Risk Management Handbook (RMH) Chapter 2: Awareness and Training


Centers for Medicare & Medicaid Services
Information Security and Privacy Group

Risk Management Handbook (RMH) Chapter 2: Awareness and Training

Final
Version 1.0
February 15, 2019

Risk Management Handbook (RMH) Chapter 2: Awareness and Training

Record of Changes

The “Record of Changes” table below captures changes when updating the document. All columns are mandatory.

Version Number | Date      | Chapter Section | Author/Owner Name | Description of Change
1.0            | 2/15/2019 | All             | ISPG              | Final Publication

Effective Date/Approval

This Procedure becomes effective on the date that CMS’ Deputy Chief Information Security Officer signs it and remains in effect until it is rescinded, modified or superseded.

Signature: Kevin A. Dorsey -S (Digitally signed by Kevin A. Dorsey -S; Date: 2019.02.27 11:34:50 -05'00')
Kevin Allen Dorsey, CMS Deputy Chief Information Security Officer (DCISO)

Date of Issuance: February 21, 2019

Table of Contents

Record of Changes ........................................................ ii
Effective Date/Approval .................................................. iii
Table of Contents ........................................................ iv
1. Introduction .......................................................... 1
   1.1 Purpose ........................................................... 1
   1.2 Authority ......................................................... 1
   1.3 Scope ............................................................. 2
   1.4 Background ........................................................ 2
2. Policy ................................................................ 3
   2.1 Information Systems Security and Privacy Policy (IS2P2) ........... 4
   2.2 Chief Information Officer (CIO) Directives ........................ 4
3. Standards ............................................................. 4
   3.1 Acceptable Risk Safeguards (ARS) .................................. 5
4. HIPAA Integration ..................................................... 5
5. Roles and Responsibilities ............................................ 6
6. Procedures ............................................................ 6
   6.1 Security Awareness Training (AT-2) ................................ 6
       6.1.1 Security Awareness Insider Threat (AT-2(2)) ................. 7
   6.2 Role-Based Security Training (AT-3) ............................... 8
   6.3 Security Training Records (AT-4) .................................. 11
Appendix A. Acronyms ..................................................... 14
Appendix B. Glossary of Terms ............................................ 15
Appendix C. Applicable Laws and Guidance ................................. 18
Appendix D. CMS NICE Role Education Course Mapping Guide ................. 21
Appendix E. Cybersecurity & Privacy Training Catalog ..................... 22
Appendix F. Role-Based Training Report Template .......................... 23
Appendix G. Points of Contact ............................................ 24
Appendix H. Feedback and Questions ....................................... 25

Tables

Table 1: CMS Defined Parameters – Control AT-2 ........................... 6

Figures

Figure 1: RBT Self-Assessment Table ...................................... 10
Figure 2: Contractor RBT Report .......................................... 12
Figure 3: Contractor RBT Report Attestation .............................. 13

1. Introduction

1.1 Purpose

The Centers for Medicare & Medicaid Services (CMS) Risk Management Handbook (RMH) Chapter 2 Awareness and Training provides the procedures for implementing the requirements of the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Acceptable Risk Safeguards (ARS). The following is a diagram that breaks down the hierarchy of the IS2P2, ARS, and RMH:

[Diagram: hierarchy of the IS2P2, ARS, and RMH (not reproduced in this transcription)]

This document describes procedures that facilitate the implementation of security controls associated with the Awareness and Training (AT) family of controls. To promote consistency among all RMH Chapters, CMS intends for Chapter 2 to align with guidance from the National Institute of Standards and Technology (NIST), tailoring that content to the CMS environment.

1.2 Authority

The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency or contractor. The Federal Information Security Modernization Act of 2014 designates NIST with responsibility to develop guidance to federal agencies on information security and privacy requirements for federal information systems.

As an operating division of the Department of Health and Human Services (HHS), CMS must also comply with the HHS IS2P, the Privacy Act of 1974 (“Privacy Act”), the Privacy and Security Rules developed pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the E-Government Act of 2002, which relates specifically to electronic authentication requirements. The HHS Office for Civil Rights (OCR) is responsible for enforcement of the HIPAA Security and Privacy Rules. CMS seeks to comply with the requirements of these authorities, and to specify how CMS implements compliance in the CMS IS2P2.

HHS and CMS governance documents establish roles and responsibilities for addressing privacy and security requirements. In compliance with the HHS Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CMS Chief Information Security Officer (CISO) as the CMS authority for implementing the CMS-wide information security program. HHS also designates the CMS Senior Official for Privacy (SOP) as the CMS authority for implementing the CMS-wide privacy program. Through their authority given by HHS, the CIO and SOP delegate authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program.

All CMS stakeholders must comply with and support the policies and the procedures referenced in this handbook to ensure compliance with federal requirements for implementation of information security and privacy controls.

1.3 Scope

This handbook documents procedures that facilitate the implementation of the privacy and security controls defined in the CMS IS2P2 and the CMS ARS. This RMH Chapter provides authoritative guidance on matters related to the Awareness and Training family of controls for use by CMS employees and contractors that support the development, operations, maintenance, and disposal of CMS information systems. This handbook does not supersede any applicable laws, existing labor management agreements, and/or higher-level agency directives or other governance documents.

1.4 Background

This handbook aligns with the NIST SP 800-53 catalogue of controls, the CMS IS2P2, and the CMS ARS. Each procedure relates to a specific NIST security control family. Additional sections of this document crosswalk requirements to other control families and address specific audit requirements issued by various sources (e.g., OMB, OIG, HHS, etc.).

RMH Chapter 2 provides processes and procedures to assist with the consistent implementation of the AT family of controls for any system that stores, processes, or transmits CMS information on behalf of CMS. This chapter identifies the policies, minimum standards, and procedures for the effective implementation of selected security and privacy controls and control enhancements in the AT family.

CMS’s comprehensive information security and privacy policy framework includes:

- An overarching policy (CMS IS2P2) that provides the foundation for the security and privacy principles and establishes the enforcement of rules that will govern the program and form the basis of the risk management framework
- Standards and guidelines (CMS ARS) that address specific information security and privacy requirements
- Procedures (RMH series) that assist in the implementation of the required security and privacy controls based upon the CMS ARS standards.

FISMA further emphasizes the importance of continuously monitoring information system security by requiring agencies to conduct assessments of security controls at a risk-defined frequency. NIST SP 800-53 states under the AT control family that an organization must define, develop, disseminate, review, and update its documentation at least once every three years. This includes a formal, documented system security package that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and formal, documented processes and procedures to facilitate the implementation of the policy and associated controls.

The Risk Assessment process exists within the Risk Management Framework (RMF), which emphasizes:

- Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls
- Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes
- Providing essential information to senior leaders to facilitate decisions regarding the mitigation or acceptance of information-systems-related risk to organizational operations and assets, individuals, external organizations, and the Nation.

The RMF has the following characteristics:

- Promotes the concept of near-real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
- Encourages the use of automation to provide senior leaders the necessary information to make cost-effective, risk-based decisions with regard to the organizational information systems supporting their core missions and business functions;
- Integrates information security and privacy protections into the enterprise architecture and eXpedited Life Cycle (XLC);
- Provides guidance on the selection, implementation, assessment, and monitoring of controls and the authorization of information systems;
- Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function); and
- Establishes responsibility and accountability for security and privacy controls deployed within organizational information systems and inherited by those systems (i.e., common controls).

2. Policy

Policy delineates the security management structure, clearly assigns security responsibilities, and lays the foundation necessary to reliably measure progress, compliance, and direction to all employees, contractors, and any individual who receives authorization to access CMS information technology (IT) systems or systems maintained on behalf of CMS to assure the confidentiality, integrity, and availability of CMS information and information systems.

2.1 Information Systems Security and Privacy Policy (IS2P2)

The CMS IS2P2 defines the framework and policy under which CMS protects and controls access to CMS information and information systems in compliance with HHS policy, federal law, and regulations. This Policy requires all CMS stakeholders to implement adequate information security and privacy safeguards to protect all CMS sensitive information.

The policy contained within the CMS IS2P2 and the procedures contained within this document assist in satisfying the requirements for controls that require CMS to create a policy and associated procedures related to information systems.

2.2 Chief Information Officer (CIO) Directives

The CMS Chief Information Officer (CIO), the CMS Chief Information Security Officer (CISO), and the CMS Senior Official for Privacy (SOP) jointly develop and maintain the CMS IS2P2. The CIO delegates authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program as appropriate.

The dynamic nature of information security and privacy disciplines and the constant need for assessing risk across the CMS environment can cause gaps in policy to arise outside of the policy review cycle. The CMS Policy Framework includes the option to issue a CIO Directive to address identified gaps in CMS policy and instruction, providing immediate guidance to CMS stakeholders while a policy is being developed, updated, cleared, and approved.

3. Standards

Standards define both functional and assurance requirements within the CMS security and privacy environment. CMS policy is executed with the requirements prescribed in standards with the objective of enabling consistency across the CMS environment. The CMS environment includes users, networks, devices, all software, processes, information in storage or transit, applications, services, and systems that can be connected directly or indirectly to networks. These components are responsible for meeting and complying with the security and privacy baseline defined in policy and further prescribed in standards. The parameters and thresholds for policy implementation are built into the CMS standards, and provide a foundation for the procedural guidance provided by the Risk Management Handbook.

3.1 Acceptable Risk Safeguards (ARS)

The CMS Acceptable Risk Safeguards (ARS) provides guidance to CMS and its contractors as to the minimum acceptable level of required security and privacy controls that must be implemented to protect CMS’s information and information systems, including CMS sensitive information. The initial selection of the appropriate controls is based on control baselines. The initial control baseline is the minimum list of controls required for safeguarding an IT system based on the organizationally identified needs for confidentiality, integrity, and/or availability.

A different baseline exists for each security category (high, moderate, low) as defined by NIST Federal Information Processing Standards (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems. The ARS provides a catalog of low, moderate, and high controls, in addition to non-mandatory controls outside of the FIPS-199 baseline selection. The ARS, based upon FIPS 200 and NIST SP 800-53, provides guidance on tailoring controls and enhancements for specific types of missions and business functions, technologies, or environments of operation. Users of the ARS may tailor specific mandatory controls as well as most of the non-mandatory and unselected controls.

4. HIPAA Integration

The HIPAA Security Rule is designed to be flexible, scalable, and technology-neutral, which enables it to be adaptive and seamlessly integrate with detailed frameworks such as FISMA. Though both regulations are governed by different federal agencies, the HIPAA Security Rule only applies to covered entities and their business associates as defined within HIPAA. Implementation of the FISMA requirements helps achieve compliance with the HIPAA Security Rule. HIPAA provides guidance to address the provisions required for the security of health-related information, whereas FISMA presents instructions for the security of the information and the information systems that support these activities.

The following table is a crosswalk of which controls found in this RMH map to specific sections and requirements found in HIPAA.

Security Awareness and Training (AT) Control | HIPAA Section
Security Awareness Training (AT-2)           | §164.308(a)(5)
Role-Based Security Training (AT-3)          | §164.308(a)(2); §164.308(a)(3)(i); §164.308(a)(5)(i); §164.308(a)(5)(ii)(A); §164.308(a)(5)(ii)(B);

5. Roles and Responsibilities

A comprehensive list of information security and privacy roles and responsibilities for CMS stakeholders is contained in the CMS IS2P2. The following roles from the CMS IS2P2 are specific to the procedures contained within this RMH chapter.

Role                                                                        | Applicable Controls
All Users                                                                   | AT-2; AT-2(2); AT-3, AT-4
CMS Business Owner (BO)                                                     | AT-4
CMS Contracting Officer (CO) and Contracting Officer’s Representative (COR) | AT-4
CMS Chief Information Security Officer                                      | AT-4

6. Procedures

Procedures assist in the implementation of the required security and privacy controls. In this section, the AT family procedures are outlined. To increase traceability, each procedure maps to the associated NIST controls using the control number from the CMS IS2P2.

6.1 Security Awareness Training (AT-2)

The purpose of Security and Privacy Awareness Training is to prepare users to manage security and privacy risks through a broad campaign that introduces them to the concepts, scenarios, and tools used to compromise information security and privacy protections. The content for security awareness training differs from organization to organization and is dependent on specific organizational requirements, including personnel that have permissions to different types of data. Common security awareness techniques include but are not limited to displaying informational posters, emails, office supplies with security reminders printed on them, security messages during logons, and conducting information security awareness events.

The table below outlines the CMS organizationally defined parameters (ODPs) for AT-2.

Table 1: CMS Defined Parameters – Control AT-2
[Table body not reproduced in this transcription]
