Audit and Accountability (AU) Handbook
Introduction
Audit and accountability (AU) controls at CMS ensure compliance, data security, and individual accountability.
These AU controls monitor, investigate, and document system activity, supporting event analysis, anomaly detection, and prevention of future incidents.
Framework and Compliance
CMS’s audit and accountability practices follow federal guidelines, including:
New handbook: Media Protection (MP)
Why we have an MP policy
The ISPG Policy team published the new Media Protection (MP) Handbook early in September 2024.
Media Protection exists to protect media within an organization, and the definition of media is fairly broad: all physical devices, writing surfaces, and communication channels that include storage capabilities. Whether the communication is digital or in print and on paper, the MP policy covers proper handling and governance.
CFACTS UI Changes: Get a sneak peek of the new RMF layout
This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.
We are giving a sneak peek starting on 11/1/2024 for users to check out the new changes, suggest any modifications, and become familiar with the new layout. You can see the new and improved layout in the implementation environment.
New handbook: Information System Contingency Plan (ISCP)
Goodbye RMH chapter 6, hello ISCP Handbook
Late in July 2024, the ISPG Policy team published a new handbook: the CMS Information System Contingency Plan (ISCP) Handbook.
CFACTS UI Changes: Current and new comparison
This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.
CMS Media Protection (MP) Handbook
What is Media Protection (MP)?
Media Protection (MP) is the safeguarding of media within an organization. The term “media” broadly refers to physical devices or writing surfaces. This includes all channels of communication with storage capabilities — everything from printed paper to digital data onto which information is recorded, stored, or printed within an information system.
CFACTS UI Changes: What’s changing?
This blog is part of a series of updates about the changes coming to the CFACTS application. The UI is being revised to better reflect the RMF (Risk Management Framework) process. We will be posting updates regularly to help you navigate this transition.
What the IS2P2's new Rapid Cloud Review (RCR) requirement means for you
When the Policy team updated the IS2P2 in June 2024, one big change came from a clarification about requirements for cloud service implementation at CMS. Now, all SaaS products used at CMS that do not have FedRAMP authorization must go through a Rapid Cloud Review (RCR) process.
If your SaaS product is currently FedRAMP authorized, you don't need to do anything more — you have satisfied the new requirement.
CMS Information System Contingency Plan (ISCP) Handbook
What is an Information System Contingency Plan?
Contingency planning at the Center for Medicare and Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An Information System Contingency Plan (ISCP) is the cornerstone document of contingency planning, and every CMS system must have one in place.