CMS-10877 System Security and Privacy Plans (SSPs) workbook

Supporting Statement for Direct Enrollment Entities (CMS-10877)

CMS-10877 - Appendix_D_NEE-EDE-SSP-Workbook

OMB: 0938-1463

Document [pdf]
Download: pdf | pdf
OMB Control #: 0938-NEW
Expiration Date: XX/XX/20XX

Sensitive and Confidential Information – For Official Use Only

Non-Exchange Entity Name (Acronym)

Non-Exchange Entity System Security
and Privacy Plan
Prepared by: 
For: 


NEE SSP Version 0.1
SSP Report Publication Date
CMS SSP Template v 3.1

PRA DISCLOSURE: According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of
information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 0938NEW, expiration date is XX/XX/20XX. The time required to complete this information collection is estimated to take up to
144,652 hours annually for all direct enrollment entities. If you have comments concerning the accuracy of the time estimate(s)
or suggestions for improving this form, please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail
Stop C4-26-05, Baltimore, Maryland 21244-1850. ****CMS Disclosure**** Please do not send applications, claims, payments,
medical records or any documents containing sensitive information to the PRA Reports Clearance Office. Please note that any
correspondence not pertaining to the information collection burden approved under the associated OMB control number
listed on this form will not be reviewed, forwarded, or retained. If you have questions or concerns regarding where to submit
your documents, please contact Brittany Cain at Brittany.Cain@cms.hhs.gov.

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Introduction and Overview
The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing many
provisions of the health insurance reform law, the Patient Protection and Affordable Care Act of
2010 (hereafter referred to as the “Affordable Care Act” or “ACA”). To facilitate and enhance
the eligibility determination and enrollment processes, CMS will provide centralized and
standardized business and technical services (“Hub Web Services”) through an application
programming interface (API) to the Federally Facilitated Exchange (FFE) Partner, including
Direct Enrollment (DE) Entities. This will enable the FFE Partner to establish a secure
connection to the CMS Data Services Hub (Hub). The API will enable the secure transmission of
key eligibility and enrollment information between CMS and the FFE Partner.
Protecting and ensuring the confidentiality, integrity, and availability (CIA) of Health Insurance
Exchange (hereafter simply the “Exchange”) information, common enrollment information, and
associated information systems is the responsibility of the Exchange and all of its business
partners. CMS is responsible for providing business, information, and technical guidance;
creating common baselines and standards for information technology (IT) system
implementation activities; and maintaining oversight of the FFE and IT systems that support the
Exchange and common enrollment IT systems. FFE partners are considered Non-Exchange
Entities (NEE) according to 45 CFR § 155.260 (b)(1) and as such are required to comply with
the privacy and security standards consistent with 45 CFR § 155.260(a)(1) - (6), including being
at least as protective as the standards the Exchange has established and implemented for itself
under 45 C.F.R. § 155.260(a)(3).

Purpose
This document provides the System Security Plan (SSP) template for each FFE Partner Entity
(Partner) responsible for implementing comprehensive security and privacy controls specified in
ACA regulations. This document is intended to be used by Partners who are applying for an
authorized connection to the Hub and access to consumer data contained within the Exchange
repositories. Partners are required to complete the SSP and document their compliance with
mandates of the ACA legislation and Department of Health and Human Services (HHS)
regulations. The SSP is the key tool for describing a Partner’s IT systems and supporting
application(s) security and privacy environment and for documenting the implementation of
security and privacy controls for the protection of all data received, stored, processed, and
transmitted by the ACA support IT systems and supporting applications. The SSP must be
initiated during the initial stages of the life cycle process for IT systems.
This document is released in template format. Once populated with content, it should include
detailed information about Partner information security and privacy controls.
The SSP should be reviewed and updated on an as-needed basis, at least annually, and when
there are major system modifications that could potentially impact the security and privacy of the
Partner’s information system.

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

i
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Basic Assumptions about SSP for
ACA FFE Partner Systems
The preparer of the System Security and Privacy Plan should consider the following basic
assumptions about the Partner systems environment and the roles and responsibilities of various
parties:
1. Personally Identifiable Information (PII). All systems will be processing
ACA-related PII.
2. Outsourcing and Cloud environments. Most of the systems will be hosted in an
outsourced computing facility or cloud environment. In many cases, the Partner will not
be the service provider; accordingly, Implementation of Control statements like “The
organization …” can involve multiple parties.
3. Systems Development Life Cycle (SDLC). All systems will be required to follow an
organization-specific SDLC process. The supporting attachments includes a list of
artifacts and agreements required throughout this life-cycle process.
4. Terminology. The following includes definitions of terms used throughout the SSP:
•

The “organization” is used generally to mean single or multiple parties on the Partner
side, including the Partner or outsourced service provider. Whenever a Partner uses
the term “organization,” it is essential to specify the implementer.

•

The “Service Provider” is the party that provides the development and/or operational
support of a component of the information technology (IT) system.

•

The “System Owner” is specifically the person in the Partner organization responsible
for all IT aspects of this system including the operation and maintenance of an
information system. This individual can also be the IT manager/owner of the general
support system (GSS).

•

A “general support system” is an interconnected set of information resources under
the same direct management control that shares common functionality. A GSS
normally includes hardware, software, information, applications, communications,
data, and users.

•

The “System Maintainer/Developer” is the individual or group of individuals that has
the responsibilities of continued maintenance (e.g., bug fixing, minor modifications /
enhancements, performance tuning, and/or customer service) of an implemented
system. A system maintainer may or may not also serve as the system developer for a
given project.

•

The “Business Owner” is the person in the Partner organization who is responsible
for the mission and ensures the system serves the business needs of the Partner.

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

ii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Completing the SSP
Instruction: A completed SSP must provide detailed technical information about
the system, describe the sensitive information the system processes or maintains,
and demonstrate that effective security and privacy controls have been
implemented to ensure protection against all known vulnerabilities. The SSP must
also document the policies, processes, and procedures that are associated with the
Partner organization, both at the program and system levels. Every SSP must be
dated, and every page in the SSP must display the date, version number, page
number, and total number of pages to facilitate review and tracking of
modifications and approvals.
To complete this template, and to prevent any unnecessary processing delays,
please provide the specific data requested in all associated tables and the various
summary discussion sections.
Those sections that require summary information or detailed discussions of
processes, policies, technical implementations, or other system-related
information are preceded by “[Click here and type text].” A detailed set of
instructions in blue font follows, providing the required level of specificity. Please
complete the necessary summary paragraphs in the spaces provided “[Click here
and type text]” and then use the instructions that follow as a checklist to ensure
that all necessary requirements are addressed. Once all necessary information has
been annotated in the summary paragraph(s), delete the provided instructions.
In a similar fashion, diagrams and other graphical display requests will be
annotated with “[Click here to include system diagram]” or other similar text.
Additional diagrams, flowcharts, or tables may be added at the author’s discretion
to properly describe essential components of the system, data flows, or
organizational structures.
The guidance in this document helps standardize the effort of the System
Developer/Maintainers, Business Owners, security and privacy officers, or
equivalents in creating SSPs for the Partner Systems. The SSP identifies the
following:
•
•
•
•
•
•
•
•

Applicable laws and/or regulations affecting the system;
The Rules of Behavior (RoB) associated with the system;
High- and moderate-level risks identified during the risk assessment;
Security and privacy in all levels of development;
Personnel responsible for oversight, development, and the security and privacy of the
system;
Business process(es) associated with the system;
The system environment;
System interconnections;

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

iii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

•

System security level; and

•

Detail control implementation information.

How to Complete the Security and Privacy
Controls Sections of the SSP Workbook
Instruction: The following instructions should guide your completion of the
comprehensive implementation description of security and privacy controls.
•

Describe how the security and privacy controls are implemented for all
control families within the SSP.

•

Discuss in detail the strategy used in implementing the controls.

•

Include in the Configuration Management (CM) control section the
baseline security configurations of the system/application.

•

Document the organizational component or contractor who is responsible
for supporting and maintaining the control.

Control guidance is not provided for most controls so the organization should
leverage the most current NIST SP 800-53 for guidance. However, for the
following controls, control guidance has been provided:
•

AC-2: Account Management

•

AC-10: Concurrent Session Control

•

AC-17: Remote Access

•

TR-1: Privacy Notice

Throughout this SSP, policies and procedures must be explicitly referenced (title
and date or version) to clearly identify the document referenced. Section numbers
or similar mechanisms should allow the reviewer to easily find the reference.
For applications and platforms that are leveraging/inheriting controls at the
infrastructure level (or anything lower in the stack), the implementation
description must simply say “inherited.” The assessor must verify that inherited
controls are in place.
Note that “-1” Controls (AC-1, AU-1, SC-1, etc.) cannot be inherited and must be
described in some way by the system component service provider.
[Delete this and all other instructions from your final version of this document.]

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

iv
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Responding to Controls
Instruction: Each control within the SSP is designed to document and explain
specific procedural, technical, and policy protections that have been applied to a
specific system. As each control is documented, a detailed picture should emerge
and accurately reflect the security strategy that is employed to ensure the
confidentiality, integrity, and availability of both the sensitive data a system
processes, and the resources that are deemed essential to its sustained operation.
Three primary fields comprise each control and include:
•

Control. This field establishes the specific requirement(s) that must be met. For
instance, Security Control AC-1 establishes a standard that requires written
Access Control policies and procedures that specifically address carefully
prescribed requirements (and also requires their review every three years).

•

Related Control Requirements. This field identifies any control requirements
that may address similar issues and can prove useful when verifying consistency
in the application of security and privacy controls across the organization.

