<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Planning for ATO at CMS</title>
<script src="assets/uswds-2.11.1/js/uswds-init.min.js"></script>
<link rel="stylesheet" href="assets/uswds-2.11.1/css/uswds.min.css">
<!-- Client-side redirect to the replacement page after 10 seconds. A meta refresh is not honored by every client, so the server should also answer this retired page with a 301 to the same URL so that stale copies are not cached, indexed or bookmarked. -->
<meta http-equiv="refresh" content="10;url=https://security.cms.gov/learn/authorization-operate-ato">
</head>
<body>
<script src="assets/uswds-2.11.1/js/uswds.min.js"></script>
<a class="usa-skipnav" href="#main-content">Skip to main content</a>
<!--
<section class="usa-banner" aria-label="Official government website">
<div class="usa-accordion">
<header class="usa-banner__header">
<div class="usa-banner__inner">
<div class="grid-col-auto">
<img class="usa-banner__header-flag" src="assets/img/uswds-2.11.1/us_flag_small.png" alt="U.S. flag">
</div>
<div class="grid-col-fill tablet:grid-col-auto">
<p class="usa-banner__header-text">An official website of the United States government</p>
<p class="usa-banner__header-action" aria-hidden="true">Here’s how you know</p>
</div>
<button class="usa-accordion__button usa-banner__button"
aria-expanded="false" aria-controls="gov-banner">
<span class="usa-banner__button-text">Here’s how you know</span>
</button>
</div>
</header>
<div class="usa-banner__content usa-accordion__content" id="gov-banner">
<div class="grid-row grid-gap-lg">
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-dot-gov.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Official websites use .gov
</strong>
<br/>
A <strong>.gov</strong> website belongs to an official government organization in the United States.
</p>
</div>
</div>
<div class="usa-banner__guidance tablet:grid-col-6">
<img class="usa-banner__icon usa-media-block__img" src="assets/img/uswds-2.11.1/icon-https.svg" role="img" alt="" aria-hidden="true">
<div class="usa-media-block__body">
<p>
<strong>
Secure .gov websites use HTTPS
</strong>
<br/>
A <strong>lock</strong> (
<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-title banner-lock-description" focusable="false"><title id="banner-lock-title">Lock</title><desc id="banner-lock-description">A locked padlock</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h32v-9c0-6.075-4.925-11-11-11z"/></svg></span>
) or <strong>https://</strong> means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
</p>
</div>
</div>
</div>
</div>
</div>
</section>
-->
<div class="usa-overlay"></div>
<header class="usa-header usa-header--extended"><div class="usa-navbar">
<div class="usa-logo" id="extended-logo">
<em class="usa-logo__text"><a href="index.html" title="Home" aria-label="Home">CMS Security & Compliance Planning</a></em>
</div>
<button class="usa-menu-btn">Menu</button>
</div>
<!-- Redirection Notice -->
<section class="usa-site-alert usa-site-alert--emergency" aria-label="Site alert,">
<div class="usa-alert">
<div class="usa-alert__body">
<h3 class="usa-alert__heading">CMS ATO Notice</h3>
<p class="usa-alert__text">
CMS ATO information can now be found at <a class="usa-link" href="https://security.cms.gov">security.cms.gov</a>, along with other security and privacy resources.
</p>
<p class="usa-alert__text">
This website is being retired. You will be redirected to security.cms.gov in 10 seconds.
