The debut of CyberGeek has allowed ISPG to re-evaluate the way we publish and manage our core documents. CyberGeek is now the official ISPG website and serves as the single-source of truth for security and privacy at CMS that provides: 

• Policy guidance in plain language that is digestible and easy to understand
• Clear text that breaks down complex compliance activities into actionable content and next steps 
• An improved experience for content publishers, who can now make changes and edits without having to rely on versioned PDFs 

As more new content becomes available, ISPG leadership is also looking at some of our legacy documents and seeing where we can make improvements – including the templates that are currently housed in the legacy Information Security and Privacy Library. 

What is changing? 

The CMS Policy Team has reviewed our current security and privacy templates and determined that many do not reflect the current-state of both system management and information delivery at CMS. As a result, the Policy Team has made decisions about how to proceed with each template to best support our current processes and standards. 

Some templates are moving to the new ISPG website, while others are now managed in other systems (such as CFACTS). All templates will soon be retired completely from the CMS Information Security and Privacy Library. 

Why is this change happening? 

Every FISMA system at CMS is unique. Each system has distinct risk factors and challenges that impact how it is managed long-term. CMS is moving towards a more flexible approach to procedural guidance that is not solely dependent on specific security controls and is instead: 

• Risk-driven rather than compliance-driven 
• Capability-oriented rather than control-oriented
• More understandable and actionable

While our security and privacy standards will always be aligned with the NIST SP 800-53 catalog of security controls, we recognize that pre-formatted templates may not serve the needs of the majority of systems at CMS moving forward. Templates can be helpful tools, but they are often limited by their contents. Many of our current templates lack the nuance and specificity required to meet System Teams where they are when it comes to managing their systems. 

What templates are changing? 

The legacy CMS Information Security and Privacy Library is the current home to 12 templates that address various FISMA system compliance activities. Here’s what’s happening with each one:

Business Impact Analysis (BIA) Process and Template

This template will remain in the legacy library for now (located here), as CMS makes improvements to its Business Impact Analysis (BIA) process. Later, you will be able to find updated BIA information (and any related templates) on CyberGeek.

CMS Information Security Risk Acceptance Template

This template will be permanently retired from the legacy library. You can now find all Risk Acceptance Forms in CFACTS under the Risk Acceptance (RBD) tab in the Navigation Menu. 

CMS Penetration Testing Rules of Engagement Template

The Penetration Testing Rules of Engagement Template (PenTesting ROE Template) is permanently retired from the legacy library. The PenTesting team will work with you to determine the Rules of Engagement (ROE) for your specific PenTest. Learn more about PenTesting here.

Information System Risk Assessment Template

This template is permanently retired. All information about the ISRA can be found in CFACTS and completed in CFACTS. You can also read more about the ISRA process here.

Interconnection Security Agreement Template

You can now find this document on CyberGeek. Simply copy the text from the site and paste it into a document to start your template. You can find it on this page.

Memorandum of Understanding (MOU) Template

MOUs, MOAs, and IAAs are administered by the Office of Acquisitions and Grants Management (OAGM) within CMS. This template is permanently retired from the legacy library. If you require an MOU or MOA, please contact InteragencyAgreements@cms.hhs.gov. You can also visit CyberGeek to learn more about MOUs.

NIST Information System Contingency Plan Template

This template will no longer be housed in the legacy library. You can access the low, medium, and high templates directly from the NIST website. These templates can also be found on the Contingency Planning page on CyberGeek. 

RMH Chapter 08 Incident Response - Incident Report Template / Form

For now, this form is still accessible on the Information Security and Privacy Library. You can find it linked on this page in CyberGeek. But this form isn't owned by ISPG, so we will be working with the CMS IT Service team to determine a new path for accessing this form when reporting an incident.

RMH Chapter 08 Incident Response - Tabletop Exercise Template (and other Incident Response templates)

All other templates related to Incident Response are now located on the ISPG website (CyberGeek). Simply copy and paste the information into a document to start your template. You can find Incident Response templates here.

Security Assessment Plan Template

This template is no longer recommended for use and is no longer housed in the legacy library. System teams are encouraged to work with their assessment teams (like the Cybersecurity and Risk Assessment Program Team) to manage the security assessments required for your system. 

Security Assessment Report Template

This template is no longer recommended for use and is no longer housed in the legacy library. System teams are encouraged to work with their assessment teams (like the Cybersecurity and Risk Assessment Program Team) to manage the security assessments and reports required for your system. 

Security Impact Analysis (SIA) Template 

This template can now be found on CyberGeek here. Simply copy and paste the text of the template into a document to get started.

Questions?

Stay tuned to CyberGeek for more information and new templates coming soon! As always, if you have questions about security and privacy policy and how it impacts your system, reach out to the experts on Slack at #ispg-sec_privacy-policy who can help you get the answers you need.