
CMS Acceptable Risk Safeguards (ARS)



Transcription of CMS Acceptable Risk Safeguards (ARS)

Centers for Medicare & Medicaid Services
Office of Information Technology (OIT)
Information Security and Privacy Group
7500 Security Boulevard, Baltimore, Maryland 21244-1850

Standard: CMS Information Security and Privacy Acceptable Risk Safeguards (ARS)
CMS Acceptable Risk Safeguards (ARS)
Final Version
Document Number:
November 21, 2017

Effective Date/Approval
This Standard becomes effective on the date that CMS's Chief Information Officer (CIO) signs it and remains in effect until it is rescinded, modified, or superseded.
Date of Issuance: 11/21/2017
Signature: /S/ George Hoffmann, Acting Chief Information Officer and Acting Director, Office of Information Technology (OIT)

Standard Owner's Review Certification
This document must be reviewed in accordance with the established review schedule located on the CMS website.
Date of Annual Review: 11/17/2017
Signature: /S/ Emery Csulak, CMS Chief Information Security Officer and Senior Official for Privacy

Summary of Changes
Version Number | Editor Name | Date | Table Column Heading | Description of Change
 | CMS | 01/24/2017 | Entire document | Major Revision
 | CMS | 10/12/2017 | Entire document | Reset control baselines to track to NIST SP 800-53r4 and HHS IS2P selections; Added Non-Mandatory designation for controls beyond NIST SP 800-53r4 and HHS IS2P; Revised to improve readability and clarity, standardize formatting; Included discussion and examples on control customization; Realigned CMS CIO and System CIO roles; Clarified information available to CCIC in agreed-upon format and timeframe; Corrected typographical errors; Minor updates to references (changes to OMB memorandums)

Table of Contents
1. Introduction
   Authority
   CMS Information Security and Privacy Program
   Version Consolidation
2.
3.
   External Requirements on CMS
4. ARS Structure
   ARS Family Control Requirements
   Security and Privacy Controls
   Control Implementation Standards
   Supplemental Guidance
   Related Control
   Priority
   Assessment Methods
   CMS Required Controls and Control Enhancements
   ARS Appendix
   Authentication and E-
5. How to Use the CMS ARS with Customization/Tailoring
   Mandatory and Non-Mandatory Controls and Control Enhancements
   How to Customize/Tailor Implementations for Controls and Control Enhancements
   Recognizing Keywords that Facilitate
Appendix A. References and Resources
Appendix B. ARS Controls
Appendix C. Acronyms
Appendix D.
Appendix E. Omitted and Not-Selected Controls and Control Enhancements
Appendix F. Control and Control Enhancement Implementation

List of Tables
Table 1: ARS Security Control Family Descriptions
Table 2: Controls and Control Enhancements Beyond NIST SP 800-53r4
Table 3: Keyword and Phrases to Identify Tailorable Controls and Control Enhancements
Table 4: Example ARS Control/Control Enhancement Implementation Customization
Table 5: Example Identifying Controls and Control Enhancements as Not Applicable to a System

1. Introduction

The Centers for Medicare & Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides guidance to CMS and its contractors as to the minimum acceptable level of required security controls (the minimum security and privacy control baselines [1], collectively known as the CMS Minimum Security Requirement [CMSR] baselines) that must be implemented by CMS and CMS contractors to protect CMS information and information systems, including CMS sensitive information [2]. The CMSR is based on:
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4 (NIST SP 800-53r4), Security and Privacy Controls for Federal Information Systems and Organizations, dated April 2013
- Federal Risk and Authorization Management Program (FedRAMP)
- Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P)
- CMS Information Systems Security and Privacy Policy (CMS IS2P2), CMS-CIO-POL-SEC-2016-0001
- CMS policies, procedures, and guidance
- Other federal and non-federal guidance resources
- Industry leading information security and privacy practices adopted by CMS

This document also provides non-mandatory controls and control enhancements that CMS encourages Business Owners to consider. Many of the mandatory and non-mandatory controls are customizable (tailorable) by the Business Owner [3]. Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk. It should be noted that the minimal baseline for cloud deployments is defined within the FedRAMP Reference [4]. Additionally, previous versions of the ARS consisted of multiple appendices. ARS , and later versions, are organized within a single document.

Authority

The Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and NIST as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including the Federal Information Security Modernization Act of 2014 (FISMA). Other legislation and regulations affecting CMS include the Privacy Act of 1974 (Privacy Act) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The ARS addresses CMS-applicable information security and privacy control requirements arising from federal legislation, mandates, directives, executive orders, and HHS policy by integrating NIST SP 800-53r4 with the HHS IS2P and specific programmatic legislation and CMS regulations. Appendix A provides references to these authoritative sources.

Per HHS IS2P Appendix A Section , the CMS Chief Information Officer (CIO) designates the Chief Information Security Officer (CISO) as the CMS authority for implementing the CMS-wide information security program. HHS IS2P Appendix A Section 15 designates the Senior Official for Privacy (SOP) as the CMS authority for implementing the CMS-wide privacy program. Through the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.

All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls. The CMS CISO or SOP must review any waivers or deviations from the CMSR baselines and make appropriate recommendations to the CIO for risk acceptance.

CMS Information Security and Privacy Program

CMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS CISO/SOP. ISPG is responsible for ensuring the information security and privacy program:
- Defines CMSR baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies.
- Provides:
  o Cyber Risk Advisor (CRA) and privacy services to Business Owners and Information System Security Officers (ISSOs)
  o An Authority to Operate (ATO) process
  o A Plan of Actions and Milestones (POA&M) process
  o A common set of security and privacy controls (policy) that can be inherited across CMS (Office of the Chief Information Security Officer [OCISO] control catalog)
- Oversees an inheritable (common) control process that facilitates control inheritance from CMS data centers and under FedRAMP deployments.

Version Consolidation

Previous versions of the ARS consisted of multiple appendices. Each of these appendices provided the requirements for information systems categorized differently under the NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Separate appendices provided the requirements for systems categorized as High, Moderate, and Low. This concept allowed readers to select the applicable appendix based on system security categorization. However, maintaining three separate appendices required CMS, in effect, to maintain three versions of the ARS. ARS , and later versions, identify the controls required for systems categorized under each of the FIPS 199 security categories, and identify controls and control enhancements appropriate for systems that contain Personally Identifiable Information (PII), that contain Protected Health Information (PHI), or that are Cloud Service Providers (CSPs) [5].

Footnotes

[1] A control baseline is the minimum list of security controls required for safeguarding an IT system based on the organizationally identified needs for confidentiality, integrity, and/or availability. A different baseline exists for each security category defined by NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.

[2] This Policy uses the term "CMS Sensitive Information" as defined in the Risk Management Handbook Volume I Chapter 10, CMS Risk Management Terms, Definitions, and Acronyms, and subject to Executive Order 13556, Controlled Unclassified Information. This definition includes all data that require protection due to the risk and magnitude of loss or harm, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI).

[3] The ARS provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.

[4] Complete documentation on the FedRAMP baselines is available at