U.S. Department of Health and Human Services www.hhs.gov
Information Security

Laws & Regulations

See the descriptions and links below, listed by category in reverse chronological order, for the key Public Laws (P.L.) and federal regulations regarding, or that impact, the implementation of Federal agency information security programs.

P.L. 107-347, E-Government Act of 2002: includes the Federal Information Security Management Act of 2002 (FISMA), which provides a comprehensive framework for ensuring the effectiveness of information security controls over information resources that support Federal operations and assets. The link below is for the FISMA Implementation web page at the National Institute of Standards and Technology (NIST).

FISMA Analysis provides a 9-page matrix of FISMA, which was passed as Title X of the Homeland Security Act of 2002 and Title III of the E-Government Act of 2002.

P.L. 104-231, Electronic Freedom of Information Act of 1996 (E-FOIA), amends 5 USC 552, Freedom of Information Act (FOIA) of 1974: This act establishes procedures for the release of governmental records that ensure the principle of openness in government while guarding against specific harm to governmental and private interests.

The Department of Justice (DOJ) Freedom of Information Act (FOIA) site is a valuable resource on how to make a FOIA request, as well as on why agencies may withhold information under the nine exemptions and three exclusions contained in the statute.

P.L. 104-191, Health Insurance Portability and Accountability Act of 1996 (HIPAA): is designed to protect confidential healthcare information through improved security standards and federal privacy legislation.  

HIPAA Administration Simplification (includes HIPAA Security Rule).  

P.L. 104-106, Clinger-Cohen Act (formerly the Information Technology Management Reform Act of 1996): provides that federal government information technology operations be run exactly as an efficient and profitable business would be run.

P.L. 97-255, Federal Managers' Financial Integrity Act of 1982 (FMFIA): requires ongoing evaluations and reports on the adequacy of the systems of internal accounting and administrative control.

Homeland Security Presidential Directive HSPD-12 (August 27, 2004), Subject: Policy for a Common Identification Standard for Federal Employees and Contractors: This directive establishes a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.

Homeland Security Presidential Directive HSPD-7 (December 17, 2003), Subject: Critical Infrastructure Identification, Prioritization, and Protection: This directive establishes a national policy to identify, prioritize, and protect United States critical infrastructure and key resources.

OMB Circular A-123, Management Accountability and Control (June 21, 1995): Implements FMFIA by providing guidance to Federal managers on improving the accountability and effectiveness of Federal programs and operations.

OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources: Establishes minimum controls for Federal automated information security programs.  

FISMA Analysis (PDF - 154 Kb)

Related Links Inside CMS

HIPAA Administration Simplification

Related Links Outside CMS

Department of Justice (DOJ) FOIA Site
Clinger-Cohen Act
OMB Circular A-123
OMB Circular A-130 Appendix III

Page Last Modified: 05/21/2008 4:07:00 PM