Risk Management and Reporting
Overview
Managing cyber risk is an ongoing part of information security and privacy at CMS. Instead of focusing solely on "compliance", we take a proactive approach by helping Business/System Owners, ISSOs, and application teams continuously evaluate and respond to security risks.
Risk management and reporting at CMS includes system assessments, real-time reporting tools, and translating policy requirements into concrete metrics that allow CMS components to gauge the overall security posture of their systems.
All resources in Risk Management and Reporting
General Information
Policies and Handbooks
- CMS Acceptable Risk Safeguards (ARS)
- CMS Cyber Risk Management Plan (CRMP)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Information System Contingency Plan (ISCP) Exercise Handbook
Latest articles and updates
- 3/11/2026 | Updates | From CRM
Advancing Security Operations and Data Visibility Across CMS: Key Takeaways from
CRC forum shares updates on CMS cybersecurity efforts, highlighting platform improvements, visibility gains, and user-driven enhancements across the enterprise.
- 3/11/2026 | Updates | From CRM
What You Need to Know About the CrowdStrike and Tenable One Enterprise Rollout
CMS boosts cybersecurity with CrowdStrike EDR and Tenable One, improving threat detection, visibility, and alignment with federal requirements.
- 3/11/2026 | Articles | From CRM
CRM Automation Strengthening Operational Excellence and CMS Security Posture
CRM PMO and RDI enhance Cyber Risk Management Operations by automating key workflows, improving data integrity, compliance, and operational efficiency.