Control Implementation Description. This field must be completed by the SSP
author to demonstrate compliance with the specific standards established in the
initial Control field. The author should clearly reference specific policies by name
and then demonstrate to the assessment team that the referenced policy and/or
procedures meet both the intent and the actual, specified requirements (such as a
policy that addresses purpose, scope, roles, and responsibilities, etc.) The policy
and procedures must also be reviewed at the required frequencies to ensure that
the content is accurate and current.
[Delete this and all other instructions from your final version of this document.]
•

Responding to Control Implementation Descriptions
Instruction: When completing control implementation description fields, address
the following:

Identify the Control Status
Instruction: When documenting the Control Implementation Description field,
indicate the status of the control. There may be multiple control statuses within a
control response if there are multiple responsible entities, or a different
implementation status for different control objectives or implementation
standards.
Indicate the current “Control Status” with one of the following:
•

Implemented – System provides control that mitigates vulnerability/threat.

•

Inherited – Control implementation is provided by outside source other than
system (i.e., GSS, physical security, SOC/NOC, etc.).

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

v
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

•

Compensated – System implements an equivalent security capability or level of
protection for the information system to mitigate vulnerability/threat.

•

Planned – Control is not implemented and actions are planned to mitigate
vulnerability/threat. Security and privacy controls that are planned should be
documented in the Plan of Action and Milestones (POA&M).

•

Not Applicable (N/A)– The control does not directly apply to the information
system. The system either does not perform the functions described by the
controls, or the system does not employ technology under threat. Note: If a
control is N/A, please indicate why it is N/A.

Who Is Responsible for Implementing the Solution?
Instruction: Explain who is responsible for each control implementation. The
term “organization defined” must be interpreted as being the Partner’s
responsibility unless otherwise indicated (such as third-party service provider). In
some cases, CMS has chosen to define or provide parameters, in others they have
left the decision up to the Partner. In the implementation of many controls,
multiple organizations (or parties, persons, or entities) may bear some
responsibility. For instance, some security functionality may be outsourced to a
subcontractor, while a Partner employee or organization handles other elements of
the same control.

What Is the Solution? Does the Solution Satisfy the Control Requirements?
Instruction: Provide a detailed description of the solution implemented for the
control. Ensure that all stated control requirements and implementation standards
are addressed. The solution documented in the Control Implementation
Description must satisfy each of these requirements. If the solution does not fully
address each control requirement, document any compensating controls in place
that reduce the residual risk.

How Often Is the Control Reviewed and by Whom?
Instruction: Please provide the review interval at the end of your Control
Implementation Description. Also indicate the individual or party (by title)
responsible for the review (e.g., “The IT Security Program Policy is reviewed and
updated annually by the Security and Privacy Officer.”).

Additional Considerations for Describing Control Implementation
When documenting control implementations, it is important to provide as much
detail as possible to fully describe how all aspects of the control have been
addressed. In describing the control:
•

Describe in detail how the control is implemented either through process,
policy, or technical implementation; it is not enough to state a control is in
place.

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

vi
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

•

If automated tools are utilized, describe the tool and how it satisfies the
control requirement.

•

Identify for each control who or what role is responsible for its
implementation, and how often the control is reviewed to ensure it is
working as intended.

•

Attach maintenance, visitor, audit logs, and Rules of Behavior
documentation as evidence of control implementation, if necessary.

•

Include the title, version, and date when referencing policy documentation.
Also identify the documentation’s location, method of distribution, and
how often policies and procedures are reviewed and by whom.

Sample Control Implementations
The following controls in Table Instr-1-1 and Table Instr-1-2 have sample
responses that have been entered in the Control Implementation Description
field using the appropriate format. Please refer to these samples as you document
your Control Implementation Description.
[Delete this entire section of instructions from your final version of this
document.]
Table Instr-1-1. Sample 1 – CM-4: Security Impact Analysis (Sample Response)
CM-4: Security Impact Analysis
Control
The organization analyzes changes to the information system to determine potential security and privacy impacts
prior to change implementation. Activities associated with configuration changes to the information system are
audited.
Implementation Standards
1. A security and privacy impact analysis is recommended as part of change management.

Related Control Requirement(s):

CA-2, CA-7, CM-3, CM-9, SA-5, SA-10, SI-2

Control Implementation Description: SAMPLE
NEE Entity IT Department
Control Status: Implemented and Inheritable Common Control
The NEE Entity facility team maintains a site scan system that monitors the temperature and humidity in the
computer room. The HVAC is monitored daily by internal staff / personnel who receive alarms in the command
center when the system varies outside of set parameters.
If NEE Entity customer requires a change that may impact security, a joint meeting is set up between the NEE
Entity IT Department and the customer to discuss the impact before proceeding with the change. In addition, both
parties agree on the correct data categorization rating (low, medium/moderate or severe) for that particular touch
point. Activities associated with the change implementation are documented in the Change Ticket and can be
audited if needed. Changes to configurations controlled by the INSUR System including those associated with
security controls for interfaces and core INSUR middleware are fairly static. Audits are not conducted for any given
interval by the NEE Entity IT Department. The service providers HB Systems and ABC Data Center are
responsible for configuration change control for hardware, OS, boundary protection devices.
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

vii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

CM-4: Security Impact Analysis
Contractor: HB Systems
Control Status: Planned
HB Systems is in the process of implementing a formal security analysis process as part of change control. Refer
to POA&M item# 37.
Data Center: ABC Data Centers
Control Status: Implemented
A security review and approval by the client and ABC Data Centers is required prior to implementation of all
changes per the NEE Entity IT Department Change Management Process.
An audit of this process is performed annually by the NEE Entity IT Department for all state and contractors
supporting the INSUR System.

