CMS Policies and Guidance
Overview
As CMS works to improve healthcare for millions of Americans, its information security and privacy policies ensure that sensitive data is protected. CMS Policies and Guidance are how CMS implements requirements set by higher-level authorities such as HHS and NIST and by federal law such as FISMA.
The policy and guidance pages found on this site are approved by the CMS Chief Information Security Officer (CISO), and are regularly reviewed to ensure accuracy. Updates or changes are posted to the blog. If you have a question about security policy at CMS, contact the ISPG Policy team.
All resources in CMS Policies and Guidance
General Information
- About
- Acronyms
- CMS Enterprise Data Encryption (CEDE)
- CMS Governance, Risk, and Compliance (GRC)
- CMS Information Exchange Agreement (IEA)
- CMS Interconnection Security Agreement (ISA)
- CMS Risk Management Framework (RMF)
- CMS Security and Privacy Handbooks
- CMS Technical Reference Architecture (TRA)
- Email Encryption Requirements at CMS
- ISSO Appointment Letter
- Password Requirements
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security and Privacy Requirements for IT Procurements
- System Audits
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Cyber Risk Management Plan (CRMP)
- CMS Guide to Federal Laws, Regulations, and Policies
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Plan of Action and Milestones (POA&M) Handbook
- CMS Privacy Program Plan
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Configuration Management (CM)
- Identification and Authentication (IA)
- Information System Contingency Plan (ISCP) Exercise Handbook
- Information System Contingency Plan (ISCP) Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Assessment (RA)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- Risk Management Handbook Chapter 8: Incident Response (IR)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- System and Information Integrity (SI)
Latest articles and updates
- 8/18/2025, Articles, from Zero Trust
Privileged Access Management (PAM) at CMS
Least privilege is critical to securely managing privileged access to data. CMS ADOs should apply privileged access management (PAM) to both human and non-human accounts.
- 7/16/2025, Updates, from Policy
CISO Memo 25-01: Updates for collaboration tools
CISO Memorandum 25-01: Updated Best Practices and Guidance for the Use of Approved CMS Collaboration Tools
- 8/29/2024, Updates, from SaaS Governance
What the IS2P2's new Rapid Cloud Review (RCR) requirement means for you
As of June 2024, if you're using SaaS products that are not FedRAMP authorized, you need to go through the RCR process. Here's how, and why.