CMS Acceptable Risk Safeguards (ARS 3.0)
The Centers for Medicare & Medicaid Services (CMS) announces the release of the CMS Acceptable Risk Safeguards 3.0 (ARS) and provides information about the changes, timelines, and other activities related to implementing its privacy and security controls. This is the first fully integrated release of privacy and security controls in a single document. The Office of Information Technology (OIT) published the CMS ARS 3.0 on January 31, 2017. The ARS 3.0 Webinar and FAQs are currently located on the CMS Information Security and Privacy Library and address anticipated questions. More information about the CMS ARS 3.0 or its impact on your information systems can be obtained by contacting your Cyber Risk Advisor, Portfolio Privacy SME or the CISO Mailbox.
CMS conducts computer matching programs with other federal agencies and with state agencies. A complete list of matching programs currently in effect is provided below, with links to the matching agreement and public notice describing each program. General Information about Computer Matching Agreements is located on the left navigation bar.
New OMB Memorandum (M-17-12): Preparing for and Responding to a Breach of Personally Identifiable Information
This OMB Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII). It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. The memo will promote consistency in the way agencies prepare for and respond to a breach by requiring common standards and processes in addition to allowing agencies the flexibility to tailor their response to a breach based upon the specific facts and circumstances of each breach and the analysis of the risk of harm to potentially affected individuals. This Memorandum rescinds and replaces the following previously issued OMB memoranda: OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007); Recommendations for Identity Theft Related Data Breach Notification (Sept. 20, 2006); OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments (July 12, 2006); and OMB M-06-15, Safeguarding Personally Identifiable Information (May 22, 2006). For authoritative CMS requirements and implementation guidance, refer to the ARS 3.0 in the CMS Information and Security Library.
The Office of Management and Budget Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications, requires that agencies assess their uses of third-party Websites and applications to ensure that the uses protect privacy. The mechanism by which agencies perform this assessment is a privacy impact assessment (PIA). In accordance with HHS policy, operating divisions (OPDIVs) are responsible for completing and maintaining PIAs on all third-party Websites and applications in use. Upon completion of each assessment, agencies are required to make the PIAs publicly available. CMS implementation specifications are included in the ARS 3.0.
To view the CMS Third-Party Websites and Applications (TPWA) Privacy Impact Assessments for each individual OPDIV system, please refer to the link above.
Known or suspected privacy/security incidents involving CMS data must be reported immediately to the CMS IT Service Desk by calling 410-786-2580 or 1-800-562-1963, or via e-mail to CMS_IT_Service_Desk@cms.hhs.gov. Even if you are not certain and only suspect that an event might be a security incident, you must still submit a report and allow the experts to determine whether or not it is one. For additional information, refer to the ARS 3.0.
The CMS Privacy Officer may be reached via e-mail at Privacy@cms.hhs.gov or by calling 410-786-5357. See the download section below for a table of Cyber Risk Advisors and Privacy Portfolio Subject Matter Experts.