CMS Access Control Handbook
Introduction
Access is the ability to make use of any system resource. Access Control (AC) is the process of granting or denying specific requests to:
ISPG will transition away from the Risk Management Handbook
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS.
The new website aims to provide:
Welcome to ISPG CyberGeek
We’d like to welcome you to the brand-new CyberGeek! CyberGeek was designed by the CMS Information Security and Privacy Group (ISPG) to offer their customers a one-stop resource for information about security, privacy, and compliance. CyberGeek will:
CMS Cyber Risk Management Plan (CRMP)
Introduction
The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy.
Executive Order on Improving the Nation’s Cybersecurity: What it means for you
What is the Executive Order?
The Executive Order on Improving the Nation's Cybersecurity (Executive Order 14028) is an important step forward in protecting Americans from cyber threats. The order, signed by President Biden on May 11, 2021, focuses on strengthening the cybersecurity of the federal government, critical infrastructure, and the private sector.
Zero Trust: what you need to know
Zero Trust is a cybersecurity model that offers protection for CMS systems, employees and beneficiaries through continuous validation at every stage of a digital interaction.
As CMS continues to modernize its systems and practices, the agency is implementing Zero Trust and its strong authentication methods, network segmentation, threat prevention, and “least access” policies to benefit everyone.
CMS Privacy Program Plan
Privacy program at CMS
Use and disclosure
As authorized by statute, regulation, or Executive Order, CMS conducts activities involving the collection, use, and disclosure of Protected Health Information (PHI) and Personally Identifiable Information (PII). CMS collects, uses, and discloses PII/PHI for payment and health care operations if and only if CMS can identify a statute or Executive Order that provides CMS with the authority for that action.
Transition from ARS 3.1 to 5.0: what you need to know
As CMS has transitioned from ARS 3.1 to ARS 5.0, there have been many questions about the implications of the transition. What does it mean for your system? How does it impact your current controls? What steps are being taken at CMS to ensure compliance?
ISPG’s response to the new National Cybersecurity Strategy for 2023
What is the National Cybersecurity Strategy?
The Biden-Harris Administration released a National Cybersecurity Strategy in March 2023, which outlines their vision for a secure and resilient digital environment for the United States.