Risk Management Handbook Chapter 2: Awareness and Training (AT)
Introduction
This chapter of the Risk Management Handbook (RMH) covers the Awareness and Training (AT) family of controls. It describes procedures that help you meet the security and privacy requirements for this control family. Each procedure is labeled with the associated NIST controls using the control number from the CMS IS2P2.
CMS Privacy Impact Assessment (PIA) Handbook
What is the purpose of a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.
CMS Plan of Action and Milestones (POA&M) Handbook
What is a POA&M?
A Plan of Action and Milestones (POA&M) is a corrective action plan that tracks system weaknesses and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA&M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.
CISO Memo: Guidance for using collaborative tools
Purpose
This Memorandum informs CMS stakeholders of the best practices and security guidance for handling Personally Identifiable Information / Personal Health Information (PII / PHI) and agency sensitive information when using CMS approved collaboration tools, specifically Zoom/WebEx and Box.
CISO Memo: Implementing the updated HHS POA&M standard
This memo is rescinded as of January 3, 2022 with the publication of ARS 5.0 and its updates to the CMS POA&M standards, which align with the HHS POA&M standards.
The original memo is provided below for historical reference only.
CISO Memo: Changes to the Access Control (AC) Account Management Standard
This memo is rescinded as of January 3, 2022 with the publication of ARS 5.0 and its updates to the Access Control Family (AC)-02 Account Management Standard.
The original memo is provided below for historical reference only.