Published on: 6/29/2026
2 minute read
CMS Acceptable Risk Safeguards (ARS) 5.2 Is Now Available
The latest version of the CMS Acceptable Risk Safeguards (ARS) 5.2 is now available, providing important updates to help strengthen security across the CMS enterprise.
While ARS 5.2 includes improvements throughout the catalog, the most significant updates focus on Zero Trust, High Value Asset (HVA) requirements, and Federal Tax Information (FTI) safeguards. These enhancements better align CMS security requirements with evolving federal cybersecurity priorities and provide clearer guidance for protecting our most sensitive systems and data.
Whether you're responsible for implementing, assessing, or managing security controls, now is the time to review the updated requirements and understand how they may impact your systems, security documentation, and continuous monitoring activities.
Protecting CMS information is a shared responsibility, and ARS 5.2 provides the latest guidance to help us continue strengthening our security posture.
Visit the CMS ARS page on CyberGeek to access the updated documentation and supporting resources.
The Information System Security and Privacy Policy (IS2P2) has also been updated to reflect minor changes to SaaS verbiage and business owner responsibilities.
Questions or Feedback?
If you have any comments or questions about ARS 5.2, please reach out to the Policy Team at CISO@cms.hhs.gov or join the conversation on our Slack channel, #ARS-Feedback.