Zero Trust Maturity Model, Version 2: now with less trust!
In April 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released version two of their Zero Trust Maturity Model (ZTMM). This version incorporates feedback from experts and the community in response to their initial June 2021 draft. CISA has kept its conceptual view of a Zero Trust Architecture (ZTA), incorporating five pillars and three cross-cutting capabilities. However, it has significantly reviewed the functions that build each pillar and capability.
Evaluating Threat Modeling Methodologies
In today's increasingly digital world, cybersecurity has become an essential component of any organization's risk management strategy. Threat modeling is a key technique used by cybersecurity professionals to identify, prioritize, and mitigate potential threats and vulnerabilities in their systems and applications. There are various threat modeling methodologies used in the industry, but three of the most commonly used are STRIDE, DREAD, and PASTA.
CMS Access Control Handbook
Introduction
Access is the ability to make use of any system resource. Access Control (AC) is the process of granting or denying specific requests to:
ISPG will transition away from the Risk Management Handbook
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS.
The new website aims to provide:
CMS Threat Modeling Handbook
Disclaimer: The information and resources in this document are driven directly at and for CMS internal teams and ADOs to help them initiate and complete threat model exercises. While you may be viewing this document as a publicly available resource to anyone, any information excluded as well as context included is meant for CMS-specific audiences.
What the transition to ARS 5.1 means for you
The Information Security and Privacy Group (ISPG) has updated the Acceptable Risk Safeguards (ARS) from ARS 5.01 to ARS 5.1. While this may seem like a major change that will impact how you manage your FISMA system, the changes are minor and should not impact your current system management practices.
CMS Cybersecurity Integration Center (CCIC) Red Team Engagements
In today's digital landscape, organizations face an ever-evolving array of cyber threats that can compromise their critical data assets. As technology advances, so do the tactics employed by malicious actors seeking to infiltrate networks, steal sensitive information, and cause damage. To counter these threats, it is crucial for organizations to assess their security posture comprehensively and proactively. This is where the Red Team Engagements come into play.
Welcome to ISPG CyberGeek
We’d like to welcome you to the brand-new CyberGeek! CyberGeek was designed by the CMS Information Security and Privacy Group (ISPG) to offer their customers a one-stop resource for information about security, privacy, and compliance. CyberGeek will:
CMS Cyber Risk Management Plan (CRMP)
Introduction
The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy.