Published: 8/5/2020
CISO Memo: Implementing the updated HHS POA&M standard
CISO Memorandum 20:01: CMS Implementation of the HHS Plan of Action and Milestones Standard v2.0, dated June 2019
This memo is rescinded as of January 3, 2022 with the publication of ARS 5.0 and its updates to the CMS POA&M standards, which align with the HHS POA&M standards.
The original memo is provided below for historical reference only.
Purpose
This Memorandum informs stakeholders of new standards implemented through the HHS Plan of Action and Milestones Standard v2.0, dated June 6, 2019. These updates supersede any published timelines or risk categories identified within the following guidance documents:
- RMH Volume III Standard 6.2 Plan of Action and Milestones Process Guide, dated 2015
- RMH Chapter 14: Risk Assessment
- RMH Chapter 4: Security Assessment and Authorization
What’s changed
To align with the new HHS standards for Risk Categorization and Remediation Timelines, CMS has:
- Identified “Critical” as an additional Risk Category
- Updated the CFACTS tool with the “Critical” category to ensure proper reporting and management of risk
- Updated the CMS Audit/Assessment Tracking (CAAT) template with “Critical” as a selection for Impact and Likelihood
To ensure effective and timely remediation of critical and high vulnerabilities, CMS has modified the remediation timelines for system weaknesses. After positive identification, all findings/weaknesses must be documented in a POA&M, reported to HHS, and remediated within the following timelines:
| Weakness risk level | Current | Updated |
|---|---|---|
| Critical | (new category) | 15 days |
| High | 90 days | 30 days |
| Moderate | 180 days | 90 days |
| Low | 365 days | 365 days |
Within the POA&M documentation, the CAAT file will state when the period of weakness begins.
Scan findings identified as “false positive” are excluded from POA&M documentation. A false positive, according to NIST SP 800-115, is “An alert that incorrectly indicates that a vulnerability is present.” If a finding originates from an external source and is not automatically tracked in a compliance tool – such as the Security Governance, Risk, and Compliance (SGRC) tool – the finding must be documented in the tool before a POA&M is created.
Additional guidance
CFACTS now uses a new calculation of the weakness risk level. The risk level matrix determines the overall risk level of a weakness from two factors: the level of impact of the weakness and the likelihood that the weakness could be exploited. The updated Risk Level Matrix is shown below.
| Likelihood (that a threat event will occur and result in adverse impact) | Impact: Low | Impact: Moderate | Impact: High | Impact: Critical |
|---|---|---|---|---|
| Critical | Low | Moderate | High | Critical |
| High | Low | Moderate | High | Critical |
| Moderate | Low | Moderate | Moderate | High |
| Low | Low | Low | Low | Moderate |
Regarding the opening of Plan of Action & Milestones (POA&Ms), the CISO has directed ISPG test teams to deliver CMS Assessment Audit Tracking (CAAT) files with every final testing report, for immediate upload into CFACTS. For audit reports, the CAAT file will be uploaded based on the draft report, because it usually takes several months before a final report is received. This change will help the agency respond faster and secure our systems against an ever-changing threat landscape.
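As an added worked example (not part of the memo, and not CFACTS or CAAT code), the script below applies the Risk Level Matrix and the updated remediation timelines to a few constructed CAAT-style findings: it derives each weakness's risk level, computes the remediation due date from the stated start of the period of weakness, flags entries past due, and leaves false positives out of the POA&M. The finding field names and the `overdue` flag are assumptions for illustration, not CFACTS fields.

```python
from datetime import date, timedelta

LEVELS = ("Low", "Moderate", "High", "Critical")
# Risk level matrix from the memo, indexed as RISK_MATRIX[likelihood][impact position]
RISK_MATRIX = {
    "Critical": ("Low", "Moderate", "High", "Critical"),
    "High":     ("Low", "Moderate", "High", "Critical"),
    "Moderate": ("Low", "Moderate", "Moderate", "High"),
    "Low":      ("Low", "Low", "Low", "Moderate"),
}
# Updated remediation timelines, in days from the start of the period of weakness
REMEDIATION_DAYS = {"Critical": 15, "High": 30, "Moderate": 90, "Low": 365}


def weakness_risk_level(likelihood: str, impact: str) -> str:
    """Look up the overall weakness risk level; reject values outside the matrix."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown likelihood/impact: {likelihood}/{impact}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def build_poam(findings: list, as_of: str) -> tuple:
    """Return (POA&M entries, ids excluded as false positives) as of an ISO date."""
    today = date.fromisoformat(as_of)
    entries, excluded = [], []
    for f in findings:
        if f.get("false_positive"):  # false positives get no POA&M
            excluded.append(f["id"])
            continue
        level = weakness_risk_level(f["likelihood"], f["impact"])
        start = date.fromisoformat(f["weakness_start"])  # date stated in the CAAT file
        due = start + timedelta(days=REMEDIATION_DAYS[level])
        entries.append({"id": f["id"], "risk_level": level,
                        "due": due.isoformat(), "overdue": today > due})
    return entries, excluded


# Constructed sample findings in a CAAT-like shape (illustrative, not CMS data)
SAMPLE_FINDINGS = [
    {"id": "F-1", "likelihood": "High", "impact": "Critical", "weakness_start": "2020-06-01"},
    {"id": "F-2", "likelihood": "Moderate", "impact": "High", "weakness_start": "2020-06-01"},
    {"id": "F-3", "likelihood": "Low", "impact": "Critical", "weakness_start": "2020-06-01"},
    {"id": "F-4", "likelihood": "High", "impact": "High", "weakness_start": "2020-06-01",
     "false_positive": True},
]

if __name__ == "__main__":
    poam, skipped = build_poam(SAMPLE_FINDINGS, "2020-07-01")
    for entry in poam:
        print(entry)
    print("excluded as false positive:", skipped)
```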
Next steps for ISSOs
In an effort to reduce our cyber exposure, the CISO is requesting that ISSOs resolve existing POA&Ms that were in the “Delayed” status prior to June 1, 2020. Each of these findings must be addressed by one of the following actions prior to September 30, 2020:
- Close the POA&M
- Place it in “Pending Verification” (MACs only)
- Document reasonable and approved milestones, with schedules, in CFACTS
The CISO will be performing a review of Delayed findings during the month of October, and will schedule meetings with Business/System Owners that continue to post delayed POA&Ms.
Additional resources
- CMS POA&M Handbook
- HHS Plan of Action & Milestones (POA&M) Standard v2.0 (You can request a copy of this document from the CISO team by contacting them below.)
Contact
If you have questions about this guidance, contact the CISO Team.
- Email: CISO@cms.hhs.gov
- CMS Slack: #ispg-sec_privacy-policy
This memorandum does not supersede any requirements of government law, rule, or regulation.
About the publisher:
The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.