The CMS Assessment and Audit Tracking (CAAT) spreadsheet is used to track system vulnerabilities following any assessment, audit, or penetration testing. The CAAT is entered into CFACTS and used to help ISSOs start preparing a Plan of Action and Milestones (POA&M) to remediate system weaknesses. 

To make this process more efficient, the CFACTS team has made enhancements to CAAT file generation in CFACTS. ISSOs should get familiar with these new capabilities. 

What to know 

• There is a new feature to generate CAAT in CFACTS from the Select & Implement tab.
• We have added CAAT and POA&M supporting guidance matrixes in the CAAT Supporting Guidance section in the POA&M. 

What will change 

• The CAAT template is now pre-populated with controls, elements, and system names.
• The new CAAT and POA&M supporting guidance matrixes contain:
  • CFACTS Likelihood and Impact
  • ISRA to CFACTS Likelihood and Impact
  • Risk Level Recommended Remediation Times  

What you need to do 

• Use the external CAAT template found on the CFACTS Artifacts page using this link.
• Follow the supporting guidance matrixes in the POA&M section.
• Watch this video to learn how to use the new CAAT file generation. You must first access the top-level folder for CFACTS videos and type the password: CFACTS2025

Who to contact 

Post any questions or comments on the #cfacts-community channel in CMS Slack, or request support by using the CFACTS support portal. 

More CFACTS resources 

• CFACTS How-To Videos - password: CFACTS2025
• Latest CFACTS updates on the ISPG CyberGeek blog