Autogenerated text from PDF

CMS SENSITIVE INFORMATION -REQUIRES SPECIAL HANDLING Attachment 
Federally Facilitated Marketplaces (FFM) System 
II. Authorization Actions 
Failure meet the assigned due dates without prior approval invalidates this authorization 
operate. The following specific actions are completed the date(s 

indicated: 
Finding  Finding Description  Recommended Corrective Action  Risk  Due Date  
FFM has excel file with  Implement method  The presence  May 31,  
open high  macro which  for scanning uploaded  high ris} findings  2014  
finding:  executes when the  documents for system  
Macros  spreadsheet opened  malicious macros.  represents  
enabled  was uploaded for  increased risk  
uploaded files  review another  Ensure that the  the CMS  
allow code  user.  The macro only  existing equivalent  enterprise.  
execute  opened  compensating controls  Lifecycle  
automatically.  command prompt  remain place:  management  
window the local  the system  
user's machine;   The file upload  requires initial  
however, the threat  function only  testing for FISMA  
and risk potential  available for  authorization and  
limitless.  Keeping  limited period each  continuous  
macros enabled relies  year.  monitoring.  Non- the local machine   The file upload  compliance with the user who  function not  the CMS  
downloads detect  available all  Information  
and stop malicious  users, only plan  Security (IS)  
activity.  users.  4cceptable Risk  
 Files types able uploaded are  Safeguards ARS), CMS Minimum  
'  whitelisted.  Security  
Requirements  
(CMSR) without  continuous  
monitoring  
presents  
unacceptable risk.  

(CA-2). 

CMS SENSITIVE INFORMATION -REQUIRES SPECIAL HANDLING