What are the security and privacy requirements for IT procurements at CMS?

When buying new information technology (IT) products or services, CMS must ensure the products or services meet the standards for security and privacy set forth by federal authorities. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations.

The IT procurement process at CMS intersects with other processes related to developing and operating information systems – such as the Target Life Cycle (TLC) for system life cycle governance and Authorization to Operate (ATO) for documenting system security compliance. However, for acquisition personnel and their stakeholders, there are a few key steps to follow at CMS to ensure that federal standards for security and privacy are written into every IT contract:

1. Complete “Appendix A”
   Formally, this is the Information Security Certification Checklist – but is known throughout CMS as “Appendix A”. This is a checklist that identifies whether the procurement requires information security, involves Personally Identifiable Information (PII), or is subject to the Privacy Act. This checklist is for internal use at CMS and is completed whenever there is a new Request for Proposal (RFP), Request for Quote (RFQ), or other procurement document. More specific information – including how to complete Appendix A – can be found below.  
    
2. Identify security and privacy needs
   Working with the CISO Team and referring to information in the completed Appendix A, the procurement stakeholders determine what kind of security and privacy requirements will need to be written into the contract. This ensures the contract contains baseline language for security and privacy so the product or service will meet federal standards.
    
3. Add security language into contract
   Once the details of security and privacy needs have been determined, procurement personnel use the CMS Security and Privacy Language for Information and Information Technology Procurements document to copy and paste the appropriate language needed for the contract. This helps potential contractors and service providers understand the security and privacy requirements from the beginning – avoiding future security risks and unnecessary contract modifications.

Continue reading to learn more about security and privacy requirements for IT procurements here at CMS. 

Information System Certification Checklist (Appendix A)

This checklist is included as the first appendix in the CMS Security and Privacy Language for Information and Information Technology Procurements – which is why it’s known colloquially as “Appendix A”. This checklist and other parts of the Security and Privacy Language document are adapted by CMS from the authoritative version published by HHS.

The purpose of the Appendix A checklist is to determine if the procurement:

• Requires information security
• Involves personally identifiable information (PII)
• Is subject to the Privacy Act

Once completed, the checklist helps the CISO Team and procurement personnel determine what kind of security and privacy requirements should be written into a contract. The checklist is for internal use only – it’s not included in the package of documents submitted to a potential contractor. Appendix A is completed anytime there is a Request for Proposal (RFP), Request for Quote (RFQ), or other procurement document.

How to complete Appendix A

The Information Security Certification Checklist (Appendix A) includes Part A and Part B. Part A should be completed in coordination with the ISSO, System Owner, and Program/Project Manager, then signed by the CMS Chief Information Security Officer (CISO) or designee. Part B should be completed by the requiring activity in coordination with the Privacy Advisor, Data Owner and Program/Project Manager, then signed by the CMS Senior Official for Privacy (SOP) or designee. 

Through this collaboration, the CISO Team and privacy advisors help the procurement stakeholders determine what kind of security and privacy requirements will need to be written into the contract. This ensures the contract contains baseline language for security and privacy so the acquired product or service meets federal standards. 

Security and Privacy Language for IT Procurements

HHS provides a policy document that contains standardized language to be used in every IT procurement, ensuring that the proper security and privacy considerations are written into every contract. This language aligns with and supplements federal acquisition guidance such as the Federal Acquisition Regulation (FAR) and the HHS Acquisition Regulation (HHSAR).

The adaptation of this document used at CMS is the CMS Security and Privacy Language for Information and Information Technology Procurements. It aligns with the NIST SP 800-53 catalog of controls, the CMS IS2P2, and the CMS ARS. It is used by Contracting Officers (CO), Contracting Officer Representatives (COR), and any other personnel responsible for drafting acquisition documents, such as contracts or solicitations.

How is the Security and Privacy Language used at CMS?

Including the appropriate security and privacy language in every CMS contract is a team effort. As part of the procurement process, the requiring activity representative and contracting office coordinate with the CMS Information System Security Officer (ISSO), Senior Official for Privacy (SOP), System Owner, and/or the Chief Information Security Officer (CISO). They work together to make sure the acquisition documentation contains detailed language that will:

• Help contractors and service providers understand the information security requirements they will need to follow if they are awarded a contract with CMS
   
• Prepare contractors and service providers to be compliant with federal security and privacy requirements, avoiding unnecessary future contract modifications
   
• Ensure consistency of standards and compliance across all IT procurements, supporting a stronger overall security posture for CMS information and systems

In what situations does the Security and Privacy Language apply?

The Security and Privacy Language for IT Procurements used at CMS:

• DOES apply to all information and IT procurements
• MAY apply to acquisitions that are subject to HIPAA and HITECH
• DOES apply to all contractors and subcontractors

The Security and Privacy Language DOES NOT apply to Grants, Cooperative Agreements, or National Security Systems.

Types of acquisitions

The Security and Privacy Language document is set up to help procurement personnel copy and paste the appropriate template language into their contracts. Each section of the document contains template language for a specific acquisition type. These are the types of acquisitions:

• Procurements requiring information security and/or physical access
• Procurements involving personally identifiable information (PII) or records of individuals
• Procurements involving government-owned/contractor-operated (GOCO), or contractor-owned/contractor-operated (COCO) systems
• Procurements involving cloud services
• Other procurement types, such as:
  • Hardware
  • Non-commercial and open source software
  • Information technology application design, development or support
  • Physical access only to government-controlled facilities

To determine which of these acquisition types (and corresponding security and privacy language) is applicable, the procurement stakeholders fill out Appendix A and receive guidance from the CISO Team and privacy advisors.

Submission of contract package

Procurement personnel submit the contract package to the CMS Office of Acquisitions and Grants Management (OAGM) to provision the contract after all the security and privacy requirements have been taken into consideration. By adhering to federal standards for including baseline security and privacy language in every contract, CMS ensures that any new products or services we acquire will operate securely and keep sensitive information safe.