CMS Cybersecurity and Privacy Training Handbook
Introduction
At CMS, we prioritize the security of our data, systems, and your work environment. Every person here is part of our effort to keep CMS information and beneficiary data safe. Security and privacy are everyone's job. Being aware of cyber threats is an ongoing responsibility that we all share.
CMS Guide to Federal Laws, Regulations, and Policies
There are federal laws, regulations, and policies outside of CMS that shape how security and privacy are managed inside CMS. This page contains a comprehensive list of these external requirements and shows how they relate to the security and privacy policies and guidance at CMS.
DISCLAIMER:
CMS Key Management Handbook
Background
This handbook aligns with the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-57 series, the CMS IS2P2, and the CMS Acceptable Risk Safeguards (ARS).
CMS Access Control Handbook
Introduction
Access is the ability to make use of any system resource. Access Control (AC) is the process of granting or denying specific requests to:
CMS Threat Modeling Handbook
Disclaimer: The information and resources in this document are directed at CMS internal teams and ADOs to help them initiate and complete threat model exercises. Although this document is publicly available, both the information excluded and the context included are intended for CMS-specific audiences.
CMS Information System Contingency Plan (ISCP) Exercise Handbook
Contingency Planning at CMS
Contingency planning at the Centers for Medicare & Medicaid Services (CMS) is essential for protecting the organization from potential risks and ensuring the continuity of its operations. An Information System Contingency Plan (ISCP) is the cornerstone document of contingency planning for information systems, and every CMS FISMA system must have one in place.
Data Guardian Handbook
CMS Beneficiary Data Protection Initiative (BDPI)
CMS created the Beneficiary Data Protection Initiative (BDPI) in July 2015 in response to public breach events. CMS' BDPI is managed by the Information Security and Privacy Group (ISPG), Division of Security and Privacy Compliance (DSPC), and provides information security and privacy training and education for all employees and contractors. Its key principles are:
CMS Breach Analysis Team (BAT) Handbook
Introduction
Whenever there is an incident that has potentially compromised the security or privacy of CMS information or information systems, it is investigated by the Incident Management Team (IMT). They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach.
CMS Breach Response Handbook
Introduction
This handbook defines actions that must be taken in response to a suspected breach of Personally Identifiable Information (PII) / Protected Health Information (PHI) / Federal Tax Information (FTI) at the CMS to meet federal requirements for breach response. The handbook includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from HHS and other authorities.
RMH Chapter 16: System & Communications Protection
Introduction
The Risk Management Handbook Chapter 16: System and Communications Protection (SC) focuses on how the organization must: monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems.