Skip to main content

System Authorization
Authorization to Operate (ATO)
Ongoing Authorization (OA)
CMS Technical Reference Architecture
All System Authorization
Key Authorization Requirements
Cybersecurity and Risk Assessment Program (CSRAP)
Penetration Testing
Information System Contingency Plan (ISCP)
ISCP Exercise (tabletop test)
Privacy Impact Assessment (PIA)
Security Impact Analysis (SIA)
Information System Risk Assessment (ISRA)
System Security and Privacy Plan (SSPP)
Continuous Diagnostics and Mitigation (CDM)
Plan of Action and Milestones (POA&M)
CMS Policies & Guidance
CMS Information Systems Security and Privacy Policy (IS2P2)
CMS Acceptable Risk Safeguards (ARS)
CMS Guidance for Security & Privacy Policies and Standards
CMS Risk Management Framework
All CMS Policies & Guidance
Federal Policies & Guidance
Federal Information Security Modernization Act (FISMA)
Federal Risk and Authorization Management Program (FedRAMP)
Zero Trust
National Institute of Standards and Technology (NIST)
All Federal Policies & Guidance
Privacy
CMS Privacy Program Plan
Computer Matching Agreement (CMA)
Information Exchange Agreement (IEA)
System of Records Notice (SORN)
Privacy Impact Assessment (PIA)
All Privacy
Application Security
CMS Hybrid Cloud
Software Bill of Materials (SBOM)
Threat Modeling
SaaS Governance
SaaS Security Posture Management (SSPM)
All Application Security
Security Operations
CMS Cybersecurity Integration Center (CCIC)
Penetration Testing
Incident Response
Breach Response
All Security Operations
Risk Management & Reporting
CMS Cyber Risk Management Plan (CRMP)
Cyber Risk Reports
Continuous Diagnostics and Mitigation (CDM)
CMS FISMA Continuous Tracking System (CFACTS)
CMS Risk Management Framework (RMF)
Security Data Lake (SDL)
All Risk Management & Reporting
Tests & Assessments
Cybersecurity and Risk Assessment Program (CSRAP)
Penetration Testing
Vulnerability Scanning
Rapid Cloud Review (RCR)
Reporting & Monitoring
SaaS Security Posture Management (SSPM)
CMS FISMA Continuous Tracking System (CFACTS)
ISSO As A Service
CMS Hybrid Cloud
Training & Awareness
ISSO Mentorship Program
ISSO Bootcamp
CMS Cybersecurity and Privacy Training & Awareness Handbook
CMS CyberWorks (annual event)
All Training & Awareness
Articles and updatesRead the latest news from CMS articles and updates
Sign up for the newsletterGet a bi-monthly digest of CyberGeek updates

CMS Privacy Impact Assessments

Contact: CMS Privacy Office | privacy@cms.hhs.gov

List of all Privacy Impact Assessments for CMS information systems that require a PIA to comply with the E-Government Act

PIA

Titles II and III of the E-Government Act of 2002 require that agencies evaluate systems that collect personally identifiable information (PII) and determine whether the privacy of that PII is adequately protected. Agencies perform this evaluation through a Privacy Impact Assessment (PIA).

Policy from the U.S. Department of Health and Human Services (HHS) states that operating divisions (OPDIVs) are responsible for completing and maintaining PIAs on all systems. Upon completion of each assessment, agencies are required to make that PIA publicly available.

As an OPDIV of HHS, CMS provides the Privacy Impact Assessments for all CMS information systems that require a PIA. They are listed below.

A-C

D-I

J-P

Q-Z

TPWA

The TPWA Privacy Impact Assessment (PIA) is a tool to evaluate how a CMS Operating Division (OpDiv) is collecting/receiving Personally Identifiable Information (PII) through its use of a Third Party Website or Application (TPWA) — any web-based technology that is not exclusively controlled by a government entity.

The TPWA PIA helps the OpDiv identify risks and communicate this information to the public. TPWA PIA questions are based on the specific risks and compliance requirements for TPWAs as outlined by the OMB Memorandum 10-23.

Both PIAs and TPWA PIAs require approval from the U.S. Department of Health and Human Services (HHS). As an OpDiv of HHS, CMS publishes its TPWA PIAs below.

A-C

D-I

J-P

Q-Z