<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>Authorization to Operate (ATO) | CMS Information Security & Privacy Group</title><meta name="description" content="Testing and documenting system security and compliance to gain 
approval to operate the system at CMS"/><link rel="canonical" href="https://security.cms.gov/learn/authorization-operate-ato"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="Authorization to Operate (ATO) | CMS Information Security & Privacy Group"/><meta property="og:description" content="Testing and documenting system security and compliance to gain approval to operate the system at CMS"/><meta property="og:url" content="https://security.cms.gov/learn/authorization-operate-ato"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/learn/authorization-operate-ato/opengraph-image.jpg?d21225707c5ed280"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="Authorization to Operate (ATO) | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="Testing and documenting system security and compliance to gain approval to operate the system at CMS"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/learn/authorization-operate-ato/opengraph-image.jpg?d21225707c5ed280"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div 
class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 
52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 
padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at 
CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li 
class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk 
Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" 
href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li 
class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a 
class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accountability Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation 
(CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg 
aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-explainer undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">Authorization to Operate (ATO)</h1><p class="hero__description">Testing and documenting system security and compliance to gain approval to operate the system at CMS</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div><div class="tablet:position-absolute tablet:top-0"><div class="[ flow ] bg-primary-light radius-lg padding-2 text-base-darkest maxw-mobile"><div class="display-flex flex-align-center font-sans-lg margin-bottom-2 text-italic desktop:text-no-wrap"><img alt="slack logo" loading="lazy" width="21" height="21" decoding="async" data-nimg="1" class="display-inline margin-right-1" style="color:transparent" src="/_next/static/media/slackLogo.f5836093.svg"/>CMS Slack Channel</div><ul class="add-list-reset"><li class="line-height-sans-5 margin-top-0">#cra-help</li></ul></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav 
class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of contents entries to display.</p></nav></div><div class="tablet:grid-col-8 content"><section><div class="text-block text-block--theme-explainer"><h2>What is ATO?</h2><p>Every information system operated by or on behalf of the U.S. federal government is required to meet <a href="/learn/federal-information-systems-management-act-fisma">FISMA standards</a>, which include system authorization (ATO) signed by an Authorizing Official (AO). This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.</p><p>When this process is successfully completed, an Authorization to Operate (ATO) is signed and the system can be utilized at CMS. However, the ATO process requires months of planning, scheduling, testing, documenting, and collaborating with various individuals and groups across CMS – so you should start working on your ATO as soon as possible.</p><h3>What is the ATO process?</h3><p>The ATO process is built around the <a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf">Risk Management Framework</a> from the <a href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST)</a>. This framework is based on the idea that no system is ever 100% secure – risk is always present and evolving. 
So the best practice is to take a risk-based approach to system security, as laid out in the NIST Risk Management Framework (and reflected in the ATO process):</p><ul><li><strong>Prepare</strong>: Perform essential activities to prepare the organization to manage security and privacy risks</li><li><strong>Categorize</strong>: Categorize the system and information processed, stored, and transmitted based on an impact analysis</li><li><strong>Select</strong>: Select the set of <a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">NIST SP 800-53</a> controls to protect the system based on risk assessment(s)</li><li><strong>Implement</strong>: Implement the controls and document how the controls are deployed</li><li><strong>Assess</strong>: Assess to determine if the controls are in place, operating as intended, and producing the desired results</li><li><strong>Authorize</strong>: Senior official makes a risk-based decision to authorize the system (to operate)</li><li><strong>Monitor</strong>: Continuously monitor control implementation and risks to the system</li></ul><p>When this process is followed for every information system, CMS can track and manage the risk exposure of individual systems and the agency at large – ensuring the protection of critical resources and sensitive information.</p><p>However, this is a complex and documentation-heavy process that spans the whole life cycle of a FISMA system. It can be challenging to keep in mind the specific steps that need to be taken in order to obtain and maintain ATO.</p><h3>ATO and your system’s life cycle</h3><p>The ATO process can be mapped to the System Development Life Cycle (SDLC) so that it’s easier to see what activities should be completed at each stage. 
At CMS, this means the steps will align to the <a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc">Target Life Cycle (TLC)</a> – the system development governance process that all CMS systems must follow. These phases are briefly summarized below, with links to details that will help you plan ATO activities for your system’s whole life cycle.</p></div><div><ol class="usa-process-list"><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Initiate</h4><div class="margin-top-05 usa-process-list__description"><p>In this phase, documentation is created about the general business needs that the system intends to address. If there’s a similar solution already in use at CMS, it can be utilized rather than starting a new system that will require a new ATO. If proceeding with a new system idea, initial activities will begin for things like intake, hosting, consultations with stakeholders, and technical documentation. This is also when you will define the system’s categorization, boundary, and security controls.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Develop and assess</h4><div class="margin-top-05 usa-process-list__description"><p>In this phase, the system is designed and developed according to requirements and user stories. It is deployed to a non-production environment and tested to make sure it’s working properly and that security requirements are met. This phase includes documenting and implementing all necessary security controls, finalizing required artifacts, and performing assessments that test the system’s security posture.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Operate</h4><div class="margin-top-05 usa-process-list__description"><p>In this phase, ATO has been granted and the system is being used for its intended purpose at CMS. 
Periodic security activities such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound. The Business Owner and ISSO both keep documentation updated when changes are made to the system – a critical part of maintaining a current ATO.</p></div></li><li class="usa-process-list__item"><h4 class="usa-process-list__heading">Retire</h4><div class="margin-top-05 usa-process-list__description"><p>In this phase, the system has reached the end of its useful life or the end of its contract. The decision to shut it down is made through a managed process and checklist, ensuring compliance with federal guidelines for retiring a government IT system. Final documentation is created, data is archived, and hardware is disposed of according to best practices. Even at this stage, there are security considerations and activities performed by the ISSO and others.</p></div></li></ol></div><div class="text-block text-block--theme-explainer"><h2>Initiate</h2><p>When a business need prompts the idea for a new system (or significant enhancements to a system) at CMS, the Business Owner and other key stakeholders must follow a governance process that makes use of existing resources and ensures the security of CMS information and systems. The first steps of the Initiate phase include documenting the business need and determining if a new system actually needs to be developed.</p><h3>Document the business need</h3><p>All new business needs and material changes to existing systems must be documented in the Initiate phase. During this period, the Business Owner will talk with knowledgeable stakeholders to learn about CMS infrastructure and existing assets. Together they will define and document the general business need or desired enhancement and explore solution options. 
These stakeholders often include:</p><ul><li>Information Security and Privacy Group (ISPG)</li><li>Office of Acquisition and Grants Management (OAGM)</li><li>Governance Review Team (GRT)</li><li>Governance Review Board (GRB)</li><li>Office of Information Technology (OIT) Navigators</li><li>Enterprise Architecture (EA) Team</li><li>Technical Review Board (TRB)</li><li>Office of Financial Management (OFM)</li><li>Section 508 Team</li><li>Various Subject Matter Experts (SMEs)</li></ul><h3>Consider existing options</h3><p>An important step in the governance process is to consider existing solution options at CMS to determine whether a new system is indeed necessary. In particular, <a href="/learn/cms-cloud-services"><strong>cloud computing options</strong></a> should be considered, such as Platform-as-a-Service (PaaS), <a href="/learn/saas-governance-saasg">Software-as-a-Service (SaaS)</a>, and Infrastructure-as-a-Service (IaaS). CMS has a variety of cloud offerings available that help save time and money on development, compliance, and security. If an existing solution at CMS or HHS can be leveraged, there is no reason to duplicate efforts by developing a new system.</p><h3>Decide to proceed with a new system</h3><p>If no solution exists to meet the need, the Business Owner and stakeholders will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the Business Owner appoints an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy related considerations.</p><h3>Getting started</h3><p>Once the decision is made to develop a new system, intake and other foundational activities will start. 
This phase requires meetings with various groups across CMS to ensure that resources are used efficiently, governance processes are followed, and security requirements are met.</p><h4>Determine a hosting solution</h4><p>It is important to decide on the primary hosting location for the solution. Hosting the solution within CMS – for example, using <a href="/learn/cms-cloud-services">CMS Cloud Services</a> – instead of using vendor-provided hosting locations is much preferred. Leveraging CMS hosting allows the team to access a wide variety of services from CMS, and systems hosted there can inherit common security controls from the hosting environment (see "Implement controls" below). This saves time and money on compliance, so the team does not have to cut corners on implementation to stay on budget. Settling the hosting decision should be the primary goal at this point in the process.</p><h4>Complete Appendix A</h4><p>To ensure that the contract for developing a new system includes the appropriate security measures, the system stakeholders (such as the Business Owner, Privacy SME, ISSO, and CRA) must complete the document <a href="https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements">CMS Security and Privacy Requirements for IT Procurements</a>. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations. 
Part of this process includes completing "Appendix A" of this document, which is signed by the CMS Chief Information Security Officer (CISO) and the CMS Senior Official for Privacy (SOP).</p><p><a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Security-and-Privacy-Language-for-Procurements">Learn more about security and privacy requirements for CMS technology procurements here.</a></p><h4>Complete EASi intake form</h4><p>If you decide to create a new solution at CMS, the <a href="https://impl.easi.cms.gov/">Easy Access to System Information (EASi)</a> system helps you get started by automating the governance process and connecting you and your contract to funding at CMS. The Business Owner submits an intake form in EASi to start the governance process and get a Life Cycle ID for their system. This is required for every CMS system, and key to securing funding for a new project.</p><h4>Consult with Governance Review Team (GRT)</h4><p>Submitting the intake form engages the Governance Review Team (GRT), who works with the Business Owner, the Enterprise Architecture (EA) team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with pursuing an ATO for a new system, this iterative and collaborative process should result in a strong business case to present to the Governance Review Board (GRB).</p><h4>Present to the Governance Review Board (GRB)</h4><p>Once they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. 
The presentation is reviewed by relevant SMEs followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue.</p><h4>Complete Enterprise Architecture Activities</h4><p>Once the Business Owner selects their chosen path forward, they will work with Enterprise Architecture (EA) to complete a Core System Information Form. EA will then issue a Universally Unique Identifier (UUID), which allows the project to be entered into the <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CMS FISMA Continuous Tracking System (CFACTS)</a>. The Life Cycle ID and UUID will remain associated with the project for the duration of its life cycle.</p><h3>Creating an Authorization Package</h3><p>After the initial consultations and intake processes, the focus turns to Assessment and Authorization activities – the security-related steps required for ATO. An Authorization Package is the collection of documentation put together by the Business Owner and their team to prove that the system has been designed, built, tested, assessed, and categorized appropriately to meet ATO requirements.</p><p>As you might imagine, collecting and submitting all required information can take a lot of time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.</p><h4>Use CFACTS to track compliance</h4><p>The <a href="https://cfacts.cms.gov/apps/ArcherApp/Home.aspx">CMS FISMA Continuous Tracking System (CFACTS)</a> is the tool used to track and manage the security and compliance of all CMS systems. Upon receipt of the UUID from Enterprise Architecture, ISPG enters the new system into CFACTS. To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. From this point on, the Business Owner and their team work together with various stakeholders to complete the required ATO documentation in CFACTS. 
Once all the documentation is compiled, the ISSO submits the <strong>CMS System ATO Request Form</strong>, which is filled out and submitted within CFACTS. (This form can also be used to request "re-authorization" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)</p><h4>Compile Tier 1 Documentation</h4><p>The specific documents required are based on many factors and vary from system to system, but all projects should expect to provide the following Tier 1 Documentation:</p><ul><li><a href="/learn/system-security-and-privacy-plan-sspp">System Security and Privacy Plan (SSPP)</a></li><li><a href="/learn/cms-information-system-risk-assessment-isra">Information Security Risk Assessment (ISRA)</a></li><li><a href="/learn/privacy-impact-assessment-pia">Privacy Impact Assessment (PIA)</a></li><li><a href="/learn/contingency-plan">Contingency Plan (CP)</a></li><li><a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook">Contingency Plan Exercise</a> (often called a Tabletop Exercise)</li></ul><h4>Compile additional documentation</h4><p>Additional documentation that is often required includes:</p><ul><li>Project management personnel and policies</li><li>Security and privacy documentation</li><li>Risk assessment and abatement</li><li>Architecture diagrams</li><li>Hardware and software inventories</li><li>Vulnerability scanning documentation</li><li>Open <a href="/learn/plan-action-and-milestones-poam">Plan of Action & Milestones (POA&Ms)</a></li><li><a href="/learn/isso-appointment-letter">ISSO Appointment Letter</a></li><li>TRB Letter</li><li><a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-5-configuration-management-cm">Configuration Management</a></li><li>Baseline security configurations</li><li>Configuration compliance audit policies</li><li>Maintenance and update policies</li><li>Compliance monitoring tool output</li><li>Malware 
protection</li><li>User ID conventions, group membership, and information system accounts for each component</li><li><a href="https://security.cms.gov/learn/system-audits">Audit documentation</a></li><li>System procedures manual</li><li>Job descriptions and personnel policies</li><li>Physical access and remote work policies</li><li>Data Use and Service Level Agreements</li><li>Source code</li><li>And others</li></ul><h3>Categorization, boundary, and controls</h3><p>During the documentation process described above, the team will add all required information into CFACTS and work together to categorize the system, document the system boundary, and assign appropriate security controls. These activities formally define what kind of information the system handles, the level of risk associated with the system, and what kind of controls are necessary to manage that risk.</p><h4>Categorize the system</h4><p>“System categorization” is a required step for every information system with an ATO. The team will classify the system into one of three levels that represent the potential impact to organizations and individuals if the confidentiality, integrity, or availability of the system or its information were compromised.</p><p>At the end of this process, the system will be categorized as High, Moderate, or Low impact according to the <a href="https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf">Federal Information Processing Standards (FIPS) Publication 199</a>. This determines the control baseline the system must implement (see "Assign a control baseline" below). The categorization also informs whether the system should be classified as a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.</p><h4>Document the system boundary</h4><p>Next, the team will document the system architecture, components and boundary in CFACTS. The boundary separates what is part of the system from what is not. 
It is documented through network diagrams, hardware / software inventories, and narrative explanation.</p><p>Including a good boundary diagram makes assessments easier and expedites the ATO process. It should include information about what your team is directly responsible for building and maintaining – in addition to anything your system is connected to (or utilizing) that someone else is responsible for building and maintaining.</p><p>A boundary diagram should:</p><ul><li>Include CMS shared services and how they connect to your system</li><li>Show the outbound proxy, including URL filtering and allowlisting of outbound traffic</li><li>Show separate S3 buckets for each subnet</li><li>Display zonal VRF between VDCs and AWS</li><li>Include API consumers' internal access path(s)</li><li>Depict all AWS services being used</li></ul><p>If your team has questions about this, email the Technical Review Board at <a href="mailto:cms-trb@cms.hhs.gov">cms-trb@cms.hhs.gov</a></p><h4>Assign a control baseline</h4><p>Based on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate, or High. These controls follow the <a href="https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>, which are the standards and controls for information security and privacy applied to CMS systems to mitigate risk. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO, and the CRA as the artifacts are reviewed and accepted.</p><h2>Develop and Assess</h2><p>This phase is when the system is actually being designed, built, and deployed – using the requirements and user stories that will ensure the system meets business needs. 
At this point the system will be in a non-production environment, meaning it is not being formally used for its intended purpose yet (and is not publicly available).</p><p>Then the system must be assessed for security and compliance with CMS standards. This includes documenting and implementing all necessary controls, finalizing required artifacts and supplemental documentation, and completing testing and assessments. When all these steps are complete and documented, the system will ideally be granted an ATO so it can begin operating.</p><p>There are some key steps to keep in mind as the new system enters the Develop and Assess phase.</p><h3>Establish stakeholder communications</h3><p>This part of the system life cycle is document-heavy and requires input from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:</p><ul><li>Information System Security Officer (ISSO)</li><li>ISSO Contracting Support (ISSOCS)</li><li>Cyber Risk Advisor (CRA)</li><li>Business Owner (BO)</li><li>Penetration (Pen) Test Coordinator</li><li>Cybersecurity and Risk Assessment Program (CSRAP) team (within ISPG)</li><li>System Developer and Maintainer (SDM)</li><li>Privacy Subject Matter Expert (PSME)</li><li>Technical Review Board (TRB)</li></ul><h3>Design, develop, and deploy</h3><p>Design and development is managed by the Business Owner (BO) and project team. The <a href="https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc">CMS Target Life Cycle</a> requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. 
Typically, the project team will work with the CMS Cloud Services team to provision the different environments – such as development, implementation, and production. <strong>As the system is developed, the project team should also move forward with documentation and other compliance activities</strong>.</p><p>Once the system is designed and developed, it is deployed in a non-production environment and tested for compliance with requirements and CMS standards. In order to become production ready, everything must comply with CMS <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA">Technical Reference Architecture (TRA)</a> and meet the security, privacy, and accessibility standards outlined in the <a href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a>.</p><h3>Define the accreditation boundary</h3><p>The <a href="https://csrc.nist.gov/glossary/term/accreditation_boundary">accreditation boundary</a> describes all components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. So it defines exactly what components and assets the ATO will cover.</p><p>When defining the accreditation boundary, note that some assets are provided and supported by the CMS cloud service provider, while the Application Development Organization (ADO) – often a contractor – provides and supports other components. Each project team is responsible for maintaining the assets within its accreditation boundary.</p><p>The ISSO works with the project team to define the boundary according to the three-tier architecture set by the CMS Technical Review Board (TRB). 
If the system is hosted in the CMS Amazon Web Service (AWS) cloud GSS, it can access and use approved templates to simplify the process.</p><h3>Implement controls</h3><p>The accreditation boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all ARS security controls in CFACTS, starting with any inheritable controls available.</p><p>Implementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate.</p><h3>Conduct a system test</h3><p>With all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end‐to‐end system specifications and make sure the system is working as expected. This test validates the complete and fully integrated software product, and involves the full project team.</p><h3>Start continuous monitoring</h3><p>The <a href="https://www.cisa.gov/">Cybersecurity and Infrastructure Security Agency (CISA)</a> works with partners across government and the private sector to secure national infrastructure. 
A big part of this effort – the <a href="https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> program – is strengthening the cybersecurity of federal networks and systems.</p><p>As part of the ATO process, the ISSO onboards each system to CDM in three stages:</p><ul><li>Stage 1: Engage Data Center assessment</li><li>Stage 2: Implement and integrate required capabilities</li><li>Stage 3: Validate and verify data</li></ul><p>The system is also onboarded to the <a href="https://security.cms.gov/learn/cms-cloud-services">CMS Cloud</a> Environment for cloud hosting (if applicable), and the <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center (CCIC)</a> for security monitoring, event management, and incident handling.</p><h3>Complete Tier 1–3 artifacts</h3><p>As seen in the Initiate Phase, all systems require Tier 1 artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine the documentation required for their system and upload it to CFACTS.</p><h3>Review for assessment readiness</h3><p>Once all controls, artifacts, and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase.</p><h3>Assessing and testing a new system</h3><p>Assessments and tests are conducted to ensure that the new system has implemented necessary security controls and meets CMS requirements. 
If the results show any unacceptable weaknesses in the system, the team will need to mitigate them before continuing the process to request ATO.</p><h3>Schedule tests promptly</h3><p>The ISSO and project team will set the timing for the required <a href="/learn/penetration-testing">Penetration Testing</a> and <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a> (or, alternatively, a <a href="/learn/security-controls-assessment-sca">Security Controls Assessment</a>). The ISSO reaches out to the PenTest Team and the CSRAP team to schedule the tests. <strong>As the team works, the timeline and schedule should be shared with the CRA</strong>.</p><h3>Conduct Penetration Testing</h3><p><a href="/learn/penetration-testing">Penetration Testing (or PenTesting)</a> helps determine the security of a system by attempting to exploit vulnerabilities. It mimics real-world scenarios to see if bad actors will be able to penetrate the system and cause harm to organizations or individuals.</p><p>The ISSO and project team work with a PenTest coordinator to schedule and conduct the test. To avoid delays,<strong> the pen test should be requested at least 3 months before the ATO deadline</strong>. <a href="https://security.cms.gov/learn/penetration-testing-pentesting">Learn all about PenTesting here</a>, including scheduling instructions.</p><p>After the test, the PenTest team will notify the project team of any issues, which must be mitigated within 25 days. 
If the issue can’t be resolved in 25 days, the team must create a <a href="/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&M)</a> to manage it.</p><p>Finalized results from Penetration Testing are uploaded as a CAAT spreadsheet into CFACTS, and all parties (including the CISO team) are notified that the results are complete and available.</p><h3>Conduct the Cybersecurity and Risk Assessment Program (CSRAP)</h3><p><a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a> was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with controls (which are still important), CSRAP facilitates and encourages risk-based decision making.</p><p>CSRAP focuses on the core controls that pose the highest risk to CMS and defines mission-oriented security objectives. CSRAP reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. <a href="https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap">Learn all about CSRAP here</a>, including scheduling instructions.</p><p>To fulfill the CSRAP requirement, the ISSO works with the CSRAP team and project team to create and complete an assessment plan. <strong>To avoid delays, this assessment should be scheduled at least 3 months before the ATO deadline</strong>. Once the CSRAP is complete, the CSRAP Final Package will be uploaded to CFACTS.</p><h3>Check for 508 compliance</h3><p>While it is not an explicit requirement for ATO, accessibility is an important consideration for all project teams at CMS. <a href="https://www.section508.gov/">Section 508</a> of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. 
To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development, and deployment. <a href="https://www.section508.gov/develop/">Some 508 resources from GSA can be found here</a>.</p><h3>Manage identified risks with POA&Ms</h3><p>All information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and CSRAP assessment identify risks, the ISSO will work with the project team and CRA to create a <a href="/learn/plan-action-and-milestones-poam">Plan of Action and Milestones (POA&M)</a>.</p><p>Plan of Action and Milestones (POA&Ms) are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA&Ms to track and mitigate findings from assessments and audits. The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA&Ms. Learn all about managing POA&Ms in the <a href="https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook">CMS POA&M Handbook</a>.</p><h3>CMS System ATO Request / Re-authorization Form</h3><p>With all documentation and assessments completed and uploaded to CFACTS, the ISSO can now request ATO certification. The ISSO submits the <strong>CMS System ATO Request / Re-authorization Form</strong>, which is filled out and submitted within CFACTS. (This form can also be used to request "re-authorization" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)</p><h3>ATO review and certification</h3><p>The complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. 
The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including <a href="https://www.fedramp.gov/">FedRAMP</a>.</p><p>The system now officially has an ATO – “the authority to operate decision that culminates from the security authorization process of an information technology system in the U.S. federal government”. With a completed and approved ATO, the system moves into the Operate phase of its life cycle.</p><h2>Operate</h2><p>The Operate phase is what we think of as normal business operations. The system runs in a production environment, and the team does normal upgrades, enhancements and maintenance. The system is being used to achieve the business objectives stated in the Initiate phase.</p><p>To remain compliant with the Authority to Operate (ATO), the Business Owner maintains the Target Life Cycle (TLC) System Profile with every production release. Annual security requirements such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound.</p><p>The following maintenance issues must be supported throughout this phase:</p><ul><li>Upgrades</li><li>System software patches</li><li>Hardware upgrades</li><li>Modifications to interfaces with other systems</li></ul><p>During the Operate Phase the project team works with the Information System Security Officer (ISSO) to maintain current documentation and to support periodic reviews and audits. The inability to produce current documentation may impact a system’s ATO.</p><h3>Conduct annual assessments</h3><p>Each system undergoes annual assessments and maintenance throughout their life cycle to ensure compliance with its ATO and identify potential vulnerabilities. 
These typically include:</p><ul><li>Updating core documentation</li><li>Updating the <a href="/learn/contingency-plan">Contingency Plan (CP)</a></li><li>Conducting a <a href="https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook">Contingency Plan Exercise</a> (often in the form of a Tabletop Exercise)</li><li>Undergoing <a href="https://security.cms.gov/learn/penetration-testing-pentesting">Penetration Testing</a></li><li>Addressing and closing any <a href="https://security.cms.gov/learn/plan-action-and-milestones-poam">Plan of Action and Milestones</a> (POA&Ms)</li><li>Assessing controls</li></ul><h3>Request re-authorization</h3><p>Every three years, a system's ATO is assessed for re-authorization. Much like the annual assessments, this includes a review of a subset of system controls and POA&Ms. Once the review is completed, the ISSO and Business Owner submit an ATO request form attesting that all required testing has been completed. ISPG then reviews the request form and renews the system authorization.</p><h3>Update ATO if system changes</h3><p>A significant change to a system can require an update to its ATO. A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system (see <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf">NIST SP 800-37</a> for more information). This includes upgraded hardware or applications, changes in the information collected by the system or how the information is handled, changes to system ports or services, and more.</p><p>If a system is undergoing a significant update, the Business Owner checks with the ISSO to see if an authorization change will be necessary. The ISSO completes a Security Impact Analysis (SIA). If the SIA determines that the update will not affect the system's security or privacy posture, the change is considered minor. 
In this case the only action is to update any relevant documentation in CFACTS.</p><p>If the update is determined to be a significant change, the system could require a new ATO. In this case, the ISSO works with the BO and team to complete a new intake form.</p><h3>Resolve cyber risk events</h3><p>As more activities move online and to the cloud, the chance of cyber attacks and other risk events goes up. If a risk event is identified, the ISSO and team must work quickly and collaboratively to isolate and resolve it. The ISSO must open an incident response ticket with the IT service desk to start an investigation. (This is done in <a href="https://cmsitsm.servicenowservices.com/connect">ServiceNow</a>). They will execute the CMS incident management lifecycle process to triage the event, whether it turns out to be an actual incident or a false positive.</p><p>Once the risk is under control, system security should be reviewed and updated to lower the chances of the risk recurring in the future. The updates must be tested to confirm that they remediate the risk and that they have not negatively impacted any other systems. <a href="https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir">Learn more about Incident Response here</a>.</p><p>The system continues to operate – undergoing assessment, reassessment, and change management – through the end of its contract or useful life. Once it reaches either of these milestones, the system transitions to the Retirement phase.</p><h2>Retire</h2><p>A system moves to the Retire phase once it reaches the end of its useful life or the end of its contract. At this point, the decision is made to shut it down through a managed process outlined in the System Disposition Checklist. This ensures compliance with federal guidelines when retiring a government IT system. 
There are many aspects to consider, including the following:</p><ul><li>Records retention</li><li>Information security</li><li>Investment close-out procedures</li></ul><p>The Business Owner (BO) and Information System Security Officer (ISSO) conduct a thorough planning process to define all tasks to decommission the system. There are several documents that must be completed by the ISSO and Project team and signed by the BO and/or the ISSO.</p><ul><li>System Disposition Checklist</li><li>System Disposition Plan</li><li>System Retirement Memo</li><li>Certificate of Destruction</li></ul><p>Any remaining activities must be transitioned to a different process or system. All contracts are closed and data is archived according to the System of Records Notice (SORN) or other guidelines. Any remaining hardware and storage media must be sanitized and disposed of according to federal best practices.</p><h2>Types of authorizations</h2><p>Every system that is integrated at CMS—either built in-house or contracted—must get a compliance authorization to operate and access government data. This ensures that the agency is aware of all components interacting with its data, and that each system can be monitored for compliance and risk mitigation. This helps safeguard sensitive personal information, manage the risk to critical infrastructure, and address cybersecurity issues when they arise.</p><p>If you are introducing a new system at CMS, you must go through the security and compliance process.</p><p>CMS recognizes that every system is unique and that a one-size-fits-all approach won’t work. There are several different types of compliance authorizations provided by CMS to manage agency-wide risk.</p><h3>Authority to Operate (ATO)</h3><p>As explained above, the Authority to Operate (ATO) is awarded by the CMS Authorizing Official (AO) to systems that meet requisite security requirements. 
Typically, ATOs grant a system authorization for three years, although there are circumstances where CMS will authorize a system for a shorter period of time (see more information about this below).</p><h4>When should ATO be used?</h4><p>Information systems that intend to operate for three years or more are required to get an ATO. This includes projects that:</p><ul><li>Store, process, or transmit Personally Identifiable Information (PII), Protected Health Information (PHI), or other sensitive information</li><li>Have been reviewed and approved through the existing CMS governance process (EASi)</li><li>Have funding and contracting vehicles to develop, implement and maintain a FISMA information system</li></ul><p>Learn more about the process and requirements for ATO.</p><h3>Ongoing Authorization (OA)</h3><p>Getting authorization for a system to operate through <a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a> is a new initiative at CMS. Its goal is to fundamentally change authorization and compliance from reactive evaluation to proactive, ongoing monitoring. Rather than subjecting project teams to the current 3-year compliance cycle, the OA approach provides real-time data about a system’s security posture.</p><p>OA is equivalent to ATO in that it gives systems the authorization to operate, but it’s done through automation and continuous assessment of risk, instead of through documentation-heavy compliance processes. This reduces the load on Business Owners, ISSOs, and project teams – while providing CMS a clearer picture of its risk level at any given moment.</p><h4>When should OA be used?</h4><p>To be eligible for OA, systems must leverage the latest control automation tools. 
Additionally, all <a href="/learn/continuous-diagnostics-and-mitigation-cdm">Continuous Diagnostics and Mitigation (CDM)</a> tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).</p><p><a href="/learn/ongoing-authorization-oa">Learn more about the process and requirements for OA.</a></p><h3>Re-authorization</h3><p>A system may need to be reassessed and re-authorized if the application team is planning to make significant changes. When changes to a system are being planned, the team completes a <a href="/learn/security-impact-analysis-sia">Security Impact Analysis (SIA)</a> to determine how the changes will impact the system’s security and ATO.</p><p>If the change is significant and the analysis reveals that re-authorization is necessary, the team schedules a CSRAP assessment to determine if there are any potential findings (risks). If there are findings, the team works to mitigate them. Once findings are mitigated to an acceptable level, the Cyber Risk Advisor (CRA) presents the risk-based case for re-authorization to the Authorizing Official (AO), who decides whether to issue a new ATO letter.</p><h4>When should re-authorization be used?</h4><p>Changes to a system that are considered “significant” and may require re-authorization include changes to:</p><ul><li>The system security boundary</li><li>Encryption methodologies</li><li>Administrative functionality within the application</li><li>The kinds of information stored (for example, PII)</li><li>The external services used or how/what data flows to/from them</li></ul><p>Example changes that <strong>do not require re-authorization</strong>, as long as they don’t touch any of the areas above (they still go through the Security Impact Analysis, and any affected documentation is updated in CFACTS):</p><ul><li>Features and functionality</li><li>Bug fixes</li><li>Interface changes</li><li>Documentation updates</li></ul><h2>ATO stakeholders</h2><p>The process of gaining and maintaining Authorization to Operate (ATO) involves many stakeholders across the organization. 
It’s important for each person or group to understand their responsibilities and to communicate clearly with other stakeholders during the process.</p><h3>Chief Information Security Officer (CISO)</h3><p>The CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy. From setting policy and guidance to approving Authorizations to Operate (ATOs), the CISO drives information security at CMS.</p><h4>Responsibilities related to ATO</h4><ul><li>Define information security and privacy control requirements</li><li>Delegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)</li><li>Publish an Ongoing Authorization process</li><li>Approve ISSO appointments from the Program Executive</li><li>Approve the independent security control assessment deliverables</li><li>Coordinate with stakeholders to ensure compliance with control family requirements</li><li>Authorize the immediate disconnection or suspension of flagged systems until the AO orders reconnection</li></ul><h3>Cyber Risk Advisor (CRA)</h3><p>The CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Continuous Tracking System (CFACTS). 
They act as the subject matter expert in all areas of the <a href="https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf">CMS Risk Management Framework (RMF)</a>.</p><h4>Responsibilities related to ATO</h4><ul><li>Evaluate and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the Authorizing Official (AO)</li><li>Help ensure that all requirements of the CMS ARS and <a href="/learn/cms-security-and-privacy-handbooks">the procedures of the Risk Management Handbook (RMH) </a>are implemented</li><li>Participate in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs based on security, functionality, and cost</li><li>For each system, coordinate with Data Guardian, System Owner, Business Owner, and ISSO to identify types of information processed, assign security categorizations, and manage information security and privacy risk</li><li>Ensure information security and privacy testing is performed throughout the SDLC and results are considered during the development phase</li><li>Monitor system security posture by reviewing all proposed information security and privacy artifacts to make recommendations to the ISSO</li></ul><h3>Business Owner (BO)</h3><p>The BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. BOs are not expected to be technical or security experts, but their participation and collaboration is critical to the success of the ATO.</p><h4>Responsibilities related to ATO</h4><p>During an ATO, the BO works closely with technical and security stakeholders – particularly the ISSO – to ensure that the data and information in their system is properly documented and managed. 
Working with their team, the BO’s responsibilities include:</p><p><strong>Document and Protect PII and PHI</strong></p><ul><li>Comply with the <a href="https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf">CMS Policy for IT Investment Management & Governance</a></li><li>Coordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI<ul><li>Ensure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information</li><li>Assign the appropriate security categorizations to the information system</li><li>Determine information security and privacy impacts and manage risks</li></ul></li><li>Work with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized</li><li>Coordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the Senior Official for Privacy to ensure appropriate information security and privacy contracting language from relevant sources is included in each IT contract. 
Relevant sources must include, but are not limited to:<ul><li>HHS Office of the Assistant Secretary for Financial Resources (ASFR)</li><li>HHS Office of Grants and Acquisition Policy and Accountability (OGAPA)</li><li>CMS Office of Acquisition and Grants Management (OAGM)</li></ul></li><li>Coordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies</li></ul><p><strong>Manage CMS Data Privacy and Security</strong></p><ul><li>Own and manage access to the information stored, processed, or transmitted in the system</li><li>Manage and approve all use and disclosure of data from CMS programs or systems</li><li>Verify that CMS programs and systems only disclose the minimum data necessary</li><li>Confirm adequate security and privacy controls are in place to protect CMS systems</li><li>Prepare <a href="/learn/privacy-impact-assessment-pia">Privacy Impact Assessments (PIAs)</a> for programs or systems with the direction from the CRA</li><li>Support the analysis of incidents involving PII, and help determine the appropriate actions for breach notification, reporting, monitoring, tracking, and closure of those incidents</li></ul><h3>Information System Security Officer (ISSO)</h3><p>The ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. 
They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process.</p><p>An ISSO’s role in the ATO process – which overlaps with many ongoing duties related to system security – is outlined in the <a href="https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities">ISSO Handbook</a>.</p><h3>System Developer</h3><p>The Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, <a href="https://security.cms.gov/learn/security-automation-framework-saf">CMS Security Automation Framework (SAF)</a>, and the DevSecOps support team to help project teams build successful DevSecOps platforms and secure system ecosystems.</p><h4>Responsibilities related to ATO</h4><ul><li>Create, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:<ul><li>Integrate requirements effectively into IT products and systems</li><li>Ensure requirements are adequately planned and addressed in all aspects of system architecture</li><li>Integrate and deploy automated information security and privacy capabilities (as required)</li></ul></li><li>Coordinate with the ISSO to identify the necessary information security and privacy controls for the system</li><li>Follow the CMS System Development Life Cycle (SDLC) in developing and maintaining a system, including:<ul><li>Understand the relationships among the system's features and information security and privacy safeguards</li><li>Ensure all development practices comply with the <a href="https://www.cms.gov/tra/Home/Home.htm">CMS Technical Reference Architecture</a> (TRA)</li></ul></li><li>Execute the Risk Management 
Framework tasks listed in <a href="https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final">NIST SP 800-37</a> and the CMS Risk Management Handbook</li><li>Ensure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories</li><li>Share only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected</li></ul><h3>Assessor</h3><p>The Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial, which means they are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems under assessment.</p><h4>Responsibilities related to ATO</h4><p>Assessors work with the ISSO and CRA to validate and verify that a system’s documented controls work as described. They use assessment cases to test the system. The process typically involves the following steps:</p><ul><li>The ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set</li><li>The CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled</li><li>At least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS</li><li>The assessment begins once the funds are verified as available via the CAMS</li></ul><h3>Authorizing Official (AO)</h3><p>The AO is responsible for the overall impact categorization and risk acceptance. They determine if the risk of operating the system is acceptable, and if so, issue an Authority to Operate (ATO) for that system. They often delegate this responsibility to one or more other people. 
At most federal agencies this role is performed by the Chief Information Officer (CIO).</p><h3>Penetration Tester (PenTester)</h3><p>PenTesters test the security of a system by attempting to exploit vulnerabilities. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. After the test, a findings report is produced. At CMS, this service is offered and funded by the <a href="https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic">CMS Cybersecurity Integration Center (CCIC)</a>.</p><p><a href="https://security.cms.gov/learn/penetration-testing">Learn more about CMS PenTesting.</a></p><h3>Program / Project Team</h3><p>The people building, launching, and maintaining the system. They work with the ISSO to implement the required security controls and to support the documentation and testing the ATO process requires.</p><h3>System Owner</h3><p>The system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.</p><h3>Enterprise Architecture and Data Group (EA)</h3><p>Every federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO.</p><h3>Governance Review Team (GRT)</h3><p>The Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. 
It helps project teams determine whether there is a need to build a new system, and work through the IT governance process.</p><p>The GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system.</p></div></section></div></div></div><div class="cg-cards grid-container"><h2 class="cg-cards__heading" id="related-documents-and-resources">Related documents and resources</h2><ul aria-label="cards" class="usa-card-group"><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/penetration-testing-pentesting">Penetration Testing (PenTesting)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" 
href="/learn/cybersecurity-risk-assessment-program-csrap">Cybersecurity and Risk Assessment Program (CSRAP)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>A streamlined, risk-based control testing methodology designed to relieve operational burden.</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-fisma-continuous-tracking-system-cfacts">CMS FISMA Continuous Tracking System (CFACTS)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>CFACTS is a CMS database that tracks application security deficiencies and POA&Ms, and supports the ATO process</p></div></div></li><li class="usa-card grid-col-12 tablet:grid-col-4"><div class="usa-card__container "><div class="usa-card__header"><h3 class="margin-top-1 line-height-sans-2 text-bold text-base-darkest"><a class="usa-card__link text-no-underline" href="/learn/cms-technical-reference-architecture-tra">CMS Technical Reference Architecture (TRA)</a></h3></div><div class="usa-card__body font-sans-2xs line-height-sans-4 text-base-darkest"><p>The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency</p></div></div></li></ul></div></div></main>
Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center 
(CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement 
(CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response 
Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation 
(CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data 
Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer 
Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture 
(TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment 
(PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework 
(RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application 
Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration 
Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement 
\",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[9461,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"192\",\"static/chunks/app/learn/%5Bslug%5D/page-5b91cdc45a95ebbe.js\"],\"default\"]\n18:Te02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is ATO?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery information system operated by or on behalf of the U.S federal government is required to meet \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFISMA 
standards\u003c/a\u003e, which includes system authorization (ATO) signed by an Authorizing Official (AO). This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.\u003c/p\u003e\u003cp\u003eWhen this process is successfully completed, an Authorization to Operate (ATO) is signed and the system can be utilized at CMS. However, the ATO process requires months of planning, scheduling, testing, documenting, and collaborating with various individuals and groups across CMS – so you should start working on your ATO as soon as possible.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is the ATO process?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process is built around the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eRisk Management Framework\u003c/a\u003e from the \u003ca href=\"/learn/national-institute-standards-and-technology-nist\"\u003eNational Institute of Standards and Technology (NIST)\u003c/a\u003e. This framework is based on the idea that no system is ever 100% secure – risk is always present and evolving. 
So the best practice is to take a risk-based approach to system security, as laid out in the NIST Risk Management Framework (and reflected in the ATO process):\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e: Perform essential activities to prepare the organization to manage security and privacy risks\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCategorize\u003c/strong\u003e: Categorize the system and information processed, stored, and transmitted based on an impact analysis\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSelect\u003c/strong\u003e: Select the set of \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e controls to protect the system based on risk assessment(s)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImplement\u003c/strong\u003e: Implement the controls and document how the controls are deployed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAssess\u003c/strong\u003e: Assess to determine if the controls are in place, operating as intended, and producing the desired results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAuthorize\u003c/strong\u003e: Senior official makes a risk-based decision to authorize the system (to operate)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e: Continuously monitor control implementation and risks to the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen this process is followed for every information system, CMS can track and manage the risk exposure of individual systems and the agency at large – ensuring the protection of critical resources and sensitive information.\u003c/p\u003e\u003cp\u003eHowever, this is a complex and documentation-heavy process that spans the whole life cycle of a FISMA system. 
It can be challenging to keep in mind the specific steps that need to be taken in order to obtain and maintain ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO and your system’s life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process can be mapped to the System Development Life Cycle (SDLC) so that it’s easier to see what activities should be completed at each stage. At CMS, this means the steps will align to the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e – the system development governance process that all CMS systems must follow. These phases are briefly summarized below, with links to details that will help you plan ATO activities for your system’s whole life cycle.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:Te02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is ATO?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery information system operated by or on behalf of the U.S federal government is required to meet \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFISMA standards\u003c/a\u003e, which includes system authorization (ATO) signed by an Authorizing Official (AO). This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.\u003c/p\u003e\u003cp\u003eWhen this process is successfully completed, an Authorization to Operate (ATO) is signed and the system can be utilized at CMS. 
However, the ATO process requires months of planning, scheduling, testing, documenting, and collaborating with various individuals and groups across CMS – so you should start working on your ATO as soon as possible.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is the ATO process?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process is built around the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eRisk Management Framework\u003c/a\u003e from the \u003ca href=\"/learn/national-institute-standards-and-technology-nist\"\u003eNational Institute of Standards and Technology (NIST)\u003c/a\u003e. This framework is based on the idea that no system is ever 100% secure – risk is always present and evolving. So the best practice is to take a risk-based approach to system security, as laid out in the NIST Risk Management Framework (and reflected in the ATO process):\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e: Perform essential activities to prepare the organization to manage security and privacy risks\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCategorize\u003c/strong\u003e: Categorize the system and information processed, stored, and transmitted based on an impact analysis\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSelect\u003c/strong\u003e: Select the set of \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e controls to protect the system based on risk assessment(s)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImplement\u003c/strong\u003e: Implement the controls and document how the controls are deployed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAssess\u003c/strong\u003e: Assess to determine if the controls are in place, operating as intended, and producing the desired results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAuthorize\u003c/strong\u003e: Senior 
official makes a risk-based decision to authorize the system (to operate)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e: Continuously monitor control implementation and risks to the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen this process is followed for every information system, CMS can track and manage the risk exposure of individual systems and the agency at large – ensuring the protection of critical resources and sensitive information.\u003c/p\u003e\u003cp\u003eHowever, this is a complex and documentation-heavy process that spans the whole life cycle of a FISMA system. It can be challenging to keep in mind the specific steps that need to be taken in order to obtain and maintain ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO and your system’s life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process can be mapped to the System Development Life Cycle (SDLC) so that it’s easier to see what activities should be completed at each stage. At CMS, this means the steps will align to the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e – the system development governance process that all CMS systems must follow. These phases are briefly summarized below, with links to details that will help you plan ATO activities for your system’s whole life cycle.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1a:Tc210,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eInitiate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen a business need prompts the idea for a new system (or significant enhancements to a system) at CMS, the Business Owner and other key stakeholders must follow a governance process that makes use of existing resources and ensures the security of CMS information and systems. 
The first steps of the Initiate phase include documenting the business need and determining if a new system actually needs to be developed.\u003c/p\u003e\u003ch3\u003eDocument the business need\u003c/h3\u003e\u003cp\u003eAll new business needs and material changes to existing systems must be documented in the Initiate phase. During this period, the Business Owner will talk with knowledgeable stakeholders to learn about CMS infrastructure and existing assets. Together they will define and document the general business need or desired enhancement and explore solution options. These stakeholders often include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation Security and Privacy Group (ISPG)\u003c/li\u003e\u003cli\u003eOffice of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003cli\u003eGovernance Review Team (GRT)\u003c/li\u003e\u003cli\u003eGovernance Review Board (GRB)\u003c/li\u003e\u003cli\u003eOffice of Information Technology (OIT) Navigators\u003c/li\u003e\u003cli\u003eEnterprise Architecture (EA) Team\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli\u003eOffice of Financial Management (OFM)\u003c/li\u003e\u003cli\u003eSection 508 Team\u003c/li\u003e\u003cli\u003eVarious Subject Matter Experts (SMEs)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eConsider existing options\u003c/h3\u003e\u003cp\u003eAn important step in the governance process is to consider existing solution options at CMS to determine whether a new system is indeed necessary. In particular, \u003ca href=\"/learn/cms-cloud-services\"\u003e\u003cstrong\u003ecloud computing options\u003c/strong\u003e\u003c/a\u003e should be considered, such as Platform-as-a-Service (PaaS), \u003ca href=\"/learn/saas-governance-saasg\"\u003eSoftware-as-a-Service (SaaS)\u003c/a\u003e, and Infrastructure-as-a-Service (IaaS). CMS has a variety of cloud offerings available that help save time and money on development, compliance, and security. 
If an existing solution at CMS or HHS can be leveraged, there is no reason to duplicate efforts by developing a new system.\u003c/p\u003e\u003ch3\u003eDecide to proceed with a new system\u003c/h3\u003e\u003cp\u003eIf no solution exists to meet the need, the Business Owner and stakeholders will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the Business Owner appoints an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy-related considerations.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGetting started\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce the decision is made to develop a new system, intake and other foundational activities will start. This phase requires meetings with various groups across CMS to ensure that resources are used efficiently, governance processes are followed, and security requirements are met.\u003c/p\u003e\u003ch4\u003eDetermine a hosting solution\u003c/h4\u003e\u003cp\u003eIt is important to decide on the primary hosting location for the solution. Hosting the solution within CMS – for example, using \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud Services\u003c/a\u003e – instead of using vendor-provided hosting locations is much preferred. Leveraging CMS hosting allows the team to access a wide variety of services from CMS. This saves time and money on compliance, so the team is less likely to have to cut implementation scope to stay on budget. 
This should be the primary goal at this point in the process.\u003c/p\u003e\u003ch4\u003eComplete Appendix A\u003c/h4\u003e\u003cp\u003eTo ensure that the contract for developing a new system includes the appropriate security measures, the system stakeholders (such as the Business Owner, Privacy SME, ISSO, and CRA) must complete the document \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eCMS Security and Privacy Requirements for IT Procurements\u003c/a\u003e. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations. Part of this process includes completing \"Appendix A\" of this document, which is signed by the CMS Chief Information Security Officer (CISO) and the CMS Senior Official for Privacy (SOP).\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Security-and-Privacy-Language-for-Procurements\"\u003eLearn more about security and privacy requirements for CMS technology procurements.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eComplete EASi intake form\u003c/h4\u003e\u003cp\u003eIf you decide to create a new solution at CMS, the \u003ca href=\"https://impl.easi.cms.gov/\"\u003eEasy Access to System Information (EASi)\u003c/a\u003e system helps you get started by automating the governance process and connecting you and your contract to funding at CMS. The Business Owner submits an intake form in EASi to start the governance process and get a Life Cycle ID for their system. 
This is required for every CMS system, and key to securing funding for a new project.\u003c/p\u003e\u003ch4\u003eConsult with Governance Review Team (GRT)\u003c/h4\u003e\u003cp\u003eSubmitting the intake form engages the Governance Review Team (GRT), which works with the Business Owner, the Enterprise Architecture (EA) team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with pursuing an ATO for a new system, this iterative and collaborative process should result in a strong business case to present to the Governance Review Board (GRB).\u003c/p\u003e\u003ch4\u003ePresent to the Governance Review Board (GRB)\u003c/h4\u003e\u003cp\u003eOnce they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. The presentation is reviewed by relevant SMEs followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue.\u003c/p\u003e\u003ch4\u003eComplete Enterprise Architecture Activities\u003c/h4\u003e\u003cp\u003eOnce the Business Owner selects their chosen path forward, they will work with Enterprise Architecture (EA) to complete a Core System Information Form. EA will then issue a Universally Unique Identifier (UUID), which allows the project to be entered into the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e. The Life Cycle ID and UUID will remain associated with the project for the duration of its life cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCreating an Authorization Package\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAfter the initial consultations and intake processes, the focus turns to Assessment and Authorization activities – the security-related steps required for ATO. 
An Authorization Package is the collection of documentation put together by the Business Owner and their team to prove that the system has been designed, built, tested, assessed, and categorized appropriately to meet ATO requirements.\u003c/p\u003e\u003cp\u003eAs you might imagine, collecting and submitting all required information can take a lot of time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.\u003c/p\u003e\u003ch4\u003eUse CFACTS to track compliance\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e is the tool used to track and manage the security and compliance of all CMS systems. Upon receipt of the UUID from Enterprise Architecture, ISPG enters the new system into CFACTS. To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. From this point on, the Business Owner and their team work together with various stakeholders to complete the required ATO documentation in CFACTS. Once all the documentation is compiled, the ISSO submits the \u003cstrong\u003eCMS System ATO Request Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for an existing system. 
ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch4\u003eCompile Tier 1 Documentation\u003c/h4\u003e\u003cp\u003eThe specific documents required are based on many factors and vary from system to system, but all projects should expect to provide the following Tier 1 Documentation:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation Security Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often called a Tabletop Exercise)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eCompile additional documentation\u003c/h4\u003e\u003cp\u003eAdditional documentation that is often required includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProject management personnel and policies\u003c/li\u003e\u003cli\u003eSecurity and privacy documentation\u003c/li\u003e\u003cli\u003eRisk assessment and abatement\u003c/li\u003e\u003cli\u003eArchitecture diagrams\u003c/li\u003e\u003cli\u003eHardware and software inventories\u003c/li\u003e\u003cli\u003eVulnerability scanning documentation\u003c/li\u003e\u003cli\u003eOpen \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlans of Action \u0026amp; Milestones (POA\u0026amp;Ms)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/isso-appointment-letter\"\u003eISSO Appointment Letter\u003c/a\u003e\u003c/li\u003e\u003cli\u003eTRB 
Letter\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-5-configuration-management-cm\"\u003eConfiguration Management\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBaseline security configurations\u003c/li\u003e\u003cli\u003eConfiguration compliance audits policies\u003c/li\u003e\u003cli\u003eMaintenance and update policies\u003c/li\u003e\u003cli\u003eCompliance monitoring tool output\u003c/li\u003e\u003cli\u003eMalware protection\u003c/li\u003e\u003cli\u003eUser ID conventions, group membership, and information system accounts for each component\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/system-audits\"\u003eAudit documentation\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSystem procedures manual\u003c/li\u003e\u003cli\u003eJob descriptions and personnel policies\u003c/li\u003e\u003cli\u003ePhysical access and remote work policies\u003c/li\u003e\u003cli\u003eData Use and Service Level Agreements\u003c/li\u003e\u003cli\u003eSource code\u003c/li\u003e\u003cli\u003eAnd others\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCategorization, boundary, and controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDuring the documentation process described above, the team will add all required information into CFACTS and work together to categorize the system, document the system boundary, and assign appropriate security controls. These activities formally define what kind of information the system handles, the level of risk associated with the system, and what kind of controls are necessary to manage that risk.\u003c/p\u003e\u003ch4\u003eCategorize the system\u003c/h4\u003e\u003cp\u003e“System categorization” is a required step for every information system with an ATO. 
The team will classify the system into one of three levels that represent the potential impact to organizations and individuals if the confidentiality, integrity, or availability of the system or its information were compromised.\u003c/p\u003e\u003cp\u003eAt the end of this process, the system will be categorized as High, Moderate, or Low impact according to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e. This impact level determines the baseline of controls the system must implement. The categorization also informs whether the system should be designated a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.\u003c/p\u003e\u003ch4\u003eDocument the system boundary\u003c/h4\u003e\u003cp\u003eNext, the team will document the system architecture, components, and boundary in CFACTS. The boundary separates what is part of the system from what is not. It is documented through network diagrams, hardware / software inventories, and narrative explanation.\u003c/p\u003e\u003cp\u003eIncluding a good boundary diagram makes assessments easier and expedites the ATO process. 
It should include information about what your team is directly responsible for building and maintaining – in addition to anything your system is connected to (or utilizing) that someone else is responsible for building and maintaining.\u003c/p\u003e\u003cp\u003eA boundary diagram should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInclude CMS shared services and how they connect to your system\u003c/li\u003e\u003cli\u003eShow the proxy used for URL filtering and allowlisting (whitelisting) of outbound traffic\u003c/li\u003e\u003cli\u003eShow separate S3 buckets for each subnet\u003c/li\u003e\u003cli\u003eDisplay zonal VRF between VDCs and AWS\u003c/li\u003e\u003cli\u003eInclude API consumers' internal access path(s)\u003c/li\u003e\u003cli\u003eDepict all AWS services being used\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team has questions about this, email the Technical Review Board at \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eAssign a control baseline\u003c/h4\u003e\u003cp\u003eBased on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate, or High. These controls follow the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e, which are the standards and controls for information security and privacy applied to CMS systems to mitigate risk. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO, and the CRA as the artifacts are reviewed and accepted.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop and Assess\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis phase is when the system is actually being designed, built, and deployed – using the requirements and user stories that will ensure the system meets business needs. 
At this point the system will be in a non-production environment, meaning it is not being formally used for its intended purpose yet (and is not publicly available).\u003c/p\u003e\u003cp\u003eThen the system must be assessed for security and compliance with CMS standards. This includes documenting and implementing all necessary controls, finalizing required artifacts and supplemental documentation, and completing testing and assessments. When all these steps are complete and documented, the system will ideally be granted an ATO so it can begin operating.\u003c/p\u003e\u003cp\u003eThere are some key steps to keep in mind as the new system enters the Develop and Assess phase.\u003c/p\u003e\u003ch3\u003eEstablish stakeholder communications\u003c/h3\u003e\u003cp\u003eThis part of the system life cycle is document-heavy and requires input from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eISSO Contracting Support (ISSOCS)\u003c/li\u003e\u003cli\u003eCyber Risk Advisor (CRA)\u003c/li\u003e\u003cli\u003eBusiness Owner (BO)\u003c/li\u003e\u003cli\u003ePenetration (Pen) Test Coordinator\u003c/li\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP) team (within ISPG)\u003c/li\u003e\u003cli\u003eSystem Developer and Maintainer (SDM)\u003c/li\u003e\u003cli\u003ePrivacy Subject Matter Expert (PSME)\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eDesign, develop, and deploy\u003c/h3\u003e\u003cp\u003eDesign and development is managed by the Business Owner (BO) and project team. 
The \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. Typically, the project team will work with the CMS Cloud Services team to provision the different environments – such as development, implementation, and production. \u003cstrong\u003eAs the system is developed, the project team should also move forward with documentation and other compliance activities\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eOnce the system is designed and developed, it is deployed in a non-production environment and tested for compliance with requirements and CMS standards. In order to become production ready, everything must comply with CMS \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e and meet the security, privacy, and accessibility standards outlined in the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eDefine the accreditation boundary\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/glossary/term/accreditation_boundary\"\u003eaccreditation boundary\u003c/a\u003e describes all components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. So it defines exactly what components and assets the ATO will cover.\u003c/p\u003e\u003cp\u003eWhen defining the accreditation boundary, assets are provided and supported by the CMS cloud service provider. 
Additionally, the Application Development Organization (ADO) – often a contractor – provides and supports components. Regardless of who provides a component, each project team is responsible for maintaining the assets within its accreditation boundary.\u003c/p\u003e\u003cp\u003eThe ISSO works with the project team to define the boundary according to the three-tier architecture set by the CMS Technical Review Board (TRB). If the system is hosted in the CMS Amazon Web Services (AWS) cloud GSS, it can access and use approved templates to simplify the process.\u003c/p\u003e\u003ch3\u003eImplement controls\u003c/h3\u003e\u003cp\u003eThe accreditation boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all ARS security controls in CFACTS, starting with any inheritable controls available. Inherited controls must still be recorded in CFACTS along with the provider they are inherited from, and the project team remains responsible for any part of a control that the provider does not cover.\u003c/p\u003e\u003cp\u003eImplementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate.\u003c/p\u003e\u003ch3\u003eConduct a system test\u003c/h3\u003e\u003cp\u003eWith all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end-to-end system specifications and make sure the system is working as expected. This test validates the complete and fully integrated software product, and involves the full project team.\u003c/p\u003e\u003ch3\u003eStart continuous monitoring\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.cisa.gov/\"\u003eCybersecurity and Infrastructure Security Agency (CISA)\u003c/a\u003e works with partners across government and the private sector to secure national infrastructure. 
A big part of this effort – the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program – is strengthening the cybersecurity of federal networks and systems.\u003c/p\u003e\u003cp\u003eAs part of the ATO process, the ISSO onboards each system to CDM in three stages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStage 1: Engage Data Center assessment\u003c/li\u003e\u003cli\u003eStage 2: Implement and integrate required capabilities\u003c/li\u003e\u003cli\u003eStage 3: Validate and verify data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system is also onboarded to the \u003ca href=\"https://security.cms.gov/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e Environment for cloud hosting (if applicable), and the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e for security monitoring, event management, and incident handling.\u003c/p\u003e\u003ch3\u003eComplete Tier 1–3 artifacts\u003c/h3\u003e\u003cp\u003eAs seen in the Initiate Phase, all systems require Tier 1 artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine the documentation required for their system and upload it to CFACTS.\u003c/p\u003e\u003ch3\u003eReview for assessment readiness\u003c/h3\u003e\u003cp\u003eOnce all controls, artifacts, and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessing and testing a new system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssessments and tests are conducted to ensure that the new system has implemented necessary security controls and meets CMS requirements. 
If the results show any unacceptable weaknesses in the system, the team will need to mitigate them before continuing the process to request ATO.\u003c/p\u003e\u003ch3\u003eSchedule tests promptly\u003c/h3\u003e\u003cp\u003eThe ISSO and project team will set the timing for the required \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e (or, alternatively, a \u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e). The ISSO reaches out to the PenTest Team and the CSRAP team to schedule the tests. \u003cstrong\u003eAs the team works, the timeline and schedule should be shared with the CRA\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003eConduct Penetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing (or PenTesting)\u003c/a\u003e helps determine the security of a system by attempting to exploit vulnerabilities. It mimics real-world scenarios to see if bad actors will be able to penetrate the system and cause harm to organizations or individuals.\u003c/p\u003e\u003cp\u003eThe ISSO and project team work with a PenTest coordinator to schedule and conduct the test. To avoid delays,\u003cstrong\u003e the pen test should be requested at least 3 months before the ATO deadline\u003c/strong\u003e. \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003eLearn all about PenTesting here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eAfter the test, the PenTest team will notify the project team of any issues, which must be mitigated within 25 days. 
If the issue can’t be resolved in 25 days, the team must create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e to manage it.\u003c/p\u003e\u003cp\u003eFinalized results from Penetration Testing are uploaded as a CAAT spreadsheet into CFACTS, and all parties (including the CISO team) are notified that the results are complete and available.\u003c/p\u003e\u003ch3\u003eConduct the Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with controls (which are still important), CSRAP facilitates and encourages risk-based decision making.\u003c/p\u003e\u003cp\u003eCSRAP focuses on the core controls that pose the highest risk to CMS and defines mission-oriented security objectives. CSRAP reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eLearn all about CSRAP here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eTo fulfill the CSRAP requirement, the ISSO works with the CSRAP team and project team to create and complete an assessment plan. \u003cstrong\u003eTo avoid delays, this assessment should be scheduled at least 3 months before the ATO deadline\u003c/strong\u003e. 
Once the CSRAP is complete, the CSRAP Final Package will be uploaded to CFACTS.\u003c/p\u003e\u003ch3\u003eCheck for 508 compliance\u003c/h3\u003e\u003cp\u003eWhile it is not an explicit requirement for ATO, accessibility is an important consideration for all project teams at CMS. \u003ca href=\"https://www.section508.gov/\"\u003eSection 508\u003c/a\u003e of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development, and deployment. \u003ca href=\"https://www.section508.gov/develop/\"\u003eSome 508 resources from GSA can be found here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eManage identified risks with POA\u0026amp;Ms\u003c/h3\u003e\u003cp\u003eAll information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and CSRAP assessment identify risks, the ISSO will work with the project team and CRA to create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003ePlan of Action and Milestones (POA\u0026amp;Ms) are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA\u0026amp;Ms to track and mitigate findings from assessments and audits. The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA\u0026amp;Ms. 
Learn all about managing POA\u0026amp;Ms in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS POA\u0026amp;M Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWith all documentation and assessments completed and uploaded to CFACTS, the ISSO can now request ATO certification. The ISSO submits the \u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO review and certification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including \u003ca href=\"https://www.fedramp.gov/\"\u003eFedRAMP\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system now officially has an ATO – “the authority to operate decision that culminates from the security authorization process of an information technology system in the U.S. federal government”. With a completed and approved ATO, the system moves into the Operate phase of its life cycle.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOperate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operate phase is what we think of as normal business operations. The system runs in a production environment, and the team does normal upgrades, enhancements and maintenance. 
The system is being used to achieve the business objectives stated in the Initiate phase.\u003c/p\u003e\u003cp\u003eTo remain compliant with the Authority to Operate (ATO), the Business Owner maintains the Target Life Cycle (TLC) System Profile with every production release. Annual security requirements such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound.\u003c/p\u003e\u003cp\u003eThe following maintenance issues must be supported throughout this phase:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrades\u003c/li\u003e\u003cli\u003eSystem software patches\u003c/li\u003e\u003cli\u003eHardware upgrades\u003c/li\u003e\u003cli\u003eModifications to interfaces with other systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring the Operate Phase the project team works with the Information System Security Officer (ISSO) to maintain current documentation and to support periodic reviews and audits. The inability to produce current documentation may impact a system’s ATO.\u003c/p\u003e\u003ch3\u003eConduct annual assessments\u003c/h3\u003e\u003cp\u003eEach system undergoes annual assessments and maintenance throughout their life cycle to ensure compliance with its ATO and identify potential vulnerabilities. 
These typically include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdating core documentation\u003c/li\u003e\u003cli\u003eUpdating the \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eConducting a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often in the form of a Tabletop Exercise)\u003c/li\u003e\u003cli\u003eUndergoing \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAddressing and closing any \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eAssessing controls\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRequest re-authorization\u003c/h3\u003e\u003cp\u003eEvery three years, a system's ATO is assessed for re-authorization. Much like the annual assessments, this includes a review of a subset of system controls and POA\u0026amp;Ms. Once the review is completed, the ISSO and Business Owner submit an ATO request form proving that all testing has been completed. ISPG then reviews the request form and renews the system authorization.\u003c/p\u003e\u003ch3\u003eUpdate ATO if system changes\u003c/h3\u003e\u003cp\u003eA significant change to a system can require an update to its ATO. A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system (see \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\"\u003eNIST SP 800-37\u003c/a\u003e for more information). 
This includes upgraded hardware or applications, changes in the information collected by the system or how the information is handled, changes to system ports or services, and more.\u003c/p\u003e\u003cp\u003eIf a system is undergoing a significant update, the Business Owner checks with the ISSO to see if an authorization change will be necessary. The ISSO completes a Security Impact Analysis (SIA). If it is determined that the update will not impact system security, the change is determined to be minor. In this case the only action is to update any relevant documentation in CFACTS.\u003c/p\u003e\u003cp\u003eIf the update is determined to be a significant change, the system could require a new ATO. In this case, the ISSO works with the BO and team to complete a new intake form.\u003c/p\u003e\u003ch3\u003eResolve cyber risk events\u003c/h3\u003e\u003cp\u003eAs more activities move online and to the cloud, the chance of cyber attacks and other risks goes up. If a risk event is identified, the ISSO and team must work quickly and collaboratively to isolate and resolve it. The ISSO must open an incident response ticket with the IT service desk to start an investigation. (This is done in \u003ca href=\"https://cmsitsm.servicenowservices.com/connect\"\u003eServiceNOW\u003c/a\u003e). They will execute the CMS incident management lifecycle process to address any actual or false positive events.\u003c/p\u003e\u003cp\u003eOnce the risk is under control, system security should be reviewed and updated to lower the chances of the risk recurring in the future. The updates must be tested to ensure they both remediated the risk and that they haven't negatively impacted any other systems. 
\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eLearn more about Incident Response here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system continues to operate – undergoing assessment, reassessment, and change management – through the end of its contract or useful life. Once it reaches either of these milestones, the system transitions to the Retirement phase.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRetire\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA system moves to the Retire phase once it reaches the end of its useful life or the end of its contract. At this point, the decision is made to shut it down through a managed process outlined in the System Disposition Checklist. This ensures compliance with federal guidelines when retiring a government IT system. There are many aspects to consider, including the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRecords retention\u003c/li\u003e\u003cli\u003eInformation security\u003c/li\u003e\u003cli\u003eInvestment close-out procedures\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Business Owner (BO) and Information System Security Officer (ISSO) conduct a thorough planning process to define all tasks to decommission the system. There are several documents that must be completed by the ISSO and Project team and signed by the BO and/or the ISSO.\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Disposition Checklist\u003c/li\u003e\u003cli\u003eSystem Disposition Plan\u003c/li\u003e\u003cli\u003eSystem Retirement Memo\u003c/li\u003e\u003cli\u003eCertificate of Destruction\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAny remaining activities must be transitioned to a different process or system. All contracts are closed and data is archived according to the System of Record Notice (SORN) or other guidelines. 
Any remaining hardware must be disposed of according to federal best practices.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTypes of authorizations\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery system that is integrated at CMS—either built in-house or contracted—must get a compliance authorization to operate and access government data. This ensures that the agency is aware of all components interacting with its data, and that each system can be monitored for compliance and risk mitigation. This helps safeguard sensitive personal information, manage the risk to critical infrastructure, and address cybersecurity issues when they arise.\u003c/p\u003e\u003cp\u003eIf you are introducing a new system at CMS, you must go through the security and compliance process.\u003c/p\u003e\u003cp\u003eCMS recognizes that every system is unique and that a one-size-fits-all approach won’t work. There are several different types of compliance authorizations provided by CMS to manage agency-wide risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthority to Operate (ATO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs explained above, the Authority to Operate (ATO) is awarded by the CMS Authorization Official (AO) to systems that meet requisite security requirements. Typically, ATOs grant a system compliance for three years, although there are circumstances where CMS will authorize a system for a shorter period of time (see more information about this below).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should ATO be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInformation systems that intend to operate for three years or more are required to get an ATO. 
This includes projects that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore, process, and distribute Personally Identifiable Information (PII), Personal Health Information (PHI), or other sensitive information\u003c/li\u003e\u003cli\u003eHave been reviewed and approved through the existing CMS governance process (EASi)\u003c/li\u003e\u003cli\u003eHave funding and contracting vehicles to develop, implement and maintain a FISMA information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eLearn more about the process and requirements for ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eGetting authorization for a system to operate through \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization (OA)\u003c/a\u003e is a new initiative at CMS. Its goal is to fundamentally change authorization and compliance from reactive evaluation to proactive, ongoing monitoring. Rather than subjecting project teams to the current 3-year compliance cycle, the OA approach provides real-time data about a system’s security posture.\u003c/p\u003e\u003cp\u003eOA is equivalent to ATO in that it gives systems the authorization to operate, but it’s done through automation and continuous assessment of risk, instead of through documentation-heavy compliance processes. This reduces the load on Business Owners, ISSOs, and project teams – while providing CMS a clearer picture of its risk level at any given moment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should OA be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools. 
Additionally, all \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/ongoing-authorization\"\u003eLearn more about the process and requirements for OA.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRe-authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA system may need to be reassessed and re-authorized if the application team is planning to make significant changes. When changes to a system are being planned, the team completes a \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis (SIA)\u003c/a\u003e to determine how the changes will impact the system’s security and ATO.\u003c/p\u003e\u003cp\u003eIf the change is significant and the analysis reveals that re-authorization is necessary, the team schedules a CSRAP assessment to determine if there are any potential findings (risks). If there are findings, the team works to mitigate them. 
Once findings are mitigated to an acceptable level, the Cyber Risk Advisor (CRA) presents the case for the re-authorization to the Business Owner for a new ATO letter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should re-authorization be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eChanges to a system that are considered “significant” and may require re-authorization include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem security boundary\u003c/li\u003e\u003cli\u003eEncryption methodologies\u003c/li\u003e\u003cli\u003eAdministrative functionality within the application\u003c/li\u003e\u003cli\u003eThe kinds of information stored (for example, PII)\u003c/li\u003e\u003cli\u003eThe external services used or how/what data flows to/from them\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eExample changes that \u003cstrong\u003edo not require re-authorization\u003c/strong\u003e, as long as they don’t include the above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFeatures and functionality\u003c/li\u003e\u003cli\u003eBug fixes\u003c/li\u003e\u003cli\u003eInterface changes\u003c/li\u003e\u003cli\u003eDocumentation updates\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eATO stakeholders\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe process of gaining and maintaining Authorization to Operate (ATO) involves many stakeholders across the organization. It’s important for each person or group to understand their responsibilities and to communicate clearly with other stakeholders during the process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy. 
From setting policy and guidance to approving Authorizations to Operate (ATOs), the CISO drives information security at CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements\u003c/li\u003e\u003cli\u003eDelegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process\u003c/li\u003e\u003cli\u003eApprove ISSO appointments from the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with stakeholders to ensure compliance with control family requirements\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of flagged systems until the AO orders reconnection\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Continuous Tracking System (CFACTS). 
They act as the subject matter expert in all areas of the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework (RMF)\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eEvaluate and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the Authorizing Official (AO)\u003c/li\u003e\u003cli\u003eHelp ensure that all requirements of the CMS ARS and \u003ca href=\"/learn/cms-security-and-privacy-handbooks\"\u003ethe procedures of the Risk Management Handbook (RMH) \u003c/a\u003eare implemented\u003c/li\u003e\u003cli\u003eParticipate in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs based on security, functionality, and cost\u003c/li\u003e\u003cli\u003eFor each system, coordinate with Data Guardian, System Owner, Business Owner, and ISSO to identify types of information processed, assign security categorizations, and manage information security and privacy risk\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC and results are considered during the development phase\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed information security and privacy artifacts to make recommendations to the ISSO\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. 
BOs are not expected to be technical or security experts, but their participation and collaboration is critical to the success of the ATO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDuring an ATO, the BO works closely with technical and security stakeholders – particularly the ISSO – to ensure that the data and information in their system is properly documented and managed. Working with their team, the BO’s responsibilities include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDocument and Protect PII and PHI\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf\"\u003eCMS Policy for IT Investment Management \u0026amp; Governance\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI\u003cul\u003e\u003cli\u003eEnsure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information system\u003c/li\u003e\u003cli\u003eDetermine information security and privacy impacts and manage risks\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the Senior Official for Privacy to ensure appropriate information security and privacy contracting language from relevant sources is included into each IT contract. 
Relevant sources must include, but are not limited to:\u003cul\u003e\u003cli\u003eHHS Office of the Assistant Secretary for Financial Resources (ASFR)\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eManage CMS Data Privacy and Security\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwn and manage access to the information stored, processed, or transmitted in the system\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems\u003c/li\u003e\u003cli\u003eVerify that CMS programs and systems only disclose the minimum data necessary\u003c/li\u003e\u003cli\u003eConfirm adequate security and privacy controls are in place to protect CMS systems\u003c/li\u003e\u003cli\u003ePrepare \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessments (PIAs)\u003c/a\u003e for programs or systems with the direction from the CRA\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and help determine the appropriate action to make notification of privacy breaches and reporting, monitoring, tracking, and closure of incidents\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. 
They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process.\u003c/p\u003e\u003cp\u003eAn ISSO’s role in the ATO process – which overlaps with many ongoing duties related to system security – is outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eISSO Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Developer\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e, and the DevSecOps support team to help project teams build successful DevSecOps platforms and secure system ecosystems.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCreate, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:\u003cul\u003e\u003cli\u003eIntegrate requirements effectively into IT products and systems\u003c/li\u003e\u003cli\u003eEnsure requirements are adequately planned and addressed in all aspects of system architecture\u003c/li\u003e\u003cli\u003eIntegrate and deploy automated information security and privacy capabilities (as required)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISSO to identify the necessary information security and privacy controls for the system\u003c/li\u003e\u003cli\u003eFollow the CMS System Development Life Cycle (SDLC) in developing and 
maintaining a system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among the system's features and information security and privacy safeguards\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003ca href=\"https://www.cms.gov/tra/Home/Home.htm\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the Risk Management Framework tasks listed in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final\"\u003eNIST SP 800-37\u003c/a\u003e and the CMS Risk Management Handbook\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssessor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial, which means they are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems under assessment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssessors work with the ISSO and CRA to validate and verify that a system’s documented controls work. They use assessment cases to test the system. 
The process typically involves the following steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set\u003c/li\u003e\u003cli\u003eThe CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled\u003c/li\u003e\u003cli\u003eAt least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS\u003c/li\u003e\u003cli\u003eThe assessment begins once the funds are verified as available via the CAMS\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthorizing Official (AO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe AO is responsible for the overall impact categorization and risk acceptance. They determine if the risk of operating the system is acceptable, and if so, issue an Authority to Operate (ATO) for that system. They often designate this responsibility to one or more other people. At most federal agencies this role is performed by the Chief Information Officer (CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Tester (PenTester)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePenTesters test the security of a system by attempting to exploit vulnerabilities. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
After the test, a findings report is produced. At CMS, this service is offered and funded by the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003eLearn more about CMS PenTesting here.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram / Project Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThose who are trying to build/launch the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Architecture and Data Group (EA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. It helps project teams determine if there is a need to build a new system, and work through the IT governance process.\u003c/p\u003e\u003cp\u003eThe GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. 
Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1b:Tc210,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eInitiate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen a business need prompts the idea for a new system (or significant enhancements to a system) at CMS, the Business Owner and other key stakeholders must follow a governance process that makes use of existing resources and ensures the security of CMS information and systems. The first steps of the Initiate phase include documenting the business need and determining if a new system actually needs to be developed.\u003c/p\u003e\u003ch3\u003eDocument the business need\u003c/h3\u003e\u003cp\u003eAll new business needs and material changes to existing systems must be documented in the Initiate phase. During this period, the Business Owner will talk with knowledgeable stakeholders to learn about CMS infrastructure and existing assets. Together they will define and document the general business need or desired enhancement and explore solution options. 
These stakeholders often include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation Security and Privacy Group (ISPG)\u003c/li\u003e\u003cli\u003eOffice of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003cli\u003eGovernance Review Team (GRT)\u003c/li\u003e\u003cli\u003eGovernance Review Board (GRB)\u003c/li\u003e\u003cli\u003eOffice of Information Technology (OIT) Navigators\u003c/li\u003e\u003cli\u003eEnterprise Architecture (EA) Team\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli\u003eOffice of Financial Management (OFM)\u003c/li\u003e\u003cli\u003eSection 508 Team\u003c/li\u003e\u003cli\u003eVarious Subject Matter Experts (SMEs)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eConsider existing options\u003c/h3\u003e\u003cp\u003eAn important step in the governance process is to consider existing solution options at CMS to determine whether a new system is indeed necessary. In particular, \u003ca href=\"/learn/cms-cloud-services\"\u003e\u003cstrong\u003ecloud computing options\u003c/strong\u003e\u003c/a\u003e should be considered, such as Platform-as-a-Service (PaaS), \u003ca href=\"/learn/saas-governance-saasg\"\u003eSoftware-as-a-Service (SaaS)\u003c/a\u003e, and Infrastructure-as-a-Service (IaaS). CMS has a variety of cloud offerings available that help save time and money on development, compliance, and security. If an existing solution at CMS or HHS can be leveraged, there is no reason to duplicate efforts by developing a new system.\u003c/p\u003e\u003ch3\u003eDecide to proceed with a new system\u003c/h3\u003e\u003cp\u003eIf no solution exists to meet the need, the Business Owner and stakeholders will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. 
ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the Business Owner appoints an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy-related considerations.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGetting started\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce the decision is made to develop a new system, intake and other foundational activities will start. This phase requires meetings with various groups across CMS to ensure that resources are used efficiently, governance processes are followed, and security requirements are met.\u003c/p\u003e\u003ch4\u003eDetermine a hosting solution\u003c/h4\u003e\u003cp\u003eIt is important to decide on the primary hosting location for the solution. Hosting the solution within CMS – for example, using \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud Services\u003c/a\u003e – instead of using vendor-provided hosting locations is much preferred. Leveraging CMS hosting allows the team to access a wide variety of services from CMS. This saves time and money on compliance, so they don't have to worry about reducing cost on implementation to stay on budget. This should be the primary goal at this point in the process.\u003c/p\u003e\u003ch4\u003eComplete Appendix A\u003c/h4\u003e\u003cp\u003eTo ensure that the contract for developing a new system includes the appropriate security measures, the system stakeholders (such as the Business Owner, Privacy SME, ISSO, and CRA) must complete the document \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eCMS Security and Privacy Requirements for IT Procurements\u003c/a\u003e. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations. 
Part of this process includes completing \"Appendix A\" of this document, which is signed by the CMS Chief Information Security Officer (CISO) and the CMS Senior Official for Privacy (SOP).\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Security-and-Privacy-Language-for-Procurements\"\u003eLearn more about security and privacy requirements for CMS technology procurements here.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eComplete EASi intake form\u003c/h4\u003e\u003cp\u003eIf you decide to create a new solution at CMS, the \u003ca href=\"https://impl.easi.cms.gov/\"\u003eEasy Access to System Information (EASi)\u003c/a\u003e system helps you get started by automating the governance process and connecting you and your contract to funding at CMS. The Business Owner submits an intake form in EASi to start the governance process and get a Life Cycle ID for their system. This is required for every CMS system, and key to securing funding for a new project.\u003c/p\u003e\u003ch4\u003eConsult with Governance Review Team (GRT)\u003c/h4\u003e\u003cp\u003eSubmitting the intake form engages the Governance Review Team (GRT), who works with the Business Owner, the Enterprise Architecture (EA) team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with pursuing an ATO for a new system, this iterative and collaborative process should result in a strong business case to present to the Governance Review Board (GRB).\u003c/p\u003e\u003ch4\u003ePresent to the Governance Review Board (GRB)\u003c/h4\u003e\u003cp\u003eOnce they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. 
The presentation is reviewed by relevant SMEs, followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue.\u003c/p\u003e\u003ch4\u003eComplete Enterprise Architecture Activities\u003c/h4\u003e\u003cp\u003eOnce the Business Owner selects their chosen path forward, they will work with Enterprise Architecture (EA) to complete a Core System Information Form. EA will then issue a Universally Unique Identification (UUID) number, which allows the project to be entered into the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e. The Life Cycle ID and UUID numbers will remain associated with the project for the duration of its life cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCreating an Authorization Package\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAfter the initial consultations and intake processes, the focus turns to Assessment and Authorization activities – the security-related steps required for ATO. An Authorization Package is the collection of documentation put together by the Business Owner and their team to prove that the system has been designed, built, tested, assessed, and categorized appropriately to meet ATO requirements.\u003c/p\u003e\u003cp\u003eAs you might imagine, collecting and submitting all required information can take a lot of time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.\u003c/p\u003e\u003ch4\u003eUse CFACTS to track compliance\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e is the tool used to track and manage the security and compliance of all CMS systems. Upon receipt of the UUID number from Enterprise Architecture, ISPG enters the new system into CFACTS. 
To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. From this point on, the Business Owner and their team work together with various stakeholders to complete the required ATO documentation in CFACTS. Once all the documentation is compiled, the ISSO submits the \u003cstrong\u003eCMS System ATO Request Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch4\u003eCompile Tier 1 Documentation\u003c/h4\u003e\u003cp\u003eThe specific documents required are based on many factors and vary from system to system, but all projects should expect to provide the following Tier 1 Documentation:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation Security Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often called a Tabletop Exercise)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eCompile additional documentation\u003c/h4\u003e\u003cp\u003eAdditional documentation that is often required includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProject management personnel and policies\u003c/li\u003e\u003cli\u003eSecurity and privacy documentation\u003c/li\u003e\u003cli\u003eRisk assessment and 
abatement\u003c/li\u003e\u003cli\u003eArchitecture diagrams\u003c/li\u003e\u003cli\u003eHardware and software inventories\u003c/li\u003e\u003cli\u003eVulnerability scanning documentation\u003c/li\u003e\u003cli\u003eOpen \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (PO\u0026amp;AMs)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/isso-appointment-letter\"\u003eISSO Appointment Letter\u003c/a\u003e\u003c/li\u003e\u003cli\u003eTRB Letter\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-5-configuration-management-cm\"\u003eConfiguration Management\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBaseline security configurations\u003c/li\u003e\u003cli\u003eConfiguration compliance audits policies\u003c/li\u003e\u003cli\u003eMaintenance and update policies\u003c/li\u003e\u003cli\u003eCompliance monitoring tool output\u003c/li\u003e\u003cli\u003eMalware protection\u003c/li\u003e\u003cli\u003eUser ID conventions, group membership, and information system accounts for each component\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/system-audits\"\u003eAudit documentation\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSystem procedures manual\u003c/li\u003e\u003cli\u003eJob descriptions and personnel policies\u003c/li\u003e\u003cli\u003ePhysical access and remote work policies\u003c/li\u003e\u003cli\u003eData Use and Service Level Agreements\u003c/li\u003e\u003cli\u003eSource code\u003c/li\u003e\u003cli\u003eAnd others\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCategorization, boundary, and controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDuring the documentation process described above, the team will add all required information into CFACTS and work together to categorize the system, document the system boundary, and assign appropriate security controls. 
These activities formally define what kind of information the system handles, the level of risk associated with the system, and what kind of controls are necessary to manage that risk.\u003c/p\u003e\u003ch4\u003eCategorize the system\u003c/h4\u003e\u003cp\u003e“System categorization” is a required step for every information system with an ATO. The team will classify the system into one of three levels that represent the potential impact to organizations and individuals in the case of a security breach.\u003c/p\u003e\u003cp\u003eAt the end of this process, the system will be categorized as either High, Moderate, or Low risk according to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e. This will determine the required controls. In particular, this will also determine whether the system should be classified as a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.\u003c/p\u003e\u003ch4\u003eDocument the system boundary\u003c/h4\u003e\u003cp\u003eNext, the team will document the system architecture, components and boundary in CFACTS. The boundary separates what is part of the system from what is not. It is documented through network diagrams, hardware / software inventories, and narrative explanation.\u003c/p\u003e\u003cp\u003eIncluding a good boundary diagram makes assessments easier and expedites the ATO process. 
It should include information about what your team is directly responsible for building and maintaining – in addition to anything your system is connected to (or utilizing) that someone else is responsible for building and maintaining.\u003c/p\u003e\u003cp\u003eA boundary diagram should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInclude CMS shared services and how they connect to your system\u003c/li\u003e\u003cli\u003eShow the proxy (URL filtering and whitelisting of outbound traffic)\u003c/li\u003e\u003cli\u003eSeparate S3 buckets for each Subnet\u003c/li\u003e\u003cli\u003eDisplay zonal VRF between VDCs and AWS\u003c/li\u003e\u003cli\u003eInclude API consumers' internal access path(s)\u003c/li\u003e\u003cli\u003eDepict all AWS Services being used\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team has questions about this, email the Technical Review Board at \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003eAssign a control baseline\u003c/h4\u003e\u003cp\u003eBased on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate, or High. These controls follow the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e, which are the standards and controls for information security and privacy applied to CMS systems to mitigate risk. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO, and the CRA as the artifacts are reviewed and accepted.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop and Assess\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis phase is when the system is actually being designed, built, and deployed – using the requirements and user stories that will ensure the system meets business needs. 
At this point the system will be in a non-production environment, meaning it is not being formally used for its intended purpose yet (and is not publicly available).\u003c/p\u003e\u003cp\u003eThen the system must be assessed for security and compliance with CMS standards. This includes documenting and implementing all necessary controls, finalizing required artifacts and supplemental documentation, and completing testing and assessments. When all these steps are complete and documented, the system will ideally be granted an ATO so it can begin operating.\u003c/p\u003e\u003cp\u003eThere are some key steps to keep in mind as the new system enters the Develop and Assess phase.\u003c/p\u003e\u003ch3\u003eEstablish stakeholder communications\u003c/h3\u003e\u003cp\u003eThis part of the system life cycle is document-heavy and requires input from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eISSO Contracting Support (ISSOCS)\u003c/li\u003e\u003cli\u003eCyber Risk Advisor (CRA)\u003c/li\u003e\u003cli\u003eBusiness Owner (BO)\u003c/li\u003e\u003cli\u003ePenetration (Pen) Test Coordinator\u003c/li\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP) team (within ISPG)\u003c/li\u003e\u003cli\u003eSystem Developer and Maintainer (SDM)\u003c/li\u003e\u003cli\u003ePrivacy Subject Matter Expert (PSME)\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eDesign, develop, and deploy\u003c/h3\u003e\u003cp\u003eDesign and development is managed by the Business Owner (BO) and project team. 
The \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. Typically, the project team will work with the CMS Cloud Services team to provision the different environments – such as development, implementation, and production. \u003cstrong\u003eAs the system is developed, the project team should also move forward with documentation and other compliance activities\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eOnce the system is designed and developed, it is deployed in a non-production environment and tested for compliance with requirements and CMS standards. In order to become production ready, everything must comply with CMS \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e and meet the security, privacy, and accessibility standards outlined in the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eDefine the accreditation boundary\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/glossary/term/accreditation_boundary\"\u003eaccreditation boundary\u003c/a\u003e describes all components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. So it defines exactly what components and assets the ATO will cover.\u003c/p\u003e\u003cp\u003eWhen defining the accreditation boundary, assets are provided and supported by the CMS cloud service provider. 
Additionally, the Application Development Organization (ADO) – often a contractor – provides and supports components. Each project team is responsible for maintaining those assets within the accreditation boundary.\u003c/p\u003e\u003cp\u003eThe ISSO works with the project team to define the boundary according to the three-tier architecture set by the CMS Technical Review Board (TRB). If the system is hosted in the CMS Amazon Web Services (AWS) cloud GSS, it can access and use approved templates to simplify the process.\u003c/p\u003e\u003ch3\u003eImplement controls\u003c/h3\u003e\u003cp\u003eThe accreditation boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all ARS security controls in CFACTS, starting with any inheritable controls available.\u003c/p\u003e\u003cp\u003eImplementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate.\u003c/p\u003e\u003ch3\u003eConduct a system test\u003c/h3\u003e\u003cp\u003eWith all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end-to-end system specifications and make sure the system is working as expected. This test validates the complete and fully integrated software product, and involves the full project team.\u003c/p\u003e\u003ch3\u003eStart continuous monitoring\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.cisa.gov/\"\u003eCybersecurity and Infrastructure Security Agency (CISA)\u003c/a\u003e works with partners across government and the private sector to secure national infrastructure. 
A big part of this effort – the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program – is strengthening the cybersecurity of federal networks and systems.\u003c/p\u003e\u003cp\u003eAs part of the ATO process, the ISSO onboards each system to CDM in three stages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStage 1: Engage Data Center assessment\u003c/li\u003e\u003cli\u003eStage 2: Implement and integrate required capabilities\u003c/li\u003e\u003cli\u003eStage 3: Validate and verify data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system is also onboarded to the \u003ca href=\"https://security.cms.gov/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e Environment for cloud hosting (if applicable), and the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e for security monitoring, event management, and incident handling.\u003c/p\u003e\u003ch3\u003eComplete Tier 1–3 artifacts\u003c/h3\u003e\u003cp\u003eAs seen in the Initiate Phase, all systems require Tier 1 artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine the documentation required for their system and upload it to CFACTS.\u003c/p\u003e\u003ch3\u003eReview for assessment readiness\u003c/h3\u003e\u003cp\u003eOnce all controls, artifacts, and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessing and testing a new system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssessments and tests are conducted to ensure that the new system has implemented necessary security controls and meets CMS requirements. 
If the results show any unacceptable weaknesses in the system, the team will need to mitigate them before continuing the process to request ATO.\u003c/p\u003e\u003ch3\u003eSchedule tests promptly\u003c/h3\u003e\u003cp\u003eThe ISSO and project team will set the timing for the required \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e (or, alternatively, a \u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e). The ISSO reaches out to the PenTest Team and the CSRAP team to schedule the tests. \u003cstrong\u003eAs the team works, the timeline and schedule should be shared with the CRA\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003eConduct Penetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing (or PenTesting)\u003c/a\u003e helps determine the security of a system by attempting to exploit vulnerabilities. It mimics real-world scenarios to see if bad actors will be able to penetrate the system and cause harm to organizations or individuals.\u003c/p\u003e\u003cp\u003eThe ISSO and project team work with a PenTest coordinator to schedule and conduct the test. To avoid delays,\u003cstrong\u003e the pen test should be requested at least 3 months before the ATO deadline\u003c/strong\u003e. \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003eLearn all about PenTesting here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eAfter the test, the PenTest team will notify the project team of any issues, which must be mitigated within 25 days. 
If the issue can’t be resolved in 25 days, the team must create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e to manage it.\u003c/p\u003e\u003cp\u003eFinalized results from Penetration Testing are uploaded as a CAAT spreadsheet into CFACTS, and all parties (including the CISO team) are notified that the results are complete and available.\u003c/p\u003e\u003ch3\u003eConduct the Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with controls (which are still important), CSRAP facilitates and encourages risk-based decision making.\u003c/p\u003e\u003cp\u003eCSRAP focuses on the core controls that pose the highest risk to CMS and defines mission-oriented security objectives. CSRAP reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eLearn all about CSRAP here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eTo fulfill the CSRAP requirement, the ISSO works with the CSRAP team and project team to create and complete an assessment plan. \u003cstrong\u003eTo avoid delays, this assessment should be scheduled at least 3 months before the ATO deadline\u003c/strong\u003e. 
Once the CSRAP is complete, the CSRAP Final Package will be uploaded to CFACTS.\u003c/p\u003e\u003ch3\u003eCheck for 508 compliance\u003c/h3\u003e\u003cp\u003eWhile it is not an explicit requirement for ATO, accessibility is an important consideration for all project teams at CMS. \u003ca href=\"https://www.section508.gov/\"\u003eSection 508\u003c/a\u003e of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development, and deployment. \u003ca href=\"https://www.section508.gov/develop/\"\u003eSome 508 resources from GSA can be found here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eManage identified risks with POA\u0026amp;Ms\u003c/h3\u003e\u003cp\u003eAll information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and CSRAP assessment identify risks, the ISSO will work with the project team and CRA to create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003ePlan of Action and Milestones (POA\u0026amp;Ms) are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA\u0026amp;Ms to track and mitigate findings from assessments and audits. The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA\u0026amp;Ms. 
Learn all about managing POA\u0026amp;Ms in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS POA\u0026amp;M Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWith all documentation and assessments completed and uploaded to CFACTS, the ISSO can now request ATO certification. The ISSO submits the \u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO review and certification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including \u003ca href=\"https://www.fedramp.gov/\"\u003eFedRAMP\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system now officially has an ATO – “the authority to operate decision that culminates from the security authorization process of an information technology system in the U.S. federal government”. With a completed and approved ATO, the system moves into the Operate phase of its life cycle.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOperate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operate phase is what we think of as normal business operations. The system runs in a production environment, and the team does normal upgrades, enhancements and maintenance. 
The system is being used to achieve the business objectives stated in the Initiate phase.\u003c/p\u003e\u003cp\u003eTo remain compliant with the Authority to Operate (ATO), the Business Owner maintains the Target Life Cycle (TLC) System Profile with every production release. Annual security requirements such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound.\u003c/p\u003e\u003cp\u003eThe following maintenance issues must be supported throughout this phase:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrades\u003c/li\u003e\u003cli\u003eSystem software patches\u003c/li\u003e\u003cli\u003eHardware upgrades\u003c/li\u003e\u003cli\u003eModifications to interfaces with other systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring the Operate Phase the project team works with the Information System Security Officer (ISSO) to maintain current documentation and to support periodic reviews and audits. The inability to produce current documentation may impact a system’s ATO.\u003c/p\u003e\u003ch3\u003eConduct annual assessments\u003c/h3\u003e\u003cp\u003eEach system undergoes annual assessments and maintenance throughout their life cycle to ensure compliance with its ATO and identify potential vulnerabilities. 
These typically include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdating core documentation\u003c/li\u003e\u003cli\u003eUpdating the \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eConducting a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often in the form of a Tabletop Exercise)\u003c/li\u003e\u003cli\u003eUndergoing \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAddressing and closing any \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eAssessing controls\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRequest re-authorization\u003c/h3\u003e\u003cp\u003eEvery three years, a system's ATO is assessed for re-authorization. Much like the annual assessments, this includes a review of a subset of system controls and POA\u0026amp;Ms. Once the review is completed, the ISSO and Business Owner submit an ATO request form proving that all testing has been completed. ISPG then reviews the request form and renews the system authorization.\u003c/p\u003e\u003ch3\u003eUpdate ATO if system changes\u003c/h3\u003e\u003cp\u003eA significant change to a system can require an update to its ATO. A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system (see \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\"\u003eNIST SP 800-37\u003c/a\u003e for more information). 
This includes upgraded hardware or applications, changes in the information collected by the system or how the information is handled, changes to system ports or services, and more.\u003c/p\u003e\u003cp\u003eIf a system is undergoing a significant update, the Business Owner checks with the ISSO to see if an authorization change will be necessary. The ISSO completes a Security Impact Analysis (SIA). If it is determined that the update will not impact system security, the change is determined to be minor. In this case the only action is to update any relevant documentation in CFACTS.\u003c/p\u003e\u003cp\u003eIf the update is determined to be a significant change, the system could require a new ATO. In this case, the ISSO works with the BO and team to complete a new intake form.\u003c/p\u003e\u003ch3\u003eResolve cyber risk events\u003c/h3\u003e\u003cp\u003eAs more activities move online and to the cloud, the chance of cyber attacks and other risks go up. If a risk event is identified, the ISSO and team must work quickly and collaboratively to isolate and resolve it. The ISSO must open an incident response ticket with the IT service desk to start an investigation. (This is done in \u003ca href=\"https://cmsitsm.servicenowservices.com/connect\"\u003eServiceNOW\u003c/a\u003e). They will execute the CMS incident management lifecycle process to address any actual or false positive events.\u003c/p\u003e\u003cp\u003eOnce the risk is under control, system security should be reviewed and updated to lower the chances of the risk recurring in the future. The updates must be tested to ensure they both remediated the risk and that they haven't negatively impacted any other systems. 
\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eLearn more about Incident Response here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system continues to operate – undergoing assessment, reassessment, and change management – through the end of its contract or useful life. Once it reaches either of these milestones, the system transitions to the Retirement phase.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRetire\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA system moves to the Retire phase once it reaches the end of its useful life or the end of its contract. At this point, the decision is made to shut it down through a managed process outlined in the System Disposition Checklist. This ensures compliance with federal guidelines when retiring a government IT system. There are many aspects to consider, including the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRecords retention\u003c/li\u003e\u003cli\u003eInformation security\u003c/li\u003e\u003cli\u003eInvestment close-out procedures\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Business Owner (BO) and Information System Security Officer (ISSO) conduct a thorough planning process to define all tasks to decommission the system. There are several documents that must be completed by the ISSO and Project team and signed by the BO and/or the ISSO.\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Disposition Checklist\u003c/li\u003e\u003cli\u003eSystem Disposition Plan\u003c/li\u003e\u003cli\u003eSystem Retirement Memo\u003c/li\u003e\u003cli\u003eCertificate of Destructions\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAny remaining activities must be transitioned to a different process or system. All contracts are closed and data is archived according to the System of Record Notice (SORN) or other guidelines. 
Any remaining hardware must be disposed of according to federal best practices.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTypes of authorizations\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery system that is integrated at CMS—either built in-house or contracted—must get a compliance authorization to operate and access government data. This ensures that the agency is aware of all components interacting with its data, and that each system can be monitored for compliance and risk mitigation. This helps safeguard sensitive personal information, manage the risk to critical infrastructure, and address cybersecurity issues when they arise.\u003c/p\u003e\u003cp\u003eIf you are introducing a new system at CMS, you must go through the security and compliance process.\u003c/p\u003e\u003cp\u003eCMS recognizes that every system is unique and that a one-size-fits-all approach won’t work. There are several different types of compliance authorizations provided by CMS to manage agency-wide risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthority to Operate (ATO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs explained above, the Authority to Operate (ATO) is awarded by the CMS Authorization Official (AO) to systems that meet requisite security requirements. Typically, ATOs grant a system compliance for three years, although there are circumstances where CMS will authorize a system for a shorter period of time (see more information about this below).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should ATO be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInformation systems that intend to operate for three years or more are required to get an ATO. 
This includes projects that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore, process, and distribute Personally Identifiable Information (PII), Personal Health Information (PHI), or other sensitive information\u003c/li\u003e\u003cli\u003eHave been reviewed and approved through the existing CMS governance process (EASi)\u003c/li\u003e\u003cli\u003eHave funding and contracting vehicles to develop, implement and maintain a FISMA information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eLearn more about the process and requirements for ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eGetting authorization for a system to operate through \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization (OA)\u003c/a\u003e is a new initiative at CMS. Its goal is to fundamentally change authorization and compliance from reactive evaluation to proactive, ongoing monitoring. Rather than subjecting project teams to the current 3-year compliance cycle, the OA approach provides real-time data about a system’s security posture.\u003c/p\u003e\u003cp\u003eOA is equivalent to ATO in that it gives systems the authorization to operate, but it’s done through automation and continuous assessment of risk, instead of through documentation-heavy compliance processes. This reduces the load on Business Owners, ISSOs, and project teams – while providing CMS a clearer picture of its risk level at any given moment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should OA be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools. 
Additionally, all \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/ongoing-authorization\"\u003eLearn more about the process and requirements for OA.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRe-authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA system may need to be reassessed and re-authorized if the application team is planning to make significant changes. When changes to a system are being planned, the team completes a \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis (SIA)\u003c/a\u003e to determine how the changes will impact the system’s security and ATO.\u003c/p\u003e\u003cp\u003eIf the change is significant and the analysis reveals that re-authorization is necessary, the team schedules a CSRAP assessment to determine if there are any potential findings (risks). If there are findings, the team works to mitigate them. 
Once findings are mitigated to an acceptable level, the Cyber Risk Advisor (CRA) presents the case for the re-authorization to the Business Owner for a new ATO letter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should re-authorization be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eChanges to a system that are considered “significant” and may require re-authorization include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem security boundary\u003c/li\u003e\u003cli\u003eEncryption methodologies\u003c/li\u003e\u003cli\u003eAdministrative functionality within the application\u003c/li\u003e\u003cli\u003eThe kinds of information stored (for example, PII)\u003c/li\u003e\u003cli\u003eThe external services used or how/what data flows to/from them\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eExample changes that \u003cstrong\u003edo not require re-authorization\u003c/strong\u003e, as long as they don’t include the above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFeatures and functionality\u003c/li\u003e\u003cli\u003eBug fixes\u003c/li\u003e\u003cli\u003eInterface changes\u003c/li\u003e\u003cli\u003eDocumentation updates\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eATO stakeholders\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe process of gaining and maintaining Authorization to Operate (ATO) involves many stakeholders across the organization. It’s important for each person or group to understand their responsibilities and to communicate clearly with other stakeholders during the process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy. 
From setting policy and guidance to approving Authorizations to Operate (ATOs), the CISO drives information security at CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements\u003c/li\u003e\u003cli\u003eDelegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process\u003c/li\u003e\u003cli\u003eApprove ISSO appointments from the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with stakeholders to ensure compliance with control family requirements\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of flagged systems until the AO orders reconnection\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Continuous Tracking System (CFACTS). 
They act as the subject matter expert in all areas of the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework (RMF)\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eEvaluate and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the Authorizing Official (AO)\u003c/li\u003e\u003cli\u003eHelp ensure that all requirements of the CMS ARS and \u003ca href=\"/learn/cms-security-and-privacy-handbooks\"\u003ethe procedures of the Risk Management Handbook (RMH) \u003c/a\u003eare implemented\u003c/li\u003e\u003cli\u003eParticipate in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs based on security, functionality, and cost\u003c/li\u003e\u003cli\u003eFor each system, coordinate with Data Guardian, System Owner, Business Owner, and ISSO to identify types of information processed, assign security categorizations, and manage information security and privacy risk\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC and results are considered during the development phase\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed information security and privacy artifacts to make recommendations to the ISSO\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. 
BOs are not expected to be technical or security experts, but their participation and collaboration are critical to the success of the ATO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDuring an ATO, the BO works closely with technical and security stakeholders – particularly the ISSO – to ensure that the data and information in their system is properly documented and managed. Working with their team, the BO’s responsibilities include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDocument and Protect PII and PHI\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf\"\u003eCMS Policy for IT Investment Management \u0026amp; Governance\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI\u003cul\u003e\u003cli\u003eEnsure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information system\u003c/li\u003e\u003cli\u003eDetermine information security and privacy impacts and manage risks\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the Senior Official for Privacy to ensure appropriate information security and privacy contracting language from relevant sources is included in each IT contract. 
Relevant sources must include, but are not limited to:\u003cul\u003e\u003cli\u003eHHS Office of the Assistant Secretary for Financial Resources (ASFR)\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eManage CMS Data Privacy and Security\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwn and manage access to the information stored, processed, or transmitted in the system\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems\u003c/li\u003e\u003cli\u003eVerify that CMS programs and systems only disclose the minimum data necessary\u003c/li\u003e\u003cli\u003eConfirm adequate security and privacy controls are in place to protect CMS systems\u003c/li\u003e\u003cli\u003ePrepare \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessments (PIAs)\u003c/a\u003e for programs or systems with the direction from the CRA\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and help determine the appropriate action to make notification of privacy breaches and reporting, monitoring, tracking, and closure of incidents\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. 
