Skip to main content

CMS Risk Management Framework (RMF): Select Step

Select, tailor, and document the controls necessary to protect the CMS information system

Last reviewed: 12/5/2024

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Related Resources

CMS Risk Management Framework (RMF)
National Institute of Standards and Technology (NIST)

What is the Risk Management Framework (RMF)?

The National Institute of Standards and Technology (NIST) created the RMF to provide a structured, flexible process to manage risk throughout a system’s life cycle. Using the RMF process helps CMS authorize and monitor our information systems and keep them safe.

The RMF is made up of 7 steps:

What is the Select step?

The purpose of the Select step is to select, tailor, and document the controls necessary to protect the information system and organization.

This protection should be commensurate with risk to organizational operations and assets, individuals, other organizations, and the nation.

Task S-1: Control selection

Select the controls for the system and the environment of operation, ensuring they are aligned with identified risks and organizational requirements.

Potential Inputs:

  • The security categorization input involves classifying the system based on its impact level, such as low, moderate, or high. Security categorization helps determine the appropriate level of security controls needed to protect the system and its assets.
  • The risk assessment results provide insight into the threats, vulnerabilities, and potential impacts associated with the system. These results guide the selection of controls by identifying areas of highest risk that require mitigation
  • The system element information is detailed information about the components, subsystems, or elements comprising the system. Understanding the system's architecture and functionalities is crucial for selecting controls that adequately protect all system elements.
  • The security and privacy requirements are specific measures mandated by regulations, standards, organizational policies, or contractual agreements. Control selection must align with these requirements to ensure compliance and mitigate associated risks.
  • The contractual requirements are security and privacy stipulations outlined in contracts with external parties, such as vendors or service providers. These requirements impact control selection and implementation, as failure to comply may result in contractual breaches or legal consequences.
  • The business impact analysis or criticality analysis input involves evaluating the potential impact of security incidents or disruptions on business operations. Understanding the criticality of system components helps prioritize control selection efforts and allocate resources effectively.
  • The risk management strategy is the organization's approach to identifying, assessing, and mitigating risks. The risk management strategy informs control selection decisions by providing overarching guidance on risk tolerance levels and mitigation priorities.
  • The organizational security and privacy policy is the established policies and guidelines governing security and privacy practices within the organization. These policies influence control selection by defining the organization's security objectives, requirements, and acceptable practices.
  • The approved baselines or overlays are pre-defined sets of controls or additional requirements specified by regulatory bodies or industry standards. Baselines serve as reference frameworks for control selection, providing a structured approach to addressing common security and privacy concerns.

Expected Outputs:

The primary output of Task S-1 is the selection of controls tailored to the system and its environment of operation. These controls should reflect the identified risks, security categorization, and organizational requirements, ensuring comprehensive protection for the system and its assets.

Discussion:

For each information system, the appropriate baseline of security controls is automatically allocated by CFACTS based on its defined security category. The security category must be completed before tailoring the security controls.

Control selection is not a one-time process. It should be continuously reviewed and updated. Regular monitoring of controls ensures that they remain effective in mitigating risks and addressing new threats.

It's essential to establish processes for ongoing monitoring and periodic review of control effectiveness.

For more information on the control selection process, please see the Security & Privacy Planning (PL) page.

Cybersecurity Framework: Profile

TLC Cycle Phase:

Task S-2: Control tailoring

Tailor the controls selected for the system and the environment of operation to ensure they effectively address specific mission or business needs, threats, security and privacy risks, and system characteristics.

Tailoring controls involves adjusting their implementation details, scope, or intensity based on various factors, such as mission or business functions, identified threats and vulnerabilities, system type, and risk tolerance levels.

Potential Inputs:

  • The initial control baselines are the initial set of controls selected in Task S-1 provides the foundation for tailoring efforts. These baselines serve as a starting point for customization.
  • The organization- and system-level risk assessment results findings inform the tailoring process by identifying specific threats, vulnerabilities, and risks that need to be addressed through control customization
  • The system element information is detailed information about the components, subsystems, or elements comprising the system. This information helps in understanding the system's architecture and functionalities, enabling more effective tailoring of controls
  • The system component inventory is comprehensive inventory of system components provides insight into the various assets and resources that need to be protected. This inventory guides control tailoring efforts by identifying critical components that require enhanced protection.
  • The list of security and privacy requirements as well as any specific contractual obligations, serve as guiding principles for control tailoring. Controls are customized to meet these requirements effectively.

