CMS Acceptable Risk Safeguards (ARS)
Access the ARS
Current version of the ARS:
About the ARS
The Centers for Medicare & Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) sets the standard for CMS and its contractors on the minimum acceptable level of required security and privacy controls.
CMS Breach Response Handbook
Introduction
This handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax Information (FTI) at CMS to meet federal requirements for breach response. The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.
RMH Chapter 16: System & Communications Protection
Introduction
The Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must: monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems.
Risk Management Handbook Chapter 15: System & Services Acquisition
Introduction
The Risk Management Handbook Chapter 15, System and Services Acquisition, discusses how the organization must:
Risk Management Handbook Chapter 14: Risk Assessment (RA)
Introduction
The Centers for Medicare & Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 14: Risk Assessment provides the procedures for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS). This document describes procedures that facilitate the implementation of security controls associated with the Risk Assessment (RA) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 14.