Cyber Risk Advisor (CRA)
Overview
Cyber Risk Advisors are involved in almost every security and privacy requirement for Authorization to Operate (ATO) at CMS. As the subject matter experts on risk management and FISMA compliance, they advise Information System Security Officers (ISSOs) on key elements of the system authorization process.
Look in CFACTS to find out who your CRA is for a particular system. Refer to the CMS IS2P2 to learn more about the CRA's role in supporting security compliance activities.
All resources in Cyber Risk Advisor (CRA)
General Information
- Authorization to Operate (ATO)
- Breach Response
- CMS CyberWorks
- CMS Information Exchange Agreement (IEA)
- CMS Information Security Advisory Board (CISAB)
- CMS Information System Risk Assessment (ISRA)
- CMS ISSO Journal
- CMS Risk Management Framework (RMF)
- CMS Security and Privacy Handbooks
- Email Encryption Requirements at CMS
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Ongoing Authorization (OA)
- Plan of Action and Milestones (POA&M)
- Privacy Impact Assessment (PIA)
- Role Based Training (RBT)
- Security and Privacy Requirements for IT Procurements
- Security Controls Assessment (SCA)
- System Audits
- Zero Trust
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Response Handbook
- CMS Cyber Risk Management Plan (CRMP)
- CMS Cybersecurity and Privacy Training & Awareness Handbook
- CMS Guide to Federal Laws, Regulations, and Policies
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Key Management Handbook
- CMS Plan of Action and Milestones (POA&M) Handbook
- CMS Privacy Impact Assessment (PIA) Handbook
- CMS Privacy Program Plan
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Configuration Management (CM)
- HHS Policy for Rules of Behavior for Use of Information & IT Resources
- Identification and Authentication (IA)
- Incident Response (IR)
- Information System Contingency Plan (ISCP) Exercise Handbook
- Information System Contingency Plan (ISCP) Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Responsible Use of AI within CMS for Cybergeek
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- Risk Management Handbook Chapter 8: Incident Response (IR)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- System and Services Acquisition (SA)
Latest articles and updates
- 10/1/2025UpdatesFrom Policy
System & Information Integrity RMH Retirement and the Info Guide Implementation
This blog post introduces the System & Information Integrity Informational Guide
- 9/26/2025UpdatesFrom Policy
Information & Authentication RMH Retirement and Implementation of the Info Guide
We're retiring all the ARS control family handbooks and replacing them with informational guides.
- 8/20/2025UpdatesFrom Zero Trust
Bridging the Gap: Introducing the CMS Zero Trust Forge
An introduction to a new tool to scope granular, least privilege Kion Cloud AWS IAM Policies and Roles