Table Instr-1-2. Sample 2 – AR-5: Privacy Awareness and Training (Sample Response)
AR-5: Privacy Awareness and Training
Control
The organization:
a.

Develops, implements, and updates a comprehensive privacy training and awareness strategy aimed at
ensuring personnel understand privacy responsibilities and procedures ;

b.

Administers basic privacy training no less often than once every three hundred sixty-five (365) days, and
targeted , role-based privacy training for personnel having responsibility for PII or for activities that involve
PII no less often than once every three hundred sixty-five (365) days; and
Ensures that personnel certify (manually or electronically) acceptance of responsibilities for privacy
requirements no less often than once every three hundred sixty-five (365) days.

C.

Implementation Standards:
1. A privacy education and awareness training program must be developed and implemented for all
employees and individuals working on behalf of the organization involved in managing, using, and/or
processing PII.
2. Privacy education and awareness training must include responsibilities associated with sending PII in
email.
3. Communications and training related to privacy and security must be job-specific and commensurate with
the employee’s responsibilities.
4. Agencies must initially train employees (including managers) on their privacy and security responsibilities
before permitting access to organization information and information systems. Thereafter, agencies must
provide at least annual refresher training to ensure employees continue to understand their
responsibilities.
5. Additional or advanced training must be provided commensurate with increased responsibilities or
change in duties.
6. Both initial and refresher training must include acceptable rules of behavior and the consequences when
the rules are not followed.
7.

Training must address the rules for telework and other authorized remote access programs.

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

viii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

AR-5: Privacy Awareness and Training
Related Control Requirement(s):
AT-2, AT-3, AT-4, TR-1

Control Implementation Description: SAMPLE
Control Status: Inherited and Inheritable Hybrid Control
The Organizational Privacy Coordinator in conjunction with the Information Systems Security Officer has
developed a comprehensive training and awareness program that includes the following:
1.

2.
3.

4.

Requirement for all users and managers to complete awareness training on an annual basis. The training
includes an overview of privacy protection policies and procedures, privacy definitions, privacy technical
and operational safeguards, overview of the incident response process that includes how to detect and
report privacy incidents and to who, and common security threats and mitigation strategies.
Requirement for all new staff to complete training prior to granting access authorization to IT information
systems and networks.
Based on notifications from Human Resources of all positions performing more specific security and
privacy related responsibilities a requirement to obtain specific security and privacy training that includes
real-world scenarios related to best practices for protecting PII through understanding how security and
privacy principles are applied to specific job responsibilities such as Help Desk operators, security
administrators, and privacy officers. These courses are required every three years
All training is automatically recorded and tracked on the training website that is maintained by Human
Resources.

[Delete this entire section of instructions from your final version of this
document.]

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

ix
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

System Security Plan
Prepared by: 
Organization Name: .
Street Address:



Suite/Room/ Building: 
City, State Zip:



Prepared for 
Organization Name: .
Street Address:



Suite/Room/Building: 
City, State Zip:

City, State 

Record of Changes
Date


Description


Revision History
Date

Description

Version
of SSP

Author

















Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

x
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

How to contact us
For questions about this document including how to use it, contact
directenrollment@cms.hhs.gov.

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xi
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Table of Contents
Introduction and Overview ........................................................................................................... i
Purpose i
Basic Assumptions about SSP for ACA FFE Partner Systems ................................................. ii
Completing the SSP ..................................................................................................................... iii
How to Complete the Security and Privacy Controls Sections of the SSP Workbook .......... iv
Responding to Controls .......................................................................................................... v
Responding to Control Implementation Descriptions ............................................................ v
Identify the Control Status ............................................................................................. v
Who Is Responsible for Implementing the Solution? ................................................... vi
What Is the Solution? Does the Solution Satisfy the Control Requirements? .............. vi
How Often Is the Control Reviewed and by Whom?.................................................... vi
Additional Considerations for Describing Control Implementation ..................................... vi
Sample Control Implementations ................................................................................. vii
1. Information System Name/Title ........................................................................................... 1
2. Information System Categorization ..................................................................................... 1
2.1 Security Objectives Categorization............................................................................... 2
2.2 E-Authentication Determination ................................................................................... 2
3. Information System Owner .................................................................................................. 2
4. Authorizing Official ............................................................................................................... 3
5. Other Designated Contacts ................................................................................................... 4
6. Assignment of Security and Privacy Responsibility ........................................................... 5
7. Information System Operational Status .............................................................................. 6
8. Information System Type ...................................................................................................... 6
8.1 Cloud Service Models ................................................................................................... 6
9. General System Description.................................................................................................. 7
9.1 System Function or Purpose ......................................................................................... 7
9.2 Description of the Business Process ............................................................................. 7
9.3 Information System Components and Boundaries ....................................................... 8
9.4 Types of Users ............................................................................................................ 10
9.5 Network Architecture.................................................................................................. 13
10. System Environment and Inventory .................................................................................. 15
11. Description of Operational / System Environment and Special Considerations ........... 15
11.1 Operational Information.............................................................................................. 15
11.2 System Information..................................................................................................... 15
11.3 System Environment ................................................................................................... 16
11.4 Data Flow .................................................................................................................... 19
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

11.5 Ports, Protocols, and Services ..................................................................................... 21
12. System Interconnections...................................................................................................... 23
13. Laws, Regulations, Standards, and Guidance................................................................... 26
13.1 Applicable Laws and Regulations .............................................................................. 26
13.2 Applicable Standards and Guidance ........................................................................... 26
14. Minimum Security and Privacy Controls.......................................................................... 27
14.1 Access Control (AC) ................................................................................................... 36
14.1.1 AC-1: Access Control Policy and Procedures Requirements ......................... 36
14.1.2 AC-2: Account Management .......................................................................... 36
14.1.3 AC-3: Access Enforcement............................................................................. 40
14.1.4 AC-4: Information Flow Enforcement............................................................ 40
14.1.5 AC-5: Separation of Duties............................................................................. 41
14.1.6 AC-6: Least Privilege ..................................................................................... 41
14.1.7 AC-7: Unsuccessful Logon Attempts ............................................................. 44
14.1.8 AC-8: System Use Notification ...................................................................... 44
14.1.9 AC-10: Concurrent Session Control ............................................................... 45
14.1.10 AC-11: Session Lock ...................................................................................... 46
14.1.11 AC-12: Session Termination........................................................................... 46
14.1.12 AC-14: Permitted Actions Without Identification or Authentication ............. 47
14.1.13 AC-17: Remote Access ................................................................................... 47
14.1.14 AC-18: Wireless Access ................................................................................. 51
14.1.15 AC-19: Access Control for Mobile Systems .................................................. 52
14.1.16 AC-20: Use of External Information Systems ................................................ 53
14.1.17 AC-21: Information Sharing ........................................................................... 55
14.1.18 AC-22: Publicly Accessible Content .............................................................. 55
14.2 Awareness and Training (AT) .................................................................................... 55
14.2.1 AT-1: Security Awareness and Training Policy and Procedures.................... 55
14.2.2 AT-2: Security Awareness Training ............................................................... 56
14.2.3 AT-3: Role-Based Security Training .............................................................. 57
14.2.4 AT-4: Security Training Records.................................................................... 58
14.3 Audit and Accountability (AU) .................................................................................. 58
14.3.1 AU-1: Audit and Accountability Policy and Procedures ................................ 58
14.3.2 AU-2: Audit Events ........................................................................................ 58
14.3.3 AU-3: Content of Audit Records .................................................................... 60
14.3.4 AU-4: Audit Storage Capacity ........................................................................ 61
14.3.5 AU-5: Response to Audit Processing Failures................................................ 61
14.3.6 AU-6: Audit Review, Analysis, and Reporting .............................................. 62
14.3.7 AU-7: Audit Reduction and Report Generation ............................................. 64
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xiii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

14.3.8 AU-8: Time Stamps ........................................................................................ 65
14.3.9 AU-9: Protection of Audit Information .......................................................... 66
14.3.10 AU-10: Non-Repudiation................................................................................ 66
14.3.11 AU-11: Audit Record Retention ..................................................................... 67
14.3.12 AU-12: Audit Generation ............................................................................... 67
14.4 Security Assessment and Authorization (CA) ............................................................ 68
14.4.1 CA-1: Security Assessment and Authorization Policy and Procedures.......... 68
14.4.2 CA-2: Security Assessments ........................................................................... 68
14.4.3 CA-3: System Interconnections ...................................................................... 69
14.4.4 CA-5: Plan of Action and Milestones ............................................................. 70
14.4.5 CA-6: Security Authorization ......................................................................... 71
14.4.6 CA-7: Continuous Monitoring ........................................................................ 71
14.4.7 CA-8: Penetration Testing .............................................................................. 72
14.4.8 CA-9: Internal System Connections ............................................................... 73
14.5 Configuration Management (CM) .............................................................................. 74
14.5.1 CM-1: Configuration Management Policy and Procedures ............................ 74
14.5.2 CM-2: Baseline Configuration........................................................................ 74
14.5.3 CM-3: Configuration Change Control ............................................................ 76
14.5.4 CM-4: Security Impact Analysis .................................................................... 77
14.5.5 CM-5: Access Restrictions for Change........................................................... 78
14.5.6 CM-6: Configuration Settings......................................................................... 79
14.5.7 CM-7: Least Functionality .............................................................................. 80
14.5.8 CM-8: Information System Component Inventory ......................................... 81
14.5.9 CM-9: Configuration Management Plan ........................................................ 84
14.5.10 CM-10: Software Usage Restrictions ............................................................. 84
14.5.11 CM-11: User-Installed Software ..................................................................... 85
14.6 Contingency Planning (CP) ........................................................................................ 85
14.6.1 CP-1: Contingency Planning Policy and Procedures ...................................... 85
14.6.2 CP-2: Contingency Plan.................................................................................. 86
14.6.3 CP-3: Contingency Training ........................................................................... 88
14.6.4 CP-4: Contingency Plan Testing..................................................................... 88
14.6.5 CP-6: Alternate Storage Site ........................................................................... 89
14.6.6 CP-8: Telecommunications Services .............................................................. 90
14.6.7 CP-9: Information System Backup ................................................................. 91
14.6.8 CP-10: Information System Recovery and Reconstitution ............................. 92
14.7 Identification and Authentication (IA)........................................................................ 93
14.7.1 IA-1: Identification and Authentication Policy and Procedures ..................... 93
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xiv
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

14.7.2 IA-2: User Identification and Authentication (Organizational Users) ............ 94
14.7.3 IA-3: Device Identification and Authentication ............................................. 95
14.7.4 IA-4: Identifier Management .......................................................................... 96
14.7.5 IA-5: Authenticator Management ................................................................... 96
14.7.6 IA-6: Authenticator Feedback......................................................................... 99
14.7.7 IA-7: Cryptographic Module Authentication.................................................. 99
14.7.8 IA-8: Identification and Authentication (Non-Organizational Users) .......... 100
14.8 Incident Response (IR) ............................................................................................. 100
14.8.1 IR-1: Incident Response Policy and Procedures ........................................... 100
14.8.2 IR-2: Incident Response Training ................................................................. 101
14.8.3 IR-3: Incident Response Testing................................................................... 101
14.8.4 IR-4: Incident Handling ................................................................................ 102
14.8.5 IR-5: Incident Monitoring ............................................................................. 103
14.8.6 IR-6: Incident Reporting ............................................................................... 104
14.8.7 IR-7: Incident Response Assistance.............................................................. 105
14.8.8 IR-8: Incident Response Plan........................................................................ 106
14.8.9 IR-9: Information Spillage Response............................................................ 106
14.9 Maintenance (MA) .................................................................................................... 107
14.9.1 MA-1: System Maintenance Policy and Procedures .................................... 107
14.9.2 MA-2: Controlled Maintenance .................................................................... 107
14.9.3 MA-3: Maintenance Tools ............................................................................ 108
14.9.4 MA-4: Nonlocal Maintenance ...................................................................... 109
14.9.5 MA-5: Maintenance Personnel ..................................................................... 110
14.9.6 MA-6: Timely Maintenance ......................................................................... 111
14.10 Media Protection (MP) ............................................................................................. 111
14.10.1 MP-1: Media Protection Policy and Procedures ........................................... 111
14.10.2 MP-2: Media Access ..................................................................................... 112
14.10.3 MP-3: Media Marking .................................................................................. 112
14.10.4 MP-4: Media Storage .................................................................................... 113
14.10.5 MP-5: Media Transport................................................................................. 113
14.10.6 MP-6: Media Sanitization ............................................................................. 114
14.10.7 MP-7: Media Use .......................................................................................... 115
14.11 Physical and Environmental Protection (PE) ............................................................ 115
14.11.1 PE-1: Physical and Environmental Protection Policy and Procedures ......... 115
14.11.2 PE-2: Physical Access Authorizations .......................................................... 116
14.11.3 PE-3: Physical Access Control ..................................................................... 117
14.11.4 PE-4: Access Control for Transmission Medium ......................................... 117
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xv
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

14.11.5 PE-5: Access Control for Output Devices .................................................... 118
14.11.6 PE-6: Monitoring Physical Access ............................................................... 118
14.11.7 PE-8: Visitor Access Records ....................................................................... 119
14.12 Planning (PL) ............................................................................................................ 119
14.12.1 PL-1: Security Planning Policy and Procedures ........................................... 119
14.12.2 PL-2: System Security Plan .......................................................................... 120
14.12.3 PL-4: Rules of Behavior ............................................................................... 121
14.12.4 PL-8: Information Security Architecture ...................................................... 122
14.13 Personnel Security (PS) ............................................................................................ 123
14.13.1 PS-1: Personnel Security Policy and Procedures .......................................... 123
14.13.2 PS-2: Position Risk Designation ................................................................... 123
14.13.3 PS-3: Personnel Screening ............................................................................ 123
14.13.4 PS-4: Personnel Termination ........................................................................ 124
14.13.5 PS-5: Personnel Transfer .............................................................................. 125
14.13.6 PS-6: Access Agreements ............................................................................. 125
14.13.7 PS-7: Third-Party Personnel Security ........................................................... 126
14.13.8 PS-8: Personnel Sanctions ............................................................................ 126
14.14 Risk Assessment (RA) .............................................................................................. 127
14.14.1 RA-1: Risk Assessment Policy and Procedures............................................ 127
14.14.2 RA-3: Risk Assessment ................................................................................ 127
14.14.3 RA-5: Vulnerability Scanning ...................................................................... 128
14.15 System and Services Acquisition (SA) ..................................................................... 130
14.15.1 SA-1: System and Services Acquisition Policy and Procedures .................. 130
14.15.2 SA-2: Allocation of Resources ..................................................................... 130
14.15.3 SA-3: System Development Life Cycle........................................................ 131
14.15.4 SA-4: Acquisition Process ............................................................................ 131
14.15.5 SA-5: Information System Documentation .................................................. 133
14.15.6 SA-8: Security Engineering Principles ......................................................... 133
14.15.7 SA-9: External Information System Services ............................................... 134
14.15.8 SA-10: Developer Configuration Management ............................................ 134
14.15.9 SA-11: Developer Security Testing and Evaluation ..................................... 135
14.15.10 SA-15: Development Process, Standards, and Tools ............................... 136
14.15.11 SA-17: Developer Security Architecture and Design ............................... 136
14.15.12 SA-22: Unsupported System Components ............................................... 137
14.16 System and Communications Protection (SC) .......................................................... 137
14.16.1 SC-1: System and Communications Protection Policy and Procedures ....... 137
14.16.2 SC-2: Application Partitioning ..................................................................... 137
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xvi
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

14.16.3 SC-4: Information in Shared Resources ....................................................... 138
14.16.4 SC-5: Denial of Service Protection ............................................................... 138
14.16.5 SC-6: Resource Availability ......................................................................... 139
14.16.6 SC-7: Boundary Protection ........................................................................... 139
14.16.7 SC-8: Transmission Confidentiality and Integrity ........................................ 142
14.16.8 SC-10: Network Disconnect ......................................................................... 143
14.16.9 SC-12: Cryptographic Key Establishment and Management ....................... 144
14.16.10 SC-13: Cryptographic Protection ............................................................. 144
14.16.11 SC-17: Public Key Infrastructure Certificates .......................................... 145
14.16.12 SC-18: Mobile Code ................................................................................. 145
14.16.13 SC-19: Voice Over Internet Protocol ....................................................... 145
14.16.14 SC-20: Secure Name / Address Resolution Service (Authoritative Source)
146
14.16.15 SC-21: Secure Name / Address Resolution Service (Recursive or Caching
Resolver) ....................................................................................................... 146
14.16.16 SC-22: Architecture and Provisioning for Name / Address Resolution
Service........................................................................................................... 147
14.16.17 SC-23: Session Authenticity ..................................................................... 147
14.16.18 SC-24: Fail in Known State ...................................................................... 147
14.16.19 SC-28: Protection of Information at Rest ................................................. 147
14.16.20 SC-CMS-1: Electronic Mail ..................................................................... 148
14.17 System and Information Integrity (SI) ...................................................................... 148
14.17.1 SI-1: System and Information Integrity Policy and Procedures ................... 148
14.17.2 SI-2: Flaw Remediation ................................................................................ 149
14.17.3 SI-3: Malicious Code Protection................................................................... 150
14.17.4 SI-4: Information System Monitoring .......................................................... 151
14.17.5 SI-5: Security Alerts, Advisories, and Directives ......................................... 153
14.17.6 SI-6: Security Functionality Verification...................................................... 154
14.17.7 SI-7: Software, Firmware, and Information Integrity ................................... 154
14.17.8 SI-8: Spam Protection ................................................................................... 155
14.17.9 SI-10: Information Input Validation ............................................................. 156
14.17.10 SI-11: Error Handling ............................................................................... 156
14.17.11 SI-12: Information Handling and Retention ............................................. 157
14.17.12 SI-16: Memory Protection ........................................................................ 157
14.18 Authority and Purpose (AP)...................................................................................... 157
14.18.1 AP-1: Authority to Collect ............................................................................ 157
14.18.2 AP-2: Purpose Specification ......................................................................... 158
14.19 Accountability, Audit, and Risk Management (AR) ................................................ 158
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xvii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

14.19.1 AR-1: Governance and Privacy Program ..................................................... 158
14.19.2 AR-2: Privacy Impact and Risk Assessment ................................................ 159
14.19.3 AR-4: Privacy Monitoring and Auditing ...................................................... 159
14.19.4 AR-5: Privacy Awareness and Training ....................................................... 160
14.19.5 AR-7: Privacy-Enhanced System Design and Development ........................ 160
14.19.6 AR-8: Accounting of Disclosures ................................................................. 161
14.20 Data Quality and Integrity (DI)................................................................................. 161
14.20.1 DI-1: Data Quality ........................................................................................ 161
14.21 Data Minimization and Retention (DM) ................................................................... 162
14.21.1 DM-1: Minimization of Personally Identifiable Information ....................... 162
14.21.2 DM-2: Data Retention and Disposal ............................................................. 163
14.21.3 DM-3: Minimization of PII Used in Testing, Training, and Research ......... 164
14.22 Individual Participation and Redress (IP) ................................................................. 164
14.22.1 IP-1: Consent ................................................................................................ 164
14.22.2 IP-2: Individual Access ................................................................................. 165
14.22.3 IP-3: Redress ................................................................................................. 165
14.22.4 IP-4: Complaint Management ....................................................................... 166
14.23 Security (SE) ............................................................................................................. 166
14.23.1 SE-1: Inventory of Personally Identifiable Information ............................... 166
14.23.2 SE-2: Privacy Incident Response .................................................................. 167
14.24 Transparency (TR) .................................................................................................... 167
14.24.1 TR-1: Privacy Notice .................................................................................... 167
14.24.2 TR-3: Dissemination of Privacy Program Information ................................ 168
14.25 Use Limitation (UL) ................................................................................................. 169
14.25.1 UL-1: Internal Use ........................................................................................ 169
14.25.2 UL-2: Information Sharing with Third Parties ............................................. 169
15. Systems Security Plan Attachments ................................................................................. 171
15.1 Attachment 1 – Information Security Policies and Procedures ................................ 173
15.2 Attachment 2 – Information System Documentation ............................................... 174
15.3 Attachment 3 – E-Authentication Worksheet ........................................................... 175
15.3.1 FFE Partner Identity Proofing Requirements ............................................... 175
15.3.2 Information System Name / Title ................................................................. 175
15.3.3 E-Authentication Level Definitions .............................................................. 176
15.3.4 E-Authentication Level Selection ................................................................. 178
15.4 Attachment 4 – PIA .................................................................................................. 179
15.4.1 Privacy Overview and Point of Contact (POC) ............................................ 179
15.5 Attachment 5 – Rules of Behavior ............................................................................ 181
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xviii
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

