
Information Security Library

The Information Security Library is intended to serve as a one-stop resource for all of your information security needs.  The library contains a comprehensive listing of policy guidance, standards, regulations, laws, and other documentation related to the CMS Information Security Program.  Use the convenient search tool below to quickly locate relevant policies, procedures and guidelines.

If you experience any difficulties in finding the appropriate document or have a general security question, please feel free to send an email to the CISO Team at CISO@cms.hhs.gov.


| Title | Version | Date |
|---|---|---|
| ROB for Connection to CMS | 7.1 | 09/21/2012 |
| Business Partner System Security Manual (BPSSM) | As Amended | Current |
| Minimum Security Configuration Standards for OS | N/A | 05/03/2012 |
| SSP Procedure | 1.1 | 08/31/2010 |
| SSP Workbook App G Level 4 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App F Level 3 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App E Level 2 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App D Level 1 e-Authentication | 1.5 | 07/31/2012 |
| Security Certification Form Template | 3.0 | 2014-04-08 |
| ARS Appendix A CMSR High Impact Level Data | 2.0 | 2013-09-20 |
| Master Security Plan | 6.0 | 06/25/2010 |
| Policy for the Information Security Program | 4.0 | 08/31/2010 |
| ARS | 2.0 | 2013-09-20 |
| ARS Appendix B CMSR Moderate Impact Level Data | 2.0 | 2013-09-20 |
| ARS Appendix D CMSR e-Authentication Standard | 2.0 | 2013-09-20 |
| ARS Appendix C CMSR Low Impact Level Data | 2.0 | 2013-09-20 |
| SSP Workbook Main | 1.5 | 07/31/2012 |
| SSP Workbook App A High Impact Level Data (ZIP - 176 Kb) | 1.5 | 07/31/2012 |
| SSP Workbook App B Moderate Impact Level Data | 1.5 | 07/31/2012 |
| SSP Workbook App C Low Impact Level Data | 1.5 | 07/31/2012 |
| RMH Vol III Standard 3-2 Cloud Computing | 1.0 | 05/03/2011 |
| RMH Vol III Standard 3-1 Authentication | 1.3 | 2014-04-17 |
| RMH Vol II Procedure 1-1 Accessing CFACTS | 1.0 | 04/21/2011 |
| Incident Handling Template | .22 | 09/30/2011 |
| Assessments - Application Finding Report Template | 1.0 | 03/19/2009 |
| Assessment Plan Template | 2.0 | 03/19/2009 |
| Authorization To Operate Package Guide | 3.0 | 12/01/2011 |
| System Retirement Memo Template | N/A | 07/26/2012 |
| Tool: CFACTS Intake Form | 1.0 | 2012-11-02 |
| Policy for Desktop-Laptop Resources | 04-02 | 12/08/2008 |
| CP Procedure | 1.0 | 11/14/2008 |
| Risk Assessment Procedure | 1.0 | 03/19/2009 |
| SSP Template | 3.1 | 05/07/2009 |
| ISSO Appointment Template | N/A | 09/04/2012 |
| Risk Assessment Template | 3.1 | 05/07/2009 |
| Assessments - Infrastructure Finding Report Template | 1.0 | 03/19/2009 |
| CP Template | 1.0 | 11/14/2008 |
| Assessment Reporting Procedure | 5.0 | 03/19/2009 |
| Assessment Procedure | 2.0 | 03/19/2009 |
| Memorandum of Understanding (MOU) Template | 1.1 | 2013-05-23 |
| Interconnection Security Agreement (ISA) Template | 1.1 | 2013-05-22 |
| CP Test Template for Tabletop Tests | 1.1 | 07/25/2007 |
| Application for Access to CMS Computer Systems | 09/2005 | 09/01/2005 |
| System Security Levels by Information Type | 4.0 | 03/30/2011 |
| Policy for Information Security and Privacy | 02 | 04/11/2013 |
| RMH Vol II Procedure 2-6 Information System Description | 1.0 | 2012-09-14 |
| RMH Vol II Procedure 6-3 Security Information Review | 1.0 | 2012-09-04 |
| RMH Vol II Procedure 4-2 Documenting Security Controls in CFACTS | 1.0 | 02/13/2012 |
| RMH Vol II Procedure 5-6 Documenting Security Control Effectiveness in CFACTS | 1.1 | 2013-09-18 |
| RMH Vol II Procedure 6-2 POA&M Management | 1.01 | 07/17/2012 |
| RMH Vol II Procedure 7-3 CMS Annual Attestation Procedure | 1.3 | 2014-02-03 |
| CMS Information Security Risk Acceptance Template | 1.2 | 2012-07-03 |
| RMH Vol I Chapter 10 CMS Risk Management Terms, Definitions, and Acronyms | 1 | 2012-07-13 |
| Tool: System Categorization Worksheet | N/A | 2013-05-03 |
| RMH Vol II Procedure 2-3 Categorizing an Information System | 1.2 | 2013-04-23 |
| RMH Vol II Procedure 7-8 Key Updates Procedure | 1.0 | 08/17/2012 |
| RMH Vol I Chapter 01 Risk Management in the XLC | 1.0 | 2012-11-08 |
| RMH Vol III Standard 7-1 Incident Handling | 1.0 | 2012-12-06 |
| RMH Vol II Procedure 7-2 Incident Handling Procedure | 1.0 | 2012-12-06 |
| Tool: Breach Harm Assessment | 1.0 | 2013-01-07 |
| CMS Information Security Contract Clause / Provision | 1.0 | 2013-04-09 |
| Risk Management Framework Overview | 1.0 | 2013-09-23 |
| RMH Vol III Standard 4-3 Non-Standard Account Authenticator Management | 1.0 | 2013-10-30 |
| ARS Current Version UNOFFICIAL Redlines | 2.0 | 2013-09-20 |
| RMH Vol III Standard 4-4 Contingency Planning | 1.0 | 2014-02-28 |
| EISG Awareness and Training Calendar | 1.1 | 2014-06-18 |
| RMH Vol II Procedure 3-3 Common Control Identification | 1.0 | 2014-06-25 |
| RMH Vol III Standard 7-2 Security Impact Analysis | 1.0 | 2014-06-25 |
| CISO Memorandum 14-02 – CMS Cloud Computing and Federal Risk and Authorization Management Program Guidance | N/A | 2014-07-10 |
| Information Systems Security and Privacy Awareness Training | 2014 | 2014-11-06 |
| RMH Vol II Procedure 4-4 Contingency Plan Development | 1.0 | 2014-11-06 |
| RMH Vol II Procedure 4-5 Contingency Plan Exercise | 1.0 | 2014-11-06 |