The Information Security and Privacy Group (ISPG) has updated the Acceptable Risk Safeguards (ARS) from ARS 5.01 to ARS 5.1. While this may seem like a major change that will impact how you manage your FISMA system, the changes are minor and should not impact your current system management practices.
Why was this change made?
All past and current versions of the ARS correspond with guidance from the National Institute of Standards and Technology (NIST), specifically NIST SP 800-53. Prior to ARS 5.1, ISPG chose to reword the original control text provided by NIST to meet internal CMS requirements. This led to confusion for many System/Business Owners and ISSOs as they managed their systems and controls.
As a result, we have updated the language of ARS 5.1 to match the NIST SP 800-53r5 control statements, with the addition of CMS organizationally-defined parameters. This change allows better correlation between NIST publications and the ARS, taking the guesswork out of deciphering what a control might mean.
Additionally, it’s important that CMS internal procedures match the goals outlined for our organization. The maturation of our security and privacy programs is a top priority, so it’s important that our control catalog is maintained in an Open Security Controls Assessment Language (OSCAL) format. This allows for more automation and integration for modern tools and services for all CMS FISMA systems.
What does this change mean for me?
Overall, this change does not impact the control requirements, only the wording of the controls. There are, however, 23 controls that have minor modifications to the elements. These modifications are:
| Control | ARS 5.01 elements | ARS 5.1 elements |
|---|---|---|
| AC-02(3) | a & b | a, b, c & d |
| AC-02(13) | a & b | a |
| AC-17 | a, b & c | a & b |
| AT-04 | a, b & c | a & b |
| CM-03(7) | a & b | a |
| CM-07(2) | a, b & c | a |
| CP-02 | a, b, c, d, e, f & g | a, b, c, d, e, f, g & h |
| CP-03 | a, b & c | a & b |
| IA-5 | a, b, c, d, e, f, g, h, i, j & k | a, b, c, d, e, f, g, h & i |
| IR-08 | a, b, c, d, e & f | a, b, c, d & e |
| MP-06(3) | a, b, c & d | a |
| PL-04 | a, b, c, d, e, f & g | a, b, c & d |
| PL-08 | a, b, c & d | a, b & c |
| PM-01 | a, b, c & d | a, b & c |
| PS-02 | a, b, c, d & e | a, b & c |
| PS-03 | a, b, c, d & e | a & b |
| PS-04 | a, b, c, d, e, f & g | a, b, c, d & e |
| SA-08 | a, b & c | a |
| SA-15(3) | a | a & b |
| SC-10 | a & b | a |
| SR-04(2) | a & b | a |
| SR-5 | a & b | a |
| SR-11(2) | a & b | a |
In addition to the changes listed in the chart above, users will notice that the responsibility and implementation details columns have been removed from ARS 5.1. We found this information was leading to confusion. System teams should review the controls that are provided by their upstream control providers and determine which controls are applicable to the security and privacy of their systems. As for the implementation details section, the expectation is that systems will meet the minimum security control requirements as they apply to the system.
What if I have questions?
If you have questions about the ARS 5.1 transition or concerns about the implementation of a control for your system, please reach out to the Policy Team on CMS Slack in the #ars-feedback channel.
A detailed explanation from the Policy Team outlining the changes System Teams will see in ARS 5.1 and their implications for FISMA Systems at CMS