CMS Master Security Plan




Office of the Chief Information Security Officer
Centers for Medicare & Medicaid Services
7500 Security Boulevard
Baltimore, Maryland 21244-1850

CMS Master Security Plan
FINAL
Version 6.00
June 25, 2010
Document Number: CMS-CISO-2010-002


SUMMARY OF CHANGES IN CMS MASTER SECURITY PLAN

VERSION 0.01
1) Baseline Version.


TABLE OF CONTENTS

1 INTRODUCTION
2 ORGANIZATIONAL REQUIREMENTS
2.1 PM-1 Information Security Program Plan
2.2 PM-2 Senior Information Security Officer
2.3 PM-3 Information Security Resources
2.4 PM-4 Plan of Action and Milestones Process
2.5 PM-5 Information System Inventory
2.6 PM-6 Information Security Measures of Performance
2.7 PM-7 Enterprise Architecture
2.8 PM-8 Critical Infrastructure Plan
2.9 PM-9 Risk Management Strategy
2.10 PM-10 Security Authorization Process
2.11 PM-11 Mission/Business Process Definition
3 CMS OVERVIEW
3.1 Business Overview
3.2 Systems Overview
3.3 IT Operations Overview
4 CMS INFORMATION SECURITY PROGRAM
4.1 Risk Management
4.2 Common Controls
4.3 Continuous Monitoring
4.4 Enterprise Architecture

LIST OF TABLES
Table 1 Attachment I Controls and Types

1 INTRODUCTION

The CMS Master Security Plan (MSP) is a complete replacement of the CMS Master Security Plan (Common Security Controls), dated April 17, 2009. It includes:

- Identification of CMS-wide organizational controls as defined in the Program Management (PM) family of controls required by the National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations;
- Complete reformatting of document content to facilitate correlation with federal program management requirements and ease of use;
- A complete listing of the common controls structure, both planned and implemented, at CMS;
- Identification of the responsible official for components of the program;
- References regarding how to obtain additional information; and
- An overview section addressing CMS, its business missions, systems, and IT operations, included for orientation purposes.

2 ORGANIZATIONAL REQUIREMENTS

This section identifies the core requirements for organizational components of the security management program as defined by the NIST SP 800-53 R3 Program Management (PM) family of minimum controls. All of these controls are organizational-level controls and apply throughout CMS. The Control, Supplemental Guidance, and Related Controls sections of each control reflect NIST SP 800-53 R3 language except for specific cases where NIST specified that CMS customizations were required. Within this section, please interpret references to the term "organization" as CMS (or your specific company or agency). The CMS Implementation section of each control explains the CMS control or directs the reader to the appropriate documentation for the control.

2.1 PM-1 INFORMATION SECURITY PROGRAM PLAN

Control: The organization:
a. Develops and disseminates an organization-wide information security program plan that:
   - Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements;
   - Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations, either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended;
   - Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
   - Is approved by a senior official with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation;
b. Reviews the organization-wide information security program plan annually; and
c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

Supplemental Guidance: The information security program plan can be represented in a single document or a compilation of documents at the discretion of the organization. The plan documents the organization-wide program management controls and organization-defined common controls. The security plans for individual information systems and the organization-wide information security program plan together provide complete coverage for all security controls employed within the organization. Common controls are documented in an appendix to the organization's information security program plan unless the controls are included in a separate security plan for an information system (e.g., security controls employed as part of an intrusion detection system providing organization-wide boundary protection inherited by one or more organizational information systems). The organization-wide information security program plan will indicate which separate security plans contain descriptions of common controls. Organizations have the flexibility to describe common controls in a single document or in multiple documents. In the case of multiple documents, the documents describing common controls are included as attachments to the information security program plan. If the information security program plan contains multiple documents, the organization specifies in each document the organizational official or officials responsible for the development, implementation, assessment, authorization, and monitoring of the respective common controls. For example, the organization may require that the Facilities Management Office develop, implement, assess, authorize, and continuously monitor common physical and environmental protection controls from the PE family when such controls are not associated with a particular information system but instead support multiple information systems. Related control: PM-8.

CMS Implementation: The security program plan is contained within the MSP and its attached and referenced documents.

2.2 PM-2 SENIOR INFORMATION SECURITY OFFICER

Control: The organization appoints a senior information security officer with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

Supplemental Guidance: The security officer described in this control is an organizational official. For a federal agency (as defined in applicable federal laws, Executive Orders, directives, policies, or regulations) this official is the Senior Agency Information Security Officer. Organizations may also refer to this organizational official as the Senior Information Security Officer or Chief Information Security Officer (CISO).

CMS Implementation: The Director of the Office of the Chief Information Security Officer (OCISO) is the CMS CISO, with the mission and resources to coordinate, develop, implement, and maintain an organization-wide information security program.

2.3 PM-3 INFORMATION SECURITY RESOURCES

Control: The organization:
a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;
b. Employs a business case/Exhibit 300/Exhibit 53 to record the resources required; and
c. Ensures that information security resources are available for expenditure as planned.

Supplemental Guidance: Organizations may designate and empower an Investment Review Board (or similar group) to manage and provide oversight for the information security-related aspects of the capital planning and investment control process. Related controls: PM-4, SA-2.

CMS Implementation: Business owners are responsible for ensuring that capital planning and investment requests include the resources needed to implement the information security components within their systems. The Information Technology Investment Review Board (ITIRB) and the Technical Review Board (TRB) provide oversight for this.

2.4 PM-4 PLAN OF ACTION AND MILESTONES PROCESS

Control: The organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and document the remedial information security actions to mitigate risk to organizational operations and assets, individuals, other organizations, and the Nation.

Supplemental Guidance: The plan of action and milestones is a key document in the information security program and is subject to federal reporting requirements established by OMB. Updates to the plan of action and milestones are based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OMB FISMA reporting guidance contains instructions regarding organizational plans of action and milestones. Related control: CA-5.

CMS Implementation: The Plan of Action and Milestones (POA&M) procedures are contained in the information security library, which is found at http://www.cms.gov/informationsecurity/isd. Automated tracking uses the CMS FISMA Tracking System (CFACTS). Contact CISO@cms.hhs.gov for specific information.

2.5 PM-5 INFORMATION SYSTEM INVENTORY

Control: The organization develops and maintains an inventory of its information systems.

Supplemental Guidance: This control addresses the inventory requirements in FISMA. OMB provides guidance on developing information system inventories and associated reporting requirements.

CMS Implementation: The OCISO maintains the information systems inventory separately in a database. Contact CISO@cms.hhs.gov for specific information.

2.6 PM-6 INFORMATION SECURITY MEASURES OF PERFORMANCE

Control: The organization develops, monitors, and reports on the results of information security measures of performance.

Supplemental Guidance: Measures of performance are outcome-based metrics used by an organization to measure the effectiveness or efficiency of the information security program and the security controls employed in support of the program.

CMS Implementation: Continuous monitoring, security assessments, common controls, and POA&M reporting form the basis for measuring the performance of the information security program. Contact CISO@cms.hhs.gov for specific information.

2.7 PM-7 ENTERPRISE ARCHITECTURE

Control: The organization develops an enterprise architecture with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation.

Supplemental Guidance: The enterprise architecture developed by the organization is aligned with the Federal Enterprise Architecture. The integration of information security requirements and associated security controls into the organization's enterprise architecture helps to ensure that security considerations are addressed early in the system development life cycle and are directly and explicitly related to the organization's mission/business processes.

This also embeds into the enterprise architecture an integral security architecture consistent with organizational risk management and information security strategies. Security requirements and control integration are most effectively accomplished through the application of the Risk Management Framework and supporting security standards and guidelines. The Federal Segment Architecture Methodology provides guidance on integrating information security requirements and security controls into enterprise architectures. Related controls: PL-2, PM-11, RA-2.

CMS Implementation: The CMS Technical Reference Architecture (TRA) and its supplements define the enterprise architecture for CMS. The OCISO performs information security reviews of, and provides comments on, all elements of the TRA.

2.8 PM-8 CRITICAL INFRASTRUCTURE PLAN

Control: The organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

Supplemental Guidance: The requirement and guidance for defining critical infrastructure and key resources and for preparing an associated critical infrastructure protection plan are found in applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Related controls: PM-1, PM-9, PM-11, RA-3.

CMS Implementation: Currently, there is no formal critical infrastructure plan. Developing one is a future, planned control.

2.9 PM-9 RISK MANAGEMENT STRATEGY

Control: The organization:
a. Develops a comprehensive strategy to manage risk to organizational operations and assets, individuals, other organizations, and the Nation associated with the operation and use of information systems; and
b. Implements that strategy consistently across the organization.

Supplemental Guidance: An organization-wide risk management strategy includes, for example, an unambiguous expression of the risk tolerance for the organization, acceptable risk assessment methodologies, risk mitigation strategies, a process for consistently evaluating risk across the organization with respect to the organization's risk tolerance, and approaches for monitoring risk over time. The use of a risk executive function can facilitate consistent, organization-wide application of the risk management strategy. The organization-wide risk management strategy can be informed by risk-related inputs from other sources, both internal and external to the organization, to ensure the strategy is both broad-based and comprehensive. Related control: RA-3.

CMS Implementation: The CMS risk management strategy and related procedures are contained in the information security library (http://www.cms.gov/informationsecurity/isd).

2.10 PM-10 SECURITY AUTHORIZATION PROCESS

Control: The organization:
a. Manages (i.e., documents, tracks, and reports) the security state of organizational information systems through security authorization processes;
b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and
c. Fully integrates the security authorization processes into an organization-wide risk management program.

Supplemental Guidance: The security authorization process for information systems requires the implementation of the Risk Management Framework and the employment of associated security standards and guidelines. Specific roles within the risk management process include a designated authorizing official for each organizational information system. Related control: CA-6.

CMS Implementation: The security authorization process is defined and delineated in the information security library located at http://www.cms.gov/informationsecurity/isd. To ensure that security authorization is integrated with CMS-wide risk management, there is one enterprise authorizing official, the CMS Chief Information Officer (CIO).

2.11 PM-11 MISSION/BUSINESS PROCESS DEFINITION

Control: The organization:
a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation; and
b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained.

Supplemental Guidance: Information protection needs are technology-independent, required capabilities to counter threats to organizations, individuals, or the Nation through the compromise of information (i.e., loss of confidentiality, integrity, or availability). Information protection needs are derived from the mission/business needs defined by the organization, the mission/business processes selected to meet the stated needs, and the organizational risk management strategy. Information protection needs determine the required security controls for the organization and the associated information systems supporting the mission/business processes. Inherent in defining an organization's information protection needs is an understanding of the level of adverse impact that could result if a compromise of information occurs. The security categorization process is used to make such potential impact determinations. Mission/business process definitions and associated information protection requirements are documented by the organization in accordance with organizational policy and procedure. Related controls: PM-7, PM-8, RA-2.

CMS Implementation: Mission/business process definitions are contained within the CMS FISMA Tracking System (CFACTS). for identifying risk (both business and system risk), identifying the system security level, e-authentication level, and appropriate controls are in the information security library (http://www.cms.gov/informationsecurity/isd).

3 CMS OVERVIEW

3.1 BUSINESS OVERVIEW

CMS, an operating division of the Department of Health and Human Services (DHHS), is responsible for overseeing Medicare, Medicaid, the State Children's Health Insurance Program (SCHIP), and the Medicare-Approved Drug Discount Cards. CMS is the largest purchaser of health care in the world, and serves approximately one of every four Americans. Medicare, Medicaid, and SCHIP outlays, including state funding, represent approximately one-third of every dollar spent on health care in the United States.

The Medicare and Medicaid entitlement programs, which finance health care for elderly, disabled, and low-income persons, are a result of the 1965 amendments to the Social Security Act (Titles XVIII and XIX). Medicare was an extension of the social insurance concept of the Social Security cash benefits programs. Medicaid was conceived as a Federal/State partnership in both policy setting and funding and as part of the social safety net for eligible low-income persons.

As the trusted custodian for one of the largest repositories of individual health care data in the world, CMS protects and ensures the security of all forms of patient and payment information regardless of how it is created, distributed, or stored. Continual advances in high-level inquiry languages, the use of smaller, faster computers, and high-speed access to the Internet for continued customer support are challenges for the privacy of patient and payment information.

CMS uses automated systems to support the Medicare and Medicaid programs. The Agency employs about 4,500 persons in the CMS Central Office (CO) facility located at 7500 Security Boulevard, Baltimore, Maryland, and in ten (10) Regional Office (RO) locations around the country. However, this workforce is only a portion of the large and complex network that makes the CMS program work successfully. Traditionally, a number of external entities under provisions of Title XVIII have supported Medicare beneficiary and healthcare provider requirements. These consist of healthcare-related organizations contractually supporting the policies, procedures, enrollment, entitlement, claims processing, account information queries, and other support functions.

The Medicare Integrity Program (MIP), which was created under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, enacted new authorities that allow CMS to contract with entities beyond, but also including, its current Fiscal Intermediaries (FIs) and Carriers to perform specific program safeguard functions. CMS has established a number of Program Safeguard Contractors (PSCs) from a list of eligible and able contractors. CMS can issue, compete, evaluate, and award individual task orders among PSCs. These task orders are for some, all, or any subset of the work associated with the following payment safeguard functions: medical review, cost report audit, data analysis, provider education, and fraud detection and prevention.

The different types of traditional Medicare Fee-for-Service (FFS) contractor entities are defined as follows:

Fiscal Intermediary (FI): A health insurance company that is nominated by a group or association of institutional providers of health care services to make payments for covered Medicare services (Medicare Part A).

Carrier: A health insurance company that is selected (by competition or designation) by CMS to make payments to physicians and other practitioners for covered Medicare services (Medicare Part B).

Durable Medical Equipment Regional Carrier (DMERC): A health insurance company that is selected (by competition or designation) by CMS to make payments to durable medical equipment suppliers.

Regional Home Health Intermediary (RHHI): An FI designated by CMS to make payments for covered Medicare services to home health agencies and hospices.

On December 8, 2003, the Medicare Prescription Drug, Improvement, and Modernization Act (MMA) of 2003 (PL 108-173) was signed into public law by the President. This Act modernized Medicare and provided additional services to eligible recipients, such as a prescription drug discount program and other improved benefits. Section 911 of the MMA required a major reform of Medicare contracting provisions. CMS refers to this part of the MMA, and its implementation, as Medicare Contracting Reform. Congress' goal is to create a Medicare administrative structure that is capable of meeting current and future health care delivery challenges.

In July 2006, CMS began implementing its plan to modernize FFS claims processing. CMS plans to establish 15 Medicare administrative contractor (MAC) jurisdictions and to award a contract to a single contractor in each jurisdiction to take responsibility for processing both Part A and Part B claims. CMS also has established four MACs to process claims for durable medical equipment. Additional MACs are planned for the processing of home health and hospice (HH) claims. The transition of claims processing operations from FIs/Carriers/DMERCs/RHHIs to the MACs must be completed by October 2011.

In addition to Medicare FFS Contracting Reform, CMS has started the modernization of the IT infrastructure as a result of the MMA legislation. In March 2006, CMS announced the selection of new Enterprise Data Center (EDC) contracts. The winners of the EDC procurement are EDS Corp., IBM Corp., and Companion Data Services LLC (CDS). These three contractors will compete for all future data center tasks through this Indefinite Quantity, Indefinite Deliverable (IDIQ) contract vehicle. These contracts are the hub of the new CMS Information Technology (IT) infrastructure for the next decade. All CMS software applications and hosting operations for Medicare, Medicaid, and SCHIP will ultimately be transitioned to the new EDCs over the next five years. CMS plans for the data center in the North Building in Baltimore to become a test and validation environment for the production operation housed at the EDCs. As an integral part of the CMS IT Modernization Initiative, the EDCs will help CMS:

CMS-CISO-2010-002 Further standardize the implementation of policy changes Establish better control of IT processes and procedures Allow additional e-government initiatives Reduce the CMS system security risk Support increasing health care processing workloads. Reduce cost CMS Master Security Plan To carry out its wide range of responsibilities, CMS works in partnership with many other entities to ensure beneficiaries have access to high quality care, including, but not limited to, the following: States, Territories, and Tribes, Other Federal agencies, Healthcare professionals and providers, Healthcare groups and associations, Beneficiary and consumer organizations, Accrediting bodies and researchers. 3.2 SYSTEMS OVERVIEW CMS tracks systems individually and the OCISO maintains the list of current systems in a database. For overview purposes only, the systems are discussed in groups that reflect the business mission(s) supported. Administrative Finance Systems A collection of automated systems that support consolidated budgetary and financial accounting functions. These applications serve as CMS s interface with Federal agencies such as DHHS, Treasury, and IRS on financial transactions. Customer Service Systems A collection of automated systems that directly provide the public with health care consumer information (e.g., CMS program eligibility and coverage, provider availability and quality, claim status). These systems make up CMS s e-gov presence. Health Care Quality Improvement Systems A collection of automated systems that facilitate the collaboration of CMS and the Quality Improvement Organizations to improve the health of Medicare beneficiaries. Activities involve analyzing data from various sources and changing the patterns of care to remedy widespread shortcomings in the health care system. Healthcare Integrated General Ledger Accounting System HIGLAS will replace the existing 52 separate accounting/payment systems for Medicare & Medicaid. 
HIGLAS represents the consolidation of two major CMS projects within the office of the CMS Chief Financial Officer. The first project, the Integrated General Ledger and Accounting System (IGLAS) project, was initiated to improve the accounting & financial management processes used by CMS's Medicare contractors to administer the Medicare Parts A & B programs. The second project was an effort to improve the agency's central administrative accounting & financial management processes. These two activities were combined into the HIGLAS project.

Human Resource Management Systems
A collection of automated systems that support collection and maintenance of information about the CMS organization structure and workforce, and HR-related processes (e.g., travel, training, time and attendance).

IT Management Systems
A collection of automated systems that support business processes for which the Chief Information Officer is responsible.

Medicare Advantage & Rx Plan Operation Systems
A collection of automated systems that support collection and maintenance of beneficiary enrollments, premiums and payments for affordable health care and prescription drug coverage as legislated by the Medicare Prescription Drug, Improvement and Modernization Act (MMA) of 2003.

Medicaid & State Health Insurance Systems
A collection of automated systems that support administration and funding of the Medicaid and State Children's Health Insurance programs, as well as drug pricing and rebate functions.

Medicare Beneficiary Enrollment Systems
A collection of automated systems that support the collection and maintenance of information (e.g., demographics, enrollment, insurance, premium payments) about Medicare Program beneficiaries.

Medicare Claims Processing Systems
A collection of automated systems that support the processing of bills and reimbursement claims for medical goods and services under the Medicare Program. Scope includes Standard Systems and Common Working File operations.

Medicare Financial Management & Payment Systems
A collection of automated systems that support Medicare Contractor workload and budget administration, and provider cost reporting.

Medicare Utilization Data Collection & Access Systems
A collection of automated systems that support the collection and analysis of Medicare and Medicaid Program enrollment and utilization data.

Medicare Appeal Systems
A collection of systems that support the appeals processes for Medicare Fee-for-Service and Managed Care.

Payment Quality Review Systems
A collection of automated systems that support the review of Medicare Program payments for medical goods and services. Quality review areas include, but may not be limited to, overpayment, duplicate payment, fraud and abuse, monetary penalty tracking, and overall benefit savings.

Procurement & Property Management Systems
A collection of automated systems that support the identification, purchasing and management of agency property (e.g., office equipment and furniture, records, paper stock), as well as the awarding and management of contracts, grants, etc. used to acquire goods and services for the agency.

Provider Enrollment Systems
A collection of systems that support medical goods and services provider enumeration and enrollment in support of CMS health insurance programs.

Retiree Drug Subsidy Systems
A collection of systems that support the Medicare Retiree Drug Subsidy Provisions of the MMA.

Integrated Data Repositories
An enterprise resource designated to house entitlement, enrollment, utilization, quality and provider performance information, as well as data on physicians, providers, employer plans, Medicaid recipients, and Medicare secondary payers, by storing one instance of timely, quality data/information with multiple integrated views.

Electronic Health Record Systems
A collection of systems that supports web-based access to electronic health records.

Medicaid Integrity Systems
A collection of systems to facilitate the Medicaid integrity requirements, including prevention or detection of fraud, waste and abuse; data mining and analysis; audit of Medicaid payments for appropriateness; evaluation of provider enrollment with suspect background and behavior indicators; and claims review and provider audits.

CMS IT Infrastructure
This includes the Enterprise Data Center (EDC) systems which host CMS software and web applications for Medicare, Medicaid and SCHIP. The infrastructure houses mainframe computers, mid-tier computers, file/print servers, LAN/WAN network communications equipment, and voice communications supporting CMS Central Office users and CMS remote partners.

Wide Area Network (WAN) Services, Medicare Data Communications Network (MDCN), and CMSNet
The Medicare Data Communications Network (MDCN) is a private WAN managed by AT&T's Managed Data Network Services. MDCN supports the mission of CMS by providing the infrastructure that allows communications and data transmission between CMS business-related entities. CMSNet is the CMS private network that includes intranet and WAN components and will replace the MDCN as described in the CMS Technical Reference Architecture - Wide Area Network (WAN) Services Supplement.

Q-Net
Quality Net (QNet) is an environment that uses shared database servers and WAN resources to monitor and improve utilization and quality of care for Medicare and Medicaid beneficiaries.

4 CMS INFORMATION SECURITY PROGRAM

All CMS and CMS Partner IT systems (applications, platforms, services, and support infrastructure) are subject to FISMA reporting as either a system or a subsystem. The CMS CISO maintains the list of these systems for this dynamically changing population in a database. Contact CISO@cms.hhs.gov for specific information.

CMS developed an Information Security (IS) Program to oversee and protect the complex and extensive CMS business environment. The CMS IS Program supports the CMS on-site and off-site systems (CMS systems operated/maintained at the CMS CO, ROs, or at off-site contractor facilities). It also supports the External Business Partner systems such as FIs, Carriers, DMERCs, MACs, etc.

The IS Program implementation is supported by the CMS Information Security website located at http://www.cms.hhs.gov/informationsecurity, which contains the library of all CMS policies, procedures, standards and guidelines for the CMS Information Security Program (http://www.cms.gov/informationsecurity/isd). This is a dynamically changing program, geared to achieving cost-effective, risk-based security measures in the constantly evolving landscapes of business missions, threat environments, and legislative and regulatory requirements. Non-CMS entities that process information on behalf of CMS, either directly or indirectly, must follow the CMS IS Program and must additionally have, maintain and report on their program management controls (identified in section 2).

NIST SP 800-53 and SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems (subtitled A Security Life Cycle Approach), are shifting some focus areas within the MSP. The prior foundation for the program encompassed: policies, standards, and procedures; training and awareness; security architecture; and obtaining an authorization to operate. These continue, but with an emphasis on addressing the more dynamic aspects of risk management within the business to achieve a risk-based approach involving: total integration with the CMS Integrated IT Investment & System Life Cycle Framework (ILC), establishment and maintenance of common controls, and continuous monitoring of the security posture and risks of CMS systems.
4.1 RISK MANAGEMENT

CMS views risk management as an enterprise-wide issue. There is one Authorizing Official for all CMS systems: the CIO. The CIO, Chief Technology Officer (CTO), and CISO perform the risk executive function jointly. The CMS Policy for the Information Security Program (PISP) sets the ground rules under which CMS shall operate and safeguard its information and information systems to reduce risk and minimize the effect of security incidents. The CMS Information Security Acceptable Risk Safeguards (ARS) Including CMS Minimum Security Requirements (CMSR) provides CMS and its contractors with the minimum level of required security controls to protect CMS information and information systems. Both of these documents are available in the CMS Information Security website library, located at http://www.cms.gov/informationsecurity/isd.

4.2 COMMON CONTROLS

CMS has established common controls. The CISO approves common controls and common control providers. The OCISO maintains the list, including all controls, control types (e.g., common, hybrid, system-specific), common control provider, and scope of the control. Attachment 1 contains the list as of the date of this plan. For more information, or for a current list, please contact CISO@cms.hhs.gov.

4.3 CONTINUOUS MONITORING

The OCISO oversees the continuous monitoring program. It has both manual and automated components, including system life cycle, IT governance, and security review and assessment processes, and the soon-to-be-implemented automated CMS FISMA Tracking System (CFACTS) and nCircle IP360 enterprise-monitoring tool. Please contact CISO@cms.hhs.gov for specific detailed information.

4.4 ENTERPRISE ARCHITECTURE

The Technical Reference Architecture (TRA) provides the technical architecture approach and technical reference standards of CMS. TRA Supplements provide additional engineering detail allowing CMS contractors to build environments that adhere to both the approved CMS architecture and other CMS standards. Each architecture standard is reviewed and accepted as a foundational component of the CMS Enterprise Architecture in accordance with the CMS IT governance process. The TRA consists of the foundation TRA document and the CMS TRA Supplements, authorized and approved by the CMS CTO. The CMS CTO leads the development of the TRA with the support of all components of the Office of Information Services (OIS) and input from CMS IT contractors. The Agency maintains the Architecture according to its established Business Rules, as described in the CMS TRA Business Rules Supplement. The foundation CMS TRA document and the CMS TRA Supplement documents, as well as their development and maintenance schedules, are managed by the CMS Enterprise Architecture and Strategy Group (EASG)/Division of IT Governance. Any changes to the TRA or its supplements must be approved by the CTO of the Agency. Any request for grant of special considerations should go to the CMS Technical Review Board (TRB). The CMS TRA Architecture Change Request Process Supplement, Version 1.0 describes the process for handling all requests for changes.
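As an added example (not part of this plan or of any CMS tool), the following Python models the control-type vocabulary of section 4.2 and Attachment 1 and sorts a constructed subset of the catalog into inherited, hybrid and system-owned controls for one system; the resolution rules, the SystemProfile fields and the sample system profiles are this example's assumptions, since the plan names the types but does not spell out how they resolve for a given system.

```python
"""Added example, not part of the CMS Master Security Plan or any CMS tool.
Allocates CMSR controls to inherited / hybrid / system-owned buckets using
the Attachment 1 control types; the resolution rules are assumptions."""
from dataclasses import dataclass

# Control types as they appear in Attachment 1.
COMMON = "Common"
HYBRID = "Hybrid"
SYSTEM_ONLY = "System-specific only"
PLATFORM_OR_SYSTEM = "Platform or service or System-specific"
INHERITED_HHS = "Inherited HHS"


@dataclass(frozen=True)
class Control:
    cmsr: str
    name: str
    ctype: str
    provider: str = ""   # Common Control Provider column
    scope: str = ""      # Scope of Common Control column


# Constructed subset of Attachment 1; cell values are copied from the table.
CATALOG = [
    Control("AC-1", "Access Control Policy and Procedures", COMMON, "OIS/OCISO", "Enterprisewide"),
    Control("AC-2", "Account Management", HYBRID),
    Control("AC-7", "Unsuccessful Login Attempts", PLATFORM_OR_SYSTEM),
    Control("AC-18", "Wireless Access", COMMON, "", "Baltimore campus"),
    Control("CA-5", "Plan of Action and Milestones (POA&M)", SYSTEM_ONLY),
    Control("RA-5", "Vulnerability Scanning", COMMON, "OIS/OCISO", "IT assets scanned by OIS/OCISO"),
    Control("SI-8", "Spam Protection", INHERITED_HHS, "", "CMS email"),
]


@dataclass
class SystemProfile:
    """Assumed facts an SSP author knows about their own system."""
    name: str
    scopes: frozenset = frozenset()             # Attachment 1 scope labels that apply
    platform_controls: frozenset = frozenset()  # CMSRs the hosting platform/service supplies


def allocate(catalog, profile):
    """Return {'inherited': [...], 'hybrid': [...], 'system': [...]} of CMSR ids.
    Assumed rules: Common / Inherited HHS are inherited only when the system falls
    within the stated scope (Enterprisewide always applies), otherwise the owner
    must implement them; Hybrid always leaves a portion for the owner; Platform or
    service or System-specific is inherited only when the platform supplies it;
    System-specific only is always the owner's."""
    buckets = {"inherited": [], "hybrid": [], "system": []}
    for c in catalog:
        if c.ctype in (COMMON, INHERITED_HHS):
            in_scope = c.scope == "Enterprisewide" or c.scope in profile.scopes
            key = "inherited" if in_scope else "system"
        elif c.ctype == HYBRID:
            key = "hybrid"
        elif c.ctype == PLATFORM_OR_SYSTEM:
            key = "inherited" if c.cmsr in profile.platform_controls else "system"
        elif c.ctype == SYSTEM_ONLY:
            key = "system"
        else:
            raise ValueError(f"{c.cmsr}: unknown control type {c.ctype!r}")
        buckets[key].append(c.cmsr)
    return buckets


def common_without_provider(catalog):
    """Common controls whose provider cell is blank in the table: confirm the
    provider with the OCISO before claiming inheritance in an SSP."""
    return [c.cmsr for c in catalog if c.ctype == COMMON and not c.provider]


if __name__ == "__main__":
    # Constructed profile: a campus application whose hosting platform
    # enforces the AC-7 lockout on the system's behalf.
    campus_app = SystemProfile("Campus App", frozenset({"Baltimore campus", "CMS email"}),
                               frozenset({"AC-7"}))
    for bucket, ids in allocate(CATALOG, campus_app).items():
        print(f"{bucket:>9}: {', '.join(ids)}")
    print("confirm provider for:", common_without_provider(CATALOG))
```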

Table 1 Attachment I Controls and Types

CMSR | CMSR Name | Type of Control | Common Control Provider | Scope of Common Control | Notes
AC-1 | Access Control Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
AC-2 | Account Management | Hybrid | | |
AC-3 | Access Enforcement | Platform or service or System-specific | | |
AC-4 | Information Flow Enforcement | Platform or service or System-specific | | |
AC-5 | Separation of Duties | Hybrid | | |
AC-6 | Least Privilege | Hybrid | | |
AC-7 | Unsuccessful Login Attempts | Platform or service or System-specific | | |
AC-8 | System Use Notification | Platform or service or System-specific | | |
AC-9 | Previous Logon (Access) Notification | Platform or service or System-specific | | |
AC-10 | Concurrent Session Control | Hybrid | | |
AC-11 | Session Lock | Hybrid | | |
AC-14 | Permitted Actions without Identification or Authentication | System-specific only | | |
AC-17 | Remote Access | Hybrid | | |
AC-18 | Wireless Access | Common | | Baltimore campus | EDCG is managing wireless functionality
AC-19 | Access Control for Mobile Devices | Common | | CMS Owned Equip. |
AC-20 | Use of External Information Systems | Common | OIS/OCISO | CMS Employees |
AC-22 | Publicly Accessible Content | Hybrid | | |
AT-1 | Security Awareness and Training Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
AT-2 | Security Awareness | Hybrid | OIS/OCISO | |
AT-3 | Security Training | Hybrid | OIS/OCISO | |
AT-4 | Security Training Records | Common | OIS/OCISO | CMS Employees |
AT-5 | Contacts with Security Groups and Associations | Common | OIS/OCISO | Enterprisewide |
AU-1 | Audit and Accountability Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
AU-2 | Auditable Events | Hybrid | | |
AU-3 | Content of Audit Records | Hybrid | | |
AU-4 | Audit Storage Capacity | Hybrid | | |
AU-5 | Response to Audit Processing Failures | Hybrid | | |
AU-6 | Audit Review, Analysis, and Reporting | System-specific only | | |
AU-7 | Audit Reduction and Report Generation | System-specific only | | |
AU-8 | Time Stamps | Hybrid | | |
AU-9 | Protection of Audit Information | Platform or service or System-specific | | |
AU-10 | Non-Repudiation | Platform or service or System-specific | | |
AU-11 | Audit Record Retention | Platform or service or System-specific | | |
AU-12 | Audit Generation | Platform or service or System-specific | | |
CA-1 | Security Assessment and Authorization Policies and Procedures | Common | OIS/OCISO | Enterprisewide |
CA-2 | Security Assessments | Hybrid | | |
CA-3 | Information System Connections | Common | | Systems run |
CA-5 | Plan of Action and Milestones (POA&M) | System-specific only | | |
CA-6 | Security Authorization | System-specific only | | |
CA-7 | Continuous Monitoring | Hybrid | | |
CM-1 | Configuration Management Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
CM-2 | Baseline Configuration | Hybrid | | |
CM-3 | Configuration Change Control | Hybrid | | |
CM-4 | Security Impact Analysis | Hybrid | | |
CM-5 | Access Restrictions for Change | Hybrid | | |
CM-6 | Configuration Settings | Hybrid | | |
CM-7 | Least Functionality | Hybrid | | |
CM-8 | Information System Component Inventory | System-specific only | | |
CM-9 | Configuration Management Plan | Hybrid | | |
CP-1 | Contingency Planning Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
CP-2 | Contingency Plan | Hybrid | | |
CP-3 | Contingency Training | Hybrid | | |
CP-4 | Contingency Plan Testing and Exercises | Hybrid | | |
CP-6 | Alternate Storage Site | Common | | Systems run |
CP-7 | Alternate Processing Site | Common | | Systems run |
CP-8 | Telecommunications Services | Common | | Systems run |
CP-9 | Information System Backup | Common | | Systems run |
CP-10 | Information System Recovery and Reconstitution | Hybrid | | |
IA-1 | Identification and Authentication Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
IA-2 | Identification and Authentication (Organizational Users) | Hybrid | EUA | |
IA-3 | Device Identification and Authentication | Common | | Systems run |
IA-4 | Identifier Management | Hybrid | IACS, EUA | |
IA-5 | Authenticator Management | Platform or service or System-specific | | |
IA-6 | Authenticator Feedback | Platform or service or System-specific | | |
IA-7 | Cryptographic Module Authentication | Platform or service or System-specific | | |
IA-8 | Identification and Authentication (Non-Organizational Users) | Platform or service or System-specific | | |
IR-1 | Incident Response Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
IR-2 | Incident Response Training | Common | | Systems run |
IR-3 | Incident Response Testing and Exercises | Common | | Systems run |
IR-4 | Incident Handling | Common | | Systems run |
IR-5 | Incident Monitoring | Common | | Systems run |
IR-6 | Incident Reporting | Common | | Systems run |
IR-7 | Incident Response Assistance | Common | | Systems run |
IR-8 | Incident Response Plan | Common | | Systems run | Version 5 CMSR additional control
MA-1 | System Maintenance Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
MA-2 | Controlled Maintenance | Common | | Systems run |
MA-3 | Maintenance Tools | Hybrid | | |
MA-4 | Non-Local Maintenance | Common | | Systems run |
MA-5 | Maintenance Personnel | Common | | Systems run |
MA-6 | Timely Maintenance | Common | | Systems run |
MP-1 | Media Protection Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
MP-2 | Media Access | Common | | Systems run |
MP-3 | Media Marking | Common | | Systems run |
MP-4 | Media Storage | Common | | Systems run |
MP-5 | Media Transport | Hybrid | | |
MP-6 | Media Sanitization | Hybrid | | |
MP-CMS-1 | Media Related Records | Common | | Systems run |
PE-1 | Physical and Environmental Protection Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
PE-2 | Physical Access Authorizations | Hybrid | OOM | |
PE-3 | Physical Access Control | Common | OOM/SEMG | CMS facilities |
PE-4 | Access Control for Transmission Medium | Common | OOM/SEMG | CMS facilities |
PE-5 | Access Control for Output Devices | Hybrid | OOM/SEMG | |
PE-6 | Monitoring Physical Access | Common | OOM/SEMG | CMS facilities |
PE-7 | Visitor Control | Common | OOM/SEMG | CMS facilities |
PE-8 | Access Records | Common | OOM/SEMG | CMS facilities |
PE-9 | Power Equipment and Power Cabling | Common | OOM/SEMG | CMS facilities |
PE-10 | Emergency Shutoff | Common | OOM/SEMG | CMS facilities |
PE-11 | Emergency Power | Common | OOM/SEMG | CMS facilities |
PE-12 | Emergency Lighting | Common | OOM/SEMG | CMS facilities |
PE-13 | Fire Protection | Common | OOM/SEMG | CMS facilities |
PE-14 | Temperature and Humidity Controls | Common | OOM/SEMG | CMS facilities |
PE-15 | Water Damage Protection | Common | OOM/SEMG | CMS facilities |
PE-16 | Delivery and Removal | Common | OOM/SEMG | Systems run |
PE-17 | Alternate Work Site | Hybrid | OOM/SEMG | |
PE-18 | Location of Information System Components | Common | OOM/SEMG | Systems run |
PL-1 | Security Planning Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
PL-2 | System Security Plan (SSP) | System-specific only | | |
PL-4 | Rules of Behavior (ROB) | Common | OIS/OCISO | Enterprisewide |
PL-5 | Privacy Impact Assessment (PIA) | System-specific only | | |
PL-6 | Security-Related Activity Planning | Hybrid | OIS/OCISO | |
PS-1 | Personnel Security Policy and Procedures | Common | OOM/SEMG | CMS Employees |
PS-2 | Position Categorization | Common | OOM/SEMG | CMS Employees |
PS-3 | Personnel Screening | Common | OOM/SEMG | CMS Employees |
PS-4 | Personnel Termination | Hybrid | OOM/SEMG | |
PS-5 | Personnel Transfer | Hybrid | OOM/SEMG | |
PS-6 | Access Agreements | Hybrid | OOM/SEMG | |
PS-7 | Third-Party Personnel Security | Hybrid | OOM/SEMG | |
PS-8 | Personnel Sanctions | Common | OOM | CMS Employees |
RA-1 | Risk Assessment Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
RA-2 | Security Categorization | System-specific only | | |
RA-3 | Risk Assessment | System-specific only | | |
RA-5 | Vulnerability Scanning | Common | OIS/OCISO | IT assets scanned by OIS/OCISO |
SA-1 | System and Services Acquisition Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
SA-2 | Allocation of Resources | System-specific only | | |
SA-3 | Life Cycle Support | System-specific only | | |
SA-4 | Acquisitions | System-specific only | | |
SA-5 | Information System Documentation | System-specific only | | |
SA-6 | Software Usage Restrictions | Hybrid | OIS/OCISO | |
SA-7 | User-Installed Software | Common | OIS/OCISO | Enterprisewide |
SA-8 | Security Engineering Principles | System-specific only | | |
SA-9 | External Information System Services | Common | OIS | Systems run |
SA-10 | Developer Configuration Management | Hybrid | OIS/OCISO | |
SA-11 | Developer Security Testing | Hybrid | OIS/OCISO | |
SA-12 | Supply Chain Protection | System-specific only | | |
SA-13 | Trustworthiness | System-specific only | | |
SC-1 | System and Communications Protection Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
SC-2 | Application Partitioning | Platform or service or System-specific | | |
SC-3 | Security Function Isolation | Platform or service or System-specific | | |
SC-4 | Information in Shared Resources | Common | | Systems run |
SC-5 | Denial of Service Protection | Platform or service or System-specific | | |
SC-7 | Boundary Protection | Platform or service or System-specific | | |
SC-8 | Transmission Integrity | Platform or service or System-specific | | |
SC-9 | Transmission Confidentiality | Platform or service or System-specific | | |
SC-10 | Network Disconnect | Platform or service or System-specific | | |
SC-12 | Cryptographic Key Establishment and Management | Common | | Systems run |
SC-13 | Use of Cryptography | Platform or service or System-specific | | |
SC-14 | Public Access Protections | Platform or service or System-specific | | |
SC-15 | Collaborative Computing Devices | Hybrid | | |
SC-17 | Public Key Infrastructure Certificates | Common | | Systems run |
SC-18 | Mobile Code | Hybrid | | |
SC-19 | Voice Over Internet Protocol | Hybrid | | |
SC-20 | Secure Name/Address Resolution Service (Authoritative Source) | Common | | Systems run |
SC-21 | Secure Name/Address Resolution Service (Recursive or Caching Resolver) | Common | | Systems run |
SC-22 | Architecture and Provisioning for Name/Address Resolution Service | Common | | Systems run |
SC-23 | Session Authenticity | Platform or service or System-specific | | |
SC-24 | Fail in Known State | System-specific only | | |
SC-28 | Protection of Information at Rest | Platform or service or System-specific | | |
SC-32 | Information System Partitioning | Common | | Systems run |
SC-CMS-1 | Electronic Mail | Hybrid | | |
SC-CMS-2 | Persistent Cookies | Inherited HHS | | |
SI-1 | System and Information Integrity Policy and Procedures | Common | OIS/OCISO | Enterprisewide |
SI-2 | Flaw Remediation | Hybrid | | |
SI-3 | Malicious Code Protection | Common | | Systems run |
SI-4 | Information System Monitoring | Hybrid | OIS/OCISO | |
SI-5 | Security Alerts, Advisories, and Directives | Common | OIS/OCISO | Enterprisewide |
SI-6 | Security Functionality Verification | Platform or service or System-specific | | |
SI-7 | Software and Information Integrity | Platform or service or System-specific | | |
SI-8 | Spam Protection | Inherited HHS | | CMS email |
SI-9 | Information Input Restrictions | Platform or service or System-specific | | |
SI-10 | Information Input Validation | System-specific only | | |
SI-11 | Error Handling | System-specific only | | |
SI-12 | Information Output Handling and Retention | Hybrid | OIS/OCISO | |

Notes column entries whose row could not be recovered from the page layout:
- Spans servers, networks, & workstations (page listing RA-1 through SA-5)
- Spans servers, networks, & workstations (page listing SA-6 through SC-10)
- Architecture driven (page listing SC-12 through SI-1)
- Spans servers, networks, & workstations participating in the vulnerability management program. (page listing SI-2 through SI-12)