This memo is rescinded as of January 3, 2022 with the publication of ARS 5.0 and its updates to the CMS POA&M standards, which align with the HHS POA&M standards.

The original memo is provided below for historical reference only.

Purpose

This Memorandum informs stakeholders of new standards implemented through the HHS Plan of Action and Milestones Standard v2.0, dated June 6, 2019. These updates supersede any published  timelines or risk categories identified within the following guidance documents:

• RMH Volume III Standard 6.2 Plan of Action and Milestones Process Guide, dated 2015
• RMH Chapter 14: Risk Assessment
• RMH Chapter 4: Security Assessment and Authorization

What’s changed

To align with the new HHS standards for Risk Categorization and Remediation Timelines, CMS has:

• Identified “Critical” as an additional Risk  Category
• Updated the CFACTS tool with the  “Critical” category to ensure proper reporting and management of risk
• Updated the CMS Audit/Assessment Tracking (CAAT) template with “Critical” as a selection for Impact and Likelihood

To ensure effective and timely remediation of critical and high vulnerabilities, CMS has modified  the remediation timelines for system weaknesses. After positive identification, all findings/weaknesses must be documented in a POA&M, reported to HHS, and remediated within the following timelines:
 

Within the POA&M documentation, the CAAT file will state when the period of weakness begins.

Any scan findings that are identified as “false positive” will be excluded from documenting a POA&M. If a finding originates from an external source and is not automatically tracked in a compliance tool – such as the Security Governance, Risk, and Compliance (SGRC) tool – the finding must be documented in the tool before creating a POA&M. False positive, according to NIST SP 800-115, is defined as “An alert that incorrectly indicates that a vulnerability is present.”

Additional guidance

A new calculation of the weakness risk level has been updated in CFACTS. The risk level matrix is  used to determine the overall weakness risk level of a weakness by looking at both the level of impact of the weakness, and likelihood that the weakness could be exploited. The Risk Level Matrix below identifies the new changes update.

In regards to opening Plan of Action & Milestones (POA&Ms), the CISO has directed  ISPG test teams to deliver CMS Assessment Audit Tracking (CAAT) files with every final testing report, for immediate upload into CFACTS. In regards to audit reports, a CAAT file will be uploaded based upon the draft report because it usually takes several months before a final report is received. This  change will help the agency respond faster, and secure our systems against an ever-changing threat landscape.

Next steps for ISSOs

In an effort to reduce our cyber exposure, the CISO is requesting ISSOs to take action on resolving  existing POA&Ms that were in the “Delayed” status prior to June 1, 2020. These specific findings need to be remediated by having one of the following done prior to September 30, 2020:

• Closed POA&M
• Placed in “Pending Verification” (MACs only)
• Have reasonable and approved milestones with schedules documented in CFACTS

The CISO will  be performing  a review of Delayed findings during the month of October, and will  schedule meetings with Business/System Owners that continue to post delayed POA&Ms.

Additional resources

• CMS POA&M Handbook
• HHS Plan of Action & Milestones (POA&M) Standard v2.0 (You can request a copy of this document from the CISO team by contacting them below.)

Contact

If you have questions about this guidance, contact the CISO Team. 

• Email: CISO@cms.hhs.gov 
• CMS Slack: #ispg-sec_privacy-policy

This memorandum does not supersede any requirements of government law, rule, or regulation.