Federal Policies and Guidance

Information about the federal agencies, laws, and policies that govern security and privacy activities at CMS

Contact: ISPG Policy Team | CISO@cms.hhs.gov

At ISPG, our work to protect the security and privacy of CMS end users is directly influenced by several federal sources. Laws passed by Congress, Executive Orders from the White House, and regulations from other federal agencies must be referenced regularly to ensure that we're operating effectively. These federal policies impact how we manage FISMA systems, what tools we use, how we protect personal information, and the steps we take to keep our systems compliant.

As our government continues to modernize its systems and change the way it does business, it's important for CMS staff and contractors to stay updated with the latest federal policies and guidance, provided below.

For a handy reference guide to the specific federal laws that shape security and privacy at CMS, check out the CMS Guide to Federal Laws, Regulations, and Policies -- a centralized repository you can reference anytime in your compliance-related work.

CMS Slack Channel

#ispg-sec_privacy-policy
#cms_fed_laws_policies

HHS OCIO policies

The majority of information security and privacy policies at CMS originate from the Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO). You can access these policies at the link below if you are logged into the CMS/HHS intranet.

See security & privacy policies from HHS

Information System Security Officer (ISSO)

Data Guardian

Cyber Risk Advisor (CRA)

Business / System Owner (BO/SO)

Authorization to Operate (ATO)

Ongoing Authorization (OA)

Assessments & Audits

CMS Policies and Guidance