U S Department of Health and Human Services www.hhs.gov

Procedures

Links are provided below for the following CMS information security procedure documents.

CMS Information Security Application Contingency Plan Procedure is promulgated under the legislative requirements set forth in FISMA and the guidelines established by NIST SP 800-34.  The completion of a Contingency Plan (CP) applies to all CMS applications except where an application is included as part of a General Support System (GSS) CP and/or GSS Disaster Recovery Plan (DRP). The Business Owner of every application within the CMS enterprise is required to ensure that a CP is implemented and maintained to reduce risks to reasonable and appropriate levels and to comply with business continuity priorities, applicable laws, regulations, and policies.

CMS Information Security Contingency Plan (CP) Tabletop Procedure is a cost-effective tool to validate the content of the CP.  The goal of the tabletop test is to ensure the plan content is viable and can be implemented in an emergency situation.

CMS Information Security Assessment Procedure is the CMS-established standard process for all IS assessments. The Assessment Procedure provides a common structure for planning and conducting the four (4) assessment phases with consistency throughout the CMS enterprise.

CMS Information Security Certification & Accreditation (C&A) Procedure provides the procedures that ensure consistency in the evaluation of security controls, facilitate security accreditation decisions, and identify and define principal IS C&A roles and responsibilities.  The CMS IS C&A procedures are independent of the life-cycle status of the system.

CMS Information Security (IS) Risk Assessment (RA) Procedure is the tool used by Business Owners for the Risk Management (RM) process to continuously identify and mitigate business and system risks throughout the life cycle of the system.  This ensures that adequate resources, policies, procedures, processes and practices are in place for the system.

CMS System Security Plan (SSP) Procedure provides the Business Owners with the tools to determine, implement and document the current level of information security controls of the system.  System security planning is an essential function that is an iterative process within the life cycle of the system and is used, along with additional artifacts, to determine whether the system will be granted an authority to operate, i.e., accreditation.

CMS Information Security Incident Handling Procedure provides the systematic approach for handling suspected or actual information or information system incidents and the steps for resuming business operations while still preserving the incident's forensic information for further analysis and potential law enforcement/legal action.

Downloads


CMS IS Application CP Procedure (PDF - 330 kb)

CMS IS Assessment Procedure (PDF - 535 kb)

CMS IS C&A Procedure (PDF - 453 Kb)

CMS IS RA Procedure (PDF - 535 Kb)

CMS SSP Procedure (PDF - 444 Kb)

CMS IS Incident Handling Procedure (PDF - 374 Kb)

Page Last Modified: 04/17/2009 2:39:33 PM