The CMS Information Security and Privacy Program is constantly updating its policies, standards, and procedures to keep pace with emerging cyber threats and to ensure that the most up-to-date security information is there when you need it.
The Information Security and Privacy Library will always be the most comprehensive resource for all of your information security needs, but to simplify your search, we’ve spotlighted a few key instructions, standards and policies that form the foundation of the CMS Information Security program. For a more comprehensive list of instructions, please visit our “Information Security Library”.
Some of the most common policies and documents you should be aware of are:
Provides policy guidance to the Information Security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA). To access the HHS IS2P, send an email to Fisma@hhs.gov, or visit the HHS FISMA Working Group on the OMB Max Portal.
This Policy supersedes the CMS Policy for Information Security and Privacy (PISP_P) and the Policy for the Information Security Program (PISP). It provides the framework under which CMS must protect and control access to CMS information and information systems. This high-level policy provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology systems or systems maintained on behalf of CMS.
If you experience any difficulties in finding the appropriate document or have a general security question, please feel free to send an email to the CISO Team at CISO@cms.hhs.gov.
Information Systems Security and Privacy Awareness (ISSPA) Training
The Information Systems Security and Privacy Awareness (ISSPA) training course is designed to give Centers for Medicare and Medicaid Services (CMS) employees, contractors, and others with access to CMS data, systems, and networks the knowledge to protect information systems and sensitive data from internal and external threats. The CMS ISSPA course is mandatory for all users of CMS information systems. Users must also retake the ISSPA course annually, in conjunction with the mandatory annual certification. In addition to the CMS ISSPA course, CMS users are required to complete role-based training as specified by their particular user role.