinforce CMS’s security posture and compliance.


Before creating or updating the Information System Contingency Plan (ISCP), a Business Impact Analysis (BIA) must be performed. The Information System Security Officer (ISSO) works with the System/Business Owner to complete this BIA, assessing critical processes essential to system operations.