
CMS Guide to Federal Laws, Regulations, and Policies

A comprehensive list of the federal laws, regulations, and policies that shape how information security and privacy are managed at CMS

Last reviewed: 2/16/2024

Contact: CISO Team | CISO@cms.hhs.gov


There are federal laws, regulations, and policies outside of CMS that shape how security and privacy are managed inside CMS. This page contains a comprehensive list of these external requirements, and shows how they relate to the security and privacy policies and guidance at CMS.

DISCLAIMER:

The laws, regulations, standards, and guidelines provided herein are considered a work in progress and are subject to continuous updates. While we strive to ensure the accuracy and relevance of the information presented, it is important to note that legislative changes, regulatory updates, or evolving standards may impact the content provided. Users are encouraged to regularly check for the latest revisions and consult official sources to ensure compliance with the most current legal and regulatory requirements. The information offered is intended for general informational purposes only and should not be construed as legal advice. Any reliance on the content provided is at the user's own risk. We reserve the right to modify, amend, or update the information without prior notice.

QUESTIONS OR COMMENTS? Check out the CMS Slack channel: #cms_fed_laws_policies

Federal Laws

Laws are passed by both branches of Congress and signed by the President. Laws establish requirements or prohibitions. This list contains all federal laws that relate to information security and privacy at CMS.

FISMA

Title: Federal Information Security Modernization Act of 2014 (FISMA 2014)

Description: Federal legislation that defines a framework of guidelines and security standards to protect government information and operations

Date released: Dec 2014

Oversight responsibility: Department of Homeland Security (DHS)

Notes: FISMA 2014 amends the Federal Information Security Management Act (FISMA) of 2002

The Privacy Act of 1974

Title: The Privacy Act of 1974

Description: Establishes a code of fair information practices that governs the collection, maintenance, use, and dissemination of information about individuals that is maintained in systems of records by federal agencies

Date released: Sep 1975

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

HIPAA

Title: Health Insurance Portability and Accountability Act (HIPAA) of 1996

Description: Federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge

Date released: Aug 1996

Oversight responsibility: Department of Health and Human Services (HHS)

Notes: HHS issued the Privacy Rule and the Security Rule to implement the requirements of HIPAA

E-Government Act

Title: E-Government Act of 2002

Description: Improves the management of Federal e-government services and processes involving the collection, maintenance, or dissemination of public or personal information

Date released: Dec 2002

Oversight responsibility: Office of Management and Budget (OMB)

Notes: Section 208 requires Privacy Impact Assessments (PIAs)

FedRAMP

Title: Federal Risk and Authorization Management Program (FedRAMP)

Description: A government-wide program that promotes the adoption of secure cloud services across the federal government by providing a standardized approach to security and risk assessment for cloud technologies and federal agencies

Date released: 2011

Oversight responsibility: 

  • Joint Authorization Board (JAB)
  • Department of Defense (DoD)
  • Department of Homeland Security (DHS)
  • General Services Administration (GSA)

Notes: 

Computer Matching and Privacy Protection Act of 1988

Title: Computer Matching and Privacy Protection Act of 1988

Description: Requires agencies engaged in computer matching activities to provide notice to individuals if their information is being disclosed to other federal and state agencies

Date released: Sep 1988

Oversight responsibility: 

  • Office of Management and Budget (OMB)
  • Government Accountability Office (GAO)

Notes:

Section 508

Title: Section 508 of the Rehabilitation Act

Description: A federal law that requires agencies to provide individuals with disabilities equal access to electronic information and data comparable to those who do not have disabilities, unless an undue burden would be imposed on the agency

Date released: 1988

Oversight responsibility: 

  • Office of Management and Budget (OMB)
  • U.S. Access Board
  • General Services Administration (GSA)

Notes: Amended in 2000

HSPD-12

Title: Homeland Security Presidential Directive 12 (HSPD-12)

Description: A Government-wide standard for a secure and reliable form of identification issued by the Federal government to its employees and employees of Federal contractors for access to Federally-controlled facilities and Government information systems

Date released: Aug 2004

Oversight responsibility: Department of Homeland Security (DHS)

Notes: 

FASCSA

Title: Federal Acquisition Supply Chain Security Act (FASCSA) of 2018

Description: Establishes a Federal Acquisition Security Council and provides executive agencies with authorities relating to mitigating supply chain risks in the procurement of information technology, and for other purposes

Date released: Dec 2018

Oversight responsibility: Government Accountability Office (GAO)

Notes: 

FITARA

Title: Federal Information Technology Acquisition Reform Act (FITARA) of 2014

Description: Strengthens the role of agency Chief Information Officers (CIOs) and provides greater accountability for the delivery of IT capabilities across the Federal Government

Date released: Dec 2014

Oversight responsibility: Office of Management and Budget (OMB)

Notes: OMB M-15-14 implements FITARA

MMA of 2003

Title: Medicare Prescription Drug, Improvement, and Modernization Act (MMA) of 2003

Description: Amended section 1144 of the Social Security Act to require the Commissioner of Social Security to conduct additional outreach efforts to identify individuals entitled to benefits, or enrolled under the Medicare program under Title XVIII, who may be eligible for transitional assistance under the Medicare Prescription Drug Discount Card Program and premium and cost-sharing subsidies under the Prescription Drug Card Part D Program

Date released: Dec 2003

Oversight responsibility: Department of Health and Human Services (HHS) - Centers for Medicare & Medicaid Services (CMS)

Notes: 

Buy America Act

Title: Buy America Act

Description: Requires Federal agencies to procure domestic materials and products

Date released: Apr 1978

Oversight responsibility: Government Accountability Office (GAO)

Notes: 

No TikTok on Government Devices Act

Title: No TikTok on Government Devices Act

Description: Requires the social media video application TikTok to be removed from the information technology of federal agencies

Date released: Dec 2022

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

FOIA

Title: Freedom of Information Act (FOIA)

Description: Provides that any person has the right to request access to federal agency records or information except to the extent the records are protected from disclosure by any of nine exemptions contained in the law or by one of three special law enforcement record exclusions

Date released: Jul 1967

Oversight responsibility: Department of Justice (DOJ)

Notes: 

IG Act of 1978

Title: Inspectors General Act (IG Act) of 1978

Description: Creates Inspector General positions and offices in more than a dozen specific departments and agencies. The Act gives these inspectors general the authority to review the internal documents of their departments or offices. They are responsible for investigating fraud, giving policy advice (5 U.S.C. § 404; IG Act, sec. 4), handling certain complaints by employees, and reporting to the heads of their agencies and to Congress on their activities every six months

Date released: Oct 1978

Oversight responsibility: Department of Homeland Security (DHS)

Notes: 

DOTGOV Act of 2020

Title: DOTGOV Online Trust in Government Act of 2020

Description: Transfers the DotGov internet domain program, as operated by the General Services Administration under title 41, Code of Federal Regulations, to DHS CISA. The Act also orders that on the date CISA begins operational administration of the DotGov internet domain program, the GSA Administrator shall rescind the requirements in part 102–173 of title 41, Code of Federal Regulations, applicable to any Federal, State, local, or territorial government entity, or other publicly controlled entity, including any Tribal government recognized by the Federal Government or a State government, that is registering or operating a DotGov internet domain. Finally, the DOTGOV Act orders that, in place of the requirements in part 102–173 of title 41, Code of Federal Regulations, CISA, in consultation with the Director of the Office of Management and Budget (OMB), shall establish and publish a new set of requirements for the registration and operation of DotGov domains.

Date released: Dec 2020

Oversight responsibility: Department of Homeland Security (DHS) - Cybersecurity & Infrastructure Security Agency (CISA)

Notes: Part of the Consolidated Appropriations Act, 2021

Government Performance and Results Act (GPRA) of 1993

Title: Government Performance and Results Act (GPRA) of 1993

Description: Requires federal agencies to prepare a strategic plan covering a multiyear period and requires each agency to submit an annual performance plan and an annual performance report.

Date released: Aug 1993

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

Federal Acquisition Streamlining Act (FASA) of 1994

Title: Federal Acquisition Streamlining Act (FASA) of 1994

Description: Streamlines the federal government’s acquisition system and dramatically changes the way the government performs its contracting functions. Generally, the statute seeks to: (1) increase the government’s reliance on commercial goods and services; (2) streamline the procurement process for high-volume, low-value acquisitions; (3) improve access by small businesses to government contracting opportunities; (4) improve the bid protest process; and (5) extend the Truth in Negotiations Act to civilian agencies and raise the threshold for submitting certified cost or pricing data under that Act.

Date released: Oct 1994

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

Paperwork Reduction Act (PRA) of 1995

Title: Paperwork Reduction Act (PRA) of 1995

Description: Requires that agencies obtain Office of Management and Budget (OMB) approval before requesting most types of information from the public. “Information collections” include forms, interviews, and record keeping, to name a few categories.

Date released: May 1995

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

Federal Financial Management Improvement Act of 1996

Title: Federal Financial Management Improvement Act of 1996

Description: Advances Federal financial management by ensuring that Federal financial management systems provide accurate, reliable, and timely financial management information to the government’s managers.

Date released: Sep 1996

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Clinger-Cohen Act of 1996

Title: Clinger-Cohen Act of 1996

Description: The IT Management Reform Act (ITMRA) and the Federal Acquisition Reform Act (FARA) together make up the Clinger-Cohen Act

Date released: Feb 1996

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Federal Records Act (FRA) (Records Management Act of 1950)

Title: Records Management Act of 1950 / Federal Records Act (FRA)

Description: Designed to ensure that institutional records of vital historical, fiscal and legal value are identified and preserved by the government, providing the public with a historical record of federal decision-making.

Date released: Jul 1950

Oversight responsibility: National Archives and Records Administration (NARA)

Notes:

Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA)

Title: Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA)

Description: Prohibits the Federal Government from procuring or obtaining, or extending or renewing a contract to procure or obtain “any equipment, system, or service that uses covered telecommunications equipment or services as a substantial or essential component of any system, or as critical technology as part of any system,” on or after August 13, 2019, unless an exception applies or a waiver is granted.

Date released: Jul 2020

Oversight responsibility: 

  • Department of Defense (DoD)
  • National Aeronautics and Space Administration (NASA)
  • General Services Administration (GSA)

Notes:

FITARA Enhancement Act of 2017

Title: FITARA Enhancement Act of 2017

Description: An act to amend title 40, United States Code, to eliminate the sunset of certain provisions relating to information technology, to amend the National Defense Authorization Act for Fiscal Year 2015 to extend the sunset relating to the Federal Data Center Consolidation Initiative, and for other purposes.

Date released: Nov 2017

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016

Title: Making Electronic Government Accountable by Yielding Tangible Efficiencies (MEGABYTE) Act of 2016

Description: Requires the Director of the Office of Management and Budget to issue a directive on the management of software licenses by the US federal government.

Date released: Jul 2016

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act

Title: Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act

Description: Requires the Secretary of Homeland Security to establish a security vulnerability disclosure policy, to establish a bug bounty program for the Department of Homeland Security, to amend title 41, United States Code, to provide for Federal acquisition supply chain security, and for other purposes.

Date released: Dec 2018

Oversight responsibility: Department of Homeland Security (DHS)

Notes:

Communications Act of 1934

Title: Communications Act of 1934

Description: Combined and organized federal regulation of telephone, telegraph, and radio communications. The Act created the Federal Communications Commission (FCC) to oversee and regulate these industries. The Act is updated periodically to add provisions governing new communications technologies, such as broadcast, cable and satellite television.

Date released: Jun 1934

Oversight responsibility: Federal Communications Commission (FCC)

Notes:

Workforce Innovation and Opportunities Act

Title: Workforce Innovation and Opportunities Act

Description: Designed to strengthen and improve our nation's public workforce system and help get Americans, including youth and those with significant barriers to employment, into high-quality jobs and careers and help employers hire and retain skilled workers.

Date released: Jul 2014

Oversight responsibility: 

  • Department of Labor (DOL)
  • Department of Education (ED)
  • Department of Health and Human Services (HHS)

Notes:

Children’s Online Privacy Protection Act (COPPA) of 1998

Title: Children’s Online Privacy Protection Act (COPPA) of 1998

Description: Imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.

Date released: Apr 2020

Oversight responsibility: Federal Trade Commission (FTC)

Notes:

Government Paperwork Elimination Act of 1998

Title: Government Paperwork Elimination Act of 1998

Description: Requires Federal agencies, by October 21, 2003, to provide individuals or entities that deal with agencies the option to submit information or transact with the agency electronically, and to maintain records electronically, when practicable.

Date released: Oct 1998

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Federal Property and Administrative Services Act of 1949

Title: Federal Property and Administrative Services Act of 1949

Description: Establishes the General Services Administration (GSA). The act also provides for various Federal Standards to be published by the GSA.

Date released: Jul 1949

Oversight responsibility: General Services Administration (GSA)

Notes:

Information Quality Act

Title: Information Quality Act

Description: Requires the OMB to promulgate guidance to agencies ensuring the quality, objectivity, utility, and integrity of information (including statistical information) disseminated by Federal agencies.

Date released: Dec 2000

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Small Business Paperwork Relief Act of 2002

Title: Small Business Paperwork Relief Act of 2002

Description: Institutes a process to reduce paperwork, and introduces measures to make it easier for small businesses to comply with the law.

Date released: Jun 2002

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Cyber Security Research and Development Act of 2002

Title: Cyber Security Research and Development Act of 2002

Description: Authorizes appropriations to the National Science Foundation (NSF) and to the Secretary of Commerce for the National Institute of Standards and Technology (NIST) to establish new programs, and to increase funding for certain current programs, for computer and network security (CNS) research and development and CNS research fellowships.

Date released: Nov 2002

Oversight responsibility: 

  • National Science Foundation (NSF)
  • National Institute of Standards and Technology (NIST)

Notes:

Implementing Recommendations of the 9/11 Commission Act of 2007

Title: Implementing Recommendations of the 9/11 Commission Act of 2007

Description: Provides for implementation of recommendations of the National Commission on Terrorist Attacks Upon the United States (9/11 Commission).

Date released: Aug 2007

Oversight responsibility: Department of Homeland Security (DHS)

Notes:

Federal Cybersecurity Workforce Assessment Act (FCWAA) of 2015

Title: Federal Cybersecurity Workforce Assessment Act (FCWAA) of 2015

Description: Requires the Secretary of Homeland Security to assess the cybersecurity workforce of the Department of Homeland Security and develop a comprehensive workforce strategy, and for other purposes.

Date released: Dec 2014

Oversight responsibility: Department of Homeland Security (DHS)

Notes:

Whistleblower Protection Act of 1989

Title: Whistleblower Protection Act of 1989

Description: Prohibits retaliation against most executive branch employees when they blow the whistle on significant agency wrongdoing or when they engage in protected conduct.

Date released: Apr 1989

Oversight responsibility: Office of Special Counsel

Notes:

Computer Security Act of 1987

Title: Computer Security Act of 1987

Description: Provides for a computer standards program within the National Bureau of Standards, to provide for Government-wide computer security, and to provide for the training in security matters of persons who are involved in the management, operation, and use of Federal computer systems, and for other purposes.

Date released: Jan 1988

Oversight responsibility: National Institute of Standards and Technology (NIST)

Notes:

Office of Federal Procurement Policy Act

Title: Office of Federal Procurement Policy Act

Description: The Office of Federal Procurement Policy (OFPP) was established by Congress in 1974 to provide overall direction for government-wide procurement policies, regulations and procedures and to promote economy, efficiency, and effectiveness in acquisition processes.

Date released: Aug 1974

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Federal Activities Inventory Reform (FAIR) Act

Title: Federal Activities Inventory Reform (FAIR) Act

Description: Requires federal agencies to submit to the Office of Management and Budget inventories of commercial activities performed by federal employees every year by June 30.

