Published: 6/21/2023
ISPG will transition away from the Risk Management Handbook
What you need to know about this change and how it will impact your daily work
The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS.
The new website aims to provide:
- Policy guidance in plain language that is digestible and easy to understand
- Clear text that breaks down complex compliance activities into actionable content and next steps
- An improved experience for content publishers, who can now make changes and edits without having to rely on versioned PDFs
As more new content becomes available, ISPG leadership is also looking at some of our legacy documents and seeing where we can make improvements – including the Risk Management Handbook (RMH).
What is changing?
With the launch of CyberGeek, you may have noticed that the current chapters of the RMH can be found on a page called CMS Security and Privacy Handbooks. This page will be the new home for all updated policy Handbooks produced and maintained by ISPG.
The CMS Security and Privacy Handbooks are designed to be helpful resources that guide the activities of CMS staff and contractors who support the development, operations, maintenance, and disposal of CMS information systems. They are aligned with the NIST SP 800-53 catalog of security controls, which are the foundation for CMS's security and privacy standards. The Handbooks also support the risk management approach laid out in the NIST Risk Management Framework and the Federal Information Security Management Act (FISMA).
Over time, the RMH chapters will be modified and absorbed into the broader CMS Security and Privacy Handbooks for a more flexible approach to procedural guidance – not dependent on specific security controls, but still covering all the topics needed to help CMS staff and contractors follow policies, standards, and best practices.
Why is this change happening?
CMS has made many changes in an effort to evolve the processes and procedures we use to keep systems and user data safe. Programs like Ongoing Authorization (OA), Cybersecurity and Risk Assessment Program (CSRAP), and Continuous Diagnostics and Mitigation (CDM) are moving CMS towards a compliance approach that is:
- Risk-driven rather than compliance-driven
- Capability-oriented rather than control-oriented
- More understandable and actionable
The decision to move away from control-based documentation and instead focus on system capabilities was made to better-align CMS policies with current NIST standards. This directly impacts documents like the RMH, which was structured tightly around controls.
What can I expect moving forward?
As we implement this change, you can expect to see more Handbooks focused on system capabilities rather than specific controls. That means – for example – that instead of using the former RMH Chapter 1: Access Control (AC), you will find on CyberGeek the new CMS Access Control Handbook.
Stay tuned to CyberGeek for more information and new Handbooks coming soon! As always, if you have questions about security and privacy policy and how it impacts your system, reach out to the experts on Slack at #ispg-sec_privacy-policy, who can help you get the answers you need.
About the publisher:
The ISPG Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.