Published on: 8/2/2018
This memo is rescinded as of January 3, 2022 with the publication of ARS 5.0 and its updates to the Access Control Family (AC)-02 Account Management Standard.
The original memo is provided below for historical reference only.
Purpose
This Memorandum informs all CMS stakeholders of the update to the CMS Acceptable Risk Safeguards (ARS) AC-02 Account Management standard, line "J". Account Management is a critical function for developing and implementing an access control framework that is appropriate for protecting the information contained in systems and applications.
What’s changed
According to ARS 3.1, AC-02, line "J" requires reviewing accounts every 90 days for High and Moderate systems, and every 365 days for Low systems. The Department of Health & Human Services (HHS) Information Systems Security and Privacy Policy (IS2P) stipulates that systems with a FIPS 199 categorization of Low, Moderate, or High are all given 365 days for review.
Policy update
In an effort to align with this department standard, effective immediately, the ARS Account Management control will require the following:
All accounts must be reviewed for compliance with account management requirements every 365 days for all system categorizations.
Additional resources
Contact
If you have questions about this policy change, contact the CISO Team.
- Email: CISO@cms.hhs.gov
- CMS Slack: #ispg-sec_privacy-policy
This memorandum does not supersede any requirements of government law, rule, or regulation.