Business / System Owner
Overview
As a Business or System Owner (or other program manager) at CMS, you’re focused on the value and performance of the system(s) that you are responsible for. These systems contain sensitive data related to healthcare services, so it’s important to ensure the safety of that data through security and privacy compliance and best practices.
Our goal is to connect you quickly to the people and resources that can assist you -- not only in achieving compliance, but also in promoting a security-first culture at CMS.
All resources in Business / System Owner
General Information
- Authorization to Operate (ATO)
- Breach Response
- CMS Computer Matching Agreement (CMA)
- CMS CyberWorks
- CMS Enterprise Data Encryption (CEDE)
- CMS Guidance for Security and Privacy Policies
- CMS Information Exchange Agreement (IEA)
- CMS Information Security Advisory Board (CISAB)
- CMS Information System Risk Assessment (ISRA)
- CMS Interconnection Security Agreement (ISA)
- CMS ISSO Journal
- CMS Risk Management Framework (RMF)
- CMS Technical Reference Architecture (TRA)
- CMS Vulnerability Disclosure Program (VDP)
- Data Sharing Agreements
- Email Encryption Requirements at CMS
- Federal Information Security Modernization Act (FISMA)
- Federal Risk and Authorization Management Program (FedRAMP)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- ISSO Appointment Letter
- Ongoing Authorization (OA)
- Plan of Action and Milestones (POA&M)
- Privacy Impact Assessment (PIA)
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security and Privacy Requirements for IT Procurements
- Security Controls Assessment (SCA)
- Security Impact Analysis (SIA)
- Software Bill of Materials (SBOM)
- Supply Chain Risk Management (SCRM)
- System Audits
- Zero Trust
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Analysis Team (BAT) Handbook
- CMS Breach Response Handbook
- CMS Cyber Risk Management Plan (CRMP)
- CMS Cybersecurity and Privacy Training & Awareness Handbook
- CMS Guide to Federal Laws, Regulations, and Policies
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Key Management Handbook
- CMS Plan of Action and Milestones (POA&M) Handbook
- CMS Privacy Impact Assessment (PIA) Handbook
- CMS Privacy Program Plan
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- CMS Threat Modeling Handbook
- Configuration Management (CM)
- Guidance for Responsible Use of Artificial Intelligence (AI) at CMS
- HHS Policy for Rules of Behavior for Use of Information & IT Resources
- Identification and Authentication (IA)
- Incident Response (IR)
- Information System Contingency Plan (ISCP) Exercise Handbook
- Information System Contingency Plan (ISCP) Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- Risk Management Handbook Chapter 8: Incident Response (IR)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- System and Services Acquisition (SA)
- Vetting & Credentialling Informational Guide
Tools and Services
- CMS Cybersecurity Integration Center (CCIC)
- CMS FISMA Continuous Tracking System (CFACTS)
- CMS Hybrid Cloud
- Continuous Diagnostics and Mitigation (CDM)
- Cyber Risk Reports (CRR)
- Cybersecurity and Risk Assessment Program (CSRAP)
- ISSO As A Service
- Penetration Testing (PenTesting)
- SaaS Governance (SaaSG)
- SaaS Security Posture Management (SSPM)
- Threat Modeling
Latest articles and updates
- 12/4/2025 (Updates, From Policy)
CISO Memo 25-02: Mandatory enrollment of all cloud resources into CNAPP
All CMS cloud resources must be enrolled in the enterprise Cloud-Native Application Protection Platform (CNAPP) by June 30, 2026.
- 10/1/2025 (Updates, From Policy)
New policy guidance: System and Information Integrity (SI)
New guidance is published for the SI control family, provided by the CMS Information Security and Privacy Program.
- 9/26/2025 (Updates, From Policy)
New policy guidance: Identification and Authentication (IA)
A new informational guide is published for the IA control family, provided by the CMS Information Security and Privacy Program.