Date released: Oct 1998

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Budget and Accounting Act of 1921

Title: Budget and Accounting Act of 1921

Description: Provides a national budget system and an independent audit of Government accounts, and for other purposes.

Date released: Jun 1921

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Federal Managers' Financial Integrity Act

Title: Federal Managers’ Financial Integrity Act

Description: Provides the statutory basis for management’s responsibility for and assessment of accounting and administrative internal controls. Such controls include program, operational, and administrative areas, as well as accounting and financial management.

Date released: Sep 1982

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Sarbanes-Oxley Act

Title: Sarbanes-Oxley Act

Description: Contains provisions affecting corporate governance, risk management, auditing, and financial reporting of public companies, including provisions intended to deter and punish corporate accounting fraud and corruption.

Date released: Jul 2002

Oversight responsibility: Public Company Accounting Oversight Board (PCAOB)

Notes:

Digital Accountability and Transparency Act (DATA)

Title: Digital Accountability and Transparency Act (DATA)

Description: Requires federal agencies to prepare and submit standardized, accurate information about their spending.

Date released: May 2014

Oversight responsibility: 

  • Office of Management and Budget (OMB)
  • Department of Treasury

Notes:

Electronic Signatures in Global and National Commerce (E-Sign) Act

Title: Electronic Signatures in Global and National Commerce (E-Sign) Act

Description: Facilitates the use of electronic records and signatures in interstate or foreign commerce.

Date released: Jun 2000

Oversight responsibility: 

  • Department of Commerce
  • Federal Trade Commission (FTC)

Notes: Specifies that, in the United States, the use of an electronic signature (e-signature) is as legally valid as a traditional signature written in ink on paper.

Chief Financial Officers Act

Title: Chief Financial Officers Act

Description: Gives OMB new authority and responsibility for directing federal financial management, modernizing the government’s financial management systems, and strengthening financial reporting.

Date released: Nov 1990

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

Homeland Security Act of 2002

Title: Homeland Security Act of 2002

Description: Established the Department of Homeland Security

Date released: Nov 2002

Oversight responsibility: Department of Homeland Security (DHS)

Notes: 

Health Information Technology for Economic and Clinical Health (HITECH) Act

Title: HITECH Act

Description: Part of the American Recovery and Reinvestment Act of 2009 that incentivized the meaningful use of Electronic Health Records (EHRs) and strengthened the privacy and security provisions of HIPAA.

Date released: Feb 2009

Oversight responsibility: 

  • Department of Health and Human Services (HHS)
  • Federal Trade Commission (FTC)

Notes: 

Patient Protection and Affordable Care Act

Title: Patient Protection and Affordable Care Act

Description: Ensures that all Americans have access to quality, affordable health care and creates the transformation within the health care system necessary to contain costs.

Date released: Mar 2010

Oversight responsibility: Department of Health and Human Services (HHS)

Notes: 

Government Performance and Results Act (GPRA) Modernization Act of 2010

Title: Government Performance and Results Act (GPRA) Modernization Act of 2010

Description: An amended version of the Government Performance and Results Act of 1993, it requires each executive agency to make its strategic plan available on its public website and to the OMB on the first Monday in February of any year following that in which the term of the President commences and to notify the President and Congress.

Date released: Jan 2011

Oversight responsibility: Office of Management and Budget (OMB)

Notes: 

Genetic Information Nondiscrimination Act (GINA)

Title: Genetic Information Nondiscrimination Act (GINA)

Description: Protects individuals against discrimination based on their genetic information in health coverage and in employment.

Date released: May 2008

Oversight responsibility: Department of Health and Human Services (HHS)

Notes:

Economy Act

Title: Economy Act

Description: Authorizes agencies to enter into agreements to obtain supplies or services from another agency.

Date released: May 1933

Oversight responsibility: Federal Acquisition Regulation (FAR)

Notes:

IPERIA

Title: Improper Payments Elimination and Recovery Improvement Act (IPERIA) of 2012

Description: Provides guidance on monitoring and reporting improper payments, and requires agencies to continue their review of programs and activities annually to identify those susceptible to significant improper payments and updates the definition of significant improper payments.

Date released: Jan 2013

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Antideficiency Act (ADA)

Title: Antideficiency Act (ADA)

Description: Prohibits federal agencies from obligating or expending federal funds in advance or in excess of an appropriation, and from accepting voluntary services.

Date released: Sep 1982

Oversight responsibility: Government Accountability Office (GAO)

Notes:

Budget Control Act of 2011

Title: Budget Control Act of 2011

Description: Amends the Balanced Budget and Emergency Deficit Control Act of 1985 (Gramm-Rudman-Hollings Act) to revise sequestration requirements for enforcement of discretionary spending limits (spending caps).

Date released: Aug 2011

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Telework Enhancement Act of 2010

Title: Telework Enhancement Act of 2010

Description: Requires the head of each executive agency to: (1) establish a policy under which eligible agency employees may be authorized to telework; (2) determine employee eligibility to participate in telework; and (3) notify all employees of their eligibility to telework.

Date released: Dec 2010

Oversight responsibility: 

  • Office of Personnel Management (OPM)
  • Federal Emergency Management Agency (FEMA)
  • General Services Administration (GSA)
  • National Archives and Records Administration (NARA)
  • Office of Management and Budget (OMB)
  • Department of Homeland Security (DHS)
  • National Institute of Standards and Technology (NIST)

Notes:

Plain Writing Act of 2010

Title: Plain Writing Act of 2010

Description: Improves the effectiveness and accountability of Federal agencies to the public by promoting clear Government communication that the public can understand and use.

Date released: Oct 2010

Oversight responsibility: Office of Management and Budget (OMB)

Notes:

Consolidated Appropriations Act of 2010

Title: Consolidated Appropriations Act of 2010

Description: An act making appropriations for the Departments of Transportation, and Housing and Urban Development, and related agencies for the fiscal year ending September 30, 2010, and for other purposes.

Date released: Dec 2009

Oversight responsibility: Multiple agencies

Notes: Many agencies oversee the guidance for this Act

American Recovery and Reinvestment Act of 2009

Title: American Recovery and Reinvestment Act of 2009

Description: Developed in response to the Great Recession, the primary objective of this federal statute was to save existing jobs and create new ones as soon as possible. Other objectives were to provide temporary relief programs for those most affected by the recession and invest in infrastructure, education, health, and renewable energy.

Date released: Feb 2009

Oversight responsibility: Multiple agencies

Notes: Many agencies oversee the guidance for this Act

Project BioShield Act of 2004

Title: Project BioShield Act of 2004

Description: Project BioShield was established to help incentivize private industry to develop vitally needed medical countermeasures by providing multi-year funding to support advanced research, clinical development, manufacture and procurement.

Date released: Jul 2004

Oversight responsibility: Department of Health and Human Services (HHS)

Notes: 

Public Health Service Act

Title: Public Health Service Act

Description: Consolidates and revises the laws relating to the Public Health Service.

Date released: Jul 1944

Oversight responsibility: Department of Health and Human Services (HHS)

Notes: 

Intelligence Reform and Terrorism Prevention Act of 2004

Title: Intelligence Reform and Terrorism Prevention Act of 2004

Description: Reforms the intelligence community and the intelligence and intelligence-related activities of the United States Government, and for other purposes.

Date released: Dec 2004

Oversight responsibility: Department of Homeland Security (DHS)

Notes: 

Electronic Freedom of Information Act Amendments of 1996

Title: Electronic Freedom of Information Act Amendments of 1996

Description: The Freedom of Information Act (FOIA) established the public's right of access to government information, on the basis of openness and accountability. The 1996 Electronic Freedom of Information Act (e-FOIA) Amendments extended these principles to include electronic access to information.

Date released: Oct 1996

Oversight responsibility: Department of Justice (DoJ)

Notes: 

Clarifying Lawful Overseas Use of Data (CLOUD) Act

Title: Clarifying Lawful Overseas Use of Data (CLOUD) Act

Description: Lifts certain restrictions under U.S. law on companies disclosing electronic data, in response to qualifying, lawful orders in investigations of serious crime, directly to a qualifying foreign government with which the United States has entered into an executive agreement governing access by the foreign government to covered data.

Date released: Jul 2022

Oversight responsibility: Department of Justice (DoJ)

Notes:

Federal Regulations

Regulations are published by executive branch agencies to clarify their interpretation of a law and how a law will be implemented. Regulations also state requirements or prohibitions. This list contains all federal regulations that relate to information security and privacy at CMS.

B.O.D. 18-01

Title: Binding Operational Directive (B.O.D.) 18-01: Enhance Email and Web Security

Description: Enhances the security of federal agencies' email and web systems to protect against cyber threats. The directive outlines specific actions that federal agencies must take to improve their email and web security posture, including implementing specific security protocols, enhancing monitoring capabilities, and strengthening authentication mechanisms.

Date released: Oct 2017

Implements Law: FISMA 2014

Agency: Department of Homeland Security (DHS) - Cybersecurity & Infrastructure Security Agency (CISA)

Notes: 

B.O.D. 18-02

Title: Binding Operational Directive (B.O.D.) 18-02: Securing High Value Assets (HVAs)

Description: Enhances the Department of Homeland Security's coordinated approach to securing the federal government’s HVAs from cybersecurity threats

Date released: May 2018

Implements Law: FISMA 2014

Agency: Department of Homeland Security (DHS) - Cybersecurity & Infrastructure Security Agency (CISA)

Notes: 

B.O.D. 20-01

Title: Binding Operational Directive (B.O.D.) 20-01: Develop and Publish a Vulnerability Disclosure Policy

Description: Requires each agency to develop and publish a vulnerability disclosure policy (VDP) covering its internet-accessible systems and to maintain supporting handling procedures for reports received under it.

Date released: Sep 2020

Implements Law: FISMA 2014 (issued alongside its companion guidance, OMB M-20-32)

Agency: Department of Homeland Security (DHS) - Cybersecurity & Infrastructure Security Agency (CISA)

Notes: 

E.D. 19-01

Title: Emergency Directive (E.D.) 19-01: Mitigate DNS Infrastructure Tampering

Description: Requires agencies to take near-term actions against DNS infrastructure tampering: audit public DNS records for unauthorized changes, change passwords on accounts that can modify agency DNS records, enable multi-factor authentication on those accounts, and monitor Certificate Transparency logs to detect unauthorized certificates issued for agency domains.

Date released: Jan 2019

Implements Law: FISMA 2014 (emergency directive authority under 44 U.S.C. § 3553(h))

Agency: Department of Homeland Security (DHS) - Cybersecurity & Infrastructure Security Agency (CISA)

Notes: 

The Privacy Rule

Title: The Privacy Rule

Description: Assures that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being

Date released: Dec 2000

Implements Law: HIPAA

Agency: Department of Health and Human Services (DHHS or HHS)

Notes: Regulation that implements HIPAA requirements

The Security Rule

Title: The Security Rule

Description: Establishes standards and safeguards for the secure handling of electronic protected health information (ePHI) by healthcare entities, aiming to ensure the confidentiality, integrity, and availability of sensitive health data

Date released: Feb 2003

Implements Law: HIPAA

Agency: Department of Health and Human Services (DHHS or HHS)

Notes: Regulation that implements HIPAA requirements

FAR

Title: Federal Acquisition Regulation (FAR)

Description: Primary regulation for use by all executive agencies in their acquisition of supplies and services with appropriated funds

Date released: April 1984

Implements Law: Competition in Contracting Act of 1984 (the FAR is codified at Title 48 of the Code of Federal Regulations (CFR))

Agency: General Services Administration (GSA), Department of  Defense (DOD), & National Aeronautics and Space Administration (NASA)

Notes: 

Federal Accounting Standards Advisory Board (FASAB)

Title: Federal Accounting Standards Advisory Board (FASAB)

Description: Advisory board established in October 1990 by the Secretary of the Treasury, the Director of OMB, and the Comptroller General (GAO) to develop the accounting standards (federal GAAP) that federal entities, including CMS, follow in preparing their financial statements

Date released: Oct 1990

Implements Law: Chief Financial Officers Act of 1990 (FASAB standards govern the audited financial statements the Act requires)

Agency: Department of Treasury, Office of Management and Budget (OMB), & Government Accountability Office (GAO)

Notes: 

Federal Information Processing Standards (FIPS) Publications

Federal Information Processing Standards (FIPS) are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce.

FIPS Standards can be viewed and downloaded from the NIST Computer Security Resource Center (CSRC) website here: FIPS publications

Answers to Frequently Asked Questions about FIPS can be found on the NIST website here: FIPS FAQs

This list contains all FIPS publications that relate to information security and privacy at CMS.

FIPS-202

Title: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions

Status: Final

Release Date: 8/4/2015

Superseded by:

FIPS 201-3

Title: Personal Identity Verification (PIV) of Federal Employees and Contractors

Status: Final

Release Date: 1/24/2022

Superseded by:

FIPS 200

Title: Minimum Security Requirements for Federal Information and Information Systems 

Status: Final

Release Date: 3/1/2006

Superseded by:

FIPS 199

Title: Standards for Security Categorization of Federal Information and Information Systems 

Status: Final

Release Date: 2/1/2004

Superseded by:

FIPS 198-1

Title: The Keyed-Hash Message Authentication Code (HMAC)

Status: Final

Release Date: 7/16/2008

Superseded by:

FIPS 197

Title: Advanced Encryption Standard (AES)

Status: Final

Release Date: 11/26/2001 (updated 5/9/2023 as FIPS 197-upd1)

Superseded by:

FIPS 186-5

Title: Digital Signature Standard (DSS)

Status: Final

Release Date: 2/3/2023

Superseded by:

FIPS 180-4

Title: Secure Hash Standard (SHS)

Status: Final

Release Date: 8/4/2015

Superseded by:

FIPS 140-3

Title: Security Requirements for Cryptographic Modules

Status: Final

Release Date: 3/22/2019

Superseded by:

NIST S.P. Guidelines

FIPS Publications may reference specific NIST Special Publications (S.P.), either guidelines (SP 800 series) or practices (SP 1800 series); where a FIPS makes such a reference, the referenced guideline or practice becomes governance policy for CMS FISMA systems.

All NIST Special Publications (SP 500, SP800 and SP1800) can be viewed and downloaded from the NIST Computer Security Resource Center (CSRC) website here: NIST S.P. list

NIST S.P. descriptions can be found on the NIST website here: NIST S.P. descriptions

The following list consists of NIST S.P.s that are CMS FISMA governance policy by way of FIPS references.

