Risk Management and Reporting
Overview
Managing cyber risk is an ongoing part of information security and privacy at CMS. Instead of focusing solely on "compliance", we take a proactive approach by helping Business/System Owners, ISSOs, and application teams continuously evaluate and respond to security risks.
Risk management and reporting at CMS includes system assessments, real-time reporting tools, and the translating of policy requirements into concrete metrics that allow CMS components to gauge the overall security posture of their systems.
CMS Slack Channel: #cyber-risk-managementAll resources in Risk Management and Reporting
General Information
Policies and Handbooks
- CMS Acceptable Risk Safeguards (ARS)
- CMS Cyber Risk Management Plan (CRMP)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Information System Contingency Plan (ISCP) Exercise Handbook
Latest articles and updates
- 6/11/2025UpdatesFrom CFACTS
CFACTS Update: New features to streamline ATO workflows
Learn about new features in CFACTS that make ATO workflows easier, including an ATO Document Progress View and ATO Conditions.
- 10/30/2024UpdatesFrom CFACTS
CFACTS UI Changes: Get a sneak peek of the new RMF layout
See the new layout in the CFACTS IMPL environment
- 9/5/2024UpdatesFrom CFACTS
CFACTS Update: Sept 2024 Enhancements
Learn about the new GTL stakeholder field, added ability to delete ISRAs, added boundary diagram instructions, ACT to CSRAP, and changes to work requests.