Risk Management Handbook Chapter 5: Configuration Management (CM)
Introduction
This Handbook outlines procedures to help CMS staff and contractors implement the Configuration Management family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.
RMH Chapter 4: Security Assessment & Authorization
Introduction
This chapter of the Risk Management Handbook (RMH) covers the Security Assessment and Authorization family of controls. It describes procedures that help you meet the security and privacy requirements for this control family. Each procedure is labeled with the associated NIST controls using the control number from the CMS ARS.
Risk Management Handbook Chapter 2: Awareness and Training (AT)
Introduction
This chapter of the Risk Management Handbook (RMH) covers the Awareness and Training (AT) family of controls. It describes procedures that help you meet the security and privacy requirements for this control family. Each procedure is labeled with the associated NIST controls using the control number from the CMS IS2P2.
CMS Privacy Impact Assessment (PIA) Handbook
What is the purpose of a Privacy Impact Assessment (PIA)?
A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information (PII) is collected, used, shared, and maintained. The purpose of a PIA is to demonstrate that system owners have consciously incorporated privacy protections within their systems for information supplied by the public.
CMS Plan of Action and Milestones (POA&M) Handbook
What is a POA&M?
A Plan of Action and Milestones (POA&M) is a corrective action plan that tracks system weaknesses and allows System Owners and ISSOs to create a plan to resolve the identified weaknesses over time. A POA&M provides details about the personnel, technology, and funding required to accomplish the elements of the plan, milestones for correcting the weaknesses, and scheduled completion dates for the milestones.