Business / System Owner
Resources to help CMS Business and System Owners meet security and privacy requirements for their FISMA systems
As a Business or System Owner (BO/SO) at CMS, you’re focused on the value and functionality of the system(s) that you are responsible for. These systems contain sensitive data – much of it essential to the delivery of critical health services to the American public – so it’s also important that you ensure the safety of that data through compliance activities and a commitment to security and privacy best practices.
In your role as a BO/SO, you work with ISSOs, CRAs, Data Guardians, and other team members to make sure your system is compliant with policies and standards from CMS, HHS, NIST, OMB, and other regulatory bodies. This includes assessing privacy requirements, ensuring that system controls meet ARS standards, and making risk-based decisions to improve the overall security posture of your system.
Business and System Owners are a critical part of FISMA system function and safety at CMS. Our goal is to connect you quickly to the people and resources that can assist you – not only in achieving compliance, but also in promoting a security-first culture at CMS.
- #security-community
- #cyber-risk-management
System Authorization (ATO)
Before a system can operate at CMS, the Business Owner and other stakeholders must test and document the system’s security to demonstrate its compliance with federal requirements. This can be done through a traditional ATO or a newer approach such as Ongoing Authorization.
Top documents and resources
Testing and documenting system security and compliance to gain approval to operate the system at CMS
FISMA is federal legislation that defines a framework of guidelines and security standards to protect government information and operations
ISPG program that provides skilled Information System Security Officers (ISSOs) to CMS components in need of professional security and privacy support
A streamlined risk-based control(s) testing methodology designed to relieve operational burden
Notice provided to the public regarding records maintained by CMS and how those records will be used
Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities
Automated scanning and risk analysis to strengthen the security posture of CMS FISMA systems
Reports and dashboards to help stakeholders of CMS FISMA systems identify risk-reduction activities and protect sensitive data from cyber threats
Business Owners and Privacy Advisors working together to determine the terms of sharing PII with other federal or state agencies