Business Rules for Application Performance Monitoring

To guide IT PM within the CMS Production Environments, CMS developed the following business rules for performance monitoring and measurement (PMM).

BR-PMM-1: Performance Monitoring Data Is FOUO

IT PM data, generated from CMS data and the performance of CMS IT resources, will be treated as For Official Use Only (FOUO).

Related CMS ARS Security Controls include: SI-4 - System-Generated Alerts.

Rationale:

IT PM data contains information about the performance of government applications and should be used only for ensuring and improving the performance of CMS processing systems. This data is also used to update the CPIC Annual Operational Analysis Report. IT PM data must be kept long enough to inform such reports and to meet federal and CMS data retention and records management guidelines.

BR-PMM-2: Control Access to Performance Monitoring Data

Access to the performance monitoring data must be controlled.

Related CMS ARS Security Controls include: SI-4 - System-Generated Alerts.

Rationale:

Performance monitoring data is FOUO and may contain CMS data.

BR-PMM-3: Monitor Production Environments

All applications in Production must be monitored for performance. This includes infrastructure and application performance monitoring.

In addition to mandated security logging, applications must log performance and troubleshooting data, such as transaction paths taken and timing.

Rationale:

Production applications must be monitored for performance to ensure that CMS services are provided at a known level of quality.