</p>
</div>
</div>
</section>
<!-- End Redirection Notice -->
<nav aria-label="Primary navigation" class="usa-nav">
<div class="usa-nav__inner"><button class="usa-nav__close"><img src="assets/img/uswds-2.11.1/usa-icons/close.svg" role="img" alt="close"></button>
<ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item" style="display: none">
<button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="extended-nav-section-one"><span>CMS Rapid ATO</span></button>
<ul id="extended-nav-section-one" class="usa-nav__submenu">
<li class="usa-nav__submenu-item">
<a href="rato.html" class=""> What is CMS Rapid ATO</a>
</li>
<li class="usa-nav__submenu-item">
<a href="overview.html" class=""> Background</a></li></ul></li>
<li class="usa-nav__primary-item">
<button class="usa-accordion__button usa-nav__link " aria-expanded="false" aria-controls="extended-nav-section-two"><span>ATO Phases</span></button>
<ul id="extended-nav-section-two" class="usa-nav__submenu">
<!-- <li class="usa-nav__submenu-item">
<a href="#" class=""> Preparation</a>
</li>-->
<li class="usa-nav__submenu-item">
<a href="overview-phases.html" class=""> Overview</a>
</li><li class="usa-nav__submenu-item">
<a href="initiate.html" class=""> Initiate</a>
</li><li class="usa-nav__submenu-item">
<a href="develop.html" class=""> Develop and Assess</a>
</li><li class="usa-nav__submenu-item">
<a href="operate.html" class=""> Operate</a>
</li>
<li class="usa-nav__submenu-item">
<a href="retire.html" class=""> Retire</a>
</li></ul></li>
<li class="usa-nav__primary-item">
<button class="usa-accordion__button usa-nav__link usa-current" aria-expanded="false" aria-controls="extended-nav-section-three"><span>Resources</span></button>
<ul id="extended-nav-section-three" class="usa-nav__submenu">
<!-- <li class="usa-nav__submenu-item">
<a href="#" class=""> Preparation</a>
</li>-->
<li class="usa-nav__submenu-item">
<a href="types.html" class=""> Authorizations & Agreements </a>
</li>
<li class="usa-nav__submenu-item">
<a href="roles.html" class=""> Key Roles & Stakeholders</a>
</li>
<li class="usa-nav__submenu-item">
<a href="tools.html" class=""> Tools & Services </a>
</li>
</ul></li>
</ul>
</div>
</nav>
</header>
<main id="main-content">
<div class="usa-section">
<div class="grid-container">
<div class="grid-row grid-gap">
<div class="usa-layout-docs__sidenav desktop:grid-col-3">
<nav aria-label="Secondary navigation">
<ul class="usa-sidenav">
<li class="usa-sidenav__item">
<a href="roles.html" class="usa-current">Key Roles</a>
<ul class="usa-sidenav__sublist">
<li class="usa-sidenav__item">
<a href="#chief" class="">Chief Information Security Officer </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#cyber" class="">Cyber Risk Advisor </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#business" class="">Business Owner</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#info" class="">Information System Security Officer</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#system" class="">System Developer</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#assessor" class="">Assessor</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#other" class="usa-current">Other Stakeholders</a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#official" class="">Authorizing Official </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#pene" class="">Penetration Tester </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#program" class="">Program / Project Team </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#owner" class="">System Owner </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#design" class="">Enterprise Architecture and Data Group </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
<li class="usa-sidenav__item">
<a href="#gov" class="">Governance Review Team </a><ul class="usa-sidenav__sublist">
<!--<li class="usa-sidenav__item">
<a href="">Sub-section</a>
</li>-->
</ul>
</li>
</ul>
</li>
</ul>
</nav>
</div>
<!-- NOTE: this is a second <main> nested inside the one opened at the top of the page; it should become a <div> (together with its closing tag). The duplicate id="main-content" has been removed so the skip link has exactly one target. -->
<main class="usa-layout-docs__main desktop:grid-col-9 usa-prose usa-layout-docs">
<h1> Key Roles
</h1>
<h3 id="chief">Chief Information Security Officer (CISO)</h3>
<h4><strong>Background</strong></h4>
<p>The CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy (SOP). From setting policy and guidance to approving Authorities to Operate (ATOs), the CISO drives information security at CMS. </p>
<h4><strong>Responsibilities:</strong></h4>
<ul>
<li>Define information security and privacy control requirements </li>
<li>Publish CISO Directives to augment the existing policy</li>
<li>Review any requested policy waivers and deviations and provide recommendations for risk acceptance</li>
<li>Develop and implement the policies and procedures required by the <a href="https://www.hhs.gov/hipaa/index.html">Health Insurance Portability and Accountability Act (HIPAA)</a> Security Rule </li>
