Published: 3/25/2024

Embracing Change: Transitioning from ACT to CSRAP in 2024

by CSRAP Team

Effective March 1st, 2024, the Adaptive Capabilities Testing (ACT) Program, part of ISPG at CMS, is now the Cybersecurity and Risk Assessment Program (CSRAP).

The future of ACT (now CSRAP)

As we stand on the threshold of 2024, it's imperative to reflect on the accomplishments of the past year and anticipate the evolution of our cybersecurity efforts. The year 2023 was monumental for the Adaptive Capabilities Testing (ACT) Program at the Centers for Medicare & Medicaid Services (CMS), marked by significant achievements, including the successful implementation of Information Security Acceptable Risk Safeguards (ARS) 5.0, the introduction of new templates for assessment-related artifacts, and the completion of numerous security and risk assessments.

Why the name change?

Looking ahead, a transformative change awaits as the ACT program transitions to the Cybersecurity and Risk Assessment Program (CSRAP), effective March 1, 2024. This evolution signifies more than just a change of name; it embodies a strategic shift towards a partnership-based methodology. The rationale for this transition is grounded in aligning with the Information Security and Privacy Group's (ISPG) strategies and embracing risk-based program management as a strategic goal.

CSRAP: Your partner in Security and Risk Assessment

The inception of CSRAP heralds a holistic approach to assessing risk, placing emphasis on enabling our partners to make informed, data-driven, risk-based decisions. By leveraging analytics, the aim is to optimize performance, streamline processes, and mitigate risk, all while navigating the increasingly complex cyber threat landscape. This transition underscores the commitment to establishing a more adaptable and robust assessment program capable of confronting the security challenges of tomorrow.

This blog post aims to inform and engage CMS partners and stakeholders about the significant changes in the cybersecurity and risk assessment landscape. It underscores the importance of adaptability, partnership, and strategic foresight in ensuring the security and resilience of healthcare information systems. As we step into a new era with CSRAP, we remain committed to excellence, innovation, and the collective mission of safeguarding our digital ecosystem.

Get in touch

Contact us at CSRAP@cms.hhs.gov 

Schedule your Security and Risk Assessment

About the publisher:

The CMS Cybersecurity and Risk Assessment Program (CSRAP) is a proactive, risk-based alternative to the traditional Security Controls Assessment. The CSRAP team can help you determine a customized plan for the type of assessment(s) your system needs and expedite your path to ATO.