This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.

New user interface that reflects the risk management framework process

CFACTS Authorization Package is getting a facelift and will look different than the application you use today. The GRC (Governance, Risk, and Compliance) team has partnered with CFACTS to introduce new changes that will greatly benefit new users using the platform for the first time or existing users working through the application. 

These changes are part of an initiative to better reflect the risk management framework process within the application. Learn more about the new tabs coming to Authorization Package in CFACTS.

Step 0 – Prepare

According to the NIST Risk Management Framework, the prepare step purpose is to “Carry out essential activities to help prepare all levels of the organization to manage its security and privacy risks using the RMF” [1]

In CFACTS this is a new tab that will contain all the relevant information for 

• Stakeholders
• Authorization Boundary and Asset Identification
• Requirements
• Authoritative Sources
• And more

Step 1 – Categorize

The categorize step purpose is to “Inform organizational risk management processes and tasks by determining the adverse impact with respect to the loss of confidentiality, integrity, and availability of systems and the information processed, stored, and transmitted by those systems.” [2]

In CFACTS, this tab contains sections for

• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Digital Identity Details
• SORNs
• Contingency Plan Details
• Incident Response Plan Details
• Privacy Threshold Analysis (PTA)
• Privacy Impact Analysis (PIA)
• Computer Matching Agreement
• SIA Documentation
• E-CAP
• High Value Assets (HVA)
• M-21-31 Logging
• And more

Step 2, 3 – Select and Implement

The Select purpose is to “Select, tailor, and document the controls necessary to protect the system and organization commensurate with risk.” [3] And for implementation, it’s purpose is to “Implement the controls in the security and privacy plans for the system and organization” [4]

In CFACTS, these two functions are combined into one tab: Step 2, 3 – Select and Implement. It contains

• Control Action
• Ability to select which FedRAMP Controls & Elements to inherit
• Ability to Inherit FedRAMP Controls
• It has a Count of Controls section, which details ARS 5.1 Controls, Baseline Control Elements, and more
• And reporting capabilities

Step 4 – Assess

The Assess step is to “Determine if the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.” [5]

In CFACTS, the Step 4 – Assess tab contains 

• POA&Ms
• Assessments and Assessment History
• The Authorization Package Documentation report

Step 5 – Authorize

The Authorize step purpose is to “Provide accountability by requiring a senior official to determine if the security and privacy risk based on the operation of a system or the use of common controls, is acceptable.” [6]

In CFACTS, the Step 5 – Authorize tab contains

• System Security and Privacy Plan (SSPP)
• Security Assessment Report (SAR)
• Authorization Decision
• Ongoing Authorization Details
• And more

Step 6 – Monitor

The Monitor step purpose is to “Maintain ongoing situational awareness about the security and privacy posture of the system and organization to support risk management decisions.” [7]

In CFACTS, you can find information like

• CDM Visibility
• Last VULN Scan Date
• Hardware Data Center(s)
• Hardware Host Status

Have questions?

Reach out to us on the CFACTS_Community slack channel or make an inquiry through the CFACTS Portal.

Additionally, we will be demoing changes as we move along the development process via our weekly meetings. Please reach out to Juan Corral (juan.corral@cms.hhs.gov) if you do not have an invite. We meet weekly on Fridays at 10:00AM EST to discuss current initiatives in CFACTS, hold demonstrations of upcoming enhancements, and have an open forum for any questions for the CFACTS team.

References

[1] https://csrc.nist.gov/Projects/risk-management/about-rmf/prepare-step

[2] https://csrc.nist.gov/Projects/risk-management/about-rmf/categorize-step

[3] https://csrc.nist.gov/Projects/risk-management/about-rmf/select-step

[4] https://csrc.nist.gov/Projects/risk-management/about-rmf/implement-step

[5] https://csrc.nist.gov/Projects/risk-management/about-rmf/assess-step

[6] https://csrc.nist.gov/Projects/risk-management/about-rmf/authorize-step

[7] https://csrc.nist.gov/Projects/risk-management/about-rmf/monitor-step