<li>Delegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)</li>
<li>Ensure implementation of the Department of Health and Human Services (HHS) and CMS information security and privacy capabilities, policies, and procedures across CMS</li>
<li>Lead the investigation and resolution of information security and privacy incidents and breaches across CMS</li>
<li>Define and oversee the goals and requirements of Agency Security Operations</li>
<li>Coordinate incident response and threat information sharing with relevant parties</li>
<li>Ensure the information security continuous monitoring (ISCM) capabilities accomplish established goals</li>
<li>Publish an Ongoing Authorization process</li>
<li>Approve ISSO appointments from the Program Executive</li>
<li>Approve the independent security control assessment deliverables</li>
<li>Coordinate with stakeholders to ensure compliance with control family requirements</li>
<li>Authorize the immediate disconnection or suspension of flagged systems until the Authorizing Official (AO) orders reconnection</li>
</ul>
<h3 id="cyber">Cyber Risk Advisor (CRA)</h3>
<h4><strong>Background</strong></h4>
<p>The CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Controls Tracking System (CFACTS). They act as the subject matter expert in all areas of the CMS Risk Management Framework (RMF).</p>
<h4><strong>Responsibilities</strong></h4>
<ul>
<li>Evaluate, maintain, and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the AO</li>
<li>Help ensure that all requirements specified by the CMS Acceptable Risk Safeguards (ARS) and the procedures and standards of the Risk Management Handbook (RMH) are implemented and enforced</li>
<li>Serve as an active participant in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs considering security, functionality, and cost</li>
<li>For each system, coordinate with the Data Guardian, Information System Owner (ISO), Business Owner, and ISSO to:</li>
<ul>
<li>Identify the types of information processed</li>
<li>Assign the appropriate security categorizations</li>
<li>Ensure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of Personally Identifiable Information (PII) / Protected Health Information (PHI)</li>
<li>Determine the privacy impacts and manage information security and privacy risk</li>
</ul>
<li>Ensure information security and privacy testing is performed throughout the SDLC as appropriate and results are considered during the development phase of the SDLC</li>
<li>Monitor system security posture by reviewing all proposed information security and privacy artifacts to provide recommendations to the ISSO</li>
</ul>
<h3 id="business">Business Owner (BO)</h3>
<h4><strong>Background</strong></h4>
<p>The BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. BOs are not expected to be technical or security experts, but their participation and collaboration are critical to the success of the ATO.</p>
<h4><strong>Responsibilities</strong></h4>
<p>During an ATO, the BO works closely with technical and security stakeholders—particularly the ISSO—to ensure that the data and information in their system is properly documented and managed. Working with their team, the BO’s responsibilities include, but are not limited to:</p>
<p><strong>Document and Protect PII and PHI</strong></p>
<ul>
<li>Comply with the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf">CMS Policy for IT Investment Management &amp; Governance</a></li>
<li>Coordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI</li>
<ul>
<li>Ensure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information</li>
<li>Assign the appropriate security categorizations to the information system</li>
<li>Determine information security and privacy impacts and manage risks</li>
</ul>
<li>Work with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized</li>
<li>Coordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the SOP to ensure that appropriate information security and privacy contracting language from relevant sources is included in each IT contract. Relevant sources must include, but are not limited to: </li>
<ul>
<li>HHS Office of the Assistant Secretary for Financial Resources (ASFR) </li>
<li>HHS Office of Grants and Acquisition Policy and Accountability (OGAPA) </li>
<li>CMS Office of Acquisition and Grants Management (OAGM)</li>
</ul>
<li>Coordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies</li>
</ul>
<p><strong>Manage CMS Data Privacy and Security</strong></p>
<ul>
<li>Own and manage access to the information stored, processed, or transmitted in the system</li>
<li>Manage and approve all use and disclosure of data from CMS programs or systems </li>
<li>Verify that CMS programs and systems only disclose the minimum data necessary</li>
<li>Confirm adequate security and privacy controls are in place to protect CMS systems</li>
<li>Prepare Privacy Impact Assessments (PIAs) for programs or systems with the direction from the CRA</li>
<li>Support the analysis of incidents involving PII and help determine the appropriate action to make notification of privacy breaches and reporting, monitoring, tracking, and closure of incidents</li>
