CMS Guidance for Security and Privacy Policies
Last Reviewed: 12/18/2025
CMS provides guidance for staff and contractors as they work through security and privacy requirements for information systems. The policy guidance provided here can assist Business Owners, ISSOs, and system teams to ensure compliance with the CMS ARS and IS2P2.
Understanding policies and guidance
At the Centers for Medicare & Medicaid Services (CMS), we have several kinds of policy and guidance for the Information Security and Privacy Program. Each serves a different purpose.
Policies and standards are enterprise-level directives and the requirements for how directives must be implemented. Our policies and standards are the CMS Information System Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).
Program plans explain how the high-level security and privacy programs at CMS uphold the policies and standards. The program plans provide a strategic roadmap for all security and privacy activities. Our program plans include the Privacy Program Plan and the CMS Cyber Risk Management Plan (CRMP).
Procedural guidance is the practical advice for how to implement the requirements of the policies, standards, and program plans. Procedural guidance can be found throughout CyberGeek (security.cms.gov) in the form of informational guides, explainer pages, and other resources.
All of the resources on CyberGeek work together to provide a holistic view of information security and privacy at CMS. All our requirements and programs are interconnected and should be viewed as part of a single, unified strategy to safeguard the data entrusted to CMS by the American people.
Authority of CyberGeek guidance information
The information on CyberGeek is provided as reliable guidance approved by the CMS Chief Information Security Officer (CISO), who is responsible for implementing the agency-wide information security program. The guidance on CyberGeek supports the policies and standards that CMS uses to meet requirements from higher-level authorities and laws such as HHS, NIST, FISMA, and HIPAA.
The information on CyberGeek does not supersede any applicable laws, existing labor management agreements, or higher-level agency directives or other governance documents. To learn more about the authorities, directives, and laws that govern the CMS security and privacy program, see the CMS Information Security and Privacy Policy (IS2P2).
Retirement of the RMH
The CMS Risk Management Handbook (RMH) was a series of procedural guides to support cybersecurity policies and standards, mapped to specific control families in the CMS ARS. The RMH was our primary form of procedural guidance before CyberGeek was established as the authoritative resource for CMS security and privacy information.
Now, the RMH chapters are being replaced by informational guides that provide a more flexible and risk-based approach to fulfilling ARS requirements. The guides can be used by CMS Business Owners, Security and Privacy Officers, and application teams as they implement controls to safeguard CMS information and systems.
Informational guides
Use the links below to access the latest guidance pages, which are being published as the RMH chapters are retired and replaced.
- AC - Access Control (AC)
- AU - Audit and Accountability (AU)
- AT - RMH Chapter 2: Awareness and Training (AT)
- CA - RMH Chapter 4: Assessment and Authorization (CA)
- CM - Configuration Management (CM)
- CP - CMS Information System Contingency Plan (ISCP) Handbook
- IA - Identification and Authentication (IA)
- IR - RMH Chapter 8: Incident Response (IR)
- MA - Maintenance (MA)
- MP - Media Protection (MP)
- PE - Physical and Environmental Protection (PE)
- PL - RMH Chapter 12: Security and Privacy Planning (PL)
- PM - Refer to NIST SP 800-53 Rev. 5 and NIST SP 800-53A Rev. 5 for guidance on Program Management
- PS - Personnel Security (PS)
- RA - Risk Assessment (RA)
- SA - RMH Chapter 15: System and Services Acquisition (SA)
- SC - RMH Chapter 16: System and Communications Protection (SC)
- SI - System and Information Integrity (SI)