Distributed Data Collection (DDC) for RA Including HCRP/EDGE Server FAQ

Guidance for FAQ regarding Edge Server Operations and Technical - Security and Integrity

Issued by: Centers for Medicare & Medicaid Services (CMS)

Issue Date: November 14, 2014

Program Area: Distributed Data Collection (DDC) for RA Including HCRP/EDGE Server

Question: Why is the security and monitoring of antivirus programs the responsibility of the issuers and not the responsibility of Amazon?

Answer: Amazon uses a Shared Security model, under which Amazon is responsible for the underlying infrastructure up to a certain point, and everything placed on top of that infrastructure is the responsibility of the issuer. Specifically, Amazon is responsible for all hardware and infrastructure up to the hypervisor level, and everything that resides on top of the hypervisor is the issuer's responsibility. More information on Amazon's Shared Security model can be found at AWS@amazon.com/security.