They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process.\u003c/p\u003e\u003cp\u003eAn ISSO’s role in the ATO process – which overlaps with many ongoing duties related to system security – is outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eISSO Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Developer\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e, and the DevSecOps support team to help project teams build successful DevSecOps platforms and secure system ecosystems.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCreate, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:\u003cul\u003e\u003cli\u003eIntegrate requirements effectively into IT products and systems\u003c/li\u003e\u003cli\u003eEnsure requirements are adequately planned and addressed in all aspects of system architecture\u003c/li\u003e\u003cli\u003eIntegrate and deploy automated information security and privacy capabilities (as required)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISSO to identify the necessary information security and privacy controls for the system\u003c/li\u003e\u003cli\u003eFollow the CMS System Development Life Cycle (SDLC) in developing and 
maintaining a system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among the system's features and information security and privacy safeguards\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003ca href=\"https://www.cms.gov/tra/Home/Home.htm\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the Risk Management Framework tasks listed in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final\"\u003eNIST SP 800-37\u003c/a\u003e and the CMS Risk Management Handbook\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssessor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial, which means they are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems under assessment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssessors work with the ISSO and CRA to validate and verify that a system’s documented controls work. They use assessment cases to test the system. 
The process typically involves the following steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set\u003c/li\u003e\u003cli\u003eThe CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled\u003c/li\u003e\u003cli\u003eAt least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS\u003c/li\u003e\u003cli\u003eThe assessment begins once the funds are verified as available via the CAMS\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthorizing Official (AO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe AO is responsible for the overall impact categorization and risk acceptance. They determine if the risk of operating the system is acceptable, and if so, issue an Authority to Operate (ATO) for that system. They often delegate this responsibility to one or more other people. At most federal agencies this role is performed by the Chief Information Officer (CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Tester (PenTester)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePenTesters test the security of a system by attempting to exploit vulnerabilities. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
After the test, a findings report is produced. At CMS, this service is offered and funded by the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003eLearn more about CMS PenTesting here.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram / Project Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThose who are trying to build/launch the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Architecture and Data Group (EA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. It helps project teams determine if there is a need to build a new system, and to work through the IT governance process.\u003c/p\u003e\u003cp\u003eThe GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. 
Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}\n1d:{\"self\":\"$1e\"}\n21:[\"menu_ui\",\"scheduler\"]\n20:{\"module\":\"$21\"}\n24:[]\n23:{\"available_menus\":\"$24\",\"parent\":\"\"}\n25:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n22:{\"menu_ui\":\"$23\",\"scheduler\":\"$25\"}\n1f:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$20\",\"third_party_settings\":\"$22\",\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1c:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":\"$1d\",\"attributes\":\"$1f\"}\n28:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}\n27:{\"self\":\"$28\"}\n29:{\"display_name\":\"mburgess\"}\n26:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":\"$27\",\"attributes\":\"$29\"}\n2c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n2b:{\"self\":\"$2c\"}\n2d:{\"display_name\":\"meg - 
retired\"}\n2a:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$2b\",\"attributes\":\"$2d\"}\n30:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}\n2f:{\"self\":\"$30\"}\n32:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n31:{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00"])</script><script>self.__next_f.push([1,"\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$32\"}\n36:{\"drupal_internal__target_id\":\"resource_type\"}\n35:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$36\"}\n38:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"}\n39:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}\n37:{\"related\":\"$38\",\"self\":\"$39\"}\n34:{\"data\":\"$35\",\"links\":\"$37\"}\n3c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"}\n3d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}\n3b:{\"related\":\"$3c\",\"self\":\"$3d\"}\n3a:{\"data\":null,\"links\":\"$3b\"}\n44:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n43:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$44\"}\n42:{\"help\":\"$43\"}\n41:{\"links\":\"$42\"}\n40:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$41\"}\n3f:[\"$40\"]\n46:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"}\n47:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}\n45:{\"related\":\"$46\",\"self\":\"$47\"}\n3e:{\"data\":\"$3f\",\"links\":\"$45\"}\n33:{\"vid\":\"$34\",\"revision_user\":\"$3a\",\"parent\":\"$3e\"}\n2e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":\"$2f\",\"attributes\":\"$31\",\"relationships\":\"$33\"}\n4a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n49:{\"self\":\"$4a\"}\n4c:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n4b:{\"drupal_intern"])</script><script>self.__next_f.push([1,"al__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor 
(CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4c\"}\n50:{\"drupal_internal__target_id\":\"roles\"}\n4f:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$50\"}\n52:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n53:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n51:{\"related\":\"$52\",\"self\":\"$53\"}\n4e:{\"data\":\"$4f\",\"links\":\"$51\"}\n56:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n57:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n55:{\"related\":\"$56\",\"self\":\"$57\"}\n54:{\"data\":null,\"links\":\"$55\"}\n5e:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n5d:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5e\"}\n5c:{\"help\":\"$5d\"}\n5b:{\"links\":\"$5c\"}\n5a:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$5b\"}\n59:[\"$5a\"]\n60:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n61:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5f:{\"related\":\"$60\",\"self\":\"$61\"}\n58:{\"data\":\"$59\",\"links\":\"$5f\"}\n4d:{\"vid\":\"$4e\",\"revision_user\":\"$54\",\"parent\":\"$58\"}\n48:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$49\",\"attributes\":\"$4b\",\"relationships\":\"$4d\"}\n64:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles"])</script><script>self.__next_f.push([1,"/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n63:{\"self\":\"$64\"}\n66:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n65:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer 
(ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$66\"}\n6a:{\"drupal_internal__target_id\":\"roles\"}\n69:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$6a\"}\n6c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n6d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n6b:{\"related\":\"$6c\",\"self\":\"$6d\"}\n68:{\"data\":\"$69\",\"links\":\"$6b\"}\n70:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n71:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n6f:{\"related\":\"$70\",\"self\":\"$71\"}\n6e:{\"data\":null,\"links\":\"$6f\"}\n78:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n77:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$78\"}\n76:{\"help\":\"$77\"}\n75:{\"links\":\"$76\"}\n74:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$75\"}\n73:[\"$74\"]\n7a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n7b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n79:{\"related\":\"$7a\",\"self\":\"$7b\"}\n72:{\"data\":\"$73\",\"links\":\"$79\"}\n67:{\"vid\":\"$68\",\"revision_user\":\"$6e\",\"parent\":\"$72\"}\n62:{\"type\":\"taxonomy_term--roles\",\"i"])</script><script>self.__next_f.push([1,"d\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$63\",\"attributes\":\"$65\",\"relationships\":\"$67\"}\n7e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n7d:{\"self\":\"$7e\"}\n80:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7f:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$80\"}\n84:{\"drupal_internal__target_id\":\"roles\"}\n83:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$84\"}\n86:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n87:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n85:{\"related\":\"$86\",\"self\":\"$87\"}\n82:{\"data\":\"$83\",\"links\":\"$85\"}\n8a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\n8b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\n89:{\"related\":\"$8a\",\"self\":\"$8b\"}\n88:{\"data\":null,\"links\":\"$89\"}\n92:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\n91:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$92\"}\n90:{\"help\":\"$91\"}\n8f:{\"links\":\"$90\"}\n8e:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8f\"}\n8d:[\"$8e\"]\n94:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\n95:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\n93:{\"related"])</script><script>self.__next_f.push([1,"\":\"$94\",\"self\":\"$95\"}\n8c:{\"data\":\"$8d\",\"links\":\"$93\"}\n81:{\"vid\":\"$82\",\"revision_user\":\"$88\",\"parent\":\"$8c\"}\n7c:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$7d\",\"attributes\":\"$7f\",\"relationships\":\"$81\"}\n98:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}\n97:{\"self\":\"$98\"}\n9a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n99:{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System 
Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$9a\"}\n9e:{\"drupal_internal__target_id\":\"topics\"}\n9d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$9e\"}\na0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"}\na1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}\n9f:{\"related\":\"$a0\",\"self\":\"$a1\"}\n9c:{\"data\":\"$9d\",\"links\":\"$9f\"}\na4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"}\na5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}\na3:{\"related\":\"$a4\",\"self\":\"$a5\"}\na2:{\"data\":null,\"links\":\"$a3\"}\nac:{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}\nab:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$ac\"}\naa:{\"help\":\"$ab\"}\na9:{\"links\":\"$aa\"}\na8:{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$a9\"}\na7:[\"$a8\"]\nae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"}\naf:{\"href\":\"h"])</script><script>self.__next_f.push([1,"ttps://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}\nad:{\"related\":\"$ae\",\"self\":\"$af\"}\na6:{\"data\":\"$a7\",\"links\":\"$ad\"}\n9b:{\"vid\":\"$9c\",\"revision_user\":\"$a2\",\"parent\":\"$a6\"}\n96:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":\"$97\",\"attributes\":\"$99\",\"relationships\":\"$9b\"}\nb2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07?resourceVersion=id%3A18928\"}\nb1:{\"self\":\"$b2\"}\nb4:[]\nb6:Te02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is ATO?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery information system operated by or on behalf of the U.S. federal government is required to meet \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFISMA standards\u003c/a\u003e, which include system authorization (ATO) signed by an Authorizing Official (AO). This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.\u003c/p\u003e\u003cp\u003eWhen this process is successfully completed, an Authorization to Operate (ATO) is signed and the system can be utilized at CMS. 
However, the ATO process requires months of planning, scheduling, testing, documenting, and collaborating with various individuals and groups across CMS – so you should start working on your ATO as soon as possible.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is the ATO process?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process is built around the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eRisk Management Framework\u003c/a\u003e from the \u003ca href=\"/learn/national-institute-standards-and-technology-nist\"\u003eNational Institute of Standards and Technology (NIST)\u003c/a\u003e. This framework is based on the idea that no system is ever 100% secure – risk is always present and evolving. So the best practice is to take a risk-based approach to system security, as laid out in the NIST Risk Management Framework (and reflected in the ATO process):\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e: Perform essential activities to prepare the organization to manage security and privacy risks\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCategorize\u003c/strong\u003e: Categorize the system and information processed, stored, and transmitted based on an impact analysis\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSelect\u003c/strong\u003e: Select the set of \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e controls to protect the system based on risk assessment(s)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImplement\u003c/strong\u003e: Implement the controls and document how the controls are deployed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAssess\u003c/strong\u003e: Assess to determine if the controls are in place, operating as intended, and producing the desired results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAuthorize\u003c/strong\u003e: Senior 
official makes a risk-based decision to authorize the system (to operate)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e: Continuously monitor control implementation and risks to the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen this process is followed for every information system, CMS can track and manage the risk exposure of individual systems and the agency at large – ensuring the protection of critical resources and sensitive information.\u003c/p\u003e\u003cp\u003eHowever, this is a complex and documentation-heavy process that spans the whole life cycle of a FISMA system. It can be challenging to keep in mind the specific steps that need to be taken in order to obtain and maintain ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO and your system’s life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process can be mapped to the System Development Life Cycle (SDLC) so that it’s easier to see what activities should be completed at each stage. At CMS, this means the steps will align to the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e – the system development governance process that all CMS systems must follow. These phases are briefly summarized below, with links to details that will help you plan ATO activities for your system’s whole life cycle.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"b7:Te02,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eWhat is ATO?\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery information system operated by or on behalf of the U.S. federal government is required to meet \u003ca href=\"/learn/federal-information-systems-management-act-fisma\"\u003eFISMA standards\u003c/a\u003e, which include system authorization (ATO) signed by an Authorizing Official (AO). 
This means that before a system can be deployed into production at CMS, the Business Owner and other stakeholders must go through the process of testing and documenting the system’s security to demonstrate its compliance with federal requirements.\u003c/p\u003e\u003cp\u003eWhen this process is successfully completed, an Authorization to Operate (ATO) is signed and the system can be utilized at CMS. However, the ATO process requires months of planning, scheduling, testing, documenting, and collaborating with various individuals and groups across CMS – so you should start working on your ATO as soon as possible.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eWhat is the ATO process?\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process is built around the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eRisk Management Framework\u003c/a\u003e from the \u003ca href=\"/learn/national-institute-standards-and-technology-nist\"\u003eNational Institute of Standards and Technology (NIST)\u003c/a\u003e. This framework is based on the idea that no system is ever 100% secure – risk is always present and evolving. 
So the best practice is to take a risk-based approach to system security, as laid out in the NIST Risk Management Framework (and reflected in the ATO process):\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003cstrong\u003ePrepare\u003c/strong\u003e: Perform essential activities to prepare the organization to manage security and privacy risks\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eCategorize\u003c/strong\u003e: Categorize the system and information processed, stored, and transmitted based on an impact analysis\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eSelect\u003c/strong\u003e: Select the set of \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\"\u003eNIST SP 800-53\u003c/a\u003e controls to protect the system based on risk assessment(s)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eImplement\u003c/strong\u003e: Implement the controls and document how the controls are deployed\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAssess\u003c/strong\u003e: Assess to determine if the controls are in place, operating as intended, and producing the desired results\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eAuthorize\u003c/strong\u003e: Senior official makes a risk-based decision to authorize the system (to operate)\u003c/li\u003e\u003cli\u003e\u003cstrong\u003eMonitor\u003c/strong\u003e: Continuously monitor control implementation and risks to the system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eWhen this process is followed for every information system, CMS can track and manage the risk exposure of individual systems and the agency at large – ensuring the protection of critical resources and sensitive information.\u003c/p\u003e\u003cp\u003eHowever, this is a complex and documentation-heavy process that spans the whole life cycle of a FISMA system. 
It can be challenging to keep in mind the specific steps that need to be taken in order to obtain and maintain ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO and your system’s life cycle\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ATO process can be mapped to the System Development Life Cycle (SDLC) so that it’s easier to see what activities should be completed at each stage. At CMS, this means the steps will align to the \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eTarget Life Cycle (TLC)\u003c/a\u003e – the system development governance process that all CMS systems must follow. These phases are briefly summarized below, with links to details that will help you plan ATO activities for your system’s whole life cycle.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"b5:{\"value\":\"$b6\",\"format\":\"body_text\",\"processed\":\"$b7\"}\nb3:{\"drupal_internal__id\":711,\"drupal_internal__revision_id\":18928,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:11+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$b4\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$b5\"}\nbb:{\"drupal_internal__target_id\":\"page_section\"}\nba:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$bb\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/paragraph_type?resourceVersion=id%3A18928\"}\nbe:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/relationships/paragraph_type?resourceVersion=id%3A18928\"}\nbc:{\"related\":\"$bd\",\"self\":\"$be\"}\nb9:{\"data\":\"$ba\",\"links\":\"$bc\"}\nc1:{\"target_revision_id\":18927,\"drupal_internal__target_id\":706}\nc0:{\"type\":\"paragraph--process_list\",\"id\":\"b5
286761-357f-429f-8502-dd7459bb3e58\",\"meta\":\"$c1\"}\nc3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/field_specialty_item?resourceVersion=id%3A18928\"}\nc4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/relationships/field_specialty_item?resourceVersion=id%3A18928\"}\nc2:{\"related\":\"$c3\",\"self\":\"$c4\"}\nbf:{\"data\":\"$c0\",\"links\":\"$c2\"}\nb8:{\"paragraph_type\":\"$b9\",\"field_specialty_item\":\"$bf\"}\nb0:{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"links\":\"$b1\",\"attributes\":\"$b3\",\"relationships\":\"$b8\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df?resourceVersion=id%3A18929\"}\nc6:{\"self\":\"$c7\"}\nc9:[]\ncb:Tc210,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eInitiate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen a business need prompts the idea for a new system (or significant enhancements to a system) at CMS, the Business Owner and other key stakeholders must follow a governance process that makes use of existing resources and ensures the security of CMS information and systems. The first steps of the Initiate phase include documenting the business need and determining if a new system actually needs to be developed.\u003c/p\u003e\u003ch3\u003eDocument the business need\u003c/h3\u003e\u003cp\u003eAll new business needs and material changes to existing systems must be documented in the Initiate phase. During this period, the Business Owner will talk with knowledgeable stakeholders to learn about CMS infrastructure and existing assets. Together they will define and document the general business need or desired enhancement and explore solution options. 
These stakeholders often include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation Security and Privacy Group (ISPG)\u003c/li\u003e\u003cli\u003eOffice of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003cli\u003eGovernance Review Team (GRT)\u003c/li\u003e\u003cli\u003eGovernance Review Board (GRB)\u003c/li\u003e\u003cli\u003eOffice of Information Technology (OIT) Navigators\u003c/li\u003e\u003cli\u003eEnterprise Architecture (EA) Team\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli\u003eOffice of Financial Management (OFM)\u003c/li\u003e\u003cli\u003eSection 508 Team\u003c/li\u003e\u003cli\u003eVarious Subject Matter Experts (SMEs)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eConsider existing options\u003c/h3\u003e\u003cp\u003eAn important step in the governance process is to consider existing solution options at CMS to determine whether a new system is indeed necessary. In particular, \u003ca href=\"/learn/cms-cloud-services\"\u003e\u003cstrong\u003ecloud computing options\u003c/strong\u003e\u003c/a\u003e should be considered, such as Platform-as-a-Service (PaaS), \u003ca href=\"/learn/saas-governance-saasg\"\u003eSoftware-as-a-Service (SaaS)\u003c/a\u003e, and Infrastructure-as-a-Service (IaaS). CMS has a variety of cloud offerings available that help save time and money on development, compliance, and security. If an existing solution at CMS or HHS can be leveraged, there is no reason to duplicate efforts by developing a new system.\u003c/p\u003e\u003ch3\u003eDecide to proceed with a new system\u003c/h3\u003e\u003cp\u003eIf no solution exists to meet the need, the Business Owner and stakeholders will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. 
ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the Business Owner appoints an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy-related considerations.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGetting started\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce the decision is made to develop a new system, intake and other foundational activities will start. This phase requires meetings with various groups across CMS to ensure that resources are used efficiently, governance processes are followed, and security requirements are met.\u003c/p\u003e\u003ch4\u003eDetermine a hosting solution\u003c/h4\u003e\u003cp\u003eIt is important to decide on the primary hosting location for the solution. Hosting the solution within CMS – for example, using \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud Services\u003c/a\u003e – instead of using vendor-provided hosting locations is much preferred. Leveraging CMS hosting allows the team to access a wide variety of services from CMS. This saves time and money on compliance, so they do not have to worry about reducing implementation costs to stay on budget. This should be the primary goal at this point in the process.\u003c/p\u003e\u003ch4\u003eComplete Appendix A\u003c/h4\u003e\u003cp\u003eTo ensure that the contract for developing a new system includes the appropriate security measures, the system stakeholders (such as the Business Owner, Privacy SME, ISSO, and CRA) must complete the document \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eCMS Security and Privacy Requirements for IT Procurements\u003c/a\u003e. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations. 
Part of this process includes completing \"Appendix A\" of this document, which is signed by the CMS Chief Information Security Officer (CISO) and the CMS Senior Official for Privacy (SOP).\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Security-and-Privacy-Language-for-Procurements\"\u003eLearn more about security and privacy requirements for CMS technology procurements here.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eComplete EASi intake form\u003c/h4\u003e\u003cp\u003eIf you decide to create a new solution at CMS, the \u003ca href=\"https://impl.easi.cms.gov/\"\u003eEasy Access to System Information (EASi)\u003c/a\u003e system helps you get started by automating the governance process and connecting you and your contract to funding at CMS. The Business Owner submits an intake form in EASi to start the governance process and get a Life Cycle ID for their system. This is required for every CMS system, and key to securing funding for a new project.\u003c/p\u003e\u003ch4\u003eConsult with Governance Review Team (GRT)\u003c/h4\u003e\u003cp\u003eSubmitting the intake form engages the Governance Review Team (GRT), who works with the Business Owner, the Enterprise Architecture (EA) team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with pursuing an ATO for a new system, this iterative and collaborative process should result in a strong business case to present to the Governance Review Board (GRB).\u003c/p\u003e\u003ch4\u003ePresent to the Governance Review Board (GRB)\u003c/h4\u003e\u003cp\u003eOnce they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. 
The presentation is reviewed by relevant SMEs followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue.\u003c/p\u003e\u003ch4\u003eComplete Enterprise Architecture Activities\u003c/h4\u003e\u003cp\u003eOnce the Business Owner selects their chosen path forward, they will work with Enterprise Architecture (EA) to complete a Core System Information Form. EA will then issue a Universally Unique Identification (UUID) number, which allows the project to be entered into the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e. The Life Cycle ID and UUID numbers will remain associated with the project for the duration of its life cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCreating an Authorization Package\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAfter the initial consultations and intake processes, the focus turns to Assessment and Authorization activities – the security-related steps required for ATO. An Authorization Package is the collection of documentation put together by the Business Owner and their team to prove that the system has been designed, built, tested, assessed, and categorized appropriately to meet ATO requirements.\u003c/p\u003e\u003cp\u003eAs you might imagine, collecting and submitting all required information can take a lot of time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.\u003c/p\u003e\u003ch4\u003eUse CFACTS to track compliance\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e is the tool used to track and manage the security and compliance of all CMS systems. Upon receiving the UUID number from Enterprise Architecture, ISPG enters the new system into CFACTS. 
To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. From this point on, the Business Owner and their team work together with various stakeholders to complete the required ATO documentation in CFACTS. Once all the documentation is compiled, the ISSO submits the \u003cstrong\u003eCMS System ATO Request Form\u003c/strong\u003e, which is completed and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch4\u003eCompile Tier 1 Documentation\u003c/h4\u003e\u003cp\u003eThe specific documents required are based on many factors and vary from system to system, but all projects should expect to provide the following Tier 1 Documentation:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation Security Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often called Tabletop Exercise)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eCompile additional documentation\u003c/h4\u003e\u003cp\u003eAdditional documentation that is often required includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProject management personnel and policies\u003c/li\u003e\u003cli\u003eSecurity and privacy documentation\u003c/li\u003e\u003cli\u003eRisk assessment and 
abatement\u003c/li\u003e\u003cli\u003eArchitecture diagrams\u003c/li\u003e\u003cli\u003eHardware and software inventories\u003c/li\u003e\u003cli\u003eVulnerability scanning documentation\u003c/li\u003e\u003cli\u003eOpen \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (PO\u0026amp;AMs)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/isso-appointment-letter\"\u003eISSO Appointment Letter\u003c/a\u003e\u003c/li\u003e\u003cli\u003eTRB Letter\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-5-configuration-management-cm\"\u003eConfiguration Management\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBaseline security configurations\u003c/li\u003e\u003cli\u003eConfiguration compliance audits policies\u003c/li\u003e\u003cli\u003eMaintenance and update policies\u003c/li\u003e\u003cli\u003eCompliance monitoring tool output\u003c/li\u003e\u003cli\u003eMalware protection\u003c/li\u003e\u003cli\u003eUser ID conventions, group membership, and information system accounts for each component\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/system-audits\"\u003eAudit documentation\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSystem procedures manual\u003c/li\u003e\u003cli\u003eJob descriptions and personnel policies\u003c/li\u003e\u003cli\u003ePhysical access and remote work policies\u003c/li\u003e\u003cli\u003eData Use and Service Level Agreements\u003c/li\u003e\u003cli\u003eSource code\u003c/li\u003e\u003cli\u003eAnd others\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCategorization, boundary, and controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDuring the documentation process described above, the team will add all required information into CFACTS and work together to categorize the system, document the system boundary, and assign appropriate security controls. 
These activities formally define what kind of information the system handles, the level of risk associated with the system, and what kind of controls are necessary to manage that risk.\u003c/p\u003e\u003ch4\u003eCategorize the system\u003c/h4\u003e\u003cp\u003e“System categorization” is a required step for every information system with an ATO. The team will classify the system into one of three levels that represent the potential impact to organizations and individuals in the case of a security breach.\u003c/p\u003e\u003cp\u003eAt the end of this process, the system will be categorized as either High, Moderate, or Low risk according to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e. This will determine the required controls. In particular, this will also determine whether the system should be classified as a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.\u003c/p\u003e\u003ch4\u003eDocument the system boundary\u003c/h4\u003e\u003cp\u003eNext, the team will document the system architecture, components and boundary in CFACTS. The boundary separates what is part of the system from what is not. It is documented through network diagrams, hardware / software inventories, and narrative explanation.\u003c/p\u003e\u003cp\u003eIncluding a good boundary diagram makes assessments easier and expedites the ATO process. 
It should include information about what your team is directly responsible for building and maintaining – in addition to anything your system is connected to (or utilizing) that someone else is responsible for building and maintaining.\u003c/p\u003e\u003cp\u003eA boundary diagram should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInclude CMS shared services and how they connect to your system\u003c/li\u003e\u003cli\u003eShow proxy - URL Filtering and whitelisting outbound traffic\u003c/li\u003e\u003cli\u003eSeparate S3 buckets for each Subnet\u003c/li\u003e\u003cli\u003eDisplay zonal VRF between VDCs and AWS\u003c/li\u003e\u003cli\u003eInclude API Consumers internal access path(s)\u003c/li\u003e\u003cli\u003eDepict all AWS Services being used\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team has questions about this, email the Technical Review Board at \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eAssign a control baseline\u003c/h4\u003e\u003cp\u003eBased on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate, or High. These controls follow the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e, which are the standards and controls for information security and privacy applied to CMS systems to mitigate risk. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO, and the CRA as the artifacts are reviewed and accepted.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop and Assess\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis phase is when the system is actually being designed, built, and deployed – using the requirements and user stories that will ensure the system meets business needs. 
At this point the system will be in a non-production environment, meaning it is not being formally used for its intended purpose yet (and is not publicly available).\u003c/p\u003e\u003cp\u003eThen the system must be assessed for security and compliance with CMS standards. This includes documenting and implementing all necessary controls, finalizing required artifacts and supplemental documentation, and completing testing and assessments. When all these steps are complete and documented, the system will ideally be granted an ATO so it can begin operating.\u003c/p\u003e\u003cp\u003eThere are some key steps to keep in mind as the new system enters the Develop and Assess phase.\u003c/p\u003e\u003ch3\u003eEstablish stakeholder communications\u003c/h3\u003e\u003cp\u003eThis part of the system life cycle is document-heavy and requires input from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eISSO Contracting Support (ISSOCS)\u003c/li\u003e\u003cli\u003eCyber Risk Advisor (CRA)\u003c/li\u003e\u003cli\u003eBusiness Owner (BO)\u003c/li\u003e\u003cli\u003ePenetration (Pen) Test Coordinator\u003c/li\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP) team (within ISPG)\u003c/li\u003e\u003cli\u003eSystem Developer and Maintainer (SDM)\u003c/li\u003e\u003cli\u003ePrivacy Subject Matter Expert (PSME)\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eDesign, develop, and deploy\u003c/h3\u003e\u003cp\u003eDesign and development is managed by the Business Owner (BO) and project team. 
The \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. Typically, the project team will work with the CMS Cloud Services team to provision the different environments – such as development, implementation, and production. \u003cstrong\u003eAs the system is developed, the project team should also move forward with documentation and other compliance activities\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eOnce the system is designed and developed, it is deployed in a non-production environment and tested for compliance with requirements and CMS standards. In order to become production ready, everything must comply with CMS \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e and meet the security, privacy, and accessibility standards outlined in the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eDefine the accreditation boundary\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/glossary/term/accreditation_boundary\"\u003eaccreditation boundary\u003c/a\u003e describes all components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. So it defines exactly what components and assets the ATO will cover.\u003c/p\u003e\u003cp\u003eWhen defining the accreditation boundary, assets are provided and supported by the CMS cloud service provider. 
Additionally, the Application Development Organization (ADO) – often a contractor – provides and supports components. Each project team is responsible for maintaining those assets within the accreditation boundary.\u003c/p\u003e\u003cp\u003eThe ISSO works with the project team to define the boundary according to the three-tier architecture set by the CMS Technical Review Board (TRB). If the system is hosted in the CMS Amazon Web Service (AWS) cloud GSS, it can access and use approved templates to simplify the process.\u003c/p\u003e\u003ch3\u003eImplement controls\u003c/h3\u003e\u003cp\u003eThe accreditation boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all ARS security controls in CFACTS, starting with any inheritable controls available.\u003c/p\u003e\u003cp\u003eImplementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate.\u003c/p\u003e\u003ch3\u003eConduct a system test\u003c/h3\u003e\u003cp\u003eWith all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end‐to‐end system specifications and make sure the system is working as expected. This test validates the complete and fully integrated software product, and involves the full project team.\u003c/p\u003e\u003ch3\u003eStart continuous monitoring\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.cisa.gov/\"\u003eCybersecurity and Infrastructure Security Agency (CISA)\u003c/a\u003e works with partners across government and the private sector to secure national infrastructure. 
A big part of this effort – the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program – is strengthening the cybersecurity of federal networks and systems.\u003c/p\u003e\u003cp\u003eAs part of the ATO process, the ISSO onboards each system to CDM in three stages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStage 1: Engage Data Center assessment\u003c/li\u003e\u003cli\u003eStage 2: Implement and integrate required capabilities\u003c/li\u003e\u003cli\u003eStage 3: Validate and verify data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system is also onboarded to the \u003ca href=\"https://security.cms.gov/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e Environment for cloud hosting (if applicable), and the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Operations Center (CCIC)\u003c/a\u003e for security monitoring, event management, and incident handling.\u003c/p\u003e\u003ch3\u003eComplete Tier 1–3 artifacts\u003c/h3\u003e\u003cp\u003eAs seen in the Initiate Phase, all systems require Tier 1 artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine the documentation required for their system and upload it to CFACTS.\u003c/p\u003e\u003ch3\u003eReview for assessment readiness\u003c/h3\u003e\u003cp\u003eOnce all controls, artifacts, and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessing and testing a new system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssessments and tests are conducted to ensure that the new system has implemented necessary security controls and meets CMS requirements. 
If the results show any unacceptable weaknesses in the system, the team will need to mitigate them before continuing the process to request ATO.\u003c/p\u003e\u003ch3\u003eSchedule tests promptly\u003c/h3\u003e\u003cp\u003eThe ISSO and project team will set the timing for the required \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e (or, alternatively, a \u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e). The ISSO reaches out to the PenTest Team and the CSRAP team to schedule the tests. \u003cstrong\u003eAs the team works, the timeline and schedule should be shared with the CRA\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003eConduct Penetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing (or PenTesting)\u003c/a\u003e helps determine the security of a system by attempting to exploit vulnerabilities. It mimics real-world scenarios to see if bad actors will be able to penetrate the system and cause harm to organizations or individuals.\u003c/p\u003e\u003cp\u003eThe ISSO and project team work with a PenTest coordinator to schedule and conduct the test. To avoid delays,\u003cstrong\u003e the pen test should be requested at least 3 months before the ATO deadline\u003c/strong\u003e. \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003eLearn all about PenTesting here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eAfter the test, the PenTest team will notify the project team of any issues, which must be mitigated within 25 days. 
If the issue can’t be resolved in 25 days, the team must create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e to manage it.\u003c/p\u003e\u003cp\u003eFinalized results from Penetration Testing are uploaded as a CAAT spreadsheet into CFACTS, and all parties (including the CISO team) are notified that the results are complete and available.\u003c/p\u003e\u003ch3\u003eConduct the Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with controls (which are still important), CSRAP facilitates and encourages risk-based decision making.\u003c/p\u003e\u003cp\u003eCSRAP focuses on the core controls that pose the highest risk to CMS and defines mission-oriented security objectives. CSRAP reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eLearn all about CSRAP here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eTo fulfill the CSRAP requirement, the ISSO works with the CSRAP team and project team to create and complete an assessment plan. \u003cstrong\u003eTo avoid delays, this assessment should be scheduled at least 3 months before the ATO deadline\u003c/strong\u003e. 
Once the CSRAP is complete, the CSRAP Final Package will be uploaded to CFACTS.\u003c/p\u003e\u003ch3\u003eCheck for 508 compliance\u003c/h3\u003e\u003cp\u003eWhile it is not an explicit requirement for ATO, accessibility is an important consideration for all project teams at CMS. \u003ca href=\"https://www.section508.gov/\"\u003eSection 508\u003c/a\u003e of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development, and deployment. \u003ca href=\"https://www.section508.gov/develop/\"\u003eSome 508 resources from GSA can be found here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eManage identified risks with POA\u0026amp;Ms\u003c/h3\u003e\u003cp\u003eAll information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and CSRAP assessment identify risks, the ISSO will work with the project team and CRA to create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003ePlan of Action and Milestones (POA\u0026amp;Ms) are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA\u0026amp;Ms to track and mitigate findings from assessments and audits. The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA\u0026amp;Ms. 
Learn all about managing POA\u0026amp;Ms in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS POA\u0026amp;M Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWith all documentation and assessments completed and uploaded to CFACTS, the ISSO can now request ATO certification. The ISSO submits the \u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO review and certification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including \u003ca href=\"https://www.fedramp.gov/\"\u003eFedRAMP\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system now officially has an ATO – “the authority to operate decision that culminates from the security authorization process of an information technology system in the U.S. federal government”. With a completed and approved ATO, the system moves into the Operate phase of its life cycle.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOperate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operate phase is what we think of as normal business operations. The system runs in a production environment, and the team does normal upgrades, enhancements and maintenance. 
The system is being used to achieve the business objectives stated in the Initiate phase.\u003c/p\u003e\u003cp\u003eTo remain compliant with the Authority to Operate (ATO), the Business Owner maintains the Target Life Cycle (TLC) System Profile with every production release. Annual security requirements such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound.\u003c/p\u003e\u003cp\u003eThe following maintenance issues must be supported throughout this phase:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrades\u003c/li\u003e\u003cli\u003eSystem software patches\u003c/li\u003e\u003cli\u003eHardware upgrades\u003c/li\u003e\u003cli\u003eModifications to interfaces with other systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring the Operate Phase the project team works with the Information System Security Officer (ISSO) to maintain current documentation and to support periodic reviews and audits. The inability to produce current documentation may impact a system’s ATO.\u003c/p\u003e\u003ch3\u003eConduct annual assessments\u003c/h3\u003e\u003cp\u003eEach system undergoes annual assessments and maintenance throughout their life cycle to ensure compliance with its ATO and identify potential vulnerabilities. 
These typically include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdating core documentation\u003c/li\u003e\u003cli\u003eUpdating the \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eConducting a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often in the form of a Tabletop Exercise)\u003c/li\u003e\u003cli\u003eUndergoing \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAddressing and closing any \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eAssessing controls\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRequest re-authorization\u003c/h3\u003e\u003cp\u003eEvery three years, a system's ATO is assessed for re-authorization. Much like the annual assessments, this includes a review of a subset of system controls and POA\u0026amp;Ms. Once the review is completed, the ISSO and Business Owner submit an ATO request form proving that all testing has been completed. ISPG then reviews the request form and renews the system authorization.\u003c/p\u003e\u003ch3\u003eUpdate ATO if system changes\u003c/h3\u003e\u003cp\u003eA significant change to a system can require an update to its ATO. A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system (see \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\"\u003eNIST SP 800-37\u003c/a\u003e for more information). 
This includes upgraded hardware or applications, changes in the information collected by the system or how the information is handled, changes to system ports or services, and more.\u003c/p\u003e\u003cp\u003eIf a system is undergoing a significant update, the Business Owner checks with the ISSO to see if an authorization change will be necessary. The ISSO completes a Security Impact Analysis (SIA). If it is determined that the update will not impact system security, the change is determined to be minor. In this case the only action is to update any relevant documentation in CFACTS.\u003c/p\u003e\u003cp\u003eIf the update is determined to be a significant change, the system could require a new ATO. In this case, the ISSO works with the BO and team to complete a new intake form.\u003c/p\u003e\u003ch3\u003eResolve cyber risk events\u003c/h3\u003e\u003cp\u003eAs more activities move online and to the cloud, the chance of cyber attacks and other risks goes up. If a risk event is identified, the ISSO and team must work quickly and collaboratively to isolate and resolve it. The ISSO must open an incident response ticket with the IT service desk to start an investigation. (This is done in \u003ca href=\"https://cmsitsm.servicenowservices.com/connect\"\u003eServiceNOW\u003c/a\u003e). They will execute the CMS incident management lifecycle process to address any actual or false positive events.\u003c/p\u003e\u003cp\u003eOnce the risk is under control, system security should be reviewed and updated to lower the chances of the risk recurring in the future. The updates must be tested to ensure they both remediated the risk and that they haven't negatively impacted any other systems. 
\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eLearn more about Incident Response here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system continues to operate – undergoing assessment, reassessment, and change management – through the end of its contract or useful life. Once it reaches either of these milestones, the system transitions to the Retirement phase.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRetire\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA system moves to the Retire phase once it reaches the end of its useful life or the end of its contract. At this point, the decision is made to shut it down through a managed process outlined in the System Disposition Checklist. This ensures compliance with federal guidelines when retiring a government IT system. There are many aspects to consider, including the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRecords retention\u003c/li\u003e\u003cli\u003eInformation security\u003c/li\u003e\u003cli\u003eInvestment close-out procedures\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Business Owner (BO) and Information System Security Officer (ISSO) conduct a thorough planning process to define all tasks to decommission the system. There are several documents that must be completed by the ISSO and Project team and signed by the BO and/or the ISSO.\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Disposition Checklist\u003c/li\u003e\u003cli\u003eSystem Disposition Plan\u003c/li\u003e\u003cli\u003eSystem Retirement Memo\u003c/li\u003e\u003cli\u003eCertificate of Destructions\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAny remaining activities must be transitioned to a different process or system. All contracts are closed and data is archived according to the System of Record Notice (SORN) or other guidelines. 
Any remaining hardware must be disposed of according to federal best practices.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTypes of authorizations\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery system that is integrated at CMS—either built in-house or contracted—must get a compliance authorization to operate and access government data. This ensures that the agency is aware of all components interacting with its data, and that each system can be monitored for compliance and risk mitigation. This helps safeguard sensitive personal information, manage the risk to critical infrastructure, and address cybersecurity issues when they arise.\u003c/p\u003e\u003cp\u003eIf you are introducing a new system at CMS, you must go through the security and compliance process.\u003c/p\u003e\u003cp\u003eCMS recognizes that every system is unique and that a one-size-fits-all approach won’t work. There are several different types of compliance authorizations provided by CMS to manage agency-wide risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthority to Operate (ATO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs explained above, the Authority to Operate (ATO) is awarded by the CMS Authorization Official (AO) to systems that meet requisite security requirements. Typically, ATOs grant a system compliance for three years, although there are circumstances where CMS will authorize a system for a shorter period of time (see more information about this below).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should ATO be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInformation systems that intend to operate for three years or more are required to get an ATO. 
This includes projects that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore, process, and distribute Personally Identifiable Information (PII), Personal Health Information (PHI), or other sensitive information\u003c/li\u003e\u003cli\u003eHave been reviewed and approved through the existing CMS governance process (EASi)\u003c/li\u003e\u003cli\u003eHave funding and contracting vehicles to develop, implement and maintain a FISMA information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eLearn more about the process and requirements for ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eGetting authorization for a system to operate through \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization (OA)\u003c/a\u003e is a new initiative at CMS. Its goal is to fundamentally change authorization and compliance from reactive evaluation to proactive, ongoing monitoring. Rather than subjecting project teams to the current 3-year compliance cycle, the OA approach provides real-time data about a system’s security posture.\u003c/p\u003e\u003cp\u003eOA is equivalent to ATO in that it gives systems the authorization to operate, but it’s done through automation and continuous assessment of risk, instead of through documentation-heavy compliance processes. This reduces the load on Business Owners, ISSOs, and project teams – while providing CMS a clearer picture of its risk level at any given moment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should OA be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools. 
Additionally, all \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/ongoing-authorization\"\u003eLearn more about the process and requirements for OA.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRe-authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA system may need to be reassessed and re-authorized if the application team is planning to make significant changes. When changes to a system are being planned, the team completes a \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis (SIA)\u003c/a\u003e to determine how the changes will impact the system’s security and ATO.\u003c/p\u003e\u003cp\u003eIf the change is significant and the analysis reveals that re-authorization is necessary, the team schedules a CSRAP assessment to determine if there are any potential findings (risks). If there are findings, the team works to mitigate them. 
Once findings are mitigated to an acceptable level, the Cyber Risk Advisor (CRA) presents the case for the re-authorization to the Business Owner for a new ATO letter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should re-authorization be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eChanges to a system that are considered “significant” and may require re-authorization include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem security boundary\u003c/li\u003e\u003cli\u003eEncryption methodologies\u003c/li\u003e\u003cli\u003eAdministrative functionality within the application\u003c/li\u003e\u003cli\u003eThe kinds of information stored (for example, PII)\u003c/li\u003e\u003cli\u003eThe external services used or how/what data flows to/from them\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eExample changes that \u003cstrong\u003edo not require re-authorization\u003c/strong\u003e, as long as they don’t include the above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFeatures and functionality\u003c/li\u003e\u003cli\u003eBug fixes\u003c/li\u003e\u003cli\u003eInterface changes\u003c/li\u003e\u003cli\u003eDocumentation updates\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eATO stakeholders\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe process of gaining and maintaining Authorization to Operate (ATO) involves many stakeholders across the organization. It’s important for each person or group to understand their responsibilities and to communicate clearly with other stakeholders during the process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy. 
From setting policy and guidance to approving Authorizations to Operate (ATOs), the CISO drives information security at CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements\u003c/li\u003e\u003cli\u003eDelegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process\u003c/li\u003e\u003cli\u003eApprove ISSO appointments from the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with stakeholders to ensure compliance with control family requirements\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of flagged systems until the AO orders reconnection\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Continuous Tracking System (CFACTS). 
They act as the subject matter expert in all areas of the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework (RMF)\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eEvaluate and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the Authorizing Official (AO)\u003c/li\u003e\u003cli\u003eHelp ensure that all requirements of the CMS ARS and \u003ca href=\"/learn/cms-security-and-privacy-handbooks\"\u003ethe procedures of the Risk Management Handbook (RMH) \u003c/a\u003eare implemented\u003c/li\u003e\u003cli\u003eParticipate in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs based on security, functionality, and cost\u003c/li\u003e\u003cli\u003eFor each system, coordinate with Data Guardian, System Owner, Business Owner, and ISSO to identify types of information processed, assign security categorizations, and manage information security and privacy risk\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC and results are considered during the development phase\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed information security and privacy artifacts to make recommendations to the ISSO\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. 
BOs are not expected to be technical or security experts, but their participation and collaboration is critical to the success of the ATO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDuring an ATO, the BO works closely with technical and security stakeholders – particularly the ISSO – to ensure that the data and information in their system is properly documented and managed. Working with their team, the BO’s responsibilities include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDocument and Protect PII and PHI\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf\"\u003eCMS Policy for IT Investment Management \u0026amp; Governance\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI\u003cul\u003e\u003cli\u003eEnsure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information system\u003c/li\u003e\u003cli\u003eDetermine information security and privacy impacts and manage risks\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the Senior Official for Privacy to ensure appropriate information security and privacy contracting language from relevant sources is included in each IT contract. 
Relevant sources must include, but are not limited to:\u003cul\u003e\u003cli\u003eHHS Office of the Assistant Secretary for Financial Resources (ASFR)\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eManage CMS Data Privacy and Security\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwn and manage access to the information stored, processed, or transmitted in the system\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems\u003c/li\u003e\u003cli\u003eVerify that CMS programs and systems only disclose the minimum data necessary\u003c/li\u003e\u003cli\u003eConfirm adequate security and privacy controls are in place to protect CMS systems\u003c/li\u003e\u003cli\u003ePrepare \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessments (PIAs)\u003c/a\u003e for programs or systems with the direction from the CRA\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and help determine the appropriate action to make notification of privacy breaches and reporting, monitoring, tracking, and closure of incidents\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. 
They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process.\u003c/p\u003e\u003cp\u003eAn ISSO’s role in the ATO process – which overlaps with many ongoing duties related to system security – is outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eISSO Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Developer\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e, and the DevSecOps support team to help project teams build successful DevSecOps platforms and secure system ecosystems.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCreate, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:\u003cul\u003e\u003cli\u003eIntegrate requirements effectively into IT products and systems\u003c/li\u003e\u003cli\u003eEnsure requirements are adequately planned and addressed in all aspects of system architecture\u003c/li\u003e\u003cli\u003eIntegrate and deploy automated information security and privacy capabilities (as required)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISSO to identify the necessary information security and privacy controls for the system\u003c/li\u003e\u003cli\u003eFollow the CMS System Development Life Cycle (SDLC) in developing and 
maintaining a system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among the system's features and information security and privacy safeguards\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003ca href=\"https://www.cms.gov/tra/Home/Home.htm\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the Risk Management Framework tasks listed in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final\"\u003eNIST SP 800-37\u003c/a\u003e and the CMS Risk Management Handbook\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes it was originally collected\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssessor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial, which means they are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems under assessment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssessors work with the ISSO and CRA to validate and verify that a system’s documented controls work. They use assessment cases to test the system. 
The process typically involves the following steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set\u003c/li\u003e\u003cli\u003eThe CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled\u003c/li\u003e\u003cli\u003eAt least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS\u003c/li\u003e\u003cli\u003eThe assessment begins once the funds are verified as available via the CAMS\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthorizing Official (AO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe AO is responsible for the overall impact categorization and risk acceptance. They determine if the risk of operating the system is acceptable, and if so, issue an Authority to Operate (ATO) for that system. They often designate this responsibility to one or more other people. At most federal agencies this role is performed by the Chief Information Officer (CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Tester (PenTester)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePenTesters test the security of a system by attempting to exploit vulnerabilities. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
After the test, a findings report is produced. At CMS, this service is offered and funded by the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003eLearn more about CMS PenTesting here.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram / Project Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThose who are trying to build/launch the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Architecture and Data Group (EA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. It helps project teams determine if there is a need to build a new system, and to work through the IT governance process.\u003c/p\u003e\u003cp\u003eThe GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. 
Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"cc:Tc210,"])</script><script>self.__next_f.push([1,"\u003ch2\u003e\u003cstrong\u003eInitiate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eWhen a business need prompts the idea for a new system (or significant enhancements to a system) at CMS, the Business Owner and other key stakeholders must follow a governance process that makes use of existing resources and ensures the security of CMS information and systems. The first steps of the Initiate phase include documenting the business need and determining if a new system actually needs to be developed.\u003c/p\u003e\u003ch3\u003eDocument the business need\u003c/h3\u003e\u003cp\u003eAll new business needs and material changes to existing systems must be documented in the Initiate phase. During this period, the Business Owner will talk with knowledgeable stakeholders to learn about CMS infrastructure and existing assets. Together they will define and document the general business need or desired enhancement and explore solution options. 
These stakeholders often include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation Security and Privacy Group (ISPG)\u003c/li\u003e\u003cli\u003eOffice of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003cli\u003eGovernance Review Team (GRT)\u003c/li\u003e\u003cli\u003eGovernance Review Board (GRB)\u003c/li\u003e\u003cli\u003eOffice of Information Technology (OIT) Navigators\u003c/li\u003e\u003cli\u003eEnterprise Architecture (EA) Team\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003cli\u003eOffice of Financial Management (OFM)\u003c/li\u003e\u003cli\u003eSection 508 Team\u003c/li\u003e\u003cli\u003eVarious Subject Matter Experts (SMEs)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eConsider existing options\u003c/h3\u003e\u003cp\u003eAn important step in the governance process is to consider existing solution options at CMS to determine whether a new system is indeed necessary. In particular, \u003ca href=\"/learn/cms-cloud-services\"\u003e\u003cstrong\u003ecloud computing options\u003c/strong\u003e\u003c/a\u003e should be considered, such as Platform-as-a-Service (PaaS), \u003ca href=\"/learn/saas-governance-saasg\"\u003eSoftware-as-a-Service (SaaS)\u003c/a\u003e, and Infrastructure-as-a-Service (IaaS). CMS has a variety of cloud offerings available that help save time and money on development, compliance, and security. If an existing solution at CMS or HHS can be leveraged, there is no reason to duplicate efforts by developing a new system.\u003c/p\u003e\u003ch3\u003eDecide to proceed with a new system\u003c/h3\u003e\u003cp\u003eIf no solution exists to meet the need, the Business Owner and stakeholders will move forward with the governance process for a new system, receive a Life Cycle ID, and then follow the ATO process. The governance team can help the Business Owner with basic funding and contracting needs. 
ISPG leadership assigns a Cyber Risk Advisor (CRA) based on the CMS component organization the system will fall under, and the Business Owner appoints an Information System Security Officer (ISSO). ISPG also assigns a Privacy SME to each project to support privacy related considerations.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGetting started\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eOnce the decision is made to develop a new system, intake and other foundational activities will start. This phase requires meetings with various groups across CMS to ensure that resources are used efficiently, governance processes are followed, and security requirements are met.\u003c/p\u003e\u003ch4\u003eDetermine a hosting solution\u003c/h4\u003e\u003cp\u003eIt is important to decide on the primary hosting location for the solution. Hosting the solution within CMS – for example, using \u003ca href=\"/learn/cms-cloud-services\"\u003eCMS Cloud Services\u003c/a\u003e – instead of using vendor provided hosting locations is much preferred. Leveraging CMS hosting allows the team to access a wide variety of services from CMS. This saves time and money on compliance, so they don't have to worry about reducing cost on implementation to stay on budget. This should be the primary goal at this point in the process.\u003c/p\u003e\u003ch4\u003eComplete Appendix A\u003c/h4\u003e\u003cp\u003eTo ensure that the contract for developing a new system includes the appropriate security measures, the system stakeholders (such as the Business Owner, Privacy SME, ISSO, and CRA) must complete the document \u003ca href=\"https://security.cms.gov/learn/security-and-privacy-requirements-it-procurements\"\u003eCMS Security and Privacy Requirements for IT Procurements\u003c/a\u003e. These standards help government agencies protect all of their assets from security threats and privacy risks, especially when the assets will be managed by third-party organizations. 
Part of this process includes completing \"Appendix A\" of this document, which is signed by the CMS Chief Information Security Officer (CISO) and the CMS Senior Official for Privacy (SOP).\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/InformationSecurity/Info-Security-Library-Items/CMS-Security-and-Privacy-Language-for-Procurements\"\u003eLearn more about security and privacy requirements for CMS technology procurements here.\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eComplete EASi intake form\u003c/h4\u003e\u003cp\u003eIf you decide to create a new solution at CMS, the \u003ca href=\"https://impl.easi.cms.gov/\"\u003eEasy Access to System Information (EASi)\u003c/a\u003e system helps you get started by automating the governance process and connecting you and your contract to funding at CMS. The Business Owner submits an intake form in EASi to start the governance process and get a Life Cycle ID for their system. This is required for every CMS system, and key to securing funding for a new project.\u003c/p\u003e\u003ch4\u003eConsult with Governance Review Team (GRT)\u003c/h4\u003e\u003cp\u003eSubmitting the intake form engages the Governance Review Team (GRT), who works with the Business Owner, the Enterprise Architecture (EA) team, and SMEs to create a business case for their system. The resulting case includes pros, cons, and alternative options. If the Business Owner decides to move forward with pursuing an ATO for a new system, this iterative and collaborative process should result in a strong business case to present to the Governance Review Board (GRB).\u003c/p\u003e\u003ch4\u003ePresent to the Governance Review Board (GRB)\u003c/h4\u003e\u003cp\u003eOnce they have settled on a direction for their system, the Business Owner and/or their Navigator present their case. 
The presentation is reviewed by relevant SMEs followed by the GRB itself, which issues an assessment and provides one or more options for the Business Owner to pursue.\u003c/p\u003e\u003ch4\u003eComplete Enterprise Architecture Activities\u003c/h4\u003e\u003cp\u003eOnce the Business Owner selects their chosen path forward, they will work with Enterprise Architecture (EA) to complete a Core System Information Form. EA will then issue a Universally Unique Identifier (UUID), which allows the project to be entered into the \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e. The Life Cycle ID and UUID will remain associated with the project for the duration of its life cycle.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCreating an Authorization Package\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAfter the initial consultations and intake processes, the focus turns to Assessment and Authorization activities – the security-related steps required for ATO. An Authorization Package is the collection of documentation put together by the Business Owner and their team to prove that the system has been designed, built, tested, assessed, and categorized appropriately to meet ATO requirements.\u003c/p\u003e\u003cp\u003eAs you might imagine, collecting and submitting all required information can take a lot of time and resources. To avoid delays in your development process, it is important to start collecting your system documentation as soon as possible.\u003c/p\u003e\u003ch4\u003eUse CFACTS to track compliance\u003c/h4\u003e\u003cp\u003eThe \u003ca href=\"https://cfacts.cms.gov/apps/ArcherApp/Home.aspx\"\u003eCMS FISMA Continuous Tracking System (CFACTS)\u003c/a\u003e is the tool used to track and manage the security and compliance of all CMS systems. Upon receipt of the UUID from Enterprise Architecture, ISPG enters the new system into CFACTS. 
To access CFACTS, each user will need the CFACTS_USER_P job code from CMS. From this point on, the Business Owner and their team work together with various stakeholders to complete the required ATO documentation in CFACTS. Once all the documentation is compiled, the ISSO submits the \u003cstrong\u003eCMS System ATO Request Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch4\u003eCompile Tier 1 Documentation\u003c/h4\u003e\u003cp\u003eThe specific documents required are based on many factors and vary from system to system, but all projects should expect to provide the following Tier 1 Documentation:\u003c/p\u003e\u003cul\u003e\u003cli\u003e\u003ca href=\"/learn/system-security-and-privacy-plan-sspp\"\u003eSystem Security and Privacy Plan (SSPP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/cms-information-system-risk-assessment-isra\"\u003eInformation Security Risk Assessment (ISRA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessment (PIA)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often called Tabletop Exercise)\u003c/li\u003e\u003c/ul\u003e\u003ch4\u003eCompile additional documentation\u003c/h4\u003e\u003cp\u003eAdditional documentation that is often required includes:\u003c/p\u003e\u003cul\u003e\u003cli\u003eProject management personnel and policies\u003c/li\u003e\u003cli\u003eSecurity and privacy documentation\u003c/li\u003e\u003cli\u003eRisk assessment and 
abatement\u003c/li\u003e\u003cli\u003eArchitecture diagrams\u003c/li\u003e\u003cli\u003eHardware and software inventories\u003c/li\u003e\u003cli\u003eVulnerability scanning documentation\u003c/li\u003e\u003cli\u003eOpen \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action \u0026amp; Milestones (PO\u0026amp;AMs)\u003c/a\u003e\u003c/li\u003e\u003cli\u003e\u003ca href=\"/learn/isso-appointment-letter\"\u003eISSO Appointment Letter\u003c/a\u003e\u003c/li\u003e\u003cli\u003eTRB Letter\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-5-configuration-management-cm\"\u003eConfiguration Management\u003c/a\u003e\u003c/li\u003e\u003cli\u003eBaseline security configurations\u003c/li\u003e\u003cli\u003eConfiguration compliance audits policies\u003c/li\u003e\u003cli\u003eMaintenance and update policies\u003c/li\u003e\u003cli\u003eCompliance monitoring tool output\u003c/li\u003e\u003cli\u003eMalware protection\u003c/li\u003e\u003cli\u003eUser ID conventions, group membership, and information system accounts for each component\u003c/li\u003e\u003cli\u003e\u003ca href=\"https://security.cms.gov/learn/system-audits\"\u003eAudit documentation\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSystem procedures manual\u003c/li\u003e\u003cli\u003eJob descriptions and personnel policies\u003c/li\u003e\u003cli\u003ePhysical access and remote work policies\u003c/li\u003e\u003cli\u003eData Use and Service Level Agreements\u003c/li\u003e\u003cli\u003eSource code\u003c/li\u003e\u003cli\u003eAnd others\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCategorization, boundary, and controls\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eDuring the documentation process described above, the team will add all required information into CFACTS and work together to categorize the system, document the system boundary, and assign appropriate security controls. 
These activities formally define what kind of information the system handles, the level of risk associated with the system, and what kind of controls are necessary to manage that risk.\u003c/p\u003e\u003ch4\u003eCategorize the system\u003c/h4\u003e\u003cp\u003e“System categorization” is a required step for every information system with an ATO. The team will classify the system into one of three levels that represent the potential impact to organizations and individuals in the case of a security breach.\u003c/p\u003e\u003cp\u003eAt the end of this process, the system will be categorized as either High, Moderate, or Low risk according to the \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.199.pdf\"\u003eFederal Information Processing Standards (FIPS) Publication 199\u003c/a\u003e. This will determine the required controls. In particular, this will also determine whether the system should be classified as a High Value Asset (HVA) System. HVAs require additional security measures due to their unique risks.\u003c/p\u003e\u003ch4\u003eDocument the system boundary\u003c/h4\u003e\u003cp\u003eNext, the team will document the system architecture, components and boundary in CFACTS. The boundary separates what is part of the system from what is not. It is documented through network diagrams, hardware / software inventories, and narrative explanation.\u003c/p\u003e\u003cp\u003eIncluding a good boundary diagram makes assessments easier and expedites the ATO process. 
It should include information about what your team is directly responsible for building and maintaining – in addition to anything your system is connected to (or utilizing) that someone else is responsible for building and maintaining.\u003c/p\u003e\u003cp\u003eA boundary diagram should:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInclude CMS shared services and how they connect to your system\u003c/li\u003e\u003cli\u003eShow proxy - URL Filtering and whitelisting outbound traffic\u003c/li\u003e\u003cli\u003eSeparate S3 buckets for each Subnet\u003c/li\u003e\u003cli\u003eDisplay zonal VRF between VDCs and AWS\u003c/li\u003e\u003cli\u003eInclude API Consumers internal access path(s)\u003c/li\u003e\u003cli\u003eDepict all AWS Services being used\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eIf your team has questions about this, email the Technical Review Board at \u003ca href=\"mailto:cms-trb@cms.hhs.gov\"\u003ecms-trb@cms.hhs.gov\u003c/a\u003e\u003c/p\u003e\u003ch4\u003eAssign a control baseline\u003c/h4\u003e\u003cp\u003eBased on the impact categorization from the information provided, the system is assigned a baseline of controls—Low, Moderate, or High. These controls follow the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e, which are the standards and controls for information security and privacy applied to CMS systems to mitigate risk. The ISSO and project team will provide implementation details for each control in CFACTS. This often includes some back-and-forth between the development team, the ISSO, and the CRA as the artifacts are reviewed and accepted.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eDevelop and Assess\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThis phase is when the system is actually being designed, built, and deployed – using the requirements and user stories that will ensure the system meets business needs. 
At this point the system will be in a non-production environment, meaning it is not being formally used for its intended purpose yet (and is not publicly available).\u003c/p\u003e\u003cp\u003eThen the system must be assessed for security and compliance with CMS standards. This includes documenting and implementing all necessary controls, finalizing required artifacts and supplemental documentation, and completing testing and assessments. When all these steps are complete and documented, the system will ideally be granted an ATO so it can begin operating.\u003c/p\u003e\u003cp\u003eThere are some key steps to keep in mind as the new system enters the Develop and Assess phase.\u003c/p\u003e\u003ch3\u003eEstablish stakeholder communications\u003c/h3\u003e\u003cp\u003eThis part of the system life cycle is document-heavy and requires input from many stakeholders. To minimize costly delays, each project should have a communication plan in place to ensure all parties are in the loop throughout the process. The plan should include all relevant points of contact, including:\u003c/p\u003e\u003cul\u003e\u003cli\u003eInformation System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003eISSO Contracting Support (ISSOCS)\u003c/li\u003e\u003cli\u003eCyber Risk Advisor (CRA)\u003c/li\u003e\u003cli\u003eBusiness Owner (BO)\u003c/li\u003e\u003cli\u003ePenetration (Pen) Test Coordinator\u003c/li\u003e\u003cli\u003eCybersecurity and Risk Assessment Program (CSRAP) team (within ISPG)\u003c/li\u003e\u003cli\u003eSystem Developer and Maintainer (SDM)\u003c/li\u003e\u003cli\u003ePrivacy Subject Matter Expert (PSME)\u003c/li\u003e\u003cli\u003eTechnical Review Board (TRB)\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eDesign, develop, and deploy\u003c/h3\u003e\u003cp\u003eDesign and development is managed by the Business Owner (BO) and project team. 
The \u003ca href=\"https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/tlc\"\u003eCMS Target Life Cycle\u003c/a\u003e requires only a small set of artifacts, and specific methodologies are determined by the BO and team. All initiatives should follow best practices in development and Program Management. Typically, the project team will work with the CMS Cloud Services team to provision the different environments – such as development, implementation, and production. \u003cstrong\u003eAs the system is developed, the project team should also move forward with documentation and other compliance activities\u003c/strong\u003e.\u003c/p\u003e\u003cp\u003eOnce the system is designed and developed, it is deployed in a non-production environment and tested for compliance with requirements and CMS standards. In order to become production ready, everything must comply with CMS \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/CIO-IT-Policy-Library-Items/Online-TRA\"\u003eTechnical Reference Architecture (TRA)\u003c/a\u003e and meet the security, privacy, and accessibility standards outlined in the \u003ca href=\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"\u003eCMS Acceptable Risk Safeguards (ARS)\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eDefine the accreditation boundary\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://csrc.nist.gov/glossary/term/accreditation_boundary\"\u003eaccreditation boundary\u003c/a\u003e describes all components of an information system to be accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected. So it defines exactly what components and assets the ATO will cover.\u003c/p\u003e\u003cp\u003eWhen defining the accreditation boundary, assets are provided and supported by the CMS cloud service provider. 
Additionally, the Application Development Organization (ADO) – often a contractor – provides and supports components. Each project team is responsible for maintaining those assets within the accreditation boundary.\u003c/p\u003e\u003cp\u003eThe ISSO works with the project team to define the boundary according to the three-tier architecture set by the CMS Technical Review Board (TRB). If the system is hosted in the CMS Amazon Web Service (AWS) cloud GSS, it can access and use approved templates to simplify the process.\u003c/p\u003e\u003ch3\u003eImplement controls\u003c/h3\u003e\u003cp\u003eThe accreditation boundary creates an inventory of all system components that will require security controls. A system may be able to inherit controls based on its hosting, platform, data center, and other variables, which can greatly ease the process. With the boundary established, the ISSO will start documenting all ARS security controls in CFACTS, starting with any inheritable controls available.\u003c/p\u003e\u003cp\u003eImplementing controls often involves conversations between the ISSO and project team, especially technical stakeholders, as well as a CRA. To minimize back-and-forth, all relevant stakeholders should be engaged and prepared to participate.\u003c/p\u003e\u003ch3\u003eConduct a system test\u003c/h3\u003e\u003cp\u003eWith all components documented and controls in CFACTS, it’s time for a system test. The purpose of a system test is to evaluate the end‐to‐end system specifications and make sure the system is working as expected. This test validates the complete and fully integrated software product, and involves the full project team.\u003c/p\u003e\u003ch3\u003eStart continuous monitoring\u003c/h3\u003e\u003cp\u003eThe \u003ca href=\"https://www.cisa.gov/\"\u003eCybersecurity and Infrastructure Security Agency (CISA)\u003c/a\u003e works with partners across government and the private sector to secure national infrastructure. 
A big part of this effort – the \u003ca href=\"https://security.cms.gov/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e program – is strengthening the cybersecurity of federal networks and systems.\u003c/p\u003e\u003cp\u003eAs part of the ATO process, the ISSO onboards each system to CDM in three stages:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStage 1: Engage Data Center assessment\u003c/li\u003e\u003cli\u003eStage 2: Implement and integrate required capabilities\u003c/li\u003e\u003cli\u003eStage 3: Validate and verify data\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe system is also onboarded to the \u003ca href=\"https://security.cms.gov/learn/cms-cloud-services\"\u003eCMS Cloud\u003c/a\u003e Environment for cloud hosting (if applicable), and the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Operations Center (CCIC)\u003c/a\u003e for security monitoring, event management, and incident handling.\u003c/p\u003e\u003ch3\u003eComplete Tier 1–3 artifacts\u003c/h3\u003e\u003cp\u003eAs seen in the Initiate Phase, all systems require Tier 1 artifacts. Based on the boundary and controls, they may also require additional documentation. The project team should work with their ISSO and CRA to determine the documentation required for their system and upload it to CFACTS.\u003c/p\u003e\u003ch3\u003eReview for assessment readiness\u003c/h3\u003e\u003cp\u003eOnce all controls, artifacts, and additional documentation are in CFACTS, the ISSO and project team will review the information before the project formally moves to the assessment phase.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAssessing and testing a new system\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAssessments and tests are conducted to ensure that the new system has implemented necessary security controls and meets CMS requirements. 
If the results show any unacceptable weaknesses in the system, the team will need to mitigate them before continuing the process to request ATO.\u003c/p\u003e\u003ch3\u003eSchedule tests promptly\u003c/h3\u003e\u003cp\u003eThe ISSO and project team will set the timing for the required \u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing\u003c/a\u003e and \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e (or, alternatively, a \u003ca href=\"/learn/security-controls-assessment-sca\"\u003eSecurity Controls Assessment\u003c/a\u003e). The ISSO reaches out to the PenTest Team and the CSRAP team to schedule the tests. \u003cstrong\u003eAs the team works, the timeline and schedule should be shared with the CRA\u003c/strong\u003e.\u003c/p\u003e\u003ch3\u003eConduct Penetration Testing\u003c/h3\u003e\u003cp\u003e\u003ca href=\"/learn/penetration-testing\"\u003ePenetration Testing (or PenTesting)\u003c/a\u003e helps determine the security of a system by attempting to exploit vulnerabilities. It mimics real-world scenarios to see if bad actors will be able to penetrate the system and cause harm to organizations or individuals.\u003c/p\u003e\u003cp\u003eThe ISSO and project team work with a PenTest coordinator to schedule and conduct the test. To avoid delays,\u003cstrong\u003e the pen test should be requested at least 3 months before the ATO deadline\u003c/strong\u003e. \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003eLearn all about PenTesting here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eAfter the test, the PenTest team will notify the project team of any issues, which must be mitigated within 25 days. 
If the issue can’t be resolved in 25 days, the team must create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e to manage it.\u003c/p\u003e\u003cp\u003eFinalized results from Penetration Testing are uploaded as a CAAT spreadsheet into CFACTS, and all parties (including the CISO team) are notified that the results are complete and available.\u003c/p\u003e\u003ch3\u003eConduct the Cybersecurity and Risk Assessment Program (CSRAP)\u003c/h3\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eCybersecurity and Risk Assessment Program (CSRAP)\u003c/a\u003e was created to improve the Security Controls Assessment (SCA) process by introducing risk-based security assessment for CMS systems. Instead of emphasizing technical findings and compliance with controls (which are still important), CSRAP facilitates and encourages risk-based decision making.\u003c/p\u003e\u003cp\u003eCSRAP focuses on the core controls that pose the highest risk to CMS and defines mission-oriented security objectives. CSRAP reports incorporate plain language, relevant findings and actionable results and conclusions to aid project teams’ risk-based decision making. \u003ca href=\"https://security.cms.gov/learn/cybersecurity-risk-assessment-program-csrap\"\u003eLearn all about CSRAP here\u003c/a\u003e, including scheduling instructions.\u003c/p\u003e\u003cp\u003eTo fulfill the CSRAP requirement, the ISSO works with the CSRAP team and project team to create and complete an assessment plan. \u003cstrong\u003eTo avoid delays, this assessment should be scheduled at least 3 months before the ATO deadline\u003c/strong\u003e. 
Once the CSRAP is complete, the CSRAP Final Package will be uploaded to CFACTS.\u003c/p\u003e\u003ch3\u003eCheck for 508 compliance\u003c/h3\u003e\u003cp\u003eWhile it is not an explicit requirement for ATO, accessibility is an important consideration for all project teams at CMS. \u003ca href=\"https://www.section508.gov/\"\u003eSection 508\u003c/a\u003e of the Rehabilitation Act requires all federal systems to be accessible to people with disabilities. To ensure the system is accessible to all users, the project team should consider 508 accessibility compliance throughout design, development, and deployment. \u003ca href=\"https://www.section508.gov/develop/\"\u003eSome 508 resources from GSA can be found here\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003eManage identified risks with POA\u0026amp;Ms\u003c/h3\u003e\u003cp\u003eAll information systems include some level of risk. An ATO is designed to document and manage risk, not eliminate it. Once the PenTest and CSRAP assessment identify risks, the ISSO will work with the project team and CRA to create a \u003ca href=\"/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones (POA\u0026amp;M)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003ePlan of Action and Milestones (POA\u0026amp;Ms) are high-level statements that describe how a team will address security weaknesses identified for their system. All federal systems must document POA\u0026amp;Ms to track and mitigate findings from assessments and audits. The ISSO coordinates with the team to manage, remediate, and (if necessary) accept the risk of open POA\u0026amp;Ms. 
Learn all about managing POA\u0026amp;Ms in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-plan-action-and-milestones-poam-handbook\"\u003eCMS POA\u0026amp;M Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eWith all documentation and assessments completed and uploaded to CFACTS, the ISSO can now request ATO certification. The ISSO submits the \u003cstrong\u003eCMS System ATO Request / Re-authorization Form\u003c/strong\u003e, which is filled out and submitted within CFACTS. (This form can also be used to request \"re-authorization\" for a system that is not a new system. ATOs need to be renewed every 3 years, or when the system undergoes a major change.)\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eATO review and certification\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe complete ATO package is reviewed by the CRA, ISSO, BO and ISPG. Once approved by ISPG, the package is submitted to the CISO and CIO for final approval. Once approved by the CISO and CIO, an ATO letter is sent to the BO and ISSO. The CRA uploads the approved ATO package to CFACTS and notifies all relevant parties, including \u003ca href=\"https://www.fedramp.gov/\"\u003eFedRAMP\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system now officially has an ATO – “the authority to operate decision that culminates from the security authorization process of an information technology system in the U.S. federal government”. With a completed and approved ATO, the system moves into the Operate phase of its life cycle.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eOperate\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe Operate phase is what we think of as normal business operations. The system runs in a production environment, and the team does normal upgrades, enhancements and maintenance. 
The system is being used to achieve the business objectives stated in the Initiate phase.\u003c/p\u003e\u003cp\u003eTo remain compliant with the Authority to Operate (ATO), the Business Owner maintains the Target Life Cycle (TLC) System Profile with every production release. Annual security requirements such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound.\u003c/p\u003e\u003cp\u003eThe following maintenance issues must be supported throughout this phase:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpgrades\u003c/li\u003e\u003cli\u003eSystem software patches\u003c/li\u003e\u003cli\u003eHardware upgrades\u003c/li\u003e\u003cli\u003eModifications to interfaces with other systems\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eDuring the Operate Phase the project team works with the Information System Security Officer (ISSO) to maintain current documentation and to support periodic reviews and audits. The inability to produce current documentation may impact a system’s ATO.\u003c/p\u003e\u003ch3\u003eConduct annual assessments\u003c/h3\u003e\u003cp\u003eEach system undergoes annual assessments and maintenance throughout their life cycle to ensure compliance with its ATO and identify potential vulnerabilities. 
These typically include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eUpdating core documentation\u003c/li\u003e\u003cli\u003eUpdating the \u003ca href=\"/learn/contingency-plan\"\u003eContingency Plan (CP)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eConducting a \u003ca href=\"https://security.cms.gov/policy-guidance/cms-contingency-plan-exercise-handbook\"\u003eContingency Plan Exercise\u003c/a\u003e (often in the form of a Tabletop Exercise)\u003c/li\u003e\u003cli\u003eUndergoing \u003ca href=\"https://security.cms.gov/learn/penetration-testing-pentesting\"\u003ePenetration Testing\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAddressing and closing any \u003ca href=\"https://security.cms.gov/learn/plan-action-and-milestones-poam\"\u003ePlan of Action and Milestones\u003c/a\u003e (POA\u0026amp;Ms)\u003c/li\u003e\u003cli\u003eAssessing controls\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003eRequest re-authorization\u003c/h3\u003e\u003cp\u003eEvery three years, a system's ATO is assessed for re-authorization. Much like the annual assessments, this includes a review of a subset of system controls and POA\u0026amp;Ms. Once the review is completed, the ISSO and Business Owner submit an ATO request form proving that all testing has been completed. ISPG then reviews the request form and renews the system authorization.\u003c/p\u003e\u003ch3\u003eUpdate ATO if system changes\u003c/h3\u003e\u003cp\u003eA significant change to a system can require an update to its ATO. A significant change is defined as a change that is likely to substantively affect the security or privacy posture of a system (see \u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\"\u003eNIST SP 800-37\u003c/a\u003e for more information). 
This includes upgraded hardware or applications, changes in the information collected by the system or how the information is handled, changes to system ports or services, and more.\u003c/p\u003e\u003cp\u003eIf a system is undergoing a significant update, the Business Owner checks with the ISSO to see if an authorization change will be necessary. The ISSO completes a Security Impact Analysis (SIA). If it is determined that the update will not impact system security, the change is determined to be minor. In this case the only action is to update any relevant documentation in CFACTS.\u003c/p\u003e\u003cp\u003eIf the update is determined to be a significant change, the system could require a new ATO. In this case, the ISSO works with the BO and team to complete a new intake form.\u003c/p\u003e\u003ch3\u003eResolve cyber risk events\u003c/h3\u003e\u003cp\u003eAs more activities move online and to the cloud, the chance of cyber attacks and other risks go up. If a risk event is identified, the ISSO and team must work quickly and collaboratively to isolate and resolve it. The ISSO must open an incident response ticket with the IT service desk to start an investigation. (This is done in \u003ca href=\"https://cmsitsm.servicenowservices.com/connect\"\u003eServiceNOW\u003c/a\u003e). They will execute the CMS incident management lifecycle process to address any actual or false positive events.\u003c/p\u003e\u003cp\u003eOnce the risk is under control, system security should be reviewed and updated to lower the chances of the risk recurring in the future. The updates must be tested to ensure they both remediated the risk and that they haven't negatively impacted any other systems. 
\u003ca href=\"https://security.cms.gov/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\"\u003eLearn more about Incident Response here\u003c/a\u003e.\u003c/p\u003e\u003cp\u003eThe system continues to operate – undergoing assessment, reassessment, and change management – through the end of its contract or useful life. Once it reaches either of these milestones, the system transitions to the Retirement phase.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eRetire\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eA system moves to the Retire phase once it reaches the end of its useful life or the end of its contract. At this point, the decision is made to shut it down through a managed process outlined in the System Disposition Checklist. This ensures compliance with federal guidelines when retiring a government IT system. There are many aspects to consider, including the following:\u003c/p\u003e\u003cul\u003e\u003cli\u003eRecords retention\u003c/li\u003e\u003cli\u003eInformation security\u003c/li\u003e\u003cli\u003eInvestment close-out procedures\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eThe Business Owner (BO) and Information System Security Officer (ISSO) conduct a thorough planning process to define all tasks to decommission the system. There are several documents that must be completed by the ISSO and Project team and signed by the BO and/or the ISSO.\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem Disposition Checklist\u003c/li\u003e\u003cli\u003eSystem Disposition Plan\u003c/li\u003e\u003cli\u003eSystem Retirement Memo\u003c/li\u003e\u003cli\u003eCertificate of Destruction\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eAny remaining activities must be transitioned to a different process or system. All contracts are closed and data is archived according to the System of Records Notice (SORN) or other guidelines. 
Any remaining hardware must be disposed of according to federal best practices.\u003c/p\u003e\u003ch2\u003e\u003cstrong\u003eTypes of authorizations\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eEvery system that is integrated at CMS—either built in-house or contracted—must get a compliance authorization to operate and access government data. This ensures that the agency is aware of all components interacting with its data, and that each system can be monitored for compliance and risk mitigation. This helps safeguard sensitive personal information, manage the risk to critical infrastructure, and address cybersecurity issues when they arise.\u003c/p\u003e\u003cp\u003eIf you are introducing a new system at CMS, you must go through the security and compliance process.\u003c/p\u003e\u003cp\u003eCMS recognizes that every system is unique and that a one-size-fits-all approach won’t work. There are several different types of compliance authorizations provided by CMS to manage agency-wide risk.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eAuthority to Operate (ATO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eAs explained above, the Authority to Operate (ATO) is awarded by the CMS Authorization Official (AO) to systems that meet requisite security requirements. Typically, ATOs grant a system compliance for three years, although there are circumstances where CMS will authorize a system for a shorter period of time (see more information about this below).\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should ATO be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eInformation systems that intend to operate for three years or more are required to get an ATO. 
This includes projects that:\u003c/p\u003e\u003cul\u003e\u003cli\u003eStore, process, and distribute Personally Identifiable Information (PII), Personal Health Information (PHI), or other sensitive information\u003c/li\u003e\u003cli\u003eHave been reviewed and approved through the existing CMS governance process (EASi)\u003c/li\u003e\u003cli\u003eHave funding and contracting vehicles to develop, implement and maintain a FISMA information system\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eLearn more about the process and requirements for ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eOngoing Authorization (OA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eGetting authorization for a system to operate through \u003ca href=\"/learn/ongoing-authorization\"\u003eOngoing Authorization (OA)\u003c/a\u003e is a new initiative at CMS. Its goal is to fundamentally change authorization and compliance from reactive evaluation to proactive, ongoing monitoring. Rather than subjecting project teams to the current 3-year compliance cycle, the OA approach provides real-time data about a system’s security posture.\u003c/p\u003e\u003cp\u003eOA is equivalent to ATO in that it gives systems the authorization to operate, but it’s done through automation and continuous assessment of risk, instead of through documentation-heavy compliance processes. This reduces the load on Business Owners, ISSOs, and project teams – while providing CMS a clearer picture of its risk level at any given moment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should OA be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eTo be eligible for OA, systems must leverage the latest control automation tools. 
Additionally, all \u003ca href=\"/learn/continuous-diagnostics-and-mitigation-cdm\"\u003eContinuous Diagnostics and Mitigation (CDM)\u003c/a\u003e tools must be implemented and tracking the system's hardware (HWAM), software (SWAM), and vulnerability (VUL).\u003c/p\u003e\u003cp\u003e\u003ca href=\"/learn/ongoing-authorization\"\u003eLearn more about the process and requirements for OA.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eRe-authorization\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eA system may need to be reassessed and re-authorized if the application team is planning to make significant changes. When changes to a system are being planned, the team completes a \u003ca href=\"/learn/security-impact-analysis-sia\"\u003eSecurity Impact Analysis (SIA)\u003c/a\u003e to determine how the changes will impact the system’s security and ATO.\u003c/p\u003e\u003cp\u003eIf the change is significant and the analysis reveals that re-authorization is necessary, the team schedules a CSRAP assessment to determine if there are any potential findings (risks). If there are findings, the team works to mitigate them. 
Once findings are mitigated to an acceptable level, the Cyber Risk Advisor (CRA) presents the case for the re-authorization to the Business Owner for a new ATO letter.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eWhen should re-authorization be used?\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eChanges to a system that are considered “significant” and may require re-authorization include:\u003c/p\u003e\u003cul\u003e\u003cli\u003eSystem security boundary\u003c/li\u003e\u003cli\u003eEncryption methodologies\u003c/li\u003e\u003cli\u003eAdministrative functionality within the application\u003c/li\u003e\u003cli\u003eThe kinds of information stored (for example, PII)\u003c/li\u003e\u003cli\u003eThe external services used or how/what data flows to/from them\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eExample changes that \u003cstrong\u003edo not require re-authorization\u003c/strong\u003e, as long as they don’t include the above:\u003c/p\u003e\u003cul\u003e\u003cli\u003eFeatures and functionality\u003c/li\u003e\u003cli\u003eBug fixes\u003c/li\u003e\u003cli\u003eInterface changes\u003c/li\u003e\u003cli\u003eDocumentation updates\u003c/li\u003e\u003c/ul\u003e\u003ch2\u003e\u003cstrong\u003eATO stakeholders\u003c/strong\u003e\u003c/h2\u003e\u003cp\u003eThe process of gaining and maintaining Authorization to Operate (ATO) involves many stakeholders across the organization. It’s important for each person or group to understand their responsibilities and to communicate clearly with other stakeholders during the process.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eChief Information Security Officer (CISO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CISO is an agency official (federal government employee). They carry out the Chief Information Officer’s (CIO) information security responsibilities under federal requirements in conjunction with the Senior Official for Privacy. 
From setting policy and guidance to approving Authorizations to Operate (ATOs), the CISO drives information security at CMS.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eDefine information security and privacy control requirements\u003c/li\u003e\u003cli\u003eDelegate authority to approve system configuration deviations to the Cyber Risk Advisor (CRA) and Information System Security Officer (ISSO)\u003c/li\u003e\u003cli\u003ePublish an Ongoing Authorization process\u003c/li\u003e\u003cli\u003eApprove ISSO appointments from the Program Executive\u003c/li\u003e\u003cli\u003eApprove the independent security control assessment deliverables\u003c/li\u003e\u003cli\u003eCoordinate with stakeholders to ensure compliance with control family requirements\u003c/li\u003e\u003cli\u003eAuthorize the immediate disconnection or suspension of flagged systems until the AO orders reconnection\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eCyber Risk Advisor (CRA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe CRA is an agency official (federal government employee). They work with ISSOs and project teams to help ensure that projects adhere to security controls and are documented and tracked accordingly in the CMS FISMA Continuous Tracking System (CFACTS). 
They act as the subject matter expert in all areas of the \u003ca href=\"https://security.cms.gov/learn/national-institute-standards-and-technology-nist#nist-risk-management-framework-rmf\"\u003eCMS Risk Management Framework (RMF)\u003c/a\u003e.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eEvaluate and communicate the risk posture of each system to executive leadership and make risk-based recommendations to the Authorizing Official (AO)\u003c/li\u003e\u003cli\u003eHelp ensure that all requirements of the CMS ARS and \u003ca href=\"/learn/cms-security-and-privacy-handbooks\"\u003ethe procedures of the Risk Management Handbook (RMH) \u003c/a\u003eare implemented\u003c/li\u003e\u003cli\u003eParticipate in the System Development Life Cycle (SDLC) / Technical Review Board (TRB); provide requirements; and recommend design tradeoffs based on security, functionality, and cost\u003c/li\u003e\u003cli\u003eFor each system, coordinate with Data Guardian, System Owner, Business Owner, and ISSO to identify types of information processed, assign security categorizations, and manage information security and privacy risk\u003c/li\u003e\u003cli\u003eEnsure information security and privacy testing is performed throughout the SDLC and results are considered during the development phase\u003c/li\u003e\u003cli\u003eMonitor system security posture by reviewing all proposed information security and privacy artifacts to make recommendations to the ISSO\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eBusiness Owner (BO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe BO is a CMS official (federal government employee). They are Group Directors or Deputy Group Directors, and they encounter the ATO process when they are building or implementing a system to address their business needs. 
BOs are not expected to be technical or security experts, but their participation and collaboration is critical to the success of the ATO.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eDuring an ATO, the BO works closely with technical and security stakeholders – particularly the ISSO – to ensure that the data and information in their system is properly documented and managed. Working with their team, the BO’s responsibilities include:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDocument and Protect PII and PHI\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eComply with the \u003ca href=\"https://www.cms.gov/Research-Statistics-Data-and-Systems/CMS-Information-Technology/CIO-Directives-and-Policies/Downloads/POLICY_DL_InvestmentMgmt.pdf\"\u003eCMS Policy for IT Investment Management \u0026amp; Governance\u003c/a\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA and ISSO to identify the information their system processes, and document and manage any PII and PHI\u003cul\u003e\u003cli\u003eEnsure that CMS has the legal authority to conduct activities involving the collection, use, and disclosure of information\u003c/li\u003e\u003cli\u003eAssign the appropriate security categorizations to the information system\u003c/li\u003e\u003cli\u003eDetermine information security and privacy impacts and manage risks\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eWork with Contracting Officers (COs) and Contracting Officer’s Representatives (CORs) to determine the minimum necessary PII/PHI required to conduct the activity for which the agency is authorized\u003c/li\u003e\u003cli\u003eCoordinate with the COs and CORs, Data Guardian, Program/Project Manager, the CISO, and the Senior Official for Privacy to ensure appropriate information security and privacy contracting language from relevant sources is included in each IT contract. 
Relevant sources must include, but are not limited to:\u003cul\u003e\u003cli\u003eHHS Office of the Assistant Secretary for Financial Resources (ASFR)\u003c/li\u003e\u003cli\u003eHHS Office of Grants and Acquisition Policy and Accountability (OGAPA)\u003c/li\u003e\u003cli\u003eCMS Office of Acquisition and Grants Management (OAGM)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the CRA, ISSO and others to ensure compliance with the CMS ARS and the Internal Revenue Service (IRS) Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eManage CMS Data Privacy and Security\u003c/strong\u003e\u003c/p\u003e\u003cul\u003e\u003cli\u003eOwn and manage access to the information stored, processed, or transmitted in the system\u003c/li\u003e\u003cli\u003eManage and approve all use and disclosure of data from CMS programs or systems\u003c/li\u003e\u003cli\u003eVerify that CMS programs and systems only disclose the minimum data necessary\u003c/li\u003e\u003cli\u003eConfirm adequate security and privacy controls are in place to protect CMS systems\u003c/li\u003e\u003cli\u003ePrepare \u003ca href=\"/learn/privacy-impact-assessment-pia\"\u003ePrivacy Impact Assessments (PIAs)\u003c/a\u003e for programs or systems with the direction from the CRA\u003c/li\u003e\u003cli\u003eSupport the analysis of incidents involving PII and help determine the appropriate action to make notification of privacy breaches and reporting, monitoring, tracking, and closure of incidents\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eInformation System Security Officer (ISSO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe ISSO is either a CMS official (federal government employee) or a Contractor (also known as an ISSO Contract Support). They are the key connection between the BO and the CMS security apparatus. 
They work closely with the BO, the CRA and other stakeholders to move a system through the ATO process.\u003c/p\u003e\u003cp\u003eAn ISSO’s role in the ATO process – which overlaps with many ongoing duties related to system security – is outlined in the \u003ca href=\"https://security.cms.gov/policy-guidance/cms-information-system-security-officer-isso-handbook#isso-activities\"\u003eISSO Handbook\u003c/a\u003e.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Developer\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Developer must be a CMS official (federal government employee). They are responsible for providing management and oversight to the project team developing and maintaining the system. This includes working with the team to implement the security controls needed for an ATO. They work with the ISSO, project team, \u003ca href=\"https://security.cms.gov/learn/security-automation-framework-saf\"\u003eCMS Security Automation Framework (SAF)\u003c/a\u003e, and the DevSecOps support team to help project teams build successful DevSecOps platforms and secure system ecosystems.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cul\u003e\u003cli\u003eCreate, document, and implement information security- and privacy-related functional requirements to protect CMS information, systems, and processes, including:\u003cul\u003e\u003cli\u003eIntegrate requirements effectively into IT products and systems\u003c/li\u003e\u003cli\u003eEnsure requirements are adequately planned and addressed in all aspects of system architecture\u003c/li\u003e\u003cli\u003eIntegrate and deploy automated information security and privacy capabilities (as required)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eCoordinate with the ISSO to identify the necessary information security and privacy controls for the system\u003c/li\u003e\u003cli\u003eFollow the CMS System Development Life Cycle (SDLC) in developing and 
maintaining a system, including:\u003cul\u003e\u003cli\u003eUnderstand the relationships among the system's features and information security and privacy safeguards\u003c/li\u003e\u003cli\u003eEnsure all development practices comply with the \u003ca href=\"https://www.cms.gov/tra/Home/Home.htm\"\u003eCMS Technical Reference Architecture\u003c/a\u003e (TRA)\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eExecute the Risk Management Framework tasks listed in \u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final\"\u003eNIST SP 800-37\u003c/a\u003e and the CMS Risk Management Handbook\u003c/li\u003e\u003cli\u003eEnsure CMS systems or applications that share data for any purpose are capable of extracting data by pre-approved categories\u003c/li\u003e\u003cli\u003eShare only the minimum PII from CMS systems and applications that is necessary and relevant for the purposes for which it was originally collected\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAssessor\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Assessor sits on the CMS security team and is responsible for checking the compliance of systems. Assessors must be independent and impartial, which means they are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the information systems under assessment.\u003c/p\u003e\u003ch4\u003e\u003cstrong\u003eResponsibilities related to ATO\u003c/strong\u003e\u003c/h4\u003e\u003cp\u003eAssessors work with the ISSO and CRA to validate and verify that a system’s documented controls work. They use assessment cases to test the system. 
The process typically involves the following steps:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe ISSO notifies the CRA that an assessment is being requested, and a tentative assessment date is set\u003c/li\u003e\u003cli\u003eThe CRA provides the ISSO with pricing information and instructions for using the Comprehensive Acquisitions Management System (CAMS) to pay for the assessment, and notifies the independent assessor that an assessment needs to be scheduled\u003c/li\u003e\u003cli\u003eAt least six weeks prior to the assessment kick-off, the ISSO works with the BO to move funds for the assessment using the CAMS\u003c/li\u003e\u003cli\u003eThe assessment begins once the funds are verified as available via the CAMS\u003c/li\u003e\u003c/ul\u003e\u003ch3\u003e\u003cstrong\u003eAuthorizing Official (AO)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe AO is responsible for the overall impact categorization and risk acceptance. They determine if the risk of operating the system is acceptable, and if so, issue an Authority to Operate (ATO) for that system. They often delegate this responsibility to one or more other people. At most federal agencies this role is performed by the Chief Information Officer (CIO).\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003ePenetration Tester (PenTester)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003ePenTesters test the security of a system by attempting to exploit vulnerabilities. These tests can help CMS to improve its overall information security posture by exposing weaknesses and providing guidance on steps that can be taken to reduce the risk of attack. The test is designed to proactively identify the methods that bad actors might use to circumvent security features. 
After the test, a findings report is produced. At CMS, this service is offered and funded by the \u003ca href=\"https://security.cms.gov/learn/cms-cybersecurity-integration-center-ccic\"\u003eCMS Cybersecurity Integration Center (CCIC)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003ca href=\"https://security.cms.gov/learn/penetration-testing\"\u003eLearn more about CMS PenTesting here.\u003c/a\u003e\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eProgram / Project Team\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThose who are trying to build/launch the system.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eSystem Owner\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe system owner is usually the product lead or tech lead of the project team. They will be named in the ATO documents and are the main contact during the evaluation process that leads up to an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eEnterprise Architecture and Data Group (EA)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eEvery federal agency is required to develop Enterprise Architecture to guide information technology investments. The CMS EA Group is located in the Office of Information Technology (OIT), and it works to help document all information system architecture at the agency. This includes working with project teams to provide the documentation required for an ATO.\u003c/p\u003e\u003ch3\u003e\u003cstrong\u003eGovernance Review Team (GRT)\u003c/strong\u003e\u003c/h3\u003e\u003cp\u003eThe Governance Review Team is a key stakeholder group during the Initiate Phase of the ATO process. It helps project teams determine whether there is a need to build a new system and work through the IT governance process.\u003c/p\u003e\u003cp\u003eThe GRT directs project teams to available resources, advises them on how to properly develop and document their business case, and analyzes potential existing solutions at CMS. 
Based on these discussions, the GRT makes recommendations to the Governance Review Board (GRB) about whether to move forward with developing a new system.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"ca:{\"value\":\"$cb\",\"format\":\"body_text\",\"processed\":\"$cc\"}\nc8:{\"drupal_internal__id\":736,\"drupal_internal__revision_id\":18929,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:05:04+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":\"$c9\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":\"$ca\"}\nd0:{\"drupal_internal__target_id\":\"page_section\"}\ncf:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/paragraph_type?resourceVersion=id%3A18929\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/relationships/paragraph_type?resourceVersion=id%3A18929\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/field_specialty_item?resourceVersion=id%3A18929\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/relationships/field_specialty_item?resourceVersion=id%3A18929\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\ncd:{\"paragraph_type\":\"$ce\",\"field_specialty_item\":\"$d4\"}\nc5:{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"links\":\"$c6\",\"attributes\":\"$c8\",\"relationships\":\"$cd\"}\nda:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58?resourceVersion=id%3A1
8927\"}\nd9:{\"self\":\"$da\"}\ndc:[]\ndb:{\"drupal_internal__id\":706,\"drupal_internal__revision_id\":18927,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:19+00:00\",\"parent_id\":\"711\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":\"$dc\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null}\ne0:{\"drupal_internal__target_id\":\"proc"])</script><script>self.__next_f.push([1,"ess_list\"}\ndf:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":\"$e0\"}\ne2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/paragraph_type?resourceVersion=id%3A18927\"}\ne3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/relationships/paragraph_type?resourceVersion=id%3A18927\"}\ne1:{\"related\":\"$e2\",\"self\":\"$e3\"}\nde:{\"data\":\"$df\",\"links\":\"$e1\"}\ne7:{\"target_revision_id\":18923,\"drupal_internal__target_id\":686}\ne6:{\"type\":\"paragraph--process_list_item\",\"id\":\"0d357568-9a13-468c-a504-e9c841212b71\",\"meta\":\"$e7\"}\ne9:{\"target_revision_id\":18924,\"drupal_internal__target_id\":691}\ne8:{\"type\":\"paragraph--process_list_item\",\"id\":\"1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a\",\"meta\":\"$e9\"}\neb:{\"target_revision_id\":18925,\"drupal_internal__target_id\":696}\nea:{\"type\":\"paragraph--process_list_item\",\"id\":\"ba40c87a-73ea-4db7-bc77-4ec1a902a40b\",\"meta\":\"$eb\"}\ned:{\"target_revision_id\":18926,\"drupal_internal__target_id\":701}\nec:{\"type\":\"paragraph--process_list_item\",\"id\":\"b505ec18-afe5-44e5-b4dd-1c41dbeab9be\",\"meta\":\"$ed\"}\ne5:[\"$e6\",\"$e8\",\"$ea\",\"$ec\"]\nef:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/field_process_list_item?resourceVersion=id%3A18927\"}\nf0:{\"href\":\"https:
//cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/relationships/field_process_list_item?resourceVersion=id%3A18927\"}\nee:{\"related\":\"$ef\",\"self\":\"$f0\"}\ne4:{\"data\":\"$e5\",\"links\":\"$ee\"}\ndd:{\"paragraph_type\":\"$de\",\"field_process_list_item\":\"$e4\"}\nd8:{\"type\":\"paragraph--process_list\",\"id\":\"b5286761-357f-429f-8502-dd7459bb3e58\",\"links\":\"$d9\",\"attributes\":\"$db\",\"relationships\":\"$dd\"}\nf3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71?resourceVersion=id%3A18923\"}\nf2:{\"self\":\"$f3\"}\nf5:[]\nf6:{\"value\":\"\u003cp\u003eIn this phase, documentation is created about the general business needs that the system "])</script><script>self.__next_f.push([1,"intends to address. If there’s a similar solution already in use at CMS, it can be utilized rather than starting a new system that will require a new ATO. If proceeding with a new system idea, initial activities will begin for things like intake, hosting, consultations with stakeholders, and technical documentation. This is also when you will define the system’s categorization, boundary, and security controls.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, documentation is created about the general business needs that the system intends to address. If there’s a similar solution already in use at CMS, it can be utilized rather than starting a new system that will require a new ATO. If proceeding with a new system idea, initial activities will begin for things like intake, hosting, consultations with stakeholders, and technical documentation. 
This is also when you will define the system’s categorization, boundary, and security controls.\u003c/p\u003e\"}\nf4:{\"drupal_internal__id\":686,\"drupal_internal__revision_id\":18923,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:19+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$f5\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$f6\",\"field_list_item_title\":\"Initiate\"}\nfa:{\"drupal_internal__target_id\":\"process_list_item\"}\nf9:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$fa\"}\nfc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71/paragraph_type?resourceVersion=id%3A18923\"}\nfd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71/relationships/paragraph_type?resourceVersion=id%3A18923\"}\nfb:{\"related\":\"$fc\",\"self\":\"$fd\"}\nf8:{\"data\":\"$f9\",\"links\":\"$fb\"}\nf7:{\"paragraph_type\":\"$f8\"}\nf1:{\"type\":\"paragraph--process_list_item\",\"id\":\"0d357568-9a13-468c-a504-e9c841212b71\",\"links\":\"$f2\",\"attr"])</script><script>self.__next_f.push([1,"ibutes\":\"$f4\",\"relationships\":\"$f7\"}\n100:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a?resourceVersion=id%3A18924\"}\nff:{\"self\":\"$100\"}\n102:[]\n103:{\"value\":\"\u003cp\u003eIn this phase, the system is designed and developed according to requirements and user stories. It is deployed to a non-production environment and tested to make sure it’s working properly and that security requirements are met. 
This phase includes documenting and implementing all necessary security controls, finalizing required artifacts, and performing assessments that test the system’s security posture.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, the system is designed and developed according to requirements and user stories. It is deployed to a non-production environment and tested to make sure it’s working properly and that security requirements are met. This phase includes documenting and implementing all necessary security controls, finalizing required artifacts, and performing assessments that test the system’s security posture.\u003c/p\u003e\"}\n101:{\"drupal_internal__id\":691,\"drupal_internal__revision_id\":18924,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:00:11+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$102\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$103\",\"field_list_item_title\":\"Develop and 
assess\"}\n107:{\"drupal_internal__target_id\":\"process_list_item\"}\n106:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$107\"}\n109:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a/paragraph_type?resourceVersion=id%3A18924\"}\n10a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a/relationships/paragraph_type?resourceVersion=id%3A18924\"}\n108:{\"related\":\"$109\",\"self\":\"$10a\"}\n105:{\"data\":\"$106\",\""])</script><script>self.__next_f.push([1,"links\":\"$108\"}\n104:{\"paragraph_type\":\"$105\"}\nfe:{\"type\":\"paragraph--process_list_item\",\"id\":\"1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a\",\"links\":\"$ff\",\"attributes\":\"$101\",\"relationships\":\"$104\"}\n10d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7-bc77-4ec1a902a40b?resourceVersion=id%3A18925\"}\n10c:{\"self\":\"$10d\"}\n10f:[]\n110:{\"value\":\"\u003cp\u003eIn this phase, ATO has been granted and the system is being used for its intended purpose at CMS. Periodic security activities such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound. The Business Owner and ISSO both keep documentation updated when changes are made to the system – a critical part of maintaining a current ATO.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, ATO has been granted and the system is being used for its intended purpose at CMS. Periodic security activities such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound. 
The Business Owner and ISSO both keep documentation updated when changes are made to the system – a critical part of maintaining a current ATO.\u003c/p\u003e\"}\n10e:{\"drupal_internal__id\":696,\"drupal_internal__revision_id\":18925,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:00:43+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$10f\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$110\",\"field_list_item_title\":\"Operate\"}\n114:{\"drupal_internal__target_id\":\"process_list_item\"}\n113:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$114\"}\n116:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7-bc77-4ec1a902a40b/paragraph_type?resourceVersion=id%3A18925\"}\n117:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7"])</script><script>self.__next_f.push([1,"-bc77-4ec1a902a40b/relationships/paragraph_type?resourceVersion=id%3A18925\"}\n115:{\"related\":\"$116\",\"self\":\"$117\"}\n112:{\"data\":\"$113\",\"links\":\"$115\"}\n111:{\"paragraph_type\":\"$112\"}\n10b:{\"type\":\"paragraph--process_list_item\",\"id\":\"ba40c87a-73ea-4db7-bc77-4ec1a902a40b\",\"links\":\"$10c\",\"attributes\":\"$10e\",\"relationships\":\"$111\"}\n11a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be?resourceVersion=id%3A18926\"}\n119:{\"self\":\"$11a\"}\n11c:[]\n11d:{\"value\":\"\u003cp\u003eIn this phase, the system has reached the end of its useful life or the end of its contract. The decision to shut it down is made through a managed process and checklist, ensuring compliance with federal guidelines for retiring a government IT system. 
