U.S. Department of Health and Human Services www.hhs.gov

Certification & Accreditation

CMS Information Security Certification & Accreditation (C&A) Program - Federal law requires the Centers for Medicare & Medicaid Services (CMS) to implement a risk-based program for cost-effective information security (IS).  All business processes operate with some level of risk; one of the most effective ways to protect them is through effective internal security controls, risk evaluation, and risk management.

To manage a risk-based IS program, Business Owners are responsible for executing the processes defined in the CMS IS C&A Program, such as:

• Information Security Risk Assessment
• System Security Plans (SSP)
• Information Security Contingency Plan (CP)
• Security Testing & Evaluation
• Identification of vulnerabilities and risk resulting from system implementation
• Receipt, in writing from the Chief Information Officer (CIO), of the authority to operate (ATO) an information system before initial implementation, and again whenever a significant system change occurs, the security profile of the system changes, the system has a major security incident, or the existing ATO expires (at a minimum every 3 years).

These responsibilities form the foundation for the CMS IS C&A Program, which is a critical component of the CMS Integrated IT Investment & System Life Cycle Framework (a.k.a. "System Lifecycle Framework").  See the link below.  The System Lifecycle Framework provides a foundation and supporting structure designed to aid in the successful planning, engineering, implementation, maintenance, management, and governance of CMS IT investments and system life cycle projects.  The Framework covers the entire life cycle of an IT investment, which is the period of time that begins when an IT investment is first conceived and ends when the investment no longer exists.

The C&A Program Procedures cover six (6) distinct phases to form a continuous security management practice for all CMS systems/applications.  Each phase of the C&A Program has individual objectives, tasks, and artifacts that are required.  The completion of each successive phase depends upon the output of the preceding phase.  To manage the C&A Program effectively and efficiently, individual tasks, responsibilities, and expectations are defined within each phase. The C&A phases are structured to integrate the C&A Program within the existing CMS "Framework."

Business Owners of systems that are already in production, or are currently accredited, may only need to address the final phase of the C&A Program, which defines activities performed during maintenance of the system and for periodic re-accreditation.

Select the "Templates" link to the left or below in the "Related Links Inside CMS" section to locate all the template documents that are used during the CMS IS C&A process.

Downloads

All Downloads are available in the "Info Security Library" link on the left hand menu

Related Links Inside CMS

System Lifecycle Framework

Info Security Library

Related Links Outside CMS

There are no Related Links Outside CMS

Page Last Modified: 04/21/2009 4:34:28 PM