CMS Key Management Handbook
Background
The management and security of cryptographic keys is essential for keeping CMS’s information systems safe and secure. Cryptographic keys help protect sensitive information by ensuring it remains confidential, integrity intact, and available when needed. This guide is designed to help CMS follow best practices for key management, making sure our systems are well-protected and meet important security standards.
Read the CMS ISSO Journal
What is the ISSO Journal?
The ISSO Journal was established to share knowledge among CMS Information System Security Officers (ISSOs) and promote ongoing role-based education. As the publication evolved over time, it now serves the entire CMS cybersecurity community with the latest insights on security and privacy topics. It provides information about cybersecurity trends and developments at CMS to support ISSOs and decision makers alike.
Watch and Learn: System Categorization in CFACTS
Each new CMS FISMA system must define its security categorization based on the Federal Information Processing Standards Publication 199 (FIPS 199). Each system must be reviewed in the following categories:
- Confidentiality
- Integrity
- Availability
During review, each category is assigned a rating of low, moderate, or high impact. The most severe rating from any category becomes the system's overall security categorization.
Template management is changing at ISPG: what you need to know
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS that provides:
The 7 Tenets of Zero Trust for ISSOs and ADOs
As part of their white paper on Zero Trust SP-800-207, NIST identified Seven Tenets that form the foundation of Zero Trust. The Zero Trust Workgroup at CMS has applied these tenets to CMS IT. CMS has many initiatives that support Zero Trust architecture, so engaging with those early can set your project up for a more mature Zero Trust architecture in the future and increase security now.
Zero Trust Maturity Model, Version 2: now with less trust!
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released version two of their Zero Trust Maturity Model (ZTMM). This version incorporates feedback from experts and the community in response to their initial June 2021 draft. CISA has kept its conceptual view of a Zero Trust Architecture (ZTA), incorporating five pillars and three cross-cutting capabilities. However, it has significantly reviewed the functions that build each pillar and capability.
Evaluating Threat Modeling Methodologies
In today's increasingly digital world, cybersecurity has become an essential component of any organization's risk management strategy. Threat modeling is a key technique used by cybersecurity professionals to identify, prioritize, and mitigate potential threats and vulnerabilities in their systems and applications. There are various threat modeling methodologies used in the industry, but three of the most commonly used are STRIDE, DREAD, and PASTA.
CMS Access Control Handbook
Introduction
Access is the ability to make use of any system resource. Access Control (AC) is the process of granting or denying specific requests to:
ISPG will transition away from the Risk Management Handbook
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS.
The new website aims to provide:
CMS Threat Modeling Handbook
Disclaimer: The information and resources in this document are driven directly at and for CMS internal teams and ADOs to help them initiate and complete threat model exercises. While you may be viewing this document as a publicly available resource to anyone, any information excluded as well as context included is meant for CMS-specific audiences.