GTL Stakeholder field

In the stakeholder section, you can now add the government task lead (GTL) stakeholder to the authorization package.  The GTL will need the CFACTS_USER_PRD job code added in EUA before they can be added to the field in CFACTS. 

Deleting ISRAs

Previously, users could not delete duplicate or incorrect ISRA records from the authorization package and would need to create a support request ticket to have the CFACTS team delete the ISRA record. We’ve given users the ability to now go in and delete ISRA records. 

Notification emails addressed to primary ISSO

Instead of addressing emails to the ISSO on the authorization package, the notification emails are now addressed to the primary ISSO. 

ACT to CSRAP

The Adaptive Capabilities Testing (ACT) is no longer being used, instead CMS is performing testing via the Cybersecurity and Risk Assessment Program (CSRAP). This change has been made in CFACTS and reflected in the CAAT template.

Boundary diagram instructions

The boundary diagram must be copied/pasted to a word document before it can be uploaded into CFACTS. The boundary diagram instructions in the boundary section have been updated to be clearer and stand out more to the user. Additionally, we’ve added a checkbox for ISSO to confirm they have uploaded a Word document for the boundary diagram in the Authorization Package Documentation application.

Work request changes

The CFACTS application is always changing and while we welcome suggestions for improvements to the application, occasionally we receive work requests for enhancements that don’t have clear rationale or only affect one or two users. 

To remedy this, the CFACTS team has added two changes. First, we’ve added a Justification field if the work request is an enhancement. We want to know how this new enhancement will be a benefit. Here’s a few questions to get you started.

• Which stakeholders would be affected?
• What are the benefits?
• Which process is this supporting?
• What other teams are involved?

Second, after submitting the work request and the request being accepted into our body of work, the user submitting the work request will be responsible for UAT and given two weeks to test. They will receive a notification for UAT when the work request is changed to User Acceptance Testing in the Development Status field. 

Have questions?

Reach out to us on the CFACTS_Community slack channel or make an inquiry through the CFACTS Portal here. You can still email the CISO if you have questions about Policy or CAAT templates at CISO@cms.hhs.gov