
New policy guidance: System and Information Integrity (SI)

New guidance is published for the SI control family, provided by the CMS Information Security and Privacy Program.

Published on: 10/1/2025

New guidance for SI

A new guidance page is published for the System and Information Integrity (SI) control family, to help system teams at the Centers for Medicare & Medicaid Services (CMS) meet requirements from the CMS Acceptable Risk Safeguards (ARS). The SI control family from NIST SP 800-53 helps CMS ensure that sensitive information is safeguarded and healthcare operations remain resilient.

Read the new guidance for System and Information Integrity (SI).

This new page joins the growing collection of policy guidance provided by CMS to help everyone follow the requirements of the ARS. The former Risk Management Handbook (RMH) chapters are being replaced by informational guides from the Policy team.

Why SI matters at CMS

The System and Information Integrity program at CMS ensures that systems operate securely, reliably, and in compliance with federal standards by:

  • Rapidly detecting and correcting software flaws
  • Monitoring for security alerts, advisories, and unauthorized access
  • Protecting against malicious code, spam, and phishing threats
  • Validating data inputs and outputs to prevent corruption or tampering
  • Supporting the confidentiality, integrity, and availability of CMS information assets
  • Enabling continuous delivery of critical healthcare services for millions of Americans

The SI program at CMS takes a proactive and layered approach to protecting systems and data — including continuous monitoring to ensure ongoing security in a landscape of evolving threats. 

What you’ll find in the SI guide

The new guidance page for System and Information Integrity includes CMS-specific practices for SI. Topics include:

Flaw remediation and patch management

CMS conducts frequent vulnerability scans, applies security patches promptly, and leverages automated tools and technical standards such as the CMS Technical Reference Architecture (TRA). These practices help ensure vulnerabilities are identified and remediated before they can be exploited.

Threat protection and malicious code

CMS employs Endpoint Detection and Response (EDR), anti-malware tools, and sandboxing to defend against malicious code. Real-time monitoring identifies suspicious activity, while reporting channels and awareness programs help users recognize and report phishing and spam threats.

Security alerts and incident response

CMS actively monitors federal and industry security advisories. Through enterprise alerting tools, our Incident Response teams coordinate rapid investigations — supported by threat intelligence, vulnerability scanning, and established playbooks.

Audit logging and privileged access monitoring

All critical activities, system changes, and data access are logged. Privileged user activity — such as that of administrators and database managers — is closely monitored, and least-privilege enforcement limits what those accounts can do. This ensures accountability and protects High Value Assets (HVAs).
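As an added illustration of the kind of privileged-access monitoring described above (this is example code, not CMS tooling): the script below parses sudo entries from an auth log and raises a finding when a non-approved account uses sudo, when sudo authentication fails, or when an approved administrator opens an interactive root shell. The log lines, hostnames, usernames, and the approved-administrator list are constructed for the example.

```python
"""Flag privileged-account activity in sudo log lines.

Added illustration, not CMS tooling. The log lines, hostnames, usernames and
the approved-administrator list below are constructed for the example.
"""
import re
from posixpath import basename

# "Oct  1 09:12:03 host sudo:  user : TTY=... ; PWD=... ; USER=root ; COMMAND=..."
SUDO_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=([^;]*)")

APPROVED_ADMINS = {"admin1", "dba2"}              # constructed allowlist
INTERACTIVE_SHELLS = {"bash", "sh", "zsh", "su"}  # commands that hand out a root shell

# Constructed sample log (not real CMS data).
SAMPLE_LOG = """\
Oct  1 09:12:03 app01 sudo:   admin1 : TTY=pts/0 ; PWD=/home/admin1 ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct  1 09:14:41 app01 sshd[2210]: Accepted publickey for jdoe from 10.1.2.3 port 51022 ssh2
Oct  1 09:15:07 app01 sudo:     jdoe : TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Oct  1 09:20:55 db01 sudo:   admin1 : TTY=pts/0 ; PWD=/home/admin1 ; USER=root ; COMMAND=/bin/bash
Oct  1 09:22:10 db01 sudo:     jdoe : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/jdoe ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
"""

def parse_sudo(line):
    """Return a dict for a sudo log line, or None for any other line."""
    m = SUDO_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(rest)}
    rec["target"] = fields.get("USER", "")
    rec["command"] = fields.get("COMMAND", "")
    rec["auth_failed"] = "incorrect password" in rest
    return rec

def analyze(log_text, approved):
    """Apply the detection rules; return one finding per (line, rule) pair."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_sudo(line)
        if rec is None:
            continue
        rules = []
        if rec["user"] not in approved:
            rules.append("sudo by non-approved account")
        if rec["auth_failed"]:
            rules.append("failed sudo authentication")
        exe = basename(rec["command"].split(" ", 1)[0]) if rec["command"] else ""
        if exe in INTERACTIVE_SHELLS:
            rules.append("interactive privileged shell")
        for rule in rules:
            findings.append({"line": n, "host": rec["host"], "user": rec["user"],
                             "rule": rule, "command": rec["command"]})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"line {f['line']} {f['host']} {f['user']}: {f['rule']} ({f['command']})")
```

The allowlist is the key design choice: an approved administrator restarting a service produces no finding, while the same command from an account outside the allowlist does. A root shell is flagged even for approved administrators because it breaks the per-command audit trail that sudo otherwise provides.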

Network and intrusion monitoring

Centralized Intrusion Detection and Prevention Systems (IDS/IPS) monitor traffic across CMS networks, while Wireless Intrusion Prevention Systems (WIPS) detect and block unauthorized wireless access points.

Input validation and error handling

CMS business applications are required to validate inputs against their expected formats, reject malformed or unexpected data, and ensure error messages do not expose sensitive information. This safeguards application integrity and reduces risks from injection or corruption attacks.
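An added example of these two requirements together (this is illustrative code, not CMS's own): each request field is checked against an allowlist, unknown fields are rejected, and an unexpected backend failure is logged in full on the server but returned to the caller only as a generic message with a correlation reference. The record-ID format, the field names, and the sample backend with its error text are constructed for the example.

```python
"""Allowlist input validation and non-leaking error responses.

Added illustration, not CMS code. The record-ID format, field names, the
sample backend and its error text are all constructed for the example.
"""
import logging
import re
import uuid

log = logging.getLogger("api")

# Allowlist: define exactly what each field may contain and reject everything else.
RECORD_ID_RE = re.compile(r"[A-Z]{2}[0-9]{8}")   # hypothetical ID format
MAX_NOTE_LEN = 256
ALLOWED_FIELDS = {"record_id", "note"}

class ValidationError(ValueError):
    """Input failed an allowlist check; the message contains no internal detail."""

def validate_request(req):
    """Return a cleaned copy of `req` or raise ValidationError."""
    if not isinstance(req, dict):
        raise ValidationError("request body must be a JSON object")
    if set(req) - ALLOWED_FIELDS:
        # Unknown fields are rejected rather than passed through to the backend.
        raise ValidationError("request contains unexpected fields")
    rid = req.get("record_id")
    if not isinstance(rid, str) or not RECORD_ID_RE.fullmatch(rid):
        raise ValidationError("record_id has an invalid format")
    note = req.get("note", "")
    if not isinstance(note, str) or len(note) > MAX_NOTE_LEN:
        raise ValidationError("note must be a string of at most %d characters" % MAX_NOTE_LEN)
    if any(ord(c) < 32 and c not in "\n\t" for c in note):
        raise ValidationError("note contains control characters")
    return {"record_id": rid, "note": note}

def handle(req, backend):
    """Return (status, body). Internal errors are logged in full but returned only as a reference."""
    try:
        clean = validate_request(req)
        return 200, {"result": backend(clean["record_id"])}
    except ValidationError as e:
        return 400, {"error": str(e)}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("unhandled error ref=%s", ref)   # stack trace and detail stay server-side
        return 500, {"error": "internal error", "ref": ref}

def sample_backend(record_id):
    """Constructed backend: succeeds for one ID, otherwise fails the way a real driver might."""
    if record_id == "AB00000001":
        return {"record_id": record_id, "status": "active"}
    raise RuntimeError("connection to db-prod-01 (10.0.0.5) refused; user=svc password=s3cret")

if __name__ == "__main__":
    for req in ({"record_id": "AB00000001"},
                {"record_id": "AB0000000' OR 1=1--"},
                {"record_id": "AB00000001", "debug": True},
                {"record_id": "AB99999999"}):
        print(handle(req, sample_backend))
```

The last request in the demonstration is the one that matters for error handling: the backend's exception carries a hostname, an address, and a credential, none of which reach the caller; an operator looks them up by the returned reference in the server log instead.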

Secure information lifecycle management

From data collection through secure disposal, CMS follows federal records management and retention requirements. This includes secure deletion methods, legally permissible de-identification of data for testing or training, and honoring requests for data amendments to ensure accuracy.

Cryptography and memory protection

CMS uses FIPS 140-3 validated cryptographic modules to protect data in transit and at rest. System defenses also include memory protection measures such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
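A check a system team can run for the memory-protection measures named above, added here as an example and not taken from the CMS guidance: the script parses `readelf -hlW` output for a binary to report whether its stack is non-executable (the DEP/NX property, carried by the GNU_STACK program header), whether it is position-independent (required for ASLR to randomize the executable image), and whether a RELRO segment is present, and separately reads the system-wide ASLR setting on Linux. The two readelf listings are constructed, abridged samples; the helper names are this example's own.

```python
"""Check a binary's exploit-mitigation posture from readelf output.

Added illustration, not CMS tooling. The two readelf listings are constructed
(abridged) samples; the helper names are this example's own.
"""
import re

# GNU_STACK program header: Flg column is "RW " (non-executable stack) or "RWE" (executable stack).
GNU_STACK_RE = re.compile(
    r"^\s*GNU_STACK\s+(?:0x[0-9a-f]+\s+){5}(?P<flg>[RWE][RWE ]{0,2})\s+0x[0-9a-f]+\s*$",
    re.M | re.I,
)
TYPE_RE = re.compile(r"^\s*Type:\s+(?P<type>[A-Z]+)\b", re.M)
RELRO_RE = re.compile(r"^\s*GNU_RELRO\b", re.M)

def assess(readelf_text):
    """Return NX / PIE / RELRO findings parsed from `readelf -hlW <binary>` text."""
    out = {"nx": None, "pie": None, "relro": None}
    m = GNU_STACK_RE.search(readelf_text)
    if m:
        out["nx"] = "E" not in m.group("flg").upper()
    elif "Program Headers:" in readelf_text:
        # No GNU_STACK header at all: on many architectures the loader falls back to an executable stack.
        out["nx"] = False
    t = TYPE_RE.search(readelf_text)
    if t:
        # DYN = position-independent (a PIE or a shared object); EXEC = fixed load address, so ASLR cannot move the image.
        out["pie"] = t.group("type") == "DYN"
    out["relro"] = bool(RELRO_RE.search(readelf_text))
    return out

def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """System ASLR setting on Linux: 0 = off, 1 = stack/mmap/vdso randomized, 2 = brk as well. None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

# Constructed, abridged `readelf -hlW` output for a hardened build.
HARDENED = """\
ELF Header:
  Type:                              DYN (Position-Independent Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  LOAD           0x001000 0x0000000000001000 0x0000000000001000 0x000181 0x000181 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
"""

# Constructed, abridged output for a weak build: fixed address, executable stack, no RELRO.
WEAK = """\
ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000400000 0x0000000000400000 0x000628 0x000628 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
"""

if __name__ == "__main__":
    print("hardened:", assess(HARDENED))
    print("weak:    ", assess(WEAK))
    print("system ASLR level:", aslr_level())
```

Two caveats worth keeping in mind when using a check like this: a `DYN` type also describes shared libraries, so the PIE result is only meaningful for an executable, and a non-executable stack does nothing for heap or JIT regions, which need their own review.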

Protecting PII and PHI

CMS is committed to safeguarding both Personally Identifiable Information (PII) and Protected Health Information (PHI). We conduct regular reviews of data holdings, enforce strict privacy policies, and provide procedures for handling individual amendment requests in line with HHS guidance.

Questions?

If you have questions or need help regarding policy or guidance information, you can contact the Policy team:

Give feedback

We welcome your feedback on the security guidance provided by the CMS Information Security and Privacy Program. Use our feedback form if you have suggestions or comments about the new SI page.



About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.