500-267A

Title: NIST IPv6 Profile

FIPS Reference: N/A

500-267B

Title: USGv6 Profile

FIPS Reference: N/A

500-281A

Title: USGv6 Test Program Guide

FIPS Reference: N/A

500-281B

Title: USGv6 Test Methods: General Description and Validation

FIPS Reference: N/A

800-16

Title: Information Technology Security Training Requirements: a Role- and Performance-Based Model

FIPS Reference: 

  • FIPS 140
  • FIPS 180
  • FIPS 186

800-18 Rev. 1

Title: Guide for Developing Security Plans for Federal Information Systems

FIPS Reference: FIPS 200

800-30

Title: Guide for Conducting Risk Assessments

FIPS Reference: 

  • FIPS 199
  • FIPS 200

800-34

Title: Contingency Planning Guide for Federal Information Systems

FIPS Reference: FIPS 199

800-37 Rev. 2

Title: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy

FIPS Reference: FIPS 201

800-38 (A-G)

Title: Recommendation for Block Cipher Modes of Operation (series; Parts A through G)

FIPS Reference: FIPS 197

800-39

Title: Managing Information Security Risk: Organization, Mission, and Information System View

FIPS Reference: 

  • FIPS 199
  • FIPS 200

800-40

Title: Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology

FIPS Reference: N/A

800-41

Title: Guidelines on Firewalls and Firewall Policy

FIPS Reference: N/A

800-46

Title: Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

FIPS Reference: FIPS 140

800-50

Title: Building an Information Technology Security Awareness and Training Program

FIPS Reference: N/A

800-51

Title: Guide to Using Vulnerability Naming Schemes

FIPS Reference: N/A

800-52

Title: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations

FIPS Reference: FIPS 140

800-53 Rev. 5

Title: Security and Privacy Controls for Information Systems and Organizations

FIPS Reference: 

  • FIPS 200
  • FIPS 201

800-53A Rev. 5

Title: Assessing Security and Privacy Controls in Information Systems and Organizations

FIPS Reference: FIPS 199

800-56A 

Title: Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography

FIPS Reference: FIPS 140

800-56B Rev. 2

Title: Recommendation for Pair-Wise Key-Establishment Using Integer Factorization Cryptography

FIPS Reference: FIPS 140

800-57 Part 1 Rev. 5

Title: Recommendation for Key Management - Part 1: General

FIPS Reference: 

  • FIPS 180
  • FIPS 186
  • FIPS 198

800-57 Part 3 Rev. 1

Title: Recommendation for Key Management, Part 3: Application-Specific Key Management Guidance

FIPS Reference: FIPS 140

800-59

Title: Guideline for Identifying an Information System as a National Security System

FIPS Reference: FIPS 201

800-60 Vol. 1 Rev. 1

Title: Guide for Mapping Types of Information and Information Systems to Security Categories

FIPS Reference: FIPS 200

800-61

Title: Computer Security Incident Handling Guide

FIPS Reference:

  • FIPS 140
  • FIPS 199
  • FIPS 200

800-63-3 

Title: Digital Identity Guidelines

FIPS Reference: FIPS 201

800-63A 

Title: Digital Identity Guidelines: Enrollment and Identity Proofing

FIPS Reference: FIPS 201

800-63B 

Title: Digital Identity Guidelines: Authentication and Lifecycle Management

FIPS Reference: FIPS 201

800-63C 

Title: Digital Identity Guidelines: Federation and Assertions

FIPS Reference: FIPS 201

800-70

Title: National Checklist Program for IT Products: Guidelines for Checklist Users and Developers

FIPS Reference:

  • FIPS 140
  • FIPS 199
  • FIPS 200

800-73-4

Title: Interfaces for Personal Identity Verification

FIPS Reference: FIPS 201

800-76-2

Title: Biometric Specifications for Personal Identity Verification

FIPS Reference: FIPS 201

800-78-4

Title: Cryptographic Algorithms and Key Sizes for Personal Identity Verification

FIPS Reference: FIPS 201

800-79-2

Title: Guidelines for the Authorization of Personal Identity Verification Card Issuers (PCI) and Derived PIV Credential Issuers (DPCI)

FIPS Reference: 

  • FIPS 140
  • FIPS 199
  • FIPS 200
  • FIPS 201

800-81

Title: Secure Domain Name System (DNS) Deployment Guide

FIPS Reference: 

  • FIPS 140
  • FIPS 180
  • FIPS 186
  • FIPS 198

800-85A-4

Title: PIV Card Application and Middleware Interface Test Guidelines (SP 800-73-4 Compliance)

FIPS Reference: FIPS 201

800-87 Rev. 2

Title: Codes for Identification of Federal and Federally-Assisted Organizations

FIPS Reference: FIPS 201

800-88

Title: Guidelines for Media Sanitization

FIPS Reference: 

  • FIPS 140
  • FIPS 199
  • FIPS 200

800-89

Title: Recommendation for Obtaining Assurances for Digital Signature Applications

FIPS Reference: FIPS 140

800-90A Rev. 1

Title: Recommendation for Random Number Generation Using Deterministic Random Bit Generators

FIPS Reference: FIPS 140

800-94

Title: Guide to Intrusion Detection and Prevention Systems (IDPS)

FIPS Reference: FIPS 140

800-96

Title: PIV Card to Reader Interoperability Guidelines

FIPS Reference: FIPS 201

800-97

Title: Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

FIPS Reference: FIPS 140

800-102

Title: Recommendation for Digital Signature Timeliness

FIPS Reference: FIPS 140

800-107

Title: Recommendation for Applications Using Approved Hash Algorithms

FIPS Reference: 

  • FIPS 180
  • FIPS 198
  • FIPS 202

800-111

Title: Guide to Storage Encryption Technologies for End User Devices

FIPS Reference: 

  • FIPS 140
  • FIPS 180
  • FIPS 197
  • FIPS 199

800-115

Title: Technical Guide to Information Security Testing and Assessment

FIPS Reference: 

  • FIPS 140
  • FIPS 199

800-116 Rev. 1

Title: Guidelines for the Use of PIV Credentials in Facility Access

FIPS Reference: FIPS 201

800-119

Title: Guidelines for the Secure Deployment of IPv6

FIPS Reference: FIPS 199

800-122

Title: Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

FIPS Reference: FIPS 201

800-124

Title: Guidelines for Managing the Security of Mobile Devices in the Enterprise

FIPS Reference: FIPS 140

800-126

Title: The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3

FIPS Reference: N/A

800-128

Title: Guide for Security-Focused Configuration Management of Information Systems

FIPS Reference: 

  • FIPS 140
  • FIPS 199
  • FIPS 200

800-131A Rev. 2

Title: Transitioning the Use of Cryptographic Algorithms and Key Lengths

FIPS Reference: FIPS 140

800-133 Rev. 2

Title: Recommendation for Cryptographic Key Generation

FIPS Reference: FIPS 197

800-137

Title: Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations

FIPS Reference: 

  • FIPS 199
  • FIPS 200

800-140

Title: FIPS 140-3 Derived Test Requirements (DTR): CMVP Validation Authority Updates to ISO/IEC 24759

FIPS Reference: FIPS 140

800-140A

Title: CMVP Documentation Requirements: CMVP Validation Authority Updates to ISO/IEC 24759

FIPS Reference: FIPS 140

800-140B Rev. 1

Title: Cryptographic Module Validation Program (CMVP) Security Policy Requirements: CMVP Validation Authority Updates to ISO/IEC 24759 and ISO/IEC 19790 Annex B

FIPS Reference: FIPS 140

800-140C Rev. 2

Title: Cryptographic Module Validation Program (CMVP)-Approved Security Functions: CMVP Validation Authority Updates to ISO/IEC 24759

FIPS Reference: FIPS 140

800-140D Rev. 2

Title: Cryptographic Module Validation Program (CMVP)-Approved Sensitive Security Parameter Generation and Establishment Methods: CMVP Validation Authority Updates to ISO/IEC 24759

FIPS Reference: FIPS 140

800-140E

Title: CMVP Approved Authentication Mechanisms: CMVP Validation Authority Requirements for ISO/IEC 19790 Annex E and ISO/IEC 24759 Section 6.17

FIPS Reference: FIPS 140

800-140F

Title: CMVP Approved Non-Invasive Attack Mitigation Test Metrics: CMVP Validation Authority Updates to ISO/IEC 24759

FIPS Reference: FIPS 140

800-144

Title: Guidelines on Security and Privacy in Public Cloud Computing

FIPS Reference: 

  • FIPS 199
  • FIPS 200

800-145

Title: The NIST Definition of Cloud Computing

FIPS Reference: N/A

800-152

Title: A Profile for U.S. Federal Cryptographic Key Management Systems (CKMS)

FIPS Reference: 

  • FIPS 140
  • FIPS 180
  • FIPS 186
  • FIPS 197
  • FIPS 198
  • FIPS 199
  • FIPS 200

800-153

Title: Guidelines for Securing Wireless Local Area Networks (WLANs)

FIPS Reference: 

  • FIPS 140
  • FIPS 199
  • FIPS 201

800-156

Title: Representation of PIV Chain-of-Trust for Import and Export

FIPS Reference: FIPS 201

800-157

Title: Guidelines for Derived Personal Identity Verification (PIV) Credentials

FIPS Reference: FIPS 201

800-163

Title: Vetting the Security of Mobile Applications

FIPS Reference: N/A

800-167

Title: Guide to Application Whitelisting

FIPS Reference: FIPS 140

800-171

Title: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

FIPS Reference: 

  • FIPS 199
  • FIPS 200

800-175A

Title: Guideline for Using Cryptographic Standards in the Federal Government: Directives, Mandates and Policies

FIPS Reference: 

  • FIPS 140
  • FIPS 199
  • FIPS 200
  • FIPS 201

800-175B

Title: Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms

FIPS Reference: 

  • FIPS 140
  • FIPS 180
  • FIPS 186
  • FIPS 197
  • FIPS 198
  • FIPS 199
  • FIPS 202

800-177

Title: Trustworthy Email

FIPS Reference: 

  • FIPS 199
  • FIPS 201

800-181

Title: Workforce Framework for Cybersecurity (NICE Framework)

FIPS Reference: N/A

800-186

Title: Recommendations for Discrete-Logarithm Based Cryptography: Elliptic Curve Domain Parameters

FIPS Reference: FIPS 186

800-207

Title: Zero Trust Architecture

FIPS Reference: FIPS 199

800-217

Title: Guidelines for the Use of Personal Identity Verification (PIV) Credentials with Federation

FIPS Reference: FIPS 201

800-219

Title: Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)

FIPS Reference: 

  • FIPS 140
  • FIPS 199

Executive Orders (E.O.)

An Executive Order (E.O.) is a signed, written, and published directive from the President of the United States that manages operations of the federal government. They are numbered consecutively, so executive orders may be referenced by their assigned number, or their topic. This list contains all E.O.s that relate to information security and privacy.

E.O. 9397

Title: Numbering System for Federal Accounts Relating to Individual Persons

Description: Establishes a centralized numbering system for federal accounts relating to individual persons in the United States.

Date Released: November 30, 1943

Oversight Responsibility: Social Security Administration (SSA)

Notes:

E.O. 11609

Title: Delegating certain functions vested in the President to other officers of the Government

Description: Delegates certain presidential authorities to other officers of the Government, including the GSA, to be exercised without further approval, ratification, or other action of the President.

Date Released: July 22, 1971

Oversight Responsibility: General Services Administration (GSA)

Notes:

E.O. 13011

Title: Federal Information Technology

Description: Aimed to improve the management and utilization of IT resources across federal agencies

Date Released: July 16, 1996

Oversight Responsibility: 

  • General Services Administration (GSA)
  • OMB
  • NIST
  • DHS

E.O. 13381

Title: Strengthening Processes Relating to Determining Eligibility for Access to Classified National Security Information

Description: Assists in determining eligibility for access to classified national security information, while taking appropriate account of title III of Public Law 108-458

Date Released: Jun 2005

Oversight Responsibility: OMB

Notes:

E.O. 13402

Title: Strengthening Federal Efforts To Protect Against Identity Theft

Description: Strengthens efforts to protect against identity theft

Date Released: May 2006

Oversight Responsibility: OMB

Notes:

E.O. 13439

Title: Establishing an Interagency Working Group on Import Safety

Description: Ensures that the executive branch takes all appropriate steps to promote the safety of imported products

Date Released: Jul 2007

Oversight Responsibility: HHS

Notes:

E.O. 13520

Title: Reducing Improper Payments and Eliminating Waste in Federal Programs

Description: Reduces payment errors and eliminates waste, fraud, and abuse in Federal programs

Date Released: Nov 2009

Oversight Responsibility: OMB

Notes:

E.O. 13526

Title: Classified National Security Information

Description: Prescribes a uniform system for classifying, safeguarding, and declassifying national security information, including information relating to defense against transnational terrorism

Date Released: Dec 2009

Oversight Responsibility: Information Security Oversight Office

Notes:

E.O. 13556

Title: Controlled Unclassified Information

Description: Establishes an open and uniform program for managing unclassified information requiring safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies

Date Released: November 4, 2010

Oversight Responsibility: National Archives & Records Administration (NARA)

Notes:

E.O. 13571

Title: Streamlining Service Delivery and Improving Customer Service

Description: Improves the quality of service to the public by the Federal Government

Date Released: Apr 2011

Oversight Responsibility: OMB

Notes:

E.O. 13576

Title: Delivering an Efficient, Effective, and Accountable Government

Description: Aims to cut waste, streamline Government operations, and reinforce the performance and management reform gains the Obama Administration has achieved

Date Released: Jun 2011

Oversight Responsibility: OMB

Notes:

E.O. 13583

Title: Establishing a Coordinated Government-wide Initiative to Promote Diversity and Inclusion in the Federal Workforce

Description: Promotes the Federal workplace as a model of equal opportunity, diversity, and inclusion

Date Released: Aug 2011

Oversight Responsibility: 

  • OPM
  • OMB
  • President’s Management Council (PMC)
  • Equal Employment Opportunity Commission (EEOC)

Notes:

E.O. 13589

Title: Promoting Efficient Spending

Description: Further promotes efficient spending in the Federal Government

Date Released: Nov 2011

Oversight Responsibility: OMB

Notes:

E.O. 13636

Title: Improving Critical Infrastructure Cybersecurity

Description: Designed to increase the level of core capabilities for our critical infrastructure to manage cyber risk. It does this by focusing on three key areas: (1) information sharing, (2) privacy, and (3) the adoption of cybersecurity practices.

Date Released: February 12, 2013

Oversight Responsibility: 

  • NIST
  • DHS

Notes:

E.O. 13564

Title: The President's Council on Jobs and Competitiveness

Description: Aims to strengthen the Nation's economy and ensure the competitiveness of the United States and to create jobs, opportunity, and prosperity for the American people by ensuring the availability of non partisan advice to the President from participants in and experts on the economy

Date Released: Jan 2011

Oversight Responsibility: Department of Treasury

Notes:

E.O. 13681

Title: Improving the Security of Consumer Financial Transactions

Description: Improves the security of consumer financial transactions in both the private and public sectors

Date Released: October 17, 2014

Oversight Responsibility: 

  • Department of Treasury
  • Department of Justice
  • Department of Commerce
  • General Services Administration (GSA)
  • Social Security Administration (SSA)
  • Federal Trade Commission (FTC)
  • OMB
  • DHS

Notes:

E.O. 13719

Title: Establishment of the Federal Privacy Council

Description: The Federal Privacy Council is the principal interagency forum to improve the privacy practices of agencies and entities acting on their behalf.

Date Released: February 9, 2016

Oversight Responsibility: Federal Privacy Council (FPC)

Notes:

E.O. 13800

Title: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Description: Modernizes federal information technology infrastructure, working with state and local government and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies

Date Released: May 11, 2017

Oversight Responsibility: DHS

Notes:

E.O. 13833

Title: Enhancing the Effectiveness of Agency Chief Information Officers

Description: Strengthens the role and responsibilities of Chief Information Officers (CIOs) within federal agencies to improve the efficiency and effectiveness of IT management

Date Released: May 15, 2018

Oversight Responsibility: OMB

Notes:

E.O. 13834

Title: Efficient Federal Operations

Description: Improves the efficiency, effectiveness, and accountability of federal agencies in managing their operations and resources

Date Released: May 17, 2018

Oversight Responsibility: OMB

Notes:

E.O. 13859

Title: Maintaining American Leadership in Artificial Intelligence

Description: Identifies five key lines of effort, including increasing AI research investment, unleashing Federal AI computing and data resources, setting AI technical standards, building America’s AI workforce, and engaging with international allies

Date Released: Feb 2019

Oversight Responsibility: National AI Initiative Office

Notes: To oversee and implement the U.S. national AI strategy, the White House established the National Artificial Intelligence Initiative Office in January 2021, as required by the National AI Initiative Act of 2020 (enacted January 1, 2021 as Division E of the FY2021 National Defense Authorization Act)

E.O. 13873

Title: Securing the Information and Communications Technology and Services Supply Chain

Description: Strengthens efforts to prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and services

Date Released: May 2019

Oversight Responsibility: 

  • Department of Commerce
  • CISA
  • ICT SCRM Task Force

Notes: 

E.O. 13960

Title: Promoting the Use of Trustworthy Artificial Intelligence in the Federal Government

Description: Establishes principles for the use of AI in the Federal Government, establishes a common policy for implementing the principles, directs agencies to catalogue their AI use cases

Date Released: December 3, 2020

Oversight Responsibility: 

  • General Services Administration (GSA)
  • NIST
  • OMB

Notes:

E.O. 14028

Title: Improving the Nation's Cybersecurity

Description: Charges multiple agencies, including NIST, with enhancing cybersecurity through a variety of initiatives related to the security and integrity of the software supply chain

Date Released: May 2021

Oversight Responsibility: NIST

Notes:

E.O. 14034

Title: Protecting Americans' Sensitive Data From Foreign Adversaries

Description: Requires government agencies to issue regulations that prohibit, or otherwise restrict, certain categories of data transactions that pose an unacceptable risk to national security.

