
System Security Plan (SSP)

The purpose of the system security plan is to provide an overview of the security requirements of the system and to describe the controls in place, or planned, for meeting those requirements. The system security plan also delineates the responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from the various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan, and the structure and format may be organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.


Plan of Action and Milestones (POA&M)

A plan of action and milestones (POA&M), also referred to as a corrective action plan, is a tool that identifies the tasks that need to be accomplished to remediate identified security weaknesses and vulnerabilities, along with the resources required, the milestones for each task, and the scheduled completion dates for those milestones. The goal of a POA&M should be to reduce the risk posed by each identified vulnerability and to track progress until the weakness is remediated or the residual risk is formally accepted.

This POA&M template adheres to the guidance identified in NIST Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013. Note that NIST has since published SP 800-53, Revision 5 (September 2020), which supersedes Revision 4; organizations mapping POA&M items to controls should confirm which revision their authorizing body requires.


Minimum Acceptable Risk Standards for Exchanges (MARS-E)

The Minimum Acceptable Risk Standards for Exchanges (MARS-E), Version 2.0, is a document suite of guidance, requirements, and templates assembled by the Centers for Medicare & Medicaid Services (CMS) in accordance with the agency’s Information Security program. The guidance in the MARS-E document suite addresses the mandates of the Patient Protection and Affordable Care Act of 2010 (hereafter simply the “Affordable Care Act” or “ACA”) and applies to all ACA Administering Entities. “Administering Entity” means Exchanges or Marketplaces, whether federal or state, state Medicaid agencies, Children’s Health Insurance Program (CHIP) agencies, and state agencies administering the Basic Health Program.

Version 2.0 of the MARS-E document suite consists of four companion documents:

  • Volume I: Harmonized Security and Privacy Framework, Version 2.0
  • Volume II: Minimum Acceptable Risk Standards for Exchanges, Version 2.0
  • Volume III: Catalog of Minimum Acceptable Risk Security and Privacy Controls for Exchanges, Version 2.0
  • Volume IV: ACA Administering Entity System Security Plan, Version 2.0

This suite of documents defines a risk-based Security and Privacy Framework for use in the design and implementation of Exchange information technology (IT) systems for which CMS has oversight responsibility.
