Skip to main content

Policy for Work Performed Outside the US and Its Outlying Territories

This policy establishes the requirements, governance, and approval processes for work performed outside the United States and its Outlying Territories by CMS employees, contractors, and subcontractors.

Last Reviewed: 7/10/2026

Contact: OCONUS | CISO@cms.hhs.gov

Introduction

The Centers for Medicare & Medicaid Services (CMS) is entrusted with protecting sensitive information, critical assets, and national security–related systems while ensuring continuity of operations and effective mission delivery. In an increasingly globalized operating environment, CMS must balance operational flexibility with rigorous safeguards to preserve data integrity, confidentiality, and compliance with federal laws and regulations.


This policy establishes the requirements, governance, and approval processes for work performed outside the United States and its Outlying Territories by CMS employees, contractors, and subcontractors. In accordance with Homeland Security Presidential Directive-12 (HSPD-12), Personal Identity Verification (PIV) standards, and applicable acquisition, cybersecurity, privacy, and national security authorities, CMS requires formal authorization and risk-based review before permitting any activities, including data transmission or system access, to occur abroad.


The policy defines approval authorities, risk attestation requirements, and security controls applicable to both contracted and non-contracted activities conducted outside the United States and its Outlying Territories. It also establishes oversight, compliance, and enforcement mechanisms to ensure CMS maintains visibility into foreign work locations, mitigates risks associated with foreign ownership, control, or influence (FOCI), and preserves U.S. data sovereignty. By implementing this policy, CMS reinforces its commitment to safeguarding federal information systems while ensuring that any approved outside the United States and its Outlying Territories activities are demonstrably in the best interest of the Government.

Policy


To comply with the requirements of Homeland Security Presidential Directive-12 (HSPD-12) and Personal Identity Verification (PIV) of Federal Employees and Contractors, CMS must achieve appropriate security assurance for multiple CMS information systems by efficiently verifying the claimed identity of individuals performing work. The Contractor and its subcontractor(s), as well as CMS Centers and Offices, shall not perform any activities, including the transmission of data or other information, outside of the United States and its Outlying Territories without the required prior written approvals.


If work must be performed outside the United States and its Outlying Territories, the Contracting Officer (CO) or CMS Center/Office Contracting Officer Representative(COR) shall submit a written request to the Division of Strategic Information (DSI) within the Information Security and Privacy Group via international@cms.hhs.gov and CISO@cms.hhs.gov for review and disposition at least forty-five (45) calendar days prior to the work beginning. Where State law or contract terms mandate U.S.-only storage, the stricter requirement prevails.

Contracted Activities


The Contractor and its subcontractor(s) shall not perform any activities within their contract outside the United States and its Outlying Areas Territories without the prior written approval of the Contracting Officer. Their approval is dependent on the Contracting Officer receiving relevant CMS concurrence outlined in this policy as outlined in the CMS Governance Overlay.

1) Contracting Officer Review Factors The Contracting Officer will, in consultation with DSI, consider the following when determining whether to authorize performance abroad:
          a. Description of work to be completed outside the United States and its Outlying Territories including references to applicable contract terms and conditions                   (e.g., Statement of Work or Performance Work Statement)
                       • Total projected dollar value of the work
                       • Projected labor hours and duration for each individual employee
                       • Desired country/location where the work will be performed. See FAR Part 25 (Foreign Acquisitions), HHSAR Part 325 (Foreign Acquisitions),and other                             applicable laws and regulations that will be considered by the CO and DSI during the assessment
                       • Contractor and/or subcontractor plan to protect and secure CMS data, including:
                              ♦ Alignment to a Minimum Technical Safeguards for Work Performed Outside the United States and Its Outlying Territories
                              ♦ Personnel, physical, and system security terms and controls
                              ♦ CMS review and auditability of system security terms and controls
                              ♦ Foreign Ownership, Control, or Influence (FOCI) mitigation plans and controls
                              ♦ Confidentiality and privacy requirements for data protection to include Federal and State laws and regulations
                              ♦ Relevant contract terms tied to the Statement of Work
                              ♦ Corporate compliance plans and policies
                              ♦ Export control and International Traffic in Arms Regulations (ITAR) terms and controls
                              ♦ Terms and controls to detect and mitigate engagement with countries of concern and restricted entities.
                              ♦ Analysis of whether (and how) other country/location’s laws conflict with U.S. data sovereignty (e.g., data access laws)
                              ♦ Necessity of Government Furnished Equipment (GFE) or Contractor Owned/Contractor Operated (COCO) devices and secure VPN or VDI access.
                              ♦ Compliance with Executive Order 13940 (U.S. workforce protection).
                              ♦ Conformance with Section 889 of Public Law 115-232 (telecommunications/video surveillance restrictions).
          b. Whether approval is in the best interests of the Government. The Contractor’s request for authorization to perform work outside the U.S. shall include                           supplemental information to demonstrate that the performance of the work outside the U.S. satisfies all the above factors.
                       • CMS Governance Overlay In addition to Contracting Officer approval, the COR of the contracted activities must also:
                              ♦ Obtain CMS Center/Office Director approval
                              ♦ Obtain Deputy COO or higher approval if the work involves (directly or indirectly) CMS defined critical assets, national security, or sensitive CMS                                     data
                              ♦ Complete a standardized CMS risk attestation signed by both the Contractor and the sponsoring CMS Center/Office, and re-attested on at least                                     an annual basis or upon material changes
          c. For systems under an Authorization to Operate (ATO), Work Performed Outside the United States and Its Outlying Territories-related changes require security              impact analysis and ATO update/approval prior to execution
          d. CO and OAGM will maintain a compliance register, and report at least quarterly on active outside the United States and its Outlying Territories approvals,                      locations, and evidence status. At minimum the report will be distributed to the CISO, CIO, OGC, Privacy Officer, Contracting Officer, and DSI.
          e. Supplemental Conditions
                       • CMS approval may also require contract changes such as SOW/PWS revision, or addition of relevant clauses.

Non-Contracted Activities


1) CMS Centers and Offices shall not initiate any CMS-led activity outside the United States and its Outlying Territories without the required approvals, as listed on the     below CMS Risk Attestation.
          a. Standard Activities – Require prior written approval from the CMS Center/Office Director.
          b. High-Risk Activities – Activities involving CMS defined critical assets, sensitive CMS data, or national security considerations require Deputy COO or higher                   approval.
          c. Risk Attestation – All CMS Centers/Offices initiating work abroad must sign the standardized CMS risk attestation acknowledging identified risks, mitigation                 strategies, and accountability for impacts.
          d. Material changes – planned operational changes (whether by CMS, Contractor, or subcontractor) which affect terms or controls outlined in the Contracting                   Officer Review Factors will result in Contracting Officer approval prior to the changes being implemented.

Compliance and Enforcement


Activities conducted abroad without the proper approvals or attestations may be suspended. Suspension can result in immediate suspension of access, triggering payment holds, claw backs of funds paid, and termination for cause.


The sponsoring program office, in collaboration with the Contracting Officer’s Representative, and DSI, will jointly oversee compliance and enforcement.
 

Appendix A Definitions


These definitions are intended solely for purposes of risk classification, approval authority, and governance under this policy and do not expand or alter CMS statutory authorities or investigative functions.
1) Work means all activities, tasks, services, functions, duties, and deliverables performed or provided by the Contractor, its subcontractor(s), and any CMS Centers and Offices under this contract, including but not limited to the creation, access, processing, transmission, storage, or handling of data or other information
2) Best Interest means a determination that authorizing or conducting work outside the United States and its Outlying Territories is necessary and appropriate to accomplish the CMS mission and that the associated risks to CMS programs, beneficiaries, data, systems, personnel, and public trust have been identified, assessed, and mitigated to an acceptable level, consistent with applicable law, regulation, executive order, and CMS policy.                                                                                            A best-interest determination shall be based on mission necessity, legal compliance, security, privacy data sovereignty, fiscal stewardship, and risk to government operations, and shall not be based solely on cost, convenience, or operational expediency.
3) Critical Assets means CMS information, systems, personnel, infrastructure, or operational capabilities that are essential to CMS mission performance and whose compromise, loss, misuse, degradation, or unauthorized access could reasonably be expected to result in significant harm to CMS operations, program integrity, beneficiary protections, or the interests of the United States Government.
     Critical assets include, but are not limited to:
          • Sensitive CMS data, including personally identifiable information (PII), protected health information (PHI), federal tax information (FTI), and program integrity               data
          • CMS information systems and networks, including systems operating under an Authority to Operate (ATO)
          • Personnel with privileged access, specialized technical knowledge, or decision-making authority
          • Mission-essential business processes and supporting infrastructure.
4) National Security, for purposes of this policy, means the protection of CMS programs, systems, data, and operations from foreign exploitation, influence, coercion, or compromise that could adversely affect the functioning of the United States Government, continuity of services, economic stability, or public confidence.  National security considerations include, but are not limited to, risks associated with foreign ownership, control, or influence; engagement with countries of concern or restricted entities; conflicts between foreign legal regimes and U.S. data sovereignty requirements; export control and supply-chain risks; and remote or offshore access to CMS systems or data.
5) Standard Activities means routine, authorized CMS or contractor functions performed in the normal course of business that are consistent with CMS mission requirements and applicable laws, regulations, contracts, and policies, and that do not involve CMS-defined critical assets, sensitive CMS data, or national security considerations.
When conducted outside the United States and its Outlying Territories, standard activities remain subject to prior approval and completion of the required CMS risk attestation. Activities initially classified as standard may be reclassified if changes in scope, access, location, or operating conditions materially increase risk.

 

Executive Leadership Questions & Responses

Policy for Work Performed Outside the United States and Its Outlying Territories


Intended Audience: CMS Executive Leadership, Directors, Group Directors, Division Directors, Contracting Officers, Contracting Officer Representatives, Business Owners

Purpose. This document provides consistent, executive-approved responses to anticipated questions regarding the Policy for Work Performed Outside the United States and Its Outlying Territories. It is intended to support leadership discussions following policy publication and should be used in conjunction with the Executive Briefing Deck and Executive Talking Points. 

Each response includes a concise Key Message intended to help leaders communicate consistently during meetings, briefings, and informal discussions. The Key Message is not a replacement for the full response; rather, it highlights the primary message leaders should reinforce during conversations.

 

Policy Overview

Q. Why is CMS implementing this policy?

A. CMS operates in an increasingly interconnected global environment where personnel, contractors, technology, information systems, and business processes may extend beyond U.S. jurisdiction. The revised policy establishes a consistent governance framework to help ensure cybersecurity, privacy, operational, legal, and mission considerations are evaluated before work begins outside the United States and its Outlying Territories.

Key Message: The operating environment has changed. As more CMS activities occur across international boundaries, this policy provides a consistent, risk-informed governance framework to support secure mission execution.

 

Q. Why is the policy being updated now?

A. The revised policy reflects the evolving operational, cybersecurity, privacy, and governance risk environment. It replaces the January 2021 Office of Acquisition and Grants Management (OAGM) policy, which focused primarily on contracted work performed outside the United States. The updated policy expands the governance framework to include both contracted and non-contracted CMS business activities.

Key Message: We're modernizing an existing policy. The revised policy replaces the 2021 policy and expands governance beyond contracted work to reflect how CMS operates today.

 

Policy Scope

Q. Who does this policy apply to?

A. The policy applies to CMS employees, contractors, subcontractors, and CMS Centers and Offices performing activities outside the United States and its Outlying Territories.

Key Message: The policy applies to covered CMS activities performed outside the United States and its Outlying Territories, including those involving employees, contractors, subcontractors, and CMS partners.

 

Q. What activities are covered?

A. The policy applies to CMS business activities involving personnel, information, information systems, business processes, and information and communications technology (ICT) assets performed or accessed outside the United States and its Outlying Territories.

Key Message: The policy governs where work on behalf of CMS is performed—not just who performs it—including personnel, information, systems, ICT assets, and related business processes.

 

Q. Does the policy only apply to new activities?

A. No. CMS is interested in understanding both proposed new activities and existing business arrangements occurring outside the United States and its Outlying Territories. Existing arrangements will continue while appropriate risk assessments are completed. Following those assessments, CMS will work collaboratively with affected organizations to determine whether additional actions are necessary.

Key Message: No. CMS needs visibility in both new and existing activities being performed Outside U.S. and its Outlying Territories. Existing work is not intended to stop automatically, but it should be identified, assessed, and managed through the policy’s risk-informed review process.

 

Q. Is the purpose of this policy to restrict work Outside U.S. and its Outlying Territories?

A. No. The policy is intended to enable secure mission execution by ensuring covered activities performed outside the United States are evaluated through a consistent, risk-informed governance process. The objective is informed decision-making—not unnecessarily restricting legitimate business activities.

Key Message: The goal is not to stop the mission; it's to support it through consistent, risk-informed governance.

 

Approvals and Governance

Q. What is changing operationally?

A. The revised policy introduces a more structured, transparent, and risk-informed governance process for evaluating activities occurring Outside U.S. and its Outlying Territories. Key changes include:

  • Expanded applicability for both contracted and non-contracted activities.
  • Prior written approval before covered activities begins.
  • Completion of a CMS Risk Attestation Form.
  • Submission of requests at least 45 calendar days before planned work.
  • Additional executive approvals for activities involving critical infrastructure or national security.
  • New terms and conditions addressing contractor responsibilities.
  • Periodic oversight of approved and complex requests.

Key Message: We're making the approval process more consistent, transparent, and risk-informed.

 

Q. Why is a 45-day submission period required?

A. The review process involves evaluation of cybersecurity, privacy, legal, operational, and governance considerations. Early submission provides sufficient time for coordination and helps reduce project delays later in execution.

Key Message: Early planning leads to better decisions. The 45-day review period gives CMS time to evaluate risk before work begins.

 

Q. What is the CMS Risk Attestation Form?

A. The Risk Attestation Form documents key information needed to evaluate proposed activities outside the United States and its Outlying Territories. It provides a standardized process for identifying risks, documenting mitigation strategies, and supporting informed approval decisions.

Key Message: It's a standardized way to document risks, mitigation strategies, and key information needed to support informed approval decisions.

 

Q. When should organizations engage the Information Security and Privacy Group (ISPG)?

A. Organizations are encouraged to engage their Contracting Officers and ISPG as early as possible during planning. Early coordination can clarify policy applicability, identify potential issues, and reduce rework before formal requests are submitted.

Key Message: As early as possible. Early engagement helps clarify requirements, reduce rework, and streamline the review process.

 

Existing Policy

Q. Does this replace the existing OAGM policy?

A. Yes. The revised policy replaces the January 2021 OAGM policy governing contracted work performed outside the United States and its Outlying Territories, and expands the governance framework to include both contracted and non-contracted CMS activities.

Key Message: The 2021 policy is being replaced. It expands governance to include both contracted and non-contracted activities.

 

Exemptions

Q. Are any organizations currently exempt?

A. Yes. At this time, the policy does not apply to Medicare Parts C and D plans, Affordable Care Act (ACA) plans, or certain CMS Innovation Center (CMMI) Accountable Care Organizations (ACOs), which operate under separate statutory or regulatory authorities.

These exemptions do not preclude CMS from conducting broader or targeted threat assessments if circumstances indicate potential risks to critical infrastructure or national security.

Key Message: Yes. Certain organizations operating under separate statutory or regulatory authorities are outside the policy's scope, although CMS may still assess risks when appropriate.

 

Leadership Responsibilities

Q. What should leaders communicate to their organizations?

A. Leaders should emphasize that:

  • The policy is intended to enable secure mission execution through consistent governance.
  • Organizations should engage their Contracting Officers and ISPG early whenever activities are being considered to be performed Outside U.S. and its Outlying Territories.
  • Personnel should seek clarification whenever policy applicability is uncertain.
  • Early collaboration helps reduce delays and supports informed decision-making.

Key Message: Emphasize early planning, early engagement with ISPG, and consistent, risk-informed decision-making to support secure mission execution.

 

Q. What should personnel do if they are unsure whether an activity falls within the policy?

A. Personnel should consult their leadership, Contracting Officer (CO), Contract Specialist (CS), or Contracting Officer Representative (COR), and ISPG as appropriate. Early engagement is encouraged whenever policy applicability is uncertain.

Key Message: Ask early. Consult your leadership, CO, CS, or COR, and engage ISPG whenever there's uncertainty.

 

Q. When should organizations involve the Office of General Counsel (OGC)?

A. Organizations considering new business activities outside the United States and its Outlying Territories may benefit from consulting OGC early in the planning process. Legal guidance may inform business decisions before formal policy review and completion of the Risk Attestation.

Key Message: When legal considerations may affect an activity being performed Outside U.S. and its Outlying Territories, involve OGC early to help inform planning and decision-making.

 

Implementation

Q. Is CMS requiring organizations to immediately stop existing overseas activities?

A. No. The intent is to understand existing activities, evaluate associated risks through a structured assessment process, and determine appropriate next steps collaboratively. CMS does not intend to unnecessarily disrupt existing mission activities while those assessments are being completed.

Key Message: No. The objective is to understand existing activities, assess risk, and work collaboratively toward appropriate next steps without unnecessarily disrupting the mission.

Q. What is the overall objective of this policy?

A. The policy establishes a consistent, risk-informed governance framework that supports secure mission execution, strengthens organizational resilience, improves accountability, and enables informed decision-making regarding activities performed outside the United States and its Outlying Territories.

Key Message: The goal is simple: enable secure mission execution through a consistent, risk-informed governance framework for work performed Outside U.S. and its Outlying Territories.

 

Additional Information

 

Questions regarding policy applicability, approvals, or implementation should be directed to the Information Security and Privacy Group (ISPG) through established policy contacts.