Expected Outputs:

The primary output of Task S-2 is a list of tailored controls for the system and its operating environment. These tailored controls reflect adjustments made to the initial set of controls to better address the organization's specific needs and risk landscape.

Discussion:

The process for tailoring of security controls can be done in CFACTS.

The System Owner plays a key role in overseeing the tailoring process. They are responsible for understanding the system's requirements, risk landscape, and operational needs, ensuring that tailored controls effectively meet these objectives.

The Common Control Provider is responsible for implementing, assessing, and monitoring common controls across multiple systems. They contribute to tailoring efforts by adjusting common controls to suit the specific needs of the system and its environment of operation.

The Authorizing Official (AO) or Authorizing Designated Representative is responsible for providing oversight and approval of the tailored controls. They ensure that the selected controls adequately address organizational requirements and align with risk management objectives.

Please see the Security & Privacy Planning (PL) page for the CMS-specific process for tailoring the initial baseline of security controls in CFACTS.

Cybersecurity Framework: Profile

TLC Cycle Phase:

Task S-3: Control allocation

Task S-3 involves allocating security and privacy controls to the system and its environment of operation, ensuring that controls are appropriately designated as system-specific, hybrid, or common and assigned to relevant system elements.

Control allocation ensures that the selected controls are applied to the appropriate system elements to provide adequate protection against identified risks and threats. Controls may be designated as system-specific, hybrid, or common based on their applicability to the system and their potential for inheritance by other systems.

Potential Inputs:

  • The security categorization of the system is based on its potential impact on organizational operations, assets, and individuals. Security categorization helps determine the appropriate level of controls needed for the system.
  • The organization- and system-level risk assessment results provide insight into the specific threats, vulnerabilities, and risks that need to be addressed through control allocation.
  • Understanding the organizations enterprise architecture helps ensure that control allocation aligns with the overall structure and objectives of the organization's IT environment.
  • The security and privacy architectures create frameworks detailing the organization's security and privacy requirements and strategies guide control allocation efforts.
  • The list of security and privacy requirements serves as the basis for control allocation decisions, ensuring that controls are aligned with organizational objectives.

Expected Outputs:

The primary output of Task S-3 is a list of security and privacy controls allocated to the system, its elements, and the environment of operation. These allocated controls specify which controls are assigned to specific system components and how they are implemented.

Discussion:

Control allocation ensures that security and privacy controls are allocated efficiently to the system elements that require them most, optimizing resource allocation and minimizing unnecessary overhead.

By allocating controls to specific system elements, organizations can ensure that critical assets and resources are adequately protected against identified risks and threats, enhancing overall security posture.

Control allocation ensures that controls are allocated in a manner that aligns with regulatory requirements and industry standards, helping organizations maintain compliance and avoid potential penalties or fines.

Control allocation is not a one-time process but should be continuously monitored and reviewed to ensure that controls remain effective over time. Organizations should establish mechanisms for ongoing monitoring and evaluation of control effectiveness to adapt to evolving threats and risks.

The process of control allocation can be done in CFACTS. Please see Security & Privacy Planning (PL) for the CMS specific process for control allocation in CFACTS.

Cybersecurity Framework:PR.IP, Profile

TLC Cycle Phase:

Task S-4: Documentation of planned control implementations

Task S-4 involves documenting the controls selected for the system and its environment of operation in security and privacy plans. This documentation provides an overview of the security and privacy requirements for the system and outlines the intended application of each selected control in the context of the system, providing a sufficient level of detail to correctly implement the control and assess its effectiveness.

