Spotlight

The CMS Information Security Program is constantly updating its policies, standards, and procedures to keep pace with emerging cyber threats and to ensure that the most up-to-date security information is there when you need it.

The Info Security Library will always be the most comprehensive resource for all of your information security needs, but to simplify your search, we’ve spotlighted a few key instructions, standards, and policies that form the foundation of the CMS Information Security Program. For a more comprehensive list of instructions, please visit our “Information Security Library”.

Some of the most common policies and documents you should be aware of are:

HHS OCIO Policy for Information Systems Security and Privacy 

Provides policy guidance to Information Security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA). This policy can be found here.

CMS Policy for Information Security (IS) 

High-level policy for the CMS IS Program that provides procedures and controls at all levels to protect the confidentiality and integrity of information within CMS Information Systems.

Policy for the Information Security Program (PISP) 

Establishes the ground rules under which CMS shall operate and safeguard its information and information systems to reduce the risk and minimize the effect of security incidents.

CISO Team 

If you experience any difficulties in finding the appropriate document or have a general security question, please feel free to send an email to the CISO Team at CISO@cms.hhs.gov.