Policy Documents

Physical & Environmental Protection (PE)

Understanding Physical and Environmental Protection (PE)

The Physical and Environmental (PE) control family explains how CMS must protect information systems by limiting who can physically access them, their equipment, and the environments where they operate. It also covers the need to protect the buildings and infrastructure that support these systems, ensure necessary utilities are available, and safeguard the systems from environmental dangers.

RM Guidelines for the Risk Assessment Control (RA)

Risk Assessment (RA) Informational Guide 

Risk Assessment is the process of evaluating an organization's defense mechanisms against potential threats: identifying vulnerabilities, estimating or analyzing the likelihood and impact of potential threats, and prioritizing the risks to organizational operations (i.e., mission, functions, image and reputation), organizational assets, and individuals that result from operating its information systems and from the associated processing, storage, or transmission of information by those systems.

System and Information Integrity (SI)

What is System and Information Integrity (SI)?

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. The integrity of an information system means the data within it is complete and trustworthy and has not been modified or accidentally altered by an unauthorized user.

CMS Cyber Risk Management Plan (CRMP)

Introduction

The Centers for Medicare & Medicaid Services (CMS) operates information technology (IT) systems that process personally identifiable information (PII) of more than 140 million Americans. The CMS Information Security and Privacy Group (ISPG) is responsible for defining the overarching strategy for managing risk associated with the operation of these information systems. This CMS Cyber Risk Management Plan (CRMP) outlines that strategy.

CMS Privacy Program Plan

Privacy program at CMS

Use and disclosure

As authorized by statute, regulation, or Executive Order, CMS conducts activities involving the collection, use, and disclosure of Protected Health Information (PHI) and Personally Identifiable Information (PII). CMS collects, uses, and discloses PII/PHI for payment and health care operations if and only if CMS can identify a statute or Executive Order that provides CMS with the authority for that action.

CMS Information Systems Security & Privacy Policy (IS2P2)

Purpose

As required under the Federal Information Security Modernization Act (FISMA) of 2014 (44 U.S.C. Chapter 35), and in compliance with the updated requirements of the National Institute of Standards and Technology's (NIST) Special Publications (SP) 800-53, Revision 5, and other federal requirements, this Policy defines the framework for protecting and controlling the confidentiality, integrity, and availability of CMS information and information systems.