CMS Policies and Guidance
Overview
As CMS works to improve healthcare for millions of Americans, information security and privacy policies ensure that sensitive data is protected. CMS Policies and Guidance are how CMS implements federal requirements from higher-level authorities such as HHS and NIST and from legislation such as FISMA.
The policy and guidance pages found on this site are approved by the CMS Chief Information Security Officer (CISO), and are regularly reviewed to ensure accuracy. Updates or changes are posted to the blog. If you have a question about security policy at CMS, contact the ISPG Policy team.
All resources in CMS Policies and Guidance
General Information
- About
- Acronyms
- CMS Enterprise Data Encryption (CEDE)
- CMS Governance, Risk, and Compliance (GRC)
- CMS Guidance for Security and Privacy Policies
- CMS Information Exchange Agreement (IEA)
- CMS Interconnection Security Agreement (ISA)
- CMS Risk Management Framework (RMF)
- CMS Technical Reference Architecture (TRA)
- CMS Vulnerability Disclosure Program (VDP)
- Email Encryption Requirements at CMS
- ISSO Appointment Letter
- Key Management Plan Template
- Password Requirements
- Privacy Impact Assessment (PIA)
- Rapid Cloud Review (RCR)
- Role Based Training (RBT)
- Security and Privacy Requirements for IT Procurements
- System Audits
- Vetting and Credentialing (V&C)
Policies and Handbooks
- Access Control (AC)
- Audit and Accountability (AU)
- Awareness and Training (AT)
- CMS Acceptable Risk Safeguards (ARS)
- CMS Breach Response Plan
- CMS Cyber Risk Management Plan (CRMP)
- CMS Guide to Federal Laws, Regulations, and Policies
- CMS Information Systems Security & Privacy Policy (IS2P2)
- CMS Plan of Action and Milestones (POA&M) Handbook
- CMS Privacy Program Plan
- CMS Risk Management Framework (RMF): Assess Step
- CMS Risk Management Framework (RMF): Authorize Step
- CMS Risk Management Framework (RMF): Categorize Step
- CMS Risk Management Framework (RMF): Implement Step
- CMS Risk Management Framework (RMF): Monitor Step
- CMS Risk Management Framework (RMF): Prepare Step
- CMS Risk Management Framework (RMF): Select Step
- Configuration Management (CM)
- Guidance for Responsible Use of Artificial Intelligence (AI) at CMS
- Identification and Authentication (IA)
- Incident Response (IR)
- Information System Contingency Plan (ISCP)
- Information System Contingency Plan (ISCP) Exercise Handbook
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical & Environmental Protection (PE)
- Risk Assessment (RA)
- Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)
- Risk Management Handbook Chapter 15: System & Services Acquisition
- Risk Management Handbook Chapter 2: Awareness and Training (AT)
- RMH Chapter 16: System & Communications Protection
- RMH Chapter 4: Security Assessment & Authorization
- Security & Privacy Planning (PL)
- Supply Chain Risk Management (SR)
- System and Communication Protection (SC)
- System and Information Integrity (SI)
- System and Services Acquisition (SA)
Tools and Services
Latest articles and updates
- 3/11/2026 | Updates | From CRM
Advancing Security Operations and Data Visibility Across CMS: Key Takeaways from
CRC forum shares updates on CMS cybersecurity efforts, highlighting platform improvements, visibility gains, and user-driven enhancements across the enterprise.
- 3/11/2026 | Articles | From CRM
CRM Automation Strengthening Operational Excellence and CMS Security Posture
CRM PMO and RDI enhance Cyber Risk Management Operations by automating key workflows, improving data integrity, compliance, and operational efficiency.
- 2/13/2026 | Updates | From Policy
System and Communications Protection (SC) at CMS
The System and Communications Protection (SC) control family is a core component of the CMS cybersecurity program. It safeguards how information is transmitted,