Updates
from Policy

System and Communications Protection (SC) at CMS

Published on: 2/13/2026

The System and Communications Protection (SC) control family is a core component of the CMS cybersecurity program. It safeguards how information is transmitted, processed, and protected within and across CMS system boundaries.

Because CMS systems handle sensitive data — including Protected Health Information (PHI) and Personally Identifiable Information (PII) — securing system communications is essential to maintaining confidentiality, integrity, availability, and public trust.

Why SC Matters

The SC program helps CMS:

  • Protect PHI and PII through encryption and secure communications
  • Reduce attack surface by controlling inbound and outbound network traffic
  • Prevent unauthorized access and data exfiltration
  • Support compliance with FISMA, NIST RMF, HIPAA, the Privacy Act, and HHS/CMS policy requirements
  • Promote secure system architecture and engineering practices

How CMS Protects System Communications

CMS implements SC controls through layered safeguards, including:

  • Boundary Protection: Firewalls, IDS/IPS, network segmentation, managed interfaces, and controlled external connections
  • Cryptographic Protection: FIPS-validated encryption, TLS 1.2+ for data in transit, and approved algorithms (e.g., AES-256) for data at rest
  • Secure Transmission: Certificate validation, secure session management, and protection against interception or tampering
  • Documented and Authorized Interfaces: All system connections must be approved, monitored, encrypted, and documented in system security plans

Shared Responsibility

All CMS personnel and contractors play a role in protecting system communications. Key responsibilities include:

  • Using CMS-approved encryption and secure protocols
  • Disabling insecure services (e.g., Telnet, FTP)
  • Applying least privilege principles
  • Validating certificates and managing them appropriately
  • Documenting system interfaces and data flows

The System and Communications Protection program strengthens CMS’s ability to securely deliver healthcare services, protect sensitive information, and maintain the trust of beneficiaries, partners, and stakeholders.

Secure communications are not optional — they are foundational to CMS mission success.



About the publisher

The Information Security and Privacy Policy Team (also known as CMS CISO Team) manages the policies, standards, and guidance that keep information and systems safe at CMS. Our goal is to help you understand requirements and apply them effectively in your project environments – so you can focus on delivering value to CMS beneficiaries and customers.
