CMS Information Systems Security & Privacy Policy (IS2P2)
Purpose
As required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this Policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.
HHS Policy for Rules of Behavior for Use of Information & IT Resources
1. Nature of Changes
Version 1.0: released July 2013. First issuance of policy.
Version 2.0: released December 2016. Added new statements to:
CMS Acceptable Risk Safeguards (ARS)
Access the ARS
Current version of the ARS:
About the ARS
The Centers for Medicare & Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides the standard to CMS and its contractors as to the minimum acceptable level of required security and privacy controls.
RMH Chapter 16: System & Communications Protection
Introduction
The Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must: monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems.