Incident Response (IR)

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Last Reviewed: 11/21/2025

This page provides guidance for following the requirements of the IR control family from the CMS ARS. Business Owners, ISSOs, and application teams should review these guidelines to ensure compliance with CMS security and privacy standards.

Understanding Incident Response at CMS  

CMS manages Incident Response (IR) through a formal Incident Response Plan (IRP) that outlines how to detect, report, respond to, and recover from cybersecurity incidents. The CMS Cybersecurity Integration Center (CCIC) is the central point for managing these activities. 

The CCIC works closely with system and business owners, Information System Security Officers (ISSOs), Cyber Risk Advisors (CRAs), and Data Guardians to detect, assess, and understand cyber threats across the agency. 

CMS continuously monitors its systems to identify threats, reports incidents to the appropriate internal and federal authorities, and takes prompt action to contain and mitigate any damage. The agency also trains staff and regularly tests its incident response capabilities to remain prepared for evolving cyber threats. 

How IR Works at CMS  

The Department of Health and Human Services (HHS) provides the Information Systems Security and Privacy Protection (IS2P) policy framework, which safeguards data and systems from information technology (IT) threats. Based on these requirements, CMS developed the Acceptable Risk Safeguards (ARS), which define the minimum security and privacy standards for CMS and its contractors. 

In addition, CMS maintains the Information Systems Security and Privacy Policy (IS2P2), which defines the roles and responsibilities necessary to ensure compliance with both the ARS 5.1 and the HHS IS2P. 

Together, these policies establish the foundation for how CMS detects, reports, and manages cybersecurity incidents across the organization. 

Key Security Measures  

Policy and Procedures  

The CMS Incident Response Program ensures that the agency can effectively respond to security and privacy incidents. It covers preparation, detection, analysis, containment, recovery, and response. All incidents must be tracked, documented, and reported. 

A designated CMS Chief Information Security Officer (CISO) manages the development and communication of policies that align with HHS and federal requirements, including those for handling incidents involving personal information. 

Incident Response Plans (IRPs) are reviewed every 365 days and after incidents to incorporate lessons learned and strengthen security practices. The CISO, working with the CCIC Director and Business Owners, leads the incident response capability and coordinates closely with contingency planning. 

All related policies and procedures are reviewed and updated annually, or as needed, to stay current with CMS and federal standards. CMS employees and contractors complete annual Computer-Based Training (CBT) and participate in tabletop exercises to maintain proficiency and meet federal requirements. 

Incident Response Training  

CMS provides Incident Response (IR) training to help staff prevent, detect, and respond to security and privacy incidents, and to meet federal requirements under the Federal Information Security Modernization Act (FISMA). Training content is tailored to each person’s role and responsibilities, as outlined in the CMS Incident Response Plan (IRP). 

System Owners, Business Owners, and Information System Security Officers (ISSOs) receive training specific to their duties. This role-based training must be completed within one month of assuming the IR role or related responsibility. All CMS employees and contractors who regularly handle sensitive data—such as Social Security numbers or health records—complete annual incident response training as part of their general security awareness program. 

The CMS Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Senior Official for Privacy (SOP) oversee a CMS-wide training program. The IS2P2 directs the CIO to maintain an incident response program that includes handling breaches involving personal, health, or tax information. The CISO and SOP ensure all required policies and procedures are followed for security and privacy incident response. 

Protection of Federal Tax Information (FTI) also requires IR training in accordance with the Internal Revenue Code. The Information Security and Privacy Group (ISPG) provides this training when users assume new roles and annually thereafter. Training content varies by role: general users learn how to recognize and report incidents, system administrators learn how to contain or resolve them, and incident responders receive more detailed instruction on forensics, reporting, and recovery. Staff must also be able to identify incidents involving personal data and coordinate with the SOP. 

All CMS Enterprise User Administration (EUA) users must complete the annual CBT, which includes incident response content, before receiving an account and then every year afterward. Users receive an annual reminder by email, and training records are tracked by user ID and completion date. 

To strengthen readiness, CMS conducts tabletop exercises that simulate real-world incidents. These exercises help staff practice how to respond and often include automated elements to create realistic conditions. Scenarios are selected through the incident response test planning process to ensure that all training remains practical and effective. 

CMS also provides Security Awareness Insider Threat training to help personnel recognize and report potential insider threats. This training explains how employees and managers should report concerns through appropriate channels and follow established policies. Whether the threat is intentional or accidental, CMS addresses it carefully and in coordination with the Insider Threat Team in the Security Operations Center (SOC), which works with the Division of Strategic Information (DSI) to review, assess, and respond appropriately. 

Incident Response Testing  

CMS conducts incident response testing to ensure that its response plans remain effective and up to date. Testing occurs at least once every 365 days and follows guidelines from NIST SP 800-84. The goal is to evaluate how well CMS can respond to security incidents and to document results for continuous improvement. 

CMS uses simulated functional drills and automated test features within tabletop exercises to evaluate readiness. These are discussion-based sessions where staff meet in a classroom or small-group setting to walk through a simulated emergency scenario. A facilitator presents the scenario and guides discussion about roles, responsibilities, coordination, and decision-making. 

No real equipment is used; the focus is on reviewing the response process to ensure everyone understands what to do during an actual incident. For additional details on tabletop exercises, see NIST SP 800-84. 

CMS coordinates incident response testing with other organizational elements responsible for related plans to ensure alignment and consistency. Related plans include, but are not limited to: 

Incident Handling  

CMS follows NIST SP 800-61 Revision 3, which provides a structured process for handling security and privacy incidents. The goal of this process is to ensure every incident is managed consistently, efficiently, and in a way that protects systems, data, and people. 

All Incident Response Teams (IRTs) across CMS operate under the authority of the CCIC Incident Management Team (IMT), which leads and coordinates agency-wide response efforts. Each system must identify its own incident responders within its Incident Response Plan (IRP). These responders serve as the first line of defense, supported and guided by the IMT to ensure a unified and timely response. 

When a privacy breach involving personally identifiable information (PII) is suspected or confirmed, the IMT alerts the Information Security and Privacy Group (ISPG). The ISPG determines whether to convene a Breach Analysis Team (BAT), which includes members from ISPG, IMT, and relevant system stakeholders such as Business Owners. The BAT performs a formal risk assessment to evaluate potential harm to affected individuals. The Senior Official for Privacy (SOP) works with the HHS Privacy IRT to review and approve the response plan, breach notifications, and mitigation steps. This ensures that privacy incidents are handled transparently and meet all federal and legal requirements. 

Incident handling is closely linked to contingency planning so that lessons learned from each event strengthen both prevention and recovery procedures. Following a consistent, agency-wide approach ensures every incident contributes to stronger defenses and more informed decision-making. 

CMS uses a four-phase life cycle for all incident handling activities: preparation, detection and analysis, containment and recovery, and post-incident review. Each phase supports a specific purpose in protecting CMS systems and sensitive information. 

Preparation:  

Preparations are intended to ensure that all systems and personnel are ready to detect and manage incidents quickly and effectively. 

  • Complete the Incident Preparation Checklist 
  • Review Information System Risk Assessments (ISRA) annually  
  • Conduct ISRA every three (3) years 
  • Follow HHS, U.S. Government Configuration Baselines (USGCB), and National Checklist Program (NCP) baselines, ensuring systems operate with least privilege, auditing enabled, and security baselines applied. 
  • Maintain network configurations that default to “deny all” and permit only approved connections. 
  • Keep malware protection active and updated, scanning critical files every 12 hours and full systems every 72 hours. 
  • Keep malicious code protection updated in near real-time, configured to quarantine threats and alert admins 
  • Confirm that all users take annual security training through the EUA CBT 
  • Keep an accurate, up-to-date inventory of every system component  

These actions reduce the likelihood of a successful attack and create a foundation for faster containment if one occurs. 

Detection and Analysis:  

The purpose of this phase is to identify incidents early and accurately so that CMS can limit their impact. 

  • Be aware of common attack vectors such as removable media, attrition, web and email activity, impersonation, or improper usage 
  • Recognize the signs of an incident, and the difference between precursors (signs that an incident may occur in the future) and indicators (evidence that an incident has occurred or is occurring) 
  • Report all suspected incidents to the IMT for analysis 
  • Record ongoing updates in the Incident Response Reporting Template and prioritize incidents using the IR Reporting Document 

Early and accurate detection allows CMS to contain incidents before they escalate. 

Containment and Recovery:  

  • Choose a containment strategy based on the incident type, with input from the IMT 
  • Collect and handle evidence following the CCIC Forensic, Malware and Analysis Team (FMAT) guidelines; IMT coordinates support for responders 
  • Identify the source of the attack and eradicate it by removing malicious components and fixing exploited vulnerabilities. 
  • Restore and secure systems with IMT coordination  

Containment and recovery protect mission-critical services and demonstrate CMS’s ability to resume operations safely. 

Post-Incident Activity:  

The final phase ensures CMS learns from every incident to strengthen future resilience. 

  • Conduct a “Lessons Learned” meeting to review what happened, how it was handled, and what could be improved. 
  • Update the IRP or related procedures based on findings. 
  • Retain and archive evidence; the IMT coordinates with FMAT to support responders. 

Documenting lessons learned turns each incident into actionable improvements across systems, teams, and policies. 

CMS uses automated tools to support the entire incident handling process. Systems such as ServiceNow and Splunk help track incidents, correlate data, and provide real-time alerts. The CCIC reviews this information to identify trends, ensuring CMS continually improves both detection and response capabilities. 

Information Spillage  

CMS assigns the Incident Management Team (IMT) to manage all information spillage incidents. The IMT coordinates with stakeholders to contain, investigate, and resolve each event. The goal is to prevent further exposure of sensitive data, ensure appropriate cleanup, and reinforce safe handling practices. 

To prepare staff, CMS requires all users to complete annual Computer-Based Training (CBT), which includes incident response content. Users in security-related roles must also complete Role-Based Training before receiving system access and every year thereafter. Completion is tracked by user ID and account creation date, and users receive automated reminders. These requirements ensure everyone who handles CMS data understands what to do if a spill occurs. 

Users must electronically sign the Rules of Behavior (RoB). Failure to complete required training or acknowledge these rules may result in revoked access. This accountability step reinforces that protecting information is a shared responsibility. 

When a spill occurs, CMS monitors VPN access for malware or viruses. If detected, the agency first attempts remote cleaning. If remote cleanup fails, the affected user must return the device for forensic analysis and receives a temporary replacement. This ensures that contaminated systems do not endanger CMS networks. 

To contain and resolve a spill, CMS follows these steps: 

  1. Contain the spill and identify affected systems. 
  2. Sanitize the data using approved tools. 
  3. Replace or reimage systems if sanitization fails. 

If a user is exposed to information beyond their authorized access, their manager meets with them to review applicable laws, policies, and restrictions. This conversation reinforces understanding of responsibilities and the importance of safeguarding sensitive data. 

Each step in the information spillage process supports the broader CMS mission to maintain data integrity, protect personal information, and comply with federal security and privacy standards. 

Incident Monitoring  

Incident monitoring ensures that every information system security incident at CMS is properly documented, tracked, and analyzed. This process allows CMS to identify trends, improve response strategies, and strengthen overall cybersecurity resilience. 

The Cybersecurity Integration Center (CCIC) provides agency-wide services that support this effort, including vulnerability management, security engineering, incident response, forensics, malware analysis, cyber threat intelligence, penetration testing, software assurance, and Continuous Diagnostics and Mitigation (CDM). 

The Incident Management Team (IMT) records and tracks incidents while other stakeholders—such as incident responders, Information System Security Officers (ISSOs), and system owners—supply the details needed for effective monitoring. This collaboration ensures that incident data is accurate and actionable. 

CMS uses several automated tools to collect, track, and analyze incident information. The RSA Archer/CMS FISMA Continuous Tracking System (CFACTS) SecOps Module tracks potential incidents under investigation by the CCIC Security Operations Center (SOC). The IMT manages this system, ensuring information remains up to date and that incident records are reviewed and analyzed for patterns or emerging risks. 

These insights support ongoing improvement of CMS’s cybersecurity posture by identifying where controls or training can be strengthened. 

Additional automated services include: 

  • ServiceNow, which manages all privacy and security incident tickets for tracking and reporting. 
  • HHS Archer, which notifies HHS of an incident. When a ServiceNow ticket is assigned to CMS IMT, a corresponding “shell” ticket is automatically created in HHS Archer. 
  • The IMT updates the ServiceNow ticket as the investigation progresses, and those updates automatically populate in HHS Archer until the incident is resolved. 
  • CMS RSA Archer/CFACTS SecOps Module, which supports investigation of potential incidents identified by the CCIC SOC. 

By using these integrated tools and coordinated monitoring practices, CMS maintains near real-time awareness of its security environment, ensuring faster detection, stronger response, and improved prevention of future incidents. 

Incident Reporting  

Incident reporting ensures that all potential security and privacy incidents are communicated quickly, accurately, and through the proper channels. Timely reporting allows CMS to contain threats early, reduce the risk of harm, and meet federal requirements for notification and documentation. 

To strengthen its security operations and reduce the risk of malicious activity, CMS established the Cybersecurity Integration Center (CCIC). The CCIC provides enterprise-wide situational awareness and near real-time risk management. It monitors security events across all CMS systems, identifies configuration weaknesses or vulnerabilities, and shares relevant threat intelligence—such as Indicators of Compromise (IOCs) and available security patches—with the appropriate staff. 

Within the CCIC, the Incident Management Team (IMT) supports and coordinates all responses to security incidents. All information security and privacy incidents must be reported to the CMS IT Service Helpdesk within one hour of discovery. The Helpdesk alerts the IMT when further action is needed. CMS uses automated tools to support this process, helping staff report incidents consistently and enabling accurate tracking and analysis. 

Steps for reporting: 

  1. Report the suspected incident to the CMS IT Service Desk: 
     • Internal: (410) 786-2580 
     • External: (800) 562-1963 
     • Email: CMS_IT_Service@cms.hhs.gov 
  2. Collect as much supporting information as possible using the Incident Response Reporting Template. Provide details such as: 
     • CMS/FISMA system(s) affected 
     • Date the breach occurred and the date discovered 
     • Type of information involved (for example, name, MBI, SSN) 
     • Number of records affected 
     • Exposure type or level (internal, contractor, external) 
  3. Send the completed form to the CMS IT Service Desk. The Helpdesk will create a ServiceNow ticket and record the incident in HHS Archer, the HHS incident response system. 
  4. The IMT updates the ServiceNow ticket as the investigation progresses. Updates automatically synchronize with HHS Archer until the incident is resolved. 

When reporting, it is better to err on the side of caution. If you are uncertain whether an event qualifies as an incident, report it so the IMT can assess and confirm. Early reporting ensures issues are addressed before they escalate and helps protect systems, data, and individuals. 

Incident Response Assistance  

CMS provides incident response assistance to help users handle and report security or privacy incidents quickly and correctly. This support is a core part of CMS’s overall incident response capability and ensures that no user has to manage a potential incident alone. 

The process is straightforward: 

  • A user contacts the CMS IT Service Helpdesk for assistance. 
  • If additional support is needed, the Helpdesk notifies the Incident Management Team (IMT). 
  • The IMT reviews the situation, confirms whether an incident has occurred, and coordinates the appropriate response and mitigation steps. 

CMS also uses automated systems to make incident response information easily available and to connect users with the right resources. These systems include: 

These multiple channels ensure that users can reach help from wherever they are working, promoting quick communication and consistent action across CMS. 

Effective assistance reduces confusion, ensures incidents are handled properly, and helps protect sensitive data and systems from further risk. 

Incident Response Plan  

The CMS Incident Response Plan (IRP) provides a clear roadmap for managing cybersecurity and privacy incidents across the organization. The purpose of the plan is to ensure that CMS can respond quickly, effectively, and consistently to protect systems, data, and individuals. 

The IRP is tailored to the agency’s specific mission, size, structure, and functions. In addition to the enterprise-wide plan, each information system must maintain its own IRP that aligns with the CMS-wide plan and defines system-specific procedures for handling incidents. This alignment ensures that all systems follow consistent standards while allowing flexibility for their unique operational needs. 

The IRP outlines required resources, management support, and procedural steps needed to coordinate a complete and effective response. CMS’s incident response policy is established in the Information Systems Security and Privacy Policy (IS2P2), which provides the governing framework for all incident response activities. 

The IRP is reviewed and approved annually by the appropriate Business Owner and shared with key stakeholders, including the CMS Chief Information Officer (CIO), Chief Information Security Officer (CISO), Information System Security Officer (ISSO), the Office of Inspector General’s Computer Crime Unit, Incident Response Team members, the PII Breach Response Team, and Operations Centers. Any updates are communicated promptly to all stakeholders to maintain consistent understanding and implementation. 

The CCIC IMT developed and maintains the IRP to guide CMS’s overall incident response efforts. Regular review and communication of this plan help ensure that CMS remains prepared for evolving threats and can continuously strengthen its response capability. 

Summary of Incident Response at CMS  

CMS’s Incident Response (IR) program provides a comprehensive framework for detecting, reporting, responding to, and recovering from cybersecurity and privacy incidents. The program’s purpose is to protect CMS systems, sensitive data, and the individuals whose information the agency manages. 

The program is led by the Cybersecurity Integration Center (CCIC) and its Incident Management Team (IMT). Together, they operate under federal and HHS policies—specifically the Information Systems Security and Privacy Policy (IS2P2) and Acceptable Risk Safeguards (ARS 5.1)—to ensure a consistent and coordinated agency-wide approach to incident management. 

CMS maintains a formal Incident Response Plan (IRP) that is reviewed and updated annually. Each information system must also maintain its own plan aligned with the enterprise IRP. These plans define clear roles, responsibilities, and procedures so that every team can act quickly and confidently when an incident occurs. 

Incident handling follows a structured four-phase process: 

  • Preparation – ensuring systems and staff are ready to respond 
  • Detection and Analysis – identifying and assessing potential incidents 
  • Containment and Recovery – limiting damage and restoring operations 
  • Post-Incident Activities – capturing lessons learned to improve future readiness 

CMS supports its IR program with automated tools such as ServiceNow, RSA Archer/CFACTS, and Splunk. These systems enable real-time monitoring, reporting, and coordination across teams and provide visibility into potential threats and response activities. 

All employees and contractors receive annual role-based training and participate in tabletop exercises to maintain proficiency and readiness. Incidents must be reported to the CMS IT Service Helpdesk within one hour of discovery. The IMT provides ongoing assistance and ensures that every incident is documented, analyzed, and resolved according to CMS and federal standards. 

Through this structured, coordinated approach, CMS strengthens its ability to manage threats, reduce risks, and safeguard both mission-critical systems and the people they serve. 
