CMS Acceptable Risk Safeguards (ARS)

Transcription

Centers for Medicare & Medicaid Services
Office of Information Technology (OIT)
Information Security and Privacy Group
7500 Security Boulevard
Baltimore, Maryland 21244-1850

Standard: CMS Information Security and Privacy Acceptable Risk Safeguards (ARS)
CMS Acceptable Risk Safeguards (ARS)
Final
Version 3.1
Document Number: CMS CIO-STD-SEC01-3.1
November 21, 2017

Effective Date/Approval

This Standard becomes effective on the date that CMS’s Chief Information Officer (CIO) signs it and remains in effect until it is rescinded, modified, or superseded.

Signature: /S/ George Hoffmann, Acting Chief Information Officer and Acting Director, Office of Information Technology (OIT)
Date of Issuance: 11/21/2017

Standard Owner’s Review Certification

This document must be reviewed in accordance with the established review schedule located on the CMS website.

Signature: /S/ Emery Csulak, CMS Chief Information Security Officer and Senior Official for Privacy
Date of Annual Review: 11/17/2017

Final
Centers for Medicare & Medicaid Services

Summary of Changes

Version Number: 3.0
Editor Name: CMS
Date: 01/24/2017
Table Column Heading: Entire document
Description of Change: Major Revision

Version Number: 3.1
Editor Name: CMS
Date: 10/12/2017
Table Column Heading: Entire document
Description of Change:
- Reset control baselines to track to NIST SP 800-53r4 and HHS IS2P selections
- Added Non-Mandatory designation for controls beyond NIST SP 800-53r4 and HHS IS2P
- Revised to improve readability and clarify, standardize formatting
- Included discussion and examples on control customization
- Realigned CMS CIO and System CIO roles
- Clarified information available to CCIC in agreed-upon format and timeframe
- Corrected typographical errors
- Minor updates to references (e.g., changes to OMB memorandums)

CMS Acceptable Risk Safeguards (ARS) | Document Number: CMS CIO-STD-SEC01-3.1 | i | November 28, 2017


Table of Contents

1. Introduction ... 1
   1.1 Authority ... 2
   1.2 CMS Information Security and Privacy Program ... 2
   1.3 Version Consolidation ... 3
2. Purpose ... 5
3. Scope ... 7
   3.1 External Requirements on CMS Systems ... 7
4. ARS Structure ... 9
   4.1 ARS Family Descriptions ... 9
   4.2 Control Requirements Structure ... 13
       4.2.1 Security and Privacy Controls ... 13
       4.2.2 Control Enhancements ... 14
       4.2.3 Implementation Standards ... 15
       4.2.4 Supplemental Guidance ... 16
       4.2.5 References ... 16
       4.2.6 Related Control Requirements ... 16
       4.2.7 Priority ... 16
       4.2.8 Assurance ... 17
   4.3 Assessment Procedure ... 17
       4.3.1 Assessment Objective ... 17
       4.3.2 Assessment Methods and Objects ... 18
   4.4 CMS Required Controls and Control Enhancements ... 18
   4.5 ARS Appendix B ... 19
   4.6 Authentication and E-Authentication ... 20
5. How to Use the CMS ARS with Customization/Tailoring ... 21
   5.1 Mandatory and Non-Mandatory Controls and Control Enhancements ... 22
   5.2 How to Customize/Tailor Implementations for Controls and Control Enhancements ... 23
       5.2.1 Recognizing Keywords that Facilitate Customizing ... 24
Appendix A. References and Resources ... A-1
Appendix B. ARS Controls ... B-1
Appendix C. Acronyms ... C-1
Appendix D. Glossary ... D-1
Appendix E. Omitted and Not-Selected Controls and Control Enhancements ... E-1
Appendix F. Control and Control Enhancement Implementation Customization/Tailoring ... F-1

List of Tables

Table 1: ARS Security Control Family Descriptions ... 9
Table 2: Controls and Control Enhancements Beyond NIST SP 800-53r4 ... 18
Table 3: Keyword and Phrases to Identify Tailorable Controls and Control Enhancements ... 24
Table 4: Example ARS Control/Control Enhancement Implementation Customization ... F-1
Table 5: Example Identifying Controls and Control Enhancements as Not Applicable to a System Environment ... F-3

