Skip to main content

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

CMS Security and Privacy Handbooks

Procedures to help CMS staff and contractors implement federal policies and standards for information security and privacy

Contact: CISO team |
slack logoCMS Slack Channel
  • #ispg-sec_privacy-policy

What are the CMS Security and Privacy Handbooks?

The CMS Security and Privacy Handbooks help CMS staff and contractors to follow federal policies and standards that keep CMS information and systems safe. They provide practical guidance for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the Acceptable Risk Safeguards (ARS)

What authority do the Handbooks have?

CMS has several levels of policy and guidance for the information security and privacy program:

Policies and standards, which are enterprise-level directives and the details for how they must be implemented. Our policies and standards are the CMS Information System Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS).

Program plans, which explain how the high-level security and privacy programs at CMS uphold the policies and standards, laying out a roadmap for all ISPG activities. Our program plans include the Privacy Program Plan and the CMS Cyber Risk Management Plan (CRMP).

Procedural handbooks, which give practical guidance about how to implement the requirements found within the policies, standards, and program plans. Our procedural handbooks are the CMS Security and Privacy Handbooks – a go-to resource for anyone who is involved with the work of keeping CMS systems and data safe.

The Handbooks are provided as reliable guidance approved by the CMS Chief Information Security Officer (CISO), who is responsible for implementing the agency-wide information security program. The Handbooks support the policies and standards that CMS uses to meet requirements from higher-level authorities such as the Department of  Health and Human Services (HHS). 

The Handbooks also provide step-by-step instructions for CMS security and privacy activities such as Privacy Impact Assessment, Cybersecurity and Risk Assessment Program (CSRAP), Threat Modeling, and more.

These Handbooks do not supersede any applicable laws, existing labor management agreements, or higher-level agency directives or other governance documents. To learn more about the authorities, directives and laws that govern the CMS security and privacy program, see the CMS Information Security and Privacy Policy (IS2P2).

See all Security and Privacy Handbooks

Using the Search function on the ISPG "CyberGeek" website, you can search and filter to find CMS Security and Privacy Handbooks on a variety of topics.

Go to the Handbooks

Risk Management Handbook (RMH) chapters

The CMS Risk Management Handbook (RMH) chapters are a series of procedures that support CMS policies and standards, mapped to specific control families in the NIST Risk Management Framework

Over time, the RMH chapters will be modified and absorbed into the broader CMS Security and Privacy Handbooks for a more flexible approach to procedural guidance – not dependent on specific security controls, but still covering all the topics needed to help CMS staff and contractors follow policies, standards, and best practices.

Use the links below to access the chapters of the Risk Management Handbook. Note that some chapters may not be listed here, as the RMH is evolving.