
Published: 4/24/2023

Transition from ARS 3.1 to 5.0: what you need to know

by ISPG Policy Team

Answering your common questions about the Acceptable Risk Safeguards (ARS) transition

As CMS has transitioned from ARS 3.1 to ARS 5.0, there have been many questions about the implications of the transition. What does it mean for your system? How does it impact your current controls? What steps are being taken at CMS to ensure compliance?

Throughout 2022 and 2023, the Policy Team offered ARS Office Hours for System/Business Owners, ISSOs, CRAs, and other CMS staff to answer questions and help them through the transition. The following Frequently Asked Questions were compiled by the Policy Team and represent real questions from your fellow CMS staff members. You can use these FAQs as a tool to help you find the answers you need. If your question isn’t listed or you have specific questions about your system, reach out via Slack at #ars-feedback or #ispg-sec_privacy-policy.

FAQs

Q: What are the different categories of controls such as the “Above Baseline,” “OCISO” and others, contained in ARS 5.0?

A: For the baselines, they are the low, moderate, high, and HVAs. The Above Baselines are the controls referred to as the non-mandatory controls in the previous versions of ARS. In future versions, the Above Baseline Controls will be referred to as the Supplemental Controls to include the entirety of the NIST Controls which do not apply to all systems. The Supplemental Controls are up for the system to decide.

The OCISO in the responsibility column is where the responsibility of control or part of the control lies. In ARS 3.1, they were the dash-one controls which were Hybrid Controls. Now they have been changed into a fully inherited OCISO Control. They are the policy-level controls written within the ISPG. The next level is the infrastructure/control, and finally, the system-level controls.

Q: What version of the ARS should people look at, the version posted on the Slack channel broken out into tabs with each family or the version on CyberGeek?

A: Both versions are valid.

Q: If there are two separate systems in production at the same time, do you maintain businesses, physical records on them separately, or just migrate together? Will Data Center and Cloud simultaneously enter into CFACTS or separately?

A: This will vary from system to system, depending on how critical it is. It would be easier to have two separate entries and know the data moved over so you can update the one as you progress.

Note: The Authorization Boundary determines what is in scope for a FISMA system boundary of assets that will be tested/assessed under an existing ATO authorized by the AO. So, to blend two different systems boundaries that can affect an existing ATO Boundary is not the approach that should be taken. If you have two (2) systems running in parallel that are under two (2) separate ATO boundaries, they will need to keep the records separate until one system is retired or removed from production. A new ATO is needed when there has been a major change.

Q: Once a new system is fully integrated over from the BDC to AWS because they're not running concurrently at the moment, and you are migrating from one environment to another, is that all you should be doing, and will those security controls change once that migration is fully integrated?

A: Once fully moved to AWS, you should be talking to AWS inherited from AWS. So, there should be zero (0) inherited from the BDC at that point.

Q: Is the ISPG trying to streamline the Hybrid controls to be fully inherited?

A: No. The controls in ARS 5.0 have only been broken down into elements, and then show where those elements lie and who is responsible for that element within the Control. This was done to help in communicating with the Compliance Team during the Test Cycles so that only the parts of the elements that you are responsible for are what will be tested. It will help in addressing the discussion of who is responsible for what if findings were made, and to make the remediation process easier.

Q: Are Project Management Controls fully inherited across the agency or are they system-specific in ARS 5.0 because there have been instances in CFACTS where these controls have been allocated to systems and this caused some confusion during the assessment phase?

A: They are now fully inherited. The entire PM Control family is inherited. And now, in ARS 5.0, the inheritance of controls is possible for services subscribed to from the CMS Cybersecurity Integration Center (CCIC), and not having to write separate implementation standards for those inherited controls.

Q: Do we have an agency-wide common control catalog that all CMS providers qualify for, which we can always reference?

A: As of right now, they are the OCISO inheritable controls in ARS 5.0. There are ongoing efforts to refine them and have a quarterly release for those minor updates. As ISPG works with different infrastructures or control providers, there will be an opportunity to appropriately update the line of the inheritance structures.

Q: Will there be a crosswalk reference for the ARS 5.0 because, during the ARS 3.1 changes, the one-page chart provided was very helpful?

A: The Moderate 5.0 spreadsheet loaded in the ARS-Feedback channel contains those changes as well as how ARS 3.1 moderate baseline with the non-mandatory controls maps to ARS 5.0 moderate baselines and their corresponding controls.

Q: Are we saying all sessions need to be terminated after 15 minutes now, regardless of whether it's a device or an application session?

A: No, there is no set time in that control. Session Termination is defined only by the applicable Security and Privacy Plan, so if you feel your session needs to go on much longer, that should be defined in your Security and Privacy Plan, there is no actual time limit on sessions. Therefore, the business owner defines the duration and the triggers in the applicable Security and Privacy Plans.

Q: Will the parameters for the Session Termination follow the system-specific goal or what the business considers appropriate instead of just an agency-wide blanket parameter?

A: It’s to the needs of the business and staying within the Maximum Risk Tolerance of CMS.

Q: Will the policy language reflect this flexibility to accommodate it?

A: Yes.

Q: Will there be a preamble for ARS 5.0?

A: Yes, that will be on the ISPG website once completed. A PDF version containing the preamble as well as HTML format will also be created.

Q: Is the new control family for Supply Chain Risk Management replacing the Risk Management control family?

A: No, it's a brand-new control family. The Risk Management control family still exists.

Q: In some of the controls like IA-04(04), the implementation standards mention CMS-defined characteristics. Where are the CMS-defined characteristics?

A: ISPG is working on updating as many of the implementation standards based on their priorities, as well as defining the assessment objectives, and what to be examined. This will be released quarterly and the implementation standards for AU, CM, CP, IA, and IR were updated in spring 2023. More details on the schedule of release for the remaining control families will be out soon.

Q: Since the updates will cover a wide range of all things that are needed to be done in the physical, policy-wise, implementation within CFACTS as well as its operationalization, what is the plan of action by CMS at this point?

A: The first set of updates was released in April 2022. There are ongoing efforts by the ISPG and the CFACTS team to get the controls implemented correctly. The CFACTS team is also working on providing the capability to get the bulk download spreadsheet for the new control sets as soon as it's deployed into the CFACTS environment. This will give the systems the ability to write out their implementation statements in that Bulk Upload form.

Q: Won't this time of full migration to ARS 5.0 coincide with the assessment period for most systems?

A: No because the first set of updates will be for the OCISO inheritable controls, as well as those for the control providers to ensure they're able to implement the controls correctly, and then update accordingly. There is an ongoing effort on the compliance side. The ISPG will also be working with the systems to ensure not to throw unreasonable tasks at them. There will also be proper communication, and there is work in progress on the assessment manual to guide what an assessor will be assessing a system against.

Q: Won't this full migration to ARS 5.0 create some confusion and create challenges most especially with the requirements of the two new control families?

A: You will have to work with your assessor to figure out what the controls will be assessed against. As stated earlier on, there will also be an assessment manual to serve as a guide. Also, the assessment team fully understands that you are in a transition, so there will be room for some negotiations, but effective communication will help alleviate the burden that could arise as a result of this. The ISPG is here to support in every capacity.

Q: The migration to ARS 3.1 created some issues because it coincided with the period when most systems were getting ready to submit for an ATO. Systems had to go through a special assessment to get all those controls tested before an ATO. Is that likely to happen during this migration to ARS 5.0?

A: No. This is because there is a lot more information through the automated tools from this transition as compared to the transition to ARS 3.1. Also, a reasonable number of the controls haven't changed at all. The focus, for now, is on the brand-new controls, part of the controls with new baselines as well as the withdrawn controls. The CSRAP team will be developing some methodologies for the assessment exercise. And adequate information will be communicated through the right channel.

Q: Is it accurate to assume that the ARS 5.0 controls will be updated in CFACTs as against manually going into each control to update the control implementation details for an ATO?

A: The implementation details for controls that migrate over will be there for you. However, it is always good to go in and review the controls as they're coming over.

Q: When did you start assessing systems using the ARS 5.0?

A: The cutoff date for the Control Providers was September 1, 2022, and they will not have any assessments against ARS 3.1, while all other systems won’t have any assessments against ARS 3.1 after April 1, 2023.

Q: The responsibilities of assets are mentioned in the implementation statements for AWS security controls, and we are not sure how the implementation is done on AWS. Hope this won't turn out to be some findings if we are not able to answer the details in a CT interview?

A: From a system standpoint, a system should not be getting findings based on an inherited control. All AWS findings will specifically be when they go through their CSRAP. However, if you're not sure how it's implemented, you might want to reach out to the cloud security team for additional information. You shouldn't be held accountable for the implementation details not being as specific in control that you're inheriting.

Q: The control review frequency for some of the controls is not specified. Is it because they are compensating controls and we pull those in at level order?

A: Yes, if it's a supplemental control as it's not part of the baseline, we try not to put all the constraints on it, and let the system decide. It also depends on the system, and how often it’s reviewed, but it’ll still be assessed every three years except for the situation of an OA.

Q: We had a Cybersecurity and Risk Assessment Program or Security Controls Assessment (CSRAP/SCA) completed in January 2023, which was completed with ARS 3.1 standards. Will we still be in compliance since most systems wouldn't be re-tested until January 2024?

A: Yes, there will be discussions and due diligence with the assessment schedule. There will be a series of engagements with the ISSOs to understand their status with the migration efforts. This will eventually create a reasonable level of coordination with the scheduling of the assessment and understanding the migration status.

Q: Will there be some level of risk with having to balance between testing against ARS 5.0 and the compliance around it versus having a system that is coming for an ATO renewal?

A: Yes, there will be some levels of risk when making changes to the way controls are implemented for each system, and making sure they meet the assessment timeframe. Being proactive in understanding what the schedule looks like, and knowing the status will be helpful. Also, timely communication with your CRAs or someone in the ISPG will be helpful. There will also be open forums to address any concerns and work through things as they unfold.

Q: As far as the baseline scope is concerned, how does the ARS 5.0 distinguish between CSP systems, that is, those controls that will be assessed against the service provider, the controls that apply to a system that is not hosted by any cloud service provider, and the controls that are owned by CMS but residing on a service provider? How are these controls descoped?

A: The filter option available in the Responsibility Column will help with the descoping, and as the ISPG continues to work with the control providers, more updates will be done on the controls.

Q: Do we have any CMS-specific resources at this point to learn more about ARS 5.0?

A: The ARS spreadsheet is out. The moderate baseline is also out on the ARS Slack channel. The ARS spreadsheet is now color-coded: the reddish-pink cells are for the new controls to the baseline, green cells are for those removed from the baseline, and the grey cells are for the withdrawn controls. With these features, it's also possible to filter by color.

Q: Are the baselines for the ARS 5.0 moderate spreadsheet available for now FedRAMP or FISMA baselines?

A: They are FISMA moderate baselines for CMS systems. The spreadsheet is also available in the ARS feedback Slack channel.

Q: Is the ARS 5.0 published in a way where all can access the link?

A: Yes, it is in the ARS feedback Slack channel where it is pinned to the top, and it will also be posted on the CFACTS homepage.

Q: How are we addressing the “Privacy” only Control Baselines in the latest version of the ARS?

A: They are now listed as “Moderate High” instead of just “Privacy.”

Q: Will the dash-1 controls be inherited?

A: Yes, all the dash-1 controls will be fully inherited in ARS 5.0.

Q: When were the OCISO controls ready for inheritance?

A: The CFACTS transition happened at the beginning of May 2022. The OCISO controls were ready June 1, 2022.

Q: When was IDM ready to transition into ARS 5.0?

A: By September 1, 2022.

Q: When can we submit comments for the ARS 5.0?

A: We had a public comment period in October 2021. Current comments and questions can be sent in via the ARS Slack channel, #ars-feedback.

Q: What is the name of the ARS Slack channel where questions and answers are posted?

A: #ars-feedback

Q: In regards to implementation details for new controls that are now required by ARS 5.0, are ISSOs required to write new implementation statements?

A: If the implementation details are not present, yes, the implementation details will have to be written. Whoever you inherit the control from will be responsible for writing the implementation details. After ARS 5.0 is fully integrated into CFACTS, you can tailor your CFACTS view by selecting the controls you want in your package. The supplemental controls will not be there, but the baselined controls will be present. You’ll have to deselect the baselined controls not applicable to your system.

Q: When was AWS ready for ARS 5.0?

A: By September 1, 2022.

Q: Is there a guideline for review of controls in ARS 5.0?

A: Yes, it’s in the Control review frequency and Assessment frequency columns in the ARS 5.0 document.

Q: Where are the Assessment columns in the ARS 5.0 spreadsheet?

A: Columns T and U.

Q: How does the assessment team use the review frequency in the assessment frequency column of the ARS 5.0?

A: The assessors will ask for evidence to verify the scope of the control/assessment.

Q: What kind of evidence is required by the assessment team to show the control was met?

A: Examples – audit logs, screenshots of meeting notes, screenshots of relevant meeting invites, your noted process(es), etc. The Assessment criteria columns within the ARS also state examples of what assessors look out for.

Q: For security control review performed by the assessment team, are we stating that controls are reviewed annually in addition to the annual audit or assessment?

A: Security control review is performed by the system, while the Assessment frequency is done by the assessor team. The team should be reviewing the controls based on the method described and then the assessment team will review the evidence.

Q: Where is the most updated copy of the ARS 5.0 located?

A: The most up-to-date version of the ARS can be found on CyberGeek.

Q: How can I gain access to the ARS-feedback channel in Slack?

A: It’s an open channel. You can search for it using the search space in Slack.

Q: Could you clarify “systems will be encouraged to move to ARS 5.0.” Will the move be dependent upon the system’s ISSO requesting the move by April 2023, or in April 2023 will CFACTS suddenly show ARS 5.0?

A: Systems will be able to work with the CFACTS team to pick a migration date. If they have not migrated by April 2023, they will automatically be transitioned.

Q: We have a GSS system, but we are the only ones inheriting from it. We also have several major applications. What timeline should we follow for ARS 5.0 implementation? I'd also like to point out that the last time we did an ARS change we were able to provide comments; when will comments from the community be due?

A: Timeline – By April 2023, your GSS and all other systems have to be fully migrated. Comments are accepted through the ARS Slack channel.

Q: Will there be a dashboard in CFACTS for ISSOs showing reminders of which controls need to be reviewed daily, weekly, monthly and quarterly?

A: This request has been placed on the action item list.

Q: In regards to AC-2(3), if an account is a moderate system, should it be disabled within 30 days or 60 days?

A: 30 days.

Q: What’s the meaning of an expired account?

A: Examples – an automatic account expiration, training incomplete so account is disabled, etc.

Q: Per ARS 5.0 PL-9, CFACTS is now the system of governance for managing and governance of IT Security for CMS IT systems. The ISSO needs to have a central dashboard where they can go to daily to monitor the review, maintenance, and governance of the CMS IT system. A subset of that would be having a dashboard for the control reviews. What other changes should the ISSO be looking out for per PL-9?

A: Yes, the dashboard will be addressed in collaboration with the CFACTS team. Regarding changes to PL-9, we tried to put a lot of the controls that come directly from ISPG as fully inherited. We’ll have more updates for the organization soon.

Q: When there is a new CISO memo that provides new guidance regarding a control, are assessors made aware of it, instead of just relying on ARS standards? A typical example is the CISO memo on 90-day account review.

A: We share it with our CSRAP assessors. Going forward, we’ll be updating the ARS quarterly.

Q: This may be more of a CFACTS question; however, currently there is a spreadsheet that can be used to import the private implementation wording. Is this/will this spreadsheet be updated to accommodate the ARS 5.0 controls?

A: The CFACTS team has made a YouTube video on how to export the private implementation details in all formats. For further information, contact the CFACTS team through their Slack channel, #cfacts_community.

Q: If you didn’t pull over the ARS 5.0 controls until after the April 2023 mandate, will the controls be pulled over automatically?

A: As time goes on, systems will be encouraged to move over to ARS 5.0. If the deadline isn’t adhered to, the new ARS 5.0 control set will be moved over and controls not implemented will be marked as “not satisfied.”

Q: Do we need to establish an SCRM team even when we don’t source for any hardware or deal with supply chain issues?

A: SR-02(01) will be provided by the ISPG (we will have our SCRM Team). Each system does not have to establish one, as it will be established at the enterprise level.

Q: Is each system's ISSO required to have Anti-Counterfeit Training, SR-11(01), even when they don't deal with sourcing?

A: Yes, because it's not only about the hardware, but a holistic approach to the supply chain from the software, hardware, and services standpoints. The training will be developed by ISPG (OCISO-inheritable) and incorporated into other required training. More information will come out through the appropriate channels.

Q: How do you interpret some controls for a moderate-impact level system that say “not selected” during the selection of controls?

A: Those “not selected” controls (previously referred to as the non-mandatory controls) will, in future iterations, be referred to as the supplemental controls. They are the additional controls available for selection, should there be a need for them.

Q: What are some of the methods CMS recommends to de-identify information in SI-19 for systems that use PII?

A: NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), provides the acceptable techniques for masking or de-identifying information.

Q: The ARS 5.0 has the controls and the control enhancements broken down into elements, with separately accounted for implementation standards. Will that also be reflected in CFACTS so that each of those private implementation standards could have its own page?

A: The control elements will be on the same page as the main control. There will be fields for each of the elements where you can copy and paste the required narratives into the applicable field. It will be helpful during the assessment exercise, and when assigning who is responsible for certain parts of each of these, like the hybrid controls.

Q: Will there be a PDF version of ARS 5.0?

A: Yes, an unpublished version can be requested.

Q: For AC-01, it says review and update access control policies at least every three years, but under the review frequency, it says annually. Is that a discrepancy?

A: We got the review frequencies from HHS, but we will make sure to align and update that accordingly in the next iteration.

Q: Does each system need to have a Supply Chain Risk Management Plan, SR-02?

A: No, it's an Enterprise level control (OCISO Inheritable) that will come from the ISPG.

Q: For SI-07, do the servers on AWS need to have mandatory bootup integrity checking?

A: Yes, AWS should have done that while going through FedRAMP, and that can be fully inherited.

Q: What is the link to the training module on how to export into Excel both private implementation details and shared implementation details from CFACTS?

A: https://www.youtube.com/watch?v=zIPnJNzCS-A – Video on How to Export Control Implementation Details for your Authorization Package in CFACTS.

Q: The spreadsheet with broken down controls is similar to the FedRAMP SSPP. Will CFACTS generate the SSPP differently for ARS 5.0, or will it look like the FedRAMP SSPP template, and is that why it's broken down that way?

A: Yes, that way, all the information will be there, and it will be nested under the main control, then have the elements listed below it.

Q: If a system's annual assessment was scheduled for January 2023 but it migrated to ARS 5.0 in April, is the system required to get another assessment by December or wait till the next assessment date in January 2024?

A: The system is required to get an assessment on the next annual assessment date.

Q: How will the quarterly updates be shown in the coming iterations?

A: ARS 5.01, ARS 5.02, ARS 5.03, ...

Q: Will there be a document that states what changes occurred in each update of the ARS 5.0?

A: There will be a changelog that lists the changes. These will be captured on the ARS page of CyberGeek.

Q: Will there be a redline version for each iteration?

A: No.

Q: Will CMS be providing authenticated proxy servers for web-based applications hosted in AWS?

A: That will be based on their capabilities versus what the control says. More inquiries can be made using the CMS Cloud Security Slack channel, #cms-cloud-security-forum.

Q: Will there be more anticipated agile practices within CMS with policy development in the future?

A: Yes, there will be quarterly reviews and updates on our policies and standards.

Q: Where is the link to access all the quarterly updates on ARS?

A: You can find this information on the ARS page of CyberGeek.

Q: Is the website security.cms.gov a public-facing one?

A: Yes, it is public-facing.

Q: How will the stakeholders know if there is a major change in ARS?

A: All major changes will be communicated using every forum and all known channels, and this will be done before the scheduled quarterly release dates.

Q: My question is in regards to the RA family, specifically 0301, which talks about the need to identify and add supply chain. Through the ISRA, can we add the supply chain risk assessment plan to the ISRA, or should it be separate, or maybe you can walk me through that control? And let me know what you're thinking for what we need to do as a GSS to meet the requirements for this one.

A: For RA 301, I'll say that we have not really thought through what that looks like. I know that it's in line with the other risk assessments that are asked of systems.

Q: Does CMS have enterprise-level supply chain risk management policies and corresponding procedures and processes? This is in reference to the ARS 5.0 control family Supply Chain Risk Management.

A: I will say yes, it will. Also, John Rudolph is the director of strategic information in ISPG DSI, and John's group has the charter for supply chain issues. I know that they are working on all the issues related to supply chain, and we've been working with them as far as any discussions with supply chain and ARS controls. So, I recommend reaching out to John's office for any further information as far as any official release of any publications that they have regarding supply chain.

Q: Then we should treat it as maybe like that, as a risk, like a number of grits in the ISRA?

A: Yes, yes.

Q: Can I ask about CMS Policies and Supply Chain policies?

A: Currently our policies are publicly available at https://security.cms.gov/. Supply chain policies will be added once they're approved. As Mike said, we're working with John Rudolph's team; one of the key things is the IS2P2 that is in review right now. Some of the roles and responsibilities as detailed in all the supply chain information are just being codified in that document, so we kind of need it to say, this is the person who's responsible for this, and then almost immediately, we will be able to get things processed and signed when it comes to the different supply chain documentation they have been working on for over two years now.

Q: Where can I find the CFACTS demos?

A: One of the other things that we've been given by the CISO is that, as we are making some of the major upgrades and major changes, we are doing small videos, you know, and video walkthroughs so that way people will be able to see it after the fact, as well.

Q: I have a quick question on the control AC 0213, disabling the high-risk accounts for 60 minutes. So, I just wanted to understand the high-risk accounts; can you tell me the details? If anyone can understand that, because how do you define the high-risk accounts? Is that any unauthorized account? Of course, it’s totally different, right, how we handle the situations. So, I'm trying to understand the definition of high-risk accounts.

A: So, if you look into the discussion, it talks about if the user poses a significant security and privacy risk. You know, this is going to be very system specific; you know, I may see a certain person as a security risk, you may see it differently. I mean, and then there are going to be some that are just completely enterprise wide, but you know, a high-risk individual could be somebody who has recently been terminated, or, you know, like potentially those individuals who have escalated privilege like system admin, total root-level accounts, that whole system kind of thing, so yeah.

Q: So, if those are the trainings you must accept if something new comes up for the whole team, do it as a mandatory training, and in that way we address those controls, how does is great? Because this anti-counterfeiting training is with the new control for supply chain management, and then, also the other one is the literacy training.

A: So, the literacy training and awareness, that's still going to be handled. You know, actually both trainings I believe are being handled at the enterprise level, so that's going to be coming from your CISO inheritable controls; so the literacy training and awareness is going to be part of that annual security training.

Q: On a previous call there was some discussion as to whether policies needed to be reviewed annually or every three years. What has been decided? When will this be codified in the upcoming ARS 5 update?

A: So, policies themselves, as far as the control review frequency, we do need to review them at least yearly and update every three years. But our review is just, you know, putting in there that we've reviewed it; you know, there's some kind of evidence, of course, but I mean we go through. For us, we review policies even more often than that, so any of like the -1 controls, you're already meeting that because that’s coming from us. The control review frequency and the assessment frequency for any of the other policies that may be system level or within the US, most of those were handed down directly from HHS.

Q: In regard to that, will you change the language in the control, then, to say review annually instead of three years?

A: Yes. So, we are changing the -1 controls, and it's not in the version that's online, but it is in our punch list for the next one, and I know I promised it this last time, but it really will be done this time around. It will say review yearly, update every three years if needed.

Q: When was ARS 5.0 required for CMS?

A: September 2023 for control providers, April 1st 2023 for all other systems.

Q: Control family RA 0511, can you explain what the public reporting channel is?

A: So, that happens at the OCISO level as well. The public reporting channel for vulnerability disclosure and the vulnerability disclosure policy is actually run through HHS. We leverage HHS’s Vulnerability Disclosure Program, and so what this is making sure of is that we have that public place for people to report vulnerabilities, and they work through ISPG out to any of the public-facing systems that may receive a report.

Q: We are reviewing SC-CMS-01 from ARS 3.1 and SC-08 from ARS 5.01. We are looking for assistance in understanding the password protection requirements for sending PII. To provide some context, we have standard FIPS 140-2 compliant encryption enabled for all emails. Do we still need to separately password protect PII attachments via Secure Zip? If so, do we have to change the Secure Zip attachment password on a regular basis?

A: To protect sensitive data, sending PHI through email using a combination of password controls along with encryption is industry best practice. Changing the password periodically is another control you can put in place based on the sensitivity of the information being sent.

Q: For control CP-02(03), Resume Missions and Business Functions, we would like to confirm the new Maximum Tolerable Downtime (MTD) timeframe requirement of 12 hours.

A: The requirement is for "essential" systems only, i.e., "Mission Essential Function (MEF)" systems, for example, and if your system's BIA is a delta from that MTD of 12 hours, i.e., specifically greater than 12 hours, the direction is to make the control "not applicable".

Q: We are in the process of reviewing the ARS 5.0 supplemental controls for the CFACTS migration. Do you have any resources that will help us in figuring out what supplemental controls we should allocate?

A: We don't have anything for now; it is really dependent on the Business Owners (BO), the mission, and what additional controls the ISSOs and System/Business Owner may choose to implement. That would be over and above the baseline, and remember, once you implement such controls they become part of the baseline for your system, and they would be in scope for any potential assessment and/or audit, while making sure they meet the supplemental standard prescribed.

Q: We recently reported 4 OCISO Inheritable controls that were either empty (no wording) or, in one case, said refer to control elements. Is there a date when this will be fixed? RA-2b, RA-2c, PS-2a, CA-2(1)a. Our team has 3 contracts and is waiting to finalize our SSPPs, and we don't know whether to inherit them or not.

A: We will reach out to the CFACTS team to make it visible. It is populated, but we're not sure it got ported over.

Q: Can you help us interpret CM-12 and CM-12(01), Information Location, with examples and possible tools that can be used to fulfill them?

A: I have seen a company use Device42 to scan the environment and to identify their information types and categorize them based on set parameters within their environment. So, you can look it up and see if that's something your team could utilize.

Q: Follow-up question for CM-12(1); it sounds like it says, use automated tools to identify information by information type on system components to ensure controls are in place to protect organizational information and individual privacy. So, can you explain what you mean by that? Like, what are we talking about, like data loss prevention tools to track PII leaving the system?

A: Yes. For example, the aforementioned tool (Device42) was also used to track PII and PHI within their environment, and then they would implement appropriate controls based on that. So, that's pretty much the basis for why they're using that tool: they want to know where sensitive data is being stored and what systems within their environment are processing that data, so that they are implementing appropriate controls on those databases and on those applications as per the information that is being processed or stored. Yes, it is a function of data loss prevention tools.

Q: So, CM-12 talks more about just documenting? 

A: Yes, like the components in the system and what data they process. More like knowing what you have and where it lives.

Q: So, if the information resides in a data center like BDC or AWS Cloud, will that infrastructure or data center be providing this automation tool, or will that be at the system level?

A: That would depend on the environment in which your system is hosted. It's dependent on and contextual to the system: whatever set of controls the hosting environment can provide to you. But from a system-specific perspective for your application, you still need to address the controls that are within your ownership, within your authorization boundary, that you can implement further. You know the information under your responsibility.
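As an added illustration of the CM-12 / CM-12(01) discussion above (example code written for this page; it is not from the office-hours answer and is not Device42's logic), the following builds a minimal information-location inventory: it scans each system component for information types and records where each type lives, which is what "knowing what you have and where it lives" amounts to in practice. The component names, their contents and the three detection patterns are constructed assumptions for the example; a real tool would validate matches (e.g. SSN area/group rules) and cover far more information types.

```python
import re

# Constructed sample "components": names and contents are made up for this
# example and do not come from any CMS system.
SAMPLE_COMPONENTS = {
    "enrollment-db/export.csv": "name,ssn,email\nJane Doe,123-45-6789,jane@example.com\n",
    "web-app/static/logo.svg": "<svg></svg>",
    "claims-api/logs/app.log": "2023-04-01 request from 10.0.0.5 user=bob@example.com\n",
    "reports/summary.txt": "Diagnosis: hypertension. Patient ID 0042.\n",
}

# Information-type detectors (assumed for the example). The regexes are
# deliberately simple; production tooling validates matches and uses many
# more patterns per information type.
INFO_TYPES = {
    "SSN": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "PHI_KEYWORD": re.compile(r"\b(diagnosis|patient|prescription)\b", re.I),
}


def classify(text):
    """Return the set of information types whose pattern matches `text`."""
    return {name for name, rx in INFO_TYPES.items() if rx.search(text)}


def build_inventory(components):
    """Map every component to the information types found in it.

    Components with no sensitive match are kept with an empty set, so the
    inventory documents all components (CM-12), not only the positives.
    """
    return {path: classify(content) for path, content in components.items()}


def components_holding(inventory, info_type):
    """List the components that hold a given information type, e.g. where SSNs live."""
    return sorted(path for path, types in inventory.items() if info_type in types)


def main():
    inventory = build_inventory(SAMPLE_COMPONENTS)
    for path in sorted(inventory):
        print(f"{path}: {sorted(inventory[path]) or 'none'}")
    print("SSN locations:", components_holding(inventory, "SSN"))


if __name__ == "__main__":
    main()
```

Running it prints the per-component inventory; the empty entries matter as much as the positives, because the control asks where each information type is and is not, and the per-type lookup is what you would hand to whoever scopes the extra controls on those components.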

Q: If we need help with controls implementation will it be best to ping on Slack or send out email to CISO@cms.hhs.gov?

A: I recommend both the CISO mailbox and Slack, but I would say Slack will be faster in terms of responding back to you, and the mailbox is better for tracking.

Q: Previously, I had asked about criticality analysis; this is documented in RA-09 and SA-15(03). I received a response from the policy team that for SA-15(03), the control requires the criticality analysis to be performed by the developer because of their knowledge of the design of the system and its components. RA-09 requires that a criticality analysis be conducted at certain points in the SDLC. The difference between the two controls is the requirement of developer input in the analysis for SA-15(03).

A: RA-09 is saying a criticality analysis should be performed at certain points within the SDLC. Well, SA-15(03) is saying that the developer needs to be involved in that analysis. So, that's the difference between the two controls.

We would look into this further, but here are some useful guidance options for this issue: 

NIST for open source software

CMS Technical Reference Architecture (TRA)

CMS TRA Open Source Software Guidance 

CMS TRA Open Source Business Rules 

Q: When we say developers, are we talking about developers of, like, the components that we use? So, for example, a lot of systems use Apache and Tomcat; are we talking about those constituent components that make up a system? Or are we talking about the developer like we are, the in-house developer of an application for CMS? Do we know the scope of this control, because it is not very clear?

A: The Application Development Organization (ADO) should be going through the SDLC process and having their different checkpoints. It's not the actual person on the keyboard; to me, I interpret it as if it's the developer.

Q: Can you define what you mean by developers? Do you mean the ADO, like the contractor would be considered the developer?

A: Yes, the ADO. The developer of the system, system component or system service is to perform a criticality analysis, because as you go up that ladder of who owns the product or the service, that's the person you need to go to to get the information.

Q: For a control in CFACTS that shows responsibility as OCISO, but the inheritance lookup does not have OCISO as an option, what should we do? 

A: The CFACTS team responded that they should reach out to the ISSOs of the control provider to mark them as inheritable, so that they can select them for inheritance going forward, because they're the owner of the control, and they have to set that up appropriately and provide shared information details if necessary.

Q: For control IA-08(04), can you provide additional clarification on what is meant by "NIST-issued profiles" for identity management? Is this something that is handled by the identification/authentication control providers such as IDM or EUA?

A: DHS Science & Technology's Identity, Credential, and Access Management (ICAM) is a framework of policies built into an organization’s information technology infrastructure that allows system owners to have assurance that the right person is accessing the right information at the right time for the right reason. ICAM is adaptable to first responder needs at all levels of government. It enables first responders to focus on their essential mission functions by bringing security, scalability and interoperability through embedded policies within their systems.

Also, see NIST SP 800-63 Rev. 3.

Q: I noticed for IA-08(4) that the control used to reference FICAM-issued profiles, and I'm not finding many clear details on what NIST-issued profiles are. So, I wasn't sure if this is something that we are just inheriting from our authentication services, or if this is something we have to be concerned about at the ADO level.

A: Yes, if you are inheriting your IDM, then you will inherit the profiles the IDM and system will provide. IDManagement.gov is a collaboration between the Federal CIO Council and GSA to develop and share leading practices in protecting federal IT systems.

Q: For SC-18, can you confirm what is meant by mobile code? The CMS discussion states that mobile code includes any program, application, or content that can be transmitted across a network (e.g., embedded in an email, document, or website) and executed on a remote system.

A: Mobile code technologies include Java applets, JavaScript, HTML5, WebGL, and VBScript.

Review NIST SP 800-28 Guidelines on Active Content and Mobile Code.

We always refer back to the NIST glossary and use those definitions: software programs or parts of programs obtained from remote information systems, transmitted across a network, and executed on a local information system without explicit installation or execution by the recipient. Note: Some examples of software technologies that provide the mechanisms for the production and use of mobile code include Java, JavaScript, ActiveX, VBScript, etc. CISA offers guidance on securing the software supply chain.

Additional open source software resources: 

NIST for open source software

CMS Technical Reference Architecture (TRA)

CMS TRA Open Source Software Guidance 

CMS TRA Open Source Business Rules

About the publisher:

The ISPG Policy Team manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.