1. Introduction

The Centers for Medicare & Medicaid Services (CMS) Information Security and Privacy Acceptable Risk Safeguards (ARS) provides guidance to CMS and its contractors as to the minimum acceptable level of required security controls (i.e., the minimum security and privacy control baselines[1], collectively known as the CMS Minimum Security Requirement [CMSR] baselines) that must be implemented by CMS and CMS contractors to protect CMS’ information and information systems, including CMS Sensitive Information.[2] The CMSR is based on:

- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4 (NIST SP 800-53r4), Security and Privacy Controls for Federal Information Systems and Organizations, dated April 2013
- Federal Risk and Authorization Management Program (FedRAMP)
- Department of Health and Human Services (HHS) Information Systems Security and Privacy Policy (IS2P)
- CMS Information Systems Security and Privacy Policy (CMS IS2P2) CMS-CIO-POLSEC-2016-0001
- CMS policies, procedures, and guidance
- Other federal and non-federal guidance resources
- Industry leading information security and privacy practices adopted by CMS.

This document also provides non-mandatory controls and control enhancements that CMS encourages Business Owners to consider. Many of the mandatory and non-mandatory controls are customizable (i.e., tailorable) by the Business Owner.[3] Business Owners must review all controls since all are relevant and should be considered, even if they are not mandatory to implement, because these controls may help to reduce overall risk.

It should be noted that the minimal baseline for cloud deployments is defined within the FedRAMP Reference Guides.[4] Additionally, previous versions of the ARS consisted of multiple appendices. ARS 3.0, and later versions, are organized within a single document.

[1] A control baseline is the minimum list of security controls required for safeguarding an IT system based on the organizationally identified needs for confidentiality, integrity, and/or availability. A different baseline exists for each security category defined by NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems.

[2] This Policy uses the term “CMS Sensitive Information” as defined in the Risk Management Handbook Volume I Chapter 10, CMS Risk Management Terms, Definitions, and Acronyms ty/Downloads/RMH VI 10 Terms Defs Acronyms.pdf) and subject to Executive Order 13556, Controlled Unclassified Information -information). This definition includes all data that require protection due to the risk and magnitude of loss or harm, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and Federal Tax Information (FTI).

[3] The ARS provides guidance on customizing (tailoring) controls and enhancements for specific types of missions/business functions, technologies, or environments of operation. Users of the ARS may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.

[4] Complete documentation on the FedRAMP baselines is available at

1.1 Authority

The Office of Management and Budget (OMB) designated the Department of Homeland Security (DHS) and NIST as authorities to provide guidance to federal agencies for implementing information security and privacy laws and regulations, including the Federal Information Security Modernization Act of 2014 (FISMA). Other legislation and regulations affecting CMS include the Privacy Act of 1974 (“Privacy Act”) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The ARS addresses CMS applicable information security and privacy control requirements arising from federal legislation, mandates, directives, executive orders, and HHS policy by integrating NIST SP 800-53r4 with the HHS IS2P and specific programmatic legislation and CMS regulations. Appendix A provides references to these authoritative sources.

Per HHS IS2P Appendix A Section 10.2, the CMS Chief Information Officer (CIO) designates the Chief Information Security Officer (CISO) as the CMS authority for implementing the CMS-wide information security program. HHS IS2P Appendix A Section 15 designates the Senior Official for Privacy (SOP) as the CMS authority for implementing the CMS-wide privacy program. Through the ARS, the CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate. All CMS stakeholders must comply with and support the ARS to ensure compliance with federal requirements and programmatic policies, standards, procedures, and information security and privacy controls.

The CMS CISO or SOP must review any waivers or deviations from the CMSR baselines and make appropriate recommendations to the CIO for risk acceptance.

1.2 CMS Information Security and Privacy Program

CMS has an information security and privacy program managed by the Information Security and Privacy Group (ISPG) under the leadership of the CMS CISO/SOP. ISPG is responsible for ensuring the information security and privacy program:

- Defines CMSR baselines that are compliant with authoritative legislation, statute, directives, mandates, and overarching policies.
- Provides:
  o Cyber Risk Advisor (CRA) and privacy services to Business Owners and Information System Security Officers (ISSOs)
  o An Authority to Operate (ATO) process
  o A Plan of Actions and Milestones (POA&M) process
  o A common set of security and privacy controls (e.g., policy) that can be inherited across CMS (i.e., Office of the Chief Information Security Officer [OCISO] control catalog)
- Oversees an inheritable (common) control process that facilitates control inheritance from CMS data centers and under FedRAMP deployments.

1.3 Version Consolidation

Previous versions of the ARS consisted of multiple appendices. Each of these appendices provided the requirements for information systems categorized differently under the NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. Separate appendices provided the requirements for systems categorized as High, Moderate, and Low. This concept allowed readers to select the applicable appendix based on system security categorization. However, maintaining three separate appendices required CMS in effect to maintain three versions of the ARS. ARS 3.0, and later versions, identify the controls required for systems categorized under each of the FIPS 199 security categories, and identify controls and control enhancements appropriate for systems that contain Personally Identifiable Information (PII), that contain Protected Health Information (PHI), or are Cloud Service Providers (CSPs).[5] These later versions of ARS, however, are organized to provide these controls within a single document.

[5] While CSPs are required to comply with FedRAMP baselines, CMS has customized a few of the controls and implementation standards to ensure CMS’s assurance requirements are met within a FedRAMP environment.


2. Purpose

The goal of the ARS is to define a baseline of minimum information security and privacy assurance controls (i.e., the CMSR baselines). These controls are based on both internal CMS governance documents and laws, regulations, and other authorities created by institutions external to CMS.

Protecting and ensuring the confidentiality, integrity, and availability (CIA) for all of CMS’ information and information systems is the primary purpose of the information security and privacy assurance program. The ARS complies with the CMS IS2P2[6] by providing a defense-in-depth security structure along with a least-privilege, need-to-know basis for all information access.

Incorporating controls cataloged in the ARS will ensure that CMS and CMS contractor systems meet a minimum level of information security and privacy assurance. CMS systems are also subject to technical security protections defined under CMS’ other governance documents (e.g., the CMS Technical Reference Architecture (TRA), applicable TRA Supplements, and the CMS Expedited Life Cycle (XLC)). These documents, managed under the Office of the CMS CIO, describe architecture and lifecycle standards required of CMS systems.[7]

The controls within the ARS are not intended to be an all-inclusive list of information security and privacy requirements, nor are they intended to replace a Business Owner’s due diligence to incorporate additional controls to mitigate risk. The ARS controls are the minimum security and privacy requirements to be considered and employed where applicable throughout the risk management process and the CMS XLC.[8]

[6] The CMS IS2P2 can be found at y/Information-Security-Library.html

[7] Business Owners may refer to stems/CMS-InformationTechnology/XLC/index.html for a complete set of CMS information system development architecture, design, and lifecycle requirements.

[8] Business Owners must review both the non-mandatory (CMS recommended) controls and enhancements listed in the ARS and controls and enhancements under NIST SP 800-53 that were not selected (i.e., those that CMS did not pre-select for inclusion into the ARS as mandatory controls and enhancements, or that CMS selected for inclusion in the ARS but only as non-mandatory controls and enhancements) to determine if any of the controls and/or enhancements would assist in reducing risks to the system.


3. Scope

All CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS must observe the baseline policy statements described in the CMS IS2P2. The ARS controls provide a roadmap to compliance with the CMS IS2P2 and serve as a guideline to be used throughout the XLC to ensure that CMS information systems are adequately secured and CMS information is appropriately protected.

The Business Owner, assisted by the System Developer/Maintainer, has primary responsibility for evaluating the ARS and determining the appropriateness of each control for their system and ensuring their proper implementation and effectiveness.

3.1 External Requirements on CMS Systems

CMS presumes there are other authorities, both internal and external to CMS, that impose requirements on at least some information systems and business processes. It is the responsibility of the Business Owners of CMS systems, with direction provided by the Office of Information Technology (OIT), to ensure that all applicable internal/external information security and privacy assurance controls are incorporated into CMS systems. Business Owners must document and certify the incorporated controls in their respective system security plan and identify residual risks in the corresponding risk assessment for their system.[9]

For example, any system that receives, processes, or stores, and any devices that transmit, Federal Tax Information (FTI), in addition to complying with ARS, must also comply with Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (available at www.irs.gov/uac/Safeguards-Program). Internal Revenue Code (IRC) section 6103 establishes FTI as confidential information with statutory protection under federal law, and provides criminal and civil sanctions for its unauthorized access or disclosure.

[9] Residual risk is the risk remaining after efforts have been made to mitigate or eliminate the risk. A residual risk may be known but is not completely controllable (i.e., not fully mitigated), or, it may be unknown. A residual risk is assumed by the Business Owner as the risk for providing the capability/service.


4. ARS Structure

The information security and privacy controls have a well-defined organization and structure. They are organized into 26 control families for ease of use in the control selection and specification process. The families are established by NIST SP 800-53r4 and are in alignment with the 18 security-related areas specified in FIPS 200,[10] Minimum Security Requirements for Federal Information and Information Systems, and the 8 privacy families listed in Appendix J of NIST SP 800-53r4.

The minimal baseline for cloud deployments is defined within the FedRAMP Reference Guides and is not repeated within this document. Complete documentation on the FedRAMP baselines is available at

4.1 ARS Family Descriptions

Each family contains controls related to the security (or privacy) functionality of the family. A two-character identifier is assigned to uniquely identify each of the security and privacy control families. Table 1 summarizes the 26 control families and the associated two-character identifier used in the ARS.

Table 1: ARS Security Control Family Descriptions

Family (and Identifier): Description

Access Control (AC): The controls listed in this section focus on how the organization must limit information system access to authorized users, to processes acting on behalf of authorized users, or to devices (including other information systems); and how the organization must limit the types of transactions and functions that authorized users are permitted to conduct.

Awareness and Training (AT): The controls listed in this section focus on how the organization must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned IS-related duties and responsibilities.

Audit and Accountability (AU): The controls listed in this section focus on how the organization must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Security Assessment and Authorization (CA): The controls listed in this section focus on how the organization must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

Configuration Management (CM): The controls listed in this section focus on how the organization must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.

Contingency Planning (CP): The controls listed in this section focus on how the organization must establish, maintain, and implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Identification and Authentication (IA): The controls listed in this section focus on how the organization must (i) identify information system users, processes acting on behalf of users, or devices; and (ii) authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Incident Response (IR): The controls listed in this section focus on how the organization must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.

Maintenance (MA): The controls listed in this section focus on how the organization must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Media Protection (MP): The controls listed in this section focus on how the organization must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.

Physical and Environmental Protection (PE): The controls listed in this section focus on how the organization must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.

Planning (PL): The controls listed in this section focus on how the organization must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Personnel Security (PS): The controls listed in this section focus on how the organization must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.

Risk Assessment (RA): The controls listed in this section focus on how the organization must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.

System and Services Acquisition (SA): The controls listed in this section focus on how the organization must: (i) allocate sufficient resources to protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security and privacy assurance considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.

System and Communications Protection (SC): The controls listed in this section focus on how the organization must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security and privacy assurance within organizational information systems.

System and Information Integrity (SI): The controls listed in this section focus on how the organization must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and

[10] Of the eighteen security control families in NIST Special Publication 800-53r4, 17 families are described in the security control catalog in Appendix F, and are closely aligned with the seventeen minimum security requirements for federal information and information systems in FIPS Publication 200. One additional family (Program Management [PM] family) provides controls for information security programs required by FISMA. This family, while not specifically referenced in FIPS Publication 200, provides security controls at the organization level rather than the information system level.
