Published: 9/5/2024
CFACTS Update: Sept 2024 Enhancements
Learn about the new GTL stakeholder field, added ability to delete ISRAs, added boundary diagram instructions, ACT to CSRAP, and changes to work requests.
GTL Stakeholder field
In the stakeholder section, you can now add the government task lead (GTL) stakeholder to the authorization package. The GTL will need the CFACTS_USER_PRD job code added in EUA before they can be added to the field in CFACTS.
Deleting ISRAs
Previously, users could not delete duplicate or incorrect ISRA records from the authorization package and would need to create a support request ticket to have the CFACTS team delete the ISRA record. We’ve given users the ability to now go in and delete ISRA records.
Notification emails addressed to primary ISSO
Instead of addressing emails to the ISSO on the authorization package, the notification emails are now addressed to the primary ISSO.
ACT to CSRAP
The Adaptive Capabilities Testing (ACT) is no longer being used, instead CMS is performing testing via the Cybersecurity and Risk Assessment Program (CSRAP). This change has been made in CFACTS and reflected in the CAAT template.
Boundary diagram instructions
The boundary diagram must be copied/pasted to a word document before it can be uploaded into CFACTS. The boundary diagram instructions in the boundary section have been updated to be clearer and stand out more to the user. Additionally, we’ve added a checkbox for ISSO to confirm they have uploaded a Word document for the boundary diagram in the Authorization Package Documentation application.
Work request changes
The CFACTS application is always changing and while we welcome suggestions for improvements to the application, occasionally we receive work requests for enhancements that don’t have clear rationale or only affect one or two users.
To remedy this, the CFACTS team has added two changes. First, we’ve added a Justification field if the work request is an enhancement. We want to know how this new enhancement will be a benefit. Here’s a few questions to get you started.
- Which stakeholders would be affected?
- What are the benefits?
- Which process is this supporting?
- What other teams are involved?
Second, after submitting the work request and the request being accepted into our body of work, the user submitting the work request will be responsible for UAT and given two weeks to test. They will receive a notification for UAT when the work request is changed to User Acceptance Testing in the Development Status field.
Have questions?
Reach out to us on the CFACTS_Community slack channel or make an inquiry through the CFACTS Portal here. You can still email the CISO if you have questions about Policy or CAAT templates at CISO@cms.hhs.gov
About the publisher:
The CMS FISMA Continuous Tracking System (CFACTS) is the database used to track system security and support the system authorization process. The CFACTS Team works on improvements to the platform and helps people use it effectively.