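<!DOCTYPE html>
<!--
  Initiate-phase page of the CMS ATO planning site.

  Fixes applied in this revision:
  - <html lang> and a viewport meta were missing.
  - Two <main> elements shared id="main-content" (the inner one is now a <div>),
    so the skip link and landmark navigation were ambiguous.
  - Several <li> elements were never closed and one paragraph had a stray </p>.
  - Secondary-navigation anchors (#intake, #review, #board) did not match the
    heading ids they were meant to reach (#easi, #gov, #review).
  - The "Initiate" side-nav entry linked to types.html instead of this page.
  - Heading levels jumped from h1 to h3; <strong> inside headings was purely
    visual and has been dropped.
  - Commented-out template markup and empty placeholder links were removed.
-->
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Planning for ATO at CMS</title>
  <!-- uswds-init must run before the stylesheet is applied so USWDS can mark
       <html> as JS-enabled and avoid a flash of unstyled content. -->
  <script src="assets/uswds-2.11.1/js/uswds-init.min.js"></script>
  <link rel="stylesheet" href="assets/uswds-2.11.1/css/uswds.min.css">
  <!-- The behaviour bundle needs the parsed DOM; defer keeps it in <head>
       without blocking rendering. -->
  <script src="assets/uswds-2.11.1/js/uswds.min.js" defer></script>
  <!-- Site-retirement redirect. The target is an https: URL on cms.gov; keep it
       that way so visitors are never bounced through a plaintext hop. The 10 s
       timer is announced to users by the site alert in the header. -->
  <meta http-equiv="refresh" content="10;url=https://security.cms.gov/learn/authorization-operate-ato">
</head>
<body>
  <a class="usa-skipnav" href="#main-content">Skip to main content</a>
  <div class="usa-overlay"></div>
  <header class="usa-header usa-header--extended">
    <div class="usa-navbar">
      <div class="usa-logo" id="extended-logo">
        <!-- The link text is the accessible name; the previous aria-label="Home"
             overrode it and hid the site name from screen-reader users. -->
        <em class="usa-logo__text"><a href="index.html">CMS Security &amp; Compliance Planning</a></em>
      </div>
      <button class="usa-menu-btn" type="button">Menu</button>
    </div>
    <!-- Redirection Notice -->
    <section class="usa-site-alert usa-site-alert--emergency" aria-label="Site alert">
      <div class="usa-alert">
        <div class="usa-alert__body">
          <h2 class="usa-alert__heading">CMS ATO Notice</h2>
          <p class="usa-alert__text">
            CMS ATO information can now be found at <a class="usa-link" href="https://security.cms.gov">security.cms.gov</a>, along with other security and privacy resources.
          </p>
          <p class="usa-alert__text">
            This website will be retired. You will be redirected in a moment.
          </p>
        </div>
      </div>
    </section>
    <!-- End Redirection Notice -->
    <nav aria-label="Primary navigation" class="usa-nav">
      <div class="usa-nav__inner">
        <button class="usa-nav__close" type="button"><img src="assets/img/uswds-2.11.1/usa-icons/close.svg" alt="Close"></button>
        <ul class="usa-nav__primary usa-accordion">
          <!-- The Rapid ATO section is intentionally hidden from the menu.
               NOTE(review): kept as an inline style; confirm the USWDS nav
               rules do not override the [hidden] attribute before switching. -->
          <li class="usa-nav__primary-item" style="display: none">
            <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-one"><span>CMS Rapid ATO</span></button>
            <ul id="extended-nav-section-one" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="rato.html">What is CMS Rapid ATO</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="overview.html">Background</a>
              </li>
            </ul>
          </li>
          <li class="usa-nav__primary-item">
            <button class="usa-accordion__button usa-nav__link usa-current" type="button" aria-expanded="false" aria-controls="extended-nav-section-two"><span>ATO Phases</span></button>
            <ul id="extended-nav-section-two" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="overview-phases.html">Overview</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="initiate.html" aria-current="page">Initiate</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="develop.html">Develop and Assess</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="operate.html">Operate</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="retire.html">Retire</a>
              </li>
            </ul>
          </li>
          <li class="usa-nav__primary-item">
            <!-- Only the section that contains this page carries usa-current. -->
            <button class="usa-accordion__button usa-nav__link" type="button" aria-expanded="false" aria-controls="extended-nav-section-three"><span>Resources</span></button>
            <ul id="extended-nav-section-three" class="usa-nav__submenu">
              <li class="usa-nav__submenu-item">
                <a href="types.html">Authorizations &amp; Agreements</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="roles.html">Key Roles &amp; Stakeholders</a>
              </li>
              <li class="usa-nav__submenu-item">
                <a href="tools.html">Tools &amp; Services</a>
              </li>
            </ul>
          </li>
        </ul>
      </div>
    </nav>
  </header>
  <main id="main-content">
    <div class="usa-section">
      <div class="grid-container">
        <div class="grid-row grid-gap">
          <div class="usa-layout-docs__sidenav desktop:grid-col-3">
            <!-- Every fragment link below targets an id on a heading in the
                 content column; keep the two lists in sync. -->
            <nav aria-label="Secondary navigation">
              <ul class="usa-sidenav">
                <li class="usa-sidenav__item">
                  <a href="initiate.html" class="usa-current" aria-current="page">Initiate</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#idea">New System Idea</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#start">Getting Started</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#host">Hosting</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#app">Appendix A</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#easi">EASi Intake Form</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#gov">Governance Review Team</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#review">Governance Review Board</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#enterprise">Enterprise Architecture Activities</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#auth">Authorization Package</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#cat">Categorize System Security</a>
                </li>
                <li class="usa-sidenav__item">
                  <a href="#bound">Boundary Documentation</a>
                </li>
              </ul>
            </nav>
          </div>
          <!-- A page may have only one <main>; the outer landmark above owns
               id="main-content", so the content column is a plain <div>. -->
          <div class="usa-layout-docs__main desktop:grid-col-9 usa-prose usa-layout-docs">
            <h1>Initiate</h1>
            <h2>Overview</h2>
            <p>The Initiate phase documents the general business need that the system intends to address, and provides Business Owners (BO) with available, CMS-validated solutions. If there is not an existing solution at CMS and a new one has to be implemented, a Life Cycle ID is assigned to the project and the Security Assessment and Authorization process begins.</p>
            <p>To develop, document, and evaluate potential options for development, this process relies heavily on these key personnel: </p>
            <ul>
              <li>Business Owner</li>
              <li>Enterprise Architecture (EA) team </li>
              <li>Office of Information Technology (OIT) Navigators</li>
              <li>Subject Matter Experts (SMEs)</li>
              <li>Governance Review Team (GRT) </li>
              <li>Representatives from Security, Privacy, and Accessibility (for consultation)</li>
            </ul>
            <!-- NOTE(review): the image had no alt text; describe what the
                 diagram shows (or set alt="" if it is purely decorative) and
                 add its intrinsic width/height to avoid layout shift. -->
            <img src="imgs/Initiate.png" alt="Initiate phase">
            <h2>Before You Get Started</h2>
            <p>The governance process exists to help Business Owners find out if a solution already exists at CMS before starting a new ATO. Cloud Computing, i.e.: Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Infrastructure-as-a-Service (IaaS) solutions should be considered, and a determination made if existing CMS/Department of Health and Human Services (HHS) vehicles can be leveraged. If a solution exists, there is no reason to spend time, effort and money recreating the wheel. </p>
            <h2 id="idea">Initiate a New System Idea</h2>
            <p>All new business needs and material changes to existing systems must complete the Initiate phase. During this period, business needs must be documented, and alternative solutions considered. </p>
            <p>The Business Owner will collaborate with knowledgeable stakeholders about CMS infrastructure and existing assets to define and document the general business need or enhancement, and explore and document solution options. These stakeholders often include:</p>
            <ul>
              <li>Information Security and Privacy Group (ISPG)</li>
              <li>Office of Acquisition and Grants Management (OAGM)</li>
              <li>Governance Review Team (GRT)</li>
              <li>Governance Review Board (GRB)</li>
              <li>Enterprise Architecture (EA) Team</li>
              <li>Technical Review Board (TRB)</li>
              <li>Office of Financial Management (OFM)</li>
              <li>Various Subject Matter Experts (SMEs)</li>
            </ul>
            <h2 id="start">Getting Started</h2>
            <p>If no solution exists, they will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the BO assigns an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy related considerations.</p>
            <h2 id="host">Hosting</h2>
            <p>It is important to determine the primary hosting location for the solution. Hosting the solution within CMS—for example, CMS Cloud Services—instead of using vendor provided hosting locations is much preferred. Leveraging CMS hosting allows the team access to a significant amount of services from CMS. This saves time and money on compliance, so they don't have to worry about reducing cost on implementation to stay on budget. This should be the primary goal at this point in the process.</p>
            <h2 id="app">Appendix A</h2>
            <p>Appendix A is required to ensure that the contract includes security measures. The Business Owner, Privacy SME and CRA complete Appendix A and send it to OAGM to provision the contract.</p>
            <h2 id="easi">Complete EASi Intake Form</h2>
            <!-- NOTE(review): this link targets the impl.easi.cms.gov host;
                 confirm it is the environment end users are meant to reach. -->
            <p>If you decide to create a new solution at CMS, the <a href="https://impl.easi.cms.gov/">Easy Access to System Information (EASi)</a> system is the first step. EASi automates the governance process and helps connect you and your contract to funding at CMS, starting with an intake form. </p>
            <p>The Business Owner starts an intake form in EASi to start the governance process and get a <strong>Life Cycle ID</strong> for their system. This is required for every CMS system, and key to securing funding for a new project. </p>
            <h2 id="gov">Consult with Governance Review Team</h2>
            <p>Submitting the intake form engages the GRT, who works with the Business Owner, the EA team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with the ATO, this iterative, collaborative process should result in a strong business case to present to the GRB. </p>
            <h2 id="review">Present to the Governance Review Board</h2>
            <p>Once they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. The presentation is reviewed by relevant SMEs followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue. </p>
            <h2 id="enterprise">Complete Enterprise Architecture Activities</h2>
            <p>Once the Business Owner selects their chosen path forward, they will work with EA to complete a Core System Information Form. EA will then issue a User Identification (UID) number, which allows the project to be entered into the CMS FISMA Controls Tracking System (CFACTS). The Life Cycle ID and UID numbers will remain associated with the project for the duration of its life cycle. </p>
            <h2 id="auth">Create an Authorization Package</h2>
            <p>CFACTS is a Government Risk and Compliance (GRC) tool used to track and manage the security and compliance of all CMS systems. Upon receipt of the UID number from EA, ISPG enters the system into CFACTS. To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. </p>
            <p>Going forward, the Business Owner and their team will work together with various stakeholders to complete the required ATO documentation in CFACTS. The specific documents required are based on many factors and vary from system to system, <strong>but all projects should expect to provide the following Tier 1 Documentation:</strong></p>
            <ul>
              <li>System Security Plan (SSP)</li>
              <li>Information Security Risk Assessment (ISRA)</li>
              <li>Privacy Impact Assessment (PIA)</li>
              <li>Contingency Plan (CP)</li>
              <li>Contingency Plan Table Top Exercise (CPTT)</li>
            </ul>
            <p><strong>Additional documentation that is often required includes:</strong></p>
            <ul>
              <li>Project management personnel and policies</li>
              <li>Security and privacy documentation</li>
              <li>Risk assessment and abatement</li>
              <li>Contingency plans</li>
              <li>Architecture diagrams</li>
              <li>Hardware and software inventories</li>
              <li>Vulnerability scanning documentation</li>
              <li>Open Plan of Action &amp; Milestones (PO&amp;AMs)</li>
              <li>ISSO Appointment Letter</li>
              <li>TRB Letter</li>
              <li>Configuration Management</li>
              <li>Baseline security configurations</li>
              <li>Configuration compliance audits policies</li>
              <li>Maintenance and update policies</li>
              <li>Compliance monitoring tool output</li>
              <li>Malware protection</li>
              <li>User ID conventions, group membership, and information system accounts for each component</li>
              <li>Audit documentation</li>
              <li>System procedures manual</li>
              <li>Job descriptions and personnel policies</li>
              <li>Physical access and remote work policies</li>
              <li>Data Use and Service Level Agreements</li>
              <li>Source code</li>
              <li>And others </li>
            </ul>
            <p>Templates and more information is available in the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library">CMS Information Security Library.</a></p>
            <p>As you might imagine, collecting and entering all required information in CFACTS can take much time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.</p>
            <h2 id="cat">Categorize System Security</h2>
            <p>During the documentation process, the team will add all required information into CFACTS and work together to categorize the system. Every information system that has an ATO must be classified into one of three levels of potential impact to organizations and individuals should there be a breach of security.</p>
            <p><strong>At the end of this process, the system will be categorized as either High, Moderate, or Low risk</strong> according to the <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf">Federal Information Processing Standards (FIPS) Publication 199</a>. This will determine the required controls. In particular, they will determine whether it should be classified as a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.</p>
            <p>For reference, CMS has a <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/Tool-System-Categorization-Worksheet">FIPS 199 categorization tool</a> in the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Information-Security-Library">Information Security and Privacy Library. </a></p>
            <h3 id="bound">Boundary Documentation</h3>
            <p>In addition to risk level, the system architecture, components and boundary are documented in CFACTS. The boundary separates what is part of the system from what is not. It is documented through network diagrams, hardware and software inventories, and narrative explanation. </p>
            <p>Including an exemplary boundary diagram will facilitate the assessment of your system and expedite the ATO process. This includes what you’re directly responsible for building and maintaining and what your system is connected to and utilizing that someone else is responsible for building and maintaining. A good boundary diagram should:</p>
            <ol>
              <li>Include CMS shared services and how they connect to your system</li>
              <li>Show proxy - URL Filtering and whitelisting outbound traffic</li>
              <li>Separate S3 buckets for each Subnet</li>
              <li>Display zonal VRF between VDCs and AWS</li>
              <li>Include API Consumers internal access path(s)</li>
              <li>Depict all AWS Services being used</li>
            </ol>
            <p>If the project team has questions or wants to discuss their specific design, they should email <a href="mailto:[email protected]">[email protected]</a>. </p>
            <h3>Control Baseline</h3>
            <p>Based on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate or High. These controls follow the <a href="https://www.cms.gov/Regulations-and-Guidance/Guidance/Manuals/Downloads/117_Systems_Security_MAC_ARS.pdf">CMS Acceptable Risk Safeguard (ARS) standard publication</a>. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO and the CRA as the artifacts are reviewed and accepted.</p>
          </div>
        </div>
      </div>
    </div>
  </main>
  <footer class="usa-footer usa-footer--slim">
    <div class="grid-container usa-footer__return-to-top"></div>
    <div class="usa-footer__primary-section">
      <div class="usa-footer__primary-container grid-row">
        <div class="mobile-lg:grid-col-8"></div>
        <div class="mobile-lg:grid-col-4">
          <!-- The USWDS template's empty tel:/mailto: placeholder links were
               removed: an <a> with no text is unusable for assistive technology.
               NOTE(review): add real contact details here if the footer should
               carry them. -->
        </div>
      </div>
    </div>
    <div class="usa-footer__secondary-section">
      <div class="grid-container">
        <div class="usa-footer__logo grid-row grid-gap-2">
          <div class="grid-col-auto">
            <img class="usa-footer__logo-img" src="assets/img/uswds-2.11.1/logo-img.png" alt="">
          </div>
        </div>
      </div>
    </div>
  </footer>
</body>
</html>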