CISO Memo: Guidance for using collaborative tools

Purpose

This Memorandum informs CMS stakeholders of the best practices and security guidance for the use of Personally Identifiable Information / Personal Health Information (PII / PHI) and agency sensitive information when using CMS-approved collaboration tools – specifically Zoom/WebEx and Box.

What’s changed

As CMS has shifted to maximize its telework posture, the use of collaboration tools to conduct the agency’s mission has increased. To meet these increased needs, several tools have been introduced for use within the CMS environment. CMS employees and contractors must use care to ensure data is protected and secured when using these tools.

Guidance

Zoom and WebEx are video conferencing tools in use at CMS. When using CMS-based (not contractor-based) Zoom or WebEx tools (e.g., cms.zoomgov.com), PII, PHI, or agency sensitive information may be displayed. When displaying or discussing these types of information, everyone must:

  • Ensure all members of the call are identified and known to the organizer
  • Ensure all members of the call have a need to know the information being presented
  • Refrain from recording (when a meeting will have PII/PHI shared on screen)

Box provides a secure way to share content and improve collaboration both within CMS and with our partners. Box has been authorized as a High FISMA categorization, which means it can support the storage of all CMS data types, inclusive of PII/PHI and agency sensitive information. Inviting collaborators through named email addresses of authorized individuals is the preferred method for this collaboration to ensure the confidentiality and integrity of the content being shared.

Contact

If you have questions about this guidance, contact the CISO Team. 

This memorandum does not supersede any requirements of government law, rule, or regulation.

 

CISO Memorandum 21-01: Best Practices and Guidance for the Use of Approved CMS Collaboration Tools

ISPG Publisher Team