CMS security risk