CMS Interconnection Security Agreement (ISA)
Defining the relationship between CMS information systems and external systems
- #ispg-privacy-agreement-consults
What is an Interconnection Security Agreement (ISA)?
An Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.
In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.
ISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.
Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. All CMS ISAs are based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47 Rev. 1, Managing the Security of Information Exchanges, which superseded the original SP 800-47, Security Guide for Interconnecting Information Technology Systems.
Interconnection Security Agreement (ISA) Template
ISAs require the use of the Interconnection Security Agreement (ISA) Template. The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.
The CMS and <Insert Non-CMS Organization Name> ISA Review Log, provided below, is maintained to record the annual reviews of this ISA.
ISA review log
Date of Review | Initials of Reviewer | Name of Reviewer | Organization of Reviewer | ISA Version |
---|---|---|---|---|
<insert Date of the review> | <insert Initials of the reviewer> | <insert Staff name of the reviewer> | <insert staff reviewer's organization> | <insert ISA Version reviewed> |
Purpose
The purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare & Medicaid Services (CMS) and <Insert Non-CMS Organization Name> hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ <Insert CMS' Network Name & Acronym>, hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”
- “Information” is defined as “any knowledge that can be communicated or documentary material, regardless of its physical form or characteristics, that is owned by, produced by or for, or is under the control of the United States Government.” (Executive Order 12958)
- “Network interconnection” is defined as “the direct connection of two or more IT networks for the purpose of sharing data and other information resources.” (This is based on the definition of system interconnection in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)
- “Adequate security” is defined as “a level of security that is commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information.” (Office of Management and Budget (OMB) Circular A-130)
Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the National Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems (Special Publication (SP) 800-47). NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.
The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. It also authorizes mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks. Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.
CMS Background
CMS
As an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.
CMS Information Security Program
The CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources. The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations. CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes. Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.
CMS Roles and Responsibilities
CMS Chief Information Officer (CIO)
The CMS CIO is responsible for the overall implementation and administration of the CMS Information Security Program.
CMS Chief Information Security Officer (CISO)
The CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.
CMS Information System Security Officer (ISSO)
The CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.
CMS Business Owners (BO)
The CMS Business Owner (BO) is responsible for the management and oversight of the <Insert CMS information system name & acronym> hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to <Insert CMS information system name & acronym>.
Non-CMS Organization
<Insert background information about Organization B, including a brief description of the organization and its mission>
IT Security Program
<Insert a brief description of the Organization IS program>
Roles and Responsibilities
<Insert a brief description of each role and associated responsibilities of the Non-CMS Organization that are equivalent to the CMS roles and responsible for implementing IT and IS policies, procedures, and tools that support CIA.>
(ROLE)
<Insert roles and responsibilities>
(ROLE)
<Insert roles and responsibilities>
(ROLE)
<Insert roles and responsibilities>
Scope
The scope of this ISA includes, but is not limited to, the following:
- Interconnection between CMS information system and the Non-CMS Organization.
- Existing and future users including employees from both parties; contractors and subcontractors at any tier; and other federally and non-federally-funded users managing, engineering, accessing, or utilizing the Non-CMS Organization Network.
- Related network components belonging to both parties, such as hosts, routers, and switches; IT devices that assist in managing security such as firewalls, intrusion detection systems (IDS), and vulnerability scanning tools; desktop workstations; servers; and major applications (MA) that are associated with the network connection between both parties.
Authority
By interconnecting with the CMS network and CMS information system, the Non-CMS Organization agrees to be bound by this ISA and to use the CMS Network and CMS information system in compliance with it.
The authority for this ISA is based on, but not limited to, the following:
- Federal Information Security Management Act of 2002 (FISMA), as amended by the Federal Information Security Modernization Act of 2014;
- OMB Circular A-130, Appendix III, Security of Federal Automated Information Systems;
- 18 U.S.C. § 641, Criminal Code: Public Money, Property or Records;
- 18 U.S.C. § 1905, Criminal Code: Disclosure of Confidential Information;
- Privacy Act of 1974, 5 U.S.C. § 552a; and
- Health Insurance Portability and Accountability Act (HIPAA) of 1996 P.L. 104-191 (only if there is an exchange of PHI)
This ISA is also in compliance with DHHS policies and CMS policies. These policies may be updated periodically. Where new policies and guidance affect the content of this ISA, the ISA will continue to be in effect and will be updated at its next periodic review.
- A “major application” is an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. (OMB A-130)
Statement of Requirements
The expected benefit of the interconnection is <Insert Business Expectation>
General Information/Data Description
<Insert a description of the information and data that will be made available, exchanged, or passed one-way only by the interconnection of the two systems / networks>
Services Offered
CMS shall:
- Provide 24/7 operation of the CMS IT Service Desk (1-800-562-1963, 410-786-2580 or mailto:cms_it_service.desk@cms.hhs.gov) for the Non-CMS Organization Point of Contact (POC) to communicate any security issues; and
- Provide installation, configuration, and maintenance of CMS edge router(s) with interfaces to multiple CMS core and edge routers.
The Non-CMS Organization shall:
<Insert Non-CMS Organization IT Help Desk information regarding operating times, process, and contact information>
System Descriptions
CMS System
Name: <Insert CMS information system name & acronym>
Function: <Insert CMS’ System Function>
Location: <Insert CMS physical site location>
Description of data, including Sensitivity or Classification level: <Insert description>
Describe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH. Refer to the CMS Information Security Levels document.
Information Category | Level |
---|---|
<Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.> | <Insert HIGH, MODERATE or LOW.> |
Overall Security Level Designation: <Insert highest level from the table above>
Non-CMS Organization System
Name: <Insert Organization B’s System>
Function: <Insert Organization B’s System Function>
Location: <Insert Organization B’s Physical Site Location>
Description of data, including Sensitivity or Classification level: <Insert description>
Describe and document the information handled by the system and the overall system security level as LOW, MODERATE or HIGH. Refer to NIST FIPS 199. For additional guidance, refer to CMS Risk Management Handbook Chapter 12, Security and Privacy Planning.
Information Category | Level |
---|---|
<Select and enter the Information Category from the System Security Level referenced above. Insert all entities that are applicable.> | <Insert HIGH, MODERATE or LOW.> |
Overall Security Level Designation: <Insert highest level from the table above>
Topological Diagram
Appendix A of this ISA must include a topological drawing that illustrates the interconnectivity between both systems, including all components (e.g., firewalls, routers, switches, hubs, servers, encryption devices, computer workstations, and storage location for receiving system). Both parties shall notify each other of any requirements such as additional router connections or increases in volume associated with this ISA.
Security Responsibilities
Both parties shall maintain a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained on the system with the highest sensitivity levels.
Communication/Information Security Points of Contact
Both parties shall:
- Designate a technical lead for their respective network and provide POC information to facilitate direct contacts between technical leads to support the management and operation of the interconnection;
- Maintain open lines of communication between POCs at both the managerial and technical levels to ensure the successful management and operation of the interconnection; and
- Inform their counterpart promptly of any change in technical POCs and interconnections.
CMS shall:
- Inform their counterpart promptly of any change in technical POC and interconnection;
- Identify a CMS ISSO to serve as a liaison between both parties and assist the Non-CMS Organization in ensuring that its IS controls meet or exceed CMS requirements.
Non-CMS Organization shall designate an IS POC the equivalent of the CMS ISSO, who shall act on behalf of the Non-CMS Organization and communicate all IS issues involving the Non-CMS Organization to CMS via the CMS ISSO.
Responsible Parties
Appendix B is a list of the responsible parties and contacts for each system. It is the responsibility of each respective approving authority to ensure the timely updating of Appendix B and to notify the other party of such changes within 30 days of any personnel change. Updating Appendix B does not require the re-signing of this ISA by either party.
Personnel/User Security
User Community
Both parties shall:
- Ensure that all employees, contractors, and other authorized users with access to the CMS Network, the Non-CMS Organization network, and the data sent and received by either organization have been screened, do not pose a security risk, and meet the requirements of the Office of Management and Budget (OMB) and the HHS Office of Security and Drug Testing, Personnel Security/Suitability Handbook, dated February 1, 2005.
- Enforce the following IS best practices:
- Least Privilege: Only authorizing access to the minimal amount of resources required for a function;
- Separation of Duties: A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals; and
- Role-Based Security: Permissions to perform operations are assigned to roles rather than to individuals, and users obtain permissions only through the roles they are assigned.
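The three practices above are easier to reason about when they are expressed as an enforceable policy. The following Python is an added example, not part of the CMS ISA template and not CMS code; the role names, permissions and users are hypothetical. It models role-based access with a static separation-of-duties constraint (no user may hold both the initiating and approving role for the same transaction type) and includes the least-privilege review a practitioner would run, comparing granted permissions against those actually exercised.

```python
"""Role-based access control with a static separation-of-duties constraint.

Added example; it is not part of the CMS ISA template and not CMS code.
Role names, permissions and users are hypothetical, chosen to illustrate the
three practices the ISA requires: least privilege, separation of duties and
role-based security.
"""
from typing import Dict, FrozenSet, Iterable, Set, Tuple


class PolicyViolation(Exception):
    """Raised when an assignment would break a policy constraint."""


class RbacPolicy:
    def __init__(self, roles: Dict[str, FrozenSet[str]],
                 exclusive_roles: Iterable[Tuple[str, str]]):
        self.roles = roles
        # Static separation of duties: pairs of roles no single user may hold.
        self.exclusive = {frozenset(pair) for pair in exclusive_roles}
        self.assignments: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise PolicyViolation(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise PolicyViolation(
                    f"{user} may not hold {role!r} together with {other!r}")
        held.add(role)

    def permissions(self, user: str) -> FrozenSet[str]:
        """Permissions flow only through roles, never directly to users."""
        granted: FrozenSet[str] = frozenset()
        for role in self.assignments.get(user, ()):
            granted = granted | self.roles[role]
        return granted

    def is_permitted(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def excess_permissions(self, user: str, exercised: Set[str]) -> FrozenSet[str]:
        """Least-privilege review: permissions granted but never exercised."""
        return self.permissions(user) - frozenset(exercised)


def build_claims_policy() -> RbacPolicy:
    # Hypothetical roles for a claims-processing system.
    roles = {
        "claims_initiator": frozenset({"claim:create", "claim:read"}),
        "claims_approver": frozenset({"claim:approve", "claim:read"}),
        "auditor": frozenset({"claim:read", "audit_log:read"}),
    }
    # Initiating and approving the same transaction type are kept apart.
    return RbacPolicy(roles, [("claims_initiator", "claims_approver")])


def demo() -> dict:
    policy = build_claims_policy()
    policy.assign("alice", "claims_initiator")
    policy.assign("bob", "claims_approver")
    policy.assign("carol", "auditor")
    try:
        policy.assign("alice", "claims_approver")  # would let alice approve her own claims
        sod_blocked = False
    except PolicyViolation:
        sod_blocked = True
    return {
        "sod_blocked": sod_blocked,
        "alice_can_approve": policy.is_permitted("alice", "claim:approve"),
        "bob_can_approve": policy.is_permitted("bob", "claim:approve"),
        # carol exercised only claim:read this review period; audit_log:read is excess
        "carol_excess": sorted(policy.excess_permissions("carol", {"claim:read"})),
    }


if __name__ == "__main__":
    print(demo())
```

The constraint is checked at assignment time, so a violation is refused before it can be exercised; the excess-permissions report is what a periodic access review would feed back to the Business Owner to trim roles that have grown beyond their function.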
Commitment to Protect Sensitive Information
Both parties shall not release, publish, or disclose information to unauthorized personnel, and shall protect such information in accordance with the provisions of the laws cited in Section 5 and any other pertinent laws and regulations governing the adequate safeguarding of agency information.
The Non-CMS Organization shall:
- Ensure that each Non-CMS Organization contractor employee signs form CMS-R-0235, CMS Data Use Agreement.
- Ensure that outsourced operations where non-CMS personnel may have access to information, CMS systems, and network components shall also comply with the security required by Federal Acquisition Regulation (FAR) clause 52.239-1, Privacy or Security Safeguards and CMS IS policies, standards, and procedures.
Training and Awareness
Both parties shall have all users, including employees, contractors, and other authorized users complete the CMS IS awareness training upon enactment of this ISA and then annually thereafter at: https://www.cms.gov/cbt/.
Personnel Changes/De-registration
Both parties shall:
- Provide notification to their respective BOs of the separation or long-term absence of their network owner or technical lead.
- Provide notification to their respective BO of any changes in the ISSO or POC information.
- Provide notification to the CMS Access Administrator (CAA) of changes to user profiles, including users who resign or change job responsibilities (refer to the current list of CAAs).
Policies
Both parties shall adhere to all DHHS and CMS IS policies, procedures, and guidelines on the ISPG website.
Rules of Behavior
Both parties shall ensure that all users with access to the CMS Network, the CMS information system, the Non-CMS Organization network and any data received from the other organization shall adhere to all current HHS Rules of Behavior (RoB) (For Use of Technology Resources and Information).
Security Documentation
Both parties shall ensure that security is planned for, documented, and integrated into the System Life-Cycle from the IT system’s initiation to the system’s disposal. For guidance, see the CMS Security and Privacy Handbooks.
CMS shall review the System Security and Privacy Plan (SSPP) for the CMS information system and the CMS network annually and update it whenever there is a major modification, as required by the CMS SSPP procedures.
The Non-CMS Organization shall:
- Maintain an SSPP for the Non-CMS Organization's network and update it whenever there is a major modification. The SSPP shall be compliant with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems.
- Make accessible to CMS all IS program documents from the Non-CMS Organization.
Network Security
Network Management
Both parties shall:
- Ensure that this interconnection is completely isolated from the Internet.
- Ensure that this interconnection is completely isolated from all other customer / business processes.
Material Network Changes
Both parties shall:
- Submit to the CMS CIO any proposed changes to either network or the interconnecting medium accompanied by a valid business justification;
- Renegotiate this ISA before any changes are implemented;
- Report planned technical changes to the network architecture that affect the interconnection through the CMS BO to the Office of Information Technology (OIT), Infrastructure User Services Group (IUSG);
- Conduct a risk assessment based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation;
- Conduct a Security Impact Analysis (SIA) based on the new network architecture and modify and re-sign this ISA within one (1) month prior to implementation; and
- Notify the respective BOs and OIT, IUSG (through the CMS BO) when access is no longer required.
New Interconnections
Both parties shall prohibit new interconnections unless expressly agreed upon in a modification to this ISA and signed by both parties.
Network Inventory
Non-CMS Organization shall maintain and make available to CMS upon request a list of all Non-CMS Organization subnets connected to CMS’ network and periodically update the information including information on each owner, physical location, IP address, host’s name, hardware, operating system version, and applications.
Firewall Management
CMS shall:
- Configure the CMS network perimeter firewall in accordance with OIT, IUSG.
- Block all network traffic incoming from the Internet to CMS unless it is explicitly permitted.
- Install a firewall between the perimeter (demarcation point) of the Non-CMS Organization’s network and CMS’ network if deemed necessary by OIT, IUSG.
The Non-CMS Organization shall:
- Maintain responsibility for configuring all Non-CMS Organization network perimeter firewalls with a policy at least as stringent as that of OIT, IUSG.
- Provide to OIT, IUSG through the CMS BO a list of Non-CMS Organization authorized web (HTTP), FTP and SMTP servers (identified individually as HTTP, FTP, and/or SMTP) on the Non-CMS Organization’s network.
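The firewall clauses above (default deny for anything not explicitly permitted, an interconnection isolated from the Internet, and a declared inventory of authorized HTTP/FTP/SMTP servers) can be checked mechanically before a rule set is pushed. The following Python is an added example; it is not CMS or OIT/IUSG tooling and not part of the ISA template. The rule format, the subnets and the authorized-server inventory are constructed stand-ins for what Appendix A and the Network Inventory of a real ISA would supply.

```python
"""Audit a candidate perimeter rule set against the ISA's firewall terms.

Added example; it is not CMS or OIT/IUSG tooling and not part of the ISA
template. The rule format, the subnets and the authorized-server inventory are
constructed stand-ins for Appendix A and the Network Inventory of a real ISA.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR the rule matches
    dst: str             # destination CIDR the rule matches
    proto: str           # "tcp", "udp" or "any" (informational here)
    port: Optional[int]  # destination port; None means any port


# Constructed scope: the CMS-side and partner-side subnets covered by the ISA.
CMS_SUBNETS = ("10.20.0.0/16",)
PARTNER_SUBNETS = ("172.16.5.0/24",)
# Constructed partner inventory of authorized servers: (address, service) -> port.
AUTHORIZED_SERVERS: Dict[Tuple[str, str], int] = {
    ("172.16.5.10", "HTTP"): 443,
    ("172.16.5.20", "SMTP"): 25,
}
ANY = "0.0.0.0/0"


def _within(cidr: str, scope: Sequence[str]) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in scope)


def audit(rules: List[Rule],
          cms_subnets: Sequence[str] = CMS_SUBNETS,
          partner_subnets: Sequence[str] = PARTNER_SUBNETS,
          authorized: Dict[Tuple[str, str], int] = AUTHORIZED_SERVERS) -> List[str]:
    """Return one finding per ISA clause the rule set fails; empty means clean."""
    findings: List[str] = []
    scope = tuple(cms_subnets) + tuple(partner_subnets)
    authorized_endpoints = {(ipaddress.ip_address(a), p) for (a, _svc), p in authorized.items()}

    # "Block all network traffic ... unless it is explicitly permitted": the
    # policy must end in a catch-all deny, otherwise unmatched traffic passes.
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst, last.port) != (ANY, ANY, None):
        findings.append("no final default-deny rule; traffic not explicitly permitted would pass")

    for i, r in enumerate(rules):
        if r.action != "allow":
            continue
        # "Completely isolated from the Internet": every permit must stay inside
        # the interconnection's own address space on both ends.
        if not (_within(r.src, scope) and _within(r.dst, scope)):
            findings.append(f"rule {i}: {r.src} -> {r.dst} reaches outside the ISA subnets")
            continue
        # Permits toward the partner must name an authorized server and its port,
        # not a whole subnet or an unlisted service.
        if _within(r.dst, partner_subnets):
            dst = ipaddress.ip_network(r.dst, strict=False)
            if (dst.num_addresses != 1 or r.port is None
                    or (dst.network_address, r.port) not in authorized_endpoints):
                findings.append(f"rule {i}: {r.dst} port {r.port} is not an authorized partner server")
    return findings


# Constructed rule sets: a permissive draft and its ISA-compliant replacement.
WEAK_RULES = [
    Rule("allow", ANY, "172.16.5.10/32", "tcp", 443),             # partner web server exposed to the Internet
    Rule("allow", "10.20.1.0/24", "172.16.5.0/24", "any", None),  # whole partner subnet, any port, no final deny
]
HARDENED_RULES = [
    Rule("allow", "10.20.1.0/24", "172.16.5.10/32", "tcp", 443),
    Rule("allow", "10.20.1.0/24", "172.16.5.20/32", "tcp", 25),
    Rule("deny", ANY, ANY, "any", None),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(rules) or ["compliant"])
```

Running it on the weak draft yields three findings (missing default deny, an Internet-reachable permit, and a subnet-wide permit not tied to an authorized server); the hardened set passes. The same check can be rerun whenever the partner updates its server list under the Network Inventory clause.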
Incident Prevention, Detection, and Response
Incident Handling
Both parties shall:
- Handle and report incidents in accordance with the CMS RMH Chapter 8 Incident Handling
- Notify their designated technical counterparts immediately by telephone or e-mail when a security incident is detected, so that the other party may take steps to determine whether its network has been compromised and to take appropriate security precautions.
Vulnerability Scanning
Both parties shall:
- Disseminate intrusion detection alerts to respective BO counterparts for all subnets within the scope of this ISA;
- Report to both the CMS BO and the Non-CMS Organization's BO any security incident affecting either organization's subnets within the scope of this ISA; and
- Block inbound and outbound access for any CMS or Non-CMS Organization information systems on the subnets within the scope of this ISA that are the source of unauthorized access attempts, or the subject of any security events, until the risk is remediated.
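The three clauses above turn on one question per alert: is the offending host on a subnet within the scope of this ISA? The following Python is an added example, not part of the CMS ISA template and not CMS tooling. It parses constructed Snort-style "fast" alert lines, scopes each source address against hypothetical ISA subnets, and records for in-scope sources the block-both-directions-and-notify action the ISA calls for, while leaving out-of-scope sources to the receiving party's own process.

```python
"""Scope intrusion-detection alerts to the ISA subnets and derive block actions.

Added example, not part of the CMS ISA template and not CMS tooling. The alert
lines are constructed in a Snort-style "fast" alert format; the subnets are
hypothetical stand-ins for the inventory each party maintains under this ISA.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed ISA scope: CMS-side and partner-side subnets from the inventory.
ISA_SUBNETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "172.16.5.0/24")]

# "{PROTO} src:port -> dst:port" is the tail of each fast-format alert line.
_ENDPOINTS = re.compile(r"\{(\w+)\}\s+(\S+?):(\d+)\s+->\s+(\S+?):(\d+)\s*$")

BLOCK_AND_NOTIFY = "block_both_directions_and_notify_BOs"
OUT_OF_SCOPE = "outside_isa_scope"

SAMPLE_ALERTS = [
    # constructed: partner host probing a CMS host over the interconnection
    "01/14-09:12:03.123456 [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {TCP} 172.16.5.77:51234 -> 10.20.1.15:22",
    # constructed: same source again, different CMS target
    "01/14-09:12:09.555555 [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {TCP} 172.16.5.77:51240 -> 10.20.1.16:22",
    # constructed: Internet source hitting a CMS host; not covered by this ISA
    "01/14-09:13:44.000001 [**] [1:1000002:1] Web scanner user-agent [**] [Priority: 3] {TCP} 198.51.100.9:40000 -> 10.20.1.15:443",
    # constructed: line with no endpoint section; must be skipped, not crash
    "01/14-09:14:00.000000 [**] heartbeat [**]",
]


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Extract protocol and endpoints; None for lines without a valid endpoint tail."""
    m = _ENDPOINTS.search(line)
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


def in_isa_scope(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ISA_SUBNETS)


def triage(lines: List[str]) -> Dict[str, Dict[str, object]]:
    """Per source host: alert count, targets, and which ISA action applies."""
    actions: Dict[str, Dict[str, object]] = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        src, dst = alert["src"], alert["dst"]
        entry = actions.setdefault(src, {"alerts": 0, "targets": set(), "action": OUT_OF_SCOPE})
        entry["alerts"] += 1
        entry["targets"].add(dst)
        # Both ends on ISA subnets: the source is blocked inbound and outbound
        # until remediated, and both Business Owners are notified.
        if in_isa_scope(src) and in_isa_scope(dst):
            entry["action"] = BLOCK_AND_NOTIFY
    return actions


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_ALERTS).items():
        print(host, entry["alerts"], sorted(entry["targets"]), entry["action"])
```

The decision is per source host, not per alert, so repeated alerts from one host collapse into a single block action with the full list of affected targets for the incident report; a malformed line is dropped rather than aborting the run.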
Disasters and Other Contingencies
Both parties shall immediately notify their designated counterparts as defined in the information system contingency plan in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected networks.
Modifications
If any personnel changes occur involving the POCs listed in this ISA, the terms of this ISA shall remain in full force and effect unless formally modified by both parties. Any modification that changes the security posture of this ISA shall be in writing and agreed upon and approved in writing by both parties or their designees.
Compliance
Non-compliance with the terms of this ISA by either party may lead to termination of the interconnection. CMS may block network access for the Non-CMS Organization if the Non-CMS Organization does not implement reasonable precautions to prevent the risk of security incidents spreading to CMS’ network. CMS is authorized to audit the security of Non-CMS Organization’s Network periodically by requesting that Non-CMS Organization provide documentation of compliance with the security requirements in this ISA (see Section 20, RECORDS). The Non-CMS Organization shall provide CMS access to its IT resources impacted by this ISA for the purposes of audits.
Cost Considerations
Both parties agree to be responsible for their own systems and costs of the interconnecting mechanism and/or media. No financial commitments to reimburse the other party shall be made without the written concurrence of both parties. Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system/network owners’ organization. This ISA does not authorize, require, nor preclude any transfer of funds without the agreement of both parties.
Timeline
This ISA shall become effective upon the signature of the parties involved and remain in effect until terminated by either party. This ISA is subject to annual review and must be reauthorized when significant changes (changes that can affect the security state of the information system) are implemented that impact the validity of the agreement as an effective enforcement of security requirements. If one or both parties wish to terminate this agreement, they may do so upon thirty (30) days' written notice; in the event of a security incident or suspected incident, CMS has the right to terminate the connection immediately.
Order of Precedence
In the event of an inconsistency between the terms and conditions of this ISA and the terms and conditions of any other agreement, memorandum of understanding, or acquisition between CMS and Non-CMS Organization, the terms and conditions of this ISA shall have precedence.
Confidentiality
Subject to applicable statutes and regulations, including the Freedom of Information Act, the parties agree that the terms and conditions (any proprietary information) of this ISA shall not be disclosed to any third party outside of the Government without the prior written consent of the other party.
Survival
The parties’ rights and obligations shall survive expiration or termination of this ISA.
Records
The Non-CMS Organization shall maintain all records that it may create in the normal course of its business in connection with activity under this ISA for the term of this ISA and for at least three (3) years after the date this ISA terminates or expires. Such records shall be made available to CMS to ensure compliance with the terms and conditions of this ISA. The records shall be made available during regular business hours at the Non-CMS Organization offices, and CMS’ review shall not interfere unreasonably with the Non-CMS Organization business activities.
Severability
If any term or condition of this ISA becomes inoperative or unenforceable for any reason, such circumstances shall not have the effect of rendering the term or condition in question inoperative or unenforceable in any other case or circumstances, or of rendering any other term or condition contained in this ISA to be invalid, inoperative, or unenforceable to any extent whatsoever. The invalidity of a term or condition of this ISA shall not affect the remaining terms and conditions of this ISA.
CMS does not warrant that the Non-CMS Organization's interconnection to the CMS network under this ISA will meet the Non-CMS Organization's requirements, expectations, or even the stated expected benefit of the interconnection to CMS (see Provision 6, Statement of Requirements). The Non-CMS Organization bears the entire risk regarding the quality and performance of its interconnection with CMS, and the Non-CMS Organization's exclusive remedy is to terminate this ISA in accordance with the terms and conditions herein.
CMS EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE WITH REGARD TO NON-CMS ORGANIZATION’S INTERCONNECTION TO THE CMS.
Limitation of Liability
UNDER NO CIRCUMSTANCES AND UNDER NO LEGAL THEORY, WHETHER TORT (INCLUDING NEGLIGENCE), CONTRACT, OR OTHERWISE, SHALL CMS BE LIABLE TO NON-CMS ORGANIZATION OR ANY OTHER PERSON FOR ANY INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES OF ANY CHARACTER INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF GOODWILL, WORK STOPPAGE, COMPUTER FAILURE OR MALFUNCTION, OR ANY AND ALL OTHER COMMERCIAL DAMAGES OR LOSSES, EVEN IF SUCH PARTY SHALL HAVE BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.
Force Majeure
The Non-CMS Organization's failure to comply with any term or condition of this ISA as a result of conditions beyond its fault, negligence, or reasonable control (such as, but not limited to, war, strikes, floods, governmental restrictions, riots, fire, other natural disasters, or similar causes beyond the Non-CMS Organization's control) shall not be deemed a breach of this ISA.
Signatures
Both parties agree to work together to ensure the joint security of the connected networks and the data they store, process, and transmit, as specified in this ISA. Each party certifies that its respective network is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies.
We agree to the terms and conditions of this ISA.
Director, OIT Project Manager (equivalent)
_______________________________ ________________________________
(Name) (Name)
_______________________________ ________________________________
(Signature) (Date) (Signature) (Date)
CMS Chief Information Security Officer Chief Information Security Officer (equivalent)
_______________________________ ________________________________
(Name) (Name)
_______________________________ ________________________________
(Signature) (Date) (Signature) (Date)
CMS ISSO ISSO (equivalent)
_______________________________ ______________________________
(Name) (Name)
_______________________________ ________________________________
(Signature) (Date) (Signature) (Date)
CMS Business Owner Business Owner (equivalent)
_______________________________ ________________________________
(Name) (Name)
_______________________________ ________________________________
(Signature) (Date) (Signature) (Date)
CMS Project Officer
_______________________________
(Name)
_______________________________
(Title)
_______________________________
(Signature) (Date)
Related documents and resources
An agreement between CMS and partner entities that wish to share data between systems to achieve a common goal
Defining how Protected Health Information (PHI) will be disclosed to organizations requesting data from CMS
Information about NIST and how the agency's policies and guidance relate to security and privacy at CMS