This is the Centers for Medicare & Medicaid Services repository that provides the Acceptable Risk Safeguards (ARS) in machine-readable format to support compliance as code initiatives.
We believe compliance activity at the scale of CMS requires automation to be successful and repeatable. Compliance as Code standards like OSCAL allow teams to bridge between the "Governance" layer and operational tools. With this repository, CMS aims to support innovative teams in leveraging automation to improve the CMS security posture and reduce the burden of compliance.
ARS are the Acceptable Risk Safeguards used to define a baseline of minimum information security and privacy assurance controls at CMS. These controls are based both on internal CMS governance documents and on laws, regulations, and other authorities created by institutions external to CMS. Protecting and ensuring the confidentiality, integrity, and availability of all CMS information and information systems is the primary purpose of the information security and privacy assurance program. The ARS complies with CMS guidelines by providing a defense-in-depth security structure along with least-privilege, need-to-know access to all information. CMS updates the ARS to keep up with the latest risk safeguards, and these updates come in the form of numbered releases, with the highest number being the latest release.
We provide the ARS in the machine-readable format CMS has adopted for Compliance as Code: NIST's OSCAL standard.
If you're looking to ship software to production at CMS, your system will need to comply with ARS controls. Product teams looking to automate compliance (including but not limited to automatically generating their System Security Plans) can use these machine-readable ARS controls to support their efforts.
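As an added illustration of the kind of automation this paragraph describes (not code from this repository), the following walks an OSCAL-shaped catalog, flattens every control and enhancement into a table, and emits a skeleton OSCAL SSP `control-implementation` section with one entry per control. The catalog content is a constructed sample, not the actual ARS controls.

```python
"""Flatten an OSCAL catalog and build a skeleton SSP control-implementation."""
import json
import uuid

# Constructed, minimal OSCAL-shaped catalog (NOT the real ARS content); real
# OSCAL catalogs are far larger but use the same groups/controls/parts shape.
SAMPLE_CATALOG = json.dumps({"catalog": {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "metadata": {"title": "Sample catalog", "version": "5.0"},
    "groups": [
        {"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-1", "title": "Policy and Procedures",
             "parts": [{"name": "statement", "prose": "Develop an access control policy."}]},
            {"id": "ac-2", "title": "Account Management",
             "parts": [{"name": "statement", "prose": "Manage system accounts."}],
             # control enhancement nested inside its parent control
             "controls": [{"id": "ac-2.1", "title": "Automated Account Management",
                           "parts": [{"name": "statement", "prose": "Automate it."}]}]}]},
        {"id": "ir", "title": "Incident Response", "controls": [
            {"id": "ir-4", "title": "Incident Handling",
             "parts": [{"name": "guidance", "prose": "No statement part here."}]}]}]}})


def iter_controls(container, family=None):
    """Yield (family_id, control), recursing into nested groups and enhancements."""
    for group in container.get("groups", []):
        yield from iter_controls(group, group.get("id", family))
    for control in container.get("controls", []):
        yield family, control
        yield from iter_controls(control, family)


def flatten_catalog(catalog_json):
    """One dict per control: id, family, title, statement ('' if no statement part)."""
    catalog = json.loads(catalog_json)["catalog"]
    rows = []
    for family, control in iter_controls(catalog):
        statement = next((p.get("prose", "") for p in control.get("parts", [])
                          if p.get("name") == "statement"), "")
        rows.append({"id": control["id"], "family": family,
                     "title": control.get("title", ""), "statement": statement})
    return rows


def ssp_skeleton(catalog_json):
    """OSCAL SSP 'control-implementation' block with one requirement per control."""
    reqs = [{"uuid": str(uuid.uuid4()), "control-id": row["id"],
             "remarks": "TODO: describe how this control is implemented"}
            for row in flatten_catalog(catalog_json)]
    return {"control-implementation": {
        "description": "Generated skeleton: one entry per catalog control.",
        "implemented-requirements": reqs}}
```

Pointing `flatten_catalog` at a real catalog file gives a per-control table a team can diff between numbered releases, and `ssp_skeleton` gives the starting point for the SSP generation mentioned above.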
This repository is updated in an automated fashion. CMS is not actively monitoring this repository for pull requests or issues at this time. For inquiries, please refer to the contact section of this document.