TRA References

The TRA References contains references in each section of the CMS TRA.

Foundation

• CMS Acceptable Risk Safeguards (ARS)

• CMS Policy for Information Security and Privacy., Version 3, CMS, June 14, 2022

• National Institute of Standards and Technology (NIST), NIST Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A Security Life Cycle Approach for Security and Privacy, December 2018

• NIST SP 800-34 REV-1, Contingency Planning Guide for Federal Information Systems, May 10, 2010

• Federal Data Center Consolidation Initiative, Office of Management and Budget (OMB), Memorandum for Chief Information Officers, Federal CIO Kundra, February 26, 2010.

• Update to Data Center Consolidation Initiative (DCOI), Office of Management and Budget (OMB), Memorandum for Chief Information Officers, Federal CIO Kent, June 25, 2019.

• Federal Cloud Computing Strategy, OMB/Federal CIO Kundra, February 14, 2011 (Cloud First Policy)

• Federal Cloud Computing Strategy, OMB/Federal CIO Kent, June 24, 2019 (Cloud Smart Policy)

• Federal Shared Services Strategy, OMB/Federal CIO VanRoekel, May 2, 2012.

• OMB, Circular No. A-130, Managing Information as a Strategic Resource, November 8, 2000, revised July 28, 2016

• NIST Glossary

• NIST, Guide to Cyber Threat Information Sharing, SP 800-150

Network Services

CMS Network Services

• Medicare Pub 100-17, CMS/ Business Partners Systems Security Manual, (Rev. 11570; Issued 08-19-22; Effective 03-07-22; Implementation 04-03-23)

• CMS Cloud, IPv6 Migration

• NIST SP 800-119, Guidelines for the Secure Development of IPv6, December 2010

Security Services

• CMS Acceptable Risk Safeguards (ARS)

• CMS Policy for Information Security and Privacy, Version 3, CMS, June 14, 2022

• CMS Business Partners System Security Manual, Rev 14, CMS Pub 100-17, 6/5/2018

• CMS Risk Management Handbook Chapter 14: Risk Assessment (RA), April 13, 2021

• Federal Information Processing Standard (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, March 22, 2019

• National Institute of Standards and Technology (NIST), An Introduction to Computer Security, NIST Special Publication (SP) 800-12 Revision 1, June 22, 2017

• NIST, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Rev. 2, August 29, 2019

• NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5, December 10, 2020

• NIST, Assessing Security and Privacy Controls in Information Systems and Organizations, NIST SP 800-53A Rev 5, January 25, 2022

• NIST, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 Rev 1, September 28, 2009

• NIST Guide to Information Technology Security Services, NIST SP 800-35, October 9, 2003

• NIST, Guidelines on Securing Public Web Servers, Version 2, NIST SP 800-44, October 9, 2007

• NIST, Guide to IPSec VPNs, NIST SP 800-77 Rev. 1,June 30, 2019

• NIST, Recommendation on Key Management, NIST SP 800-57 Part 1 Rev. 5, May 4, 2020 -

• NIST, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST, SP 800-37 Rev. 2, December 20, 2018

• NIST, Guide to Intrusion Detection and Prevention Systems (IDPS) , NIST SP 800-94, February 20, 2007

• National Security Agency (NSA), Net-Centric Enterprise Services (NCES) Profile of Web Service Security: Simple Object Access Protocol (SOAP) Message Security (WSSE), 02 May 2008, NSA Profile 20080522.

• NIST, Guide to Secure Web Services , NIST SP 800-95, August 29, 2007

• NIST, Information Security Continuous Monitoring for Federal Information Systems and Organizations, NIST SP 800-137, September 30, 2011

• OMB M-15-13, Policy to Require Secure Connections across Federal Websites and Web Services, June 8, 2015

• OMB M-08-23, Securing the Federal Government’s Domain Name System Infrastructure, August 22, 2008

• OMB M-05-04, Policies for Federal Agency Public Websites, December 17, 2004

• RFC 5905, Network Time Protocol Version 4: Protocol and Algorithms Specification, June 2010

CCIC Integration

• FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004

• NIST, SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, February 2006

• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments, September 2012

• NIST SP 800-53A, Assessing Security and Privacy Controls in Information Systems and Organizations, January 25, 2022

• NIST, SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, August 2008

• OMB Memorandum M-06-16, Protection of Sensitive Agency Information, June 23, 2006

• OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, January 3, 2017

• OMB Memorandum M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program, December 2018

• CISA Binding Operational Directive (BOD) 18-02, Securing High Value Assets, May 2018

• CISA High Value Asset Control Overlay, Version 2.0, November 2017

• CISA Continuous Diagnostics and Mitigation (CDM) Program

• HHS Policy for the High Value Asset (HVA) Program, February 2018

• GSA, Continuous Diagnostics & Mitigation Tools

Wide Area Network Services

• Concept of Operations for Wide Area Network Modernization, Version 0.3, CMS, September 17, 2007.

• Enterprise Data Centers Program Management Office Concept of Operations, Initial Draft, Version 0.1, CMS, January 16, 2006.

• Enterprise Data Centers Concept of Operations, Version 1.1, CMS, October 1, 2004.

• Analysis of WAN Modernization Options, Draft, Version 0.7, CMS, January 5, 2006.

• Government Accountability Office (GAO), Centers for Medicare & Medicaid Services Need to Establish Critical Investment Management Capabilities, GAO-06-12 (p. 5), October 28, 2005

• GAO, The Centers for Medicare & Medicaid Services Needs to Improve Controls over Key Communication Network, GAO-06-750, August 30, 2006

• Office of Management and Budget, M-08-05, Implementation of Trusted Internet Connections, November 20, 2007

• Office of Management and Budget, M-05-22, Transition Planning for Internet Protocol Version 6 (IPV6)

• NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5, December 10, 2020

Access Control and Identity Management

• Federal Information Processing Standard (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules , March 22, 2019

• NIST, Digital Identity Guidelines, NIST SP 800-63

• NIST, An Introduction to Information Security, NIST SP 800-12 Rev. 1, June 2017

• NIST, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations, NIST SP 800-52 Rev. 2, August 2019

• NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5, December 10, 2020

• NIST, Assessing Security and Privacy Controls in Information Systems and Organizations, NIST SP 800-53A Rev 5, January 25, 2022

• NIST, Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 Rev 1, September 28, 2009

• NIST, Guide to Information Technology Security Services, NIST SP 800-35, October 9, 2003

• NIST, Guidelines on Securing Public Web Servers, Version 2, NIST SP 800-44, October 9, 2007

• NIST, Guide to IPSec VPNs, NIST SP 800-77 Rev. 1,June 30, 2019

• NIST, Recommendation on Key Management, NIST SP 800-57 Part 1 Rev. 5, May 4, 2020

• NIST, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, NIST SP 800-37 Rev. 2, December 20, 2018

• NIST SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), February 2007

• CMS Acceptable Risk Safeguards (ARS)

• CMS Business Partners System Security Manual, Transmittal 9, CMS Pub 100-17, June 20, 2008

• CMS Risk Management Handbook, Chapter 14: Risk Assessment (RA), April 13, 2021

• Federal Identity, Credential, and Access Management (FICAM) Architecture and Playbooks

• FIPS PUB 201-3: Federal Identity Verification (PIV) of Federal Employees and Contractors, January 2022

Domain Name System Services

• NIST An Introduction to Information Security, NIST SP 800-12 Rev. 1, June 2017

• NIST, Security in Open Systems, NIST SP 800-7, July 1994

• DNS and BIND, 5th edition, Paul Albitz and Cricket Liu, May 2006.

• NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5, December 10, 2020

• Request for Proposals (RFP) for CMS Enterprise Data Centers Procurement, RFP No. CMS-2005-0003, CMS, July 24, 2005.

• NIST, Guide to Information Technology Security Services, NIST SP 800-35, October 9, 2003 - https://csrc.nist.gov/publications/detail/sp/800-35/final.

• Secure Domain Name System (DNS) Deployment Guide, NIST SP 800-81-2, September 2013

• Quick CMS Extranet DNS References for CMS Business Partners.doc, GFI.

• CMS DNS Name Space and 3 Zone DNS Naming Convention.doc, GFI.

• Final - CMS (MDCN) Extranet DNS - MMA Help Desk Configuration.doc, GFI.

Infrastructure Services

Virtualization

• Federal Information Processing Standard (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, March 22, 2019

Cloud IaaS and PaaS Infrastructure

• CMS Acceptable Risk Safeguards (ARS)

• HHS Cloud Computing Tactical Implementation and Transition, v1.2.2b, Department of Health and Human Services, July 2012.

• National Institute of Standards and Technology (NIST), Special Publication (SP) 800-146, Cloud Computing Synopsis and Recommendations, May 2012

• NIST SP 800-145, The NIST Definition of Cloud Computing, September 2011

• NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing, December 2011

• Cloud Security Alliance, Security Guidance for Critical Areas of Focus in Cloud Computing 4.0, July 26, 2017

• Office of Management and Budget (OMB), M-11-29, Chief Information Officer Authorities, August 8, 2011

• Federal Cloud Computing Strategy, OMB/Federal CIO Kundra, February 14, 2011 (Cloud First Policy)

• Federal Cloud Computing Strategy, OMB/Federal CIO Kent, June 24, 2019 (Cloud Smart Policy)

• CMS Information Security and Privacy Overview - https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity

• Memorandum: Security Authorization of Information Systems in Cloud Computing Environments, Office of Management and Budget, Federal CIO (Steven VanRoekel), December 8, 2011

• FedRAMP Security Controls, v1.0, U.S. General Services Administration, December 8, 2011.

• NIST, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53 Rev. 5, December 10, 2020

• Common security and privacy acronyms used at CMS

• CMS Cloud Computing Standard, CMS Office of the Chief Information Security Officer, Risk Management Handbook Volume III, Version 1.0, May 3, 2011

• NIST, Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information Systems and Organizations: A Security Life Cycle Approach for Security and Privacy, December 2018

IT Performance Management

• IBM Tivoli Composite Application Monitor (ITCAM), Version 7.2.1.2

• Monitoring and Diagnosing Applications with Application Response Measurement (ARM) 4.0, Mark W. Johnson, IBM, 1998

• CMS Acceptable Risk Safeguards (ARS)

File Transfer

• CMS Enterprise File Transfer Infrastructure, Version 1.1, June 2006 (Updated: October 2006), Document Number: CMS-CIO-STD-ARC02.

• CMS Enterprise File Transfer Gentran User’s Guide, Version 2.0, April 15, 2010.

• CMS Enterprise File Transfer Connect:Direct User’s Guide, Version 2.0, April 15, 2010.

• Internet Engineering Task Force (IETF) SSH File Transfer Protocol, Draft 13

• IETF File Transfer Protocol (FTP) over Transport Layer Security (TLS), RFC4217

• Federal Information Processing Standard (FIPS) Publication 140-3, Security Requirements for Cryptographic Modules, March 22, 2019

• “Enterprise File Transfer Architecture Redesign Overview,” CMS YouTube Video, May 2, 2011 -

Internet of Things (IoT)

• NIST SP 800-53 Rev. 5, NIST, Security and Privacy Controls for Information Systems and Organizations, December 10, 2020

• NIST, IoT security guidance

• NIST, NISTIR 8228: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, June 2019

Disaster Recovery

• CMS Risk Management Handbook Chapter 12: Security & Privacy Planning (PL)

• Department of Homeland Security Federal Continuity Directive 1, January 17, 2017

• Department of Homeland Security Federal Continuity Directive 2, June 13, 2017

Application Development

Centers for Medicare & Medicaid Services (CMS) Publications

• CMS Acceptable Risk Safeguards (ARS)

• CMS Risk Management Handbook Chapter 5: Configuration Management (CM)

Executive Branch Guidance

• “U.S. Digital Services Playbook”

Defense Information Systems Agency (DISA) Guides

• Application Security and Development (ASD) Security Technical Implementation Guide (STIG), Version 5, DISA, September 30, 2020

National Institute of Standards and Technology (NIST)

• NIST, SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, June 2017 -

• NIST SP 800-132, Recommendation for Password-based Key Derivation Part 1: Storage Applications, December 2010

Additional References

• Managing the Software Process, Watts Humphrey, Addison-Wesley, 1990.

• CWE™/SANS TOP 25 Most Dangerous Software Errors, SANS Institute

• SAFECode, “Fundamental Practices for Secure Software Development”, 3rd Edition, March 2018

• “Common Weakness Enumeration (CWE™)”, The MITRE Corporation

• Viega and Messier, Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More, O’Reilly, 2003.

• Martin, R. C. Clean code: a handbook of agile software craftsmanship. Pearson Education, 2008.

• Beck, K. Test-driven development: by example. Addison-Wesley Professional, 2003.

• Gilb, T., Graham, D., & Finzi, S. (1993). Software inspection. Addison-Wesley Longman Publishing Co., Inc., 1993.

• Meszaros, G. xUnit test patterns: Refactoring test code. Pearson Education, 2007.

• Capers Jones, “Software Engineering Best Practices: Lessons from Successful Projects in the Top Companies”, McGraw-Hill, 2010.

• Diomidis Spinelis, “15 Rules for Writing Quality Code”, June 9, 2014

• Watts S. Humphrey, Managing the Software Process, Addison-Wesley, 1990.

• John Ousterhout, “Why threads are a bad idea (for most purposes)”, September 28, 1995

CMS Standards

• CMS Acceptable Risk Safeguards (ARS)

• “Security in a Web Services World: A Proposed Architecture and Roadmap”, IBM and Microsoft, April 1, 2002

Best Commercial Practices

• Duvall, Paul, Matyas, Steve, and Glover, Andrew, Continuous Integration: Improving Software Quality and reducing Risk, Addison Wesley, 2007.

• Humble, Jez and Farley, David, Continuous Delivery: Reliable Software Releases Through Build, Test, and Deployment Automation, Addison Wesley, 2011, ISBN 978 0 321 60191.9.

Web Services and Web APIs

CMS Standards

• CMS Acceptable Risk Safeguards (ARS)

• CMS Policy for Information Security and Privacy, Version 3, CMS, June 14, 2022

• CMS SOA Strategy, Version 1.0, CMS, June 30, 2010

NIST Special Publications

• NIST, Guide to Secure Web Services, NIST SP 800-95, August 29, 2007

Industry Security Standards

• “Security in a Web Services World: A Proposed Architecture and Roadmap”, IBM and Microsoft, April 1, 2002

• “Enabling the Mission – A Practical Guide to Federal Service Oriented Architecture”, Federal CIO Council, 2008.

REST Standards

• Architecture of REST: W3C, Architecture of the World Wide Web, 15 Dec 2004

• Atom Standard, IETF, The Atom Syndication Format, Dec 2005

• HTTP Semantics, IETF RFC 9110, June 2022

• The JavaScript Object Notation (JSON) Data Interchange Format, IETF STD 90 RFC 8259, December 2017

• JSON Web Tokens, IETF RFC 7519, May 2015

• MIME Standard, IETF, Multipurpose Internet Mail Extensions (MIME): Format of Internet Message Bodies, Nov 1996

• List of Media Types (MIME Types), Internet Assigned Numbers Authority (IANA), Media Types, Sep 30, 2022

• NIEM Standard; NIEM

• RSS Feed Standard, W3C

• SOA Architecture: OASIS, OASIS Reference Architecture Foundation for Service Oriented Architecture, Version 1.0, 04 Dec 2012

• URI Standard: IETF, Universal Resource Identifier (URI)L Generic Syntax, IETF STD 66, RFC 3986, January 2015

• WADL Standard: W3C (Mark J. Hadley), Web Application Description Language (WADL), Aug 31 2009

• WSDL 2.0 Standard: W3C, Web Services Description Language 2.0 (WSDL), June 26 2007

REST References

• S. Allamaraju, RESTful Web Services Cookbook, Feb 2010, O’Reilly

• Amazon, Simple Storage Service (S3)

• G. Beuchelt, T. Kehoe, P. J. Miller, R. Modeen, C. Partridge, M. Patron, D. P. Robbins, and R. O. Wilson, RESTful Services Guidance for Developers v 1.0, MITRE Technical Report MTR100093, Apr 2010, MITRE

• Roy Fielding, Architectural Styles and the Design of Network-based Software Architectures, 2000, PhD Thesis UC Irvine

• Mark Massé, REST API Design Rulebook, O’Reilly, Oct 2011

• S. Tyagi, RESTful Web Services, Aug 2006

• L. Richardson and S. Ruby, RESTful Web Services, May 2007, O’Reilly

• Gabriel Bechara, “Web Services Versioning”

• “API Evangelist”

• General Services Administration, “18F API Standards”

SOAP Standards

• The WS-* Standards, OASIS

• The SOAP Standard, W3C, Simple Object Access Protocol (SOAP), 27 Apr 2007

• SOAP with Attachments Standard, W3C, SOAP Message Transmission Optimization Mechanism (MTOM), 25 Jan 2005

Web-based UI Services

• CMS Identity Mark Guidelines, CMS

• Communications Handbook: Agency Guidelines, CMS, July 2009.

• Section 508.gov

• Office for Civil Rights, Department of Health and Human Services (HHS)

• Health Information Privacy, HHS

• Platform for Privacy Preferences (P3P) Project, W3C

• CMS Acceptable Risk Safeguards (ARS)

Open Source Software

• CMS Open Source Software Policy, CMS Open Source Software Policy

• The Open Source Definition, Open Source Initiative

• Release CMS Code as Open Source Software (OSS), CMS Research Spotlight - May 9, 2022

• Woods, D. and G. Guliani, Open Source for the Enterprise: Managing Risks, Reaping Rewards, O’Reilly Media, Inc., July 2005

• Comparison of Free Software Licenses

Portlet Services

• CMS Acceptable Risk Safeguards (ARS)

• Java Specification Request (JSR) 168: Portlet Specification, Java Community Process

• JSR 286: SA SL Specification, Java Community Process

• Introduction to JSR 168 - The Java Portlet Specification, Sun Microsystems, 2003

Business Intelligence

• CMS Business Intelligence Strategy, Version 1.5, CMS, December 9, 2008.

• Cognos ReportNet Guidelines, CMS, March 3, 2006.

• MicroStrategy 8 Guidelines, CMS, March 16, 2006.

• CMS Integrated Data Strategy, Draft, CMS / Office of E-Health Standards and Services (OESS), August 2007.

• CMS Acceptable Risk Safeguards (ARS)

• CMS MicroStrategy System Security Plan, Version 1.0, Draft, April 18, 2010.

Containers and Microservices

• You've heard the benefits of containers, now understand the challenges, David Linthicum

• Ten Layers of Container Security, Redhat

• Introduction to Microservices, Chris Richardson

• Microservices and DevOps: Better together, Mulesoft

• Microservices definition

• Adopting Microservices at Netflix: Lessons for Architectural Design

• Where to Start with Containers and Microservices

• Why You Need a Container Orchestration Tool

• From Containers to Container Orchestration

• Amazon Elastic Container Service

• Serverless Architecture The Future of Business Computing

Input Validation

• Apache Struts 2.3.x Security Bulletin, March 29, 2017

• Biasini, N.Content-Type: Malicious - New Apache Struts2 0-day Under Attack, March 8, 2017

• CWE-20: Improper Input Validation

• Improper Data Validation, (n.d.)

Configuration Management

• CMS Policy for Configuration Management, CMS-CIO-POL-MGT01-01, April 2012

• ISO/IEC/IEEE 12207, Software Life Cycle Processes, November 2017

• NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, October 2019