Date Released: June 2021

Oversight Responsibility: 

  • OMB
  • Department of Justice

Notes:

E.O. 14110

Title: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

Description: Establishes a government-wide effort to guide responsible artificial intelligence (AI) development and deployment through federal agency leadership, regulation of industry, and engagement with international partners

Date Released: October 30, 2023

Oversight Responsibility: 

  • NIST
  • Office of Science and Technology Policy (OSTP)

Notes:

Government Accountability Office (GAO) and GAO Accounting and Information Management Division (AIMD)

The U.S. Government Accountability Office (GAO) provides Congress, the heads of executive agencies, and the public with timely, fact-based, non-partisan information that can be used to improve government and save taxpayers billions of dollars. The GAO reports provide findings from their audits.

AIMD-10.1.13

Title: Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making

Date Released: February 3, 1997

Authority: 

  • Paperwork Reduction Act (PRA)
  • Clinger-Cohen Act
  • Government Performance and Results Act (GPRA)
  • Chief Financial Officers Act

Notes:

GAO 04-394G

Title: Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity

Date Released: March 1, 2004

Authority: Clinger-Cohen Act

Notes:

GAO 05-471

Title: Internet Protocol Version 6: Federal Agencies Need to Plan for Transition and Manage Security Risks

Date Released: May 20, 2005

Authority: N/A

Notes:

GAO 13-87

Title: Information Technology Investment Management: A Framework for Assessing and Improving Process Maturity

Date Released: March 1, 2004

Authority: Clinger-Cohen Act

Notes:

GAO 14-413

Title: Federal Software Licenses: Better Management Needed to Achieve Significant Savings Government-Wide

Date Released: May 22, 2014

Authority: Clinger-Cohen Act

Notes:

GAO 16-469

Title: Information Technology Reform: Agencies Need to Increase Their Use of Incremental Development Practices

Date Released: August 16, 2016

Authority: FITARA

Notes:

GAO 20-195G

Title: Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Program Costs

Date Released: March 12, 2020

Authority: N/A

Notes:

Federal Continuity Directives

Federal Continuity Directives (FCDs) and Presidential Policy Directives (PPDs) are both directives that guide and coordinate specific policies, programs, and activities across the federal government, but they come from different issuers.

PPDs are statements issued by the President of the United States that set forth national policies and decisions. FCDs are issued by the Department of Homeland Security through the Federal Emergency Management Agency (FEMA) and set requirements for ensuring the continuity and resilience of executive branch operations during emergencies and crises.

FCD-1

Title: Federal Executive Branch National Continuity Program and Requirements

Date Released: January 17, 2017

Corresponding Federal Authority: DHS

Notes:

FCD-2

Title: Federal Executive Branch Mission Essential Functions and Candidate Primary Mission Essential Functions Identification and Submission Process

Date Released: June 13, 2017

Corresponding Federal Authority: DHS

Notes:

PPD-1

Title: Organization of the National Security Council System

Date Released: February 13, 2009

Corresponding Federal Authority: National Security Council (NSC)

Notes:

PPD-2

Title: Implementation of the National Strategy for Countering Biological Threats

Date Released: November 23, 2009

Corresponding Federal Authority: National Security Staff Executive Secretary

Notes:

PPD-40

Title: National Continuity Policy

Date Released: July 15, 2016

Corresponding Federal Authority: Federal Emergency Management Agency (FEMA)

Notes:

PPD-41

Title: United States Cyber Incident Coordination

Date Released: July 26, 2016

Corresponding Federal Authority: DHS

Notes:

OMB Circulars

OMB Circulars are a series of guidance documents issued by the Office of Management and Budget (OMB) of the United States federal government. They provide instructions, requirements, and policies for federal agencies in specific areas of financial management, budgeting, procurement, grants management, and administrative operations.

A-11

Title: Preparation, Submission, and Execution of the Budget

Date Released: 8/11/2023

Implements: GPRA

Notes:

A-19

Title: Legislative Coordination and Clearance

Date Released: 9/20/1979

Implements: Budget Control Act of 2011

Notes:

A-76

Title: Performance of Commercial Activities

Date Released: 11/14/2002

Implements: 

  • Federal Procurement Policy Act
  • FAIR Act
  • EO 11609

Notes:

A-94

Title: Guidelines and Discount Rates for Benefit-Cost Analysis of Federal Programs

Date Released: 11/9/2023

Implements: Budget and Accounting Act of 1921

Notes:

A-108

Title: Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act

Date Released: 7/1/1975 (reissued 12/23/2016)

Implements: 

  • Privacy Act of 1974
  • Paperwork Reduction Act (PRA)
  • FISMA 2014

Notes:

A-123

Title: Management’s Responsibility for Internal Control

Date Released: 12/21/2004

Implements: 

  • Sarbanes-Oxley Act
  • Federal Managers' Financial Integrity Act

Notes:

A-130

Title: Managing Information as a Strategic Resource

Date Released: 7/28/2016

Implements: 

  • Clinger-Cohen Act
  • E-Government Act
  • FISMA 2014
  • FITARA
  • PRA
  • Privacy Act of 1974
  • Digital Accountability and Transparency Act
  • Electronic Signatures in Global and National Commerce Act
  • Government Paperwork Elimination Act
  • GPRA
  • Office of Federal Procurement Policy Act
  • Budget and Accounting Procedures Act
  • Chief Financial Officers Act
  • EO 13719

Notes:

A-136

Title: Financial Reporting Requirements

Date Released: 5/30/2024

Implements: 

  • Chief Financial Officers Act of 1990
  • Government Management Reform Act of 1994
  • Accountability of Tax Dollars Act of 2002

Notes:

OMB Memos

The Office of Management and Budget (OMB) memoranda provide Federal agencies with instructions and implementation guidance for specific management priorities or legislative requirements. Some are annual updates, such as the yearly FISMA reporting requirements; others provide longer-term guidance for agency implementation.

2024

M-24-08

Title: Strengthening Digital Accessibility and the Management of Section 508 of the Rehabilitation Act (digital)

Date Released: 12/21/2023

Implements: Section 508 of the Rehabilitation Act

M-24-04

Title: Fiscal Year 2024 Guidance on Federal Information Security and Privacy Management Requirements

Date Released: 12/4/2023

Implements: 

  • FISMA
  • E.O. 14028

M-24-02

Title: Implementation Guidance on Application of Buy America Preference in Federal Financial Assistance Programs for Infrastructure

Date Released: 10/25/2023

Implements: Buy America Act

2023

M-23-22

Title: Delivering a Digital-First Public Experience (digital)

Date Released: 9/22/2023

Implements: 21st Century Integrated Digital Experience Act

M-23-20

Title: Multi-Agency Research and Development Priorities for the FY 2025 Budget

Date Released: 8/17/2023

Implements: N/A

M-23-18

Title: Administration Cybersecurity Priorities for the FY 2025 Budget

Date Released: 6/27/2023

Implements: National Cybersecurity Strategy (NCS)

M-23-16

Title: Update to Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

Date Released: 6/9/2023

Implements: E.O. 14028

M-23-13

Title: “No TikTok on Government Devices” Implementation Guidance

Date Released: 2/27/2023

Implements: No TikTok on Government Devices Act

M-23-10

Title: The Registration and Use of .gov Domains in the Federal Government

Date Released: 2/8/2023

Implements: DOTGOV Online Trust in Government Act of 2020

M-23-07

Title: Update to Transition to Electronic Records

Date Released: 12/23/2022

Implements: N/A

M-23-02

Title: Migrating to Post-Quantum Cryptography

Date Released: 11/18/2022

Implements: 

  • E.O. 14028
  • FISMA 2014

2022

M-22-18

Title: Enhancing the Security of the Software Supply Chain through Secure Software Development Practices

Date Released: 9/14/2022

Implements: 

  • FISMA 2014
  • E.O. 14028

M-22-16

Title: Administration Cybersecurity Priorities for the FY 2024 Budget

Date Released: 7/22/2022

Implements: E.O. 14028

M-22-15

Title: Multi-Agency Research and Development Priorities for the FY 2024 Budget

Date Released: 7/22/2022

Implements: N/A

M-22-09

Title: Moving the U.S. Government Toward Zero Trust Cybersecurity Principles

Date Released: 1/26/2022

Implements:

  • E.O. 14028
  • FISMA 2014

M-22-04

Title: Promoting Accountability through Cooperation among Agencies and Inspectors General

Date Released: 12/3/2021

Implements: IG Act

M-22-01

Title: Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Systems through Endpoint Detection and Response

Date Released: 10/8/2021

Implements: E.O. 14028

2021

M-21-32

Title: Multi-Agency Research and Development Priorities for the FY 2023 Budget

Date Released: 8/27/2021

Implements: N/A

M-21-31

Title: Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents

Date Released: 8/27/2021

Implements: E.O. 14028

M-21-30

Title: Protecting Critical Software Through Enhanced Security Measures

Date Released: 8/10/2021

Implements: E.O. 14028

M-21-07

Title: Completing the Transition to Internet Protocol Version 6 (IPv6)

Date Released: 11/19/2020

Implements: FAR

M-21-06

Title: Guidance for Regulation of Artificial Intelligence Applications

Date Released: 11/17/2020

Implements: E.O. 13859

M-21-05

Title: Extension of Data Center Optimization Initiative (DCOI)

Date Released: 11/13/2020

Implements: FITARA

M-21-04

Title: Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act

Date Released: 11/12/2020

Implements: The Privacy Act of 1974

2020

M-20-32

Title: Improving Vulnerability Identification, Management, and Remediation

Date Released: 9/2/2020

Implements: FISMA

M-20-29

Title: R & D Guidance

Date Released: 8/14/2020

Implements: N/A

M-20-19

Title: Harnessing Technology to Support Mission Continuity

Date Released: 3/22/2020

Implements: N/A

M-20-04

Title: Fiscal Year 2019-2020 Guidance on Federal Information Security and Privacy Management Requirements

Date Released: 11/19/2019

Implements: 

  • FISMA 2014
  • E.O. 14028

2019

M-19-26

Title: Update to the Trusted Internet Connections (TIC) Initiative

Date Released: 9/12/2019

Implements: N/A

M-19-21

Title: Transition of Electronic Records

Date Released: 6/28/2019

Implements: NARA

M-19-19

Title: Update to Data Center Optimization Initiative

Date Released: 6/25/2019

Implements: FITARA

M-19-18

Title: Federal Data Strategy – A Framework for Consistency

Date Released: 6/4/2019

Implements: N/A

M-19-17

Title: Enabling Mission Delivery through Improved Identity, Credential, and Access Management

Date Released: 5/21/2019

Implements: HSPD-12

M-19-10

Title: Guidance for Achieving Interoperability with the National Freedom of Information Act (FOIA) Portal on FOIA.gov

Date Released: 2/12/2019

Implements: FOIA

M-19-03

Title: Strengthening the Cybersecurity of Federal Agencies by Enhancing the High Value Asset Program

Date Released: 12/10/2018

Implements: High Value Asset (HVA) program

M-19-02

Title: Fiscal Year 2018-2019 Guidance on Federal Information Security and Privacy Management Requirements

Date Released: 10/25/2018

Implements:

  • FISMA 2014
  • E.O. 14028

M-19-01

Title: Request for Agency Feedback on the Federal Data Strategy

Date Released: 10/16/2018

Implements: Federal Data Strategy

2018

M-18-26

Title: Incentivizing Workforce Participation and Expanding Recruitment Sources for the 2020 Decennial Census

Date Released: 9/28/2018

Implements: N/A

M-18-22

Title: FY 2020 Administration Research and Development Budget Priorities

Date Released: 7/31/2018

Implements: N/A

M-18-20

Title: Appendix C to OMB Circular No. A-123, Requirements for Payment Integrity Improvement

Date Released: 6/26/2018

Implements: OMB A-123

2017

M-17-32

Title: Travel on Government-Owned, Rented, Leased or Chartered Aircraft

Date Released: 9/29/2017

Implements: OMB A-126

M-17-25

Title: Reporting Guidance for Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Date Released: 5/19/2017

Implements: FISMA 2014

M-17-23

Title: Guidance on Regulatory Reform Accountability under Executive Order 13777, titled “Enforcing the Regulatory Reform Agenda”

Date Released: 4/28/2017

Implements: EO 13777

M-17-22

Title: Comprehensive Plan for Reforming the Federal Government and Reducing the Federal Civilian Workforce

Date Released: 4/12/2017

Implements: GPRA Modernization Act of 2010

M-17-21

Title: Implementing Executive Order 13771, Titled “Reducing Regulation and Controlling Regulatory Costs”

Date Released: 4/5/2017

Implements: EO 13771

M-17-19

Title: Legislative Coordination and Clearance

Date Released: 2/28/2017

Implements: OMB A-19

M-17-15

Title: Rescission of Memoranda Relating to Identity Management

Date Released: 1/19/2017

Implements: HSPD-12

M-17-12

Title: Preparing for and Responding to a Breach of Personally Identifiable Information

Date Released: 1/3/2017

Implements: FISMA 2014

M-17-09

Title: Management of Federal High Value Assets

Date Released: 12/9/2016

Implements: 

  • FISMA 2014
  • B.O.D. 18-02
  • HHS HVA Program

M-17-04

Title: Additional Guidance for Data Act Implementation: Further Requirements For Reporting And Assuring Data Reliability

Date Released: 11/4/2016

Implements: DATA Act

M-17-03

Title: Institutionalizing Hiring Excellence To Achieve Mission Outcomes

Date Released: 11/1/2016

Implements: President’s Management Agenda (PMA) Cross Agency Priority (CAP)

M-17-02

Title: Precision Medicine Initiative Privacy and Security

Date Released: 10/21/2016

Implements: 

  • FISMA 2014
  • Paperwork Reduction Act
  • HIPAA
  • E-Government Act of 2002
  • Genetic Information Nondiscrimination Act
  • Privacy Act of 1974

2016

M-16-24

Title: Role and Designation of Senior Agency Officials for Privacy

Date Released: 9/15/2016

Implements: 

  • EO 13719
  • OMB A-130

M-16-23

Title: Prioritizing Federal Investments in Promise Zones

Date Released: 9/2/2016

Implements: N/A

M-16-21

Title: Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software

Date Released: 8/8/2016

Implements: Clinger-Cohen Act

M-16-17

Title: OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control

Date Released: 7/15/2016

Implements: OMB A-123

M-16-15

Title: Federal Cybersecurity Workforce Strategy

Date Released: 7/12/2016

Implements: N/A

M-16-14

Title: Category Management Policy 16-2: Providing Comprehensive Identity Protection Services, Identity Monitoring, and Data Breach Response

Date Released: 7/1/2016

Implements: N/A

M-16-12

Title: Category Management Policy 16-1: Improving the Acquisition and Management of Common Information Technology: Software Licensing

Date Released: 6/2/2016

Implements: GAO 14-413

M-16-11

Title: Improving Administrative Functions Through Shared Services

Date Released: 5/4/2016

Implements: Federal Cloud Computing Strategy - Cloud Smart

M-16-08

Title: Establishment of the Core Federal Services Council

Date Released: 3/30/2016

Implements: President’s Management Agenda (PMA) Cross Agency Priority (CAP)

M-16-04

Title: Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Civilian Government

Date Released: 10/30/2015

Implements: FISMA 2014

M-16-02

Title: Category Management Policy 15-1: Improving the Acquisition and Management of Common Information Technology: Laptops and Desktops

Date Released: 10/16/2015

Implements: FITARA

2015

M-15-18

Title: Fiscal Year 2017 Budget Guidance for Countering Biological Threats Resource Priorities

Date Released: 7/9/2015

Implements: PPD-2

M-15-16

Title: Multi-Agency Science and Technology Priorities for the FY 2017 Budget

Date Released: 7/9/2015

Implements: N/A

M-15-15

Title: Improving Statistical Activities through Interagency Collaboration

Date Released: 7/8/2015

Implements: Economy Act

M-15-14

Title: Management and Oversight of Federal Information Technology

Date Released: 6/10/2015

Implements: FITARA

M-15-13

Title: Policy to Require Secure Connections across Federal Websites and Web Services

Date Released: 6/8/2015

Implements: FISMA 2014

M-15-11

Title: Fiscal Year 2017 Budget Guidance

Date Released: 5/1/2015

Implements: 

  • DATA Act
  • FITARA

M-15-09

Title: Guidance on Implementing the Federal Customer Service Awards Program

Date Released: 3/19/2015

Implements: EO 13571

M-15-07

Title: Establishment of a Diversity and Inclusion in Government Council

Date Released: 3/6/2015

Implements: EO 13583

M-15-02

Title: Appendix C to Circular No. A-123, Requirements for Effective Estimation and Remediation of Improper Payments

Date Released: 10/20/2014

Implements: OMB A-123

2014

M-14-17

Title: Metrics for Uniform Guidance (2 C.F.R. 200)

Date Released: 9/30/2014

Implements: EO 13520

M-14-16

Title: Guidance on Managing Email

Date Released: 9/15/2014

Implements: Managing Government Records Directive of 2012

M-14-15

Title: Ensuring That Employment and Training Programs Are Job-Driven

Date Released: 7/22/2014

Implements: N/A

M-14-14

Title: Fiscal Year 2016 Budget Guidance for Countering Biological Threats Resource Priorities

Date Released: 7/18/2014

Implements: PPD-2

M-14-13

Title: Fiscal Year 2016 Budget Guidance for Combating Antibiotic Resistant Bacteria Resource Priorities

Date Released: 7/18/2014

Implements: PPD-1

M-14-12

Title: Management Agenda Priorities for the FY 2016 Budget

Date Released: 7/18/2014

Implements: N/A

M-14-11

Title: Science and Technology Priorities for FY 2016 Budget

Date Released: 7/18/2014

Implements: N/A

M-14-06

Title: Guidance for Providing and Using Administrative Data for Statistical Purposes

Date Released: 3/14/2014

Implements: N/A

M-14-04

Title: Fiscal Year 2013 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Date Released: 11/18/2013

Implements: FISMA 2014

M-14-03

Title: Enhancing the Security of Federal Information and Information Systems

Date Released: 11/1/2013

Implements: GPRA Modernization Act of 2010

2013

M-13-20

Title: Protecting Privacy while Reducing Improper Payments with the Do Not Pay Initiative

Date Released: 8/16/2013

Implements: 

  • IPERIA 2012
  • Do Not Pay (DNP) Initiative

M-13-17

Title: Next Steps in the Evidence and Innovation Agenda

Date Released: 7/26/2013

Implements: N/A

M-13-16

Title: Science and Technology Priorities for the FY 2015 Budget

Date Released: 7/26/2013

Implements: N/A

M-13-13

Title: Open Data Policy – Managing Information as an Asset

Date Released: 5/9/2013

Implements: EO 13642

M-13-10

Title: Antideficiency Act Implications of Certain Online Terms of Service Agreements

Date Released: 4/4/2013

Implements: Antideficiency Act

M-13-09

Title: Fiscal Year 2013 PortfolioStat Guidance: Strengthening Federal IT Portfolio Management

Date Released: 3/27/2013

Implements: N/A

M-13-06

Title: Issuance of the Sequestration Order Pursuant To Section 251A of the Balanced Budget and Emergency Deficit Control Act of 1985, as Amended

Date Released: 3/1/2013

Implements: Budget Control Act of 2011

M-13-02

Title: Improving Acquisition through Strategic Sourcing

Date Released: 12/5/2012

Implements: N/A

2012

M-12-20

Title: FY 2012 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Date Released: 9/27/2012

Implements: FISMA 2014

M-12-18

Title: Managing Government Records Directive

Date Released: 8/24/2012

Implements: Presidential Memorandum - Managing Government Records

M-12-15

Title: Science and Technology Priorities for the FY 2014 Budget

Date Released: 6/6/2012

Implements: N/A

M-12-14

Title: Use of Evidence and Evaluation in the 2014 Budget

Date Released: 5/18/2012

Implements: N/A

M-12-12

Title: Promoting Efficient Spending to Support Agency Operations

Date Released: 5/11/2012

Implements: EO 13589

M-12-11

Title: Reducing Improper Payments through the “Do Not Pay List”

Date Released: 4/12/2012

Implements: EO 13520

M-12-09

Title: Federal Activities Inventory Reform (FAIR) Act Submission for Fiscal Year 2012

Date Released: 3/26/2012

Implements: 

  • FAIR Act
  • OMB A-76

M-12-01

Title: Creation of the Council on Financial Assistance Reform

Date Released: 10/27/2011

Implements: EO 13576

2011

M-11-33

Title: FY 2011 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management

Date Released: 9/14/2011

Implements: FISMA 2014

M-11-27

Title: Implementing the Telework Enhancement Act of 2010: Security Guidelines

Date Released: 7/15/2011

Implements: Telework Enhancement Act of 2010

M-11-26

Title: New Fast-Track Process for Collecting Service Delivery Feedback Under the Paperwork Reduction Act

Date Released: 6/15/2011

Implements: Paperwork Reduction Act

M-11-21

Title: Implementing the Presidential Memorandum “Administrative Flexibility, Lower Costs, and Better Results for State, Local, and Tribal Governments”

Date Released: 4/29/2011

Implements: Presidential Memorandum - Administrative Flexibility

M-11-16

Title: 2011 Issuance of Revised Parts I and II to Appendix C of OMB Circular A-123

Date Released: 4/14/2011

Implements: OMB A-123

M-11-15

Title: 2011 Final Guidance on Implementing the Plain Writing Act of 2010

Date Released: 4/13/2011

Implements: Plain Writing Act of 2010

M-11-11

Title: Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors

Date Released: 2/3/2011

Implements: HSPD-12

M-11-08

Title: Initial Assessments of Safeguarding and Counterintelligence Postures for Classified National Security Information in Automated Systems

Date Released: 1/3/2011

Implements: EO 13526

M-11-04

Title: Increasing Efforts to Recapture Improper Payments by Intensifying and Expanding Payment Recapture Audits

Date Released: 11/16/2010

Implements: IPERIA 2012

M-11-02

Title: Sharing Data While Protecting Privacy

Date Released: 11/3/2010

Implements: Privacy Act of 1974

M-11-01

Title: Pilot Projects for the Partnership Fund for Program Integrity Innovation

Date Released: 10/19/2010

Implements: Consolidated Appropriations Act of 2010

2010

M-10-34

Title: Updated Guidance on the American Recovery and Reinvestment Act

Date Released: 9/24/2010

Implements: American Recovery and Reinvestment Act of 2009

M-10-30

Title: Science and Technology Priorities for the FY 2012 Budget

Date Released: 7/1/2010

Implements: N/A

M-10-26

Title: Immediate Review of Financial Systems IT Projects

Date Released: 6/28/2010

Implements: OMB A-123

M-10-23

Title: Guidance for Agency Use of Third-Party Websites and Applications

Date Released: 6/25/2010

Implements: Paperwork Reduction Act

M-10-22

Title: Guidance for Online Use of Web Measurement and Customization Technologies

Date Released: 6/25/2010

Implements: OMB M-10-06

M-10-21

Title: Developing Effective Place-Based Policies for the FY 2012 Budget

Date Released: 6/21/2010

Implements: N/A

M-10-16

Title: Grants.gov – Return to Normal Operations

Date Released: 4/23/2010

Implements: American Recovery and Reinvestment Act of 2009

M-10-14

Title: Updated Guidance on the American Recovery and Reinvestment Act

Date Released: 3/22/2010

Implements: American Recovery and Reinvestment Act of 2009

M-10-13

Title: Issuance of Part III to OMB Circular A-123, Appendix C

Date Released: 3/22/2010

Implements: OMB A-123

M-10-10

Title: Federal Agency Coordination on Health Information Technology (HIT)

Date Released: 2/19/2010

Implements: HITECH

M-10-03

Title: Payments to State Grantees for their Administrative Costs for Recovery Act Funding – Alternative Allocation Methodologies

Date Released: 10/13/2009

Implements: American Recovery and Reinvestment Act of 2009

M-10-01

Title: Increased Emphasis on Program Evaluations

Date Released: 10/7/2009

Implements: N/A

2009

M-09-33

Title: Technical Amendments to OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements

Date Released: 9/23/2009

Implements: 

  • OMB A-123
  • OMB A-136

M-09-32

Title: Update on the Trusted Internet Connections Initiative

Date Released: 9/16/2009

Implements: Trusted Internet Connections Initiative

M-09-27

Title: Science and Technology Priorities for the FY 2011 Budget

Date Released: 8/4/2009

Implements: N/A

M-09-18

Title: Payments to State Grantees for Administrative Costs of Recovery Act Activities

Date Released: 5/11/2009

Implements: American Recovery and Reinvestment Act of 2009

M-09-17

Title: Improving Grants.gov

Date Released: 4/8/2009

Implements: American Recovery and Reinvestment Act of 2009

M-09-15

Title: Updated Implementing Guidance for the American Recovery and Reinvestment Act of 2009

Date Released: 4/3/2009

Implements: American Recovery and Reinvestment Act of 2009

M-09-14

Title: Recovery Act Implementation – Improving Grants.gov and Other Critical Systems

Date Released: 3/9/2009

Implements: American Recovery and Reinvestment Act of 2009

M-09-12

Title: Recovery Act Implementation – Improving Grants.gov and Other Critical Systems

Date Released: 3/9/2009

Implements: American Recovery and Reinvestment Act of 2009

M-09-10

Title: Initial Implementing Guidance for the American Recovery and Reinvestment Act of 2009

Date Released: 2/18/2009

Implements: American Recovery and Reinvestment Act of 2009

2008

M-08-27

Title: Guidance for Trusted Internet Connection (TIC) Compliance

Date Released: 9/30/2008

Implements: Trusted Internet Connections Initiative

M-08-25

Title: Guidance for Completing FY 2008 Financial and Performance Reports

Date Released: 8/25/2008

Implements: N/A

M-08-24

Title: Technical Amendments to OMB Bulletin No. 07-04, Audit Requirements for Federal Financial Statements

Date Released: 8/25/2008

Implements: OMB Bulletin No. 07-04

M-08-16

Title: Guidance for Trusted Internet Connection Statement of Capability Form (SOC)

Date Released: 4/4/2008

Implements: Trusted Internet Connections Initiative

M-08-15

Title: Tools Available for Implementing Electronic Records Management

Date Released: 3/31/2008

Implements:

  • OMB A-130
  • Paperwork Reduction Act

M-08-14

Title: 2008 Inventories of Commercial and Inherently Governmental Activities

Date Released: 3/26/2008

Implements:

  • FAIR Act
  • OMB A-76

M-08-13

Title: Update to Civilian Position Full Fringe Benefit Cost Factor, Federal Pay Raise Assumptions, and Inflation Factors used in OMB Circular No. A-76, “Performance of Commercial Activities”

Date Released: 3/11/2008

Implements: OMB A-76

M-08-11

Title: Competitive Sourcing Requirements in Division D of Public Law 110-161

Date Released: 2/20/2008

Implements: Consolidated Appropriations Act of 2010

M-08-09

Title: New FISMA Privacy Reporting Requirements for FY 2008

Date Released: 1/18/2008

Implements: FISMA 2014

M-08-05

Title: Implementation of Trusted Internet Connections (TIC)

Date Released: 11/20/2007

Implements: Trusted Internet Connections Initiative

2007

M-07-25

Title: BioShield Procurement Approval Anthrax Vaccine Adsorbed

Date Released: 9/20/2007

Implements: 

  • Project BioShield Act of 2004
  • Public Health Service Act

M-07-24

Title: Updated Principles for Risk Analysis

Date Released: 9/19/2007

Implements: OMB Memorandum - Principles for Risk Analysis

M-07-23

Title: Requiring Agency Use of the International Trade Data System

Date Released: 9/10/2007

Implements: EO 13439

M-07-21

Title: Verifying the Employment Eligibility of Federal Employees

Date Released: 8/10/2007

Implements: HSPD-12

M-07-20

Title: FY 2007 E-Government Act Reporting Instructions

Date Released: 8/14/2007

Implements: E-Government Act of 2002

M-07-18

Title: Ensuring New Acquisitions Include Common Security Configurations

Date Released: 6/1/2007

Implements: FISMA 2014

M-07-16

Title: Safeguarding Against and Responding to the Breach of Personally Identifiable Information

Date Released: 5/22/2007

Implements: FISMA 2014

N/A

Title: Competition Framework for Human Resources Management Line of Business Migrations

Date Released: 5/18/2007

Implements: N/A

M-07-14

Title: 2007 Inventories of Commercial and Inherently Governmental Activities

Date Released: 5/3/2007

Implements: 

  • FAIR Act
  • OMB A-76

M-07-02

Title: Update to Civilian Position Full Fringe Benefit Cost Factor, Federal Pay Raise Assumptions, Inflation Factors, and Tax Rates used in OMB Circular No. A-76, “Performance of Commercial Activities”

Date Released: 10/31/2006

Implements: OMB A-76

2006

N/A

Title: Recommendations for Identity Theft Related Data Breach Notification

Date Released: 9/20/2006

Implements: EO 13402

M-06-25

Title: FY 2006 E-Government Act Reporting Instructions

Date Released: 8/25/2006

Implements: E-Government Act of 2002

M-06-21

Title: Reciprocal Recognition of Existing Personnel Security Clearances

Date Released: 7/17/2006

Implements: EO 12958

M-06-19

Title: Reporting Incidents Involving Personally Identifiable Information Incorporating the Cost for Security in Agency Information Technology Investments

Date Released: 7/12/2006

Implements: FISMA 2014

M-06-18

Title: Acquisition of Products and Services for Implementation of HSPD-12

Date Released: 6/30/2006

Implements: HSPD-12

M-06-15

Title: Safeguarding Personally Identifiable Information

Date Released: 5/22/2006

Implements: Privacy Act of 1974

M-06-12

Title: Follow-up Memorandum on “Implementation of the President’s Executive Order ‘Improving Agency Disclosure of Information’”

Date Released: 4/13/2006

Implements: FOIA

M-06-06

Title: Sample Privacy Documents for Agency Implementation of Homeland Security Presidential Directive (HSPD) 12

Date Released: 2/17/2006

Implements: HSPD-12

M-06-04

Title: Implementation of the President’s Executive Order “Improving Agency Disclosure of Information”

Date Released: 12/30/2005

Implements: FOIA

N/A

Title: Reciprocal Recognition of Existing Personnel Security Clearances

Date Released: 12/12/2005

Implements: Intelligence Reform and Terrorism Prevention Act of 2004

M-06-02

Title: Improving Public Access to and Dissemination of Government Information and Using the Federal Enterprise Architecture Data Reference Model

Date Released: 12/16/2005

Implements: 

