Risk Management and Reporting
Overview
Managing cyber risk is an ongoing part of information security and privacy at CMS. Instead of focusing solely on "compliance", we take a proactive approach by helping Business/System Owners, ISSOs, and application teams continuously evaluate and respond to security risks.
Risk management and reporting at CMS includes system assessments, real-time reporting tools, and the translation of policy requirements into concrete metrics that let CMS components gauge the overall security posture of their systems.
All resources in Risk Management and Reporting
General Information
Policies and Handbooks
- CMS Acceptable Risk Safeguards (ARS)
- CMS Cyber Risk Management Plan (CRMP)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Information System Contingency Plan (ISCP) Exercise Handbook
Latest articles and updates
- 2/3/2026 (Articles, from CRM)
Improving data quality in preparation for onboarding to CDM
Learn how to properly manage data quality in order to smooth the path to CDM onboarding and ensure that CMS systems and end users are protected.
- 9/29/2025 (Articles, from SCRM)
New cybersecurity guidance from CISA for Software Bill Of Materials (SBOM)
Learn about proposed updates to the minimum elements of SBOMs and how these have evolved in recent years.
- 8/7/2025 (Articles, from SCRM)
Understanding and avoiding Single Points of Failure (SPOF)
Learn about SPOFs and practical ways to avoid them through improved Supply Chain Risk Management (SCRM).