CMS Security and Privacy Handbooks
Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy
- #ispg-sec_privacy-policy
What are the CMS Security and Privacy Handbooks?
The CMS Security and Privacy Handbooks help CMS staff and contractors to follow federal policies and standards that keep CMS information and systems safe. They provide practical guidance for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the Acceptable Risk Safeguards (ARS).
What authority do the Handbooks have?
CMS has several levels of policy and guidance for the information security and privacy program:
- Policies and standards, which are enterprise-level directives and the details for how they must be implemented. Our policies and standards are the CMS Information System Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).
- Program plans, which explain how the high-level security and privacy programs at CMS uphold the policies and standards, laying out a roadmap for all ISPG activities. Our program plans include the Privacy Program Plan and the CMS Cyber Risk Management Plan (CRMP).
- Procedural handbooks, which give practical guidance about how to implement the requirements found within the policies, standards, and program plans. Our procedural handbooks are the CMS Security and Privacy Handbooks – a go-to resource for anyone who is involved with the work of keeping CMS systems and data safe.
The Handbooks are provided as reliable guidance approved by the CMS Chief Information Security Officer (CISO), who is responsible for implementing the agency-wide information security program. The Handbooks support the policies and standards that CMS uses to meet requirements from higher-level authorities such as the Department of Health and Human Services (HHS).
The Handbooks also provide step-by-step instructions for CMS security and privacy activities such as Privacy Impact Assessment, Cybersecurity and Risk Assessment Program (CSRAP), Threat Modeling, and more.
These Handbooks do not supersede any applicable laws, existing labor management agreements, or higher-level agency directives or other governance documents. To learn more about the authorities, directives and laws that govern the CMS security and privacy program, see the CMS Information Security and Privacy Policy (IS2P2).
See all Security and Privacy Handbooks
Using the Search function on the ISPG "CyberGeek" website, you can search and filter to find CMS Security and Privacy Handbooks on a variety of topics.
Risk Management Handbook (RMH) chapters
The CMS Risk Management Handbook (RMH) chapters are a series of procedures that support CMS policies and standards, mapped to specific control families in the NIST Risk Management Framework.
Over time, the RMH chapters will be modified and absorbed into the broader CMS Security and Privacy Handbooks for a more flexible approach to procedural guidance – not dependent on specific security controls, but still covering all the topics needed to help CMS staff and contractors follow policies, standards, and best practices.
Use the links below to access the chapters of the Risk Management Handbook. Note that some chapters may not be listed here, as the RMH is evolving.
- Are you looking for RMH Chapter 1: Access Control? See the new CMS Access Control Handbook.
- RMH Chapter 2: Awareness and Training
- RMH Chapter 4: Assessment and Authorization
- RMH Chapter 5: Configuration Management
- Are you looking for RMH Chapter 6: Contingency Planning? See the new CMS Information System Contingency Plan (ISCP) Handbook.
- RMH Chapter 8: Incident Response
- RMH Chapter 9: Maintenance
- RMH Chapter 10: Media Protection
- Are you looking for RMH Chapter 10: Media Protection? See the new CMS Media Protection Handbook.
- RMH Chapter 11: Physical and Environmental Protection
- RMH Chapter 12: Security and Privacy Planning
- RMH Chapter 13: Personnel Security
- RMH Chapter 14: Risk Assessment
- RMH Chapter 15: System and Services Acquisition
- RMH Chapter 16: System and Communications Protection
- Are you looking for RMH Chapter 19: Privacy Procedures? See the new Privacy Program Plan and the whole collection of Privacy resources here on the ISPG website.
Related documents and resources
- A guide that provides an overview of the policies, procedures, and processes needed to implement security requirements for the Access Control (AC) family
- Information, tips, and tricks for writing your Privacy Impact Assessment (PIA) concisely and correctly
- Procedures for handling a breach of sensitive data at CMS, including roles, responsibilities, and reporting requirements
- A complete guide to creating, managing, and closing your system’s POA&M
- Guidance on the management lifecycle of cryptographic keys: data used to lock or unlock functions, including authentication, authorization, and encryption
- Guidance to help ISSOs in their daily work, including role descriptions, resources, points of contact, and training