Acceptable Risk Safeguards (ARS)
The Centers for Medicare & Medicaid Services (CMS) Information Security Acceptable Risk Safeguards (ARS), also called the CMS Minimum Security Requirements (CMSR), contain a broad set of required security standards based on National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, dated April 2013, as well as additional standards drawn from CMS policies, procedures, and guidance, other federal and non-federal guidance, and industry-leading security practices.
It is also important to note that the ARS does not address specific business-process requirements that ensure business requirements are fulfilled. The goal of the CMSRs is to provide a baseline of minimal internal/external information security and privacy assurance controls. It is the responsibility of the Business Owner of CMS systems, with direction provided by the Office of Information Services (OIS), to ensure that all applicable internal/external information security and privacy assurance controls are incorporated into CMS systems. Business Owners must document and certify the incorporated controls in their respective security plan and identify any risks in the corresponding risk assessment for their system.
Protecting and ensuring the confidentiality, integrity, and availability (CIA) of all CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS complies with the CMS Policy for Information Security and Privacy and the CMS Policy for the Information Security and Privacy Program by providing a defense-in-depth security structure together with least-privilege, need-to-know access to all information.
The CMSRs within the ARS are not intended to be an all-inclusive list of security controls nor are they intended to replace a Business Owner’s due diligence to incorporate additional controls to mitigate risk.
All CMS employees, contractors, sub-contractors, and their respective facilities supporting CMS business missions and performing work on behalf of CMS shall observe the baseline policy statements described in the CMS Policy for the Information Security and Privacy Program and the complementary controls defined in the ARS as the minimum security requirements for all CMS information and information systems.
Using EventTracker to meet ARS v3.1 Requirements
Requirement: Establish a process to determine, based on a risk assessment and CMS mission/business needs, that the information system is capable of auditing the events specified in "Implementation".
Solution: EventTracker collects the logs from the in-scope systems into a central repository so that the events selected in the risk assessment can be audited.
Requirement: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Solution: EventTracker collects audit records containing information that establishes:
- What type of event occurred
- When the event occurred
- Where the event occurred
- The source of the event
- The outcome of the event
- The identity of any individuals or subjects associated with the event
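The six elements listed above are the content requirement for every audit record (NIST SP 800-53 AU-3). The check below, written for this page as an added example and not part of EventTracker or the ARS, normalises a few constructed Linux syslog lines into those six fields and flags any record that cannot establish all of them. The log lines, the host name `web01`, the field names and the assumed year for the year-less BSD syslog timestamp are all constructed for the example.

```python
import re
from datetime import datetime

# The six things an AU-3 audit record must establish (names are this example's own).
AU3_FIELDS = ("event_type", "timestamp", "location", "source", "outcome", "subject")

# Constructed sample lines in rsyslog/auth.log format; not captured from a real host.
SAMPLE_LOG = """\
Jan 14 08:15:02 web01 sshd[2231]: Accepted publickey for alice from 10.0.3.7 port 51122 ssh2
Jan 14 08:15:40 web01 sshd[2240]: Failed password for invalid user admin from 203.0.113.9 port 44021 ssh2
Jan 14 08:16:03 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jan 14 08:16:10 web01 kernel: [12345.678901] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# Syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
# OpenSSH authentication result lines.
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.:a-fA-F]+) port \d+")
# sudo's permitted-command line. Denials ("user NOT in sudoers ...") deliberately
# do not match and therefore surface as incomplete records rather than as successes.
SUDO_RE = re.compile(r"^(?P<user>\S+) : TTY=(?P<tty>\S+) ;.*COMMAND=(?P<cmd>.*)$")


def parse_record(line, year=2024):
    """Normalise one syslog line into the six AU-3 elements.

    Unknown message formats keep only what the header gives (when, where, source);
    the caller decides whether such a record is acceptable. BSD syslog timestamps
    carry no year, so an assumed year is supplied (constructed for this example).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    rec = {"event_type": None, "timestamp": ts.isoformat(), "location": m["host"],
           "source": m["prog"], "outcome": None, "subject": None, "raw": line}
    msg = m["msg"]
    s = SSHD_RE.match(msg)
    u = SUDO_RE.match(msg)
    if m["prog"] == "sshd" and s:
        rec.update(event_type="ssh-authentication", source=f"sshd@{s['ip']}",
                   outcome="success" if s["result"] == "Accepted" else "failure",
                   subject=s["user"])
    elif m["prog"] == "sudo" and u:
        rec.update(event_type="privileged-command", source=f"tty {u['tty']}",
                   outcome="success", subject=u["user"])
    return rec


def missing_au3_fields(rec):
    """Names of AU-3 elements the record does not establish, in AU-3 order."""
    return [f for f in AU3_FIELDS if not rec.get(f)]


def audit_au3(log_text):
    """Split a log into records that satisfy AU-3 and records that do not."""
    complete, incomplete = [], []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        (incomplete if missing_au3_fields(rec) else complete).append(rec)
    return complete, incomplete


if __name__ == "__main__":
    ok, bad = audit_au3(SAMPLE_LOG)
    for r in ok:
        print("AU-3 complete:", {k: r[k] for k in AU3_FIELDS})
    for r in bad:
        print("AU-3 incomplete, missing", missing_au3_fields(r), "->", r["raw"])
```

Run against the sample, the two sshd lines and the sudo line yield complete records (the failed login for the non-existent user `admin` is recorded as a failure attributed to the source address, which is the outcome-plus-source pairing AU-3 asks for), while the kernel line has a time, a host and a source but no event type, outcome or subject and is reported as incomplete. In a real deployment the incomplete list is the evidence for the gap between "logs are collected" and "audit records establish what AU-3 requires".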
Requirement: The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Solution: EventTracker protects audit information and audit tools from unauthorized access, modification, and deletion.
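Access control keeps unauthorized users away from the audit store, but the requirement also covers modification and deletion, which calls for tamper evidence: a reader must be able to prove that no record was altered, removed or reordered after collection. The block below is an added example written for this page, not EventTracker's mechanism, showing the standard technique of chaining every record to its predecessor with an HMAC under a key held by the collector. The records, the key and the class and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed AU-3 style records; not captured from a real system.
SAMPLE_RECORDS = [
    {"event_type": "ssh-authentication", "timestamp": "2024-01-14T08:15:02",
     "location": "web01", "source": "sshd@10.0.3.7", "outcome": "success", "subject": "alice"},
    {"event_type": "ssh-authentication", "timestamp": "2024-01-14T08:15:40",
     "location": "web01", "source": "sshd@203.0.113.9", "outcome": "failure", "subject": "admin"},
    {"event_type": "privileged-command", "timestamp": "2024-01-14T08:16:03",
     "location": "web01", "source": "tty pts/0", "outcome": "success", "subject": "alice"},
]

GENESIS = "0" * 64  # MAC value assumed for the (non-existent) entry before the first one


def entry_mac(key, seq, record, prev_mac):
    """HMAC-SHA256 over the entry's position, content and the previous entry's MAC.

    Canonical JSON (sorted keys, no whitespace) so that the same record always
    produces the same bytes regardless of dict ordering.
    """
    payload = json.dumps({"seq": seq, "record": record, "prev": prev_mac},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class ChainedAuditLog:
    """Append-only audit log where every entry is bound to all entries before it."""

    def __init__(self, key):
        self._key = key      # must live with the collector, never on the audited host
        self.entries = []    # each: {"seq", "record", "mac"}

    def append(self, record):
        seq = len(self.entries)
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        mac = entry_mac(self._key, seq, record, prev)
        self.entries.append({"seq": seq, "record": record, "mac": mac})
        return mac

    def head(self):
        """MAC of the newest entry; store it out of band to detect truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries, key, expected_head=None):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry).

    Catches modified, deleted, inserted and reordered entries. Deleting entries
    from the *end* leaves a valid shorter chain, so the caller should pass the
    head MAC it recorded separately; a mismatch is reported at index len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = entry_mac(key, i, e["record"], prev)
        if e["seq"] != i or not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, None


def demo(key=b"constructed-demo-key-do-not-reuse"):
    """Build a chain and show what each kind of tampering looks like to the verifier."""
    log = ChainedAuditLog(key)
    for r in SAMPLE_RECORDS:
        log.append(r)
    head = log.head()

    intact = verify_chain(log.entries, key, head)

    # Modification: an attacker rewrites the failed login as a success.
    tampered = [dict(e, record=dict(e["record"])) for e in log.entries]
    tampered[1]["record"]["outcome"] = "success"
    modified = verify_chain(tampered, key, head)

    # Deletion from the middle: the failed login is removed entirely.
    deleted = verify_chain([log.entries[0]] + log.entries[2:], key, head)

    # Truncation: the newest entry is dropped; only the recorded head reveals it.
    truncated = verify_chain(log.entries[:2], key, head)
    return intact, modified, deleted, truncated


if __name__ == "__main__":
    for label, result in zip(("intact", "modified", "deleted", "truncated"), demo()):
        print(f"{label:10s} -> {result}")
```

Two design points matter for the control. First, the key has to be held by the collector (here, the SIEM) and not by the system producing the events; if the audited host could recompute MACs, an attacker with root on it could rewrite history consistently. Second, a hash chain alone cannot detect removal of the most recent entries, which is why `verify_chain` takes the separately recorded head MAC and reports truncation as a failure at the end of the chain.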
Requirement: Monitor the information system.
Solution: EventTracker collects and monitors events from IDS devices at network perimeter points and from host-based IDS sensors on critical servers.