  • Paperwork Reduction Act
  • E-Government Act of 2002

2005

M-05-25

Title: SmartBUY Agreement with Oracle

Date Released: 8/25/2005

Implements: N/A

M-05-24

Title: Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors

Date Released: 8/25/2005

Implements: HSPD-12

M-05-23

Title: Improving Information Technology (IT) Project Planning and Execution

Date Released: 8/4/2005

Implements: N/A

M-05-22

Title: Transition Planning for Internet Protocol Version 6 (IPv6)

Date Released: 8/2/2005

Implements: GAO 05-471

M-05-17

Title: Allocation of Responsibilities For Security Clearances Under the Executive Order, Strengthening Processes Relating to Determining Eligibility for Access to Classified National Security Information

Date Released: 6/30/2005

Implements: EO 13381

M-05-16

Title: Regulation on Maintaining Telecommunication Services During a Crisis or Emergency in Federally-owned Buildings

Date Released: 6/30/2005

Implements: Section 414 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act

M-05-08

Title: Designation of Senior Agency Officials for Privacy

Date Released: 2/11/2005

Implements: Privacy Act of 1974

M-05-05

Title: Electronic Signatures: How to Mitigate the Risk of Commercial Managed Services

Date Released: 12/20/2004

Implements: N/A

M-05-04

Title: Policies for Federal Agency Public Websites

Date Released: 12/17/2004

Implements: E-Government Act of 2002

2004

N/A

Title: Section E — FY04 FISMA Reporting Template

Date Released: N/A

Implements: FISMA 2014

M-04-24

Title: Expanded Electronic Government (E-Gov) President’s Management Agenda (PMA) Scorecard Cost, Schedule and Performance Standard for Success

Date Released: 8/23/2004

Implements: President’s Management Agenda - Expanded Electronic Government (E-Gov) Initiative

M-04-19

Title: Information Technology (IT) Project Manager (PM) Qualification Guidance

Date Released: 7/21/2004

Implements: N/A

M-04-18

Title: Medicare Modernization Act and Federal Programs

Date Released: 7/19/2004

Implements: Medicare Prescription Drug, Improvement, and Modernization Act (MMA)

M-04-16

Title: Software Acquisition

Date Released: 7/1/2004

Implements: 

  • OMB A-11
  • OMB A-130

M-04-15

Title: Development of Homeland Security Presidential Directive (HSPD) – 7 Critical Infrastructure Protection Plans to Protect Federal Critical Infrastructures and Key Resources

Date Released: 6/17/2004

Implements: HSPD-12

M-04-08

Title: Maximizing Use of SmartBuy and Avoiding Duplication of Agency Activities with the President’s 24 E-Gov Initiatives

Date Released: 2/25/2004

Implements: President’s Management Agenda - Expanded Electronic Government (E-Gov) Initiative

M-04-04

Title: E-Authentication Guidance

Date Released: 12/16/2003

Implements: 

  • E-Government Act of 2002
  • Paperwork Elimination Act of 1998

2003

M-03-22

Title: OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002

Date Released: 12/16/2003

Implements: E-Government Act of 2002

M-03-18

Title: Implementation Guidance for the E-Government Act of 2002

Date Released: 8/1/2003

Implements: E-Government Act of 2002

M-03-04

Title: Determination Orders Organizing the Department of Homeland Security

Date Released: 1/7/2003

Implements: Public Law 107-296 - Establishing the Department of Homeland Security

2002

M-02-14

Title: Additional Information Requirements for Overseas Combating Terrorism and Homeland Security for the FY 2004 Budget

Date Released: 8/8/2002

Implements: N/A

M-02-11

Title: Department of Homeland Security Transition Issues

Date Released: 7/16/2002

Implements: Public Law 107-296 - Establishing the Department of Homeland Security

M-02-01

Title: Guidance for Preparing and Submitting Security Plans of Action and Milestones

Date Released: 10/17/2001

Implements: Government Information Security Reform Act

2001

M-01-28

Title: Citizen-Centered E-Government: Developing the Action Plan

Date Released: 7/18/2001

Implements: President’s Management Agenda - E-Government

M-01-05

Title: Guidance on Inter-Agency Sharing of Personal Data – Protecting Personal Privacy

Date Released: 12/20/2000

Implements: Computer Matching and Privacy Protection Act

2000

M-00-15

Title: OMB Guidance on Implementing the Electronic Signatures in Global and National Commerce Act

Date Released: 9/25/2000

Implements: E-Sign Act

M-00-13

Title: Privacy Policies and Data Collection on Federal Web Sites

Date Released: 6/22/2000

Implements: 

  • Children’s Online Privacy Protection Act
  • Privacy Act
  • OMB A-130

M-00-10

Title: OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act

Date Released: 4/25/2000

Implements: Paperwork Reduction Act

M-00-03

Title: Reporting Y2K Compliance of Non-mission Critical Systems

Date Released: 12/10/1999

Implements: N/A

1999

M-99-18

Title: Privacy Policies on Federal Web Sites

Date Released: 6/2/1999

Implements: 

  • Privacy Act
  • OMB A-130

M-99-01

Title: New Statutory Language on Paperwork Reduction FY 1999 ICB

Date Released: 11/16/1998

Implements: Paperwork Reduction Act

1998

M-98-14

Title: Comprehensive Plans and Associated Funding Requirements for Achieving Year 2000 Computer Compliance

Date Released: 8/13/1998

Implements: OMB A-11

M-98-09

Title: Updated Guidance on Developing a Handbook for Individuals Seeking Access of Public Information

Date Released: 4/23/1998

Implements: 

  • Electronic Freedom of Information Act Amendments of 1996
  • FOIA
  • OMB A-130

M-98-04

Title: Annual Performance Plans Required by the Government Performance and Results Act (GPRA)

Date Released: 1/29/1998

Implements: GPRA Modernization Act of 2010

1997

M-97-15

Title: Local Telecommunications Services Policy

Date Released: 6/12/1997

Implements: Clinger-Cohen Act

M-97-09

Title: Interagency Support for Information Technology

Date Released: 3/10/1997

Implements: Clinger-Cohen Act

M-97-07

Title: Multiagency Contracts Under the Information Technology Management Reform Act of 1996

Date Released: 2/26/1997

Implements: Clinger-Cohen Act

M-97-02

Title: Funding Information Systems Investments

Date Released: 10/25/1996

Implements: 

  • Clinger-Cohen Act
  • GPRA Modernization Act of 2010

1996

M-96-20

Title: Implementation of the Information Technology Management Reform Act of 1996

Date Released: 4/4/1996

Implements: Clinger-Cohen Act

1995

M-95-17

Title: Contingency Planning for Agency Operations in Fiscal Year 1996

Date Released: 8/17/1995

Implements: N/A

HHS Policies, Standards, Memoranda, and Guides

HHS Policies

The HHS Cybersecurity Program develops policies, standards, memoranda, guides, and standard operating procedures. They are collectively referred to as policy documents. HHS policy documents help to apply Federal legislation, OMB regulations, NIST standards, and U.S. Computer Emergency Readiness Team (US-CERT) guidelines in the context of the HHS environment, thus standardizing the implementation of information security and privacy practices across the Department.

NOTE: The HHS policies can be found at http://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies. They are only accessible through the HHS intranet/CMS network and cannot be accessed with a public internet connection.

Cybersecurity Awareness and Training

Doc Number: HHS-OCIO-OIS-2024-03-002

Description: Identifies the baseline requirements for providing HHS personnel with awareness training and for informing them of their responsibility to help protect the confidentiality, integrity, and availability of HHS information systems and data

Effective Date: 3/2024

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • 5 CFR 930.301
  • FIPS 200
  • FISMA 2014
  • HHS Policy for Information Security and Privacy Protection (IS2P)
  • NIST S.P. 800-16
  • NIST S.P. 800-37
  • NIST S.P. 800-50
  • NIST SP 800-181 rev 1
  • OMB A-130
  • Privacy Act of 1974

Records Management

Doc Number: HHS-OCIO-CDO-2024-02-001

Description: Establishes the principles, responsibilities, and requirements for managing HHS records

Effective Date: 2/1/2024

Corresponding CMS Publication: 

  • IS2P2
  • ARS
  • CMS Records and Information Management Program

Corresponding Federal Publication: 

  • 36 CFR Chapter XII Subchapter B
  • 32 CFR Part 2002
  • 18 U.S. Code § 641
  • 18 U.S. Code § 2071
  • 44 U.S. Code §§ 2901-2910
  • 44 U.S. Code §§ 3101-3107
  • 44 U.S. Code § 3106
  • 44 U.S. Code §§ 3301-3324
  • 44 U.S. Code § 3301
  • Privacy Act of 1974
  • Federal Rules of Civil Procedures
  • NARA Bulletin 2010-05
  • NARA Bulletin 2013-02
  • NARA Bulletin 2014-02
  • NARA Bulletin 2015-02
  • NARA Bulletin 2023-02
  • NARA Criteria for Successfully Managing Permanent Electronic Records
  • NARA Guidance on Records Management Language for Contracts
  • NARA Universal Electronic Records Management Requirements
  • OMB Circular A-130
  • OMB M-19-21
  • OMB M-23-07
  • HHS Policy for Litigation Holds
  • HHS Policy for Rules of Behavior for Use of Information and IT Resources
  • HHS Policy for Mobile Devices and Removable Media

Privacy Impact Assessments

Doc Number: HHS-OCIO-OIS-2023-09-005

Description: Sets forth the minimum HHS Privacy Threshold Analysis (PTA), PIA, and Internal PIA requirements, as well as the accompanying approval and publication processes

Effective Date: 9/2023

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • E-Government Act of 2002
  • FISMA 2014
  • HHS Policy for Information Security and Privacy Protection (IS2P)
  • NIST S.P. 800-53 Rev. 5
  • NIST S.P. 800-122
  • NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management v1.0
  • OMB Circular A-108
  • OMB Circular A-130
  • OMB M-03-22
  • OMB M-17-06
  • OMB M-19-03
  • Privacy Act of 1974
  • Paperwork Reduction Act (PRA)

Litigation Holds

Doc Number: HHS-OCIO-CDO-2023-08-004

Description: Establishes that HHS takes all reasonable steps to preserve potentially relevant information in the possession, custody, or control of HHS when civil litigation has commenced or when there is reasonable anticipation of litigation

Effective Date: 8/10/2023

Corresponding CMS Publication: CMS Litigation Holds and Essential Records Program

Corresponding Federal Publication: 

  • 36 CFR Chapter XII Subchapter B §§ 1220.30-1220.34
  • 36 CFR Chapter XII Subchapter B §§ 1230.1-1230.18
  • 36 CFR Chapter XII Subchapter B §§ 1236.2-1236.36
  • 18 USC § 641
  • 18 USC § 2071
  • 44 USC §§ 2071-2120
  • 44 USC §§ 2901-2912
  • 44 USC §§ 3101-3107
  • 44 USC §§ 3301-3314
  • 44 USC §§ 3501-3583
  • Privacy Act of 1974
  • Duty to Disclose, Rule 26
  • Producing Documents, Rule 34
  • Failure to Make Disclosures or to Cooperate in Discovery, Rule 37
  • Delivering Government Solutions in the 21st Century
  • NARA 2010-05
  • NARA 2014-02
  • NARA 2015-02
  • NARA Criteria for Successfully Managing Permanent Electronic Records
  • NARA Guidance on Records Management Language for Contracts
  • OMB Circular A-130
  • OMB/NARA M-23-07
  • Public Law 113-187
  • Universal Electronic Records Management Requirements
  • NARA General Records Schedules
  • General Record Schedule 6.1
  • HHS Implementing Email Records Management
  • HHS Rules of Behavior for Use of Information and IT Resources
  • HHS Mobile Devices and Removable Media

Data Loss Prevention

Doc Number: HHS-OCIO-OIS-2022-05-003

Description: Establishes comprehensive DLP requirements for HHS systems and information that are compliant with FISMA 2014, NIST S.P. 800-53, and EO 14028

Effective Date: 6/16/2023

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • EO 14028
  • EO 13556
  • FISMA 2014
  • HHS IS2P
  • NARA CUI Program
  • NIST S.P. 800-37
  • NIST S.P. 800-122
  • NIST S.P. 800-137
  • NIST S.P. 800-53
  • OMB Circular A-130
  • OMB M-22-09
  • Privacy Act of 1974

Rules of Behavior for Use of Information and IT Resources

Doc Number: HHS-OCIO-OIS-2023-02-002

Description: Defines the acceptable use of HHS information and IT resources and establishes the baseline requirements for developing Rules of Behavior that all users, including privileged users, are required to sign prior to accessing HHS information systems and resources

Effective Date: 2/9/2023

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • HHS IS2P
  • NIST S.P. 800-18
  • NIST S.P. 800-37
  • NIST S.P. 800-53
  • OMB Circular A-130
  • Public Law 115-232 § 889
  • 5 USC § 552a

Common Data Use Agreement (DUA) Structure and Repository

Doc Number: HHS-OCIO-CDO-2023-01-001

Description: Defines a DUA as a document that establishes the terms and conditions under which the Data Provider will provide, and the Data Recipient will receive and use, the data covered under the Agreement, which is nonpublic, restricted HHS data shared for a limited government purpose

Effective Date: 1/23/2023

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • 44 USC § 3520
  • 44 USC § 3576
  • OMB M-14-06
  • OMB M-01-05
  • HHS Enterprise Data Management

Encryption of Computing Devices and Information

Doc Number: HHS-OCIO-OIS-2022-12-001

Description: Establishes comprehensive encryption requirements for HHS systems and information that are compliant with FISMA 2014, NIST S.P. 800-53, EO 14028, and OMB M-22-09

Effective Date: 12/9/2022

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • EO 14028
  • FISMA 2014
  • NIST S.P. 800-53
  • OMB A-130
  • OMB M-15-13
  • OMB M-22-09

Securing AI Technology

Doc Number: HHS-OCIO-OIS-2021-12-007

Description: Ensures secure implementation of AI technology within HHS, secures HHS networks and information, protects privacy, and addresses risks

Effective Date: 12/14/2021

Corresponding CMS Publication:

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • EO 13859
  • EO 13960
  • FISMA 2014
  • NIST S.P. 800-53
  • NIST Privacy Framework
  • NIST S.P. 800-167
  • NIST S.P. 800-94
  • NIST S.P. 800-37
  • DHS AI Using Standards to Mitigate Risks
  • HHS IS2P

Information Security and Privacy Protection (IS2P)

Doc Number: HHS-OCIO-OIS-2021-11-0006

Description: Establishes comprehensive security and privacy requirements for HHS systems and information that are compliant with FISMA 2014 and NIST S.P. 800-53

Effective Date: 11/18/2021

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • E-Government Act of 2002
  • FISMA 2014
  • EO 13556
  • FERPA
  • Privacy Act of 1974
  • FITARA
  • Buy American Act
  • FASCSA 2018
  • Public Law 115-232 § 889
  • HIPAA
  • HSPD-12
  • NARA
  • B.O.D 18-02
  • FIPS 140-2, 199, 200, 201-1
  • NIST S.P. 800-111
  • NIST S.P. 800-122
  • NIST S.P. 800-144
  • NIST S.P. 800-152
  • NIST S.P. 800-171
  • NIST S.P. 800-175A
  • NIST S.P. 800-175B
  • NIST S.P. 800-37
  • NIST S.P. 800-46
  • NIST S.P. 800-53
  • NIST S.P. 800-79-2
  • NIST S.P. 800-88
  • OMB Circular A-130
  • OMB Circular A-108
  • OMB M-02-01
  • OMB M-03-22
  • OMB M-10-22
  • OMB M-10-23
  • OMB M-16-17
  • OMB M-14-03
  • OMB M-16-17
  • OMB M-14-03
  • OMB M-17-12
  • 5 CFR § 930.301
  • Public Law 113-291 Title VIII Subtitle D
  • Section 508 of the Rehabilitation Act of 1973

Information Technology Portfolio Management (PfM)

