U S Department of Health and Human Services www.hhs.gov
Information Security

Policies

The CMS policies listed below document the controls that must be implemented in all CMS information systems. Any policy that cannot be followed (e.g., due to technical constraints, lack of resources, etc.) must be documented in the CMS Information Security (IS) Risk Assessment (RA) for the system, together with the mitigating controls associated with the vulnerability. Links are provided below for each item.

CMS Policy for Information Security (IS) - the high-level policy for the CMS IS Program, as required by the Federal Information Security Management Act (FISMA).

CMS Policy for the Information Security Program (PISP) - sets the ground rules under which CMS shall operate and safeguard its information and information systems to reduce the risk and minimize the effect of security incidents.  

CMS Business Partners System Security Manual (BPSSM) (Publication 100-17) - addresses the CMS IS program requirements for Medicare business partners (i.e. Medicare Carriers, FIs, CWF host sites, Standard System Maintainers, Regional Laboratory Carriers, Claims Processing Data Centers, EDCs and MACs).

Program Memorandums/Transmittals - day-to-day operating instructions, policies, and procedures based on statutes and regulations, guidelines, models, and directives. They are used by CMS program components, Medicare business partners, contractors, and State survey agencies to administer CMS programs.

  • CR 5500, Business Partner System Security Manual, April 6, 2007

Expired IS Program Memorandums (select the Program Memorandums/Transmittals link below)

  • CR 4342, Business Partner System Security Manual, March 17, 2006
  • CR 4111, Business Partner System Security Manual, December 9, 2005
  • CR 3605, Business Partner System Security Manual, December 23, 2004
  • CR 3106, Medicare Business Partners System Security, March 5, 2004
  • CR 2568, CMS Medicare Manual System, Pub 100-17 System Security, March 28, 2003
  • CR 2518, FY 2003 Systems Security Activities and Due Dates, January 24, 2003
  • CR 2189, Core Security Requirements (CSR) and Associated Responsibilities, June 11, 2002
  • CR 2071, Amplification of Annual Compliance Audit Requirements, March 26, 2002
  • CR 2010, Supplemental Systems Security Information for FY02, February 8, 2002
  • CR 1844, Supplemental Instructions on CMS Business Partners Systems Security Requirements, September 25, 2001
  • CR 1705, Clarification of HCFA Core Security Requirements, May 17, 2001
  • CR 1652, Certification Package for Internal Controls for FY Ending September 30, 2001, May 14, 2001
  • CR 1439, Information Technology (IT) Security Requirements, January 26, 2001
Downloads

CMS Policy for IS (PDF - 4 Mb)

CMS PISP (PDF - 596 Kb)

CMS BPSSM (PDF - 6.2 MB)

Related Links Inside CMS

Program Memorandums / Transmittals


Page Last Modified: 05/21/2008 3:50:36 PM