
Centers for Medicare & Medicaid Services Information Security and Privacy Group

Risk Management Handbook (RMH) Chapter 11: Physical and Environmental Protection

Final

Version 1.0

October 8, 2019


Final Centers for Medicare & Medicaid Services

Chapter 11: Physical and Environmental Protection Version 1.0 ii

Record of Changes

The table below captures changes when updating the document. All columns are mandatory.

Version Number | Date | Chapter Section | Author/Owner Name | Description of Change
1.0 | 10/08/2019 | All | ISPG | Initial Publication


Effective Date/Approval

This Procedure becomes effective on the date that CMS’s Director, Division of Security and Privacy Policy and Governance (DSPPG) signs it and remains in effect until it is rescinded, modified or superseded.

Signature: /s/ Date of Issuance

Michael Pagels Director, Division of Security and Privacy Policy and Governance (DSPPG) and Acting Senior Official for Privacy


Table of Contents

Record of Changes
Effective Date/Approval
Table of Contents
1. Introduction
    1.1 Purpose
    1.2 Authority
    1.3 Scope
    1.4 Background
2. Policy
    2.1 Information Systems Security and Privacy Policy (IS2P2)
    2.2 Chief Information Officer (CIO) Directives
3. Standards
    3.1 Acceptable Risk Safeguards (ARS)
4. HIPAA Integration
5. Roles and Responsibilities
6. Executive Summary
7. Procedures
    7.1 Physical Access Authorizations (PE-2)
    7.2 Physical Access Control (PE-3)
    7.3 Access Control for Transmission Medium (PE-4)
    7.4 Access Control for Output Devices (PE-5)
    7.5 Monitoring Physical Access (PE-6)
    7.6 Visitor Access Records (PE-8)
    7.7 Power Equipment and Cabling (PE-9)
    7.8 Emergency Shutoff (PE-10)
    7.9 Emergency Power (PE-11)
    7.10 Emergency Lighting (PE-12)
    7.11 Fire Protection (PE-13)
    7.12 Temperature and Humidity Controls (PE-14)
    7.13 Water Damage Protection (PE-15)
    7.14 Delivery and Removal (PE-16)
    7.15 Alternate Work Site (PE-17)
    7.16 Location of Information System Components (PE-18)
Appendix A: Acronyms
Appendix B: Glossary of Terms
Appendix C: Applicable Laws and Guidance
Appendix D: Points of Contact
Appendix E: Feedback and Questions


Tables

Table 1: Crosswalk- Mapping Controls to HIPAA Requirements
Table 2: Roles and Responsibilities
Table 3: CMS Defined Parameters- Control PE-2
Table 4: CMS Defined Parameters- Control PE-3
Table 5: CMS Defined Parameters-Control PE-3(1)
Table 6: CMS Defined Parameters- Control PE-4
Table 7: CMS Defined Parameters- Control PE-6
Table 8: CMS Defined Parameters-Control PE-6(4)
Table 9: CMS Defined Parameters- Control PE-8
Table 10: CMS Defined Parameters-Control PE-13(1)
Table 11: CMS Defined Parameters- Control PE-13(2)
Table 12: CMS Defined Parameters-Control PE-15(1)

Figures

Figure 1: Hierarchy of IS2P2, ARS, and RMH


1. Introduction

1.1 Purpose

The Centers for Medicare & Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 11 Physical and Environmental Protection provides the procedures for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS). The following is a diagram that breaks down the hierarchy of the IS2P2, ARS, and RMH:

Figure 1: Hierarchy of IS2P2, ARS, and RMH

This document describes procedures that facilitate the implementation of security controls associated with the Physical and Environmental Protection (PE) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 11 to align with guidance from the National Institute of Standards and Technology (NIST), tailoring that content to the CMS environment.

1.2 Authority

The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency or contractor. The Federal Information Security Modernization Act of 2014 designates NIST with responsibility to develop guidance to federal agencies on information security and privacy requirements for federal information systems.


As an operating division of the Department of Health and Human Services (HHS), CMS must also comply with the HHS IS2P, Privacy Act of 1974 (“Privacy Act”), the Privacy and Security Rules developed pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the E-Government Act of 2002, which relates specifically to electronic authentication requirements. The HHS Office for Civil Rights (OCR) is responsible for enforcement of the HIPAA Security and Privacy Rules. CMS seeks to comply with the requirements of these authorities, and to specify how CMS implements compliance in the CMS IS2P2.

HHS and CMS governance documents establish roles and responsibilities for addressing privacy and security requirements. In compliance with the HHS Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CMS Chief Information Security Officer (CISO) as the CMS authority for implementing the CMS-wide information security program. HHS also designates the CMS Senior Official for Privacy (SOP) as the CMS authority for implementing the CMS-wide privacy program. Through their authority given by HHS, the CIO and SOP delegate authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program.

All CMS stakeholders must comply with and support the policies and the procedures referenced in this handbook to ensure compliance with federal requirements for implementation of information security and privacy controls.

1.3 Scope

This handbook documents procedures that facilitate the implementation of the privacy and security controls defined in the CMS IS2P2 and the CMS ARS. This RMH Chapter provides authoritative guidance on matters related to the Physical and Environmental Protection family of controls for use by CMS employees and contractors that support the development, operations, maintenance, and disposal of CMS information systems. This handbook does not supersede any applicable laws, existing labor management agreements, and/or higher-level agency directives or other governance documents.

1.4 Background

This handbook aligns with the NIST SP 800-53 catalogue of controls, the CMS IS2P2, and the CMS ARS. Each procedure relates to a specific NIST security control family. Additional sections of this document crosswalk requirements to other control families and address specific audit requirements issued by various sources (e.g., OMB, OIG, HHS).

RMH Chapter 11 provides processes and procedures to assist with the consistent implementation of the PE family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the PE family.

CMS’s comprehensive information security and privacy policy framework includes:

• An overarching policy (CMS IS2P2) that provides the foundation for the security and privacy principles and establishes the enforcement of rules that will govern the program and form the basis of the risk management framework

• Standards and guidelines (CMS ARS) that address specific information security and privacy requirements

• Procedures (RMH series) that assist in the implementation of the required security and privacy controls based upon the CMS ARS standards.

FISMA further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a risk-defined frequency. NIST SP 800-53 states under the PE control family that an organization must define, develop, disseminate, review, and update its documentation at least once every three years. This includes a formal, documented system security package that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and formal, documented processes and procedures to facilitate the implementation of the policy and associated controls.

The Risk Assessment process exists within the Risk Management Framework (RMF) which emphasizes:

• Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls

• Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes

• Providing essential information to senior leaders to facilitate decisions regarding the mitigation or acceptance of information-systems-related risk to organizational operations and assets, individuals, external organizations, and the Nation.

The RMF [1] has the following characteristics:

• Promotes the concept of near-real-time risk management and ongoing-information-system authorization through the implementation of robust continuous monitoring processes;

• Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;

• Integrates information security and privacy protections into the enterprise architecture and CMS Defined System Development Life Cycle (CMS-SDLC);

• Provides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of information systems;

• Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and

• Establishes responsibility and accountability for security and privacy controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

[1] https://csrc.nist.gov/publications/detail/sp/800-37/rev-1/final

2. Policy

Policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress, compliance, and direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and information systems.

2.1 Information Systems Security and Privacy Policy (IS2P2)

The CMS IS2P2 [2] defines the framework and policy under which CMS protects and controls access to CMS information and information systems in compliance with HHS policy, federal law, and regulations. This Policy requires all CMS stakeholders to implement adequate information security and privacy safeguards to protect all CMS sensitive information.

The policy contained within the CMS IS2P2 and the procedures contained within this document assist in satisfying the requirements for controls that require CMS to create a policy and associated procedures related to information systems.

[2] https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Information-Systems-Security-and-Privacy-Policy-IS2P2.html?DLPage=1&DLEntries=10&DLFilter=is2&DLSort=0&DLSortDir=ascending

2.2 Chief Information Officer (CIO) Directives

The CMS Chief Information Officer (CIO), the CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) jointly develop and maintain the CMS IS2P2. The CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.

The dynamic nature of information security and privacy disciplines and the constant need for assessing risk across the CMS environment can cause gaps in policy to arise outside of the policy review cycle. The CMS Policy Framework includes the option to issue a CIO Directive [3] to address identified gaps in CMS policy and instruction to provide immediate guidance to CMS stakeholders while a policy is being developed, updated, cleared, and approved.

3. Standards

Standards define both functional and assurance requirements within the CMS security and privacy environment. CMS policy is executed with the requirements prescribed in standards with the objective of enabling consistency across the CMS environment. The CMS environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. These components are responsible for meeting and complying with the security and privacy baseline defined in policy and further prescribed in standards. The parameters and thresholds for policy implementation are built into the CMS standards, and provide a foundation for the procedural guidance provided by the Risk Management Handbook series.

3.1 Acceptable Risk Safeguards (ARS)

The CMS Acceptable Risk Safeguards (ARS) [4] provides guidance to CMS and its contractors as to the minimum acceptable level of required security and privacy controls that must be implemented to protect CMS’s information and information systems, including CMS sensitive information. The initial selection of the appropriate controls is based on control baselines. The initial control baseline is the minimum list of controls required for safeguarding an IT system based on the organizationally identified needs for confidentiality, integrity, and/or availability.

A different baseline exists for each security category (high, moderate, low) as defined by NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. The ARS provides a catalog of low, moderate, and high controls, in addition to non-mandatory controls outside of the FIPS-199 baseline selection. The ARS, based upon the FIPS 200 and NIST SP 800-53, provides guidance on tailoring controls and enhancements for specific types of missions and business functions, technologies, or environments of operation. Users of the ARS may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.

[3] https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Policies.html

[4] https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/ARS-31-Publication.html?DLPage=1&DLEntries=10&DLSort=0&DLSortDir=ascending

4. HIPAA Integration

The HIPAA Security Rule is designed to be flexible, scalable, and technology neutral, which enables it to be adaptive and seamlessly integrated with detailed frameworks such as FISMA. Although both regulations are governed by different federal agencies, the HIPAA Security Rule only applies to covered entities and their business associates as defined within HIPAA. Implementation of the FISMA requirements helps achieve compliance with the HIPAA Security Rule. HIPAA provides guidance to address the provisions required for the security of health-related information, whereas FISMA presents instructions for the security of the information and the information systems that support these activities.

The table below shows a crosswalk mapping of security controls found in this RMH to specific sections and requirements found in HIPAA.

Table 1: Crosswalk- Mapping Controls to HIPAA Requirements

Physical and Environmental Protection (PE) Control | HIPAA Section
PE-2 | §§ 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
PE-3 | §§ 164.306(e), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i)
PE-4 | §§ 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
PE-5 | §§ 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii)
PE-6 | §§ 164.308(a)(1)(i), 164.308(a)(1)(ii)(B), 164.308(a)(1)(ii)(D), 164.308(a)(5)(ii)(B), 164.308(a)(5)(ii)(C), 164.308(a)(6)(ii), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(b), 164.314(b)(2)(i), 164.314(a)(2)(i)(C)
PE-9 | §§ 164.308(a)(1)(ii)(B), 164.308(a)(7)(i), 164.308(a)(7)(ii)(A), 164.308(a)(7)(ii)(E), 164.310(a)(1), 164.310(a)(2)(i), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(b), 164.310(c), 164.310(d)(1), 164.310(d)(2)(iii), 164.312(a)(2)(ii), 164.314(a)(1), 164.314(b)(2)(i)
PE-10 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
PE-11 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(E), 164.310(a)(2)(i), 164.312(a)(2)(ii), 164.314(a)(1), 164.314(b)(2)(i)
PE-12 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
PE-13 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
PE-14 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
PE-15 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)
PE-16 | §§ 164.308(a)(1)(ii)(A), 164.310(a)(2)(ii), 164.310(a)(2)(iii), 164.310(a)(2)(iv), 164.310(d)(1), 164.310(d)(2)
PE-18 | §§ 164.308(a)(7)(i), 164.308(a)(7)(ii)(C), 164.310, 164.316(b)(2)(iii)

5. Roles and Responsibilities

A comprehensive list of information security and privacy roles and responsibilities for CMS stakeholders is contained in the CMS IS2P2. The table below shows the roles from the CMS IS2P2 that are specific to the procedures contained within this RMH chapter.


Table 2: Roles and Responsibilities

Role | Applicable Controls
All Users | PE-5; PE-17
CMS IT Service Desk | PE-17

6. Executive Summary

The controls listed in this chapter focus on how the organization must: ensure that information systems are protected by limiting physical access to information systems, equipment, and the respective operating environments to only authorized individuals; protect the physical plant and support infrastructure for information systems; provide supporting utilities for information systems; protect information systems against environmental hazards; and provide appropriate environmental controls in facilities containing information systems. Procedures in this chapter describe requirements for physical access, access control, records management, emergency protections, and physical locations of systems, with regard to physical and environmental protection.

7. Procedures

Procedures assist in the implementation of the required security and privacy controls. In this section, the Physical and Environmental Protection family of procedures is outlined. To increase traceability, this procedure maps to the associated NIST security controls using the corresponding control number from the CMS IS2P2.

7.1 Physical Access Authorizations (PE-2)

The Physical Access Authorizations control includes employees, contractors, and others with permanent physical access authorization credentials; this control does not apply to visitors or areas within facilities that have been designated as publicly accessible. Access authorization credentials include badges, identification cards, and smart cards. Organizations determine the strength of authorization credentials required consistent with federal standards, policies, and procedures.

Homeland Security Presidential Directive 12 (HSPD-12) [5] is a strategic initiative intended to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 requires development and agency implementation of a mandatory, government-wide standard for secure and reliable forms of identification for federal employees and contractors requiring physical access to federally controlled facilities and logical access to federally controlled information systems.

[5] https://www.dhs.gov/homeland-security-presidential-directive-12


Guidance for systems processing, storing, or transmitting PHI: Under the HIPAA Security Rule, this is an addressable implementation specification. HIPAA covered entities must conduct an analysis as described at 45 C.F.R. § 164.306 (Security standards: General rules) part (d) (Implementation specifications) to determine how it must be applied within the organization. Maintaining a current list of personnel that are authorized to access facilities where sensitive information is located protects the information from unauthorized access. For the purposes of this control, “sensitive information” includes personally identifiable information (PII) and protected health information (PHI).

The table below outlines the CMS defined parameters for PE-2.

Table 3: CMS Defined Parameters- Control PE-2

Control | Control Requirement | CMS Parameter
PE-2 | The organization: c. Reviews the access list detailing authorized facility access by individuals [Assignment: organization-defined frequency]; and | The organization: c. Reviews the access list detailing authorized facility access by individuals every (90 High, 180 Moderate, 365 Low) days; and

CMS develops, approves, and maintains a list of individuals with authorized access to the facility where the information system resides; issues authorization credentials for facility access; reviews the access list detailing authorized facility access by individuals; and removes individuals from the facility access list when access is no longer required.

Federal regulations require that the Physical Access Control System (PACS) utilize the HSPD-12 credential, commonly referred to as the Personal Identity Verification (PIV), to control physical access. PIV credentials at CMS are maintained through the use of PACS. PACS enables an authority to control physical access to areas and resources in a given physical facility. PIV credentials for physical access are valid for no more than 5 years and 9 months, but must be surrendered or cancelled when access is no longer officially required. Currently, there is no requirement for a periodic reinvestigation to maintain a PIV credential. In accordance with Federal Information Processing Standards (FIPS)-201-2 [6] Personal Identity Verification (PIV) of Federal Employees and Contractors, these permissions must be removed from the credential within 18 hours of a change in card holder status, resulting in loss of the access privilege.

For physical access authorization to controlled areas, PACS Central within the Physical Access Management (PAM) system is to be used to submit a request. The request is then routed to the Access Authority of that area for authorization. The Access Authority for each area maintains the list of individuals with authorized access, performing reviews every 90 days.

[6] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf


7.2 Physical Access Control (PE-3)

Physical Access Control applies to organizational employees and visitors without permanent physical access authorization credentials.

Physical access control systems comply with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Identity, credential, and access management (ICAM) comprises the tools, policies and systems that allow an organization to manage, monitor and secure access to protected resources. The Federal ICAM (FICAM) program, managed by General Services Administration (GSA) Office of Information Integrity and Access, provides collaboration opportunities and guidance on IT policy, standards, implementation and architecture, to help federal agencies implement ICAM.

The table below outlines the CMS defined parameters for PE-3.

Table 4: CMS Defined Parameters- Control PE-3

Control: PE-3

Control Requirement:
The organization:
a. Enforces physical access authorizations at [Assignment: organization-defined entry/exit points to the facility where the information system resides] by;
   2. Controlling ingress/egress to the facility using [Selection (one or more): [Assignment: organization-defined physical access control systems/devices]; guards];
b. Maintains physical access audit logs for [Assignment: organization-defined entry/exit points];
c. Provides [Assignment: organization-defined security safeguards] to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity [Assignment: organization-defined circumstances requiring visitor escorts and monitoring];
f. Inventories [Assignment: organization-defined physical access devices] every [Assignment: organization-defined frequency]; and
g. Changes combinations and keys [Assignment: organization-defined frequency] and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

CMS Parameter:
The organization:
a. Enforces physical access authorizations at defined entry/exit points to the facility (defined in the applicable security plan) where the information system resides by;
   2. Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices (defined in the applicable security plan).
b. Maintains physical access audit logs for defined entry/exit points (defined in the applicable security plan);
c. Provides defined security safeguards (defined in the applicable security plan) to control access to areas within the facility officially designated as publicly accessible;
d. Escorts visitors and monitors visitor activity in defined circumstances requiring visitor escorts and monitoring (defined in the applicable security plan);
f. Inventories defined physical access devices (defined in the applicable security plan) no less often than every (90 High, 90 Moderate, or 180 Low) days; and
g. Changes combinations and keys for defined high-risk entry/exit points (defined in the applicable security plan) within every 365 days, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated.

CMS enforces physical access control by promoting a secure location, protected with appropriate security structures and entry controls. Physical access points can include facility access points, interior access points to information systems and/or components requiring supplemental access controls, or both. Safeguards include:

• Verifying individual access authorizations before granting access to the facility;

• Controlling ingress/egress to the facility using guards and/or defined physical access control systems/devices; and

• Maintaining physical access audit logs for defined entry/exit points.

Components of organizational information systems (e.g., workstations, terminals) may be located in areas designated as publicly accessible with organizations safeguarding access to such devices. Safeguards include:

• Providing defined security safeguards to control access to areas within the facility officially designated as publicly accessible; and

• Escorting visitors and monitoring visitor activity in defined circumstances requiring visitor escorts and monitoring. A CMS employee or authorized contractor (i.e., contractor with escort privileges) who is in possession of a valid, CMS issued badge assumes responsibility for a visitor to CMS facilities. Note: All foreign national visits require prior approval and will be assigned a “host” who will be responsible for ensuring that the visit is in full compliance with applicable policies and procedures.

Physical access control devices can include keys, locks, combinations, and card readers. Safeguards include:

• Securing keys, combinations, and other physical access devices; changing combinations and keys for defined high-risk entry/exit points as required, and/or when keys are lost, combinations are compromised, or individuals are transferred or terminated; and

• Maintaining inventory of defined physical access devices, as required.

7.2.1 Information System Access (PE-3(1))

Physical access authorizations are enforced, in addition to physical access controls, for those secure areas within facilities where there is a concentration of information system components (e.g., server rooms, media storage areas, data and communication centers).

The table below outlines the CMS defined parameters for PE-3(1).


Table 5: CMS Defined Parameters-Control PE-3(1)

Control: PE-3(1)

Control Requirement: The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at [Assignment: organization-defined physical spaces containing one or more components of the information system].

CMS Parameter: The organization enforces physical access authorizations to the information system in addition to the physical access controls for the facility at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).

CMS enforces physical access authorizations at physical spaces that contain information system components to provide an adequate level of security to protect CMS data and information systems from unauthorized access. Physical access authorizations include:

• Controlling access by the use of door and window locks and security personnel or physical authentication devices, such as biometrics and/or smart card/PIN combination; and

• Storing and operating information system components in physically secure environments with access limited to authorized personnel.

At CMS, personnel are required to obtain an upgraded background investigation and approval by Department of Public Safety (DPS) for authorization.

7.3 Access Control for Transmission Medium (PE-4)

Transmission medium is the means through which data is sent from one place to another, using cables or electromagnetic signals to transmit data. Physical security safeguards applied to information system distribution and transmission lines help to prevent accidental damage, disruption, and physical tampering. These applied safeguards also help to prevent eavesdropping or in-transit unauthorized modification of unencrypted transmissions.

The table below outlines the CMS defined parameters for PE-4.

Table 6: CMS Defined Parameters- Control PE-4

Control: PE-4

Control Requirement: The organization controls physical access to [Assignment: organization-defined information system distribution and transmission lines] within organizational facilities using [Assignment: organization-defined security safeguards].

CMS Parameter: The organization controls physical access to telephone closets and information system distribution and transmission lines within organizational facilities using defined security safeguards (defined in the applicable security plan).

CMS implements security safeguards to control physical access to information system distribution and transmission lines. Safeguards include:


• Storing information system distribution and transmission lines in authorized access areas. Access is limited to authorized personnel to prevent theft, vandalism and undocumented changes. Contact-based card readers, PINs, and/or security guards control physical access.

• Encasing transmission lines by metal conduit, which is capable of shielding sensitive circuits from electromagnetic interference, in an effort to prevent accidental damage, eavesdropping and disruption.

• Disabling unused physical ports is a method used to help secure the network from unauthorized access.

7.4 Access Control for Output Devices (PE-5)

Controlling physical access by placing output devices in secured areas, allowing access to authorized individuals, and placing output devices in monitored locations prevents unauthorized individuals from obtaining the output. Printers, copiers, scanners and monitors are examples of information system output devices.

Printers:

CMS provides personal printers to support individual users and network printers that are accessible by network connection. Each CMS employee, with an assigned office or cubicle, is issued a personal printer for use. This printer can only be used when the laptop is in the computer docking station. Network printers are shared output devices used amongst CMS employees and Contractors that have CMS issued laptops. Safeguards include:

• Setting up devices to automatically print cover pages, also known as separator pages, with each print job. These cover pages contain useful information, such as the 4-character CMS user identification (ID), which can be used to identify the originator of the print job.

• Configuring devices to ensure data is not saved or stored within the device once the print job is cleared out of the print queue.

Print at home capabilities are available for CMS employees who have a need to print documents while at an Alternative Duty Station (ADS). Completion and submission of the Print at Home Agreement [7] allows the employee to connect his or her personally owned Universal Serial Bus (USB) printer (parallel cables and wireless printers are not supported) to the CMS issued laptop, install the printer drivers, and print documents. By signing this agreement, CMS employees attest that they will:

• Ensure that CMS information is protected from unauthorized access, use, disclosure, duplication, modification, diversion, or destruction, whether accidental or intentional, in order to maintain confidentiality, integrity, and availability;

• Implement proper physical security measures to be used to secure hardcopy documents, containing confidential, sensitive or proprietary information used by CMS to fulfill its mission;

• Maintain all information and/or media containing confidential data such as paper and files in a secure location or locked cabinet when not in use. CMS documents containing protected health information (PHI), personally identifiable information (PII) or other sensitive data may not be printed using your home printer; and

• Securely store any documents printed at home and return documents to CMS for proper disposition (e.g., filing, shredding). (RMH Chapter 10: Media Protection [8] provides additional information on media sanitization.)

[7] https://cmsintranet.share.cms.gov/CT/_layouts/15/WopiFrame2.aspx?sourcedoc=/CT/Documents/Print-at-Home-Agreement.docx&action=default&DefaultItemOpen=1

Copier/Scanner devices:

Located in designated rooms throughout CMS, copier/scanner devices allow a full range of capabilities necessary to manage internal documents. Safeguards include:

• Requiring the use of PIV Credentials for copying and scan-to-email capabilities. Device-based login is an effective way to control who can access and use the device and to manage and limit user access according to job responsibilities.

• Configuring devices to ensure data is not saved or stored within the device beyond the completion of the copier/scanner action.

Monitors:

CMS complies with the Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB) [9], which includes the general security practice of locking workstations and removing PIV cards from laptops when leaving them unattended. All new users of HHS information resources must read the HHS RoB and sign the accompanying acknowledgement form before accessing data or other information, systems, and/or networks. This acknowledgement, affirming their knowledge of and agreement to the HHS RoB, must be completed annually thereafter.

CMS users are offered two primary methods to lock the laptop:

• Use the Ctrl + Alt + Delete command and select “Lock”; or

• Use the “Lock Computer” shortcut. This shortcut is installed on the Desktop of CMS issued laptops.

CMS issued laptops are configured to automatically lock after 20 minutes of inactivity; in screen lock settings, this “Wait” time cannot be changed by the user.

[8] https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/RMH-Chapter-10-Media-Protection.pdf
[9] https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-information-resources/index.html

7.5 Monitoring Physical Access (PE-6)

Physical access monitoring includes investigations of and responses to detected physical security incidents. Physical security incidents include security violations or suspicious physical access activities such as accesses outside of normal work hours, repeated accesses to areas not normally accessed, accesses for unusual lengths of time, and out-of-sequence accesses.

The table below outlines the CMS defined parameters for PE-6.

Table 7: CMS Defined Parameters- Control PE-6

Control: PE-6

Control Requirement: The organization: b. Reviews physical access logs [Assignment: organization-defined frequency] and upon occurrence of [Assignment: organization-defined events or potential indications of events]; and

CMS Parameter: The organization: b. Reviews physical access logs weekly and upon occurrence of security incidents or indications of potential events involving physical security; and

CMS monitors physical access to the facility where the information system resides to detect and respond to physical security incidents. Security staff provides real-time monitoring, 24 hours per day, 7 days a week, and 365 days a year, for potential security breaches or disturbances. Response plans that outline the method for responding are used for identified physical security incidents.
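As an added illustration (not part of the CMS handbook or of any CMS system), the Python sketch below runs the four suspicious-activity categories named in this section over a constructed badge log, the kind of pass a weekly log review could automate. The log format, work hours, dwell limit, repeat threshold, and per-holder baseline are assumptions, and "out-of-sequence" is interpreted here as an entry or exit without its matching counterpart.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; real values would come from the applicable security plan.
WORK_START, WORK_END = 6, 20          # normal work hours, 06:00 to 19:59
MAX_DWELL = timedelta(hours=4)        # longest expected stay in one area
REPEAT_THRESHOLD = 3                  # entries to an unusual area before flagging
USUAL_AREAS = {                       # assumed per-holder baseline
    "A001": {"Lobby", "Office-2"},
    "B002": {"Lobby", "ServerRoom"},
}

# Constructed sample log: timestamp, holder, area, direction.
SAMPLE_LOG = """
2019-10-07T08:01:00 A001 Lobby IN
2019-10-07T08:02:00 A001 Lobby OUT
2019-10-07T09:00:00 B002 ServerRoom IN
2019-10-07T10:00:00 A001 ServerRoom IN
2019-10-07T10:05:00 A001 ServerRoom OUT
2019-10-07T11:00:00 A001 ServerRoom IN
2019-10-07T11:05:00 A001 ServerRoom OUT
2019-10-07T13:00:00 A001 ServerRoom IN
2019-10-07T13:05:00 A001 ServerRoom OUT
2019-10-07T15:30:00 B002 ServerRoom OUT
2019-10-07T16:00:00 C003 MediaStorage OUT
2019-10-08T02:14:00 B002 ServerRoom IN
2019-10-08T02:40:00 B002 ServerRoom OUT
"""


def parse(log):
    """Parse whitespace-separated log lines into time-ordered event tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, holder, area, direction = line.split()
        events.append((datetime.fromisoformat(ts), holder, area, direction))
    return sorted(events)


def detect(events):
    """Return (rule, holder, area, timestamp) for each suspicious access."""
    findings = []
    inside = {}                      # (holder, area) -> time of unmatched entry
    unusual = defaultdict(int)       # (holder, area) -> entries outside baseline
    for ts, holder, area, direction in events:
        key = (holder, area)
        stamp = ts.isoformat()
        if direction == "IN":
            if not WORK_START <= ts.hour < WORK_END:
                findings.append(("OUTSIDE_HOURS", holder, area, stamp))
            if area not in USUAL_AREAS.get(holder, set()):
                unusual[key] += 1
                if unusual[key] == REPEAT_THRESHOLD:
                    findings.append(("REPEATED_UNUSUAL_AREA", holder, area, stamp))
            if key in inside:        # second entry with no exit in between
                findings.append(("OUT_OF_SEQUENCE", holder, area, stamp))
            inside[key] = ts
        else:
            entered = inside.pop(key, None)
            if entered is None:      # exit with no recorded entry
                findings.append(("OUT_OF_SEQUENCE", holder, area, stamp))
            elif ts - entered > MAX_DWELL:
                findings.append(("LONG_DWELL", holder, area, stamp))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(*finding)
```
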

Information retained within CMS’s electronic security system is intended for security purposes only. There are instances when the information collected within these security systems could prove valuable in both criminal and administrative proceedings. Due to the sensitive nature of the information retained, it cannot be released to anyone without regard to the privacy of the individuals contained within.

CMS applies the following rules for the release of security information:

• Criminal Evidence: Information that may be used as evidence in criminal proceedings will only be released upon the request of a duly authorized law enforcement entity. This information includes video of a traffic accident in a parking lot, record of entry into a controlled access location, and video of an altercation.

• Administrative Evidence: Requests for information that may be used as evidence in administrative proceedings will only be considered from managers, as it applies to a member of their organization, or a member of the Division of Workforce Compliance. A member of the security team or individual entrusted with the retention of security information will review the system to meet the specific request. Only the specifically requested information will be provided. For example, if management wanted to determine if a specific employee reported to work over a particular weekend, the security official could review logs from the weekend and inform the manager that the employee did or did not sign in over the weekend and if so, what times. The security official is not to release all of the logs to the manager for the manager’s own review.


7.5.1 Intrusion Alarms/Surveillance Equipment (PE-6 (1))

Intrusion alarms and surveillance equipment work in tandem with physical access controls to alert security personnel when unauthorized access is attempted. Monitoring of this equipment is useful for incident verification.

CMS’s intrusion alarms and surveillance equipment are linked to the PAM system. CMS’s video surveillance systems maintain a 14 day recorded video capability.

7.5.2 Monitoring Physical Access to Information Systems (PE-6 (4))

Physical spaces within facilities that contain one or more information system components (e.g., server rooms, media storage areas, data centers, communications centers) require additional physical access monitoring.

The table below outlines the CMS defined parameters for PE-6(4).

Table 8: CMS Defined Parameters-Control PE-6(4)

Control: PE-6(4)

Control Requirement: The organization monitors physical access to the information system in addition to the physical access monitoring of the facility as [Assignment: organization-defined physical spaces containing one or more components of the information system].

CMS Parameter: The organization monitors physical access to the information system, in addition to the physical access monitoring of the facility, at defined physical spaces (defined in the applicable security plan) containing a concentration of information system components (e.g., server rooms, media storage areas, data and communications centers, etc.).

CMS provides monitoring to defined physical spaces by the use of additional access card readers restricting access to only authorized personnel. Further measures can include the use of mantraps, which are a physical access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens.

7.6 Visitor Access Records (PE-8)

Visitor access records include the recording and collection of visitor data, either manually or through electronic visitor management systems, or both. Visitor access records are not required for publicly accessible areas.

The table below outlines the CMS defined parameters for PE-8.

Table 9: CMS Defined Parameters- Control PE-8

Control: PE-8

Control Requirement:
The organization:
a. Maintains visitor access records to the facility where the information system resides for [Assignment: organization-defined time period]; and
b. Reviews visitor access records [Assignment: organization-defined frequency].

CMS Parameter:
The organization:
a. Maintains visitor access records to the facility where the information system resides for two (2) years; and
b. Reviews visitor access records no less often than monthly.

CMS adheres to the retention schedule found in National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6: Security Records [10] for maintaining visitor access records at the facility for 2 years. In addition, visitor access records are reviewed every 30 days.

Visitor access records consist of the following data:

• Name and organization of the person visiting;
• Visitor’s signature;
• Form of identification/Valid U.S. Government issued photo identification;
• Date of access;
• Time of entry and departure;
• Purpose of visit; and
• Name and organization of person visited.

7.6.1 Automated Records Maintenance/Review (PE-8 (1))

Maintenance and review of visitor access records are enabled by automated mechanisms that aid in the capture and management of records.

CMS uses PAM, which contains multiple modules to perform security tasks, including visitor management.

7.7 Power Equipment and Cabling (PE-9)

Organizations are responsible for determining the types of protection that are needed to protect power equipment and power cabling from damage and destruction. This protection occurs at different locations (both internal and external to organizational facilities) and environments of operation. Examples of power equipment and cabling include generators and power cabling outside of facilities, internal cabling and uninterruptible power sources within offices or data centers, and power sources for self-contained entities such as vehicles and satellites.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [11], as amended.

[10] https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf
[11] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview


Infrastructure assets are protected by restricting access and by the use of environmental detection devices. CMS permits only authorized personnel to access infrastructure assets, including power generators, heating, ventilation, and air conditioning (HVAC) systems, cabling, and wiring closets.

7.8 Emergency Shutoff (PE-10)

Emergency shutoff switches or devices provide the capability of shutting off power to the information system or individual system components in emergency situations. Placing these shutoff switches or devices in a location that will allow for personnel to approach the shutoff switch(es) safely permits easy access in emergency situations without risk to the individual and protects the emergency power shutoff capability from unauthorized or inadvertent activation.

The table below outlines the CMS defined parameters for PE-10.

Table 10: CMS Defined Parameters- Control PE-10

Control: PE-10

Control Requirement: The organization: b. Places emergency shutoff switches or devices in [Assignment: organization-defined location by information system or system component] to facilitate safe and easy access for personnel;

CMS Parameter: The organization: b. Places emergency shutoff switches or devices in a location that does not require personnel to approach the equipment to facilitate safe and easy access for personnel;

CMS implements and maintains emergency shutoff switches or emergency power off (EPO) buttons as a safety mechanism that can be used to shut power off from the information system or from individual system components in an emergency. These clearly marked shutoff devices are installed at the exit doors.

7.9 Emergency Power (PE-11)

Emergency power, using a short-term, uninterruptible power supply (UPS) permits an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power supply in the event of a primary power source loss.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [12], as amended.

The table below outlines the CMS defined parameters for PE-11.

Table 11: CMS Defined Parameters- Control PE-11

Control: PE-11

Control Requirement: The organization provides a short-term uninterruptible power supply to facilitate [Selection (one or more): an orderly shutdown of the information system; transition of the information system to long-term alternate power] in the event of a primary power source loss.

CMS Parameter: The organization provides a short-term uninterruptible power supply to facilitate an orderly shutdown of the information system and/or transition of the information system to a long-term alternate power source in the event of a primary power source loss.

[12] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview

CMS provides a short-term UPS that provides emergency power when the input power source or main power fails. The UPS provides near-instantaneous protection from input power interruptions, by supplying energy stored in batteries.

CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight and features include real-time monitoring and event management.

7.9.1 Long-Term Alternate Power Supply - Minimal Operational Capability (PE-11 (1))

Long-term alternate power supply for the information system provides the capability of maintaining minimally required operational capability in the event of an extended loss of the primary power source.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [13], as amended.

CMS has on-site, diesel-powered generators that are capable of providing a long-term alternate power supply. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

7.10 Emergency Lighting (PE-12)

Automatic emergency lighting that activates and covers emergency exits and evacuation routes is crucial to ensure adequate illumination in the event of a power outage or disruption.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [14], as amended.

CMS employs and maintains emergency lighting, that activates in the event of a power outage or disruption, and that covers emergency exits and evacuation routes within the facility. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

[13] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview
[14] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview


7.11 Fire Protection (PE-13)

Fire protection includes devices and systems that are effective in detecting, extinguishing, or controlling a fire event. Preventing fires or limiting damage can ensure work operations continue without interruption.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [15], as amended.

CMS’s fire protection devices and systems, supported by independent energy sources, work to detect, notify and compartmentalize or suppress the unwanted effects of potentially destructive fires. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

7.11.1 Detection Devices/Systems (PE-13(1))

Detection devices/systems automatically activate to notify personnel and emergency responders in the event of a fire.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [16], as amended.

The table below outlines the CMS defined parameters for PE-13(1).

Table 10: CMS Defined Parameters-Control PE-13(1)

Control: PE-13(1)

Control Requirement: The organization employs fire detection devices/systems for the information system that activate automatically and notify [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders] in the event of a fire.

CMS Parameter: The organization employs fire detection devices/systems for the information system that activate automatically and notify defined personnel or roles (defined in the applicable security plan) and defined emergency responders (defined in the applicable security or safety plan) in the event of a fire.

CMS’s detection system is comprised of a networked series of fire alarm panels, annunciator panels, addressable audible and visual alarms and initiating devices including smoke detectors, heat detectors, and pull stations.

[15] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview
[16] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview


7.11.2 Suppression Devices/Systems (PE-13(2))

Fire suppression devices/systems provide automatic activation notification to specific personnel, roles, and emergency responders.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [17], as amended.

The table below outlines the CMS defined parameters for PE-13(2).

Table 11: CMS Defined Parameters- Control PE-13(2)

Control: PE-13(2)

Control Requirement: The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to [Assignment: organization-defined personnel or roles] and [Assignment: organization-defined emergency responders].

CMS Parameter: The organization employs fire suppression devices/systems for the information system that provide automatic notification of any activation to defined personnel (or roles) and defined emergency responders (defined in the applicable security or safety plan).

CMS employs a monitored fire alarm system that notifies critical parties (e.g., CMS’s Network Command Center (NCC), designated personnel, emergency services/local fire department) as soon as detection devices or systems have been activated.

7.11.3 Automatic Fire Suppression (PE-13(3))

Automatic fire suppression systems have the capability to control and extinguish fires without human intervention.

Options for automatic suppression systems include:

• Aqueous systems (e.g., wet-pipe sprinkler system); and
• Gaseous systems (e.g., clean agent system)

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [18], as amended.

Wet-pipe sprinkler systems are installed at CMS facilities. The sprinkler system is heat-activated and responds with water suppression only in the area(s) where heat is detected.

[17] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview

[18] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview

7.12 Temperature and Humidity Controls (PE-14)

Environmental conditions can pose a threat to the hardware of the network. Maintaining recommended temperature and humidity levels in the data center can reduce unplanned downtime caused by environmental conditions.

Maintaining and monitoring levels of temperature and humidity where the information system resources (e.g., data centers, server rooms) reside is critical to system reliability. High temperatures can cause equipment to overheat and malfunction. If the relative humidity is too high, water condensation can occur, which results in hardware corrosion and early system and component failure. If the relative humidity is too low, computer equipment becomes susceptible to electrostatic discharge (ESD), which can damage sensitive components.

The table below outlines the CMS defined parameters for PE-14.

Table 14: CMS Defined Parameters- Control PE-14

Control: PE-14

Control Requirement: The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides at [Assignment: organization-defined acceptable levels]; and
b. Monitors temperature and humidity levels [Assignment: organization-defined frequency].

CMS Parameter: The organization:
a. Maintains temperature and humidity levels within the facility where the information system resides within acceptable vendor-specified levels;
b. Monitors temperature and humidity levels within the defined frequency (defined in the applicable security plan).

Temperature and humidity levels are maintained within the vendor-specified levels for optimal system reliability. Zone temperature sensors and humidity sensors are used for continuous monitoring.

CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight; features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

7.13 Water Damage Protection (PE-15)

Shut-off valves help prevent water damage by closing off the water supply. Master shut-off or isolation valves can be used to protect the information system resources from damage resulting from water leakage. Isolation valves are used to shut off water supplies at a specific location, usually for maintenance or safety purposes, and can be employed in addition to or in lieu of master shut-off valves.

CMS facilities adhere to the mandatory standards outlined in GSA’s Facilities Standards for the Public Buildings Service (P100) [19], as amended.

CMS protects the information system resources from water damage resulting from broken plumbing lines or other sources of water leakage by providing master shut-off valves or isolation valves that are accessible, functional, and known to key personnel. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

7.13.1 Automation Support (PE-15(1))

Automated mechanisms (e.g., water detection sensors, alarms and notification systems) are used to detect and provide an alert to the presence of water near the information system.

The table below outlines the CMS defined parameters for PE-15(1).

Table 12: CMS Defined Parameters-Control PE-15(1)

Control: PE-15(1)

Control Requirement: The organization employs automated mechanisms to detect the presence of water in the vicinity of the information system and alerts [Assignment: organization-defined personnel or roles].

CMS Parameter: The organization employs automated mechanisms to detect the presence of water near the information system and alerts defined personnel or roles (defined in the applicable security plan).

CMS uses water detection sensors to detect water from environmental events (e.g., floods), as well as from equipment failure, leaks and broken pipes.

CMS uses a web-based data center monitoring system that allows monitoring of critical support equipment. This provides centralized oversight; features include real-time monitoring and event management. CMS uses asset management software to plan, manage and track the required maintenance activities of the equipment.

7.14 Delivery and Removal (PE-16)

Effectively enforcing authorizations for entry and exit of information system components may require restricting access to delivery areas and possibly isolating the areas from the information system and media libraries.

The table below outlines the CMS defined parameters for PE-16.

Table 17: CMS Defined Parameters- Control PE-16

Control: PE-16

Control Requirement: The organization authorizes, monitors, and controls [Assignment: organization-defined types of information system components] entering and exiting the facility and maintains records of those items.

CMS Parameter: The organization authorizes, monitors, and controls the flow of all information system-related components entering and exiting the facility and maintains records of those items.

[19] https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview

CMS authorizes, monitors and controls the flow of information system-related components entering and exiting the facility through the use of procedures which include controlled access to the facility, secure storage and the maintenance of entry/exit records.

7.15 Alternate Work Site (PE-17)

Alternate work sites may provide readily available alternate locations as part of contingency operations. Organizations may define different sets of security controls for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. This control supports the contingency planning activities of organizations and the federal telework initiative.

There is a direct relationship between an agency’s Continuity of Operations (COOP) plan and telework. Both programs, telework and COOP, share a basic objective: to perform and maintain agency functions from an alternative location. Telework can help ensure that essential Federal functions continue through hazardous weather, pandemic, physical attacks, or any other event that would result in the closure of Government facilities.

The Telework Enhancement Act of 2010 [20] provides a framework for agencies to better leverage technology and to maximize the use of flexible work arrangements, including those involving emergency situations.

The table below outlines the CMS defined parameters for PE-17.

Table 18: CMS Defined Parameters- Control PE-17

Control: PE-17

Control Requirement: The organization:
a. Employs [Assignment: organization-defined security controls] at alternate work sites;

CMS Parameter: The organization:
a. Employs appropriate security controls at alternate work sites to include, but not to be limited to, requiring the use of laptop cable locks, recording serial numbers and other identification information about laptops, and disconnecting modems at alternate work sites;

The CMS telework program is a valuable tool to meet mission objectives. CMS’s policy that governs telework is located in the Master Labor Agreement (MLA) [21], Article 29: Telecommuting Programs.

[20] https://www.govinfo.gov/content/pkg/BILLS-111hr1722enr/pdf/BILLS-111hr1722enr.pdf

[21] https://cmsintranet.share.cms.gov/ER/Documents/2017Master-Labor-Agreement.pdf

Participation in the CMS telework program is voluntary. A completed telework agreement between the employee and CMS is required for participation. Employees with a valid telework agreement may be required by CMS to telecommute at an approved ADS in the instances of: a full day building closure; an early building closure for non-weather related reasons; or a delayed opening (e.g., inclement weather or in other emergencies). CMS may also require telework employees to work at an ADS when a COOP is in effect.

Per the Office of Personnel Management (OPM) [22], there is no Federal statute or regulation that specifically prohibits Federal contractors from teleworking. The decision to allow a contractor to telework would be made by the contractor’s supervisor and/or in conjunction with CMS.

CMS employs appropriate security controls at alternate work sites. Security controls include technology-enforced protection such as Virtual Private Network (VPN) technology, multi-factor authentication, anti-virus software, and encryption. In addition, procedures, including the HHS RoB [23], which applies to remote use of HHS information (in both electronic and physical forms) and information systems, rely on users to follow rules or perform certain steps that are not necessarily enforced by technical means.

For security incidents, contact the CMS IT Service Desk by calling (410) 786-2580 or (800) 562-1963; or by sending an email to [email protected] to open a ticket.

7.16 Location of Information System Components (PE-18)

Positioning the information system components within the facility is critical to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access.

The location of physical entry points should be considered where unauthorized individuals, while not being granted access, might be in close proximity to information systems. This increases the potential for unauthorized access to organizational communications (e.g., through the use of wireless sniffers or microphones).

The table below outlines the CMS defined parameters for PE-18.

Table 19: CMS Defined Parameters- Control PE-18

Control: PE-18

Control Requirement: The organization positions information system components within the facility to minimize potential damage from [Assignment: organization-defined physical and environmental hazards] and to minimize the opportunity for unauthorized access.

CMS Parameter: The organization positions information system components within the facility to minimize potential damage from physical and environmental hazards, and to minimize the opportunity for unauthorized access.

[22] https://www.opm.gov/faq/telework/Can-Federal-contractors-telework.ashx

[23] https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs-information-resources/index.html

CMS positions the information system components to minimize potential damage from physical and environmental hazards and to minimize the opportunity for unauthorized access. Considerations when positioning information system components include:

• Security: layered security consists of access card readers, mantraps, video surveillance and/or security staff

• Fire protection: fire protection systems, as well as implementation of fire prevention programs in operations

• Electrical power: proven and reliable power grid with backup power that consists of one or more UPS, in addition to battery banks and generators.

• Geographic location: probability and frequency of natural disasters, extreme weather, and seismic activity at a specific location.

• Structural design: techniques that can be used to make the actual data center resistant to physical attacks (e.g., reinforced with steel and concrete)

In addition, the raised floor space, air conditioning support, UPS, generators, and related support equipment must be coordinated with the other areas of the facility and properly positioned within the facility’s perimeter in order to improve their interaction.

Appendix A: Acronyms

Selected acronyms used in this document are defined below.

Acronyms Terms

ARS Acceptable Risk Safeguards

CMS Centers for Medicare & Medicaid Services

CMS IS2P2 CMS Information Systems Security and Privacy Policy

FISMA 2014 Federal Information Security Modernization Act of 2014

HHS Health and Human Services

HIPAA Health Insurance Portability and Accountability Act of 1996

NIST National Institute of Standards and Technology

OMB Office of Management and Budget

ODP Organizational Defined Parameters

PHI Protected Health Information

PII Personally Identifiable Information

PIV Personal Identity Verification

POC Point of Contact

RMH Risk Management Handbook

SDLC System Development Life Cycle

SOP Senior Official for Privacy

SP Special Publication

URL Universal Resource Locator

USB Universal Serial Bus

US-CERT United States Computer Emergency Readiness Team

USGCB U.S. Government Configuration Baselines

VPN Virtual Private Network

Appendix B: Glossary of Terms

Selected terms found in this document are defined below.

Terms Definitions

Acceptable Risk Safeguards

CMS Information Security Acceptable Risk Safeguards (ARS), CMS Minimum Security Requirements (CMSR)

Centers for Medicare & Medicaid Services

CMS covers 100 million people through Medicare, Medicaid, the Children's Health Insurance Program, and the Health Insurance Marketplace.

Information Systems Security and Privacy Policy

This Policy provides direction to all CMS employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and systems. As the federal agency responsible for administering the Medicare, Medicaid, Children’s Health Insurance Program (CHIP), and Health Insurance Marketplace (HIM); CMS collects, creates, uses, discloses, maintains, and stores personal, healthcare, and other sensitive information subject to federal law, regulation, and guidance.

Protected Health Information

Individually identifiable health information that is:

• Transmitted by electronic media,
• Maintained in electronic media, or
• Transmitted or maintained in any other form or medium.

Note: PHI excludes individually identifiable health information in employment records held by a covered HIPAA entity in its role as employer.

Personally Identifiable Information

Information which can be used to distinguish or trace an individual’s identity, such as the name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

Risk Management Handbook

The Risk Management Handbook (RMH) compiles CMS standards, requirements, directives, practices, and procedures for protecting CMS information and information systems.

Rules of Behavior

Guidelines describing permitted actions by users and the responsibilities when utilizing a computer system.

The rules that have been established and implemented concerning use of, security in and acceptable level of risk for the system. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the system.

Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of federal government equipment, the assignment and limitation of system privileges, and individual accountability.

Appendix C: Applicable Laws and Guidance

The Applicable Laws and Guidance appendix provides references to both authoritative and guidance documentation supporting the “document.” Subsections are organized to “level of authority” (e.g., Statutes take precedence over Federal Directives and Policies).

C.1 Statutes

1 Health Insurance Portability and Accountability Act of 1996 (HIPAA) http://www.hhs.gov/hipaa

C.2 Federal Directives and Policies

1 FedRAMP Rev. 4 Baseline https://www.fedramp.gov/files/2015/03/FedRAMP-Control-Quick-Guide-Rev4-FINAL-01052015.pdf

2 Homeland Security Presidential Directive 12 https://www.dhs.gov/homeland-security-presidential-directive-12

3 U.S. General Services Administration: Facilities Standards for Public Buildings Service (P100) https://www.gsa.gov/real-estate/design-construction/engineering-and-architecture/facilities-standards-p100-overview

4 National Archives and Records Administration (NARA) schedule GRS 5.6: Security Records https://www.archives.gov/files/records-mgmt/grs/grs05-6.pdf

C.3 OMB Policy and Memoranda

1 OMB Circular A-130, Management of Federal Information Resources https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130trans4.pdf

2 OMB Memo: M-11-27, Implementing the Telework Enhancement Act of 2010: Security Guidelines https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2011/m11-27.pdf

C.4 NIST Guidance and Federal Information Processing Standards

1 FIPS-201-2 Personal Identity Verification (PIV) of Federal Employees and Contractors https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.201-2.pdf

2 FIPS-200 Minimum Security Requirements for Federal Information and Information Systems https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.200.pdf

3 NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

4 NIST SP 800-116, Guidelines for the Use of PIV Credentials in Facility Access https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-116r1.pdf

5 NIST SP 800-46, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf

6 NIST SP 800-73, Interfaces for Personal Identity Verification – Part 1: PIV Card Application Namespace, Data Model and Representation https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf

7 NIST SP 800-76, Biometric Specifications for Personal Identity Verification https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf

8 NIST SP 800-78, Cryptographic Algorithms and Key Sizes for Personal Identity Verification https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-78-4.pdf

C.5 HHS Policy

1 HHS-OCIO-2014-0001 HHS Information System Security and Privacy Policy (HHS IS2P)– 2014 Edition.

To obtain a copy of this document, email [email protected]

2 Rules of Behavior for Use of Health and Human Services Information Resources (HHS RoB) https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/IS2P2.pdf

C.6 CMS Policy and Directives

1 CMS Information Systems Security and Privacy Policy (IS2P2) https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Downloads/IS2P2.pdf

C.7 Associated CMS Resources

1 Master Labor Agreement https://cmsintranet.share.cms.gov/ER/Documents/2017Master-Labor-Agreement.pdf

2 Physical Security Handbook https://cmsintranet.share.cms.gov/WR/Documents/CMS-PhysicalSecurityProgramHandbook.pdf#search=physical%20security%20handbook

3 Acceptable Risk Safeguards (ARS) 3.1 https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/ARS-31-Publication.html?DLPage=1&DLEntries=10&DLFilter=ars%203.1&DLSort=0&DLSortDir=ascending

Appendix D: Points of Contact

CMS IT Service Desk

Name: CMS IT Service Desk
Email: [email protected]
Phone: 410-786-2580; 800-562-1963

CMS Telework Program

Name: CMS Telework Program
Email: [email protected]
Phone: NA

CMS Building Operations- Emergency Service

Name: CMS Building Operations- Emergency Service, Baltimore/Woodlawn area
Email: NA
Phone: Normal working hours: Customer Service Desk: 410-786-2165; After hours: Security Control Center: 410-786-2929

Name: CMS Building Operations- Emergency Service, Washington, D.C.
Email: NA
Phone: Normal working hours: Customer Service Desk: 202-619-0100; After hours: CMS Guards: 202-472-1111

Appendix E: Feedback and Questions

Information security is a dynamic field and, as such, policies, standards, and procedures must be continually refined and updated. Feedback from the user community is invaluable and ensures accurate documentation. For any recommendations for improvements to this document or any questions about the material included within, please email the CISO mailbox at [email protected]. Your feedback will be evaluated for incorporation into future releases of the document.