CMS Policy & Guidance | ISPG CyberGeek

CMS Guide to Federal Laws, Regulations, and Policies

Read more about CMS Guide to Federal Laws, Regulations, and Policies

There are federal laws, regulations, and policies outside of CMS that shape how security and privacy is managed inside CMS. This page contains a comprehensive list of these external requirements, and shows how they relate to the security and privacy policies and guidance at CMS.

DISCLAIMER:

CMS Governance, Risk, and Compliance (GRC)

Read more about CMS Governance, Risk, and Compliance (GRC)

CMS Technical Reference Architecture (TRA)

Read more about CMS Technical Reference Architecture (TRA)

CMS Key Management Handbook

Read more about CMS Key Management Handbook

Background

This handbook aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57 series, the CMS IS2P2, and the CMS Acceptable Risk Safeguards (ARS).

Template management is changing at ISPG: what you need to know

Read more about Template management is changing at ISPG: what you need to know

The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS that provides:

The 7 Tenets of Zero Trust for ISSOs and ADOs

Read more about The 7 Tenets of Zero Trust for ISSOs and ADOs

As part of their white paper on Zero Trust SP-800-207, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.

CMS Access Control Handbook

Read more about CMS Access Control Handbook

Introduction

Access is the ability to make use of any system resource. Access Control (AC) is the process of granting or denying specific requests to:

ISPG will transition away from the Risk Management Handbook

Read more about ISPG will transition away from the Risk Management Handbook

The new website aims to provide:

What the transition to ARS 5.1 means for you

Read more about What the transition to ARS 5.1 means for you

The Information Security and Privacy Group (ISPG) has updated the Acceptable Risk Safeguards (ARS) from ARS 5.01 to ARS 5.1. While this may seem like a major change that will impact how you manage your FISMA system, the changes are minor and should not impact your current system management practices.

Security and Privacy Requirements for IT Procurements

Read more about Security and Privacy Requirements for IT Procurements

Subscribe to CMS Policy & Guidance