21. What are the CMS Minimum Security Requirements (CMSR) and why are information security policies and procedures so important?

The Centers for Medicare & Medicaid Services (CMS) publication titled "CMS Information Security (IS) Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR)" is a broad set of required security standards based on NIST SP 800-53 Revision 3 "Recommended Security Controls for Federal Information Systems", (and subsequent versions of 800-53 thereof) along with other applicable Department of Health and Human Services (HHS) publications, and other supporting standards. In summary, the aforementioned document provides overall guidance to CMS itself and to contractors as to the minimum level of required security controls that are to be in place for ensuring the confidentiality, integrity, and availability (CIA) of CMS' information systems.

Please note, however, that a CMS system is to be developed that ultimately meets higher standards, where applicable. This means that other regulatory compliance requirements with stricter controls and more comprehensive measures take precedence. Again, these are minimum baseline controls that are to be in place for CMS systems, ones that incorporate the concept of CIA as previously discussed, along with utilizing a Defense-in-depth security framework.

Security Policies are Essential for CMSR and SSP Compliance

Yet another important component of the CMSR publication is the “CMS System Security Plan (SSP) procedures” document, which effectively states that the “The SSP documents the IS controls that protect the confidentiality, integrity and availability (CIA) of the system”. Simply stated, Owners must document and certify the incorporated controls of the CMS platform into their respective CMS System Security Plan (SSP), which ultimately means having documented policies and procedures in place, such as those for information security, and other supporting operational and business controls.

Where can organizations find comprehensive policy and procedure templates containing literally hundreds of industry leading policies, procedures, forms, checklists, templates, provisioning and hardening documents – and more – from FLANK, that’s where.

Download Security Documents today for the CMSR and SSP

One of the more notable requirements within the actual SSP publication is to “develop and maintain information security policies, procedures, and control techniques to address system security planning…”
-CMS SSP Publication, Version 1.1 – FINAL.

Again, one can clearly see the importance of having in place documented operational, business specific, and information security policies and procedures, such as those available from FLANK. Additionally, it’s also important to note that “risk management and “risk assessment” have become critical initiatives for many businesses today, with a large component of it being driven by regulatory compliance measures that focus heavily on the concept of understanding, interpreting, and identifying risk. With the Global Information Security Compliance Packet (GISCP) set of policies, procedures and other supporting documentation, organizations will receive risk management and risk assessment documentation, and much more.

View sample policy documents online, along with the detailed product data sheet that lists all documentation received when purchasing and downloading the FLANK21 today.

Note: Other notable documents worth viewing regarding CMS include the following:

  • CMS Information Security (IS) Acceptable Risk Safeguards (ARS) | CMS Minimum Security Requirements | Final | Version 1.5, July 31, 2012.
  • CMS System Security Plan (SSP) | Final | Version 1 | March 19, 2009.
  • CMS PUB 100-25 | Information Security Acceptable Risk Safeguards.