Application Teams
Overview
Application and system teams at CMS are the people who design, build, and maintain the platforms that CMS uses to deliver healthcare services. These teams are sometimes called Application Development Organizations (ADOs).
Every person working on CMS systems should aim to proactively mitigate risk in the system lifecycle by considering security at each step and using tools and practices that meet federal standards for information security and privacy.
All resources in Application Teams
General Information
- Authorization to Operate (ATO)
- CMS CyberWorks
- CMS Information System Risk Assessment (ISRA)
- CMS Risk Management Framework (RMF)
- CMS Security and Privacy Handbooks
- CMS Technical Reference Architecture (TRA)
- Email Encryption Requirements at CMS
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Plan of Action and Milestones (POA&M)
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security Controls Assessment (SCA)
- Security Impact Analysis (SIA)
- Software Bill of Materials (SBOM)
- Supply Chain Risk Management (SCRM)
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Analysis Team (BAT) Handbook
- CMS Cybersecurity and Privacy Training & Awareness Handbook
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Key Management Handbook
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- CMS Threat Modeling Handbook
- Configuration Management (CM)
- HHS Policy for Rules of Behavior for Use of Information & IT Resources
- Identification and Authentication (IA)
- Information System Contingency Plan (ISCP) Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- Risk Management Handbook Chapter 8: Incident Response (IR)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
Tools and Services
Latest articles and updates
- 8/18/2025 | Articles | From Zero Trust
Privileged Access Management (PAM) at CMS
Least privilege is critical to securely managing privileged access to data. CMS ADOs should manage privileged access (PAM) for both humans and non-humans.
- 8/15/2025 | Articles | From Training and Awareness
Smart security with AI-driven Splunk
Improving CMS cybersecurity and enhancing SIEM performance with artificial intelligence
- 7/16/2025 | Updates | From Policy
CISO Memo 25-01: Updates for collaboration tools
CISO Memorandum 25-01: Updated Best Practices and Guidance for the Use of Approved CMS Collaboration Tools