Doc Number: HHS-OCIO-OES-2021-09-005

Description: Describes the Capital Planning and Investment Control (CPIC) principles and requirements, and establishes standard methodologies for conducting OAs, evaluating Investment Risks, certifying adequate Incremental Development, and successfully implementing TBM

Effective Date: 9/23/2021

Corresponding CMS Publication: CyberGeek - Risk Management Handbook Chapter 15: System & Services Acquisition

Corresponding Federal Publication: 

  • Government Performance and Results Act of 1993
  • Federal Acquisition Streamlining Act of 1994
  • Paperwork Reduction Act of 1995
  • Federal Financial Management Improvement Act of 1996
  • E-Government Act of 2002
  • FITARA 2014
  • Clinger-Cohen Act of 1996
  • Policies & Priorities, Technology Business Management, CIO.GOV
  • Records Management Act of 1950
  • Section 508 of the Rehabilitation Act
  • EO 13636
  • EO 14028
  • FISMA 2014
  • GAO-04-394G
  • AIMD-10.1.13
  • GAO-13-87
  • GAO Report 16-469
  • OMB A-11
  • OMB A-94
  • OMB A-76
  • OMB A-123
  • OMB A-130
  • OMB Federal Cloud Computing Strategy - Cloud Smart
  • OMB M-97-02
  • OMB M-05-23
  • OMB M-15-14
  • OMB M-19-03
  • Federal Continuity Directive 1
  • Federal Continuity Directive 2
  • FIPS 140-2
  • NIST S.P. 800-30
  • NIST S.P. 800-37
  • NIST S.P. 800-39
  • NIST S.P. 800-53
  • NIST S.P. 800-56A
  • Section 889(a)(1)(B) of the John S. McCain National Defense Authorization Act (NDAA)
  • HHS Section 508 Electronic and IT
  • HHS Acquisition Regulation
  • HHS OCIO Roles and Responsibilities
  • HHS OCIO Enterprise Performance Life Cycle Framework Overview Document
  • HHS IT Strategic Plan
  • HHS IT Policy for Enterprise Architecture
  • HHS Office of Acquisition Management and Policy (OAMP) Acquisition Policy Memorandum
  • HHS IT Acquisition Reviews (ITAR)
  • HHS IT Enterprise Performance Life Cycle
  • HHS IS2P
  • HHS Records Management
  • HHS Enterprise Risk Management Framework
  • HHS Cloud Computing and FedRAMP Guidance
  • HHS IT Procurements - Security and Privacy Language
  • HHS Cyber Supply Chain Risk Management
  • HHS High Value Asset (HVA) Program
  • OCIO FITARA Approval Guidance

Transition to IPv6

Doc Number: HHS-OCIO-OES-2021-08-004

Description: Provides guidance that HHS Operating Divisions (OpDivs) and Staff Divisions (StaffDivs) must follow to meet the requirements and milestones laid out in OMB Memorandum 21-07, Completing the Transition to IPv6 (M-21-07)

Effective Date: 8/1/2021

Corresponding CMS Publication: N/A

Corresponding Federal Publication: 

  • EO 14028
  • Federal Acquisition Regulation (FAR)
  • NIST S.P. 500-267A
  • NIST S.P. 500-267B
  • NIST S.P. 500-281A
  • NIST S.P. 500-281B
  • NIST S.P. 800-53
  • OMB A-130
  • OMB M-21-07
  • OMB M-05-22
  • HHS IT Acquisition Reviews (ITAR)
  • HHS IT Asset Management (ITAM)
  • HHS IT Procurements - Security and Privacy Language
  • HHS IT System Inventory Management

Implementation of DHS Directive on Vulnerability Disclosure

Doc Number: HHS-OCIO-OIS-2021-05-003

Description: Establishes the HHS compliance requirements under the DHS B.O.D 20-01

Effective Date: 5/4/2021

Corresponding CMS Publication: N/A

Corresponding Federal Publication: 

  • Carnegie Mellon SEI, The CERT Guide to Coordinated Vulnerability Disclosure
  • B.O.D. 20-01
  • DOJ A Framework for a Vulnerability Disclosure Program for Online Systems
  • FISMA 2014
  • HHS IS2P
  • ISO/IEC 29147:2018
  • NIST Framework for Improving Critical Infrastructure Cybersecurity
  • NIST S.P. 800-53
  • OMB A-130
  • OMB M-20-32
  • EO 13800
  • Title 44, U.S. Code, Section 3553(b)(2) Authority and Functions of the Director and the Secretary

Implementation of Trusted Internet Connections (TIC)

Doc Number: HHS-OCIO-OIS-2021-03-002

Description: Provides the requirements to which HHS Operating Divisions (OpDivs) must adhere when implementing TICs

Effective Date: 3/17/2021

Corresponding CMS Publication: N/A

Corresponding Federal Publication: 

  • 6 USC 1523(b)(1)(D)
  • OMB M-19-26
  • Committee on National Security Systems (CNSS), Internet Engineering Task Force (IETF) RFC 4949
  • DHS CISA TIC Reference Architecture Document
  • DHS CISA TIC Volume 1-5
  • DHS CISA TIC Interim Telework Guidance
  • General Services Administration (GSA) Enterprise Infrastructure Solutions (EIS) Management and Operations Handbook
  • GSA, Transition Handbook, Network, WITS 3, and GSA Regional Local Services to EIS Contracts
  • National Cybersecurity Protection System (NCPS) Cloud Interface Reference Architecture
  • NIST S.P. 800-37
  • NIST S.P. 800-41
  • NIST S.P. 800-53
  • NIST S.P. 800-145
  • NIST S.P. 800-152
  • NIST S.P. 800-207
  • HHS IS2P
  • HHS Internet and Email Security
  • HHS POA&M Standard

Information Technology Procurements - Security And Privacy Language

Doc Number: HHS-OCIO-OIS-2021-03-001

Description: Mandates the standard security and privacy language for information and information technology (IT) procurements throughout HHS

Effective Date: 3/3/2021

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • Buy American Act
  • FAR
  • FASCSA 2018
  • FISMA 2014
  • OMB A-130
  • Public Law 115-232 § 889
  • Public Law 115-390
  • U.S.C of CFR

IT System Inventory Management

Doc Number: HHS-OCIO-OES-2020-12-011

Description: Directs HHS entities (i.e., Operating Divisions [OpDiv] and Staff Divisions [StaffDiv]) to establish and maintain an enterprise-wide inventory of HHS IT systems by providing guidance and baseline standards for maintaining a comprehensive inventory of all IT systems and related information

Effective Date: 12/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Clinger-Cohen Act of 1996
  • E-Government Act of 2002
  • FISMA 2014
  • FITARA 2014
  • FITARA Enhancement Act of 2017
  • MEGABYTE Act of 2016
  • OMB A-11
  • OMB A-130
  • OMB M-15-14
  • OMB M-19-03
  • OMB M-17-09
  • OMB M-19-01
  • OMB M-19-21
  • NIST S.P. 800-37
  • NIST S.P. 800-137
  • HHS CPIC
  • HHS HVA
  • HHS ITAM
  • HHS Records Management
  • HHS IS2P

Information Technology Asset Management (ITAM)

Doc Number: HHS-OCIO-OCPO-2020-08-008

Description: Establishes the HHS program for the management of IT and Telecommunication assets in compliance with CAP Goal 7: Category Management - Leveraging Common Contracts and Best Practices to Drive Savings and Efficiencies, within the President's Management Agenda (PMA); to buy common goods and services as an enterprise to eliminate redundancies, increase efficiency, and deliver more value and savings from the government's acquisition programs

Effective Date: 8/19/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Clinger-Cohen Act of 1996
  • E-Government Act
  • MEGABYTE Act of 2016
  • Section 508 of the Rehabilitation Act
  • FAR
  • Federal Accounting Standards Advisory Board (FASAB), Statement of Federal Financial Accounting Standards (SFFAS) No. 10, Accounting for Internal Use Software
  • FASAB, Federal Financial Accounting Technical Release 16, Implementation Guidance for Internal Use Software
  • GAO 14-413
  • OMB A-130
  • OMB M-16-12
  • OMB M-15-14
  • OMB M-19-13
  • HHS FITARA Implementation-Revised HHS IT Governance Framework
  • HHS FITARA Implementation Plan
  • GAO audit recommendations of HHS’s Telecommunications inventory management and IT Strategic Planning

Vulnerability Management

Doc Number: HHS-OCIO-OIS-2020-08-009

Description: Establishes the baseline requirements for maintaining an effective vulnerability management program to implement and support activities pertaining to vulnerability scanning and remediation and to continually manage risks impacting HHS IT resources

Effective Date: 8/19/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • FISMA 2014
  • OMB A-130
  • International Organization for Standardization (ISO) 27002
  • NIST S.P. 800-40
  • NIST S.P. 800-51
  • NIST S.P. 800-53
  • NIST S.P. 800-126
  • NIST S.P. 800-128
  • HHS IS2P

Cyber Supply Chain Risk Management (C-SCRM)

Doc Number: HHS-OCIO-OIS-2020-08-010

Description: Establishes the baseline requirements for securing the information and communications technology (ICT) products and services supply chain in order to protect HHS information systems and information from the risks involved in the ICT procurement supply chain

Effective Date: 8/18/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • FISMA 2014
  • SECURE Technology Act
  • Buy American Act
  • Public Law 115-232 § 889
  • FASCSA 2018
  • Comprehensive National Cybersecurity Initiative (CNCI)
  • CISA National Risk Management Center
  • OMB A-130
  • FAR
  • NIST S.P. 800-161
  • NIST S.P. 800-37
  • HHS IS2P

Section 508 Compliance and Accessibility of Information and Communications Technology (ICT)

Doc Number: HHS-OCIO-OES-2020-07-007

Description: Implements uniformity and conformity of accessibility compliance across all of HHS

Effective Date: 7/2020

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • Communications Act of 1934
  • FAR
  • FITARA
  • HHS Acquisition Regulation (HHSAR)
  • 36 CFR § 1193-1194
  • OMB M-17-06
  • OMB M-13-13
  • OMB M-16-20
  • OMB Memorandum, Improving the Accessibility of Government Information
  • OMB Strategic Plan for Improving Management of Section 508 of the Rehabilitation Act
  • Rehabilitation Act of 1973
  • Workforce Innovation and Opportunities Act

Information Technology Acquisition Reviews (ITAR)

Doc Number: HHS-OCIO-OES-2020-06-006

Description: Establishes the HHS ITAR Program, which ensures HHS conducts its due diligence to manage and maintain oversight and governance over the procurement of IT, thereby contributing to effective planning, budgeting, and execution of IT resources

Effective Date: 6/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Clinger-Cohen Act
  • National Defense Authorization Act for Fiscal Year 2015
  • EO 13833
  • FAR
  • HHS Acquisition Regulation (HHSAR)
  • OMB A-11
  • OMB A-130
  • OMB M-15-14
  • OMB M-16-12
  • HHS FITARA Implementation-Revised HHS IT Governance Framework
  • HHS FITARA HHS Implementation Plan
  • HHS Memorandum for Record, HHS Chief Information Officer Delegation of Authorities to Operating Division Chief Information Officers
  • HHS CPIC
  • HHS EPLC
  • HHS Procedures, Guidance and Instructions (PGI)
  • Information Technology Decision Criteria and Clause Matrix
  • HHS IT Procurements - Security and Privacy Language
  • HHS Standard for Encryption of Computing Devices and Information
  • HHS Minimum Security Configuration Standards Guidance
  • HHS Software Development Secure Coding Practices
  • HHS Directive for Acquisition Strategy

Preparing for and Responding to a Breach

Doc Number: HHS-OCIO-PIM-2020-05-003

Description: Addresses OMB M-17-22, Preparing for and Responding to a Breach of PII, and sets forth the approach of HHS in preparing for and responding to breaches of PII in any medium or form

Effective Date: 5/2020

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • OMB M-17-12
  • OMB M-19-03
  • OMB M-20-04
  • OMB M-16-14
  • OMB A-130
  • PPD-41
  • NIST S.P. 800-34
  • NIST S.P. 800-61
  • NIST S.P. 800-122
  • US-CERT Federal Incident Notification Guidelines
  • National Cybersecurity and Communications Integration Center (NCCIC) Cyber Incident Scoring System
  • Identity Protection Services (IPS) Multiple Award Blanket Purchase Agreement (BPA)

Securing Wireless Local Area Networks

Doc Number: HHS-OCIO-OIS-2020-01-001

Description: Updates the requirements and specifications for securing all HHS WLANs in compliance with NIST S.P. 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs), and the Institute of Electrical and Electronics Engineers (IEEE) 802.11 WLAN standards

Effective Date: 1/13/2020

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • NIST S.P. 800-153
  • NIST S.P. 800-97
  • HHS IS2P
  • HHS Memorandum, Addendum to the HHS IS2P

Enterprise Data Management

Doc Number: HHS-OCIO-OIS-2020-02-002

Description: Establishes the requirements for the efficient and secure management and protection of enterprise data

Effective Date: 11/13/2019

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • FISMA 2014
  • FITARA
  • FIPS 199
  • OMB A-130
  • OMB M-13-13
  • OMB M-17-12
  • NIST S.P. 800-37
  • HHS IS2P

Domain Name System (DNS) and DNS Security Extensions (DNSSEC) Services

Doc Number: HHS-OCIO-OIS-2019-11-011

Description: Establishes the minimum requirements for implementing the DNS and DNSSEC services across the HHS and OpDiv networks

Effective Date: 10/2019

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • OMB A-130
  • DHS DNS Security Reference Architecture
  • NIST S.P. 800-81
  • NIST S.P. 800-53
  • DHS B.O.D. 19-01

Internet and Email Security

Doc Number: HHS-OCIO-OIS-2019-10-009

Description: Establishes the minimum requirements for securing the internet and email services throughout HHS, including OpDivs

Effective Date: 10/2019

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • EO 13800
  • OMB M-15-13
  • DHS B.O.D 19-01
  • DHS B.O.D 18-01
  • NIST S.P. 800-177
  • NIST S.P. 800-119
  • Federal Trade Commission (FTC) Bureau of Consumer Protection, Businesses Can Help Stop Phishing and Protect their Brands Using Email Authentication
  • HHS Rules of Behavior (ROB)

High Value Asset (HVA) Program

Doc Number: HHS-OCIO-OES-2018-09-006

Description: Provides HHS OpDivs and StaffDivs with the policy for governance of HHS' HVAs along with the requirements for the identification, categorization, prioritization, reporting, assessment, and remediation of findings for HVAs

Effective Date: 8/2019

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • OMB M-16-04
  • OMB M-19-02
  • OMB M-19-03
  • OMB M-13-13
  • OMB A-123
  • OMB A-130
  • DHS B.O.D. 18-02
  • Cybersecurity Strategy and Implementation Plan for the Federal Civilian Government (CSIP)
  • Cybersecurity National Action Plan (CNAP)
  • HHS IS2P
  • HHS Continuity of Operation Program
  • HHS IT Procurements - Security and Privacy Language
  • Senior Accountable Official for Risk Management (SAORM) Designee for Department of Homeland Security B.O.D. 18-02 Securing HVAs

Mobile Devices and Removable Media

Doc Number: HHS-OCIO-OIS-2019-09-0005

Description: Protects HHS information and information systems from risks related to the use of mobile devices for government business and the risks of using mobile devices to access HHS information systems remotely from outside of HHS facilities

Effective Date: 8/2019

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • Federal Records Act of 1950
  • NIST S.P. 800-53
  • NIST S.P. 800-124
  • EO 13556
  • OMB A-130
  • HHS IS2P
  • HHS Rules of Behavior for Use of HHS Information and IT Resources Policy

Software Development Secure Coding Practices

Doc Number: HHS-OCIO-OES-2019-08-005

Description: Establishes the minimum baseline secure coding practices that must be implemented to ensure secure code is “built in” in the early phases of the software development lifecycle in order to protect and secure all HHS information, IT systems, and networks

