CMS Media Protection (MP) Handbook
What is Media Protection (MP)?
Media Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.
What the IS2P2's new Rapid Cloud Review (RCR) requirement means for you
When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process.
If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement.
CMS Information System Contingency Plan (ISCP) Handbook
What is an Information System Contingency Plan?
Contingency planning at the Center for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An Information System Contingency Plan (ISCP) is the cornerstone document of contingency planning, and every CMS system must have one in place.
New IS2P2 updates: What you need to know
The ISPG Policy team regularly revisits the CMS Information Systems Security & Privacy Policy (IS2P2) to incorporate new information, update language, and keep the document up to date.
The most recent revisions came out in June 2024. We’ve called out and clearly identified the six big changes so you can quickly and easily understand what’s new and how it might affect your work.
List of updates
The IS2P2 updates address several gaps:
Introducing the CMS Guide to Federal Laws, Regulations, and Policies
Background
Many federal laws, regulations, and policies play a pivotal role in managing security and privacy within CMS. They shape governance and compliance standards and are crucial in defining how security and privacy are upheld across the organization.
Public if possible: ISPG’s commitment to customers
Why is the ISPG website (CyberGeek) open to the public?
When we set out to provide one authoritative home for CMS security and privacy information, ISPG leadership decided to make this information “public if possible”. That means instead of putting things behind a CMS login barrier by default, we go through a careful process to determine whether the information can safely be made public. If so, it is published here on our website. There are many benefits to this approach:
The CMS Information Security and Privacy Library is retired: 3 things to do now
The Information Security and Privacy Group (ISPG) has a new website — known as “CyberGeek” — that is now your first stop for security and privacy information! Visit CyberGeek at security.cms.gov to learn about the policies, programs, and tools that help keep CMS information and systems safe.
CMS Guide to Federal Laws, Regulations, and Policies
There are federal laws, regulations, and policies outside of CMS that shape how security and privacy is managed inside CMS. This page contains a comprehensive list of these external requirements, and shows how they relate to the security and privacy policies and guidance at CMS.
DISCLAIMER: