CMS Privacy Policy and Governance website

The CMS Division of Security, Privacy Policy and Governance (DSPPG) in the Information Security and Privacy Group (ISPG) leads the development of CMS specific privacy policy and guidance. On this site, you will find links to all CMS privacy policies, standards, procedures, and guidelines as well as privacy training and complete instructions for reporting a known or suspected security/privacy incident. 


CMS Acceptable Risk Safeguards (ARS 3.0)

The Centers for Medicare & Medicaid Services (CMS) announces the release of the CMS Acceptable Risk Safeguards 3.0 (ARS) and provides information regarding the changes, timelines, and other activities related to the implementation of Privacy and Security.  This is the first fully integrated release of privacy and security controls in a single document.  The Office of Information Technology (OIT) published the CMS ARS 3.0 on January 31, 2017.  The ARS 3.0 Webinar and FAQs are currently located on the CMS Information Security and Privacy Library and addresses anticipated questions. More information about the CMS ARS 3.0 or its impact on your information systems, can be obtained by contacting contact your Cyber Risk Advisor, Portfolio Privacy SME or the CISO Mailbox.

See The Full Text Versions Of CMS Computer Matching Agreements - Opens in a new window  

CMS conducts computer matching programs with other federal agencies and with state agencies.  A complete list of matching programs currently in effect is provided below, with links to the matching agreement and public notice describing each program. General Information about Computer Matching Agreements is located on the left navigation bar.

New OMB Memorandum (M-17-12) - Opens in a new window  Preparing for and Responding to a Breach of Personally Identifiable Information

This OMB Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII). It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. The memo will promote consistency in the way agencies prepare for and respond to a breach by requiring common standards and processes in addition to allowing agencies the flexibility to tailor their response to a breach based upon the specific facts and circumstances of each breach and the analysis of the risk of harm to potentially affected individuals.  This Memorandum rescinds and replaces the following previously issued OMB memoranda: OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007); Recommendations for Identity Theft Related Data Breach Notification (Sept. 20, 2006); OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006); and OMB M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006).  For authoritative CMS requirements and implementation guidance, refer to the ARS 3.0 in the CMS Information and Security Library.

CMS Privacy Impact Assessments (PIA) - Opens in a new window  

The CMS Division of Security, Privacy Policy and Governance (DSPPG) and Division of Security & Privacy Compliance (DSPC) provides the technical and management support necessary for the agency to achieve compliance with Title II and III of the E-Government Act of 2002 and the Federal Information Security Management Act (FISMA).  A key component of this legislation is the completion, publication, and submission of information technology (IT) system Privacy Impact Assessments (PIAs).  Conducting a PIA facilitates the identification of systems that contain personally identifiable information (PII) and satisfies system compliance with all relevant privacy laws, regulations, and guidance.  The PIA process also ensures that privacy protections are incorporated into every stage of an IT system's life cycle, and measures the effectiveness of these protections.  All systems are required to have a current PIA, which includes at minimum and whenever system changes require an annual review of the assessment by CMS System Business Owners and Information System Security Officers (ISSO) and approval that it meets privacy compliance by the CMS Privacy Office.  See the download for a table of CMS Privacy and Security Portfolio Teams.

CMS Third-Party Websites and Applications - Opens in a new window

The Office of Management and Budget Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party Websites and applications to ensure that the uses protect privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA). In accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs on all third-party Websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. CMS implementation specifications are included in the ARS 3.0.

To view the CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system, please refer to the link above.

Privacy/Security Incidents

Known or suspected privacy/security incidents involving CMS data must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963 or via e-mail to  Even if you are not positive, but only suspect that it might be a security incident, you must still submit a report and allow the experts to determine whether or not it is a security incident.  For additional information, refer to the ARS 3.0.

Contact Us

The CMS Privacy Officer may be reached via e-mail at or by calling 410-786-5357. See the download section below for a table of Cyber Risk Advisors and Privacy Portfolio Subject Matter Experts.

Page Last Modified:
05/12/2017 06:30 AM