Final documentation is created, data is archived, and hardware is disposed of according to best practices. Even at this stage, there are security considerations and activities performed by the ISSO and others.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, the system has reached the end of its useful life or the end of its contract. The decision to shut it down is made through a managed process and checklist, ensuring compliance with federal guidelines for retiring a government IT system. Final documentation is created, data is archived, and hardware is disposed of according to best practices. Even at this stage, there are security considerations and activities performed by the ISSO and others.\u003c/p\u003e\"}\n11b:{\"drupal_internal__id\":701,\"drupal_internal__revision_id\":18926,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:01:11+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":\"$11c\",\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":\"$11d\",\"field_list_item_title\":\"Retire\"}\n121:{\"drupal_internal__target_id\":\"process_list_item\"}\n120:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":\"$121\"}\n123:{\"href"])</script><script>self.__next_f.push([1,"\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be/paragraph_type?resourceVersion=id%3A18926\"}\n124:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be/relationships/paragraph_type?resourceVersion=id%3A18926\"}\n122:{\"related\":\"$123\",\"self\":\"$124\"}\n11f:{\"data\":\"$120\",\"links\":\"$122\"}\n11e:{\"paragraph_type\":\"$11f\"}\n118:{\"type\":\"paragraph--process_list_item\",\"id\":\"b505ec18-afe5-44e5-b4dd-1c41dbeab9be\",\"links\":\"$119\",\"a
ttributes\":\"$11b\",\"relationships\":\"$11e\"}\n127:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed?resourceVersion=id%3A18930\"}\n126:{\"self\":\"$127\"}\n129:[]\n128:{\"drupal_internal__id\":3376,\"drupal_internal__revision_id\":18930,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T20:38:41+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$129\",\"default_langcode\":true,\"revision_translation_affected\":true}\n12d:{\"drupal_internal__target_id\":\"internal_link\"}\n12c:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$12d\"}\n12f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/paragraph_type?resourceVersion=id%3A18930\"}\n130:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/relationships/paragraph_type?resourceVersion=id%3A18930\"}\n12e:{\"related\":\"$12f\",\"self\":\"$130\"}\n12b:{\"data\":\"$12c\",\"links\":\"$12e\"}\n133:{\"drupal_internal__target_id\":771}\n132:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":\"$133\"}\n135:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/field_link?resourceVersion=id%3A18930\"}\n136:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/relationships/field_link?resourceVersion=id%3A18930\"}\n134:{\"related\":\"$135\",\""])</script><script>self.__next_f.push([1,"self\":\"$136\"}\n131:{\"data\":\"$132\",\"links\":\"$134\"}\n12a:{\"paragraph_type\":\"$12b\",\"field_link\":\"$131\"}\n125:{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"links\":\"$126\",\"attributes\":\"$128\",\"relationships\":\"$12a\"}\n139:{\"href\":\"
https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5?resourceVersion=id%3A18931\"}\n138:{\"self\":\"$139\"}\n13b:[]\n13a:{\"drupal_internal__id\":1306,\"drupal_internal__revision_id\":18931,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T16:59:01+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$13b\",\"default_langcode\":true,\"revision_translation_affected\":true}\n13f:{\"drupal_internal__target_id\":\"internal_link\"}\n13e:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$13f\"}\n141:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/paragraph_type?resourceVersion=id%3A18931\"}\n142:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/relationships/paragraph_type?resourceVersion=id%3A18931\"}\n140:{\"related\":\"$141\",\"self\":\"$142\"}\n13d:{\"data\":\"$13e\",\"links\":\"$140\"}\n145:{\"drupal_internal__target_id\":391}\n144:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":\"$145\"}\n147:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/field_link?resourceVersion=id%3A18931\"}\n148:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/relationships/field_link?resourceVersion=id%3A18931\"}\n146:{\"related\":\"$147\",\"self\":\"$148\"}\n143:{\"data\":\"$144\",\"links\":\"$146\"}\n13c:{\"paragraph_type\":\"$13d\",\"field_link\":\"$143\"}\n137:{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"links\":\"$138\",\"attributes\":\"$13a\",\"relationships\":\"$13c\"}\n14b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f6"])</script><script>self.__next_f.push([
1,"57-43ce-bc94-0a2d803430c6?resourceVersion=id%3A18932\"}\n14a:{\"self\":\"$14b\"}\n14d:[]\n14c:{\"drupal_internal__id\":1316,\"drupal_internal__revision_id\":18932,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T16:59:18+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$14d\",\"default_langcode\":true,\"revision_translation_affected\":true}\n151:{\"drupal_internal__target_id\":\"internal_link\"}\n150:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$151\"}\n153:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/paragraph_type?resourceVersion=id%3A18932\"}\n154:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/relationships/paragraph_type?resourceVersion=id%3A18932\"}\n152:{\"related\":\"$153\",\"self\":\"$154\"}\n14f:{\"data\":\"$150\",\"links\":\"$152\"}\n157:{\"drupal_internal__target_id\":201}\n156:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":\"$157\"}\n159:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/field_link?resourceVersion=id%3A18932\"}\n15a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/relationships/field_link?resourceVersion=id%3A18932\"}\n158:{\"related\":\"$159\",\"self\":\"$15a\"}\n155:{\"data\":\"$156\",\"links\":\"$158\"}\n14e:{\"paragraph_type\":\"$14f\",\"field_link\":\"$155\"}\n149:{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"links\":\"$14a\",\"attributes\":\"$14c\",\"relationships\":\"$14e\"}\n15d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce?resourceVersion=id%3A18933\"}\n15c:{\"self\":\"$15d\"}\n15f:[]\n15e:{\"drupal_in
ternal__id\":2521,\"drupal_internal__revision_id\":18933,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-13T14:26:44+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings"])</script><script>self.__next_f.push([1,"\":\"$15f\",\"default_langcode\":true,\"revision_translation_affected\":true}\n163:{\"drupal_internal__target_id\":\"internal_link\"}\n162:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$163\"}\n165:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/paragraph_type?resourceVersion=id%3A18933\"}\n166:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/relationships/paragraph_type?resourceVersion=id%3A18933\"}\n164:{\"related\":\"$165\",\"self\":\"$166\"}\n161:{\"data\":\"$162\",\"links\":\"$164\"}\n169:{\"drupal_internal__target_id\":261}\n168:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":\"$169\"}\n16b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/field_link?resourceVersion=id%3A18933\"}\n16c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/relationships/field_link?resourceVersion=id%3A18933\"}\n16a:{\"related\":\"$16b\",\"self\":\"$16c\"}\n167:{\"data\":\"$168\",\"links\":\"$16a\"}\n160:{\"paragraph_type\":\"$161\",\"field_link\":\"$167\"}\n15b:{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"links\":\"$15c\",\"attributes\":\"$15e\",\"relationships\":\"$160\"}\n16f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1?resourceVersion=id%3A18934\"}\n16e:{\"self\":\"$16f\"}\n171:[]\n170:{\"drupal_internal__id\":3444,\"drupal_internal__revision_id\":18934,\"langcod
e\":\"en\",\"status\":true,\"created\":\"2023-09-22T13:57:08+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":\"$171\",\"default_langcode\":true,\"revision_translation_affected\":true}\n175:{\"drupal_internal__target_id\":\"internal_link\"}\n174:{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":\"$175\"}\n177:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-"])</script><script>self.__next_f.push([1,"bf38aa8054a1/paragraph_type?resourceVersion=id%3A18934\"}\n178:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/relationships/paragraph_type?resourceVersion=id%3A18934\"}\n176:{\"related\":\"$177\",\"self\":\"$178\"}\n173:{\"data\":\"$174\",\"links\":\"$176\"}\n17b:{\"drupal_internal__target_id\":1148}\n17a:{\"type\":\"node--explainer\",\"id\":\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\",\"meta\":\"$17b\"}\n17d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/field_link?resourceVersion=id%3A18934\"}\n17e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/relationships/field_link?resourceVersion=id%3A18934\"}\n17c:{\"related\":\"$17d\",\"self\":\"$17e\"}\n179:{\"data\":\"$17a\",\"links\":\"$17c\"}\n172:{\"paragraph_type\":\"$173\",\"field_link\":\"$179\"}\n16d:{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"links\":\"$16e\",\"attributes\":\"$170\",\"relationships\":\"$172\"}\n181:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resourceVersion=id%3A5861\"}\n180:{\"self\":\"$181\"}\n183:{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"}\n184:{\"value\":\"Supporting the continuous compliance and safety of FISMA 
systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"}\n185:[\"#oa-onboarding \",\"#security_community \",\"#CMS-CDM\"]\n182:{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$183\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\""])</script><script>self.__next_f.push([1,":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy 
Team\",\"field_short_description\":\"$184\",\"field_slack_channel\":\"$185\"}\n189:{\"drupal_internal__target_id\":\"explainer\"}\n188:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$189\"}\n18b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"}\n18c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}\n18a:{\"related\":\"$18b\",\"self\":\"$18c\"}\n187:{\"data\":\"$188\",\"links\":\"$18a\"}\n18f:{\"drupal_internal__target_id\":6}\n18e:{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$18f\"}\n191:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"}\n192:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}\n190:{\"related\":\"$191\",\"self\":\"$192\"}\n18d:{\"data\":\"$18e\",\"links\":\"$190\"}\n195:{\"drupal_internal__target_id\":26}\n194:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$195\"}\n197:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"}\n198:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}\n196:{\"related\":\"$197\",\"self\":\"$198\"}\n193:{\"data\":\"$194\",\"links\":\"$196\"}\n19c:{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}\n19b:{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":\"$19c\"}\n19e:{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}\n19d:{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-
e7a23389889e\",\"meta\":\"$19e\"}\n1a0:{\"target_revision_id\":19171,\"drupal_internal__target_id\":2"])</script><script>self.__next_f.push([1,"386}\n19f:{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":\"$1a0\"}\n1a2:{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}\n1a1:{\"type\":\"paragraph--page_section\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":\"$1a2\"}\n19a:[\"$19b\",\"$19d\",\"$19f\",\"$1a1\"]\n1a4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"}\n1a5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}\n1a3:{\"related\":\"$1a4\",\"self\":\"$1a5\"}\n199:{\"data\":\"$19a\",\"links\":\"$1a3\"}\n1a9:{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}\n1a8:{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":\"$1a9\"}\n1ab:{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}\n1aa:{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":\"$1ab\"}\n1ad:{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}\n1ac:{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":\"$1ad\"}\n1af:{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}\n1ae:{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":\"$1af\"}\n1b1:{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}\n1b0:{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":\"$1b1\"}\n1b3:{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}\n1b2:{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":\"$1b3\"}\n1a7:[\"$1a8
\",\"$1aa\",\"$1ac\",\"$1ae\",\"$1b0\",\"$1b2\"]\n1b5:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"}\n1b6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}\n1b4:{\"related\""])</script><script>self.__next_f.push([1,":\"$1b5\",\"self\":\"$1b6\"}\n1a6:{\"data\":\"$1a7\",\"links\":\"$1b4\"}\n1b9:{\"drupal_internal__target_id\":131}\n1b8:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$1b9\"}\n1bb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"}\n1bc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}\n1ba:{\"related\":\"$1bb\",\"self\":\"$1bc\"}\n1b7:{\"data\":\"$1b8\",\"links\":\"$1ba\"}\n1c0:{\"drupal_internal__target_id\":66}\n1bf:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$1c0\"}\n1c2:{\"drupal_internal__target_id\":61}\n1c1:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$1c2\"}\n1c4:{\"drupal_internal__target_id\":76}\n1c3:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$1c4\"}\n1be:[\"$1bf\",\"$1c1\",\"$1c3\"]\n1c6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"}\n1c7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}\n1c5:{\"related\":\"$1c6\",\"self\":\"$1c7\"}\n1bd:{\"data\":\"$1be\",\"links\":\"$1c5\"}\n1cb:{\"drupal_internal__target_id\":36}\n1ca:{\"type\"
:\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$1cb\"}\n1cd:{\"drupal_internal__target_id\":11}\n1cc:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$1cd\"}\n1c9:[\"$1ca\",\"$1cc\"]\n1cf:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"}\n1d0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}\n1ce:{\"related\":\"$1cf\",\"self\":\"$1d0\"}\n1c8:{\"data\":\"$1c9\",\"links\":\"$1ce\"}\n186:{\"node_type\":\"$187\",\"revis"])</script><script>self.__next_f.push([1,"ion_uid\":\"$18d\",\"uid\":\"$193\",\"field_page_section\":\"$199\",\"field_related_collection\":\"$1a6\",\"field_resource_type\":\"$1b7\",\"field_roles\":\"$1bd\",\"field_topics\":\"$1c8\"}\n17f:{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":\"$180\",\"attributes\":\"$182\",\"relationships\":\"$186\"}\n1d3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}\n1d2:{\"self\":\"$1d3\"}\n1d5:{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"}\n1d6:{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\u003c/p\u003e\\n\"}\n1d7:[\"#ccic_sec_eng_and_soc\"]\n1d4:{\"drupal_internal__nid\":391,\"drupal_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing 
(PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$1d5\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":\"$1d6\",\"field_slack_channel\":\"$1d7\"}\n1db:{\"drupal_internal__target_id\":\"explainer\"}\n1da:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$1db\"}\n1dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"}\n1de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}\n1dc:{\"related\":\"$1dd\",\"self\":\"$1de\"}\n1d9:{\"data\":\"$1da\",\"links\":"])</script><script>self.__next_f.push([1,"\"$1dc\"}\n1e1:{\"drupal_internal__target_id\":122}\n1e0:{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":\"$1e1\"}\n1e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"}\n1e4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}\n1e2:{\"related\":\"$1e3\",\"self\":\"$1e4\"}\n1df:{\"data\":\"$1e0\",\"links\":\"$1e2\"}\n1e7:{\"drupal_internal__target_id\":26}\n1e6:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$1e7\"}\n1e9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"}\n1ea
:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}\n1e8:{\"related\":\"$1e9\",\"self\":\"$1ea\"}\n1e5:{\"data\":\"$1e6\",\"links\":\"$1e8\"}\n1ee:{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}\n1ed:{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":\"$1ee\"}\n1f0:{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}\n1ef:{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":\"$1f0\"}\n1ec:[\"$1ed\",\"$1ef\"]\n1f2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_page_section?resourceVersion=id%3A5886\"}\n1f3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}\n1f1:{\"related\":\"$1f2\",\"self\":\"$1f3\"}\n1eb:{\"data\":\"$1ec\",\"links\":\"$1f1\"}\n1f7:{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}\n1f6:{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":\"$1f7\"}\n1f9:{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}\n1f8:{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":\"$1f9\"}\n1fb:{\"target_revision_id\":"])</script><script>self.__next_f.push([1,"19221,\"drupal_internal__target_id\":2031}\n1fa:{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":\"$1fb\"}\n1fd:{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}\n1fc:{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":\"$1fd\"}\n1ff:{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}\n1fe:{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":\"$1ff\"}\n201:{\"targ
et_revision_id\":19224,\"drupal_internal__target_id\":3389}\n200:{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":\"$201\"}\n1f5:[\"$1f6\",\"$1f8\",\"$1fa\",\"$1fc\",\"$1fe\",\"$200\"]\n203:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"}\n204:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}\n202:{\"related\":\"$203\",\"self\":\"$204\"}\n1f4:{\"data\":\"$1f5\",\"links\":\"$202\"}\n207:{\"drupal_internal__target_id\":121}\n206:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$207\"}\n209:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"}\n20a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}\n208:{\"related\":\"$209\",\"self\":\"$20a\"}\n205:{\"data\":\"$206\",\"links\":\"$208\"}\n20e:{\"drupal_internal__target_id\":66}\n20d:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$20e\"}\n210:{\"drupal_internal__target_id\":61}\n20f:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$210\"}\n212:{\"drupal_internal__target_id\":76}\n211:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$212\"}\n214:{\"drupal_internal__target_id\":71}\n213:{\"type\":\"taxonomy"])</script><script>self.__next_f.push([1,"_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$214\"}\n20c:[\"$20d\",\"$20f\",\"$211\",\"$213\"]\n216:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/fiel
d_roles?resourceVersion=id%3A5886\"}\n217:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}\n215:{\"related\":\"$216\",\"self\":\"$217\"}\n20b:{\"data\":\"$20c\",\"links\":\"$215\"}\n21b:{\"drupal_internal__target_id\":6}\n21a:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$21b\"}\n21d:{\"drupal_internal__target_id\":46}\n21c:{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":\"$21d\"}\n219:[\"$21a\",\"$21c\"]\n21f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"}\n220:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}\n21e:{\"related\":\"$21f\",\"self\":\"$220\"}\n218:{\"data\":\"$219\",\"links\":\"$21e\"}\n1d8:{\"node_type\":\"$1d9\",\"revision_uid\":\"$1df\",\"uid\":\"$1e5\",\"field_page_section\":\"$1eb\",\"field_related_collection\":\"$1f4\",\"field_resource_type\":\"$205\",\"field_roles\":\"$20b\",\"field_topics\":\"$218\"}\n1d1:{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":\"$1d2\",\"attributes\":\"$1d4\",\"relationships\":\"$1d8\"}\n223:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}\n222:{\"self\":\"$223\"}\n225:{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"}\n226:{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational 
burden.\u003c/p\u003e\\n\"}\n227:[]\n224:{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2"])</script><script>self.__next_f.push([1,"024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$225\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":\"$226\",\"field_slack_channel\":\"$227\"}\n22b:{\"drupal_internal__target_id\":\"explainer\"}\n22a:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$22b\"}\n22d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"}\n22e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}\n22c:{\"related\":\"$22d\",\"self\":\"$22e\"}\n229:{\"data\":\"$22a\",\"links\":\"$22c\"}\n231:{\"drupal_internal__target_id\":95}\n230:{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":\"$231\"}\n233:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"}\n234:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}\n232:{\"related\":\"$233\",\"self\":\"$234\"}\n22f:{\"data\":\"$230\",\"links\":\"$232\"}\n237:{\"drupal_internal__target_id\":26}\n236:{\"type\":\"user--user\
",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$237\"}\n239:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"}\n23a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}\n238:{\"related\":\"$239\",\"self\":\"$23a\"}\n235:{\"data\":\"$236\",\"lin"])</script><script>self.__next_f.push([1,"ks\":\"$238\"}\n23e:{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}\n23d:{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":\"$23e\"}\n240:{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}\n23f:{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":\"$240\"}\n242:{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}\n241:{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":\"$242\"}\n244:{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}\n243:{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":\"$244\"}\n246:{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}\n245:{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":\"$246\"}\n248:{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}\n247:{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":\"$248\"}\n23c:[\"$23d\",\"$23f\",\"$241\",\"$243\",\"$245\",\"$247\"]\n24a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"}\n24b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}\n249:{\"related\":\"$24a\",\"self\":\"$24b\"}
\n23b:{\"data\":\"$23c\",\"links\":\"$249\"}\n24f:{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}\n24e:{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":\"$24f\"}\n251:{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}\n250:{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4acf-a7bd-c5f629ddc1e2\",\"meta\":\"$251\"}\n253:{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}\n252:{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":\"$253\"}\n255:{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}\n254:{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4"])</script><script>self.__next_f.push([1,"f4c55fe4a5a\",\"meta\":\"$255\"}\n257:{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}\n256:{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":\"$257\"}\n259:{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}\n258:{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":\"$259\"}\n24d:[\"$24e\",\"$250\",\"$252\",\"$254\",\"$256\",\"$258\"]\n25b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"}\n25c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}\n25a:{\"related\":\"$25b\",\"self\":\"$25c\"}\n24c:{\"data\":\"$24d\",\"links\":\"$25a\"}\n25f:{\"drupal_internal__target_id\":121}\n25e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$25f\"}\n261:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"}\n262:{\"href\":\"https://cyberg
eek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}\n260:{\"related\":\"$261\",\"self\":\"$262\"}\n25d:{\"data\":\"$25e\",\"links\":\"$260\"}\n266:{\"drupal_internal__target_id\":66}\n265:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$266\"}\n268:{\"drupal_internal__target_id\":61}\n267:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$268\"}\n26a:{\"drupal_internal__target_id\":76}\n269:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$26a\"}\n264:[\"$265\",\"$267\",\"$269\"]\n26c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"}\n26d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}\n26b:{\"related\":\"$"])</script><script>self.__next_f.push([1,"26c\",\"self\":\"$26d\"}\n263:{\"data\":\"$264\",\"links\":\"$26b\"}\n271:{\"drupal_internal__target_id\":6}\n270:{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":\"$271\"}\n273:{\"drupal_internal__target_id\":36}\n272:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$273\"}\n26f:[\"$270\",\"$272\"]\n275:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"}\n276:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}\n274:{\"related\":\"$275\",\"self\":\"$276\"}\n26e:{\"data\":\"$26f\",\"links\":\"$274\"}\n228:{\"node_type\":\"$229\",\"revision_uid\":\"$22f\",\"uid\":\"$235\",\"field_page_section\":\"$23b\",\"field_related_collection\":\"$24c\",\"fi
eld_resource_type\":\"$25d\",\"field_roles\":\"$263\",\"field_topics\":\"$26e\"}\n221:{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":\"$222\",\"attributes\":\"$224\",\"relationships\":\"$228\"}\n279:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}\n278:{\"self\":\"$279\"}\n27b:{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"}\n27c:{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"}\n27d:[\"#cfacts_community\"]\n27a:{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":\"$27b\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_res"])</script><script>self.__next_f.push([1,"ponse\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team 
\",\"field_short_description\":\"$27c\",\"field_slack_channel\":\"$27d\"}\n281:{\"drupal_internal__target_id\":\"explainer\"}\n280:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$281\"}\n283:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"}\n284:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}\n282:{\"related\":\"$283\",\"self\":\"$284\"}\n27f:{\"data\":\"$280\",\"links\":\"$282\"}\n287:{\"drupal_internal__target_id\":159}\n286:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":\"$287\"}\n289:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"}\n28a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}\n288:{\"related\":\"$289\",\"self\":\"$28a\"}\n285:{\"data\":\"$286\",\"links\":\"$288\"}\n28d:{\"drupal_internal__target_id\":26}\n28c:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":\"$28d\"}\n28f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"}\n290:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}\n28e:{\"related\":\"$28f\",\"self\":\"$290\"}\n28b:{\"data\":\"$28c\",\"links\":\"$28e\"}\n294:{\"target_revision_id\":19655,\"drupal_internal__target_id\":2101}\n293:{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":\"$294\"}\n296:{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}\n295:{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-861
8d2688563\",\"meta\":\"$296\"}\n298:{\"target_revision_id"])</script><script>self.__next_f.push([1,"\":19666,\"drupal_internal__target_id\":1781}\n297:{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":\"$298\"}\n29a:{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}\n299:{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":\"$29a\"}\n292:[\"$293\",\"$295\",\"$297\",\"$299\"]\n29c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"}\n29d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}\n29b:{\"related\":\"$29c\",\"self\":\"$29d\"}\n291:{\"data\":\"$292\",\"links\":\"$29b\"}\n2a1:{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}\n2a0:{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":\"$2a1\"}\n2a3:{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}\n2a2:{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":\"$2a3\"}\n2a5:{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}\n2a4:{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":\"$2a5\"}\n2a7:{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}\n2a6:{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":\"$2a7\"}\n2a9:{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}\n2a8:{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":\"$2a9\"}\n2ab:{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}\n2aa:{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":\"$2ab\"}\n29f:[\"$2a0\",
\"$2a2\",\"$2a4\",\"$2a6\",\"$2a8\",\"$2aa\"]\n2ad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_related_collection?resourceVersion=id%3A5999\"}\n2ae:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?reso"])</script><script>self.__next_f.push([1,"urceVersion=id%3A5999\"}\n2ac:{\"related\":\"$2ad\",\"self\":\"$2ae\"}\n29e:{\"data\":\"$29f\",\"links\":\"$2ac\"}\n2b1:{\"drupal_internal__target_id\":121}\n2b0:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":\"$2b1\"}\n2b3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"}\n2b4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}\n2b2:{\"related\":\"$2b3\",\"self\":\"$2b4\"}\n2af:{\"data\":\"$2b0\",\"links\":\"$2b2\"}\n2b8:{\"drupal_internal__target_id\":66}\n2b7:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":\"$2b8\"}\n2ba:{\"drupal_internal__target_id\":61}\n2b9:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$2ba\"}\n2bc:{\"drupal_internal__target_id\":76}\n2bb:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$2bc\"}\n2be:{\"drupal_internal__target_id\":71}\n2bd:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":\"$2be\"}\n2b6:[\"$2b7\",\"$2b9\",\"$2bb\",\"$2bd\"]\n2c0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"}\n2c1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3
A5999\"}\n2bf:{\"related\":\"$2c0\",\"self\":\"$2c1\"}\n2b5:{\"data\":\"$2b6\",\"links\":\"$2bf\"}\n2c5:{\"drupal_internal__target_id\":36}\n2c4:{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":\"$2c5\"}\n2c7:{\"drupal_internal__target_id\":11}\n2c6:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$2c7\"}\n2c3:[\"$2c4\",\"$2c6\"]\n2c9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"}\n2ca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491"])</script><script>self.__next_f.push([1,"c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}\n2c8:{\"related\":\"$2c9\",\"self\":\"$2ca\"}\n2c2:{\"data\":\"$2c3\",\"links\":\"$2c8\"}\n27e:{\"node_type\":\"$27f\",\"revision_uid\":\"$285\",\"uid\":\"$28b\",\"field_page_section\":\"$291\",\"field_related_collection\":\"$29e\",\"field_resource_type\":\"$2af\",\"field_roles\":\"$2b5\",\"field_topics\":\"$2c2\"}\n277:{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":\"$278\",\"attributes\":\"$27a\",\"relationships\":\"$27e\"}\n2cd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd?resourceVersion=id%3A5714\"}\n2cc:{\"self\":\"$2cd\"}\n2cf:{\"alias\":\"/learn/cms-technical-reference-architecture-tra\",\"pid\":1000,\"langcode\":\"en\"}\n2d0:{\"value\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the 
agency\u003c/p\u003e\\n\"}\n2d1:[\"#cms-it-governance\"]\n2ce:{\"drupal_internal__nid\":1148,\"drupal_internal__vid\":5714,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:45:12+00:00\",\"status\":true,\"title\":\"CMS Technical Reference Architecture (TRA)\",\"created\":\"2023-09-18T12:44:53+00:00\",\"changed\":\"2024-01-05T17:45:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":\"$2cf\",\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"tra-admin@cms.hhs.gov\",\"field_contact_name\":\"TRA Team\",\"field_short_description\":\"$2d0\",\"field_slack_channel\":\"$2d1\"}\n2d5:{\"drupal_internal__target_id\":\"explainer\"}\n2d4:{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":\"$2d5\"}\n2d7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0"])</script><script>self.__next_f.push([1,"325a9bd/node_type?resourceVersion=id%3A5714\"}\n2d8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/node_type?resourceVersion=id%3A5714\"}\n2d6:{\"related\":\"$2d7\",\"self\":\"$2d8\"}\n2d3:{\"data\":\"$2d4\",\"links\":\"$2d6\"}\n2db:{\"drupal_internal__target_id\":36}\n2da:{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":\"$2db\"}\n2dd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/revision_uid?resourceVersion=id%3A5714\"}\n2de:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/revision_uid?resourceVersion=id%3A5714\"}\n2dc:{\"related\":\"$2dd\",\"self\":\"$2de\"}\n2d9:{\"data\":\"$2da\",\"links\":\"$2dc\"}\n2e1:{\"drupal_internal__target_id\":6}\n2e0:{\"type
\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":\"$2e1\"}\n2e3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/uid?resourceVersion=id%3A5714\"}\n2e4:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/uid?resourceVersion=id%3A5714\"}\n2e2:{\"related\":\"$2e3\",\"self\":\"$2e4\"}\n2df:{\"data\":\"$2e0\",\"links\":\"$2e2\"}\n2e8:{\"target_revision_id\":16265,\"drupal_internal__target_id\":3416}\n2e7:{\"type\":\"paragraph--page_section\",\"id\":\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\",\"meta\":\"$2e8\"}\n2e6:[\"$2e7\"]\n2ea:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_page_section?resourceVersion=id%3A5714\"}\n2eb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_page_section?resourceVersion=id%3A5714\"}\n2e9:{\"related\":\"$2ea\",\"self\":\"$2eb\"}\n2e5:{\"data\":\"$2e6\",\"links\":\"$2e9\"}\n2ef:{\"target_revision_id\":16266,\"drupal_internal__target_id\":3417}\n2ee:{\"type\":\"paragraph--internal_link\",\"id\":\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\",\"meta\":\"$2ef\"}\n2f1:{\"target_revision_id\":16267,\"drupal_internal__target_id\":3418}\n2f0:{\"type\":\"paragraph--internal_li"])</script><script>self.__next_f.push([1,"nk\",\"id\":\"f41c8404-7b78-4975-a0ff-fff1409d6a77\",\"meta\":\"$2f1\"}\n2f3:{\"target_revision_id\":16268,\"drupal_internal__target_id\":3419}\n2f2:{\"type\":\"paragraph--internal_link\",\"id\":\"669ee575-5a38-48c7-87cc-033627065f29\",\"meta\":\"$2f3\"}\n2f5:{\"target_revision_id\":16269,\"drupal_internal__target_id\":3420}\n2f4:{\"type\":\"paragraph--internal_link\",\"id\":\"b298ff2d-1fb1-485e-84aa-92c94e581f61\",\"meta\":\"$2f5\"}\n2f7:{\"target_revision_id\":16270,\"drupal_internal__target_id\":3421}\n2f6:{\"type\":\"paragraph--internal_link\",\"id\":\"64cbbefb-4c79-4a51-a519-de08bd054e6
1\",\"meta\":\"$2f7\"}\n2f9:{\"target_revision_id\":16271,\"drupal_internal__target_id\":3443}\n2f8:{\"type\":\"paragraph--internal_link\",\"id\":\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\",\"meta\":\"$2f9\"}\n2ed:[\"$2ee\",\"$2f0\",\"$2f2\",\"$2f4\",\"$2f6\",\"$2f8\"]\n2fb:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_related_collection?resourceVersion=id%3A5714\"}\n2fc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_related_collection?resourceVersion=id%3A5714\"}\n2fa:{\"related\":\"$2fb\",\"self\":\"$2fc\"}\n2ec:{\"data\":\"$2ed\",\"links\":\"$2fa\"}\n2ff:{\"drupal_internal__target_id\":131}\n2fe:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":\"$2ff\"}\n301:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_resource_type?resourceVersion=id%3A5714\"}\n302:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_resource_type?resourceVersion=id%3A5714\"}\n300:{\"related\":\"$301\",\"self\":\"$302\"}\n2fd:{\"data\":\"$2fe\",\"links\":\"$300\"}\n306:{\"drupal_internal__target_id\":61}\n305:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":\"$306\"}\n308:{\"drupal_internal__target_id\":76}\n307:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":\"$308\"}\n30a:{\"drupal_internal__target_id\":71}\n309:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0"])</script><script>self.__next_f.push([1,"-3d2da2c5056e\",\"meta\":\"$30a\"}\n304:[\"$305\",\"$307\",\"$309\"]\n30c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_roles?resourceVersion=id%3A5714\"}\n30d:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-
92e0-467c0325a9bd/relationships/field_roles?resourceVersion=id%3A5714\"}\n30b:{\"related\":\"$30c\",\"self\":\"$30d\"}\n303:{\"data\":\"$304\",\"links\":\"$30b\"}\n311:{\"drupal_internal__target_id\":16}\n310:{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":\"$311\"}\n313:{\"drupal_internal__target_id\":11}\n312:{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":\"$313\"}\n30f:[\"$310\",\"$312\"]\n315:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_topics?resourceVersion=id%3A5714\"}\n316:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_topics?resourceVersion=id%3A5714\"}\n314:{\"related\":\"$315\",\"self\":\"$316\"}\n30e:{\"data\":\"$30f\",\"links\":\"$314\"}\n2d2:{\"node_type\":\"$2d3\",\"revision_uid\":\"$2d9\",\"uid\":\"$2df\",\"field_page_section\":\"$2e5\",\"field_related_collection\":\"$2ec\",\"field_resource_type\":\"$2fd\",\"field_roles\":\"$303\",\"field_topics\":\"$30e\"}\n2cb:{\"type\":\"node--explainer\",\"id\":\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\",\"links\":\"$2cc\",\"attributes\":\"$2ce\",\"relationships\":\"$2d2\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"defa7277-790b-4bbd-b6ee-cc539e121df2\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2?resourceVersion=id%3A5737\"}},\"attributes\":{\"drupal_internal__nid\":206,\"drupal_internal__vid\":5737,\"langcode\":\"en\",\"revision_timestamp\":\"2024-07-31T17:37:48+00:00\",\"status\":true,\"title\":\"Authorization to Operate 
(ATO)\",\"created\":\"2022-08-25T19:06:37+00:00\",\"changed\":\"2024-07-31T17:37:48+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/authorization-operate-ato\",\"pid\":196,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting and documenting system security and compliance to gain approval to operate the system at CMS\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cra-help\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/node_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/node_type?resourceVersion=id%3A5737\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/revision_uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/revision_uid?resourceVersion=id%3A5737\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\
"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/uid?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/uid?resourceVersion=id%3A5737\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"meta\":{\"target_revision_id\":18928,\"drupal_internal__target_id\":711}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"meta\":{\"target_revision_id\":18929,\"drupal_internal__target_id\":736}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_page_section?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_page_section?resourceVersion=id%3A5737\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"meta\":{\"target_revision_id\":18930,\"drupal_internal__target_id\":3376}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"meta\":{\"target_revision_id\":18931,\"drupal_internal__target_id\":1306}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"meta\":{\"target_revision_id\":18932,\"drupal_internal__target_id\":1316}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"meta\":{\"target_revision_id\":18933,\"drupal_internal__target_id\":2521}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"meta\":{\"target_revision_id\":18934,\"drupal_internal__target_id\":3444}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/d
efa7277-790b-4bbd-b6ee-cc539e121df2/field_related_collection?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_related_collection?resourceVersion=id%3A5737\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_resource_type?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_resource_type?resourceVersion=id%3A5737\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_roles?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_roles?resourceVersion=id%3A5737\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/field_topics?resourceVersion=id%3A5737\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/defa7277-790b-4bbd-b6ee-cc539e121df2/relationships/field_topics?resourceVersion=id%3A5
737\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/d185e460-4998-4d2b-85cb-b04f304dfb1b\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Explainer page\",\"drupal_internal__type\":\"explainer\",\"description\":\"Use \u003ci\u003eExplainer pages\u003c/i\u003e to provide general information in plain language about a policy, program, tool, service, or task related to security and privacy at CMS.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/e352e203-fe9c-47ba-af75-2c7f8302fca8\"}},\"attributes\":{\"display_name\":\"mburgess\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - 
retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22?resourceVersion=id%3A131\"}},\"attributes\":{\"drupal_internal__tid\":131,\"drupal_internal__revision_id\":131,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:13:33+00:00\",\"status\":true,\"name\":\"General Information\",\"description\":null,\"weight\":2,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/vid?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/vid?resourceVersion=id%3A131\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/revision_user?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/revision_user?resourceVersion=id%3A131\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/parent?resourceVersion=id%3A131\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/a17f4908-9141-4b1e-82aa-e6bfe0f91a22/relationships/parent?resourceVersion=id%3A131\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"ht
tps://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersio
n=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business 
Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource 
identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e?resourceVersion=id%3A11\"}},\"attributes\":{\"drupal_internal__tid\":11,\"drupal_internal__revision_id\":11,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:12+00:00\",\"status\":true,\"name\":\"System Authorization\",\"description\":null,\"weight\":7,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/vid?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/vid?resourceVersion=id%3A11\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/revision_user?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/revision_user?resourceVersion=id%3A11\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drup
al.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/parent?resourceVersion=id%3A11\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/0bc7c1d0-b569-4514-b66c-367457dead7e/relationships/parent?resourceVersion=id%3A11\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"d94629f9-9668-41dd-bce7-a4f267239c07\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07?resourceVersion=id%3A18928\"}},\"attributes\":{\"drupal_internal__id\":711,\"drupal_internal__revision_id\":18928,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:11+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/paragraph_type?resourceVersion=id%3A18928\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/relationships/paragraph_type?resourceVersion=id%3A18928\"}}},\"field_specialty_item\":{\"data\":{\"type\":\"paragraph--process_list\",\"id\":\"b5286761-357f-429f-8502-dd7459bb3e58\",\"meta\":{\"target_revision_id\":18927,\"drupal_internal__target_id\":706}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41
dd-bce7-a4f267239c07/field_specialty_item?resourceVersion=id%3A18928\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/d94629f9-9668-41dd-bce7-a4f267239c07/relationships/field_specialty_item?resourceVersion=id%3A18928\"}}}}},{\"type\":\"paragraph--page_section\",\"id\":\"243e2d3f-f903-438c-8b1f-aee53390b1df\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df?resourceVersion=id%3A18929\"}},\"attributes\":{\"drupal_internal__id\":736,\"drupal_internal__revision_id\":18929,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:05:04+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_page_section\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_text_block\":{\"value\":\"$1a\",\"format\":\"body_text\",\"processed\":\"$1b\"}},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"57f3f40a-8120-4393-b881-a5758f9fb30d\",\"meta\":{\"drupal_internal__target_id\":\"page_section\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/paragraph_type?resourceVersion=id%3A18929\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/relationships/paragraph_type?resourceVersion=id%3A18929\"}}},\"field_specialty_item\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/field_specialty_item?resourceVersion=id%3A18929\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/page_section/243e2d3f-f903-438c-8b1f-aee53390b1df/relationships/field_specialty_item?resourceVersion=id%3A18929\"}}}}},{\"type\":\"paragraph--process_list\",\"id\":\"b5286761-357f-429f-8502-dd7459bb3e58\",\"links\":{\"self\":{\"hre
f\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58?resourceVersion=id%3A18927\"}},\"attributes\":{\"drupal_internal__id\":706,\"drupal_internal__revision_id\":18927,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:19+00:00\",\"parent_id\":\"711\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_specialty_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_process_list_conclusion\":null},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"8a1fa202-0dc7-4f58-9b3d-7f9c44c9a9c8\",\"meta\":{\"drupal_internal__target_id\":\"process_list\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/paragraph_type?resourceVersion=id%3A18927\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/relationships/paragraph_type?resourceVersion=id%3A18927\"}}},\"field_process_list_item\":{\"data\":[{\"type\":\"paragraph--process_list_item\",\"id\":\"0d357568-9a13-468c-a504-e9c841212b71\",\"meta\":{\"target_revision_id\":18923,\"drupal_internal__target_id\":686}},{\"type\":\"paragraph--process_list_item\",\"id\":\"1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a\",\"meta\":{\"target_revision_id\":18924,\"drupal_internal__target_id\":691}},{\"type\":\"paragraph--process_list_item\",\"id\":\"ba40c87a-73ea-4db7-bc77-4ec1a902a40b\",\"meta\":{\"target_revision_id\":18925,\"drupal_internal__target_id\":696}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b505ec18-afe5-44e5-b4dd-1c41dbeab9be\",\"meta\":{\"target_revision_id\":18926,\"drupal_internal__target_id\":701}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/field_process_list_item?resourceVersion=id%3A18927\"},\"self\":{\"href\":\"https://cyberg
eek.cms.gov/jsonapi/paragraph/process_list/b5286761-357f-429f-8502-dd7459bb3e58/relationships/field_process_list_item?resourceVersion=id%3A18927\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"0d357568-9a13-468c-a504-e9c841212b71\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71?resourceVersion=id%3A18923\"}},\"attributes\":{\"drupal_internal__id\":686,\"drupal_internal__revision_id\":18923,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T15:41:19+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIn this phase, documentation is created about the general business needs that the system intends to address. If there’s a similar solution already in use at CMS, it can be utilized rather than starting a new system that will require a new ATO. If proceeding with a new system idea, initial activities will begin for things like intake, hosting, consultations with stakeholders, and technical documentation. This is also when you will define the system’s categorization, boundary, and security controls.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, documentation is created about the general business needs that the system intends to address. If there’s a similar solution already in use at CMS, it can be utilized rather than starting a new system that will require a new ATO. If proceeding with a new system idea, initial activities will begin for things like intake, hosting, consultations with stakeholders, and technical documentation. 
