Skip to main content

Published: 3/6/2024

CFACTS Update: New features for generating CAAT files in CFACTS

by CFACTS

Find out what’s new and watch the video demo.

The CMS Assessment and Audit Tracking (CAAT) spreadsheet is used to track system vulnerabilities following any assessment, audit, or penetration testing. The CAAT is entered into CFACTS and used to help ISSOs start preparing a Plan of Action and Milestones (POA&M) to remediate system weaknesses. 

To make this process more efficient, the CFACTS team has made enhancements to CAAT file generation in CFACTS. ISSOs should get familiar with these new capabilities. 

What to know 

  • There is a new feature to generate CAAT in CFACTS from the Controls tab. 
  • We have added CAAT and POA&M supporting guidance matrixes in the CAAT Supporting Guidance section in the POA&M. 

What will change 

  • The CAAT template is now pre-populated with controls, elements, and system names. 
  • The new CAAT and POA&M supporting guidance matrixes contain:  
    • CFACTS Likelihood and Impact  
    • ISRA to CFACTS Likelihood and Impact  
    • Risk Level Recommended Remediation Times  

What you need to do 

  • Use the external CAAT template found on the CFACTS Artifacts page using this link.  
  • Follow the supporting guidance matrixes in the POA&M section.
  • Watch the video below to learn how to use the new CAAT file generation.

Who to contact 

Post any questions or comments on the #cfacts-community channel in CMS Slack, or request support by using the CFACTS support portal

More CFACTS resources 

About the publisher:

The CMS FISMA Continuous Tracking System (CFACTS) is the database used to track system security and support the system authorization process. The CFACTS Team works on improvements to the platform and helps people use it effectively.