CMS Cyber Risk Management Plan (CRMP)
Introduction
The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy.
CMS Privacy Program Plan
Privacy program at CMS
Use and disclosure
As authorized by statute, regulation, or Executive Order, CMS conducts activities involving the collection, use, and disclosure of Protected Health Information (PHI) and Personally Identifiable Information (PII). CMS collects, uses, and discloses PII/PHI for payment and health care operations if and only if CMS can identify a statute or Executive Order that provides CMS with the authority for that action.
CMS Information Systems Security & Privacy Policy (IS2P2)
Purpose
As required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this Policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.
HHS Policy for Rules of Behavior for Use of Information & IT Resources
1. Nature of Changes
Version 1.0: released July 2013. First issuance of policy.
Version 2.0: released December 2016. Added new statements to:
CMS Acceptable Risk Safeguards (ARS)
Access the ARS
Current version of the ARS:
About the ARS
The Centers for Medicare & Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides CMS and its contractors with the standard for the minimum acceptable level of required security and privacy controls.