This is also when you will define the system’s categorization, boundary, and security controls.\u003c/p\u003e\"},\"field_list_item_title\":\"Initiate\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71/paragraph_type?resourceVersion=id%3A18923\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/0d357568-9a13-468c-a504-e9c841212b71/relationships/paragraph_type?resourceVersion=id%3A18923\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a?resourceVersion=id%3A18924\"}},\"attributes\":{\"drupal_internal__id\":691,\"drupal_internal__revision_id\":18924,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:00:11+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIn this phase, the system is designed and developed according to requirements and user stories. It is deployed to a non-production environment and tested to make sure it’s working properly and that security requirements are met. This phase includes documenting and implementing all necessary security controls, finalizing required artifacts, and performing assessments that test the system’s security posture.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, the system is designed and developed according to requirements and user stories. 
It is deployed to a non-production environment and tested to make sure it’s working properly and that security requirements are met. This phase includes documenting and implementing all necessary security controls, finalizing required artifacts, and performing assessments that test the system’s security posture.\u003c/p\u003e\"},\"field_list_item_title\":\"Develop and assess\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a/paragraph_type?resourceVersion=id%3A18924\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a/relationships/paragraph_type?resourceVersion=id%3A18924\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"ba40c87a-73ea-4db7-bc77-4ec1a902a40b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7-bc77-4ec1a902a40b?resourceVersion=id%3A18925\"}},\"attributes\":{\"drupal_internal__id\":696,\"drupal_internal__revision_id\":18925,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:00:43+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIn this phase, ATO has been granted and the system is being used for its intended purpose at CMS. Periodic security activities such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound. 
The Business Owner and ISSO both keep documentation updated when changes are made to the system – a critical part of maintaining a current ATO.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, ATO has been granted and the system is being used for its intended purpose at CMS. Periodic security activities such as controls assessments, pen tests, and annual recertification are completed to ensure the security posture of the system is sound. The Business Owner and ISSO both keep documentation updated when changes are made to the system – a critical part of maintaining a current ATO.\u003c/p\u003e\"},\"field_list_item_title\":\"Operate\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7-bc77-4ec1a902a40b/paragraph_type?resourceVersion=id%3A18925\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/ba40c87a-73ea-4db7-bc77-4ec1a902a40b/relationships/paragraph_type?resourceVersion=id%3A18925\"}}}}},{\"type\":\"paragraph--process_list_item\",\"id\":\"b505ec18-afe5-44e5-b4dd-1c41dbeab9be\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be?resourceVersion=id%3A18926\"}},\"attributes\":{\"drupal_internal__id\":701,\"drupal_internal__revision_id\":18926,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-08T16:01:11+00:00\",\"parent_id\":\"706\",\"parent_type\":\"paragraph\",\"parent_field_name\":\"field_process_list_item\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true,\"field_list_item_description\":{\"value\":\"\u003cp\u003eIn this phase, the system has reached the end of its useful life or the end 
of its contract. The decision to shut it down is made through a managed process and checklist, ensuring compliance with federal guidelines for retiring a government IT system. Final documentation is created, data is archived, and hardware is disposed of according to best practices. Even at this stage, there are security considerations and activities performed by the ISSO and others.\u003c/p\u003e\\r\\n\",\"format\":\"main_point_html\",\"processed\":\"\u003cp\u003eIn this phase, the system has reached the end of its useful life or the end of its contract. The decision to shut it down is made through a managed process and checklist, ensuring compliance with federal guidelines for retiring a government IT system. Final documentation is created, data is archived, and hardware is disposed of according to best practices. Even at this stage, there are security considerations and activities performed by the ISSO and others.\u003c/p\u003e\"},\"field_list_item_title\":\"Retire\"},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"169b4697-c521-4a95-b21a-aa0d3f051203\",\"meta\":{\"drupal_internal__target_id\":\"process_list_item\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be/paragraph_type?resourceVersion=id%3A18926\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/process_list_item/b505ec18-afe5-44e5-b4dd-1c41dbeab9be/relationships/paragraph_type?resourceVersion=id%3A18926\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"6f904ac4-c80e-47d9-b786-ee79256befed\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed?resourceVersion=id%3A18930\"}},\"attributes\":{\"drupal_internal__id\":3376,\"drupal_internal__revision_id\":18930,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-06-20T20:38:41+00:00\",\"parent_id\":\"206\",\"parent_type\":
\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/paragraph_type?resourceVersion=id%3A18930\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/relationships/paragraph_type?resourceVersion=id%3A18930\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"meta\":{\"drupal_internal__target_id\":771}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/field_link?resourceVersion=id%3A18930\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/6f904ac4-c80e-47d9-b786-ee79256befed/relationships/field_link?resourceVersion=id%3A18930\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"e20959d7-2a7b-4a01-b985-cfa5363233f5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5?resourceVersion=id%3A18931\"}},\"attributes\":{\"drupal_internal__id\":1306,\"drupal_internal__revision_id\":18931,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T16:59:01+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"
}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/paragraph_type?resourceVersion=id%3A18931\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/relationships/paragraph_type?resourceVersion=id%3A18931\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"meta\":{\"drupal_internal__target_id\":391}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/field_link?resourceVersion=id%3A18931\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/e20959d7-2a7b-4a01-b985-cfa5363233f5/relationships/field_link?resourceVersion=id%3A18931\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"dba9b926-f657-43ce-bc94-0a2d803430c6\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6?resourceVersion=id%3A18932\"}},\"attributes\":{\"drupal_internal__id\":1316,\"drupal_internal__revision_id\":18932,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-02-13T16:59:18+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/paragraph_type?resourceVersion=id%3A18932\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/relationships/paragraph_type?resourceVersion=id%3A18932\"}
}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"meta\":{\"drupal_internal__target_id\":201}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/field_link?resourceVersion=id%3A18932\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/dba9b926-f657-43ce-bc94-0a2d803430c6/relationships/field_link?resourceVersion=id%3A18932\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"44f7083e-9341-42a5-85dc-a9043cdccdce\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce?resourceVersion=id%3A18933\"}},\"attributes\":{\"drupal_internal__id\":2521,\"drupal_internal__revision_id\":18933,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-03-13T14:26:44+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/paragraph_type?resourceVersion=id%3A18933\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/relationships/paragraph_type?resourceVersion=id%3A18933\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"meta\":{\"drupal_internal__target_id\":261}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/field_link?resourceVersion=id%3A18933\"},\"self\":{\"href\":\"https:/
/cybergeek.cms.gov/jsonapi/paragraph/internal_link/44f7083e-9341-42a5-85dc-a9043cdccdce/relationships/field_link?resourceVersion=id%3A18933\"}}}}},{\"type\":\"paragraph--internal_link\",\"id\":\"bd0366d9-64ce-401f-9453-bf38aa8054a1\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1?resourceVersion=id%3A18934\"}},\"attributes\":{\"drupal_internal__id\":3444,\"drupal_internal__revision_id\":18934,\"langcode\":\"en\",\"status\":true,\"created\":\"2023-09-22T13:57:08+00:00\",\"parent_id\":\"206\",\"parent_type\":\"node\",\"parent_field_name\":\"field_related_collection\",\"behavior_settings\":[],\"default_langcode\":true,\"revision_translation_affected\":true},\"relationships\":{\"paragraph_type\":{\"data\":{\"type\":\"paragraphs_type--paragraphs_type\",\"id\":\"81d4313f-807c-40e2-8ffa-700ec8c17167\",\"meta\":{\"drupal_internal__target_id\":\"internal_link\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/paragraph_type?resourceVersion=id%3A18934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/relationships/paragraph_type?resourceVersion=id%3A18934\"}}},\"field_link\":{\"data\":{\"type\":\"node--explainer\",\"id\":\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\",\"meta\":{\"drupal_internal__target_id\":1148}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/field_link?resourceVersion=id%3A18934\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/paragraph/internal_link/bd0366d9-64ce-401f-9453-bf38aa8054a1/relationships/field_link?resourceVersion=id%3A18934\"}}}}},{\"type\":\"node--explainer\",\"id\":\"dfeef1d1-c536-4496-97ad-5488a965a6cf\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf?resource
Version=id%3A5861\"}},\"attributes\":{\"drupal_internal__nid\":771,\"drupal_internal__vid\":5861,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-08T14:51:46+00:00\",\"status\":true,\"title\":\"Ongoing Authorization (OA)\",\"created\":\"2023-03-06T21:09:39+00:00\",\"changed\":\"2024-08-08T14:51:46+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/ongoing-authorization-oa\",\"pid\":751,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_short_description\":{\"value\":\"Supporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eSupporting the continuous compliance and safety of FISMA systems through proactive, ongoing monitoring activities\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#oa-onboarding \",\"#security_community 
\",\"#CMS-CDM\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/node_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/node_type?resourceVersion=id%3A5861\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/revision_uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/revision_uid?resourceVersion=id%3A5861\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/uid?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/uid?resourceVersion=id%3A5861\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"8e64b2f7-d23c-4782-b0e3-e3b850374054\",\"meta\":{\"target_revision_id\":19161,\"drupal_internal__target_id\":2336}},{\"type\":\"paragraph--page_section\",\"id\":\"53ba39d8-a757-47cf-9d7e-e7a23389889e\",\"meta\":{\"target_revision_id\":19169,\"drupal_internal__target_id\":2351}},{\"type\":\"paragraph--page_section\",\"id\":\"123ffcec-1914-4725-a582-5c61bd8c9241\",\"meta\":{\"target_revision_id\":19171,\"drupal_internal__target_id\":2386}},{\"type\":\"paragraph--page_sectio
n\",\"id\":\"e5ef118a-a42b-4cfb-b5a6-cebc127739d3\",\"meta\":{\"target_revision_id\":19172,\"drupal_internal__target_id\":2426}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_page_section?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_page_section?resourceVersion=id%3A5861\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"de5326cf-552a-427c-9781-a4912ad4e45a\",\"meta\":{\"target_revision_id\":19173,\"drupal_internal__target_id\":2466}},{\"type\":\"paragraph--internal_link\",\"id\":\"b5f6c429-201a-4f5f-ae6e-05b6e235ddbc\",\"meta\":{\"target_revision_id\":19174,\"drupal_internal__target_id\":2471}},{\"type\":\"paragraph--internal_link\",\"id\":\"5a2be300-e6a0-41ff-9db9-5b88b77f18f2\",\"meta\":{\"target_revision_id\":19175,\"drupal_internal__target_id\":2476}},{\"type\":\"paragraph--internal_link\",\"id\":\"a7539e73-da37-44b0-ad17-9c481c5e89e9\",\"meta\":{\"target_revision_id\":19176,\"drupal_internal__target_id\":2481}},{\"type\":\"paragraph--internal_link\",\"id\":\"4f862230-6bb8-4954-b295-52e00e609ba5\",\"meta\":{\"target_revision_id\":19177,\"drupal_internal__target_id\":2486}},{\"type\":\"paragraph--internal_link\",\"id\":\"8f0f75de-c261-41da-9ef7-06ccd80efb66\",\"meta\":{\"target_revision_id\":19178,\"drupal_internal__target_id\":2491}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_related_collection?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_related_collection?resourceVersion=id%3A5861\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal_
_target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_resource_type?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_resource_type?resourceVersion=id%3A5861\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_roles?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_roles?resourceVersion=id%3A5861\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/field_topics?resourceVersion=id%3A5861\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/dfeef1d1-c536-4496-97ad-5488a965a6cf/relationships/field_topics?resourceVersion=id%3A5861\"}}}}},{\"type\":\"node--explainer\",\"id\":\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748?resourceVersion=id%3A5886\"}},\"attributes\":{\"drupal_internal__nid\":391,\"drupal
_internal__vid\":5886,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-30T19:33:09+00:00\",\"status\":true,\"title\":\"Penetration Testing (PenTesting)\",\"created\":\"2022-08-29T16:54:55+00:00\",\"changed\":\"2024-08-30T19:33:09+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/penetration-testing-pentesting\",\"pid\":381,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"cmspentestmanagement@cms.hhs.gov\",\"field_contact_name\":\"Penetration Testing Team\",\"field_short_description\":{\"value\":\"Testing that mimics real-world attacks on a system to assess its security posture and identify gaps in protection\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eTesting that mimics real-world attacks on a system to assess its security posture and identify gaps in 
protection\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#ccic_sec_eng_and_soc\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/node_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/node_type?resourceVersion=id%3A5886\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"94466ab9-93ba-4374-964a-cac08e0505c1\",\"meta\":{\"drupal_internal__target_id\":122}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/revision_uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/revision_uid?resourceVersion=id%3A5886\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/uid?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/uid?resourceVersion=id%3A5886\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"9ce3ee98-23ca-4e7f-aba7-eb85e992ee97\",\"meta\":{\"target_revision_id\":19217,\"drupal_internal__target_id\":501}},{\"type\":\"paragraph--page_section\",\"id\":\"7b5e13a5-a70b-4570-8feb-183ff1d4fae9\",\"meta\":{\"target_revision_id\":19218,\"drupal_internal__target_id\":2546}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_pa
ge_section?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_page_section?resourceVersion=id%3A5886\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a7c47ed1-07a0-4487-8538-27c56a8e48d2\",\"meta\":{\"target_revision_id\":19219,\"drupal_internal__target_id\":2021}},{\"type\":\"paragraph--internal_link\",\"id\":\"44807064-0310-448f-8f66-09ee2ff9b17d\",\"meta\":{\"target_revision_id\":19220,\"drupal_internal__target_id\":2026}},{\"type\":\"paragraph--internal_link\",\"id\":\"825dc9a2-1603-4c2a-aa0f-0fa0524dd1eb\",\"meta\":{\"target_revision_id\":19221,\"drupal_internal__target_id\":2031}},{\"type\":\"paragraph--internal_link\",\"id\":\"8d631ecf-4c48-46d2-b8f2-5db69fd03245\",\"meta\":{\"target_revision_id\":19222,\"drupal_internal__target_id\":2036}},{\"type\":\"paragraph--internal_link\",\"id\":\"2121533f-ed8e-4292-81c3-c9c5f3b88c42\",\"meta\":{\"target_revision_id\":19223,\"drupal_internal__target_id\":3388}},{\"type\":\"paragraph--internal_link\",\"id\":\"e3a2533a-0128-4439-8ca5-a56210aa267e\",\"meta\":{\"target_revision_id\":19224,\"drupal_internal__target_id\":3389}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_related_collection?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_related_collection?resourceVersion=id%3A5886\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_resource_type?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/
845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_resource_type?resourceVersion=id%3A5886\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_roles?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_roles?resourceVersion=id%3A5886\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0534f7e2-9894-488d-a526-3c0255df2ad5\",\"meta\":{\"drupal_internal__target_id\":46}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/field_topics?resourceVersion=id%3A5886\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/845c4eed-8d1a-4c98-9ed4-0c6e102b1748/relationships/field_topics?resourceVersion=id%3A5886\"}}}}},{\"type\":\"node--explainer\",\"id\":\"a74e943d-f87d-4688-81e7-65a4013fa320\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320?resourceVersion=id%3A5941\"}},\"attributes\":{\"drupal_internal__nid\":201,\"drupal_internal__vid\":5941,\"langcode\":\"en\",\"revision_timestamp\":\"2024-10-17T14:04:35+00:00\",\"status\":true,\"title\":\"Cybersec
urity and Risk Assessment Program (CSRAP)\",\"created\":\"2022-08-25T18:58:52+00:00\",\"changed\":\"2024-10-07T20:27:11+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"pid\":191,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"CSRAP@cms.hhs.gov\",\"field_contact_name\":\"CSRAP Team\",\"field_short_description\":{\"value\":\"A streamlined risk-based control(s) testing methodology designed to relieve operational burden.\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA streamlined risk-based control(s) testing methodology designed to relieve operational burden.\u003c/p\u003e\\n\"},\"field_slack_channel\":[]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/node_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/node_type?resourceVersion=id%3A5941\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"39240c69-3096-49cd-a07c-3843b6c48c5f\",\"meta\":{\"drupal_internal__target_id\":95}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/revision_uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/revision_uid?resourceVersion=id%3A5941\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12
-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/uid?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/uid?resourceVersion=id%3A5941\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"f36fb6d1-0795-400f-8a15-36d1979118b0\",\"meta\":{\"target_revision_id\":19433,\"drupal_internal__target_id\":3501}},{\"type\":\"paragraph--page_section\",\"id\":\"eb5b28d8-8825-43c5-a889-513068f48fd8\",\"meta\":{\"target_revision_id\":19434,\"drupal_internal__target_id\":611}},{\"type\":\"paragraph--page_section\",\"id\":\"269aaf52-85f1-411f-a67e-e9d9ad620d8a\",\"meta\":{\"target_revision_id\":19435,\"drupal_internal__target_id\":651}},{\"type\":\"paragraph--page_section\",\"id\":\"3a3615ff-9d53-40d6-8291-fd4516dbc893\",\"meta\":{\"target_revision_id\":19442,\"drupal_internal__target_id\":3502}},{\"type\":\"paragraph--page_section\",\"id\":\"cbe6ce50-d7fa-40ac-afe1-00d600e4a4aa\",\"meta\":{\"target_revision_id\":19443,\"drupal_internal__target_id\":3503}},{\"type\":\"paragraph--page_section\",\"id\":\"a46d03b7-7478-40f1-a7da-3171ffcfaa2d\",\"meta\":{\"target_revision_id\":19444,\"drupal_internal__target_id\":3504}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_page_section?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_page_section?resourceVersion=id%3A5941\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"28dbad4c-79e6-4f83-bc5e-965ba6aa4926\",\"meta\":{\"target_revision_id\":19445,\"drupal_internal__target_id\":656}},{\"type\":\"paragraph--internal_link\",\"id\":\"9b8ddf12-5af3-4a
cf-a7bd-c5f629ddc1e2\",\"meta\":{\"target_revision_id\":19446,\"drupal_internal__target_id\":661}},{\"type\":\"paragraph--internal_link\",\"id\":\"77c203ce-2da8-4200-986c-1093acc2ff5a\",\"meta\":{\"target_revision_id\":19447,\"drupal_internal__target_id\":671}},{\"type\":\"paragraph--internal_link\",\"id\":\"50fa320c-23ef-4b7f-b3ee-4f4c55fe4a5a\",\"meta\":{\"target_revision_id\":19448,\"drupal_internal__target_id\":676}},{\"type\":\"paragraph--internal_link\",\"id\":\"c4a332dc-02ea-48f6-9c08-c12ca06e62b5\",\"meta\":{\"target_revision_id\":19449,\"drupal_internal__target_id\":681}},{\"type\":\"paragraph--internal_link\",\"id\":\"5cc61db4-e2f7-43ad-b914-3661d73886e9\",\"meta\":{\"target_revision_id\":19450,\"drupal_internal__target_id\":3505}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_related_collection?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_related_collection?resourceVersion=id%3A5941\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_resource_type?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_resource_type?resourceVersion=id%3A5941\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"d
rupal_internal__target_id\":76}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_roles?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_roles?resourceVersion=id%3A5941\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"7917cea4-02d7-4ebd-93a3-4c39d5f24674\",\"meta\":{\"drupal_internal__target_id\":6}},{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/field_topics?resourceVersion=id%3A5941\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/a74e943d-f87d-4688-81e7-65a4013fa320/relationships/field_topics?resourceVersion=id%3A5941\"}}}}},{\"type\":\"node--explainer\",\"id\":\"de0901ae-4ea5-491c-badd-90a32da3989b\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b?resourceVersion=id%3A5999\"}},\"attributes\":{\"drupal_internal__nid\":261,\"drupal_internal__vid\":5999,\"langcode\":\"en\",\"revision_timestamp\":\"2024-12-05T18:41:37+00:00\",\"status\":true,\"title\":\"CMS FISMA Continuous Tracking System (CFACTS)\",\"created\":\"2022-08-26T14:57:02+00:00\",\"changed\":\"2024-12-05T18:41:37+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"pid\":251,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"ciso@cms.hhs.gov\",\"field_contact_name\":\"CFACTS Team 
\",\"field_short_description\":{\"value\":\"CFACTS is a CMS database that tracks application security deficiencies and POA\u0026Ms, and supports the ATO process\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eCFACTS is a CMS database that tracks application security deficiencies and POA\u0026amp;Ms, and supports the ATO process\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cfacts_community\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/node_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/node_type?resourceVersion=id%3A5999\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/revision_uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/revision_uid?resourceVersion=id%3A5999\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/uid?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/uid?resourceVersion=id%3A5999\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"963db416-cca0-421d-8c3e-40c8e2ce190f\",\"meta\":{\"target_revision_id\":19655,\"drup
al_internal__target_id\":2101}},{\"type\":\"paragraph--page_section\",\"id\":\"9b87eb1d-cb43-472b-9b5b-8618d2688563\",\"meta\":{\"target_revision_id\":19660,\"drupal_internal__target_id\":446}},{\"type\":\"paragraph--page_section\",\"id\":\"122a8de9-c38d-492b-bc93-b43b270f2933\",\"meta\":{\"target_revision_id\":19666,\"drupal_internal__target_id\":1781}},{\"type\":\"paragraph--page_section\",\"id\":\"594617c8-824a-4962-aa08-fdf8dd4677fb\",\"meta\":{\"target_revision_id\":19667,\"drupal_internal__target_id\":3468}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_page_section?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_page_section?resourceVersion=id%3A5999\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"76dcb171-ae0a-42ba-b330-b93b63633cdd\",\"meta\":{\"target_revision_id\":19668,\"drupal_internal__target_id\":1816}},{\"type\":\"paragraph--internal_link\",\"id\":\"7f340091-9774-491a-817d-0cdfaf0c72d1\",\"meta\":{\"target_revision_id\":19669,\"drupal_internal__target_id\":1821}},{\"type\":\"paragraph--internal_link\",\"id\":\"4b7486bb-57c5-440b-b07c-54deb80f1ca1\",\"meta\":{\"target_revision_id\":19670,\"drupal_internal__target_id\":1826}},{\"type\":\"paragraph--internal_link\",\"id\":\"d72a41d1-1d17-452f-9375-aea58d84e8e7\",\"meta\":{\"target_revision_id\":19671,\"drupal_internal__target_id\":1831}},{\"type\":\"paragraph--internal_link\",\"id\":\"726e3057-d549-4d7d-80c7-0f4c5d5f8007\",\"meta\":{\"target_revision_id\":19672,\"drupal_internal__target_id\":3462}},{\"type\":\"paragraph--internal_link\",\"id\":\"dbde5fa8-5137-4df4-af83-a4330e0778c7\",\"meta\":{\"target_revision_id\":19673,\"drupal_internal__target_id\":3463}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32d
a3989b/field_related_collection?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_related_collection?resourceVersion=id%3A5999\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"9e907eeb-b0a8-4dd3-8818-37cb1557a8f4\",\"meta\":{\"drupal_internal__target_id\":121}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_resource_type?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_resource_type?resourceVersion=id%3A5999\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/field_roles?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_roles?resourceVersion=id%3A5999\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"65ef6410-4066-4db4-be03-c8eb26b63305\",\"meta\":{\"drupal_internal__target_id\":36}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de090
1ae-4ea5-491c-badd-90a32da3989b/field_topics?resourceVersion=id%3A5999\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/de0901ae-4ea5-491c-badd-90a32da3989b/relationships/field_topics?resourceVersion=id%3A5999\"}}}}},{\"type\":\"node--explainer\",\"id\":\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd?resourceVersion=id%3A5714\"}},\"attributes\":{\"drupal_internal__nid\":1148,\"drupal_internal__vid\":5714,\"langcode\":\"en\",\"revision_timestamp\":\"2024-01-05T17:45:12+00:00\",\"status\":true,\"title\":\"CMS Technical Reference Architecture (TRA)\",\"created\":\"2023-09-18T12:44:53+00:00\",\"changed\":\"2024-01-05T17:45:12+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":null,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/learn/cms-technical-reference-architecture-tra\",\"pid\":1000,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":null,\"field_contact_email\":\"tra-admin@cms.hhs.gov\",\"field_contact_name\":\"TRA Team\",\"field_short_description\":{\"value\":\"The technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the agency\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eThe technical architecture approach and technical reference standards that must be followed by all CMS IT systems, ensuring policy compliance across the 
agency\u003c/p\u003e\\n\"},\"field_slack_channel\":[\"#cms-it-governance\"]},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"d185e460-4998-4d2b-85cb-b04f304dfb1b\",\"meta\":{\"drupal_internal__target_id\":\"explainer\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/node_type?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/node_type?resourceVersion=id%3A5714\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"663db243-0ec9-4d3f-9589-5a0ed308fbbc\",\"meta\":{\"drupal_internal__target_id\":36}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/revision_uid?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/revision_uid?resourceVersion=id%3A5714\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"e352e203-fe9c-47ba-af75-2c7f8302fca8\",\"meta\":{\"drupal_internal__target_id\":6}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/uid?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/uid?resourceVersion=id%3A5714\"}}},\"field_page_section\":{\"data\":[{\"type\":\"paragraph--page_section\",\"id\":\"69ac2c7e-8729-4ec7-b6b3-3c757fc6c5e1\",\"meta\":{\"target_revision_id\":16265,\"drupal_internal__target_id\":3416}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_page_section?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_page
_section?resourceVersion=id%3A5714\"}}},\"field_related_collection\":{\"data\":[{\"type\":\"paragraph--internal_link\",\"id\":\"a39bcbf9-8522-4dcf-b5fe-49bfc2c77414\",\"meta\":{\"target_revision_id\":16266,\"drupal_internal__target_id\":3417}},{\"type\":\"paragraph--internal_link\",\"id\":\"f41c8404-7b78-4975-a0ff-fff1409d6a77\",\"meta\":{\"target_revision_id\":16267,\"drupal_internal__target_id\":3418}},{\"type\":\"paragraph--internal_link\",\"id\":\"669ee575-5a38-48c7-87cc-033627065f29\",\"meta\":{\"target_revision_id\":16268,\"drupal_internal__target_id\":3419}},{\"type\":\"paragraph--internal_link\",\"id\":\"b298ff2d-1fb1-485e-84aa-92c94e581f61\",\"meta\":{\"target_revision_id\":16269,\"drupal_internal__target_id\":3420}},{\"type\":\"paragraph--internal_link\",\"id\":\"64cbbefb-4c79-4a51-a519-de08bd054e61\",\"meta\":{\"target_revision_id\":16270,\"drupal_internal__target_id\":3421}},{\"type\":\"paragraph--internal_link\",\"id\":\"14136e73-8c9c-4b8e-be4e-64b3ed5487a1\",\"meta\":{\"target_revision_id\":16271,\"drupal_internal__target_id\":3443}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_related_collection?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_related_collection?resourceVersion=id%3A5714\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\",\"meta\":{\"drupal_internal__target_id\":131}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_resource_type?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_resource_type?resourceVersion=id%3A5714\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":
\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_roles?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_roles?resourceVersion=id%3A5714\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"c12221c3-2c7e-4eb0-903f-0470aad63bf0\",\"meta\":{\"drupal_internal__target_id\":16}},{\"type\":\"taxonomy_term--topics\",\"id\":\"0bc7c1d0-b569-4514-b66c-367457dead7e\",\"meta\":{\"drupal_internal__target_id\":11}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/field_topics?resourceVersion=id%3A5714\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/explainer/629f4bb3-7fe0-4e63-92e0-467c0325a9bd/relationships/field_topics?resourceVersion=id%3A5714\"}}}}}],\"includedMap\":{\"d185e460-4998-4d2b-85cb-b04f304dfb1b\":\"$1c\",\"e352e203-fe9c-47ba-af75-2c7f8302fca8\":\"$26\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$2a\",\"a17f4908-9141-4b1e-82aa-e6bfe0f91a22\":\"$2e\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$48\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$62\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$7c\",\"0bc7c1d0-b569-4514-b66c-367457dead7e\":\"$96\",\"d94629f9-9668-41dd-bce7-a4f267239c07\":\"$b0\",\"243e2d3f-f903-438c-8b1f-aee53390b1df\":\"$c5\",\"b5286761-357f-429f-8502-dd7459bb3e58\":\"$d8\",\"0d357568-9a13-468c-a504-e9c841212b71\":\"$f1\",\"1c28de5d-d763-42b4-9eb4-b09fa9e9fc2a\":\"$fe\",\"ba40c87a-73ea-4db7-bc77-4ec1a902a40b\":\"$10b\",\"b5
05ec18-afe5-44e5-b4dd-1c41dbeab9be\":\"$118\",\"6f904ac4-c80e-47d9-b786-ee79256befed\":\"$125\",\"e20959d7-2a7b-4a01-b985-cfa5363233f5\":\"$137\",\"dba9b926-f657-43ce-bc94-0a2d803430c6\":\"$149\",\"44f7083e-9341-42a5-85dc-a9043cdccdce\":\"$15b\",\"bd0366d9-64ce-401f-9453-bf38aa8054a1\":\"$16d\",\"dfeef1d1-c536-4496-97ad-5488a965a6cf\":\"$17f\",\"845c4eed-8d1a-4c98-9ed4-0c6e102b1748\":\"$1d1\",\"a74e943d-f87d-4688-81e7-65a4013fa320\":\"$221\",\"de0901ae-4ea5-491c-badd-90a32da3989b\":\"$277\",\"629f4bb3-7fe0-4e63-92e0-467c0325a9bd\":\"$2cb\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"Authorization to Operate (ATO) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/learn/authorization-operate-ato\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"Authorization to Operate (ATO) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"Testing and documenting system security and compliance to gain approval to operate the system at 
CMS\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/learn/authorization-operate-ato\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/learn/authorization-operate-ato/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"Authorization to Operate (ATO) | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"Testing and documenting system security and compliance to gain approval to operate the system at CMS\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/learn/authorization-operate-ato/opengraph-image.jpg?d21225707c5ed280\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |