CMS Risk Management Framework (RMF): Prepare Step

Contact: Policy Team | CISO@cms.hhs.gov

Last Reviewed: 12/5/2024

The Prepare Step of the CMS RMF sets the foundation for managing security and privacy risks by establishing roles, strategies, and assessments at all organizational levels. It ensures CMS is ready to implement the Risk Management Framework effectively.

What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps (the NIST SP 800-37 step names; the steps after Prepare are not covered on this page):

  • Prepare
  • Categorize
  • Select
  • Implement
  • Assess
  • Authorize
  • Monitor

What is the Prepare Step?

The purpose of the Prepare Step is to carry out essential activities at the organization, mission and business process, and information system levels of the organization to help prepare the organization to manage its security and privacy risks using the Risk Management Framework (RMF).

Prepare Step tasks

Task P-1 Risk Management Roles

The first task within the Prepare Step is to identify and assign individuals to specific roles associated with security and privacy risk management. Clearly defining roles and associated responsibilities provides a solid foundation for the entire risk management process, ensuring accountability and clear ownership throughout the organization.

Potential Inputs 

  • Organizational security and privacy policies and procedure requirements refer to the guidelines and standard operating procedures that an organization must establish to manage security and privacy across all its systems and information. They are crucial for ensuring consistency in control implementation and compliance with regulations.
  • Organizational structure and current roles focus on identifying and assigning specific individuals within the organization to key roles responsible for managing cybersecurity risks. This input is essential for defining the organizational structure for risk management activities, ensuring clear accountability and ownership throughout the RMF process.

Expected Outputs 

  • Document and assign RMF roles and responsibilities for managing risk within CMS by assigning roles for privacy risk management, assessing privacy risk, and identifying stages of the information life cycle within CMS.
  • Assignment of individuals to specific risk management roles by identifying and assigning individuals to key roles for executing the RMF.

CMS Discussion

The Prepare Step Task P-1 is crucial to clearly define and communicate the risk management roles and responsibilities to ensure accountability and effective risk management. It highlights the importance of having adequate resources available and a defined governance structure in place to facilitate the execution of cost-effective and consistent risk management processes across CMS. 

The main outcome is a clear list of roles and responsibilities for each area of risk management, as specified within the CMS IS2P2, Section 7, and automatically included in CFACTS to ensure proper role assignment and tracking of security tasks. The information in this section was derived from the HHS IS2P, NIST guidance and/or OMB policy requirements and narrowed down to CMS-specific needs. 

The CMS Organizational Chart (PDF) provides the CMS organizational structure, current roles, and points of contact.

Cybersecurity Framework: ID.AM-6; ID.GV-2

Task P-2 Risk Management Strategy

Establish a risk management strategy for the organization that includes the organizational objectives and a determination of risk tolerance.

Potential Inputs 

  • Organizational objectives and risk tolerance define the purpose, values, and objectives of the organization. Risk tolerance is the level of risk the organization is willing to accept to achieve its objectives. Together they serve as a significant factor in developing a comprehensive Risk Management Strategy and in risk-based decision making for the organization.
  • Existing policies and procedures related to risk management serve as a foundational guide for developing a comprehensive risk management strategy and for making informed decisions, by outlining acceptable risk levels, monitoring approaches and strategies, and how the organization will assess and prioritize threats. These existing policies and procedures are essential for ensuring consistent risk management practices across the organization, aligned with its overall risk tolerance.

Expected Outputs

  • A documented risk management strategy that aligns with CMS's mission, objectives, and risk tolerance defines how CMS will assess, respond to, and monitor risk. It includes a statement of risk tolerance that covers information security and privacy risk (CMS's ability to handle different levels of risk), the risk impact, the tolerance level (what CMS is willing to accept), and the risk review schedule that keeps the strategy relevant.
  • Strategies for addressing cybersecurity and privacy risks involve selecting and implementing best practices to protect CMS from internal and external threats. These strategies also establish a baseline for CMS's security program, which allows it to continuously adapt to emerging threats and risks.

CMS Discussion

The Prepare Step Task P-2 is important because it informs risk-based decisions, which are critical for managing CMS's security and privacy risks. Developing these strategies should involve senior leadership to ensure they align with CMS's objectives. The strategies should be reviewed and updated regularly to reflect changes in the CMS environment or risk landscape.

CMS utilizes the Cyber Risk Management and Reporting Strategy to help ISSOs, Business Owners (BO), and other stakeholders identify and mitigate security and privacy risks to their FISMA systems. Other supporting documentation includes the CMS IS2P2 Risk Management and Compliance section, the CMS Acceptable Risk Safeguards (ARS) 5.1, the CMS Cyber Risk Management Plan (CRMP), the CMS Information System Risk Assessment (ISRA), and the CMS Cyber Security and Risk Assessment Program (CSRAP). CMS has established an Ongoing Authorization program that serves as an ongoing state of security, designed to continuously monitor CMS FISMA systems to address real-time threats and allow you to make risk-based decisions. The CMS ARS provides mandatory and supplemental controls (customized/tailored by the BO) to meet CMS's missions or business functions, threats, security and privacy risks (including supply chain risks), type of system, or risk tolerance.

Cybersecurity Framework: ID.RM; ID.SC

Task P-3 Risk Assessment-Organization

Assess organization-wide security and privacy risk and update the risk assessment results on an ongoing basis.

Potential Inputs 

  • Organizational risk management strategy outlines how organizations will identify, assess, respond to, monitor, and govern risks. The risk management strategy should include key factors such as the organization's policies and procedures and risk tolerance, and should describe how responses are prioritized, how progress is tracked, and how risks are monitored and reviewed.
  • Previous risk assessment results provide historical context and baseline information about the security posture of a system. They identify trends, prioritize actions to reduce or mitigate risks, and evaluate the effectiveness of security controls. They are essential for an informed analysis of the current risk, made by comparing it with previously identified threats and vulnerabilities.

Expected Outputs

  • An organizational risk assessment report identifying critical risks to CMS outlines the various strategies used to determine and prioritize risks that could impact CMS operations, assets, and individuals.
  • Recommendations for the four main risk response strategies used to deal with identified risks: avoiding, transferring, mitigating, and accepting the risk.
    • Avoiding - Involves eliminating the risk or its causes, or changing the plan to avoid the risk exposure. Effective for high-impact and high-probability risks.
    • Transferring - Involves shifting the risk or its consequences to a third party, such as a contractor, insurer, or partner. Effective for low-impact and high-probability risks.
    • Mitigating - Involves reducing the probability or impact of the risk by implementing preventive or corrective actions. Effective for moderate-impact and moderate-probability risks.
    • Accepting - Acknowledging the risk and its potential effects and being prepared to deal with them if they occur. Effective for low-impact and low-probability risks.

CMS Discussion

The Prepare Step Task P-3 is crucial for assessing CMS risk at the top level, using information derived from system-level risk assessment results, results from continuous monitoring, and decisions from the Risk Management Strategy task (P-2).

CMS carries out security controls assessments and vulnerability scanning to identify and report on CMS organizational risks. The Cybersecurity Integration Center (CCIC), through Continuous Diagnostics and Mitigation (CDM), provides reporting metrics and risk analysis by ingesting scan logs and identifying risks through its Security Information and Event Management (SIEM) tool.

CMS manages its risk assessment process through the Cybersecurity and Risk Assessment Program (CSRAP). Penetration Testing (PenTesting) and Security Controls Assessment (SCA) can also be part of the assessment process.

CMS also uses the Cyber Risk Reports to communicate cyber risk on a monthly basis, and the Tableau dashboards to view snapshots of the overall health of CMS systems. This includes the CMS Information System Risk Assessment (ISRA), which is completed within the security category tab of the CMS FISMA Continuous Tracking System (CFACTS).

Cybersecurity Framework: ID.RA; ID.SC-2

Task P-4 Organizationally Tailored Control Baselines and Cybersecurity Framework Profiles (optional)

Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles.

Potential Inputs 

  • Federal cybersecurity guidelines and standards help organizations customize their security posture based on their needs while still adhering to broader federal cybersecurity standards. They are crucial for establishing an organizationally-tailored control baseline that fits the organization's specific operations and risk profile.
  • Risk management strategy and risk assessment results provide a comprehensive understanding of the potential threats and vulnerabilities identified during the risk assessment. They are vital for guiding how an organization will mitigate, accept, or transfer risks to achieve an acceptable level of security for its information systems.

Expected Outputs

  • Tailored control baselines that are specific to CMS's risk profile and operational needs: a list of approved or directed CMS-tailored control baselines.
  • Cybersecurity framework profiles that align with CMS's specific mission requirements: NIST CSF Profiles that align with the functions, categories, and subcategories relevant to CMS's business requirements, risk tolerance, and resources. These CSF profiles can describe the current state (the cybersecurity outcomes CMS is currently achieving) or the desired target state (the outcomes needed to achieve CMS's cybersecurity risk management goals) of CMS-specific cybersecurity activities.

CMS Discussion

The Prepare Step Task P-4 is optional. It addresses any specific needs that CMS has with regard to risk by adding or removing controls to accommodate CMS requirements while protecting its information in accordance with the assigned risk. It encourages the use of the NIST CSF profile created by CMS to help guide the tailoring process.

CMS implements the Security and Privacy Planning controls taken from NIST SP 800-53 Rev. 5 and tailored to the CMS environment within the Acceptable Risk Safeguards (ARS) 5.1, which define the CMS baseline of minimum information security and privacy assurance. These controls are based on internal CMS governance documents and on laws, regulations, and other authorities created by institutions external to CMS.

CMS also implements the Security and Privacy Handbooks that provide overall guidance on how to apply CMS policies and standards across many cybersecurity topics while considering CMS Mission and Business objectives. 

Task P-5 Common Control Identification 

Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems.

Potential Inputs

  • An inventory of organization information systems provides a centralized view of all the organization's information systems and their potential security needs. This enables the identification and selection of common controls that can be applied to multiple systems.
  • Current security and privacy controls and their implementation status provide a set of standardized controls that can be inherited by multiple information systems within an organization. They are crucial for identifying common controls and for assessing whether existing controls are operating as intended or require further development or improvement.

Expected Outputs 

  • A list of common control providers that can be used organization-wide and that are available for CMS systems to inherit.
  • Documentation for each common control, describing implementation details (including inputs, expected behavior, and expected outputs) like the system security and privacy plans (or equivalent document), and the systems that can inherit these controls.

CMS Discussion

The Prepare Step Task P-5 identifies, documents, and publishes common controls to appropriate personnel. If the control is used entirely by all systems, it is a common control. If the control isn't enough to meet the requirements, it may be supplemented by other controls and it becomes a hybrid control. If there are multiple controls, CMS specifies the common control provider and any important details about the controls provided (control providers are responsible for assessing, documenting, and/or providing implementation details for common controls).

CMS provides controls derived from NIST SP 800-53 Rev. 5 and the HHS IS2P control baselines in the CMS Acceptable Risk Safeguards (ARS) 5.1 and makes them available for inheritance by CMS systems. They serve as the starting point for determining the appropriate controls and countermeasures necessary to protect CMS information systems.

Task P-6 Impact-Level Prioritization (optional)

Prioritize organizational systems and assets based on their impact level, to aid in guiding resource allocation and risk management efforts. 

Potential Inputs

  • The organization's mission and business process information helps prioritize systems based on the potential impact a security breach could have on critical operations and business objectives. It is essential for determining which systems are most vital to the organization's mission and business functions and for the selection of security controls, as higher-impact systems will likely require more robust controls to mitigate risks.
  • Risk assessments and impact analyses provide a structured method to identify potential threats, evaluate their impact, and determine the likelihood of occurrence if a system is compromised. These analyses are essential for enabling organizations to categorize their systems into low, moderate, or high impact levels, which then informs their decision making regarding control selection and tailoring based on the identified risks.

Expected Outputs 

  • A prioritized list of information systems and assets categorized by their impact levels (e.g., low, moderate, high) allows CMS to focus on protecting the high-impact systems and assets that are critical to its mission, ensuring that the most significant risks are addressed first.
  • Guidelines for allocating resources based on the prioritization help identify critical projects and tasks and support proper allocation of resources, ensuring high-priority initiatives receive the most support while considering resource availability, cost-effectiveness, and potential impact on CMS's overall goals.

CMS Discussion 

The Prepare Step Task P-6 is optional and usually occurs after the Categorize Step Task C-1. To successfully complete this task, CMS has to first apply the high-water mark concept in accordance with FIPS 199 and FIPS 200, which labels system impact levels as low, moderate, or high.

This task helps to prioritize systems. The NIST Cybersecurity Framework (CSF) profile developed for CMS can help with the prioritization process.

Impact-level prioritization builds on security categorization, which describes the potential adverse impacts to CMS operations, assets, and individuals if CMS information and information systems are compromised through a loss of confidentiality, integrity, and/or availability (CIA). Using NIST SP 800-60 Volume 1 Rev. 1 as a guide, CMS has synthesized the information types that apply to CMS into nine (9) CMS information types. CMS prioritizes the systems that support its Mission Essential Functions (MEFs) and its Essential Supporting Activities (ESAs) while providing ARS 5.1 controls for all Low, Moderate, High, and HVA systems. Prioritization is based on each system's risk profile and vulnerability metrics, in direct correlation with the task's goal of impact-level prioritization based on risk.
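The high-water mark step described above, worked through in code: per-objective categorization across a system's information types, the overall FIPS 200 impact level, and a prioritized system list that puts HVA and MEF-supporting systems first. This is an added illustration, not CMS code or tooling; the systems, information types, and impact values are constructed sample data, and the nine CMS information types are not reproduced here since the page does not list them.

```python
"""FIPS 199 / FIPS 200 high-water-mark categorization and impact-level
prioritization of the kind described for Task P-6.

Added illustration, not CMS code. All systems, information types and
impact values below are constructed sample data.
"""
from dataclasses import dataclass

IMPACT_RANK = {"low": 0, "moderate": 1, "high": 2}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass
class InformationType:
    name: str
    # provisional impact per security objective, e.g. {"confidentiality": "moderate", ...}
    impact: dict


@dataclass
class System:
    name: str
    info_types: list
    supports_mef: bool = False   # supports a Mission Essential Function
    hva: bool = False            # designated High Value Asset


def high_water_mark(levels):
    """FIPS 199 high-water mark: the highest impact level among the inputs.

    Rejects an empty input or an unknown level rather than silently
    defaulting, so a system with no information types is flagged, not
    categorized as low.
    """
    levels = list(levels)
    if not levels:
        raise ValueError("no impact levels to compare")
    for lvl in levels:
        if lvl not in IMPACT_RANK:
            raise ValueError(f"unknown impact level: {lvl!r}")
    return max(levels, key=IMPACT_RANK.__getitem__)


def security_category(system):
    """Per-objective high-water mark across every information type the system handles."""
    return {
        obj: high_water_mark(it.impact[obj] for it in system.info_types)
        for obj in OBJECTIVES
    }


def overall_impact(system):
    """FIPS 200 overall system impact level: high-water mark across C, I and A."""
    return high_water_mark(security_category(system).values())


def prioritize(systems):
    """Order systems for resource allocation: HVA systems first, then systems
    supporting an MEF, then by overall impact level, then by name for a
    stable listing."""
    def key(s):
        return (not s.hva, not s.supports_mef, -IMPACT_RANK[overall_impact(s)], s.name)
    return sorted(systems, key=key)


# Constructed sample data (names and impact values invented for the example).
CLAIMS_DATA = InformationType(
    "claims records",
    {"confidentiality": "moderate", "integrity": "moderate", "availability": "low"})
PUBLIC_INFO = InformationType(
    "public web content",
    {"confidentiality": "low", "integrity": "moderate", "availability": "low"})
BENEFICIARY_PII = InformationType(
    "beneficiary PII",
    {"confidentiality": "high", "integrity": "moderate", "availability": "moderate"})

SAMPLE_SYSTEMS = [
    System("public-portal", [PUBLIC_INFO]),
    System("claims-processing", [CLAIMS_DATA, PUBLIC_INFO], supports_mef=True),
    System("beneficiary-db", [BENEFICIARY_PII, CLAIMS_DATA], hva=True),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_SYSTEMS):
        print(f"{s.name:18} SC={security_category(s)} overall={overall_impact(s)}")
```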

Cybersecurity Framework: ID.AM-5

Task P-7 Continuous Monitoring Strategy-Organization 

Develop and implement an organization-wide strategy for continuously monitoring control effectiveness.

Potential Inputs 

  • Risk management strategy and priorities provide an outline of how an organization will continuously monitor and address identified security risks across its systems. They enable organizations to monitor the security and privacy posture across the organization, and the effectiveness of controls implemented within or inherited by organizational systems, on an ongoing basis.
  • Previous assessments and reports on control effectiveness provide a baseline understanding of the current security posture. These reports enable organizations to identify areas needing improvement, track changes over time, and make informed decisions about risk mitigation, while ensuring implemented security controls remain effective over time.

Expected Outputs 

  • A comprehensive continuous monitoring strategy that includes mechanisms for assessing control effectiveness, reporting on security and privacy posture, and responding to changes in risk.
  • Plans for integrating continuous monitoring tools and processes into CMS operations.

CMS Discussion 

The Prepare Step Task P-7 is essential for establishing a plan to monitor the effectiveness of security and privacy controls. CMS complies with the HHS Information Security Continuous Monitoring (ISCM) strategy and further defines the control assessment frequencies within the CMS Acceptable Risk Safeguards (ARS). CMS maintains an ongoing awareness of information security, vulnerabilities, and threats to support its risk management decisions. This includes continuous visibility into the actions of users, applications, and devices through centralized log data collection. CMS implements a robust Continuous Diagnostics and Mitigation (CDM) Program and Security Control Assessments to determine whether a system's security and privacy controls are implemented correctly and operating effectively. CDM provides automated scanning capabilities and risk analysis that strengthen the security posture of CMS FISMA systems on an ongoing basis, enabling CMS to maintain situational awareness of its security and privacy posture and to respond in a timely way to emerging threats and vulnerabilities. CMS also uses asset inventories and vulnerability management scanning to keep tabs on both the resources that employees use (e.g. laptops) and the applications and infrastructure they rely on, as part of its effort to enhance its continuous monitoring program.

Cybersecurity Framework: DE.CM; ID.SC-4

Task P-8 Mission or Business Focus

Identify the missions, business functions, and mission/business processes that the information system is intended to support. 

Potential Inputs 

  • The organization's mission statements and business process documentation provide a clear understanding of its core purpose, goals, and operational procedures, which in turn informs the security controls needed to protect the information systems supporting those critical business processes. They are crucial for aligning system security requirements with the organization's primary goals and operations.
  • Current and future operational requirements identify and document the primary missions and business functions an information system is designed to support, both in its current state and for anticipated future needs. These requirements enable organizations to prioritize their security controls based on the criticality of their mission and business operations.

Expected Outputs 

  • Documentation linking information systems to mission and business processes identifies which system failures could most significantly disrupt CMS's mission-critical operations. This allows CMS to understand how critical information systems support its core functions, enabling it to prioritize risks based on their potential impact on achieving CMS's goals.
  • A prioritized list of system requirements based on mission and business importance allows CMS to allocate resources effectively by addressing the system requirements that have the most significant impact on achieving its core objectives, prioritizing the most critical functionality to mitigate potential risks that could hinder CMS's mission success.

CMS Discussion 

The RMF Prepare Step Task P-8 is crucial for identifying which part of CMS's mission or business the system is intended to support and for ensuring that CMS technology investments are directly tied to supporting its mission and business goals. CMS has established, and continues to support the development and maintenance of, Business Continuity Plans and Disaster Recovery Plans for the protection of systems and components that are tied to its Essential Supporting Activities (ESAs), so that CMS can perform its Mission Essential Functions (MEFs). For example, the CMS Continuity of Operations Plan (COOP), the Emergency Relocation Group (ERG), and the Devolution Emergency Response Group (DERG) all ensure the continuation of CMS essential functions.

CMS systems are required to have an Information System Contingency Plan (ISCP) in place to protect CMS from potential risks and ensure the continuity of its operations. Before creating or updating the ISCP, a Business Impact Analysis (BIA) must be performed. The Information System Security Officer (ISSO) works with the System/Business Owner to complete this BIA, assessing critical processes essential to system operations. Also, CMS requires its Business Owners (BO) to complete the Business Impact Analysis (BIA) every two (2) years to document the business impact of any service to CMS missions, business functions, and mission/business processes.

Cybersecurity Framework: Profile; Implementation Tiers; ID.BE

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-9 System Stakeholders

Identify stakeholders who have an interest in the design, development, implementation, assessment, operation, maintenance, or disposal of the system to ensure that their needs are considered in the system's risk management process.

Potential Inputs 

  • A list of systems and their functions within the organization is used to identify all key stakeholders involved with each system (including individuals, groups, or organizations that have an interest in, or decision-making responsibility for, the system throughout its lifecycle). It provides a clear understanding of how each system within the organization operates, allowing stakeholders to identify their individual roles, the potential impacts on their work, and how to interact effectively with the system to achieve desired outcomes.
  • Stakeholder analysis from previous projects or operational activities identifies individuals, groups, or organizations that have a common interest in the system being assessed, including those who may have been impacted by similar systems in the past. This analysis provides valuable insight into the needs, expectations, and potential concerns of the different groups affected by the system, and allows project teams to tailor their approach, manage risks proactively, and build stronger relationships with key stakeholders by understanding their past experiences and perspectives.

Expected Outputs

  • A comprehensive list of stakeholders for each system ensures the project is effectively managed and that all parties who are impacted by or have an interest in the system are identified. Their needs and concerns can be addressed throughout the development process, which ultimately leads to a more successful system implementation.
  • An engagement strategy outlining how stakeholders will be involved in the system's risk management process ensures that all relevant parties are aware of potential risks and can contribute their unique perspectives to identify and mitigate those risks. 

CMS Discussion 

The RMF Prepare Step Task P-9 is crucial for identifying stakeholders within CMS’s systems and documenting them. It ensures that stakeholders can communicate throughout the implementation of the RMF. These stakeholders could be individuals, organizations, or representatives.

The CMS IS2P2 Roles and Responsibilities section provides descriptions for the CMS personnel who are required to complete records such as the System Security and Privacy Plan (SSPP) generated by the CMS GRC tool, CFACTS.

CMS systems are encouraged to maintain a list of stakeholders in CFACTS, including any interconnecting systems and their stakeholders, under the Boundary tab, in order to improve stakeholder engagement in managing and documenting the risk management process of their systems.

Cybersecurity Framework: ID.AM; ID.BE

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-10 Asset Identification 

Identify assets that require protection, including the hardware, software, data, and personnel associated with CMS information systems.

Potential Inputs

  • An inventory of current system assets provides a comprehensive list of all the systems and devices within an organization, allowing accurate tracking of their location, condition, and usage. A proper inventory is essential for effective risk management, maintenance, security, and cost optimization of those assets.
  • Operational requirements and documentation identify and document the specific functional needs and capabilities a system must have to operate as intended. They are crucial for selecting appropriate security controls that align with the organization's operational requirements and for ensuring the system is designed and implemented to meet its intended purpose.

Expected Outputs 

  • An updated and comprehensive asset inventory for the system provides a complete picture of all assets within the system, supporting informed decision making regarding maintenance, security, resource allocation, and overall management of those assets. Without a detailed inventory, assets cannot be effectively tracked, monitored, or utilized, which is the primary goal of asset identification.
  • Categorization of assets based on their importance to CMS's mission and their sensitivity allows CMS to prioritize security efforts by allocating the most robust protections to the assets that would have the greatest impact if compromised. This can help effectively manage risk and ensure CMS mission-critical data is adequately safeguarded.

CMS Discussion 

The RMF Prepare Step Task P-10 is instrumental in identifying which assets need to be protected and documented.

The CMS Continuous Diagnostics and Mitigation (CDM) program maintains an automated authorized hardware and software inventory, including FISMA tagging, mapping, and asset discovery, as part of its Hardware Asset Management (HWAM) and Software Asset Management (SWAM) capabilities. The program is implemented in four (4) phases: what is on the network, who is on the network, what is happening on the network, and how the data is protected.

CMS system assets are identified using data analytics in Tableau and then pushed to CFACTS.

Cybersecurity Framework: ID.AM

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-11 Authorization Boundary

Determine the authorization boundary of the information system and delineate the components that are included within the system's authorization scope. Systems are encouraged to create a checklist or boundary diagram template for reporting systems/ISSOs to standardize the approach to determine and define the authorization boundary.

Potential Inputs

  • System architecture and design documentation sets the boundaries of an information system, outlining which components are within the scope of security protection and what is considered outside of the system. It is crucial for establishing the authorization boundary for a system and for precisely identifying which parts of the system need to be secured and managed under a specific authorization.
  • Integration and dependency information for interconnected systems describes how different subsystems or components are combined into a single, unified system that functions as one, and the extent to which those subsystems are interrelated, connected, and dependent upon one another. This information is vital for ensuring that the various software applications, hardware components, and network resources work together seamlessly.

Expected Outputs 

  • A clearly defined authorization boundary document ensures that all relevant security controls are implemented within the boundary. This includes any hardware, software, networks, and data that are part of the system.
  • Diagrams or other visual representations of the system boundary provide a clear visual representation of the system's components, data flows, and connections to external systems. This can help identify potential security vulnerabilities and ensure that all relevant aspects of the system are considered during the authorization process.

CMS Discussion 

The RMF Prepare Step Task P-11 is crucial for determining the scope of protection for information systems and documenting the authorization boundary. The Authorizing Official (AO) determines what that boundary is, with input from the system owner.

CMS implements an Ongoing Authorization (OA) program and follows the Federal Risk and Authorization Management Program (FedRAMP), each of which defines the scope of a particular system so that it can be continuously managed and monitored. The OA program supports the FISMA authorization system boundary, which can include one or more cloud offerings, while a FedRAMP authorization boundary is exclusively for cloud service offerings and may include the full stack (infrastructure, platform, and software) or just parts of it. The authorization boundary is defined in the Boundary tab for each system within CFACTS.

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-12 Information Types

Identify the types of information to be processed, stored, and transmitted by the information system to determine the appropriate levels of protection.

Potential Inputs 

  • Data classification and categorization policies identify and define the different types of information handled by a system. Systems are then able to identify and protect sensitive information by categorizing data based on its Confidentiality, Integrity, and Availability (CIA) impact levels while ensuring appropriate security measures are applied to each data type. This helps to minimize the risk of data breaches and facilitates compliance with relevant regulations such as GDPR and HIPAA.
  • Legal and regulatory requirements impacting data identify and document all applicable laws and regulations that govern the type of data a system processes, stores, or transmits, ensuring the organization adheres to these legal mandates when handling sensitive information and mitigating potential compliance risks. These requirements are key for data classification and for protecting individuals' sensitive data from misuse, breaches, and unauthorized access.

Expected Outputs 

  • A list of information types categorized by sensitivity and impact allows CMS to effectively identify and protect its most critical data by applying appropriate security measures based on how sensitive the information is and what potential damage its disclosure could cause.
  • Documentation of protection requirements for each information type ensures effective data protection and compliance with relevant regulations by providing a clear understanding of the specific security controls needed to safeguard different types of data. CMS is then able to tailor its security measures to the unique risks associated with each information category. 

CMS Discussion

The RMF Prepare Step Task P-12 is essential for identifying and documenting the different types of information that go through the system.

CMS provides the Watch and Learn: System Categorization in CFACTS guidance to help systems complete their FIPS 199 security categorization in CFACTS. Information types are categorized based on security and privacy considerations, as determined by the CMS Policy team, and documented in CFACTS. The CMS Office of Strategic Operations and Regulatory Affairs (OSORA) (OSORA_Regs_Scheduling@cms.hhs.gov) and CMS Records Retention (Records_Retention@cms.hhs.gov) offer guidance on the protection and retention of all CMS data.

Also, the National Archives and Records Administration (NARA) Controlled Unclassified Information (CUI) program provides overall guidance on what information must be protected.

Cybersecurity Framework: ID.AM-5

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate
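As an added illustration of the FIPS 199 categorization described above (this is example code written for this page, not CMS's CFACTS tooling), the following Python script applies the FIPS 199 high-water-mark rule: each security objective for the system is set to the highest impact level found among all information types the system handles, and the overall system impact is the highest of the three objectives. The information types, their impact levels, and the function names are assumptions constructed for illustration only; real values come from NIST SP 800-60 and the system's own CFACTS record.

```python
"""FIPS 199 security categorization by high-water mark.

Added example for illustration; not CMS's CFACTS tooling. The information
types and impact levels below are constructed (assumption), not values
taken from NIST SP 800-60 or from any CMS system record.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in ascending order, so max() yields the high-water mark.
# "not applicable" is permitted by FIPS 199 only for the confidentiality of
# public information; integrity and availability must be low, moderate, or high.
LEVELS = ("not applicable", "low", "moderate", "high")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional CIA impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self) -> None:
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in RANK:
                raise ValueError(f"{self.name}: invalid {objective} level {level!r}")
            if level == "not applicable" and objective != "confidentiality":
                raise ValueError(f"{self.name}: 'not applicable' is only allowed for confidentiality")


def categorize(info_types):
    """Return the system categorization as {objective: impact level}.

    For each objective the system inherits the highest impact level among
    the information types it processes, stores, or transmits (FIPS 199).
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    return {
        objective: max((getattr(t, objective) for t in info_types), key=RANK.__getitem__)
        for objective in OBJECTIVES
    }


def overall_impact(categorization):
    """Overall system impact level: the highest of the three objectives.

    This is the value used to pick the low/moderate/high control baseline.
    """
    return max(categorization.values(), key=RANK.__getitem__)


def format_sc(categorization):
    """Render in FIPS 199 notation: SC = {(confidentiality, X), (integrity, Y), (availability, Z)}."""
    parts = ", ".join(f"({k}, {v.upper()})" for k, v in categorization.items())
    return f"SC = {{{parts}}}"


# Constructed sample (assumption): a hypothetical claims system handling PHI,
# provider enrollment data, and public reference data.
SAMPLE_INFO_TYPES = [
    InfoType("beneficiary health records (PHI)", "high", "moderate", "moderate"),
    InfoType("provider enrollment data", "moderate", "moderate", "low"),
    InfoType("public fee schedules", "not applicable", "moderate", "low"),
]

if __name__ == "__main__":
    sc = categorize(SAMPLE_INFO_TYPES)
    print(format_sc(sc))  # SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)}
    print("overall impact:", overall_impact(sc))  # overall impact: high
```

Note that the high-water mark is a floor, not a ceiling: privacy considerations or an AO decision can raise an objective's level above what the information types alone dictate, which is why the page has the CMS Policy team confirm categorizations in CFACTS rather than leaving it to arithmetic.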

Task P-13 Information Life Cycle 

Identify and understand all stages of the information life cycle (from creation to final disposition) for each information type processed, stored, or transmitted by the information system. Understanding the information life cycle is vital for the design and evaluation of information systems, because the controls for each stage of the life cycle are linked to the corresponding CMS TLC phase.

Potential Inputs 

  • Data management policies and procedures provide a clear understanding of how data flows through a system, where it is stored at each stage, and how long it needs to be retained. These policies and procedures are essential for managing data quality, security, compliance, and efficient retrieval throughout its lifecycle, from creation to disposal.
  • System documentation outlining data flows and storage provides a clear understanding of all stages of the information life cycle for each type of data processed, stored, or transmitted by the system. This allows systems to carry out a comprehensive assessment of the security risks associated with that data throughout its life cycle, and it is crucial for determining where and how sensitive information is handled within the system so that appropriate security controls can be implemented.

Expected Outputs 

  • A detailed understanding of the information life cycle for each type of data the system handles allows CMS to manage data effectively throughout its life cycle, ensuring proper storage, access, security, and disposal. This minimizes risk, optimizes data usage, and supports compliance with relevant regulations by establishing when and how to retire outdated data.
  • Identification of security and privacy controls needed at each stage of the life cycle ensures that data is protected throughout its entire existence, from creation to disposal, by addressing potential vulnerabilities specific to each phase, minimizing risk, and maximizing data integrity throughout the process. 

CMS Discussion 

The RMF Prepare Step Task P-13 is crucial for identifying all of the stages in the life cycle of all the types of information that go through the system.

The CMS Office of Strategic Operations and Regulatory Affairs (OSORA) provides guidance on the information life cycle for CMS systems, and the Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards that must be followed by all CMS systems. Together they help identify potential vulnerabilities and ensure that data is protected appropriately at every stage. The information life cycle task is especially important for systems handling sensitive or regulated data, as it underpins compliance with data protection laws and policies.

Cybersecurity Framework: ID.AM-3; ID.AM-4

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-14 Risk Assessment - System 

Conduct a system-level risk assessment to identify, prioritize, and document risks associated with the operation and use of the system. Update the risk assessment results on an ongoing basis.

Potential Inputs 

  • System documentation describes the system's architecture, components, data flows, and environment of operation. It supplies the context needed to identify threats and vulnerabilities, estimate the likelihood of occurrence and potential impact, and support risk mitigation strategies and authorization decisions.
  • Previous risk assessments and relevant security and privacy incident reports provide detailed insight about past vulnerabilities, threats, and incidents. These reports allow systems to identify recurring patterns, understand the likelihood of similar events happening again, and proactively implement mitigation strategies to prevent future issues.

Expected Outputs 

  • A comprehensive risk assessment report for the system clearly outlines all identified risks, analyzes their likelihood of occurrence and potential impact, and provides actionable mitigation strategies, enabling informed decision-making and effective risk management within the organization.
  • An action plan for addressing identified risks provides a concrete roadmap for mitigating or managing potential risks, outlining specific steps, responsible parties, timelines, and necessary resources to actively address each identified risk.

CMS Discussion 

The RMF Prepare Step Task P-14 is crucial for conducting the system-level risk assessment and updating its results on an ongoing basis. CMS Risk Management and Reporting provides information on potential security and privacy risks to CMS information and systems. The CMS Cyber Risk Management Plan lays the foundation for modernizing CMS' approach to identifying and mitigating the security and privacy risks associated with operating CMS FISMA systems. CMS implements a Cybersecurity and Risk Assessment Program (CSRAP) for CMS FISMA systems that aligns with ISPG strategies and the strategic goal of risk-based program management. The CMS Information System Risk Assessment (ISRA) documents the overall risk to a system and potential risk reduction strategies.

CMS tracks corrective action in a Plan of Action and Milestones (POA&M), a roadmap of system weaknesses and the resources required to fix them, which is required whenever an audit or assessment reveals a weakness in security controls. Risk assessments at CMS are conducted and tracked within CFACTS, a direct application of this task at the system level.

Cybersecurity Framework:  ID.RA; ID.SC-2

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-15 Requirements Definitions 

Define the security and privacy requirements specific to the system and its environment of operation that are necessary to mitigate identified risks and to comply with CMS policies and federal regulations.

Potential Inputs

  • A risk assessment report documents the identified threats, vulnerabilities, and potential impacts for a system. It enables the system team to design and implement solutions that mitigate those risks, addressing potential problems early in development and producing a more robust and reliable system that operates at an acceptable level of security.
  • Applicable laws, regulations, and organization policies serve as the foundation for defining the security and privacy requirements for a system. These policies are vital for ensuring that organization systems operate legally, ethically, and protect customers, employees, and the environment. 

Expected Outputs 

  • A documented set of security and privacy requirements for the system ensures that the system being developed is designed with robust safeguards in place to protect sensitive data, mitigate potential cyber threats, and comply with relevant privacy regulations.
  • A plan for implementing the necessary controls to meet these requirements explains how each requirement will be satisfied by the controls to be implemented. It bridges the gap between stating what is needed and providing a roadmap for achieving compliance and mitigating risk.

CMS Discussion 

The RMF Prepare Step Task P-15 is crucial for defining the security and privacy requirements for the system. CMS implements Security and Privacy Planning controls that guide development of the System Security and Privacy Plan (SSPP) within CFACTS, which relates the CMS security requirements defined in the CMS IS2P2 to the security controls and control enhancements outlined in the CMS ARS 5.1. The CMS Security and Privacy Language for Information and Information Technology helps the CISO Team and procurement personnel determine what security and privacy requirements should be written into a contract before a contractor operates in the CMS environment.

Cybersecurity Framework:  ID.GV; PR.IP

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-16 Enterprise Architecture 

Determine the placement of the system within the enterprise architecture so that the system's architecture is aligned with CMS's enterprise architecture to support efficient and secure integration and operation within the organization's IT environment.

Potential Inputs 

  • The organization's enterprise architecture documentation provides a comprehensive design layout of the system's placement within the broader organizational infrastructure. This enables an informed risk assessment and security control selection process by understanding how the system interacts with other components and systems across the organization.
  • Security and privacy policies and standards provide the foundation for selecting and implementing appropriate controls to address identified risks. These policies and standards are crucial for safeguarding sensitive data and operations while ensuring that an organization's systems and information are protected at an acceptable level of security and privacy.

Expected Outputs 

  • Documentation confirming the system's alignment with CMS's enterprise architecture serves as a critical verification tool to demonstrate that new systems are adhering to CMS established architectural guidelines and standards, and ensuring that all CMS’s IT systems and initiatives are strategically aligned with its overall business goals.
  • Identified opportunities for integration and optimization within the enterprise architecture provide a complete view of CMS's systems and processes, allowing architects to pinpoint areas where different systems can be better integrated and streamlined. It analyzes CMS’s enterprise architecture to find ways to improve its functionality by connecting systems more effectively and eliminating inefficiencies. 

CMS Discussion 

The RMF Prepare Step Task P-16 is important in ensuring the system is well placed within the enterprise architecture and running as effectively, efficiently, and cost effectively as possible while helping to minimize security and privacy risk.

The CMS Technical Reference Architecture (TRA) provides the authoritative technical architecture approach and technical reference standards for all CMS information technology (IT) systems. It defines the infrastructure requirements needed to support and secure high-quality delivery of healthcare services to beneficiaries, providers, and business partners, including alignment of CMS systems with the Federal Enterprise Architecture Framework (FEAF).

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-17 Requirements Allocation 

Allocate the defined security and privacy requirements to specific system components, processes and environment of operation to ensure comprehensive coverage across the system.

Potential Inputs

  • Security and privacy requirements documentation detail the specific security and privacy requirements that need to be applied to a system and its operating environment. These requirements are crucial for providing a clear roadmap for selecting and implementing security controls.
  • System design and architecture information provide insight on how a system is built or will be structured, allowing for the precise mapping of individual requirements to specific components or subsystems within the system architecture. This information ensures that each functional need is addressed by the most appropriate part of the system and facilitates efficient development and implementation of appropriate security controls based on the system's architecture and functionality.

Expected Outputs 

  • A mapping of security and privacy requirements to specific system components or processes defines where and how each security and privacy requirement will be implemented within the system, to ensure every aspect of the system is addressed with appropriate security controls.
  • An implementation plan detailing how each requirement will be met explains where controls will be implemented. It also helps streamline the risk management process by ensuring that requirements are not implemented on multiple systems or system elements when implementation of a common control or a system-level control on a specific system element provides the needed protection capability. 

CMS Discussion

The RMF Prepare Step Task P-17 is key to allocating security and privacy requirements. It guides and informs control selection and implementation for CMS systems, system elements, and their environment of operation.

CMS implements System and Services Acquisition controls that require information security and privacy requirements for an information system or system service to be determined during mission/business process planning, and the resources required to protect the system or service to be documented and allocated. In addition, the controls for each stage of the information life cycle are identified by their linked TLC phase, which supports allocating security and privacy requirements to specific system components or processes.

Cybersecurity Framework:  ID.GV

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

Task P-18 System Registration

Register the information system within CMS's IT environment to formalize its status and ensure it is recognized and managed as part of the organization's portfolio of information systems.

Potential Inputs 

  • System documentation provides a comprehensive record of the system's details, allowing for proper management, accountability, coordination, and oversight throughout the RMF process, including risk assessment, control selection, and authorization decisions based on the system's characteristics and information handling practices.
  • Information from previous tasks provides a comprehensive understanding of the system's characteristics, security posture, and potential risks. This information is key to enabling a more informed and thorough system registration, allowing for better management, accountability, and oversight of the system throughout its lifecycle.

Expected Outputs 

  • Official registration of the system within CMS's IT portfolio documents the existence of the system within CMS, allowing proper tracking, risk assessment, and management oversight of its security and privacy posture, and ensuring that all systems are accounted for and subject to CMS's security policies and procedures.
  • Documentation acknowledging the system's registration and outlining any conditions or requirements for operation and maintenance within CMS. 

CMS Discussion

The RMF Prepare Step Task P-18 is crucial for registering the system with CMS program/management offices. It informs CMS of plans to develop the system, as well as key characteristics and security and privacy implications from using the system.

CMS implements a Security and Privacy Planning (PL) handbook that provides the privacy and security requirements used during a new Authorization to Operate (ATO) cycle to document system security compliance, as enforced by the CMS Chief Information Security Officer (CISO). CMS also implements the CMS Target Life Cycle (TLC), a governance framework enforced by the CMS Office of Information Technology (OIT) that provides overall guidance for developing and maintaining IT solutions through four phases: Initiate, Develop, Operate, and Retire. The CMS Technical Review Board (TRB) also provides the system architecture and infrastructure requirements with which all CMS systems must be compliant, as described in the Technical Reference Architecture (TRA).

Cybersecurity Framework:  ID.GV

TLC Cycle Phase: New systems – Initiate; Existing systems – Operate

 

Use the discussion section to provide specific information where relevant.

In Task P-1, CMS identifies and assigns individuals to critical roles to manage security and privacy risks, establishing accountability and aligning responsibilities with CMS’s mission and objectives. 

The main outcome is a clear list of roles and responsibilities for each area of risk management, as specified in CMS IS2P2, Section 7, and automatically included in CFACTS to ensure proper role assignment and tracking for each security task. Key roles include: 

CMS Administrator: Provides executive oversight, ensuring risk governance aligns with CMS’s mission and strategic goals.

Chief Information Officer (CIO): Directs IT and risk management strategies to meet CMS objectives and regulatory requirements.

Chief Information Security Officer (CISO): Leads the agency-wide information security program, establishing policies and procedures that reinforce CMS’s security posture and compliance.

System Level Prepare Tasks: Great information in these sections. Consider highlighting main or key actions stakeholders need to be aware of. For example, in Task P-8 a key action could be making sure the system's contingency and disaster recovery plans are updated/reviewed annually.

Update Contingency Plan to Information System Contingency Plan (ISCP).

Before creating or updating the Information System Contingency Plan (ISCP), a Business Impact Analysis (BIA) must be performed. The Information System Security Officer (ISSO) works with the System/Business Owner to complete this BIA, assessing critical processes essential to system operations.