CMSR Consulting & Compliance Services
The Centers for Medicare & Medicaid Services (CMS) publication titled "CMS Information Security (IS) Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR)" is a broad set of required security standards based on NIST SP 800-53, together with other applicable Department of Health and Human Services (HHS) publications and supporting standards. In summary, the document gives CMS itself and its contractors guidance on the minimum set of security controls that must be in place to ensure the confidentiality, integrity, and availability (CIA) of CMS information systems.
Note, however, that a CMS system must be built to meet higher standards where they apply: other regulatory compliance requirements with stricter controls and more comprehensive measures take precedence over the ARS. The CMSR controls are a minimum baseline for CMS systems, one that incorporates the CIA principles described above together with a defense-in-depth security framework.
Security Policies are Essential for CMSR and SSP Compliance
Another important component of the CMSR publication is the “CMS System Security Plan (SSP) Procedures” document, which states that “The SSP documents the IS controls that protect the confidentiality, integrity and availability (CIA) of the system”. Simply stated, system owners must document and certify the controls incorporated into the CMS platform in their respective CMS System Security Plan (SSP), which in practice means having documented policies and procedures in place, such as those for information security, along with the supporting operational and business controls.
CMSR Consulting & Compliance Services and Policy and Procedure Writing
Trust FLANK for all your CMSR consulting needs: we can help implement all required controls and develop the much-needed operational and information security policies and procedures. There are strict requirements for compliance with many of today's health laws, legislation, and industry directives, especially the Centers for Medicare & Medicaid Services (CMS) publication titled "CMS Information Security (IS) Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR)".