
Access Control at CMS: Protecting information through smart, secure access

CMS’s Access Control (AC) program helps protect sensitive systems and information by managing how access is requested, approved, granted, monitored, and removed

Published on: 2/2/2026


What is Access Control (AC)?

At the Centers for Medicare & Medicaid Services (CMS), cybersecurity isn’t just about blocking threats—it’s also about ensuring that only the right people can access the right resources at the right time. CMS’s Access Control (AC) program helps protect sensitive systems and information by managing how access is requested, approved, granted, monitored, and removed.

Why AC matters

Access control is foundational to protecting the confidentiality, integrity, and availability of CMS systems and data. Strong access control helps CMS:

  • Prevent unauthorized access and misuse
  • Limit access based on job responsibilities (least privilege)
  • Support secure remote and mobile work
  • Detect unusual activity through logging and monitoring
  • Meet federal security requirements (including FISMA and NIST SP 800-53) and HHS/CMS policy

How CMS implements access control

CMS access control practices are aligned with federal and departmental policy, including HHS IS2P and CMS’s IS2P2, and implemented in accordance with CMS security requirements such as the Acceptable Risk Safeguards (ARS). CMS security leadership—including the CISO and ISSOs—supports consistent implementation across CMS environments.

Key features of the CMS Access Control program

Account management

  • Access is granted based on verified identity, role, and valid business need
  • Access requests require appropriate approvals and user readiness (e.g., required training and Rules of Behavior)
  • Accounts and privileges are reviewed regularly and updated or removed when no longer needed
  • Temporary, emergency, or guest access is time-limited and monitored
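The account management rules above read as a checklist, which is how an access review is usually run in practice. The following is an added example, not CMS code or tooling: it scores a constructed account inventory against those rules (verified business need, a named approver who is not the requester, completed training and a signed Rules of Behavior, an expiry on temporary, emergency or guest access, and no dormant accounts). The field names, the 90-day and 30-day dormancy thresholds, and the sample accounts are assumptions for illustration; the actual thresholds for a CMS system come from the ARS.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds and access types for this example; the ARS sets the
# real values for each system's security categorization.
DORMANT_AFTER = timedelta(days=90)
PRIVILEGED_DORMANT_AFTER = timedelta(days=30)   # privileged accounts reviewed more tightly
TIME_LIMITED = {"temporary", "emergency", "guest"}


@dataclass
class Account:
    """One row of a constructed account inventory (field names are assumed)."""
    user: str
    role: str
    business_need: str          # documented justification; "" means none on file
    requested_by: str
    approved_by: Optional[str]  # None means the request was never approved
    training_complete: bool     # required security training done
    rob_signed: bool            # Rules of Behavior acknowledged
    access_type: str            # "standard" or one of TIME_LIMITED
    expires: Optional[date]     # mandatory for TIME_LIMITED access
    last_login: Optional[date]  # None means the account has never been used
    privileged: bool = False


def review_account(acct: Account, today: date) -> list[str]:
    """Return the findings that should block, modify or revoke this account's access."""
    findings = []
    if not acct.business_need:
        findings.append("no documented business need")
    if acct.approved_by is None:
        findings.append("missing approval")
    elif acct.approved_by == acct.requested_by:
        # Requester and approver must differ (separation of duties).
        findings.append("self-approved request (separation of duties)")
    if not (acct.training_complete and acct.rob_signed):
        findings.append("user readiness incomplete (training or RoB)")
    if acct.access_type in TIME_LIMITED:
        if acct.expires is None:
            findings.append(f"{acct.access_type} access has no expiry")
        elif acct.expires < today:
            findings.append(f"{acct.access_type} access expired {acct.expires.isoformat()}")
    limit = PRIVILEGED_DORMANT_AFTER if acct.privileged else DORMANT_AFTER
    if acct.last_login is None or today - acct.last_login > limit:
        findings.append(f"dormant: no login in the last {limit.days} days")
    return findings


def review(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Map each account that needs action to its findings; clean accounts are omitted."""
    return {a.user: f for a in accounts if (f := review_account(a, today))}


# Constructed sample inventory, not CMS data.
SAMPLE_ACCOUNTS = [
    Account("alice", "analyst", "claims QA", "alice", "mgr1", True, True,
            "standard", None, date(2026, 1, 30)),
    Account("bob", "contractor", "data migration", "bob", "bob", True, True,
            "temporary", date(2026, 1, 15), date(2026, 1, 10)),
    Account("carol", "sysadmin", "", "mgr2", None, True, False,
            "standard", None, date(2025, 9, 1), privileged=True),
    Account("dave", "vendor", "audit support", "dave", "mgr1", True, True,
            "guest", None, date(2026, 2, 1)),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE_ACCOUNTS, date(2026, 2, 2)).items():
        print(user, "->", "; ".join(findings))
```

Run against the sample data as of 2026-02-02, alice passes, bob's temporary access is both self-approved and expired, carol's privileged account has no documented need, no approval, an unsigned RoB and months of inactivity, and dave's guest access has no expiry. In a real review the findings feed a ticket to the ISSO and the approver rather than a print statement.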

Strong authentication

  • CMS uses multi-factor authentication (MFA) and secure session controls
  • Session timeouts and automatic termination reduce the risk that an unattended or hijacked session is used by someone else

Remote and mobile access

  • Remote access is provided through CMS-approved secure solutions (e.g., VPN or virtual desktop services)
  • Remote connections are encrypted using FIPS 140-validated cryptographic modules and must meet CMS security requirements
  • Mobile and portable devices must follow strict access and encryption standards

Privileged access and separation of duties

  • Privileged accounts are restricted to authorized personnel and managed carefully
  • Administrative actions are logged and subject to oversight
  • Separation of duties reduces the risk of misuse and improves accountability

Monitoring and anomaly detection

  • Account activity is logged to support auditing and investigations
  • Suspicious activity can be flagged and escalated through CMS cybersecurity monitoring and incident response channels
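Logging is only useful if something reads the logs. As an added example, not CMS detection content, here is a small detector run over constructed audit lines that covers two of the situations this post describes: a successful login that follows a burst of failures (a sign of password guessing), and a privileged action performed by an account that is not on the privileged allowlist. The log format, the thresholds, the allowlist and the action names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed detection parameters and privileged allowlist for this example.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)
PRIVILEGED_USERS = {"carol"}
PRIVILEGED_ACTIONS = {"create_user", "grant_role", "disable_mfa"}


def parse_line(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value ...' audit line (assumed format)."""
    ts_str, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines: list[str]) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, user, reason) alerts in time order."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    for e in events:
        user, action = e["user"], e["action"]
        if action == "login":
            if e["result"] == "failure":
                failures[user].append(e["ts"])
                continue
            # A success: count the failures inside the window just before it.
            recent = [t for t in failures[user] if t >= e["ts"] - FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append((e["ts"], user,
                               f"successful login after {len(recent)} failures within {FAIL_WINDOW}"))
            failures[user].clear()
        elif action in PRIVILEGED_ACTIONS and user not in PRIVILEGED_USERS:
            alerts.append((e["ts"], user,
                           f"privileged action {action} by non-privileged account"))
    return alerts


# Constructed sample audit log, not CMS data.
SAMPLE_LOG = [
    "2026-02-02T03:10:00Z user=bob action=login result=failure src=10.0.0.5",
    "2026-02-02T03:10:30Z user=bob action=login result=failure src=10.0.0.5",
    "2026-02-02T03:11:00Z user=bob action=login result=failure src=10.0.0.5",
    "2026-02-02T03:11:30Z user=bob action=login result=failure src=10.0.0.5",
    "2026-02-02T03:12:00Z user=bob action=login result=failure src=10.0.0.5",
    "2026-02-02T03:12:30Z user=bob action=login result=success src=10.0.0.5",
    "2026-02-02T08:00:00Z user=alice action=login result=failure src=10.0.0.9",
    "2026-02-02T08:00:20Z user=alice action=login result=success src=10.0.0.9",
    "2026-02-02T09:15:00Z user=carol action=create_user result=success target=newuser",
    "2026-02-02T09:40:00Z user=dave action=grant_role result=success target=bob",
]

if __name__ == "__main__":
    for ts, user, reason in detect(SAMPLE_LOG):
        print(ts.isoformat(), user, reason)
```

On the sample, bob's login after five failures and dave's grant_role are flagged; alice's single mistyped password and carol's authorized create_user are not. Either alert is the kind of event that would be escalated through the CMS monitoring and incident response channels mentioned above rather than handled ad hoc.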

Controlled information sharing

  • Access controls help manage how information flows within and between systems
  • External sharing is governed through approved agreements and secure transfer methods

Conclusion

CMS’s Access Control program helps protect systems and sensitive information by enforcing least privilege, strong authentication, secure remote access, and continuous oversight. Whether working onsite or remotely, following access control requirements is essential to maintaining trust and supporting CMS’s mission.



About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.
