U S Department of Health and Human Services www.hhs.gov
CMS Information Security Standards


These standards document the actions that must be followed by all CMS information system Business Owners.  Any standard that cannot be followed because of technical constraints, lack of resources, or similar reasons must be documented in the CMS IS RA for the system, together with the mitigating controls associated with the resulting vulnerability.  Links are provided below for each item.

CMS Information Security Acceptable Risk Safeguards (ARS) contains a broad set of CMS security controls based upon NIST requirements.  The ARS is periodically revised as a result of the mandate for an annual review of NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems.

CMS Information Security Business Risk Assessment (RA) Methodology provides decision-makers with the information required to understand the impact of interruptions on business functions and outcomes.  The IS Business RA Methodology is currently under revision and being combined with the IS RA Methodology, which is being renamed the IS RA Procedure document. This is due to recently issued directives from the OMB and NIST.   

CMS Information Security (IS) Certification & Accreditation (C&A) Methodology was superseded by the CMS Information Security Certification & Accreditation Program Procedures, version 2.0, dated October 10, 2007 which is located on the "Procedures" page.    

CMS Information Security (IS) Risk Assessment (RA) Methodology - presents a systematic approach for the RA process, and the steps required to produce an Information Security RA Report for systems that are part of a General Support System (GSS) or Major Application (MA).  The IS RA Methodology is currently under revision and being combined with the IS Business RA Methodology.  The new document will be the IS RA Procedure. This is due to recently issued directives from the OMB and NIST.   

CMS Reporting Standard for Information Security (IS) Testing must be used when documenting the results of IS testing.  The Reporting Standard for IS Testing is currently under revision due to recently issued directives from the OMB and NIST.    

CMS System Security Levels - establishes common criteria for security levels by information category.

CMS System Security Plan (SSP) Methodology - presents the systematic approach for the SSP process, and the steps required to produce an SSP for systems that are part of a GSS or MA.  The SSP Methodology is currently under revision, and will be renamed the SSP Procedure, due to recently issued directives from the OMB and NIST.    


CMS IS ARS (PDF - 133 Kb)

CMS IS Business RA Methodology (PDF - 215 Kb)

CMS IS Business RA Template (ZIP - 604 Kb)

CMS IS C&A Template (ZIP - 880 Kb)

CMS IS RA Methodology (PDF - 200 Kb)

CMS IS RA Template (ZIP - 59 Kb)

CMS Reporting Standard for IS Testing (PDF - 59 Kb)

CMS Reporting Standard for IS Testing Template (ZIP - 140 Kb)

CMS System Security Levels (PDF - 70 Kb)

CMS SSP Methodology (PDF - 363 Kb)

CMS SSP Template (ZIP - 215 Kb)


Page Last Modified: 11/19/2008 8:04:43 PM
