
Published: 1/16/2025

Announcing a step-by-step guide to the CMS Risk Management Framework

by Policy

The Risk Management Framework from NIST is a vital part of security and privacy at CMS. Here’s your guide to applying the RMF throughout the system life cycle.

What is the RMF?

The Risk Management Framework (RMF) from NIST provides a structured yet flexible process for managing risk throughout a system’s life cycle. It plays a key role in the steps we take at CMS to authorize and continuously monitor our information systems and keep them safe. The specific ways we apply these steps at CMS are known as the CMS Risk Management Framework (RMF).

The RMF is embedded in the ATO process. It is also reflected in CFACTS, the tool used at CMS for Governance, Risk, and Compliance (GRC).

Who uses the RMF?

System Security and Privacy Officers, along with their Business Owners, should be familiar with the RMF and its role in managing risk throughout the system life cycle.

Your step-by-step guide to the CMS RMF

In November 2024, the ISPG Policy Team published a series of pages on CyberGeek (security.cms.gov) that provide an overview of the CMS Risk Management Framework and detailed instructions for each RMF Step.

Main page with overview: CMS Risk Management Framework

Detailed instructions for each step in the RMF:

Why did we make this guide?

Everyone involved in security and privacy at CMS should understand the RMF and how it helps us manage risk for our information systems. But not everyone is an expert in the RMF steps and the technical application of them.

This series is excellent for System Security and Privacy Officers who are new or still developing their knowledge of how we do things at CMS. They can use the pages to follow the RMF steps and feel confident that they are meeting NIST and FISMA standards.

The overview page is great for Business Owners or others who want a quick refresher on the RMF and how it is used at CMS.

Questions?

For policy and guidance questions regarding the CMS Risk Management Framework, contact us:

Tell us what you think

At ISPG, we want to provide everyone at CMS with helpful information about security and privacy requirements. Please take a moment to let us know how we’re doing.

Give feedback about the CMS Risk Management Framework guides.

About the publisher:

The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.