Information Security – Overview

MS Information Security (IS) “Virtual Handbook”

The links to the left are the collection of all CMS policies, standards, procedures, and guidelines which implement the CMS Information Security Program.

“Holding Ourselves to a Higher Standard”

As CMS is a trusted custodian of individual health care data, we must protect its most valuable assets, its information and its information systems. At CMS, we believe that putting the government’s credibility at risk is not acceptable.
Computer Based Training (CBT) is mandatory for most users of CMS Information Systems when an individual is initially issued their CMS User Id and then in conjunction with annual certification of their CMS User Id. Select the “CBT Instructions” menu item on the left or the “Information Security CBT” link below.
Access to CMS Systems – for more information about CMS User Ids in the EUA system, the annual User Id certification process, EUA Passport or EUA Workflow, select the the “EUA” link to the left or below. Select the “IACS” link below for User Ids related to Medicare Parts C and D.
Identity Theft – find out everything that you need to know about how to protect yourself or recovery from Identity Theft by visiting the Federal Trade Commission’s web site by selecting the “Identity Theft” link below.
Information System Security Officers (ISSO) are the primary points of contact within each CMS Office/Center regarding information security issues and they are the component’s liaison with the CMS Chief Information Security Officer (CISO). CMS contractors should contact their Project Officer in order to identify which ISSO supports their system. Select the “ISSO” link below. The CMS ISSO list access is restricted to authorized CMS users.
Security in the Systems Development Lifecycle (SDLC) – Are you involved in the design or maintenance of an information system for CMS ??? Select the links to the left to access the applicable information security laws, regulations, policies, procedures, standards and guidelines that affect all CMS information and information systems. The overall “Systems Lifecycle Framework” can be reached through the link below.
Security Incidents – Known or suspected security incidents involving CMS information or information systems should be reported immediately to the CMS IT Service Desk by calling 410-786-2580 begin_of_the_skype_highlighting 410-786-2580 end_of_the_skype_highlighting or 1-800-562-1963 begin_of_the_skype_highlighting 1-800-562-1963 end_of_the_skype_highlighting or via e-mail to Even if you are not positive but only suspect that it might be a security incident, you should still submit a report and allow the experts to determine whether or not it is a security incident. According the Computer Security Incident Response Team ( a security incident is “An event which changes the security posture of an organization or circumvents security polices developed to prevent financial loss and/or the destruction, theft, or compromise of proprietary information. Also, an event investigated by an organization due to unusual activity, that cannot be explained as a consequence of normal operations.
Some possible classifications for security incidents are:
  • Unauthorized Electronic Monitoring
  • Misuse of Systems (internal or external)
  • Website Defacement, Probes/Scans
  • Denial of Service
  • Intrusion/Hack
  • Virus Attacks (Unable to clean, rename, or delete)
  • IDS alert notifications
  • External/Internal Threats (espionage)
  • Unauthorized accesses to information systems
  • Theft of intellectual property
  • Extortion

CISO Team – Do you have a question or comment about the CMS Information Security Program ??? Send an e-mail to and the CISO Team will find the answer for you.