Risk Management and Reporting
Overview
Managing cyber risk is an ongoing part of information security and privacy at CMS. Instead of focusing solely on "compliance", we take a proactive approach by helping Business/System Owners, ISSOs, and application teams continuously evaluate and respond to security risks.
Risk management and reporting at CMS includes system assessments, real-time reporting tools, and translating policy requirements into concrete metrics that allow CMS components to gauge the overall security posture of their systems.
All resources in Risk Management and Reporting
General Information
Policies and Handbooks
- CMS Acceptable Risk Safeguards (ARS)
- CMS Cyber Risk Management Plan (CRMP)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Information System Contingency Plan (ISCP) Exercise Handbook
Latest articles and updates
- 6/11/2025 | Updates | From CFACTS
CFACTS Update: New features to streamline ATO workflows
Learn about new features in CFACTS that make ATO workflows easier, including an ATO Document Progress View and ATO Conditions.
- 10/30/2024 | Updates | From CFACTS
CFACTS UI Changes: Get a sneak peek of the new RMF layout
See the new layout in the CFACTS IMPL environment.
- 9/5/2024 | Updates | From CFACTS
CFACTS Update: Sept 2024 Enhancements
Learn about the new GTL stakeholder field, the added ability to delete ISRAs, added boundary diagram instructions, the change from ACT to CSRAP, and changes to work requests.