What the IS2P2's new Rapid Cloud Review (RCR) requirement means for you
When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process.
If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement.
New IS2P2 updates: What you need to know
The ISPG Policy team regularly revisits the CMS Information Systems Security & Privacy Policy (IS2P2) to incorporate new information, update language, and keep the document up to date.
The most recent revisions came out in June 2024. We’ve called out and clearly identified the six big changes so you can quickly and easily understand what’s new and how it might affect your work.
List of updates
The IS2P2 updates address several gaps:
CFACTS Cloud migration update: Say hello to CFACTS-Cloud!
The CFACTS application is migrating to AWS cloud for better performance and efficiency. The updated system is known as CFACTS-Cloud. We will be posting updates regularly to help you navigate this transition.
The migration to AWS cloud is now complete. Here’s what you need to know about the new link and authentication flow for this new environment.
Introducing the CMS Guide to Federal Laws, Regulations, and Policies
Background
Many federal laws, regulations, and policies play a pivotal role in managing security and privacy within CMS. They shape governance and compliance standards and are crucial in defining how security and privacy are upheld across the organization.
Cyber360: An online event series to help you stay cyber secure
What is Cyber360?
In an era dominated by digital advancements, the importance of cybersecurity has skyrocketed. To meet this critical need, the Information Security and Privacy Group is excited to present the Cyber360 event series. This series, running from April through October, is designed to cover a wide range of cybersecurity topics, with each month focusing on a different theme to ensure participants gain a comprehensive understanding of digital safety.
What to expect from Cyber360
April: Staying safe online
Embracing Change: Transitioning from ACT to CSRAP in 2024
The future of ACT (now CSRAP)
As we stand on the threshold of 2024, it's imperative to reflect on the accomplishments of the past year and anticipate the evolution of our cybersecurity efforts.
The CMS Information Security and Privacy Library is retired: 3 things to do now
The Information Security and Privacy Group (ISPG) has a new website — known as “CyberGeek” — that is now your first stop for security and privacy information! Visit CyberGeek at security.cms.gov to learn about the policies, programs, and tools that help keep CMS information and systems safe.
Template management is changing at ISPG: what you need to know
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single source of truth for security and privacy at CMS that provides:
ISPG will transition away from the Risk Management Handbook
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single source of truth for security and privacy at CMS.
The new website aims to provide:
What the transition to ARS 5.1 means for you
The Information Security and Privacy Group (ISPG) has updated the Acceptable Risk Safeguards (ARS) from ARS 5.01 to ARS 5.1. While this may seem like a major change that will impact how you manage your FISMA system, the changes are minor and should not impact your current system management practices.