

The CMS Information Security and Privacy Program is constantly updating its policies, standards, and procedures to keep pace with emerging cyber threats and to ensure that the most up-to-date security information is there when you need it.

The Information Security and Privacy Library will always be the most comprehensive resource for all of your information security needs, but to simplify your search, we’ve spotlighted a few key instructions, standards and policies that form the foundation of the CMS Information Security program.  For a more comprehensive list of instructions, please visit our “Information Security Library”.

Some of the most common policies and documents you should be aware of are:

HHS Information Systems Security and Privacy Policy (IS2P)

Provides policy guidance to Information Security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA). In order to access the HHS IS2P, send an email to, or visit the HHS FISMA Working Group on the OMB Max Portal.

CMS Information Systems Security and Privacy Policy (IS2P2)

This Policy supersedes the CMS Policy for Information Security and Privacy (PISP_P) and the Policy for the Information Security Program (PISP). It provides the framework under which CMS must protect and control access to CMS information and information systems. This high-level policy provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology systems or systems maintained on behalf of CMS.


If you experience any difficulties in finding the appropriate document or have a general security question, please feel free to send an email to the CISO Team at