U S Department of Health and Human Services www.hhs.gov

Certification & Accreditation

CMS Information Security Certification & Accreditation (C&A) Program - Federal law requires the Centers for Medicare & Medicaid Services (CMS) to implement a risk-based program for cost-effective information security (IS).  All business processes operate with some level of risk, and one of the most effective ways to protect these business processes is through the implementation of effective internal security controls, risk evaluation, and risk management.

To manage a risk-based IS program, Business Owners are responsible for executing the processes defined in the CMS IS C&A Program, such as:

• Information Security Risk Assessment
• System Security Plans (SSP)
• Information Security Contingency Plan
• Security Testing & Evaluation
• Identify vulnerabilities and risk resulting from system implementation
• Receive, in writing from the Chief Information Officer (CIO), the authorization to operate an information system prior to implementation and whenever significant changes in the system occur.

These responsibilities form the foundation for the CMS IS C&A Program, which is a critical component of the CMS Integrated IT Investment & System Life Cycle Framework (a.k.a. "System Lifecycle Framework").  See the link below.  The System Lifecycle Framework provides a foundation and supporting structure designed to aid in the successful planning, engineering, implementation, maintenance, management, and governance of CMS IT investments and system life cycle projects.  The Framework covers the entire life cycle of an IT investment, which is the period of time that begins when an IT investment is first conceived and ends when the investment no longer exists.

The C&A Program Procedures cover six (6) distinct phases to form a continuous security management practice for all CMS systems/applications.  Each phase of the C&A Program has individual objectives, tasks, and artifacts that are required.  The completion of each successive phase depends upon the output of the preceding phase.  To manage the C&A Program effectively and efficiently, individual tasks, responsibilities, and expectations are defined within each phase. The C&A phases are structured to integrate the C&A Program within the existing CMS "Framework."

Business Owners of systems that are already in production, or are currently accredited, may only need to address the final phase of the C&A Program, which defines activities performed during maintenance of the system and for periodic re-accreditation.

Downloads

CMS IS C&A Procedures (PDF - 453 Kb)

CMS System Security Levels (PDF - 67 Kb)

CMS IS RA and SSP Guidance (PDF - 256 Kb)

CMS IS RA Methodology (PDF - 3,665 Kb)

CMS SSP Methodology (PDF - 363 Kb)

CMS IS Testing Approach (PDF - 485 Kb)

CMS IS Contingency Plan Procedures (PDF - 330 Kb)

Related Links Inside CMS

System Lifecycle Framework

CMS IS Templates

Page Last Modified: 12/10/2008 2:24:45 PM