Application Teams
Overview
Application and system teams at CMS are the people who design, build, and maintain the platforms that CMS uses to deliver healthcare services. These teams are sometimes called Application Development Organizations (ADOs).
Every person working on CMS systems should aim to proactively mitigate risk in the system lifecycle by considering security at each step and using tools and practices that meet federal standards for information security and privacy.
All resources in Application Teams
General Information
- Authorization to Operate (ATO)
- CMS Cybersecurity Community (C3) Forum
- CMS CyberWorks
- CMS Guidance for Security and Privacy Policies
- CMS Information System Risk Assessment (ISRA)
- CMS ISSO Journal
- CMS Risk Management Framework (RMF)
- CMS Technical Reference Architecture (TRA)
- CMS Vulnerability Disclosure Program (VDP)
- Email Encryption Requirements at CMS
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Key Management Plan Template
- Password Requirements
- Plan of Action and Milestones (POA&M)
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security Controls Assessment (SCA)
- Security Impact Analysis (SIA)
- Software Bill of Materials (SBOM)
- Supply Chain Risk Management (SCRM)
- Vetting and Credentialing (V&C)
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Analysis Team (BAT) Handbook
- CMS Breach Response Plan
- CMS Cybersecurity and Privacy Training & Awareness Handbook
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- CMS Threat Modeling Handbook
- Configuration Management (CM)
- Guidance for Responsible Use of Artificial Intelligence (AI) at CMS
- HHS Policy for Rules of Behavior for Use of Information & IT Resources
- Identification and Authentication (IA)
- Incident Response (IR)
- Information System Contingency Plan (ISCP)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- Security & Privacy Planning (PL)
- Supply Chain Risk Management (SR)
- System and Communication Protection (SC)
- System and Services Acquisition (SA)
Tools and Services
- Advanced Cybersecurity Concepts
- CMS Cybersecurity Integration Center (CCIC)
- CMS FISMA Continuous Tracking System (CFACTS)
- CMS Hybrid Cloud
- Cyber Risk Reports (CRR)
- Cybersecurity and Risk Assessment Program (CSRAP)
- Penetration Testing (PenTesting)
- SaaS Governance (SaaSG)
- SaaS Security Posture Management (SSPM)
- Threat Modeling
Latest articles and updates
- 2/23/2026 | Articles | From Zero Trust
Core cyber essentials for a resilient digital environment
Learn the cyber essentials that will prevent critical breaches, eliminate misconfigurations, and build lasting, verifiable security with a Zero Trust approach.
- 2/13/2026 | Updates | From Policy
System and Communications Protection (SC) at CMS
The System and Communications Protection (SC) control family is a core component of the CMS cybersecurity program. It safeguards how information is transmitted,
- 2/3/2026 | Articles | From CRM
Improving data quality in preparation for onboarding to CDM
Learn how to properly manage data quality in order to smooth the path to CDM onboarding and ensure that CMS systems and end users are protected.