An Interconnection Security Agreement (ISA) is a document that defines the security-related aspects of an intended connection between an agency system and an external system. The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit.
In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations and listing appropriate courses of action in the event of a security incident or breach. ISAs also authorize mutual permission to connect both parties and establish a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks.
ISAs are typically preceded by a formal Memorandum of Understanding (MOU) that defines high-level roles and responsibilities for the management of the planned cross-domain connection.
Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. All CMS ISAs are based on the National Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems Special Publication (SP) 800-47 Rev. 1.
ISAs require the use of the Interconnection Security Agreement (ISA) Template. The template is provided below -- your team may copy the information from this page and substitute the information relevant to your specific system and connection needs.
The CMS and ISA Review Log is maintained to record the annual reviews of each ISA. The CMS and ISA Review Log is provided below.
The purpose of this Interconnection Security Agreement (ISA) is to establish procedures for mutual cooperation and coordination between the Centers for Medicare & Medicaid Services (CMS) and hereafter referenced as the “Non-CMS Organization,” regarding the development, management, operation, and security of a connection between CMS’ , hereafter known as the CMS Network, and the Non-CMS Organization’s network. This ISA is intended to minimize security risks and ensure the confidentiality, integrity, and availability (CIA) of CMS information as well as the information that is owned by the external organization that has a network interconnection with CMS. This ISA ensures the adequate security of CMS information being accessed and provides that all network access satisfies the mission requirements of both CMS and Non-CMS Organizations, hereafter known as “both parties.”
Federal policy requires agencies to develop ISAs for federal information systems and networks that share or exchange information with external information systems and networks. This ISA is based on the National Institute of Standards and Technology (NIST) Security Guide for Interconnecting Information Technology Systems (Special Publication (SP) 800-47). NIST SP 800-47 states: “A system approved by an ISA for interconnection with one organization’s system shall meet the protection requirements equal to, or greater than, those implemented by the other organization’s system.” The guidelines establish information security (IS) measures that shall be taken to protect the connected systems and shared data. CMS IT managers and IS personnel shall comply with NIST SP 800-47 or any successor document in managing the process of interconnecting information systems and networks.
The ISA contains all information both parties need to understand their responsibilities to each other in protecting the privacy and security of the systems they will connect and the information they will use that connection to transmit. In addition to assigning specific responsibilities to each party, it outlines security safeguards, including administrative, operational, and technical requirements. Administrative requirements include the business and legal requirements for each party, setting out contractual obligations, and listing appropriate recourses. It also authorizes mutual permission to connect both parties and establishes a commitment to protect data that is exchanged between the networks or processed and stored on systems that reside on the networks. Through this ISA, both parties shall minimize the susceptibility of their connected systems and networks to IS risks and aid in mitigation and recovery from IS incidents.
As an agency of the Department of Health and Human Services (DHHS), CMS administers the Medicare, Medicaid, and State Children’s Health Insurance Program (SCHIP) programs. Its mission is to ensure effective, up-to-date healthcare coverage and to promote quality care for beneficiaries.
The CMS IS Program helps CMS accomplish its mission by ensuring the CIA of CMS information resources. The CMS IS Program has developed policies, standards, procedures, and guidelines that ensure the adequate protection of agency information and comply with Federal laws and regulations. CMS monitors the security of its network twenty-four (24) hours a day, seven (7) days a week, i.e., 24/7, through a variety of administrative, operational, and technical processes. Training initiatives are continuously updated to ensure that managers, users, and technical personnel know they are responsible for the adequate security of their information systems.
The CMS CIO is responsible for the overall implementation and administration of the CMS Information Security Program.
The CMS CISO supports the CIO in implementing the CMS IS Program. The CMS CISO directs, coordinates, and evaluates the IS policy of CMS.
The CMS ISSO is the liaison for IS within their assigned portfolio of systems. ISSOs implement standard IS policies and collaborate across CMS concerning the CIA of information resources. Although the ISSOs report directly to their own management, as part of their IS responsibilities, the ISSOs have responsibilities to the CMS CISO and, thus, to the CMS CIO. In their IS role, ISSOs take direction from the CMS CIO or the CMS CISO when action is required to protect CMS assets from potential vulnerabilities and threats. The CMS CISO and ISSOs will work with Non-CMS Organizations to enhance IS measures.
The CMS Business Owner (BO) is responsible for the management and oversight of the hereafter known as the CMS information system that requires the interconnection with the Non-CMS Organization. The BO serves as the primary point of contact (POC) for the Non-CMS Organization on matters related to .