Goodbye RMH chapter 6, hello ISCP Handbook
Late in July 2024, the ISPG Policy team published a new handbook: the CMS Information System Contingency Plan (ISCP) Handbook.
Every CMS system must include a contingency plan (CP). It is a fundamental part of the overall system design. The contingency plan reduces vulnerabilities and risk from a variety of possible threats, including natural disasters, terrorist attacks, and insider threats. NIST has more information available.
The CMS ISCP Handbook gives ISSOs and Business Owners comprehensive guidance for creating Information System Contingency Plans so they can meet CMS requirements.
The new handbook replaces chapter 6, Contingency Planning, in the Risk Management Handbook (RMH).
ISCP vs CP: What’s the difference?
Sunsetting RMH chapter 6 helps emphasize ISPG’s focus on ISCP, rather than Contingency Planning (CP).
What’s the difference? The ISCP is a specific plan and document covering the security and privacy side of a system, while CP is a broader term. CP includes the ISCP, but also the Continuity of Operations Plan (COOP). The ISCP is related to policy, and the COOP is related to operations.
ISPG is focusing on ISCP because that is specifically a matter of policy, which falls within our domain, rather than operations. Operations and the COOP are handled by a different group.
Information System Contingency Planning is an activity that systems teams need to go through in order to produce the ISCP document.
What’s in the ISCP Handbook?
The ISCP Handbook starts with an overview, going into more detail about what an ISCP actually is.
From there, it moves on to federal guidance for contingency planning, including links to NIST and FISMA resources.
It outlines the roles and responsibilities involved in creating an ISCP, then dives into comprehensive overviews of the Business Impact Analysis (BIA), which is a critical part of a complete ISCP.
The handbook then outlines all the steps required to create an ISCP, and concludes with a template that can be copied and pasted to guide teams through the ISCP process.
What should people do next?
ISSOs and Business Owners:
If you have not yet reviewed the new CMS ISCP Handbook, make some time to do so. Ensure that you understand the requirements and recommendations. Make sure that all of your systems have appropriate ISCPs in place. If any do not, use the guidance in the handbook to bring them into compliance.
Anyone else:
Even if the ISCP is not your specific responsibility, you can learn more about the ISCP process to help collaborate more effectively with your ISSO or Business Owner.
Questions?
If you have questions, contact us:
- On CMS Slack in #ispg-sec_privacy-policy (login required)
- Via email at CISO@cms.hhs.gov
Tell us what you think
At ISPG, we want to provide everyone at CMS with helpful information about security and privacy requirements. Please take a moment to let us know how we’re doing.