Information Security

Information Security Library

The Information Security Library is intended to serve as a one-stop resource for all of your information security needs. The library contains a comprehensive listing of policy guidance, standards, regulations, laws, and other documentation related to the CMS Information Security Program. Use the convenient search tool below to quickly locate relevant policies, procedures and guidelines.

If you experience any difficulties in finding the appropriate document or have a general security question, please feel free to send an email to the CISO Team at CISO@cms.hhs.gov.

| Title | Version | Date |
|---|---|---|
| ROB for Connection to CMS | 7.0 | 08/19/2011 |
| Business Partner System Security Manual (BPSSM) | 10.0 | 07/17/2009 |
| Minimum Security Configuration Standards for OS | N/A | 05/02/2012 |
| Incident Handling Procedure | 2.3 | 12/03/2010 |
| SSP Procedure | 1.1 | 08/31/2010 |
| Test Scripts Main | 1.0 | 08/31/2010 |
| Test Scripts App C Low Level Data Assessments | 1.0 | 08/31/2010 |
| Test Scripts App B Moderate Level Data Assessments | 1.0 | 08/31/2010 |
| Test Scripts App A High Impact Level Assessments | 1.0 | 08/31/2010 |
| SSP Workbook App G Level 4 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App F Level 3 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App E Level 2 e-Authentication | 1.5 | 07/31/2012 |
| SSP Workbook App D Level 1 e-Authentication | 1.5 | 07/31/2012 |
| Security Certification Form Template | 2.0 | 09/09/2010 |
| ARS Appendix A CMSR High Impact Level Data | 1.5 | 07/31/2012 |
| Master Security Plan | 6.0 | 06/25/2010 |
| Policy for the Information Security Program | 02-04 | 08/31/2010 |
| ARS | 1.5 | 2012-07-31 |
| ARS Appendix B CMSR Moderate Impact Level Data | 1.5 | 07/31/2012 |
| ARS Appendix D CMSR e-Authentication Standard | 1.5 | 07/31/2012 |
| ARS Appendix C CMSR Low Impact Level Data | 1.5 | 07/31/2012 |
| SSP Workbook Main | 1.5 | 07/31/2012 |
| SSP Workbook App A High Impact Level Data (ZIP - 176 Kb) | 1.5 | 07/31/2012 |
| SSP Workbook App B Moderate Impact Level Data | 1.5 | 07/31/2012 |
| SSP Workbook App C Low Impact Level Data | 1.5 | 07/31/2012 |
| RMH Vol III Standard 3-2 Cloud Computing (EISG) | 1.0 | 05/03/2011 |
| CAA List | N/A | 06/15/2009 |
| Security CBT | N/A | N/A |
| RMH Vol III Standard 3-1 Authentication | 1.2 | 07/31/2012 |
| RMH Vol II Procedure 1-1 Accessing CFACTS | 1.0 | 04/21/2011 |
| Incident Handling Template | .22 | 09/30/2011 |
| Assessments - Application Finding Report Template | 1.0 | 03/19/2009 |
| Assessment Plan Template | 2.0 | 03/19/2009 |
| Authorization To Operate Package Guide | 3.0 | 12/01/2011 |
| System Retirement Memo Template | N/A | 07/26/2012 |
| Policy for Desktop-Laptop Resources | 04-02 | 12/08/2008 |
| CP Procedure | 1.0 | 11/14/2008 |
| Risk Assessment Procedure | 1.0 | 03/19/2009 |
| SSP Template | 3.1 | 05/07/2009 |
| ISSO Appointment Template | N/A | 03/30/2009 |
| Risk Assessment Template | 3.1 | 05/07/2009 |
| Assessments - Infrastructure Finding Report Template | 1.0 | 03/19/2009 |
| CP Template | 1.0 | 11/14/2008 |
| Assessment Reporting Procedure | 5.0 | 03/19/2009 |
| Assessment Procedure | 2.0 | 03/19/2009 |
| Audit Guide | 2.0 | 03/08/2009 |
| Memorandum of Understanding (MOU) Template | 1.0 | 04/28/2009 |
| Interconnection Security Agreement (ISA) Template | 1.0 | 04/28/2008 |
| CP Test Template for Tabletop Tests | 1.1 | 07/25/2007 |
| Application for Access to CMS Computer Systems | 09/2005 | 09/01/2005 |
| C & A Procedure | 2.1 | 08/25/2009 |
| System Security Levels by Information Type | 4.0 | 03/30/2011 |
| Policy for Information Security | 01 | 04/12/2006 |
| RMH Vol II Procedure 4-2 Documenting Security Controls in CFACTS | 1.0 | 05/03/2012 |
| RMH Vol II Procedure 5-6 Documenting Security Control Effectiveness in CFACTS | 1.0 | 02/13/2012 |
| RMH Vol II Procedure 6-2 POA&M Management | 1.01 | 07/17/2012 |
| RMH Vol II Procedure 7-3 CMS Annual Attestation Procedure | 1.0 | 02/13/2012 |
| CMS Information Security Risk Acceptance Template | 1.2 | 2012-07-03 |
| RMH Vol I Chapter 10 CMS Risk Management Terms, Definitions, and Acronyms | 1 | 2012-07-13 |
| Tool: System Categorization Worksheet | N/A | 2012-07-18 |
| RMH Vol II Procedure 2-3 Categorizing an Information System | 1.0 | 07/17/2012 |
| RMH Vol II Procedure 7-8 Key Updates Procedure | 1.0 | 08/17/2012 |
| ARS 1-5 UNOFFICIAL Redlines | 1.0 | 08/15/2012 |