
RM Guidelines for the Risk Assessment Control (RA)

Contact: ISPG Policy Team

Last Reviewed: 5/7/2025

These Risk Management (RM) guidelines identify the policies and standards for the Risk Assessment (RA) family of controls.

Risk Assessment (RA) Informational Guide 

Risk Assessment is the process of evaluating how well an organization's defenses hold up against potential threats. It identifies vulnerabilities, estimates the likelihood and impact of each threat exploiting them, and prioritizes the resulting risks to organizational operations (i.e., mission, functions, image and reputation), organizational assets and individuals that arise from operating its information systems and from the processing, storage or transmission of information by those systems.

This program information guide explains how CMS identifies, estimates and prioritizes risks to CMS operations, assets and individuals arising from its information systems and associated data processing, while adhering to all applicable federal laws and regulations, including the security requirements for Risk Assessment recommended by NIST SP 800-30 Rev. 1.

As a fundamental component of the CMS enterprise-wide risk management process, risk assessment incorporates threat and vulnerability analyses and accounts for the mitigations provided by security and privacy controls that are planned or already in place. Its purpose is to ensure CMS's resilience and sustainability, to inform decision-makers, and to support risk responses by characterizing the relevant threats, vulnerabilities, predisposing conditions, likelihood of occurrence and potential impacts.

To begin the risk assessment process for any CMS FISMA system, see the CMS Cyber Risk Management Plan (CRMP) and the Cybersecurity and Risk Assessment Program (CSRAP). Both define frameworks and associated processes designed to continuously monitor, assess and mitigate risk while aligning with federal guidelines and best practices in support of CMS's mission and business functions.

Risk assessment is a critical component of the Authorization to Operate (ATO) process, and CMS follows a structured approach to it that emphasizes collaboration among stakeholders to ensure effective risk management. The CSRAP process enables CMS to determine the overall security and privacy posture of a system throughout its Target Life Cycle (TLC), including the frequency and scope of the risk assessment. The Information System Risk Assessment (ISRA) then documents the overall risk to the system and the potential risk reduction strategies, helping System/Business Owners (SO/BO) decide, on an ongoing basis, which tools and countermeasures to apply to the identified risks.

To further address the security requirements for RA, CMS provides security categorization guidance in the CMS Risk Management Framework (RMF) under the RMF Categorize step. Categorization lets systems describe the potential adverse impact on CMS operations, assets and individuals if CMS information or information systems are compromised through a loss of confidentiality, integrity and/or availability (CIA).

For guidance on supply chain risk assessment, see the CMS Supply Chain Risk Management (SCRM) guidance. CMS guidance on the vulnerability monitoring and scanning security requirements can be found in the CMS Continuous Diagnostics and Mitigation (CDM) Program and in the CMS Cyber Risk Management Plan (CRMP).

CMS provides guidance on the discoverable information security requirement in the CMS Pen Test/Red Team and VAT Penetration Testing (PenTesting) guidance and in the CMS Cybersecurity Integration Center (CCIC) Red Team Engagements. To meet the security requirement for automated trend analysis, the CMS Vulnerability Analysis Team provides vulnerability telemetry derived from trend data over time and from identified patterns of attack.

CMS has published Access Control (AC) guidelines that stakeholders can draw on to satisfy the privileged access security requirement for their systems. In addition, CMS has established a Vulnerability Disclosure Policy as part of its Public Disclosure Program, which creates a reporting channel for receiving reports of vulnerabilities in CMS systems and system components.

To meet the security requirements for risk response, the CMS CRMP outlines the strategy for managing and responding to risk that CMS system stakeholders may use, along with other risk analysis methodologies, including Root Cause Analysis. Based on the results of the analysis, the SO/BO and other system stakeholders either deem the risk "acceptable" and document the justification in a Risk-Based Decision (RBD), or deem it "unacceptable" and create a risk mitigation strategy as part of a Corrective Action Plan (CAP).

To understand how Personally Identifiable Information (PII) is collected, used, shared and maintained within CMS, to confirm that its handling conforms to applicable privacy requirements, to determine the privacy risks associated with an information system or activity, and to evaluate ways to mitigate those risks, see the CMS Privacy Impact Assessments (PIA) Handbook.

CMS carries out criticality analysis of its system components, functions and services to identify those that require significant protection. Criticality analysis is a key principle of supply chain risk management and informs the prioritization of protection activities.

CMS has established a Business Process Analysis (BPA) and a Business Impact Analysis (BIA) that are used to identify CMS Mission Essential Functions (MEFs), a critical step in developing a comprehensive Continuity Program.

CMS responds to risk by actively identifying, assessing and mitigating potential threats through a comprehensive risk management framework that includes continuous monitoring, ongoing authorization processes and proactive measures to address vulnerabilities across CMS systems, with remediation efforts prioritized by the severity of the identified risks.

For additional information on RA, or to schedule assessments or testing at CMS, contact CSRAP@cms.hhs.gov.