CMS Security and Privacy Handbooks

What are the CMS Security and Privacy Handbooks?

The CMS Security and Privacy Handbooks help CMS staff and contractors to follow federal policies and standards that keep CMS information and systems safe. They provide practical guidance for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the Acceptable Risk Safeguards (ARS). 

What authority do the Handbooks have?

CMS has several levels of policy and guidance for the information security and privacy program:

Policies and standards, which are enterprise-level directives and the details for how they must be implemented. Our policies and standards are the CMS Information System Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).

Program plans, which explain how the high-level security and privacy programs at CMS uphold the policies and standards, laying out a roadmap for all ISPG activities. Our program plans include the Privacy Program Plan and the CMS Cyber Risk Management Plan (CRMP).

Procedural handbooks, which give practical guidance about how to implement the requirements found within the policies, standards, and program plans. Our procedural handbooks are the CMS Security and Privacy Handbooks – a go-to resource for anyone who is involved with the work of keeping CMS systems and data safe.

The Handbooks are provided as reliable guidance approved by the CMS Chief Information Security Officer (CISO), who is responsible for implementing the agency-wide information security program. The Handbooks support the policies and standards that CMS uses to meet requirements from higher-level authorities such as the Department of  Health and Human Services (HHS). 

The Handbooks also provide step-by-step instructions for CMS security and privacy activities such as Privacy Impact Assessment, Cybersecurity and Risk Assessment Program (CSRAP), Threat Modeling, and more.

These Handbooks do not supersede any applicable laws, existing labor management agreements, or higher-level agency directives or other governance documents. To learn more about the authorities, directives and laws that govern the CMS security and privacy program, see the CMS Information Security and Privacy Policy (IS2P2).

Risk Management Handbook (RMH) chapters

The CMS Risk Management Handbook (RMH) chapters are a series of procedures that support CMS policies and standards, mapped to specific control families in the NIST Risk Management Framework. 

Over time, the RMH chapters are being modified, updated, and absorbed into the new series of security and privacy guidance aligned with the control families of the ARS. The new guidance pages provide a more flexible and risk-based approach to procedural guidance – not going into detail for specific security controls, but still covering all the topics needed to help CMS staff and contractors follow policies, standards, and best practices.

Use the links below to access the chapters of the Risk Management Handbook and the new policy guidance pages that are being published as the RMH is evolving. Note that some control families may not be listed, as guidance is in the process of being developed.

• AC - Access Control (AC)
• AU - Audit and Accountability (AU)
• AT - RMH Chapter 2: Awareness and Training (AT)
• CA - RMH Chapter 4: Assessment and Authorization (CA)
• CM - Configuration Management (CM)
• CP - CMS Information System Contingency Plan (ISCP) Handbook
• IA - Identification and Authentication (IA)
• IR - RMH Chapter 8: Incident Response (IR)
• MA - Maintenance (MA)
• MP - Media Protection (MP)
• PE - Physical and Environmental Protection (PE)
• PL - RMH Chapter 12: Security and Privacy Planning (PL)
• PM - Refer to NIST SP 800-53 Rev. 5 and NIST SP 800-53A Rev. 5 for guidance on Program Management
• PS - Personnel Security (PS)
• RA - Risk Assessment (RA)
• SA - RMH Chapter 15: System and Services Acquisition (SA)
• SC - RMH Chapter 16: System and Communications Protection (SC)
• SI - System and Information Integrity (SI)