CMS Security and Privacy Handbooks
Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
- #ispg-sec_privacy-policy
What are the CMS Security and Privacy Handbooks?
The CMS Security and Privacy Handbooks help CMS staff and contractors to follow federal policies and standards that keep CMS information and systems safe. They provide practical guidance for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the Acceptable Risk Safeguards (ARS).
What authority do the Handbooks have?
CMS has several levels of policy and guidance for the information security and privacy program:
Policies and standards, which are enterprise-level directives and the details for how they must be implemented. Our policies and standards are the CMS Information System Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).
Program plans, which explain how the high-level security and privacy programs at CMS uphold the policies and standards, laying out a roadmap for all ISPG activities. Our program plans include the Privacy Program Plan and the CMS Cyber Risk Management Plan (CRMP).
Procedural handbooks, which give practical guidance about how to implement the requirements found within the policies, standards, and program plans. Our procedural handbooks are the CMS Security and Privacy Handbooks – a go-to resource for anyone who is involved with the work of keeping CMS systems and data safe.
The Handbooks are provided as reliable guidance approved by the CMS Chief Information Security Officer (CISO), who is responsible for implementing the agency-wide information security program. The Handbooks support the policies and standards that CMS uses to meet requirements from higher-level authorities such as the Department of Health and Human Services (HHS).
The Handbooks also provide step-by-step instructions for CMS security and privacy activities such as Privacy Impact Assessment, Cybersecurity and Risk Assessment Program (CSRAP), Threat Modeling, and more.
These Handbooks do not supersede any applicable laws, existing labor management agreements, or higher-level agency directives or other governance documents. To learn more about the authorities, directives and laws that govern the CMS security and privacy program, see the CMS Information Security and Privacy Policy (IS2P2).
See all Security and Privacy Handbooks
Using the Search function on the ISPG "CyberGeek" website, you can search and filter to find CMS Security and Privacy Handbooks on a variety of topics.
Risk Management Handbook (RMH) chapters
The CMS Risk Management Handbook (RMH) chapters are a series of procedures that support CMS policies and standards, mapped to specific control families in the NIST Risk Management Framework.
Over time, the RMH chapters will be modified and absorbed into the broader CMS Security and Privacy Handbooks for a more flexible approach to procedural guidance – not dependent on specific security controls, but still covering all the topics needed to help CMS staff and contractors follow policies, standards, and best practices.
Use the links below to access the chapters of the Risk Management Handbook. Note that some chapters may not be listed here, as the RMH is evolving.
- Are you looking for RMH Chapter 1: Access Control? See the new CMS Access Control Handbook.
- RMH Chapter 2: Awareness and Training
- RMH Chapter 4: Assessment and Authorization
- RMH Chapter 5: Configuration Management
- Are you looking for RMH Chapter 6: Contingency Planning? See the new CMS Information System Contingency Plan (ISCP) Handbook.
- RMH Chapter 8: Incident Response
- RMH Chapter 9: Maintenance
- Are you looking for RMH Chapter 10: Media Protection? See the new CMS Media Protection Handbook.
- RMH Chapter 11: Physical and Environmental Protection
- RMH Chapter 12: Security and Privacy Planning
- RMH Chapter 13: Personnel Security
- RMH Chapter 14: Risk Assessment
- RMH Chapter 15: System and Services Acquisition
- RMH Chapter 16: System and Communications Protection
- Are you looking for RMH Chapter 19: Privacy Procedures? See the new Privacy Program Plan and the whole collection of Privacy resources here on the ISPG website.
Related documents and resources
A guide that provides an overview of the policies, procedures, and processes needed to implement security requirements for the Access Control (AC) family
Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly
Procedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting requirements
A complete guide to creating, managing, and closing your system’s POA&M
Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption
Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training