CIO Resource Library Overview

The Centers for Medicare & Medicaid Services (CMS) Chief Information Officer (CIO) Policy Framework governs the development, review, approval, maintenance, and revocation of agency-level CIO policy documents written by CMS or on behalf of CMS. CIO policy documents include policies, technical standards, and directives that encompass topics related to information technology (IT) and information security and privacy.

The CMS CIO Policy Framework uses agency-level policies, directives, and technical standards to convey IT Governance. Categories of CIO documents are described below.

Policy

A policy is a guiding principle, direction, or expectation typically established by CMS senior management to influence and determine decisions. A CIO Policy is usually predicated on oversight requirements. Typical characteristics: (1) Include clear, concise and simple language and comply with the Plain Language Act of 2010; (2) Contain “must” statements; (3) Address what the rule is rather than how to implement it; (4) Is readily available to all affected parties; (5) Results in punitive actions for failure to comply.

CMS CIO policies are mandatory. All new or substantially revised CIO policies require substantial agency-wide vetting and clearance by the CIO and are submitted for version control and posted on the public-facing CMS website. Note: Policies containing sensitive information are subject to restricted distribution and may not be posted on the CMS website.    

CIO Directive

A CIO Directive allows the CIO to respond to identified gaps in CMS policy and instruction. Directives are used to issue direction on policy-level issues where current direction does not exist. CIO Directives may also serve as a stop-gap to provide immediate guidance while a policy is being developed/updated, cleared, and approved. CIO Directives may require action or may be for informational purposes to help clarify existing policy.

CMS Technical Standards

For the purposes of CMS CIO Policy Framework, a technical standard refers to one or more related technical specifications that have been internally developed, sanctioned, and mandated for use by CMS. CMS’ technical standards are documented in the form of the CMS Technical Reference Architecture (TRA) and Supplements and information security standards. The CMS TRA specifies standards for compliance with CMS’ Enterprise Architecture, CIO policies, and the CMS Acceptable Risk Safeguards (ARS). CMS technical standards are enforced and are enforceable based on CMS-defined conformance criteria.

Guidelines and Best Practices

Guidelines provide guidance and best practices relative to a particular topic. They may accompany, interpret, or provide guidance for implementing CIO policies, or may provide guidance to various CMS IT Life Cycle activities. Guidelines are recommended best practices but are not required to be in compliance with policy. A guideline aims to streamline particular processes according to a set routine or sound practice. By definition, following a guideline is never mandatory. Guidelines are not binding and are not enforced. Some CMS IT guidelines are referred to as “Practices Guides”.

A best practice is a technique, method, process, activity, incentive, or reward that is believed to be one of the most effective approaches for delivering a particular outcome when applied to a particular condition or circumstance. The idea is that with proper processes, checks, and testing, a desired outcome can be delivered with fewer problems and unforeseen complications. Best practices can also be defined as the most efficient (least amount of effort) and effective (best results) way of accomplishing a task, based on repeatable procedures that have proven themselves over time for large numbers of people. A best practice can be adopted as a guideline.

CIO Procedures

CIO procedures consist of step by step instructions to assist workers in implementing policies, standards, and guidelines. Procedures document “how to” accomplish specific IT tasks or use IT services. These procedures may apply at the agency level or they may be localized to reflect the practices or requirements of a specific CMS office, center, group, division, or workgroup.