Effective Date: 8/2019

Corresponding CMS Publication:

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • HIPAA
  • FISMA 2014
  • OMB A-130
  • HHS IS2P

Mobile Applications Privacy Policy

Doc Number: HHS-OCIO-PIM-2018-09-001

Description: Sets forth HHS policy for protecting privacy in HHS Mobile Applications

Effective Date: 8/2018

Corresponding CMS Publication:

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • FISMA 2014
  • COPPA 1998
  • Privacy Act of 1974
  • OMB M-17-06
  • OMB A-130
  • OMB A-108
  • Digital Government: Building a 21st Century Platform to Better Serve the American People
  • NIST 800-53
  • NIST S.P. 800-163
  • NIST S.P. 800-37
  • NIST S.P. 800-61
  • NIST S.P. 800-122
  • HHS Policy and Plan for Preparing for and Responding to Breaches of PII
  • HHS Privacy Impact Assessment Guidance
  • HHS IS2P
  • HHS Privacy Impact Assessments (PIA)

Information Technology (IT) Policy for Enterprise Performance Life Cycle (EPLC)

Doc Number: HHS-OCIO-2008-004.002

Description: All HHS IT projects shall be managed using the HHS EPLC Framework, including life cycle phases, reviews, deliverables, activities, responsibilities, and tailoring, regardless of the specific development methodology used

Effective Date: 11/2016

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • HHS Acquisition Regulation (HHSAR)
  • Federal Acquisition Certification-Program and Project Manager Program (FAC-P/PM)
  • HHS IT Capital Planning and Investment Control
  • HHS IRM Policy for Conducting IT Alternatives Analysis
  • HHS IT Performance Management (PfM)
  • HHS Enterprise Architecture (EA)
  • HHS IT System Inventory Management
  • HHS Records Management
  • HHS Implementing Email Records Management
  • HHS Section 508 Compliance and Accessibility of Information and Communications Technology (ICT)
  • HHS Security Policies, Standards, Charters and Training Resources
  • HHS Incident Reporting, Policy and Incident Management Reference
  • HHS PIA
  • FITARA
  • GAO Cost Estimating and Assessment Guide
  • OMB M-05-23
  • OMB A-11
  • OMB A-127
  • OMB A-130

Environmental Practices of Electronics

Doc Number: N/A

Description: Provides the framework for the implementation of sound environmental practices in the acquisition, operations and maintenance, and end-of-life management of HHS-purchased electronic products

Effective Date: 6/5/2011

Corresponding CMS Publication: CMS Property Management

Corresponding Federal Publication: 

  • EO 13423
  • EO 13514

Electronic Stewardship

Doc Number: HHS-OCIO-2011-0002.001

Description: Provides the framework for the implementation of sound environmental practices in the acquisition, operations and maintenance, and end-of-life management of HHS-purchased electronic products

Effective Date: 6/2011

Corresponding CMS Publication: CMS Property Management

Corresponding Federal Publication: 

  • EO 13423
  • EO 13514

Policy for FOIA Investigatory & Audit Matters

Doc Number: N/A

Description: Provides HHS staff with a policy for legal holds and to inform HHS staff about FOIA, investigatory, and audit matters that require holds on HHS records and other related documentary materials

Effective Date: 1/26/2011

Corresponding CMS Publication: CMS Freedom of Information Group

Corresponding Federal Publication: 

  • FOIA
  • 44 U.S.C. Chapter 31
  • 44 U.S.C. Chapter 33
  • 5 U.S.C. § 552
  • 36 CFR Chapter XII, subchapter B
  • Federal Rules of Civil Procedure (FRCP)

Policy for Networks Program Designated Agency Representatives

Doc Number: HHS-OCIO-2010-0005

Description: Identifies and provides supplemental information in the establishment of titles, roles and responsibilities of Designated Agency Representatives (DARs) for the move from the FTS-2001 contract to the Networx contract and its transition program

Effective Date: 6/10/2010

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • FAR
  • General Services Administration (GSA) guidelines regarding Networx contracts, policies, and procedures
  • GSA DAR Guidelines for Network Services Contracts of the Office of ITS FAA

Policy for Enterprise Architecture

Doc Number: HHS-OCIO-2008-0003.001

Description: Outlines the roles and responsibilities for ensuring compliance with legislative and executive level guidance on Enterprise Architecture (EA)

Effective Date: 8/7/2008

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • GPRA 1993
  • FASA V 1994
  • PRA 1995
  • Clinger-Cohen Act of 1996
  • Government Paperwork Elimination Act of 1998
  • GISRA 2000
  • FISMA 2002
  • E-Government Act of 2002
  • EO 13011
  • OMB A-11
  • OMB A-109
  • OMB A-123
  • OMB A-127
  • OMB A-130
  • OMB M-00-07
  • OMB M-97-02

Policy for eGov Forms

Doc Number: HHS-OCIO-2006-0003

Description: Ensures that HHS maintains accurate form content for those HHS forms that are in the E-Gov Forms Catalogue, managed by the Small Business Administration (SBA) and the General Services Administration (GSA) under the Business Gateway (BG) initiative

Effective Date: 6/7/2006

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • Federal Property and Administrative Services Act of 1949
  • E-Government Act of 2002
  • Section 508 Rehabilitation Act
  • Paperwork Reduction Act of 1980
  • Information Quality Act
  • 5 U.S.C. 552a(e)(1)
  • 44 U.S.C. 3508
  • Small Business Paperwork Relief Act of 2002
  • 36 CFR Parts 1220-1238
  • 5 CFR part 1320
  • OMB A-130

Policy for HHSMail Change Management

Doc Number: HHS-OCIO 2006-0002.001

Description: Establishes the policy for change management within the HHS HHSMail project

Effective Date: 3/2/2006

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • Clinger-Cohen Act
  • OMB A-130
  • OMB A-11
  • OMB A-123

HHS Standards

HHS Standard for Plan of Action and Milestones (POAM) Management and Reporting

Doc Number: HHS-OCIO-2019-0002.001S

Description: Provides OpDivs with the baseline standards and guidelines for properly documenting and managing POA&Ms and supports the OpDivs in their development and management of POA&Ms within their respective organizations

Effective Date: 6/3/2019

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • EO 13800
  • NIST S.P. 800-53
  • OMB A-130
  • OMB M-14-04
  • HHS IS2P

HHS Standard for System Inventory Management

Doc Number: HHS-OCIO-2018-0001.002S

Description: Provides guidance and the baseline standards for maintaining a comprehensive inventory of all systems throughout HHS and enables management to have continuous accounting of all information systems and information assets

Effective Date: 12/27/2018

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • FISMA 2014
  • OMB A-130
  • NIST S.P. 800-37
  • NIST S.P. 800-137
  • HHS IS2P
  • HHS Memorandum, FY15 Cybersecurity IT Priorities

Minimum Security Configuration Standards Guidance

Doc Number: HHS-OCIO-2017-0001.001S

Description: Provides personnel involved in configuring or connecting servers, workstations, or network devices to the HHS infrastructure with minimum security configuration standards for each respective device

Effective Date: 10/5/2017

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Cyber Security Research and Development Act of 2002
  • FISMA 2014
  • OMB A-130
  • CNSS Instruction No. 4009
  • HHS IS2P
  • NIST S.P. 800-37
  • NIST S.P. 800-52
  • NIST S.P. 800-53
  • NIST S.P. 800-60
  • NIST S.P. 800-70
  • NIST S.P. 800-115
  • NIST S.P. 800-128
  • NIST S.P. 800-152
  • NIST S.P. 800-175A
  • NIST S.P. 800-179

HHS Minimum Security Configuration Standards for Palo Alto Networks

Doc Number: HHS-OCIO-2017-0001-002S

Description: Provides OpDivs with specific technical configuration guidance for implementing the Palo Alto Networks Uniform Resource Locator (URL) filtering and Transport Layer Security (TLS) decryption solution

Effective Date: 5/31/2017

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • OMB A-130
  • NIST S.P. 800-66
  • HHS IS2P

HHS Memoranda

HHS Approved Physical Access and Logical Access Authentication Mechanisms

Effective Date: 3/15/2024

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • HSPD-12
  • OMB M-19-17
  • OMB M-22-09
  • NIST S.P. 800-63-3
  • NIST S.P. 800-63A
  • NIST S.P. 800-63B
  • NIST S.P. 800-63C
  • NIST S.P. 800-157
  • NIST S.P. 800-217
  • OMB A-123

Reminder of Existing HHS IT User Policies Relevant for Third-Party Generative AI Tools

Effective Date: 12/20/2023

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • 40 U.S.C. § 11319(b)(1)(A)
  • 40 U.S.C. § 11319
  • 40 U.S.C. § 11315(c)(2)
  • HHS Securing AI Technology
  • HHS Rules of Behavior for Use of Information and IT Resources

Memorandum M-23-13 “No TikTok on Government Devices” Implementation

Effective Date: 3/31/2023

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • No TikTok on Government Devices Act
  • OMB M-23-13

IS2P / NIST S.P. 800-53 Revision 5 - Compliance Timeline

Effective Date: 12/20/2022

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • NIST S.P. 800-53
  • HHS IS2P
  • HHS Control Catalog

Updated Department Standard Warning Banner for HHS Systems

Effective Date: 9/12/2022

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • NIST S.P. 800-53

Rescission of Outdated and Superseded Policy

Effective Date: 12/9/2021

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • HHS IS2P
  • HHS Control Catalog
  • HHS Minimum Security Configuration Standards Guidance
  • HHS Minimum Security Configuration Standards for Palo Alto Networks

HHS Social Security Number (SSN) Reduction and Elimination

Effective Date: 6/10/2021

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Privacy Act of 1974
  • E-Government Act of 2002
  • FISMA 2014
  • Paperwork Reduction Act of 1995
  • OMB M-17-12
  • OMB M-07-16
  • OMB M-03-22
  • OMB A-130
  • EO 9397
  • NIST S.P. 800-53
  • HHS Preparing for and Responding to a Breach of PII
  • HHS PIA
  • HHS Sensitive PII Definition and Guidance
  • HHS IS2P

Complete Transition to IPv6 Memorandum

Effective Date: 4/29/2021

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • OMB M-21-07

Roles & Responsibilities of OpDiv SOPs

Effective Date: 3/3/2021

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • FISMA 2014
  • E-Government Act of 2002
  • Privacy Act of 1974
  • Paperwork Reduction Act
  • FAR
  • Implementing Recommendations of the 9/11 Commission Act of 2007
  • EO 13636
  • EO 9397
  • NIST S.P. 800-53
  • OMB A-130
  • OMB M-20-04
  • OMB M-16-24
  • OMB M-17-12
  • OMB M-10-23
  • OMB M-10-22
  • OMB M-07-16
  • OMB M-03-22
  • HHS IS2P
  • HHS IT Acquisition Reviews (ITAR)
  • HHS Preparing for and Responding to a Breach of PII
  • HHS High Value Asset (HVA) Program
  • HHS IT Procurements Security and Privacy Language
  • HHS Acquisition Regulation (HHSAR)
  • HHS Mobile Applications Privacy Policy
  • HHS POA&M Standard
  • HHS PIA
  • HHS Sensitive PII Definition and Guidance

Use of Government Furnished Equipment (GFE) During Foreign Travel

Effective Date: 2/10/21

Corresponding CMS Publication: CMS Counterintelligence and Insider Threat - Foreign Travel

Corresponding Federal Publication: 

  • FIPS 140-2

Rescission of Security and Privacy Outdated and Superseded Policies

Effective Date: 11/25/2019

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • HHS IT Security and Privacy Incident Reporting and Response
  • HHS IS2P
  • HHS Minimum Security Configuration Standards Guidance
  • HHS Preparing for and Responding to a Breach of PII
  • HHS PIA

Sensitive PII Definition and Guidance

Effective Date: 12/4/2018

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • Paperwork Reduction Act
  • OMB A-130
  • HHS Preparing for and Responding to a Breach of PII
  • HHS PIA
  • OMB M-10-23
  • OMB M-17-12
  • NIST S.P. 800-122
  • NIST S.P. 800-88

Addendum to the HHS IS2P

Effective Date: 5/24/2018

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: Coming Soon

Requirement for Role-Based Training of Personnel with Significant Security Responsibilities

Effective Date: 6/28/2017

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FISMA 2014
  • FCWAA 2015
  • 5 CFR 930.301
  • NIST S.P. 800-181
  • NIST S.P. 800-16
  • HHS IS2P

HHS Cloud Computing and Federal Risk and Authorization Management Program Guidance

Effective Date: 7/15/2016

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • FedRAMP
  • NIST S.P. 800-144
  • NIST S.P. 800-137
  • HHS Cloud Computing Strategy

End-of-Life Operating Systems, Software and Applications Policy

Effective Date: 5/19/2016

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • NIST S.P. 800-53

FY15 Cybersecurity IT Priorities

Effective Date: 6/1/2015

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • FISMA 2014
  • FITARA
  • EO 13636
  • HHS Acquisition Regulation (HHSAR)

HHS Usage of Unauthorized External Information Systems to Conduct Department Business Memorandum

Effective Date: 1/8/2014

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • HHS IS2P

HHS Security Data Warehouse Escalation Memorandum

Effective Date: 7/15/2013

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • FISMA 2014

Policy for Monitoring Employee Use of HHS IT Resources (2013)

Effective Date: 6/26/2013

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • IG Act 1978
  • Privacy Act of 1974
  • HIPAA
  • Whistleblower Protection Act
  • FOIA

Determining Non-Sensitive Data on Mobile Computers/Devices

Effective Date: 1/11/2013

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • OMB M-06-16

Implementation of OMB M-10-22 and M-10-23

Effective Date: 12/21/2010

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • OMB M-10-22
  • OMB M-10-23
  • OMB M-07-16
  • HHS IS2P

Resolving Security Audit Finding Disputes

Effective Date: 5/13/2010

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: 

  • OMB M-08-21

Updated Departmental Standard for the Definition of Sensitive Information

Effective Date: 5/18/2009

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: Coming Soon

Applicability of FISMA to HHS Grantees

Effective Date: 10/29/2007

Corresponding CMS Publication: IS2P2

Corresponding Federal Publication: 

  • FISMA 2002
  • OMB M-07-19

HHS Guides, Forms, and Templates

Information Security & Privacy Certification Checklist

Effective Date: 7/1/2021

Corresponding CMS Publication: 

Corresponding Federal Publication: 

  • Privacy Act of 1974
  • NIST S.P. 800-60
  • NIST S.P. 800-88
  • FIPS 199

Policy Exception-Risk Based Decision Request

Effective Date: 7/10/2019

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • 44 U.S.C. § 3502
  • OMB A-127
  • OMB A-130
  • OMB M-19-03
  • OMB M-17-12

HHS Guidance for Selection of e-Authentication Assurance Levels

Effective Date: 3/2019

Corresponding CMS Publication: 

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • EO 13681
  • NIST S.P. 800-63
  • NIST S.P. 800-63-3
  • NIST S.P. 800-63A
  • NIST S.P. 800-63B
  • NIST S.P. 800-63C
  • OMB M-04-04
  • HHS IS2P

HHS Guidance for e-Authentication RA Template

Effective Date: 3/2019

Corresponding CMS Publication:

  • IS2P2
  • ARS

Corresponding Federal Publication: 

  • NIST S.P. 800-63
  • NIST S.P. 800-63-3
  • NIST S.P. 800-63A
  • NIST S.P. 800-63B
  • NIST S.P. 800-63C
  • HHS IS2P

Charter Establishing the EPLC Change Control Board

Effective Date: N/A

Corresponding CMS Publication: CMS.gov - Target Life Cycle

Corresponding Federal Publication: N/A

Non-Disclosure Agreement

Effective Date: N/A

Corresponding CMS Publication: Coming Soon

Corresponding Federal Publication: N/A