Welcome to CMS CyberGeek
Security and privacy compliance for CMS systems
CyberGeek is a library of policies and resources for information security and privacy at the Centers for Medicare & Medicaid Services.
New Users
Learn what you'll find here and get oriented to CMS cybersecurity.
What's New
The latest information on security programs, tools, and policies.
Essential Pages
Go-to resources for keeping CMS systems and information safe.
Explore CyberGeek topics
Application Security
Programs and tools that support information and system security in the development of applications at CMS
CMS Policies & Guidance
CMS policies, guidance, and procedures that support security and privacy for FISMA systems
Federal Policies & Guidance
Federal agencies, laws, and policies that govern security and privacy activities at CMS
Privacy
Policies and programs that support the protection of sensitive information entrusted to CMS by beneficiaries and healthcare providers
Risk Management & Reporting
Programs and tools that support the continuous assessment and mitigation of potential security and privacy risks to CMS information and systems
Security Operations
Programs and tools that ensure the security of CMS data through incident response, change management, and continuous risk assessment
System Authorization
Testing and documenting of security compliance requirements for FISMA systems at CMS, so they can be authorized to operate
Training & Awareness
Required training at CMS to ensure that federal staff and contractors have the security and privacy knowledge and skills needed for their role
DID YOU KNOW?
Announcing the CMS Zero Trust Forge
There's a new tool for supporting Privileged Access Management (PAM) and improving Zero Trust maturity for CMS systems.
CMS CYBERSECURITY ROLES
Resources and updates specific to your role
CMS Risk Management Framework
Prepare
The Prepare Step sets the foundation for managing security and privacy risks by establishing roles, strategies, and assessments at all organizational levels. It ensures CMS is ready to implement the RMF effectively.
Categorize
In the Categorize Step, information systems are categorized into impact levels (Low, Moderate, High, HVA) based on the potential adverse impact should an incident occur. This categorization sets the foundation for selecting appropriate security controls.
Select
In the Select Step, security controls are selected and tailored based on the system's needs and risk profile. The controls are documented in the System Security and Privacy Plan (SSPP).
Implement
In the Implement Step, the selected security controls are applied to the system and tested to ensure they function properly. The System Security and Privacy Plan (SSPP) is updated to reflect any changes.
Assess
The Assess Step checks whether the security and privacy controls are implemented correctly and work as intended. It includes planning, testing, and documenting results to inform risk decisions and support system authorization.
Authorize
In the Authorize Step, a senior official reviews the security assessment results to decide whether the system meets its requirements. Based on the risk, they grant or deny an Authorization to Operate (ATO).
Monitor
The Monitor Step keeps systems secure through continuous monitoring, risk response, and reporting. Stakeholders must assess controls, track changes, manage POA&Ms, and consider ongoing system authorization.