15.6 Attachment 6 – Information System Contingency Plan ........................................... 182
15.7 Attachment 7 – Configuration Management Plan .................................................... 183
15.8 Attachment 8 – Equipment List ................................................................................ 184
15.9 Attachment 9 – Software List ................................................................................... 185
15.10 Attachment 10 – SSP Detailed Configuration Setting Standards ............................. 186
15.11 Attachment 11 – Incident Response Plan ................................................................. 187
15.12 Attachment 12 – Applicable Laws, Regulations, Standards, and Guidance............. 188
15.13 Attachment 13 – Security and Privacy Agreements and Compliance Artifacts ....... 189
Appendix A. List of Acronyms ................................................................................................. 192

List of Tables
Table Instr-1-1. Sample 1 – CM-4: Security Impact Analysis (Sample Response) ...................... vii
Table Instr-1-2. Sample 2 – AR-5: Privacy Awareness and Training (Sample Response) .......... viii
Table 1-1. Information System Name and Title .............................................................................. 1
Table 2-1. Security Categorization ................................................................................................. 1
Table 2-2. Baseline Security Configuration .................................................................................... 2
Table 3-1. Information System Owner............................................................................................ 3
Table 4-1. System Authorizing Official .......................................................................................... 3
Table 5-1. Information System Management Point of Contact ...................................................... 4
Table 5-2. Information System Technical Point of Contact ............................................................ 4
Table 6-1. Non-Exchange Entity Name Internal ISSO (or Equivalent) Point of Contact .............. 5
Table 6-2. Non-Exchange Entity Internal Official for Privacy (or Equivalent) Point of Contact .. 5
Table 6-3. CMS ISSO Point of Contact .......................................................................................... 6
Table 7-1. System Status ................................................................................................................. 6
Table 8-1. Service Provider Architecture Layers Represented in this SSP..................................... 7
Table 9-1. Internal Personnel Roles and Privileges ...................................................................... 10
Table 9-2. External Users.............................................................................................................. 12
Table 11-1. System Environment .................................................................................................. 17
Table 11-2. Ports, Protocols, and Services .................................................................................... 22
Table 12-1. Interconnections......................................................................................................... 24
Table 12-2. System Interconnections ............................................................................................ 25
Table 13-1. Information System Name Laws and Regulations .................................................... 26
Table 13-2. Information System Name – Standards and Guidance .............................................. 26
Table 14-1. Summary of Required Security and Privacy Controls............................................... 27
Table 15-1. Attachment File Naming Convention ...................................................................... 171
Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xix
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

Table 15-2. Information System Name and Title ........................................................................ 175
Table 15-3. Maximum Potential Impacts for Each of the Three Assurance Levels (IAL, AAL, and
FAL) ............................................................................................................................................ 178
Table 15-4. E-Authentication Assurance Levels and Authentication Solutions ......................... 178
Table 15-5. System Name Privacy POC ..................................................................................... 179
Table 15-6. Required Security and Privacy Agreements and Compliance Artifacts for EDE
Entities ........................................................................................................................................ 190
Table 15-7. Required Security and Privacy Agreements and Compliance Artifacts for NEEs
participating in Classic Direct Enrollment Program Only .......................................................... 191

List of Figures
Figure 9-1. Authorization Boundary Diagram ................................................................................ 9
Figure 9-2. Network Diagram ....................................................................................................... 14
Figure 11-1. Data Flow Diagram .................................................................................................. 20

Non-Exchange Entity System Security and Privacy Plan
NEE SSP Version 0.1
CMS SSP Template v 3.1

xx
SSP Report Publication Date

Sensitive and Confidential Information – For Official Use Only

Sensitive and Confidential Information – For Official Use Only
Non-Exchange Entity Name (Acronym)

System Security Plan Approvals
Signatures of Non-Exchange Entity Organization System Authorizing Official(s) are required
below.

Name



Title



Date



Date