CFACTS Update: New features for generating CAAT files in CFACTS
Published: 3/6/2024
CMS Assessment and Audit Tracking (CAAT) generation is now easier and faster in CFACTS
The CMS Assessment and Audit Tracking (CAAT) spreadsheet is used to track system vulnerabilities following any assessment, audit, or penetration testing. The CAAT is entered into CFACTS and used to help ISSOs start preparing a Plan of Action and Milestones (POA&M) to remediate system weaknesses.
To make this process more efficient, the CFACTS team has made enhancements to CAAT file generation in CFACTS. ISSOs should get familiar with these new capabilities.
What to know
- There is a new feature to generate CAAT in CFACTS from the Select & Implement tab.
- We have added CAAT and POA&M supporting guidance matrixes in the CAAT Supporting Guidance section in the POA&M.
What will change
- The CAAT template is now pre-populated with controls, elements, and system names.
- The new CAAT and POA&M supporting guidance matrixes contain:
  - CFACTS Likelihood and Impact
  - ISRA to CFACTS Likelihood and Impact
  - Risk Level Recommended Remediation Times
What you need to do
- Use the external CAAT template found on the CFACTS Artifacts page using this link.
- Follow the supporting guidance matrixes in the POA&M section.
- Watch this video to learn how to use the new CAAT file generation. You must first access the top-level folder for CFACTS videos and type the password: CFACTS2025
Who to contact
Post any questions or comments on the #cfacts-community channel in CMS Slack, or request support by using the CFACTS support portal.
More CFACTS resources
- CFACTS How-To Videos - password: CFACTS2025
- Latest CFACTS updates on the ISPG CyberGeek blog
About the publisher:
The CMS FISMA Continuous Tracking System (CFACTS) is the database used to track system security and support the system authorization process. The CFACTS Team works on improvements to the platform and helps people use it effectively.