Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Published: 5/1/2024

Avoid database breaches with ISPG’s free vulnerability scanning service

by CSRAP Team

Before your next CSRAP assessment, scan your databases using Trustwave DbProtect Vulnerability Management (VM) — offered by ISPG for free!

Why is database scanning important?

CMS databases and large data stores are a prime target for attackers because of the volume of sensitive information stored on CMS systems. That includes personally identifiable information (PII), protected health information (PHI), provider and beneficiary information, and intellectual property. 

Scanning databases and large data stores helps protect the databases and mitigate risks, enhancing the overall security profile of CMS systems. This is part of the process known as Vulnerability Management (VM).

Why use DbProtect?

ISPG provides Trustwave DbProtect (external link) for use throughout CMS. Licenses for the DbProtect Vulnerability Management module are available to CMS Business Owners at no charge.

The DbProtect Vulnerability Management module helps prevent database breaches and accidental data leakage by routinely scanning databases and large data stores. It will uncover configuration errors, access control errors, and unauthorized or unusual privileged user behavior.

Trustwave DbProtect is:

  • Compatible with both on-premises and cloud-based databases

  • Free for all systems at CMS

  • Easy to request through ServiceNow or SIGNAL

When do I use DbProtect?

At CMS, the Cybersecurity Risk Assessment Program (CSRAP) strongly encourages database scanning as part of their onboarding process. Scan reports created by DbProtect can be used as a risk information source during your CSRAP assessment.

DbProtect is available even if you’re not preparing for a CSRAP assessment. Any time you’re adding a database or large data store to the system, you can use DbProtect to do it as securely as possible.

How do I get started?

To request a DbProtect scan of a database or large data store, complete the ServiceNow workflow (link requires a CMS login). It will ask you for information about the database, and the scan will be scheduled from there.

In order to access the workflow in ServiceNow and request a scan, you will need the following CMS job codes:



This workflow is also accessible on SIGNAL as a TO-01 artifact in support of a CSRAP assessment.


Questions about DbProtect or database scanning? Contact the CMS Vulnerability Assessment Team at

This post is contributed by the DbProtect team to encourage database scanning by CMS system teams and promote risk-based decision making throughout the enterprise.

About the publisher:

The CMS Cybersecurity and Risk Assessment Program (CSRAP) is a proactive, risk-based alternative to the traditional Security Controls Assessment. The CSRAP team can help you determine a customized plan for the type of assessment(s) your system needs and expedite your path to ATO.