Potential Inputs:

  • Security Categorization: The classification of the system based on its potential impact on organizational operations, assets, and individuals. Security categorization helps determine the appropriate level of controls needed for the system.
  • Organization- and System-Level Risk Assessment Results: Risk assessment findings provide insight into the specific threats, vulnerabilities, and risks that need to be addressed through control implementation.
  • System Element Information: Details about the system's components, architecture, and operational characteristics. This information helps determine which controls are necessary and how they should be implemented.
  • System Component Inventory: A comprehensive inventory of system components and assets. This inventory helps ensure that all components are adequately protected by the selected controls.
  • Business Impact or Criticality Analysis: Analysis of the system's importance to organizational operations and the potential impact of security incidents. This analysis helps prioritize controls and allocate resources effectively.
  • List of Security and Privacy Requirements: The organization's security and privacy requirements serve as the basis for selecting and implementing controls. These requirements ensure that controls are aligned with organizational objectives and compliance requirements.

Expected Outputs:

The primary output of Task S-4 are the security and privacy plans for the system. These plans provide an overview of the security and privacy requirements, as well as the controls selected to satisfy these requirements.

Discussion:

The System Security and privacy plan (SSPP) for the system are located in CFACTS.

The SSPP is completed by the System/Business Owner, who will secure the appropriate information related to the system’s security and privacy controls.

The Common Control Provider is responsible for implementing, assessing, and monitoring common controls that are inherited by organizational systems. They collaborate with the System Owner to ensure that common controls are appropriately documented in the security and privacy plans.

Directions on how to complete the SSPP are located in the SSPP page.

Cybersecurity Framework:Profile

TLC Cycle Phase:

Task S-5: System-level continuous monitoring strategy

Task S-5 involves developing and implementing a system-level strategy for monitoring control effectiveness. This strategy supplements the organizational continuous monitoring strategy and ensures ongoing assessment of controls post-implementation.

Potential Inputs:

  • Organizational Risk Management Strategy: The organization's risk management strategy provides guidance on the identification, assessment, and mitigation of risks. It informs the development of the continuous monitoring strategy to ensure that control effectiveness is monitored in alignment with organizational risk priorities.
  • Organizational Continuous Monitoring Strategy: The organizational continuous monitoring strategy outlines the approach for monitoring control effectiveness across the organization. The system-level strategy supplements and aligns with this overarching strategy.
  • Organization- and System-Level Risk Assessment Results: Risk assessment findings inform the development of the continuous monitoring strategy by identifying relevant threats, vulnerabilities, and risks that need to be monitored post-implementation.
  • Security and Privacy Plans: The security and privacy plans for the system provide details about the selected controls and their intended application. These plans serve as a basis for determining the criteria for monitoring control effectiveness.

Expected Outputs:

The primary output of Task S-5 is a continuous monitoring strategy for the system, including time-based triggers for ongoing authorization.

This strategy outlines the criteria for determining the frequency with which controls are monitored post-implementation and the plan for the ongoing assessment of those controls.

Discussion:

At CMS, Continuous Diagnostics and Mitigation (CDM) helps strengthen the cybersecurity of government networks and systems by providing automated scanning and analysis of risk. CDM tools are used at CMS to support the overarching Cyber Risk Management Program, which focuses on proactive, risk-based decision making.

For more information on CDM efforts at CMS, please see the CDM page.

Cybersecurity Framework:ID.GV; DE.CM

TLC Cycle Phase:

Task S-6: Plan review and approval

Task S-6 involves reviewing and approving the security and privacy plans for the system and its environment of operation. This ensures that the plans are complete, consistent, and satisfy the stated security and privacy requirements for the system.

Potential Inputs:

  • The security and privacy plans for the system serve as the primary input for Task S-6. These plans outline the selected controls and their intended application to meet security and privacy requirements.
  • The organization- and system-level risk assessment results provide context for reviewing the security and privacy plans. They help ensure that the selected controls effectively mitigate identified risks and vulnerabilities.

Expected Outputs:

The primary output of Task S-6 is the approval of the security and privacy plans by the authorizing official or designated representative. This approval signifies that the plans are acceptable and can proceed to the next phase of the RMF process.

Discussion:

Every information system operated by or on behalf of the U.S. federal government is required to meet FISMA standards, which includes an Authorization to Operate (ATO) signed by an Authorizing Official (AO) or Authorizing Official Designated Representative.

This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.

The System Security and privacy plans for the system are reviewed and approved in CFACTS.

Cybersecurity Framework:N/A

TLC Cycle Phase: