CRM Strengthening Operational Excellence and CMS Security Posture Through Targeted Automation

The Cyber Risk Management Program Management Office (CRM PMO) and the Reporting & Data Integration (RDI) teams continue to advance operational efficiency and governance by strategically leveraging Microsoft automation capabilities—particularly Power Automate—within the CMS environment. Recent automation initiatives, including the Monthly Cyber Risk Report (CRR) Distribution Automation and the Automated Generation of CRM PMO Mailing and Distribution Lists, have delivered measurable improvements in accuracy, compliance, and process reliability.

Use Case 1: RDI – Monthly CRR Distribution Automation

Historically, the manual distribution of the Cyber Risk Report (CRR) required approximately 90 minutes per cycle and introduced operational risks, including limited insight into data quality and dependencies across ISPG, DIR, and CRM. To address these challenges, RDI deployed an automated CRR distribution workflow using Power Automate, ensuring consistent, timely dissemination to internal stakeholders. This workflow also provides a scalable framework to support future CRR enhancements planned for FY26.

Demonstrated Improvements

• Processing time reduced from roughly 90 minutes to under 5 minutes per distribution cycle.
• Improved accuracy and transparency of reporting metrics through automated validation steps.
• Enhanced stakeholder engagement is enabled by more timely, predictable communications.
• Increased operational velocity through the removal of repetitive manual tasks.
• Cost optimization achieved by redirecting contractor resources to high-value workstreams.

Use Case 2: CRM PMO – Automated Mailing/Distribution List Governance

In parallel, the CRM PMO implemented automation to reinforce email governance and ensure compliance with HHS and CMS email-sharing policies.

Automated Identification of Undeliverable and Invalid Contractor Email Addresses

Using Power Automate, CRM PMO created a workflow that scans bounce‑back messages stored in the “Undeliverable Emails” mailbox subfolder and compiles a dynamic list of invalid contractor email addresses. This prevents continued distribution to inactive or incorrect email accounts and reduces compliance risk.

Automation of the CFACTS Dashboard User Distribution Report

The CRM PMO also automated the process for generating the CFACTS Dashboard User Distribution Report—historically a manual task conducted every 5–6 weeks. The new workflow:

• Activates automatically upon receipt of the updated CFACTS User Distribution List,
• Saves source files directly to SharePoint, and
• Extracts active and inactive external accounts for streamlined EUA distribution reporting.

This automation minimizes manual coordination, increases data reliability, and ensures that distribution lists include only authorized and validated recipients.

Looking Ahead

CRM PMO and RDI’s automation initiatives demonstrate how structured, well-designed workflows can:

• Improve data integrity across reporting pipelines,
• Strengthen compliance with HHS and CMS email distribution policies,
• Reduce manual workload for CMS and contractor staff,
• Increase transparency and consistency in stakeholder communications, and

• Establish a scalable automation foundation for future fiscal years.

   

These efforts directly support CMS’s mission by enhancing operational resilience and improving the organization’s overall security posture, consistent with the continuous improvement strategy outlined in CRM PMO documentation and demonstrations.