Firmware and Supply Chain Requirements in the Latest CMS Acceptable Risk Safeguards (ARS)
The Centers for Medicare & Medicaid Services (CMS) is a critical part of the U.S. Department of Health and Human Services (HHS) and is responsible for the personally identifiable information (PII) of more than 140 million Americans. Naturally, the CMS needs to ensure that sensitive data stays protected even as it is shared across countless CMS contractors and subcontractors. To this end, the agency has established the Acceptable Risk Safeguards (ARS), which explicitly defines the minimum security controls required for protecting CMS data.
These minimum baselines are applied to the CMS itself as well as any organization that uses CMS data. The technical requirements are based on NIST’s highly influential SP 800-53 security controls and other federal regulations such as FedRAMP. SP 800-53 puts a strong focus on firmware and supply chain security, and these areas are likewise front and center in the CMS ARS. Just as a high-level reference, in the latest version of the ARS (version 5.1), the term “firmware” appears 47 times, while “supply chain” appears 130 times, spread across a wide range of controls and control families. These are not one-off requirements or corner cases, but rather key elements of a strong security practice.
For insurers and healthcare organizations that use CMS data, this means that their security and compliance teams will now have strong requirements that they will need to meet in order to maintain compliance. Let’s take a look at a few examples and what organizations can do today.
SI-07 – Software, Firmware, and Information Integrity
Firmware is called out repeatedly in the ARS, including in CA – Assessment and Monitoring, CM – Change Management, RA – Risk Assessment, MA – Maintenance, and SC – System and Communications Protection. However, the most pointed firmware requirements are tied to the SI – System and Information Integrity controls. More specifically, SI-07 focuses on Software, Firmware, and Information Integrity and calls out the requirement to:
a. Employ integrity verification tools to detect unauthorized changes to software, firmware, and information; and
b. Take the following actions when unauthorized changes to the software, firmware, and information are detected: e.g., parity checks, cyclical redundancy checks, cryptographic hashes.
Eclypsium gives organizations a simple, automated way to address these requirements.
Referenced by name in NIST SP 1800-34 as a vendor-agnostic platform integrity verification solution, the Eclypsium Platform automates the monitoring of firmware on a wide range of devices including laptops, servers, and network devices. The platform can ensure the devices are only running known good versions of firmware and can further track any changes, and identify risks, vulnerabilities, or threats within firmware or components.
This assessment is performed on every scan: on every startup and on a configurable schedule dictated by customer requirements. Eclypsium also analyzes other critical system components, configurations, and code for problems. This includes auditing Secure Boot configuration, TPM configuration, hardware changes, and root-of-trust validity.
SR – Supply Chain Risk Management
NIST 800-53 rev. 5 put an unprecedented focus on supply chain security. While supply chain issues were called out in previous versions, rev 5 introduced a new control family dedicated to the topic, SR – Supply Chain Risk Management. CMS notably has brought many of these controls into the latest ARS. Specifically, the ARS calls out:
Threat actions that may increase security or privacy risks include unauthorized production, the insertion or use of counterfeits, tampering, theft, insertion of malicious software and hardware, and poor manufacturing and development practices in the supply chain.
To address these risks, organizations will need to meet the following requirements:
Establish a process or processes to identify and address weaknesses or deficiencies in the supply chain elements and processes of Business/System-defined system or system component (defined in applicable security and privacy plans) in coordination with CMS OIT, or designee, and the CMS CISO, or designee;
Document, monitor, and maintain valid provenance of the following systems, system components, and associated data: HVA systems, components, and data.
Assess the system, system component, or system service prior to selection, acceptance, modification, or update.
Once again Eclypsium gives organizations a turn-key way to address these requirements. Prior to acquisition, teams can use supply chain intelligence from the Eclypsium Guide to evaluate prospective products for the presence of low-level vulnerabilities and misconfigurations within products and components. Eclypsium can subsequently verify that all systems and updates match vendor-supplied SBOMs and that products and components have not been altered or tampered with in the supply chain. Eclypsium can further detect insecure update mechanisms and can provide ongoing behavioral monitoring after an update in order to detect potential threats delivered within vendor-approved updates.
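The two requirements above, SI-07's integrity verification with a defined response, and SR's provenance check that shipped components match a vendor-supplied SBOM, both reduce to the same mechanism: compute a cryptographic hash of each firmware image on the device and compare it against a trusted reference. The following Python example is added here to illustrate that mechanism; it is not Eclypsium's code and not part of the ARS. The vendor name, the SBOM document, the firmware images and the response policy are all constructed sample data.

```python
"""Verify a device's firmware inventory against a vendor SBOM and map each
finding to an SI-07(b)-style response action.

Added illustration (not Eclypsium or CMS code). "ExampleCorp", the images,
the SBOM and the response policy below are constructed for this example."""
import hashlib
import json
import zlib


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest: the authoritative, tamper-evident check."""
    return hashlib.sha256(data).hexdigest()


def crc32_hex(data: bytes) -> str:
    """CRC-32 catches accidental corruption but is not tamper-evident;
    it is reported alongside the SHA-256 only as a cheap sanity value."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


# Constructed stand-ins for the images the vendor shipped (not real firmware).
SHIPPED_IMAGES = {
    "bios": b"EXAMPLECORP-BIOS-1.2.0:" + bytes(range(64)),
    "bmc":  b"EXAMPLECORP-BMC-3.4.1:" + bytes(range(64, 128)),
    "nic":  b"EXAMPLECORP-NIC-7.0.2:" + bytes(range(128, 192)),
}

# Constructed vendor SBOM in a CycloneDX-like layout. Hashes are derived from
# SHIPPED_IMAGES so the sample is internally consistent.
VENDOR_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "firmware", "name": name, "version": version,
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(SHIPPED_IMAGES[name])}]}
        for name, version in (("bios", "1.2.0"), ("bmc", "3.4.1"), ("nic", "7.0.2"))
    ],
})


def expected_from_sbom(sbom_json: str) -> dict:
    """Map component name -> {version, sha256} from an SBOM document.
    A component without a SHA-256 cannot be verified, so reject the SBOM."""
    expected = {}
    for comp in json.loads(sbom_json)["components"]:
        digests = [h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"]
        if not digests:
            raise ValueError(f"SBOM component {comp['name']} carries no SHA-256 hash")
        expected[comp["name"]] = {"version": comp["version"], "sha256": digests[0].lower()}
    return expected


def verify_inventory(sbom_json: str, observed: dict) -> dict:
    """Compare observed firmware images (name -> bytes) against the SBOM.

    Returns name -> {"status", "sha256", "crc32"} with status one of:
    verified (hash matches), tampered (hash differs), unknown (present on the
    device but absent from the SBOM), missing (in the SBOM, absent from device)."""
    expected = expected_from_sbom(sbom_json)
    report = {}
    for name, image in observed.items():
        digest = sha256_hex(image)
        if name not in expected:
            status = "unknown"
        elif digest == expected[name]["sha256"]:
            status = "verified"
        else:
            status = "tampered"
        report[name] = {"status": status, "sha256": digest, "crc32": crc32_hex(image)}
    for name in expected:
        if name not in observed:
            report[name] = {"status": "missing", "sha256": None, "crc32": None}
    return report


# Example SI-07(b) response policy; a real organization defines its own.
RESPONSE_ACTIONS = {
    "verified": "none",
    "tampered": "isolate device and open incident",
    "unknown":  "block component until provenance is documented",
    "missing":  "investigate removal and re-image from vendor release",
}


def response_plan(report: dict) -> dict:
    """Map every finding in a verification report to its response action."""
    return {name: RESPONSE_ACTIONS[r["status"]] for name, r in report.items()}


def build_observed_sample() -> dict:
    """Constructed device inventory: BIOS intact, BMC altered by one bit,
    NIC firmware absent, plus an option ROM the SBOM never listed."""
    altered_bmc = bytearray(SHIPPED_IMAGES["bmc"])
    altered_bmc[-1] ^= 0x01
    return {
        "bios": SHIPPED_IMAGES["bios"],
        "bmc": bytes(altered_bmc),
        "option-rom": b"UNLISTED-OPTION-ROM:" + bytes(range(16)),
    }


if __name__ == "__main__":
    report = verify_inventory(VENDOR_SBOM_JSON, build_observed_sample())
    for name, r in report.items():
        print(f"{name:10s} {r['status']:9s} -> {RESPONSE_ACTIONS[r['status']]}")
```

Two design points carry over to a production check. First, the SBOM must carry a cryptographic hash per component; the CRC-32 is reported only for debugging, because a CRC is a corruption detector, not a tamper-evidence mechanism. Second, the report distinguishes "unknown" components from "tampered" ones, since a component with no documented provenance is an SR finding even when nothing on the device has changed.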
Again, these are just some of the supply chain and firmware requirements that organizations will need to meet in order to comply with CMS minimum baselines. Fortunately, Eclypsium provides a sensible solution for a potentially complex problem. To learn more about how we can help address your CMS requirements, please contact the Eclypsium team at [email protected].