</ul>
<h3 id="info">Information System Security Officer (ISSO)</h3>
<h4><strong>Background</strong></h4>
<p>The ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process. </p>
<h4><strong>Responsibilities</strong></h4>
<p>Before joining a project, an ISSO fills out an appointment letter, which is reviewed by the BO and signed off by the Information Security and Privacy Group (ISPG). Once an ISSO joins a project their responsibilities include, but are not limited to: </p>
<p><strong>General Duties</strong></p>
<ul>
<li>Coordinate with the Data Guardian, ISO, Business Owner, and CRA to: </li>
<ul>
<li>Identify the types of information processed </li>
<li>Complete a Privacy Impact Assessment (PIA) that includes all privacy items that will be hosted in the system</li>
<li>Ensure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of PII/PHI </li>
<li>Assign the appropriate security categorizations to the information systems</li>
<li>Determine information security and privacy impacts and manage risks</li>
</ul>
<li>Report compliance on secure protocol use in websites as defined within the CMS ARS</li>
<li>Submit recommendations to the CRA for system configuration deviations from the required baseline</li>
<li>Coordinate with the CIO, CISO, SOP, BO and others to ensure compliance with control family requirements on website usage, web measurement and customization technologies, and third-party websites and applications</li>
<li>Coordinate with the System Developer and Maintainer in identifying the information security and privacy controls for the system</li>
<li>Document the controls and ensure they meet or exceed the minimum controls defined by CISO guidance</li>
</ul>
<p><strong>Safeguard Privacy</strong></p>
<ul>
<li>Coordinate with the BO, CRA and other stakeholders to meet all collection, creation, use, dissemination, retention, and maintenance requirements for sensitive information</li>
</ul>
<p><strong>Assess and Authorize</strong></p>
<ul>
<li>Maintain current system information in CFACTS (such as POCs and artifacts) to support requirements and processes</li>
<li>Coordinate with the BO, ISO, and CISO to ensure that all system requirements are implemented and enforced</li>
<li>Ensure identified anomalies and risks are addressed and remediated appropriately</li>
<li>Evaluate the impact of network and system changes</li>
</ul>
<p><strong>Duties across System Development Life Cycle</strong></p>
<p><strong>Initiation</strong></p>
<ul>
<li>Review and confirm that contracts include appropriate information security and privacy language</li>
<li>Coordinate with CMS Enterprise Architecture</li>
<li>Ensure the system is entered into CFACTS</li>
<li>Work with the BO to draft a PIA</li>
<li>Evaluate whether other privacy artifacts are required</li>
<li>Complete System Security Categorization</li>
<li>Identify system-specific, information security and privacy training needs</li>
<li>Participate in governance and project reviews</li>
</ul>
<p><strong>Concept </strong></p>
<ul>
<li>Identify and discuss risk with the Program Manager and BO</li>
<li>Identify investment needs to ensure each system meets security and privacy requirements </li>
</ul>
<p><strong>Planning</strong></p>
<ul>
<li>Develop a System Security Plan (SSP)</li>
</ul>
<h3 id="system">System Developer (Developer)</h3>
<h4><strong>Background</strong></h4>
<p>The Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, CMS Security Automation Framework, and the DevSecOps support team to help project teams build successful DevSecOps platforms and <a href="https://saf.cms.gov/#/faq#security-control-associations">secure system ecosystems</a>. </p>
<h4><strong>Responsibilities</strong></h4>
<ul>
<li>Create, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:</li>
<ul>
<li>Ensure requirements are effectively integrated into IT products and systems</li>
<li>Ensure requirements are adequately planned and addressed in all aspects of system architecture</li>
<li>Ensure automated information security and privacy capabilities are integrated and deployed as required</li>
</ul>
<li>Coordinate with the ISSO to identify the necessary information security and privacy controls for the system</li>
<li>Follow the CMS System Development Life Cycle (SDLC) in developing and maintaining a system, including: </li>
<ul>
<li>Understand the relationships among the system's features and information security and privacy safeguards</li>
<li>Ensure all development practices comply with the CMS Technical Reference Architecture (TRA)</li>
</ul>
<li>Execute the RMF tasks listed in NIST SP 800-37 and the RMH</li>
<li>Ensure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories</li>
<li>Share only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected</li>
</ul>
<h3 id="assessor">Assessor</h3>
<h4><strong>Background</strong></h4>
<p>The Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial: they must be free of any actual or perceived conflict of interest with regard to the development, operation, or management of the information systems they assess, so that the findings the Authorizing Official relies on are credible.
</p>
<h4><strong>Responsibilities</strong></h4>
<p>Assessors work with the ISSO and CRA to verify that the controls documented for a system are actually implemented and operating as intended, not merely described. They use assessment cases to test the system, and the process typically involves the following steps:</p>
<ul>
<li>The ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set</li>
<li>The CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled</li>
<li>At least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS</li>
<li>The assessment begins once the funds are verified as available via the CAMS</li>
</ul>
<h1 id="other"><strong>Other Stakeholders</strong></h1>
<h3 id="official">Authorizing Official (AO)</h3>
<p>The AO is responsible for the overall impact categorization and risk acceptance. They determine whether the risk of operating the system is acceptable and, if so, issue an Authority to Operate (ATO) for that system. They often designate one or more other people to carry out parts of this responsibility. At most federal agencies this role is performed by the Chief Information Officer (CIO).</p>
<h3 id="pene">Penetration Tester (PenTester)</h3>
<p>PenTesters test the security of a system by attempting to exploit its vulnerabilities. They work with ISSOs and project teams to set and document the Rules of Engagement (RoE), which define the scope, authorized targets, testing window, and constraints of the test; testing does not begin until the RoE are agreed. They then assess the system according to those terms and issue a findings report. At CMS, this service is offered and funded by the CMS Cybersecurity Integration Center (CCIC).</p>
<h3 id="program">Program / Project Team </h3>
<p>Those who are trying to build/launch the system.</p>
<h3 id="owner">System Owner </h3>
<p>The system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.</p>
<h3 id="design">Enterprise Architecture and Data Group (EA)</h3>
<p>Every federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO. </p>
<h3 id="gov">Governance Review Team (GRT)</h3>
<p>The Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. It helps project teams determine if there is the need to build a new system, and to work through the IT governance process. </p>
<p>The GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system. </p>
</main>
</div>
</div>
</div>
</main>
<footer class="usa-footer usa-footer--slim">
<div class="grid-container usa-footer__return-to-top">
<!--- <a href="#">Return to top</a>-->
</div>
<div class="usa-footer__primary-section">
<div class="usa-footer__primary-container grid-row">
<div class="mobile-lg:grid-col-8">
<!-- <nav class="usa-footer__nav" aria-label="Footer navigation">
<ul class="grid-row grid-gap">
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
<li class="mobile-lg:grid-col-6 desktop:grid-col-auto usa-footer__primary-content">
<a class="usa-footer__primary-link" href="javascript:void(0);">Primary link</a>
</li>
</ul>
</nav>-->
</div>
<div class="mobile-lg:grid-col-4">
<address class="usa-footer__address">
<div class="grid-row grid-gap">
<div class="grid-col-auto mobile-lg:grid-col-12 desktop:grid-col-auto">
<div class="usa-footer__contact-info">
<a href="tel:1-800-555-5555"></a>
</div>
</div>
<div class="grid-col-auto mobile-lg:grid-col-12 desktop:grid-col-auto">
<div class="usa-footer__contact-info">
<a href="mailto:[email protected]"></a>
</div>
</div>
</div>
</address>
</div>
</div>
</div>
<div class="usa-footer__secondary-section">
<div class="grid-container">
<div class="usa-footer__logo grid-row grid-gap-2">
<div class="grid-col-auto">
<img class="usa-footer__logo-img" src="assets/img/uswds-2.11.1/logo-img.png" alt="">
</div>
<div class="grid-col-auto">
<p class="usa-footer__logo-heading"></p>
</div>
</div>
</div>
</div>
</footer>
</body>
</html>