Pub 100-17 Medicare Business Partners Systems Security Manual Update
The Information Security and Privacy Group (ISPG) has provided updated security requirements, the Acceptable Risk Safeguards (ARS) version 5.1 (previously version 5.0). As a result, the CMS Medicare Contractor Management Group (MCMG) has updated Internet Only Manual (IOM) 100-17, which contains the Business Partners Systems Security Manual (BPSSM) and the Medicare Administrative Contractor (MAC) ARS. This administrative update ensures that the BPSSM and MAC ARS are aligned with the most recent ISPG update, reflecting the security controls that have already been implemented by the MACs.
The MACs shall review the updated BPSSM revision 15.1, which includes the updated MAC ARS, to assess any impacts from the updates that have not already been addressed by the MAC. Should the MAC determine that additional resources or funding is necessary to meet any of the updated requirements in either the BPSSM or MAC ARS, they shall evaluate and document the workload required to meet the security requirements in their analysis.
Issued by: Centers for Medicare & Medicaid Services (CMS)
Issue Date: July 17, 2025
DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.