
Published: 6/11/2025

CFACTS Update: New features to streamline ATO workflows

by CFACTS

Learn about new features in CFACTS that make ATO workflows easier, including an ATO Document Progress View and ATO Conditions.

What’s new?

CMS uses CFACTS to track governance, risk, and compliance for all FISMA systems. We have added new features to make the ATO process easier to manage in CFACTS.

Improvements include:

  • ATO Document Progress View
  • ATO Conditions
  • Streamlined approval steps

ATO Document Progress View

The ATO Document Progress View allows you to see which of your ATO documents are completed and which are still needed. We’ve made this easier to find by putting it within the ATO Request record. 

From within the ATO Request record you can find it under the ATO Document Progress tab.

You can also find the Progress View within the ATO package: Step 5: Authorize > ATO Requests > ATO Document Progress View

ATO Conditions 

ATO Conditions allow you to see if there are any conditions that need to be met before your ATO can be approved. For example, there may be weaknesses in your system’s security posture that need to be addressed in order to mitigate risk. In that case, your CRA can collaborate with the Division of Security and Privacy Compliance (DSPC) to add appropriate Conditions in CFACTS for you to address.

Sometimes, Conditions can be used in lieu of POA&Ms, which reduces the burden of working through the POA&M process while still providing a way to identify and mitigate risks. Sometimes there will still be a need for a POA&M, but having Conditions helps reduce the overall number of POA&Ms needed.

ATO Conditions have the following statuses:

  • No Conditions: The CRA has not placed any conditions on the ATO request. 
  • Conditions in Place: The CRA has created conditions for the ISSO to review and remediate. This status indicates the Conditions have not yet been met.
  • Conditions Met: The CRA approves the remediation. This status indicates that all conditions have been met.

Where to find it

There are two ways to see ATO Conditions:

  • Step 5: Authorize > ATO Requests > ATO Conditions
  • Under the Executive Summary subtab within the ATO Request

Workflow for ATO Conditions

  • When the CRA receives the ATO request, they can add Conditions to be met.
  • The CRA or DSPC fills out the condition description and sets a due date. They update the status to Conditions in Place.
  • The ISSO is notified of the Condition via an email that is automatically generated by CFACTS.
  • The ISSO reviews and remediates the Condition, then fills out information about how the Condition was remediated (they do this in the Condition section).
  • The ISSO submits the Condition to the CRA for final review and resolution (when they submit, a notification goes to the CRA).
  • The CRA resolves the condition by setting the status to Conditions Met. The CRA has the ability to edit the resolution information submitted by the ISSO.

Things to know about Conditions

Due date reminders
Conditions have due dates attached in order to keep the ATO process moving. Due dates are set by the CRA or DSPC. When a Condition is approaching its due date, a 30-day reminder is sent to the ISSO via an automated email from CFACTS.

Multiple Conditions
If there are multiple Conditions required for an ATO Package, the CRA should enter each as a separate Condition for clear tracking of multiple issues (and because each may have a different due date). 

Overdue Conditions
The CFACTS dashboards are being updated to show past due Conditions. This functionality should be available soon.

Condition extensions
Conditions requiring extensions will be reviewed on a case-by-case basis by the CRA in collaboration with DSPC. DSPC can provide an extension or cancel a Condition if needed.

Questions or problems with Conditions
If you have a question or an issue regarding Conditions, reach out to your CRA.

Streamlined ATO approval steps 

The approval steps within the ATO Request have been updated to streamline the workflow. (ATO Requests that were started prior to May 27, 2025 will be completed using the old workflow.) The ATO approval steps are now simplified for these stakeholders:

  • Information System Security Officer (ISSO)
  • System Developer / Maintainer (SDM)
  • Cyber Risk Advisor (CRA)
  • Division of Security and Privacy Compliance (DSPC)
  • Division of Security, Privacy Policy and Oversight (DSPPO)
  • Business Owner (BO)
  • CMS Chief Information Security Officer (CISO)
  • CMS Chief Information Officer (CIO)

Comparison of prior steps and new steps

Prior steps (in order)

  • Pending ISSO Request Approval
  • Pending SDM Review
  • Pending BO Request Approval
  • Pending ATO Review
  • Pending CRA Recommendation
  • Pending CRA Peer Review
  • Pending ISSO Approval
  • Pending BO Recommendation Approval
  • Pending DSPPO Approval
  • Pending DSPC Approval
  • Pending CISO Approval
  • Pending CIO Approval
  • Pending CIO Signature
  • Approved

New steps (in order)

  • Pending ISSO Request Approval
  • Pending CRA Recommendation
  • Pending CRA Peer Review
  • Pending DSPC Approval
  • Pending ISSO Approval
  • Pending BO Recommendation Approval
  • Pending DSPPO Approval
  • Pending CISO Approval
  • Pending CIO Approval
  • Pending CIO Signature
  • Approved

What’s changed

Here’s what is different about the new workflow:

  • We have eliminated 3 steps near the beginning of the approval process: SDM Review, BO Request Approval, and Pending ATO Review.
  • Instead, a notification will be sent to the SDM and the BO once the ATO package is submitted to the CRA.
  • After CRA approval, the ATO package will go to DSPC, then to the ISSO and BO.

Things to know about the approval workflow

Rejections

Rejections can be made at each step back to the prior step. In the case of CIO, CISO, and DSPPO, the rejections can be sent to any completed step from CRA Recommendation to the end.

Reminders
There are reminder notifications to the responsible party if an ATO Request has sat in a queue too long. At each workflow step, a Due Date is set and the notification goes out on that Due Date.

About the publisher:

The CMS FISMA Continuous Tracking System (CFACTS) is the database used to track system security and support the system authorization process. The CFACTS Team works on improvements to the platform and helps people use it effectively.