Published on: 12/18/2025
Purpose and audience
This memorandum is for all Business and System Owners, Information System Security Officers (ISSOs), and Application Development Organizations (ADOs) at the Centers for Medicare and Medicaid Services (CMS).
This memorandum provides CMS guidance regarding Authorization to Operate (ATO) requirements for information systems migrating to the OIT Hybrid Cloud environment.
Policy
A system migrating to the OIT Hybrid Cloud environment does not require a new ATO provided a Security Impact Analysis (SIA) is completed, signed and approved by:
- The system team
- Infrastructure and User Services Group (IUSG)
- Information Security and Privacy Group (ISPG)
Additional requirements
A new ATO is not required when the following conditions are met:
- The system has a current, active ATO.
- The system’s hosting environment is a CMS-authorized environment.
- An SIA documenting the migration scope and security impact is completed and signed / approved by the system team, IUSG, and ISPG.
- The system is integrated with Continuous Diagnostics and Mitigation (CDM) tooling, Enterprise Cloud-Native Protection Platform (CNAPP), and Enterprise Security Information and Event Management (SIEM).
Documentation
Collection and verification of the following artifacts must be completed upon migration to ensure there are no unintended consequences of the migration to the security and privacy controls of the system:
- Approved Security Impact Analysis (SIA) signed by the system team, IUSG and ISPG
Contact
If you have questions, please contact the Information Security and Privacy Group (ISPG): CISO@cms.hhs.gov.